
Solved System Infected Popup Alert

Discussion in 'Malware and Virus Removal Archive' started by deester, 2009/04/05.

    [Resolved] System Infected Popup Alert

    I received a popup with an alert "System Infected" and a scan began immediately. I stopped the scan, thinking this was a sales gimmick, as my computer was performing fine. I then ran Malwarebytes, which quarantined 1 rogue. I followed this up by scanning with Windows One Care, which showed nothing. On Thursday, I began having issues with my computer; it began to run very slowly and I have a problem accessing websites. I did a thorough cleaning of my system, excluding defrag, which was done earlier in the week. I saw no improvement. I contacted Dell support and a tech accessed my computer and found no problem. On Friday, I contacted my DSL provider; a speed test was done, no problem there; my line was checked and refreshed, still no improvement. I ran a Kaspersky scan and found that I may be infected. I will include the report as well as the required reports.
    I have a Dell Latitude laptop with XP, Service Pack 3.

    DDS (Ver_09-03-16.01) - NTFSx86
    Run by dee at 11:41:24.04 on Sat 04/04/2009
    Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_11
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.894.493 [GMT -4:00]

    AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)

    ============== Running Processes ===============

    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    C:\WINDOWS\System32\WLTRYSVC.EXE
    C:\WINDOWS\System32\bcmwltry.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\Program Files\AVG\AVG8\avgrsx.exe
    C:\WINDOWS\system32\brsvc01a.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\brss01a.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Google\Update\GoogleUpdate.exe
    C:\Program Files\LogMeIn\x86\RaMaint.exe
    C:\Program Files\LogMeIn\x86\LogMeIn.exe
    C:\Program Files\LogMeIn\x86\LMIGuardian.exe
    C:\Program Files\Norton Ghost\Agent\VProSvc.exe
    C:\WINDOWS\system32\PSIService.exe
    C:\Program Files\Dell Support Center\bin\sprtsvc.exe
    C:\WINDOWS\system32\StacSV.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\WINDOWS\system32\svchost.exe -k netsvcs
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Norton Ghost\Shared\Drivers\SymSnapService.exe
    C:\WINDOWS\system32\WLTRAY.exe
    C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    C:\Program Files\Common Files\AOL\1213497838\ee\AOLSoftware.exe
    C:\Program Files\Norton Ghost\Agent\VProTray.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
    C:\Program Files\Lexmark X6100 Series\lxbfbmgr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
    C:\Program Files\Lexmark X6100 Series\lxbfbmon.exe
    C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
    C:\Program Files\LogMeIn\x86\LMIGuardian.exe
    C:\Program Files\AOL 9.1\waol.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
    C:\Program Files\AOL 9.1\shellmon.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Documents and Settings\dee\Desktop\dds(2).scr

    ============== Pseudo HJT Report ===============

    uSearch Page = hxxp://www.google.com
    uSearch Bar = hxxp://www.google.com/ie
    mDefault_Search_URL = hxxp://www.google.com/ie
    uInternet Settings,ProxyOverride = *.local
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    mSearchAssistant =
    uURLSearchHooks: H - No File
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_219B3E1547538286.dll
    BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.0.926.3450\swg.dll
    BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
    BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
    BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
    BHO: AOL Toolbar Launcher: {7c554162-8cb7-45a4-b8f4-8ea1c75885f9} - c:\program files\aol\aol toolbar 5.0\aoltb.dll
    BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
    BHO: RoboForm: {724d43a9-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll
    BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    TB: AOL Toolbar: {de9c389f-3316-41a7-809b-aa305ed9d922} - c:\program files\aol\aol toolbar 5.0\aoltb.dll
    TB: &Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
    TB: &RoboForm: {724d43a0-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll
    TB: {399d96ca-6f9a-4fff-95fe-284e45ebb935} - No File
    TB: {D0523BB4-21E7-11DD-9AB7-415B56D89593} - No File
    EB: {2AA2FBF8-9C76-4E97-A226-25C5F4AB6358} - No File
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
    uRun: [<NO NAME>]
    uRun: [StartCCC] c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe
    uRun: [RoboForm] "c:\program files\siber systems\ai roboform\RoboTaskBarIcon.exe "
    uRun: [AOL Fast Start] "c:\program files\aol 9.1\AOL.EXE" -b
    uRun: [MsnMsgr] "c:\program files\msn messenger\MsnMsgr.Exe" /background
    mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
    mRun: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe
    mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
    mRun: [HostManager] c:\program files\common files\aol\1213497838\ee\AOLSoftware.exe
    mRun: [Norton Ghost 14.0] "c:\program files\norton ghost\agent\VProTray.exe "
    mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe "
    mRun: [LogMeIn GUI] "c:\program files\logmein\x86\LogMeInSystray.exe "
    mRun: [Lexmark X6100 Series] "c:\program files\lexmark x6100 series\lxbfbmgr.exe "
    mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
    IE: Save Forms - file://c:\program files\siber systems\ai roboform\RoboFormComSavePass.html
    IE: RoboForm Toolbar - file://c:\program files\siber systems\ai roboform\RoboFormComShowToolbar.html
    IE: Open with WordPerfect - c:\program files\wordperfect office x3\programs\WPLauncher.hta
    IE: Fill Forms - file://c:\program files\siber systems\ai roboform\RoboFormComFillForms.html
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
    IE: Customize Menu - file://c:\program files\siber systems\ai roboform\RoboFormComCustomizeIEMenu.html
    IE: &Search
    IE: &AOL Toolbar Search - c:\program files\aol\aol toolbar 5.0\resources\en-us\local\search.html
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {c95fe080-8f5d-11d2-a20b-00aa003c157a} - hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,77,65,62,5c,72,65,6c-,61,74,65,64,2e,68,74,6d,00
    IE: {724d43aa-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\RoboFormComShowToolbar.html
    IE: {320AF880-6646-11D3-ABEE-C5DBF3571F49} - c:\program files\siber systems\ai roboform\RoboFormComSavePass.html
    IE: {320AF880-6646-11D3-ABEE-C5DBF3571F46} - c:\program files\siber systems\ai roboform\RoboFormComFillForms.html
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
    IE: {3369AF0D-62E9-4bda-8103-B4C75499B578} - {DE9C389F-3316-41A7-809B-AA305ED9D922} - c:\program files\aol\aol toolbar 5.0\aoltb.dll
    IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} - file://c:\program files\masters of mystery - crime of fashion\images\armhelper.ocx
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
    DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase5483.cab
    DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} - file://c:\program files\book of legends\images\stg_drm.ocx
    DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} - hxxp://www.kaspersky.nl/scanforvirus-en/kavwebscan_unicode.cab
    Notify: LMIinit - LMIinit.dll
    Notify: GoToAssist - c:\program files\citrix\gotoassist\514\G2AWinLogon.dll
    Notify: avgrsstarter - avgrsstx.dll
    Notify: AtiExtEvent - Ati2evxx.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

    ================= FIREFOX ===================

    FF - ProfilePath - c:\docume~1\dee\applic~1\mozilla\firefox\profiles\1fpt3l0j.default\
    FF - plugin: c:\documents and settings\all users\application data\realarcade\npraclient.dll
    FF - plugin: c:\documents and settings\all users\application data\zylom\zylomgamesplayer\npzylomgamesplayer.dll
    FF - plugin: c:\documents and settings\dee\application data\mozilla\firefox\profiles\1fpt3l0j.default\extensions\npmozax@real.com\plugins\npmozax.dll
    FF - plugin: c:\program files\google\update\1.2.141.5\npGoogleOneClick7.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npraclient.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npzylomgamesplayer.dll
    FF - plugin: c:\program files\real\realarcade\plugins\mozilla\npracplug.dll
    FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll

    ---- FIREFOX POLICIES ----
    FF - user.js: yahoo.homepage.dontask - true
    ============= SERVICES / DRIVERS ===============

    R0 atiide;atiide;c:\windows\system32\drivers\atiide.sys [2008-6-14 3456]
    R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-2-23 325640]
    R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-2-23 27656]
    R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-2-23 107912]
    R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\logmein\x86\rainfo.sys [2008-7-24 12856]
    R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2009-1-23 47640]
    R3 SymSnapService;SymSnapService;c:\program files\norton ghost\shared\drivers\SymSnapService.exe [2007-12-20 1553896]
    S2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe --> c:\progra~1\avg\avg8\avgemc.exe [?]
    S2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe --> c:\progra~1\avg\avg8\avgwdsvc.exe [?]
    S2 gupdate1c9b2e1ff071fd4;Google Update Service (gupdate1c9b2e1ff071fd4);c:\program files\google\update\GoogleUpdate.exe [2009-4-1 133104]
    S4 LMIRfsClientNP;LMIRfsClientNP; [x]

    ============== File Associations ===============

    regfile=regedit.exe "%1" %*
    scrfile= "%1" %*

    =============== Created Last 30 ================

    2009-04-01 11:54 <DIR> --d----- c:\docume~1\alluse~1\applic~1\RealArcade
    2009-04-01 11:54 <DIR> --d----- c:\program files\Zylom Games
    2009-04-01 11:54 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Zylom
    2009-03-31 12:12 <DIR> --d----- c:\program files\iPod
    2009-03-31 12:11 <DIR> --d----- c:\program files\iTunes
    2009-03-31 12:11 <DIR> --d----- c:\docume~1\alluse~1\applic~1\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
    2009-03-31 10:45 5 a------- c:\windows\system32\drivers\DELL_LAT_131L.MRK
    2009-03-31 10:45 5 a------- c:\windows\system32\drivers\1028_DELL_LAT_131L.MRK
    2009-03-30 16:41 <DIR> --d----- c:\program files\iolo
    2009-03-30 16:23 <DIR> --d----- c:\docume~1\alluse~1\applic~1\iolo
    2009-03-30 15:37 <DIR> --d----- c:\program files\SolidDocuments
    2009-03-30 15:37 <DIR> --d----- c:\docume~1\dee\applic~1\SolidDocuments
    2009-03-30 15:36 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SolidDocuments
    2009-03-29 19:26 <DIR> --d----- c:\program files\Legacy Interactive
    2009-03-29 17:22 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Far Mills
    2009-03-29 17:21 <DIR> --d----- c:\program files\Detective Agency
    2009-03-29 17:04 <DIR> --d----- c:\program files\SNATCHDATA
    2009-03-29 15:25 <DIR> --d----- c:\docume~1\dee\applic~1\FastStone
    2009-03-29 15:24 <DIR> --d----- c:\program files\FastStone Capture
    2009-03-29 08:14 <DIR> --d----- c:\program files\Mozilla Firefox(2)
    2009-03-26 12:07 <DIR> --d----- c:\docume~1\alluse~1\applic~1\AdventureChronicles1
    2009-03-22 18:32 <DIR> --d----- c:\docume~1\alluse~1\applic~1\TheRace_dev
    2009-03-16 18:40 <DIR> --d----- c:\program files\Hidden Expedition Titanic
    2009-03-16 18:40 <DIR> --d----- c:\program files\BFG
    2009-03-16 03:39 <DIR> --d----- c:\docume~1\alluse~1\applic~1\FireGlow
    2009-03-13 22:42 <DIR> --d----- c:\docume~1\dee\applic~1\Three days
    2009-03-13 20:55 <DIR> --d----- c:\docume~1\dee\applic~1\Shape games
    2009-03-13 18:42 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Playrix Entertainment
    2009-03-10 21:56 30 a------- c:\windows\sav.ini
    2009-03-08 06:16 <DIR> --d----- c:\program files\Windows Media Connect 2
    2009-03-08 06:15 <DIR> --d----- C:\ee52deb3a32214d34a4b7cc852002a
    2009-03-08 06:14 <DIR> --d----- C:\f14f884af4bf78a19da1
    2009-03-06 20:50 <DIR> --d----- c:\docume~1\dee\applic~1\Artogon
    2009-03-05 23:52 <DIR> --d----- c:\docume~1\dee\applic~1\Total Eclipse

    ==================== Find3M ====================

    2009-03-28 12:55 325,640 a------- c:\windows\system32\drivers\avgldx86.sys
    2009-03-28 12:55 107,912 a------- c:\windows\system32\drivers\avgtdix.sys
    2009-03-28 12:55 10,520 a------- c:\windows\system32\avgrsstx.dll
    2009-03-26 16:49 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
    2009-03-26 16:49 15,504 a------- c:\windows\system32\drivers\mbam.sys
    2009-03-18 10:09 3,766 a--sh--- c:\windows\system32\KGyGaAvL.sys
    2009-02-09 07:13 1,846,784 a------- c:\windows\system32\win32k.sys
    2009-02-03 17:14 949,384 a------- c:\windows\system32\gdocrplug.tesseract.dll
    2009-02-03 17:13 130,184 a------- c:\windows\system32\GDTWAIN.DLL
    2009-02-03 17:13 2,134,664 a------- c:\windows\system32\gdimgplug.dll
    2009-02-03 17:13 1,296,520 a------- c:\windows\system32\gdpdfplug.dll
    2009-01-25 12:56 61,224 a------- c:\documents and settings\dee\GoToAssistDownloadHelper.exe
    2009-01-24 21:00 4,096 a------- c:\windows\d3dx.dat
    2008-10-17 14:29 1,300,048 a------- c:\docume~1\alluse~1\applic~1\pswi_preloaded.exe
    2008-07-07 15:35 774,144 a------- c:\program files\RngInterstitial.dll
    2002-07-01 10:13 224 a--sh--- c:\docume~1\dee\applic~1\maildriver32.dat
    2008-10-17 14:31 8 ---shr-- c:\windows\system32\614AE4A6D2.sys
    2008-11-29 10:34 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008112920081130\index.dat

    ============= FINISH: 11:42:10.18 ===============

    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT

    DDS (Ver_09-03-16.01)

    Microsoft Windows XP Home Edition
    Boot Device: \Device\HarddiskVolume1
    Install Date: 6/14/2008 6:22:29 PM
    System Uptime: 4/4/2009 8:16:46 AM (3 hours ago)

    Motherboard: Dell Inc. | | 0PM607
    Processor: AMD Turion(tm) 64 X2 Mobile Technology TL-50 | Socket M2/S1G1 | 1596/200mhz

    ==== Disk Partitions =========================

    C: is FIXED (NTFS) - 149 GiB total, 113.945 GiB free.
    D: is CDROM ()

    ==== Disabled Device Manager Items =============

    ==== System Restore Points ===================

    RP1: 2/25/2009 11:54:31 PM - System Checkpoint
    RP2: 2/25/2009 11:56:11 PM - disinfecting
    RP3: 2/26/2009 11:11:28 PM - Software Distribution Service 3.0
    RP4: 2/27/2009 7:47:36 PM - Installed Becharmed
    RP5: 2/28/2009 9:17:07 PM - Removed Becharmed
    RP6: 3/1/2009 6:01:50 PM - Installed Becharmed
    RP7: 3/1/2009 6:06:03 PM - Revo Uninstaller's restore point - Becharmed
    RP8: 3/1/2009 7:34:28 PM - Installed Charm Tale 2
    RP9: 3/2/2009 4:19:02 AM - Revo Uninstaller's restore point - Magic Farm
    RP10: 3/4/2009 5:31:42 PM - Avg8 Update
    RP11: 3/6/2009 9:35:18 PM - System Checkpoint
    RP12: 3/7/2009 10:52:57 PM - System Checkpoint
    RP13: 3/8/2009 5:13:17 AM - Installed Windows Media Player 11
    RP14: 3/8/2009 5:14:10 AM - Software Distribution Service 3.0
    RP15: 3/8/2009 4:13:04 PM - Software Distribution Service 3.0
    RP16: 3/8/2009 4:28:15 PM - Software Distribution Service 3.0
    RP17: 3/9/2009 2:00:17 AM - Software Distribution Service 3.0
    RP18: 3/11/2009 2:00:16 AM - Software Distribution Service 3.0
    RP19: 3/12/2009 4:05:06 AM - System Checkpoint
    RP20: 3/13/2009 10:20:20 AM - System Checkpoint
    RP21: 3/14/2009 4:13:38 PM - System Checkpoint
    RP22: 3/14/2009 11:43:16 PM - Software Distribution Service 3.0
    RP23: 3/15/2009 1:47:02 AM - Revo Uninstaller's restore point - Amazing Finds
    RP24: 3/15/2009 1:51:12 AM - Revo Uninstaller's restore point - Hidden Relics
    RP25: 3/15/2009 1:51:48 AM - Removed Hidden Relics
    RP26: 3/16/2009 2:37:19 AM - System Checkpoint
    RP27: 3/16/2009 6:41:45 PM - Revo Uninstaller's restore point - Hidden Expedition - Titanic
    RP28: 3/16/2009 6:42:00 PM - Removed Hidden Expedition - Titanic
    RP29: 3/18/2009 9:47:13 AM - Avg8 Update
    RP30: 3/19/2009 2:45:36 PM - System Checkpoint
    RP31: 3/20/2009 6:01:40 PM - System Checkpoint
    RP32: 3/22/2009 10:46:49 AM - System Checkpoint
    RP33: 3/22/2009 8:01:49 PM - Revo Uninstaller's restore point - Hidden Jewel Adventure
    RP34: 3/22/2009 8:08:49 PM - Revo Uninstaller's restore point - Tahiti Hidden Pearl
    RP35: 3/24/2009 8:49:05 AM - System Checkpoint
    RP36: 3/25/2009 10:45:49 AM - Revo Uninstaller's restore point - Anabel 1.00
    RP37: 3/26/2009 10:24:20 PM - Software Distribution Service 3.0
    RP38: 3/27/2009 3:04:31 AM - Revo Uninstaller's restore point - RadarSync
    RP39: 3/27/2009 9:40:49 AM - Avg8 Update
    RP40: 3/28/2009 12:55:19 PM - Configured AVG Free 8.5
    RP41: 3/28/2009 1:07:42 PM - Avg8 Update
    RP42: 3/28/2009 3:46:37 PM - Revo Uninstaller's restore point - Jewels of Sinai
    RP43: 3/28/2009 3:50:45 PM - Revo Uninstaller's restore point - iTunes
    RP44: 3/28/2009 3:52:50 PM - Removed iTunes
    RP45: 3/29/2009 7:49:49 AM - Restore Operation
    RP46: 3/29/2009 7:58:00 AM - Restore Operation
    RP47: 3/29/2009 8:05:41 AM - Revo Uninstaller's restore point - Jewels of Sinai
    RP48: 3/29/2009 8:07:13 AM - Revo Uninstaller's restore point - Mozilla Firefox (3.0.8)
    RP49: 3/30/2009 2:50:29 PM - System Checkpoint
    RP50: 3/30/2009 6:57:38 PM - Revo Uninstaller's restore point - AVG Free 8.0
    RP51: 3/30/2009 7:07:11 PM - Revo Uninstaller's restore point - AVG Free 8.0
    RP52: 3/31/2009 8:26:23 AM - Restore Operation
    RP53: 3/31/2009 9:00:42 AM - Revo Uninstaller's restore point - AVG Free 8.0
    RP54: 3/31/2009 10:45:36 AM - Installed Notebook System Software
    RP55: 3/31/2009 11:04:29 AM - Cleaned registry with Windows Live OneCare safety scanner
    RP56: 3/31/2009 12:06:52 PM - Restore Operation
    RP57: 3/31/2009 12:48:03 PM - Revo Uninstaller's restore point - Mozilla Firefox (3.0.8)
    RP58: 3/31/2009 12:58:02 PM - Revo Uninstaller's restore point - Mozilla Firefox (3.0.8)
    RP59: 4/1/2009 2:47:23 PM - Cleaned registry with Windows Live OneCare safety scanner
    RP60: 4/2/2009 9:06:37 PM - Revo Uninstaller's restore point - Treasures Of The Ancient Cavern
    RP61: 4/3/2009 10:22:54 AM - Installed DirectX for Managed Code Update (Summer 2004)
    RP62: 4/3/2009 9:36:18 PM - Revo Uninstaller's restore point - AVG 8.5

    ==== Installed Programs ======================
    2007 Microsoft Office Suite Service Pack 1 (SP1)
    4 Elements 1.0
    ABBYY FineReader 5.0 Sprint Plus
    Abundante!
    Acrobat.com
    Adobe AIR
    Adobe Flash Player 10 ActiveX
    Adobe Flash Player 10 Plugin
    Adobe Reader 9.1
    Adobe Shockwave Player 11
    Adventure Chronicles
    AI RoboForm (All Users)
    Amazing Adventures Around the World(TM)
    AMD Processor Driver
    Ancient Wonderland (remove only)
    AOL Toolbar 5.0
    AOL Uninstaller (Choose which Products to Remove)
    Apiary Quest
    Apple Mobile Device Support
    Apple Software Update
    Around the World in 80 Days
    ATI - Software Uninstall Utility
    ATI Catalyst Control Center
    ATI Display Driver
    Big City Adventure-Sydney Australia
    Bonjour
    Broadcom 440x 10/100 Integrated Controller
    Catalyst Control Center Core Implementation
    Catalyst Control Center Graphics Full Existing
    Catalyst Control Center Graphics Full New
    Catalyst Control Center Graphics Light
    Catalyst Control Center Localization Chinese Standard
    Catalyst Control Center Localization Chinese Traditional
    Catalyst Control Center Localization French
    Catalyst Control Center Localization German
    Catalyst Control Center Localization Italian
    Catalyst Control Center Localization Japanese
    Catalyst Control Center Localization Korean
    Catalyst Control Center Localization Portuguese
    Catalyst Control Center Localization Spanish
    ccc-core-static
    ccc-utility
    CCC Help Chinese Standard
    CCC Help Chinese Traditional
    CCC Help English
    CCC Help French
    CCC Help German
    CCC Help Italian
    CCC Help Japanese
    CCC Help Korean
    CCC Help Portuguese
    CCC Help Spanish
    CCleaner (remove only)
    Charm Tale 2
    Conexant HDA D110 MDC V.92 Modem
    Critical Update for Windows Media Player 11 (KB959772)
    Cuties (remove only)
    Dell Resource CD
    Dell Support Center (Support Software)
    Dell Wireless WLAN Card
    Diamond Detective
    DirectX for Managed Code Update (Summer 2004)
    Dragon Stone
    Enigma 7
    Forgotten Riddles
    GameHouse
    GdTwain ActiveX
    Golden Path
    Google Chrome
    Google Toolbar for Internet Explorer
    Google Update Helper
    GoToAssist 8.0.0.514
    Great Secrets: Da Vinci
    Hawaiian Explorer Lost Island
    Hidden Expedition - Everest
    Hidden Expedition Titanic (remove only)
    Hidden World Of Art 1.00
    High Definition Audio Driver Package - KB888111
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    Hotfix for Windows Media Format 11 SDK (KB929399)
    Hotfix for Windows Media Player 11 (KB939683)
    Hotfix for Windows XP (KB952287)
    Hotfix for Windows XP (KB954550-v5)
    Hotfix for Windows XP (KB961118)
    Insider Tales The Stolen Venus 1.00
    iTunes
    Java(TM) 6 Update 11
    Java(TM) 6 Update 7
    Jetsetter v1.0
    Jewel Match 2
    Jewel Quest
    Jewel Quest (remove only)
    Jewel Quest Mysteries
    Kaspersky Online Scanner
    Lexmark X6100 Series
    Lexmark Z600 Series
    Little Shop - City Lights
    Little Shop of Treasures
    LiveUpdate 3.2 (Symantec Corporation)
    LogMeIn
    Magic Jigsaw
    Magic Runes
    Malwarebytes' Anti-Malware
    Microsoft .NET Framework 3.0 Service Pack 2
    Microsoft .NET Framework 3.5 SP1
    Microsoft Compression Client Pack 1.0 for Windows XP
    Microsoft Internationalized Domain Names Mitigation APIs
    Microsoft National Language Support Downlevel APIs
    Microsoft Office Excel MUI (English) 2007
    Microsoft Office Home and Student 2007
    Microsoft Office OneNote MUI (English) 2007
    Microsoft Office PowerPoint MUI (English) 2007
    Microsoft Office Proof (English) 2007
    Microsoft Office Proof (French) 2007
    Microsoft Office Proof (Spanish) 2007
    Microsoft Office Proofing (English) 2007
    Microsoft Office Shared MUI (English) 2007
    Microsoft Office Shared Setup Metadata MUI (English) 2007
    Microsoft Office Word MUI (English) 2007
    Microsoft Silverlight
    Microsoft Software Update for Web Folders (English) 12
    Microsoft User-Mode Driver Framework Feature Pack 1.0
    Microsoft VC9 runtime libraries
    Microsoft Visual C++ 2005 Redistributable
    MostFun - Big City Adventure: San Francisco
    MostFun.com Games - Great Secrets: Da Vinci (remove only)
    MostFun.com Games - Jewel Quest (remove only)
    MostFun.com Games - National Geographic Games Herod's Lost Tomb (remove only)
    MostFun.com Games - Treasure Masters (remove only)
    Mozilla Firefox (3.0.8)
    MSXML 4.0 SP2 (KB936181)
    MSXML 4.0 SP2 (KB954430)
    Mystery Case Files Huntsville
    National Geographic Games Herod's Lost Tomb
    Nick Chase - A Detective Story
    Norton Ghost
    oceanix
    PC Fixer
    Pharaoh Puzzle
    Pirateville
    Print to Fax
    QuickTime
    Rainforest Adventure
    RealArcade
    Revo Uninstaller 1.80
    Rhombis
    Roxio DLA
    Roxio MyDVD LE
    Roxio RecordNow Audio
    Roxio RecordNow Copy
    Roxio RecordNow Data
    Scrapbook Paige
    Sea Journey
    Security Update for 2007 Microsoft Office System (KB951550)
    Security Update for 2007 Microsoft Office System (KB951944)
    Security Update for 2007 Microsoft Office System (KB958439)
    Security Update for Microsoft Office Excel 2007 (KB958437)
    Security Update for Microsoft Office OneNote 2007 (KB950130)
    Security Update for Microsoft Office PowerPoint 2007 (KB951338)
    Security Update for Microsoft Office system 2007 (KB954326)
    Security Update for Microsoft Office system 2007 (KB956828)
    Security Update for Microsoft Office Word 2007 (KB956358)
    Security Update for Windows Media Player (KB911564)
    Security Update for Windows Media Player (KB952069)
    Security Update for Windows Media Player 11 (KB936782)
    Security Update for Windows Media Player 11 (KB954154)
    Security Update for Windows Media Player 6.4 (KB925398)
    Security Update for Windows Media Player 9 (KB936782)
    Security Update for Windows XP (KB938464-v2)
    Security Update for Windows XP (KB938464)
    Security Update for Windows XP (KB941569)
    Security Update for Windows XP (KB946648)
    Security Update for Windows XP (KB950759)
    Security Update for Windows XP (KB950760)
    Security Update for Windows XP (KB950762)
    Security Update for Windows XP (KB950974)
    Security Update for Windows XP (KB951066)
    Security Update for Windows XP (KB951376-v2)
    Security Update for Windows XP (KB951376)
    Security Update for Windows XP (KB951698)
    Security Update for Windows XP (KB951748)
    Security Update for Windows XP (KB952954)
    Security Update for Windows XP (KB953839)
    Security Update for Windows XP (KB954211)
    Security Update for Windows XP (KB954459)
    Security Update for Windows XP (KB954600)
    Security Update for Windows XP (KB955069)
    Security Update for Windows XP (KB956391)
    Security Update for Windows XP (KB956802)
    Security Update for Windows XP (KB956803)
    Security Update for Windows XP (KB956841)
    Security Update for Windows XP (KB957095)
    Security Update for Windows XP (KB957097)
    Security Update for Windows XP (KB958215)
    Security Update for Windows XP (KB958644)
    Security Update for Windows XP (KB958687)
    Security Update for Windows XP (KB958690)
    Security Update for Windows XP (KB960225)
    Security Update for Windows XP (KB960714)
    Security Update for Windows XP (KB960715)
    SigmaTel Audio
    Skins
    Sonic Update Manager
    Sparkle
    Spirit of Wandering - The Legend
    SpywareBlaster 4.1
    Super Collapse Puzzle Gallery 4
    Super Collapse! 3
    Super Jigsaw Adorable Animals 2
    Super Jigsaw Beach Holiday 2
    Super Jigsaw Lighthouses
    Synaptics Pointing Device Driver
    The Amazon Adventure (remove only)
    The Hidden Prophecies of Nostradamus 1.00
    The Legend of El Dorado
    The Legend of Tirnanog
    The Serpent of Isis ™
    Three Days Beta 1.00
    Tibet Quest 1.00
    Time Quest
    Treasure Masters
    Tropix(TM) 2 - The Quest For the Golden Banana
    Try Corel Snapfire muvee autoProducer add on
    Unicorn Castle 1.0
    Uninstall AOL Emergency Connect Utility 1.0
    Update for Office 2007 (KB946691)
    Update for Windows XP (KB942763)
    Update for Windows XP (KB951072-v2)
    Update for Windows XP (KB951978)
    Update for Windows XP (KB955839)
    Update for Windows XP (KB967715)
    Val Gor
    Viewpoint Media Player
    Visual C++ 2008 x86 Runtime - (v9.0.30729)
    Visual C++ 2008 x86 Runtime - v9.0.30729.01
    Web Games Player Plugin
    WebFldrs XP
    Windows Driver Package - Ricoh Company (rimsptsk) hdc (11/14/2006 6.00.01.04)
    Windows Genuine Advantage Validation Tool (KB892130)
    Windows Live Messenger
    Windows Live OneCare safety scanner
    Windows Live Sign-in Assistant
    Windows Media Format 11 runtime
    Windows Media Player 11
    Windows XP Service Pack 3
    WinRAR archiver
    WordPerfect Office X3
    Zuma Deluxe

    ==== Event Viewer Messages From Past Week ========

    3/31/2009 7:12:46 AM, error: Service Control Manager [7001] - The AVG Free8 E-mail Scanner service depends on the AVG Free8 WatchDog service which failed to start because of the following error: The service has returned a service-specific error code.
    3/31/2009 7:12:46 AM, error: Service Control Manager [7024] - The AVG Free8 WatchDog service terminated with service-specific error 3758161981 (0xE001003D).
    3/29/2009 7:30:07 AM, error: Service Control Manager [7016] - The BrSplService service has reported an invalid current state 0.
    3/31/2009 9:13:21 AM, error: Service Control Manager [7000] - The AVG Free8 WatchDog service failed to start due to the following error: The system cannot find the file specified.
    3/31/2009 9:13:21 AM, error: Service Control Manager [7001] - The AVG Free8 E-mail Scanner service depends on the AVG Free8 WatchDog service which failed to start because of the following error: The system cannot find the file specified.
    3/31/2009 9:27:33 AM, error: Service Control Manager [7000] - The AVG Free8 WatchDog service failed to start due to the following error: The system cannot find the path specified.
    3/31/2009 9:27:33 AM, error: Service Control Manager [7001] - The AVG Free8 E-mail Scanner service depends on the AVG Free8 WatchDog service which failed to start because of the following error: The system cannot find the path specified.
    3/31/2009 9:28:49 AM, error: Service Control Manager [7022] - The dvpapi service hung on starting.
    3/31/2009 11:20:37 AM, error: Service Control Manager [7001] - The Print Spooler service depends on the LexBce Server service which failed to start because of the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
    4/2/2009 11:07:07 AM, error: Dhcp [1002] - The IP address lease 192.168.0.6 for the Network Card with network address 00197DAFA1D7 has been denied by the DHCP server 192.168.0.1 (The DHCP Server sent a DHCPNACK message).
    4/3/2009 7:53:09 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: atiide
    4/3/2009 11:18:48 AM, error: Dhcp [1002] - The IP address lease 192.168.0.3 for the Network Card with network address 00197DAFA1D7 has been denied by the DHCP server 192.168.1.254 (The DHCP Server sent a DHCPNACK message).
    4/3/2009 2:49:33 PM, error: Dhcp [1002] - The IP address lease 192.168.1.96 for the Network Card with network address 00197DAFA1D7 has been denied by the DHCP server 192.168.0.1 (The DHCP Server sent a DHCPNACK message).
    4/3/2009 2:49:35 PM, error: Dhcp [1002] - The IP address lease 0.0.0.0 for the Network Card with network address 00197DAFA1D7 has been denied by the DHCP server 192.168.1.254 (The DHCP Server sent a DHCPNACK message).
    4/3/2009 9:46:28 PM, error: Server [2505] - The server could not bind to the transport \Device\NetBT_Tcpip_{5A46B5F6-5A3D-4471-8C32-C06CF781F938} because another computer on the network has the same name. The server could not start.
    4/3/2009 10:11:48 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments " " in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
    4/3/2009 10:13:21 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AmdK8 AvgLdx86 AvgMfx86 Fips
    4/4/2009 3:17:43 AM, error: Dhcp [1002] - The IP address lease 192.168.0.2 for the Network Card with network address 00197DAFA1D7 has been denied by the DHCP server 192.168.0.1 (The DHCP Server sent a DHCPNACK message).

    ==== End Of File ===========================

    KASPERSKY ONLINE SCANNER 7 REPORT
    Saturday, April 4, 2009
    Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
    Kaspersky Online Scanner 7 version: 7.0.25.0
    Program database last update: Saturday, April 04, 2009 10:15:08
    Records in database: 2008976
    Scan settings
    Scan using the following database extended
    Scan archives yes
    Scan mail databases yes
    Scan area My Computer
    C:\
    D:\
    Scan statistics
    Files scanned 158745
    Threat name 1
    Infected objects 8
    Suspicious objects 0
    Duration of the scan 02:59:21

    File name Threat name Threats count
    C:\Documents and Settings\dee\Desktop\Kids_Flash_Games_75in1__AIO__ferrocan.rar Infected: Trojan-Dropper.Win32.VB.lhn 8
    The selected area was scanned.
     
  2. 2009/04/08
    Juliet

    Juliet Well-Known Member

    Joined:
    2008/09/15
    Messages:
    976
    Likes Received:
    6
    Hi and welcome


    Let's first try to remove the infected file.

    Print this topic or save to notepad, it will make it easier for you to follow the instructions and complete all of the necessary steps as we will need to close all windows that are open later in the fix.




    Please download OTMoveIt3 by OldTimer and save it to your desktop
    • Double-click OTMoveIt3.exe to run it.
    • Copy the lines in the codebox below. ( Make sure you include :processes )
    Code:
    :Processes
    explorer.exe
    :Files
    C:\Documents and Settings\dee\Desktop\Kids_Flash_Games_75in1__AIO__ferrocan.rar
    :Commands
    [Purity]
    [EmptyTemp]
    [Start Explorer]
    [Reboot]
    
    • Return to OTMoveIt3, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
    • Close ALL open windows (especially Internet Explorer!)
    • Click the red Moveit! button.
    • Copy everything in the Results window (under the green bar), and paste it in your next reply.
    • Close OTMoveIt3
    If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

    If the machine reboots, the Results log can be found here:

    c:\_OTMoveIt\MovedFiles\mmddyyyy_hhmmss.log

    Where mmddyyyy_hhmmss is the date of the tool run.




    Download worksnow from HERE:

    * IMPORTANT !!! Save worksnow to your Desktop
    • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
      Note: If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link : Protective Programs

    • Double click on worksnow & follow the prompts.

      Note: worksnow will run without the Recovery Console installed.
    • As part of its process, combofix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.




    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



    Click on Yes, to continue scanning for malware.

    When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
    "copy/paste" a new HijackThis log file into this thread as well.

    Notes:

    1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
    2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
    3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
    4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

    Give it at least 20-30 minutes to finish if needed.


    In your next reply please post:
    OTMoveIt log
    ComboFix.txt



    You may need several replies to post the requested logs, otherwise they might get cut off.
     
    Last edited: 2009/04/08

  4. 2009/04/08
    deester

    deester Inactive Alumni Thread Starter

    Joined:
    2008/07/08
    Messages:
    633
    Likes Received:
    0
    Thanks Juliet for responding. I have 2 issues, one is impeding my progress. I called Dell about the Recovery Console on my Latitude and was told this model wasn't built for a Recovery Console. When I attempt to run Combofix through worksnow, I keep getting error messages. I went to Combofix and it downloaded and attempted to run but kept warning me AVG was active, cannot find AVG on my computer. I uninstalled AVG several days ago and just realized I never installed another antivirus. Any advice?

    Dee
     
  5. 2009/04/08
    Juliet

    Juliet Well-Known Member

    Joined:
    2008/09/15
    Messages:
    976
    Likes Received:
    6
    Don't worry over what Dell told you, it has nothing to do with what I need you to install on the machine.

    Can you make ComboFix run anyway?
    Can you boot into Safe Mode and try to run it from there?
     
  6. 2009/04/08
    deester

    deester Inactive Alumni Thread Starter

    Joined:
    2008/07/08
    Messages:
    633
    Likes Received:
    0
    Combofix will not run in Safe Mode. I have looked everywhere I know to look for AVG and can not find it. It does not look like Combofix is going to run until I get the AVG issue resolved.

    Dee
     
  7. 2009/04/08
    Juliet

    Juliet Well-Known Member

    Joined:
    2008/09/15
    Messages:
    976
    Likes Received:
    6
    Let's see if OTMoveIt can find it.

    • Double-click OTMoveIt3.exe to run it.
    • Copy the lines in the codebox below. ( Make sure you include :processes )
    Code:
    :Processes
    explorer.exe
    :Files
    C:\Program Files\AVG
    C:\Program Files\AVG\AVG8
    :Commands
    [Purity]
    [EmptyTemp]
    [Start Explorer]
    [Reboot]
    
    • Return to OTMoveIt3, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
    • Close ALL open windows (especially Internet Explorer!)
    • Click the red Moveit! button.
    • Copy everything in the Results window (under the green bar), and paste it in your next reply.
    • Close OTMoveIt3
    If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

    If the machine reboots, the Results log can be found here:

    c:\_OTMoveIt\MovedFiles\mmddyyyy_hhmmss.log

    Where mmddyyyy_hhmmss is the date of the tool run.




    NEXT**
    Download SDFix or from Here and save it to your Desktop

    Double click SDFix.exe and it will extract the files to %systemdrive% (Drive that contains the Windows Directory, typically C:\SDFix)

    Please then reboot your computer in Safe Mode by doing the following:
    • Restart your computer
    • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
    • Instead of Windows loading as normal, the Advanced Options Menu should appear;
    • Select the first option, to run Windows in Safe Mode, then press Enter.
    • Choose your usual account.
    • Open the extracted SDFix folder and double click RunThis.bat to start the script.
    • Type Y to begin the cleanup process.
    • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
    • Press any Key and it will restart the PC.
    • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
    • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt (Report.txt will also be copied to Clipboard ready for posting back on the forum).
    • Finally paste the contents of the SDFix Report.txt back on the forum with a new HijackThis log


    In your next reply post:
    OTMoveIt log
    SDFix report.txt
     
  8. 2009/04/08
    deester

    deester Inactive Alumni Thread Starter

    Joined:
    2008/07/08
    Messages:
    633
    Likes Received:
    0
    Hope I have done everything correctly and posted everything you requested.

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 7:36:53 PM, on 4/8/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\WLTRYSVC.EXE
    C:\WINDOWS\System32\bcmwltry.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\brsvc01a.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\brss01a.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\LogMeIn\x86\RaMaint.exe
    C:\Program Files\Google\Update\GoogleUpdate.exe
    C:\Program Files\LogMeIn\x86\LogMeIn.exe
    C:\Program Files\LogMeIn\x86\LMIGuardian.exe
    C:\Program Files\Norton Ghost\Agent\VProSvc.exe
    C:\WINDOWS\system32\PSIService.exe
    C:\Program Files\Dell Support Center\bin\sprtsvc.exe
    C:\WINDOWS\system32\StacSV.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Norton Ghost\Shared\Drivers\SymSnapService.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\WLTRAY.exe
    C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    C:\Program Files\Common Files\AOL\1213497838\ee\AOLSoftware.exe
    C:\Program Files\Norton Ghost\Agent\VProTray.exe
    C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
    C:\Program Files\Lexmark X6100 Series\lxbfbmgr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\Lexmark X6100 Series\lxbfbmon.exe
    C:\Program Files\Dell Support Center\bin\sprtcmd.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
    C:\Program Files\LogMeIn\x86\LMIGuardian.exe
    C:\Program Files\AOL 9.1\waol.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
    C:\Program Files\AOL 9.1\shellmon.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://runonce.msn.com/?v=msgrv75
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    R3 - URLSearchHook: (no name) - {399d96ca-6f9a-4fff-95fe-284e45ebb935} - (no file)
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
    O2 - BHO: RoboForm - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
    O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
    O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
    O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
    O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
    O3 - Toolbar: (no name) - {399d96ca-6f9a-4fff-95fe-284e45ebb935} - (no file)
    O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
    O4 - HKLM\..\Run: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1213497838\ee\AOLSoftware.exe
    O4 - HKLM\..\Run: [Norton Ghost 14.0] "C:\Program Files\Norton Ghost\Agent\VProTray.exe"
    O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
    O4 - HKLM\..\Run: [Lexmark X6100 Series] "C:\Program Files\Lexmark X6100 Series\lxbfbmgr.exe"
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [dellsupportcenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P dellsupportcenter
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
    O4 - HKLM\..\Run: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\isuspm.exe -startup
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
    O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\AOL 9.1\AOL.EXE" -b
    O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 5.0\resources\en-us\local\search.html
    O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
    O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
    O8 - Extra context menu item: Open with WordPerfect - C:\Program Files\WordPerfect Office X3\Programs\WPLauncher.hta
    O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
    O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
    O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
    O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
    O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
    O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
    O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
    O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,77,65,62,5c,72,65,6c-,61,74,65,64,2e,68,74,6d,00 (file missing)
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,77,65,62,5c,72,65,6c-,61,74,65,64,2e,68,74,6d,00 (file missing)
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.nl/scanforvirus-en/kavwebscan_unicode.cab
    O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file://C:\Program Files\Book of Legends\Images\stg_drm.ocx
    O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase5483.cab
    O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file://C:\Program Files\Masters of Mystery - Crime of Fashion\Images\armhelper.ocx
    O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
    O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\514\G2AWinLogon.dll
    O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - Unknown owner - C:\PROGRA~1\AVG\AVG8\avgemc.exe (file missing)
    O23 - Service: AVG Free8 WatchDog (avg8wd) - Unknown owner - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe (file missing)
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
    O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\514\g2aservice.exe
    O23 - Service: Google Update Service (gupdate1c9b2e1ff071fd4) (gupdate1c9b2e1ff071fd4) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
    O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
    O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Norton Ghost\Agent\VProSvc.exe
    O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
    O23 - Service: SupportSoft Sprocket Service (DellSupportCenter) (sprtsvc_DellSupportCenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
    O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\WINDOWS\system32\StacSV.exe
    O23 - Service: SymSnapService - Symantec - C:\Program Files\Norton Ghost\Shared\Drivers\SymSnapService.exe
    O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

    --
    End of file - 13312 bytes
    Error: Unable to interpret <Processes> in the current context!
    Error: Unable to interpret <explorer.exe> in the current context!
    ========== FILES ==========
    C:\Program Files\AVG\AVG8 moved successfully.
    C:\Program Files\AVG moved successfully.
    File/Folder C:\Program Files\AVG\AVG8 not found.
    ========== COMMANDS ==========
    File delete failed. C:\DOCUME~1\dee\LOCALS~1\Temp\Perflib_Perfdata_d80.dat scheduled to be deleted on reboot.
    User's Temp folder emptied.
    User's Internet Explorer cache folder emptied.
    File delete failed. C:\Documents and Settings\dee\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
    User's Temporary Internet Files folder emptied.
    Local Service Temp folder emptied.
    Local Service Temporary Internet Files folder emptied.
    Network Service Temp folder emptied.
    File delete failed. C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
    Network Service Temporary Internet Files folder emptied.
    File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_70.dat scheduled to be deleted on reboot.
    File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_b80.dat scheduled to be deleted on reboot.
    File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_d0.dat scheduled to be deleted on reboot.
    Windows Temp folder emptied.
    Java cache emptied.
    FireFox cache emptied.
    Temp folders emptied.
    Explorer started successfully

    OTMoveIt3 by OldTimer - Version 1.0.10.0 log created on 04082009_183726
     
  9. 2009/04/08
    deester

    deester Inactive Alumni Thread Starter

    Joined:
    2008/07/08
    Messages:
    633
    Likes Received:
    0
    SDFix: Version 1.240
    Run by dee on Wed 04/08/2009 at 07:03 PM

    Microsoft Windows XP [Version 5.1.2600]
    Running From: C:\SDFix

    Checking Services :


    Restoring Default Security Values
    Restoring Default Hosts File

    Rebooting


    Checking Files :

    Trojan Files Found:

    C:\Documents and Settings\teva\Application Data\Adobe\crc.dat - Deleted





    Removing Temp Files

    ADS Check :



    Final Check :

    catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-04-08 19:28:17
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden services & system hive ...

    scanning hidden registry entries ...

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "AppInit_DLLs"=""
    "DeviceNotSelectedTimeout"="15"
    "GDIProcessHandleQuota"=dword:00002710
    "Spooler"="yes"
    "swapdisk"=""
    "TransmissionRetryTimeout"="90"
    "USERProcessHandleQuota"=dword:00002710
    "LoadAppInit_DLLs"=dword:00000001

    scanning hidden files ...

    scan completed successfully
    hidden processes: 0
    hidden services: 0
    hidden files: 0


    Remaining Services :




    Authorized Application Key Export:

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
    "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
    "C:\\Program Files\\Common Files\\aol\\acs\\AOLDial.exe"="C:\\Program Files\\Common Files\\aol\\acs\\AOLDial.exe:*:Enabled:AOL Connectivity Service Dialer"
    "C:\\Program Files\\Common Files\\aol\\acs\\AOLacsd.exe"="C:\\Program Files\\Common Files\\aol\\acs\\AOLacsd.exe:*:Enabled:AOL Connectivity Service"
    "C:\\Program Files\\Common Files\\aol\\1213497838\\ee\\aolsoftware.exe"="C:\\Program Files\\Common Files\\aol\\1213497838\\ee\\aolsoftware.exe:*:Enabled:AOL Shared Components"
    "C:\\Program Files\\AOL 9.1\\waol.exe"="C:\\Program Files\\AOL 9.1\\waol.exe:*:Enabled:AOL"
    "C:\\Program Files\\Common Files\\aol\\TopSpeed\\3.0\\aoltpsd3.exe"="C:\\Program Files\\Common Files\\aol\\TopSpeed\\3.0\\aoltpsd3.exe:*:Enabled:AOL TopSpeed"
    "C:\\Program Files\\Common Files\\aol\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\aol\\Loader\\aolload.exe:*:Enabled:AOL Loader"
    "C:\\Program Files\\Common Files\\aol\\System Information\\sinf.exe"="C:\\Program Files\\Common Files\\aol\\System Information\\sinf.exe:*:Enabled:AOL System Information"
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
    "C:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"="C:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe:*:Enabled:Malwarebytes' Anti-Malware"
    "C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE:*:Enabled:Microsoft Office OneNote"
    "C:\\WINDOWS\\system32\\dpnsvr.exe"="C:\\WINDOWS\\system32\\dpnsvr.exe:*:Enabled:Microsoft DirectPlay8 Server"
    "C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
    "C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
    "C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Enabled:Bonjour"
    "C:\\WINDOWS\\system32\\dxdiag.exe"="C:\\WINDOWS\\system32\\dxdiag.exe:*:Enabled:Microsoft DirectX Diagnostic Tool"
    "C:\\Program Files\\Java\\jre6\\bin\\javaw.exe"="C:\\Program Files\\Java\\jre6\\bin\\javaw.exe:*:Enabled:Java(TM) Platform SE binary"
    "C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
    "%windir%\\system32\\sessmgr.exe "= "%windir%\\system32\\sessmgr.exe:*:enabled:mad:xpsp2res.dll,-22019 "
    "%windir%\\Network Diagnostic\\xpnetdiag.exe "= "%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:mad:xpsp3res.dll,-20000 "
    "C:\\Program Files\\MSN Messenger\\msnmsgr.exe "= "C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1 "
    "C:\\Program Files\\MSN Messenger\\livecall.exe "= "C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone) "

    Remaining Files :


    File Backups: - C:\SDFix\backups\backups.zip

    Files with Hidden Attributes :

    Thu 5 Feb 2009 46,376 A..H. --- "C:\Program Files\AOL 9.1\AOLphx.exe"
    Thu 6 Mar 2008 54,624 A..H. --- "C:\Program Files\AOL 9.1\AOLphxex.exe"
    Tue 3 Jun 2008 33,120 A..H. --- "C:\Program Files\AOL 9.1\rbm.exe"
    Fri 27 Feb 2009 2,495,824 ...H. --- "C:\Program Files\The Serpent of Isis\SerpentOfIsis.exe"
    Fri 17 Oct 2008 8 ..SHR --- "C:\WINDOWS\system32\614AE4A6D2.sys"
    Wed 18 Mar 2009 3,766 A.SH. --- "C:\WINDOWS\system32\KGyGaAvL.sys"
    Sun 8 Mar 2009 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
    Fri 2 May 2008 3,493,888 A..H. --- "C:\Documents and Settings\dee\Application Data\U3\temp\Launchpad Removal.exe"
    Sat 14 Jun 2008 96,072 ...H. --- "C:\Program Files\Common Files\aol\TopSpeed\3.0\WBUnins.exe"
    Thu 8 May 2008 951,624 A..H. --- "C:\Documents and Settings\dee\Desktop\Games Installer 2\persian\Sherlock Holmes - The Mystery of the Persian Carpet\qdxrmcx.exe"

    Finished!
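The firewall export in the SDFix log above follows the XP SP2 firewall policy format: each value is `"path"="path:scope:state:name"`, and the GloballyOpenPorts list uses `"port:proto"` the same way. As an added example (not code from the thread, SDFix or ComboFix), the parser below reads those AuthorizedApplications and GloballyOpenPorts lists, also copes with the abbreviated form ComboFix prints, and flags the entries a reviewer checks first; its sample export is constructed from a few of this log's entries plus an invented Temp-folder program and a disabled iTunes entry.

```python
"""Audit the Windows XP firewall policy lists dumped by SDFix/ComboFix.
Added example, not code from this thread, SDFix or ComboFix: parses the REGEDIT4-style
export of the AuthorizedApplications and GloballyOpenPorts lists and flags what a
reviewer checks first (programs outside system folders, ports open to any address)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Section header: [HKEY_LOCAL_MACHINE\...] or ComboFix's abbreviated [HKLM\~\...]
SECTION_RE = re.compile(r"^\[(?P<key>HK[^\]]+)\]$")
# "name"="value"; ComboFix prints port values unquoted, so the data quotes are optional
VALUE_RE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"\s*=\s*"?(?P<value>.*?)"?\s*$')
# Value data: <target>:<scope>:<Enabled|Disabled>:<display name>.  The target itself contains
# ':' (drive letter, port:proto), so the split is anchored on the Enabled/Disabled token.
DATA_RE = re.compile(r"^(?P<target>.+?):(?P<scope>[^:]*):(?P<state>enabled|disabled):(?P<name>.*)$", re.I)
SYSTEM_DIR_RE = re.compile(r"^[a-z]:\\(windows|program files)\\")


@dataclass
class FirewallEntry:
    profile: str             # "standardprofile" or "domainprofile"
    kind: str                # "app" (authorized application) or "port" (globally open port)
    key: str                 # registry value name: program path or "port:proto"
    target: str              # program path or "port:proto" as stated inside the value data
    scope: Optional[str]     # "*" = any remote address; None when the dump omitted it
    enabled: Optional[bool]  # None when the dump omitted the state (ComboFix does)
    display_name: str        # friendly name or an @dll,-id resource reference
    flags: List[str] = field(default_factory=list)


def _unescape(s: str) -> str:
    # REGEDIT4 doubles backslashes and escapes quotes inside string data
    return s.replace('\\"', '"').replace("\\\\", "\\")


def _normalise_path(path: str) -> str:
    return path.lower().replace("%windir%", r"c:\windows").replace("%programfiles%", r"c:\program files")


def _build(profile: str, kind: str, key: str, data: str) -> FirewallEntry:
    m = DATA_RE.match(data)
    if m:
        target, scope, state, name = m.group("target", "scope", "state", "name")
        enabled: Optional[bool] = state.lower() == "enabled"
    elif kind == "port":
        # abbreviated dump: only "<port>:<proto>:<display name>" survives
        port, proto, name = (data.split(":", 2) + ["", ""])[:3]
        target, scope, enabled = f"{port}:{proto}", None, None
    else:
        # abbreviated dump for programs: the value data is usually empty
        target, scope, enabled = key, None, None
        name = data[len(key):].lstrip(":") if data.lower().startswith(key.lower()) else data
    entry = FirewallEntry(profile, kind, key, target, scope, enabled, name)
    if kind == "app":
        if _normalise_path(target) != _normalise_path(key):
            entry.flags.append("value path differs from key path")
        if not SYSTEM_DIR_RE.match(_normalise_path(target)):
            entry.flags.append("program outside %windir% / Program Files")
    elif enabled is not False and scope in (None, "*"):
        entry.flags.append("inbound port open to any remote address")
    return entry


def parse_firewall_export(text: str) -> List[FirewallEntry]:
    entries: List[FirewallEntry] = []
    profile = kind = None
    for raw in text.splitlines():
        line = raw.strip()
        sec = SECTION_RE.match(line)
        if sec:
            key = sec.group("key").lower()
            if "firewallpolicy" not in key:
                profile = kind = None  # some unrelated key: skip its values
                continue
            profile = "domainprofile" if "domainprofile" in key else "standardprofile"
            kind = "port" if "globallyopenports" in key else "app"
            continue
        val = VALUE_RE.match(line)
        if val and kind is not None:
            entries.append(_build(profile, kind, _unescape(val.group("name")),
                                  _unescape(val.group("value"))))
    return entries


def flagged(entries: List[FirewallEntry]) -> List[FirewallEntry]:
    return [e for e in entries if e.flags]


# Constructed sample: entries copied from the SDFix export above, plus an invented Temp-folder
# program, a disabled iTunes entry and a ComboFix-style abbreviated port line.
SAMPLE_EXPORT = r'''
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"="C:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe:*:Enabled:Malwarebytes' Anti-Malware"
"C:\\Documents and Settings\\user\\Local Settings\\Temp\\updater.exe"="C:\\Documents and Settings\\user\\Local Settings\\Temp\\updater.exe:*:Enabled:Updater"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Disabled:iTunes"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\globallyopenports\list]
"3389:TCP"="3389:TCP:*:Enabled:@xpsp2res.dll,-22009"
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\domainprofile\globallyopenports\list]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
'''

if __name__ == "__main__":
    for e in flagged(parse_firewall_export(SAMPLE_EXPORT)):
        print(f"{e.profile:15} {e.kind:4} {e.target}  ->  {'; '.join(e.flags)}")
```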
     
  10. 2009/04/08
    Juliet

    Juliet Well-Known Member

    Let's take out the remaining services for AVG8


    • Double-click OTMoveIt3.exe to run it.
    • Copy the lines in the codebox below. (Make sure you include :Processes)
    Code:
    :Processes
    explorer.exe
    :services
    avg8emc 
    avg8wd
    :Commands
    [Purity]
    [EmptyTemp]
    [Start Explorer]
    [Reboot]
    
    • Return to OTMoveIt3, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
    • Close ALL open windows (especially Internet Explorer!)
    • Click the red Moveit! button.
    • Copy everything in the Results window (under the green bar), and paste it in your next reply.
    • Close OTMoveIt3
    If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

    If the machine reboots, the Results log can be found here:

    c:\_OTMoveIt\MovedFiles\mmddyyyy_hhmmss.log

    Where mmddyyyy_hhmmss is the date of the tool run.



    Please try to run ComboFix again.
     
  11. 2009/04/08
    deester

    deester Inactive Alumni Thread Starter

    Still cannot run combofix, AVG still active.


    ========== PROCESSES ==========

    Process explorer.exe killed successfully.
    ========== SERVICES/DRIVERS ==========

    Service\Driver avg8emc deleted successfully.

    Service\Driver avg8wd deleted successfully.
    ========== COMMANDS ==========
    File delete failed. C:\DOCUME~1\dee\LOCALS~1\Temp\etilqs_oN7BBLB9MIhdRbpbvFJj scheduled to be deleted on reboot.
    File delete failed. C:\DOCUME~1\dee\LOCALS~1\Temp\Perflib_Perfdata_dd4.dat scheduled to be deleted on reboot.
    User's Temp folder emptied.
    User's Internet Explorer cache folder emptied.
    File delete failed. C:\Documents and Settings\dee\Local Settings\Temporary Internet Files\Content.IE5\W8ZMNBMU\load_v6[1].htm scheduled to be deleted on reboot.
    File delete failed. C:\Documents and Settings\dee\Local Settings\Temporary Internet Files\Content.IE5\W8ZMNBMU\m93199773[1].htm scheduled to be deleted on reboot.
    File delete failed. C:\Documents and Settings\dee\Local Settings\Temporary Internet Files\Content.IE5\W8ZMNBMU\tpp[1].htm scheduled to be deleted on reboot.
    File delete failed. C:\Documents and Settings\dee\Local Settings\Temporary Internet Files\Content.IE5\QDKXO3Y9\anatp[1].htm scheduled to be deleted on reboot.
    File delete failed. C:\Documents and Settings\dee\Local Settings\Temporary Internet Files\Content.IE5\QDKXO3Y9\ke_blank[1].htm scheduled to be deleted on reboot.
    File delete failed. C:\Documents and Settings\dee\Local Settings\Temporary Internet Files\Content.IE5\QDKXO3Y9\optn=64[1] scheduled to be deleted on reboot.
    File delete failed. C:\Documents and Settings\dee\Local Settings\Temporary Internet Files\Content.IE5\QDKXO3Y9\pass[1].html scheduled to be deleted on reboot.
    File delete failed. C:\Documents and Settings\dee\Local Settings\Temporary Internet Files\Content.IE5\OJ2LGZUV\index[1].htm scheduled to be deleted on reboot.
    File delete failed. C:\Documents and Settings\dee\Local Settings\Temporary Internet Files\Content.IE5\OJ2LGZUV\tcode3[1].htm scheduled to be deleted on reboot.
    File delete failed. C:\Documents and Settings\dee\Local Settings\Temporary Internet Files\Content.IE5\OJ2LGZUV\tcodewads_at[1].htm scheduled to be deleted on reboot.
    File delete failed. C:\Documents and Settings\dee\Local Settings\Temporary Internet Files\Content.IE5\OJ2LGZUV\tcodewads_at[2].htm scheduled to be deleted on reboot.
    File delete failed. C:\Documents and Settings\dee\Local Settings\Temporary Internet Files\Content.IE5\F8L2Y655\adpage[1].htm scheduled to be deleted on reboot.
    File delete failed. C:\Documents and Settings\dee\Local Settings\Temporary Internet Files\Content.IE5\F8L2Y655\anatp[1].htm scheduled to be deleted on reboot.
    File delete failed. C:\Documents and Settings\dee\Local Settings\Temporary Internet Files\Content.IE5\F8L2Y655\minilistings_setup[1].htm scheduled to be deleted on reboot.
    File delete failed. C:\Documents and Settings\dee\Local Settings\Temporary Internet Files\Content.IE5\F8L2Y655\tcode3[1].htm scheduled to be deleted on reboot.
    File delete failed. C:\Documents and Settings\dee\Local Settings\Temporary Internet Files\Content.IE5\F8L2Y655\tcode3[2].htm scheduled to be deleted on reboot.
    File delete failed. C:\Documents and Settings\dee\Local Settings\Temporary Internet Files\Content.IE5\F8L2Y655\tcodewads_at[1].htm scheduled to be deleted on reboot.
    File delete failed. C:\Documents and Settings\dee\Local Settings\Temporary Internet Files\Content.IE5\F8L2Y655\tpp[1].html scheduled to be deleted on reboot.
    File delete failed. C:\Documents and Settings\dee\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
    User's Temporary Internet Files folder emptied.
    Local Service Temp folder emptied.
    Local Service Temporary Internet Files folder emptied.
    Network Service Temp folder emptied.
    File delete failed. C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
    Network Service Temporary Internet Files folder emptied.
    File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_4f8.dat scheduled to be deleted on reboot.
    File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_7ac.dat scheduled to be deleted on reboot.
    File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_884.dat scheduled to be deleted on reboot.
    Windows Temp folder emptied.
    Java cache emptied.
    File delete failed. C:\Documents and Settings\dee\Local Settings\Application Data\Mozilla\Firefox\Profiles\1fpt3l0j.default\Cache\_CACHE_001_ scheduled to be deleted on reboot.
    File delete failed. C:\Documents and Settings\dee\Local Settings\Application Data\Mozilla\Firefox\Profiles\1fpt3l0j.default\Cache\_CACHE_002_ scheduled to be deleted on reboot.
    File delete failed. C:\Documents and Settings\dee\Local Settings\Application Data\Mozilla\Firefox\Profiles\1fpt3l0j.default\Cache\_CACHE_003_ scheduled to be deleted on reboot.
    File delete failed. C:\Documents and Settings\dee\Local Settings\Application Data\Mozilla\Firefox\Profiles\1fpt3l0j.default\Cache\_CACHE_MAP_ scheduled to be deleted on reboot.
    File delete failed. C:\Documents and Settings\dee\Local Settings\Application Data\Mozilla\Firefox\Profiles\1fpt3l0j.default\urlclassifier3.sqlite scheduled to be deleted on reboot.
    File delete failed. C:\Documents and Settings\dee\Local Settings\Application Data\Mozilla\Firefox\Profiles\1fpt3l0j.default\XUL.mfl scheduled to be deleted on reboot.
    FireFox cache emptied.
    Temp folders emptied.
    Explorer started successfully

    OTMoveIt3 by OldTimer - Version 1.0.10.0 log created on 04082009_201006

    Files moved on Reboot...
    File C:\DOCUME~1\dee\LOCALS~1\Temp\etilqs_oN7BBLB9MIhdRbpbvFJj not found!
    File C:\DOCUME~1\dee\LOCALS~1\Temp\Perflib_Perfdata_dd4.dat not found!
    File C:\Documents and Settings\dee\Local Settings\Temporary Internet Files\Content.IE5\W8ZMNBMU\load_v6[1].htm not found!
    File C:\Documents and Settings\dee\Local Settings\Temporary Internet Files\Content.IE5\W8ZMNBMU\m93199773[1].htm not found!
    File C:\Documents and Settings\dee\Local Settings\Temporary Internet Files\Content.IE5\W8ZMNBMU\tpp[1].htm not found!
    File C:\Documents and Settings\dee\Local Settings\Temporary Internet Files\Content.IE5\QDKXO3Y9\anatp[1].htm not found!
    File C:\Documents and Settings\dee\Local Settings\Temporary Internet Files\Content.IE5\QDKXO3Y9\ke_blank[1].htm not found!
    File C:\Documents and Settings\dee\Local Settings\Temporary Internet Files\Content.IE5\QDKXO3Y9\optn=64[1] not found!
    File C:\Documents and Settings\dee\Local Settings\Temporary Internet Files\Content.IE5\QDKXO3Y9\pass[1].html not found!
    File C:\Documents and Settings\dee\Local Settings\Temporary Internet Files\Content.IE5\OJ2LGZUV\index[1].htm not found!
    File C:\Documents and Settings\dee\Local Settings\Temporary Internet Files\Content.IE5\OJ2LGZUV\tcode3[1].htm not found!
    File C:\Documents and Settings\dee\Local Settings\Temporary Internet Files\Content.IE5\OJ2LGZUV\tcodewads_at[1].htm not found!
    File C:\Documents and Settings\dee\Local Settings\Temporary Internet Files\Content.IE5\OJ2LGZUV\tcodewads_at[2].htm not found!
    File C:\Documents and Settings\dee\Local Settings\Temporary Internet Files\Content.IE5\F8L2Y655\adpage[1].htm not found!
    File C:\Documents and Settings\dee\Local Settings\Temporary Internet Files\Content.IE5\F8L2Y655\anatp[1].htm not found!
    File C:\Documents and Settings\dee\Local Settings\Temporary Internet Files\Content.IE5\F8L2Y655\minilistings_setup[1].htm not found!
    File C:\Documents and Settings\dee\Local Settings\Temporary Internet Files\Content.IE5\F8L2Y655\tcode3[1].htm not found!
    File C:\Documents and Settings\dee\Local Settings\Temporary Internet Files\Content.IE5\F8L2Y655\tcode3[2].htm not found!
    File C:\Documents and Settings\dee\Local Settings\Temporary Internet Files\Content.IE5\F8L2Y655\tcodewads_at[1].htm not found!
    File C:\Documents and Settings\dee\Local Settings\Temporary Internet Files\Content.IE5\F8L2Y655\tpp[1].html not found!
    File C:\WINDOWS\temp\Perflib_Perfdata_4f8.dat not found!
    File C:\WINDOWS\temp\Perflib_Perfdata_7ac.dat not found!
    C:\WINDOWS\temp\Perflib_Perfdata_884.dat moved successfully.
    C:\Documents and Settings\dee\Local Settings\Application Data\Mozilla\Firefox\Profiles\1fpt3l0j.default\Cache\_CACHE_001_ moved successfully.
    C:\Documents and Settings\dee\Local Settings\Application Data\Mozilla\Firefox\Profiles\1fpt3l0j.default\Cache\_CACHE_002_ moved successfully.
    C:\Documents and Settings\dee\Local Settings\Application Data\Mozilla\Firefox\Profiles\1fpt3l0j.default\Cache\_CACHE_003_ moved successfully.
    C:\Documents and Settings\dee\Local Settings\Application Data\Mozilla\Firefox\Profiles\1fpt3l0j.default\Cache\_CACHE_MAP_ moved successfully.
    C:\Documents and Settings\dee\Local Settings\Application Data\Mozilla\Firefox\Profiles\1fpt3l0j.default\urlclassifier3.sqlite moved successfully.
    C:\Documents and Settings\dee\Local Settings\Application Data\Mozilla\Firefox\Profiles\1fpt3l0j.default\XUL.mfl moved successfully.
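The OTMoveIt3 run described two posts up reports its reboot outcomes under "Files moved on Reboot...", so the check a helper wants after such a run is whether every file that was scheduled for deletion was actually dealt with. The following is an added example, not code from the thread or from OTMoveIt3; its sample log is constructed from a few lines of the results above plus one invented path (restore.tmp) that never gets an outcome.

```python
"""Reconcile an OTMoveIt3 results log with its post-reboot follow-up.
Added example, not from the thread or from OTMoveIt3: every "File delete failed ...
scheduled to be deleted on reboot" line of the first run is paired with the outcome
reported under "Files moved on Reboot...", so anything still unresolved stands out."""
import re
from typing import Dict, List

SCHEDULED_RE = re.compile(r"^File delete failed\. (?P<path>.+) scheduled to be deleted on reboot\.$")
MOVED_RE = re.compile(r"^(?P<path>.+) moved successfully\.$")
NOT_FOUND_RE = re.compile(r"^File (?P<path>.+) not found!$")
REBOOT_MARKER = "Files moved on Reboot..."


def reconcile(log: str) -> Dict[str, str]:
    """Map each path scheduled for deletion on reboot to its outcome: 'moved' (removed by
    the reboot pass), 'gone' (already absent when the reboot pass ran) or 'unresolved'
    (no line about it after the marker).  Keys are lower-cased: NTFS paths are case-insensitive."""
    outcome: Dict[str, str] = {}
    after_reboot = False
    for raw in log.splitlines():
        line = raw.strip()
        if line == REBOOT_MARKER:
            after_reboot = True
            continue
        if not after_reboot:
            m = SCHEDULED_RE.match(line)
            if m:
                outcome[m.group("path").lower()] = "unresolved"
            continue
        m = MOVED_RE.match(line)
        if m:
            outcome[m.group("path").lower()] = "moved"
            continue
        m = NOT_FOUND_RE.match(line)
        if m:
            outcome[m.group("path").lower()] = "gone"
    return outcome


def unresolved(log: str) -> List[str]:
    """Paths the tool promised to delete on reboot but never reported on afterwards."""
    return sorted(p for p, state in reconcile(log).items() if state == "unresolved")


# Constructed sample: three lines taken from the results posted above plus one invented
# path (restore.tmp) that gets no outcome after the reboot.
SAMPLE_LOG = r"""
========== COMMANDS ==========
File delete failed. C:\DOCUME~1\dee\LOCALS~1\Temp\etilqs_oN7BBLB9MIhdRbpbvFJj scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\dee\LOCALS~1\Temp\Perflib_Perfdata_dd4.dat scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_884.dat scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\restore.tmp scheduled to be deleted on reboot.
User's Temp folder emptied.
Explorer started successfully

OTMoveIt3 by OldTimer - Version 1.0.10.0 log created on 04082009_201006

Files moved on Reboot...
File C:\DOCUME~1\dee\LOCALS~1\Temp\etilqs_oN7BBLB9MIhdRbpbvFJj not found!
File C:\DOCUME~1\dee\LOCALS~1\Temp\Perflib_Perfdata_dd4.dat not found!
C:\WINDOWS\temp\Perflib_Perfdata_884.dat moved successfully.
"""

if __name__ == "__main__":
    for path, state in reconcile(SAMPLE_LOG).items():
        print(f"{state:10} {path}")
```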
     
  12. 2009/04/08
    Juliet

    Juliet Well-Known Member

    Let's see if we can move on to something else.

    I have seen where people downloaded AVG just to uninstall it properly.



    Please run a free online scan with the ESET Online Scanner
    Note: You will need to use Internet Explorer for this scan.
    1. Tick the box next to YES, I accept the Terms of Use.
    2. Click Start
    3. When asked, allow the ActiveX control to install
    4. Click Start
    5. Make sure that the options Remove found threats and Scan unwanted applications are checked
    6. Click Scan
      Wait for the scan to finish
    7. Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
    8. Copy and paste that log as a reply to this topic
     
  13. 2009/04/08
    deester

    deester Inactive Alumni Thread Starter

    ESETSmartInstaller@High as CAB hook log:
    OnlineScanner.ocx - registred OK
    # version=5
    # iexplore.exe=6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)
    # OnlineScanner.ocx=1.0.0.5799
    # api_version=3.0.2
    # EOSSerial=79c1ef1a447be44fb93d5171f27c1952
    # end=finished
    # remove_checked=true
    # archives_checked=false
    # unwanted_checked=true
    # unsafe_checked=false
    # antistealth_checked=true
    # utc_time=2009-04-09 02:47:06
    # local_time=2009-04-08 10:47:06 (-0500, Eastern Daylight Time)
    # country="United States"
    # lang=9
    # osver=5.1.2600 NT Service Pack 3
    # scanned=162953
    # found=1
    # cleaned=1
    # scan_time=3746
    C:\Documents and Settings\dee\Desktop\Misc Installers\setupxv(2).exe multiple threats (deleted - quarantined) 00000000000000000000000000000000
    I have several system errors and most of them involve AVG; something occurred at some time.
     
  14. 2009/04/09
    Juliet

    Juliet Well-Known Member

    I knew there was an AVG removal tool from Kaspersky; it just took me a while to find it.


    Fail to install Kaspersky Anti-Virus product version 2009 due to 'remains' of Anti-Virus AVG8 in the system
    http://www.kaspersky.com/support/kis2009/install?qid=208279831


    scroll down to
    To resolve the situation you should do the following:

    * Cancel the current installation of Kaspersky Anti-Virus version 2009
    * download the archive avg8.zip

    Download and use the zip file, then try to run ComboFix.
     
  15. 2009/04/09
    deester

    deester Inactive Alumni Thread Starter

    ComboFix 09-04-04.01 - dee 2009-04-09 9:07:23.1 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.894.296 [GMT -4:00]
    Running from: c:\documents and settings\dee\Desktop\ComboFix.exe
    * Created a new restore point
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\program files\QUAD Utilities

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Legacy_MYWEBSEARCHSERVICE


    ((((((((((((((((((((((((( Files Created from 2009-03-09 to 2009-04-09 )))))))))))))))))))))))))))))))
    .

    2009-04-08 21:39 . 2009-04-08 21:39 <DIR> d-------- c:\program files\ESET
    2009-04-08 19:36 . 2009-04-08 19:36 <DIR> d-------- c:\program files\Trend Micro
    2009-04-08 19:02 . 2009-04-08 19:02 578,560 --a--c--- c:\windows\system32\dllcache\user32.dll
    2009-04-08 18:58 . 2009-04-08 18:59 <DIR> d-------- c:\windows\ERUNT
    2009-04-08 18:46 . 2009-04-08 19:31 <DIR> d-------- C:\SDFix
    2009-04-08 11:08 . 2009-04-08 11:08 <DIR> d-------- C:\_OTMoveIt
    2009-04-08 09:59 . 2009-04-08 09:59 <DIR> d-------- c:\program files\iTunes
    2009-04-08 09:59 . 2009-04-08 09:59 <DIR> d-------- c:\program files\iPod
    2009-04-08 09:59 . 2009-04-08 09:59 <DIR> d-------- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
    2009-04-07 06:55 . 2009-04-07 06:55 <DIR> d-------- c:\documents and settings\SAvannah
    2009-04-06 12:41 . 2009-04-06 12:41 <DIR> d-------- c:\documents and settings\All Users\Application Data\Fugazo
    2009-04-01 11:54 . 2009-04-01 11:54 <DIR> d-------- c:\program files\Zylom Games
    2009-04-01 11:54 . 2009-04-01 11:54 <DIR> d-------- c:\documents and settings\All Users\Application Data\Zylom
    2009-04-01 11:54 . 2009-04-01 11:54 <DIR> d-------- c:\documents and settings\All Users\Application Data\RealArcade
    2009-03-31 10:57 . 2009-04-01 10:50 <DIR> d-------- c:\program files\Windows Live Safety Center
    2009-03-31 10:45 . 2009-03-31 10:45 5 --a------ c:\windows\system32\drivers\DELL_LAT_131L.MRK
    2009-03-31 10:45 . 2009-03-31 10:45 5 --a------ c:\windows\system32\drivers\1028_DELL_LAT_131L.MRK
    2009-03-30 16:41 . 2009-03-31 12:10 <DIR> d-------- c:\program files\iolo
    2009-03-30 16:23 . 2009-03-31 12:10 <DIR> d-------- c:\documents and settings\All Users\Application Data\iolo
    2009-03-30 15:37 . 2009-03-30 15:37 <DIR> d-------- c:\program files\SolidDocuments
    2009-03-30 15:37 . 2009-03-31 11:18 <DIR> d-------- c:\documents and settings\dee\Application Data\SolidDocuments
    2009-03-30 15:36 . 2009-03-30 15:36 <DIR> d-------- c:\documents and settings\All Users\Application Data\SolidDocuments
    2009-03-29 19:26 . 2009-03-29 19:26 <DIR> d-------- c:\program files\Legacy Interactive
    2009-03-29 17:22 . 2009-03-29 17:22 <DIR> d-------- c:\documents and settings\All Users\Application Data\Far Mills
    2009-03-29 17:21 . 2009-03-31 12:10 <DIR> d-------- c:\program files\Detective Agency
    2009-03-29 17:04 . 2009-03-29 17:04 <DIR> d-------- c:\program files\SNATCHDATA
    2009-03-29 15:25 . 2009-03-29 15:25 <DIR> d-------- c:\documents and settings\dee\Application Data\FastStone
    2009-03-29 15:24 . 2009-03-31 12:10 <DIR> d-------- c:\program files\FastStone Capture
    2009-03-29 08:14 . 2009-03-31 12:10 <DIR> d-------- c:\program files\Mozilla Firefox(2)
    2009-03-26 12:07 . 2009-03-26 12:07 <DIR> d-------- c:\documents and settings\All Users\Application Data\AdventureChronicles1
    2009-03-22 18:32 . 2009-03-22 18:32 <DIR> d-------- c:\documents and settings\All Users\Application Data\TheRace_dev
    2009-03-16 18:40 . 2009-03-16 18:40 <DIR> d-------- c:\program files\Hidden Expedition Titanic
    2009-03-16 18:40 . 2009-03-16 18:40 <DIR> d-------- c:\program files\BFG
    2009-03-16 03:39 . 2009-03-16 03:39 <DIR> d-------- c:\documents and settings\All Users\Application Data\FireGlow
    2009-03-13 22:42 . 2009-03-13 22:43 <DIR> d-------- c:\documents and settings\dee\Application Data\Three days
    2009-03-13 20:55 . 2009-03-13 20:55 <DIR> d-------- c:\documents and settings\dee\Application Data\Shape games
    2009-03-13 18:42 . 2009-03-13 18:42 <DIR> d-------- c:\documents and settings\All Users\Application Data\Playrix Entertainment
    2009-03-10 21:56 . 2009-03-11 20:15 30 --a------ c:\windows\sav.ini

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-04-09 08:06 --------- d-----w c:\program files\LogMeIn
    2009-04-08 14:11 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
    2009-04-08 13:59 --------- d-----w c:\documents and settings\All Users\Application Data\Apple Computer
    2009-04-08 13:58 --------- d-----w c:\program files\Common Files\Apple
    2009-04-07 22:00 --------- d-----w c:\program files\QuickTime
    2009-04-07 20:10 --------- d-----w c:\documents and settings\dee\Application Data\Apple Computer
    2009-04-06 19:07 --------- d-----w c:\program files\RealArcade
    2009-04-05 22:18 --------- d-----w c:\documents and settings\dee\Application Data\iWin
    2009-04-05 07:37 --------- d-----w c:\program files\Java
    2009-04-04 00:18 --------- d-----w c:\documents and settings\dee\Application Data\Digital Support
    2009-04-03 00:53 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
    2009-04-03 00:52 --------- d-----w c:\program files\SpywareBlaster
    2009-04-01 15:54 --------- d-----w c:\program files\Google
    2009-03-31 16:09 --------- d-----w c:\documents and settings\All Users\Application Data\avg8
    2009-03-26 20:49 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
    2009-03-26 20:49 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
    2009-03-25 14:46 --------- d-----w c:\program files\Games
    2009-03-23 23:51 --------- d-----w c:\documents and settings\dee\Application Data\JewelMatch2
    2009-03-23 00:01 --------- d-----w c:\program files\Oberon Media
    2009-03-22 00:58 --------- d-----w c:\program files\MostFun
    2009-03-22 00:58 --------- d-----w c:\documents and settings\All Users\Application Data\NeoEdge Networks
    2009-03-19 20:32 23,400 ----a-w c:\windows\system32\drivers\GEARAspiWDM.sys
    2009-03-18 00:37 --------- d-----w c:\program files\Hawaiian Explorer Lost Island
    2009-03-17 17:18 --------- d-----w c:\documents and settings\dee\Application Data\Big Fish Games
    2009-03-16 22:43 --------- d-----w c:\program files\LeeGTs Games
    2009-03-16 18:52 --------- d-----w c:\program files\Mystery Case Files Huntsville
    2009-03-16 07:38 --------- d-----w c:\program files\GameTop.com
    2009-03-15 16:09 --------- d-----w c:\program files\Common Files\Adobe
    2009-03-09 18:51 --------- d-----w c:\program files\Digital Support
    2009-03-08 10:16 --------- d-----w c:\program files\Windows Media Connect 2
    2009-03-08 00:07 --------- d-----w c:\program files\The Legend of Tirnanog
    2009-03-07 00:50 --------- d-----w c:\documents and settings\dee\Application Data\Artogon
    2009-03-06 03:52 --------- d-----w c:\documents and settings\dee\Application Data\Total Eclipse
    2009-03-05 17:50 --------- d-----w c:\documents and settings\All Users\Application Data\PlayPond
    2009-03-03 03:18 --------- d-----w c:\program files\iWin.com
    2009-03-02 19:57 --------- d-----w c:\documents and settings\dee\Application Data\PlayFirst
    2009-03-02 19:57 --------- d-----w c:\documents and settings\All Users\Application Data\PlayFirst
    2009-03-02 09:11 --------- d-----w c:\documents and settings\dee\Application Data\Meridian93
    2009-03-01 23:07 --------- d-----w c:\program files\Superluminal
    2009-03-01 09:50 --------- d-----w c:\documents and settings\dee\Application Data\BrandX Games
    2009-03-01 09:19 --------- d-----w c:\documents and settings\dee\Application Data\SerpentOfIsis
    2009-03-01 09:13 --------- d-----w c:\documents and settings\dee\Application Data\TeamViewer
    2009-03-01 08:48 --------- d-----w c:\documents and settings\dee\Application Data\SpinTop Games
    2009-03-01 08:36 --------- d-----w c:\program files\The Serpent of Isis
    2009-03-01 01:17 --------- d-----w c:\program files\Playrix Entertainment
    2009-02-27 09:12 --------- d-----w c:\program files\Microsoft Silverlight
    2009-02-26 11:35 --------- d-----w c:\documents and settings\All Users\Application Data\Dell
    2009-02-26 01:30 --------- d-----w c:\documents and settings\dee\Application Data\Divo Games
    2009-02-26 01:28 --------- d-----w c:\program files\Sea Journey
    2009-02-25 04:53 --------- d-----w c:\program files\AOL 9.1
    2009-02-23 19:34 --------- d-----w c:\documents and settings\All Users\Application Data\McAfee
    2009-02-23 11:05 --------- d-----w c:\documents and settings\NetworkService\Application Data\SACore
    2009-02-22 20:52 --------- d-----w c:\program files\MSN Messenger
    2009-02-22 02:08 --------- d-----w c:\documents and settings\dee\Application Data\TimeQuest
    2009-02-22 02:06 --------- d-----w c:\program files\Time Quest
    2009-02-21 06:38 --------- d-----w c:\documents and settings\All Users\Application Data\Big Fish Games Vancouver
    2009-02-21 05:57 --------- d-----w c:\documents and settings\dee\Application Data\PoBros
    2009-02-21 05:57 --------- d-----w c:\documents and settings\All Users\Application Data\PoBros
    2009-02-20 01:01 --------- d-----w c:\documents and settings\dee\Application Data\RobinsonCrusoe
    2009-02-19 15:01 --------- d-----w c:\documents and settings\dee\Application Data\TMInc
    2009-02-19 05:35 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
    2009-02-19 05:24 --------- d-----w c:\program files\Lavasoft
    2009-02-19 05:24 --------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft
    2009-02-19 05:15 --------- d-----w c:\documents and settings\All Users\Application Data\SiteAdvisor
    2009-02-19 02:17 --------- d-----w c:\program files\Alwil Software
    2009-02-19 02:02 --------- d-----w c:\documents and settings\dee\Application Data\Flood Light Games
    2009-02-19 02:02 --------- d-----w c:\documents and settings\All Users\Application Data\Flood Light Games
    2009-02-17 22:05 --------- d-----w c:\program files\Hide & Secret 2 - Cliffhanger Castle
    2009-02-14 21:59 --------- d-----w c:\documents and settings\dee\Application Data\URSE Games
    2009-02-11 21:10 --------- d-----w c:\documents and settings\dee\Application Data\Pirateville
    2009-02-11 19:56 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
    2009-02-11 18:06 --------- d-----w c:\program files\Apiary Quest
    2009-02-11 15:00 --------- d-----w c:\program files\Bonjour
    2009-02-11 05:34 --------- d-----w c:\program files\GameHouse
    2009-02-11 01:09 --------- d-----w c:\documents and settings\dee\Application Data\Realv1005
    2009-02-09 03:03 --------- d-----w c:\documents and settings\All Users\Application Data\DriverCure
    2009-02-09 02:47 --------- d-----w c:\documents and settings\All Users\Application Data\ParetoLogic
    2009-02-09 02:45 --------- d-----w c:\program files\GdTwain ActiveX
    2009-02-09 00:04 --------- d-----w c:\documents and settings\dee\Application Data\Jetsetter
    2009-01-25 16:56 61,224 ----a-w c:\documents and settings\dee\GoToAssistDownloadHelper.exe
    2008-10-17 18:29 1,300,048 ----a-w c:\documents and settings\All Users\Application Data\pswi_preloaded.exe
    2008-07-22 18:57 61,224 ----a-w c:\documents and settings\teva\GoToAssistDownloadHelper.exe
    2008-07-07 19:35 774,144 ----a-w c:\program files\RngInterstitial.dll
    2002-07-01 14:13 224 --sha-w c:\documents and settings\dee\Application Data\maildriver32.dat
    2008-10-17 18:31 8 --sh--r c:\windows\system32\614AE4A6D2.sys
    2008-11-29 14:34 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008112920081130\index.dat
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe "= "c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
    "swg "= "c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-01-20 39408]
    "StartCCC "= "c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 90112]
    "RoboForm "= "c:\program files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2009-01-20 160592]
    "MsnMsgr "= "c:\program files\MSN Messenger\MsnMsgr.Exe" [2007-01-19 5674352]
    "AOL Fast Start "= "c:\program files\AOL 9.1\AOL.EXE" [2008-06-03 50528]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Broadcom Wireless Manager UI "= "c:\windows\system32\WLTRAY.exe" [2007-03-16 1392640]
    "SigmatelSysTrayApp "= "c:\program files\SigmaTel\C-Major Audio\WDM\stsystra.exe" [2007-05-10 405504]
    "ISUSScheduler "= "c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
    "HostManager "= "c:\program files\Common Files\AOL\1213497838\ee\AOLSoftware.exe" [2008-06-24 41824]
    "Norton Ghost 14.0 "= "c:\program files\Norton Ghost\Agent\VProTray.exe" [2008-01-19 2245984]
    "LogMeIn GUI "= "c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2008-07-24 63048]
    "Lexmark X6100 Series "= "c:\program files\Lexmark X6100 Series\lxbfbmgr.exe" [2003-05-16 57344]
    "SynTPEnh "= "c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 761947]
    "dellsupportcenter "= "c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-10-24 206064]
    "SunJavaUpdateSched "= "c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
    "ISUSPM Startup "= "c:\progra~1\common~1\instal~1\update~1\isuspm.exe" [2004-07-27 221184]
    "QuickTime Task "= "c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
    "iTunesHelper "= "c:\program files\iTunes\iTunesHelper.exe" [2009-04-02 342312]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
    2008-07-14 13:40 10536 c:\program files\Citrix\GoToAssist\514\g2awinlogon.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
    2008-10-16 21:35 87352 c:\windows\system32\LMIinit.dll

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe "=
    "c:\\Program Files\\Common Files\\aol\\acs\\AOLDial.exe "=
    "c:\\Program Files\\Common Files\\aol\\acs\\AOLacsd.exe "=
    "c:\\Program Files\\Common Files\\aol\\1213497838\\ee\\aolsoftware.exe "=
    "c:\\Program Files\\AOL 9.1\\waol.exe "=
    "c:\\Program Files\\Common Files\\aol\\TopSpeed\\3.0\\aoltpsd3.exe "=
    "c:\\Program Files\\Common Files\\aol\\Loader\\aolload.exe "=
    "c:\\Program Files\\Common Files\\aol\\System Information\\sinf.exe "=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe "=
    "c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe "=
    "c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE "=
    "c:\\WINDOWS\\system32\\dpnsvr.exe "=
    "c:\\Program Files\\MSN Messenger\\msnmsgr.exe "=
    "c:\\Program Files\\MSN Messenger\\livecall.exe "=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe "=
    "c:\\WINDOWS\\system32\\dxdiag.exe "=
    "c:\\Program Files\\Java\\jre6\\bin\\javaw.exe "=
    "c:\\Program Files\\iTunes\\iTunes.exe "=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "3389:TCP "= 3389:TCP:mad:xpsp2res.dll,-22009

    R0 atiide;atiide;c:\windows\system32\drivers\atiide.sys [2008-06-14 3456]
    R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [2008-07-24 12856]
    R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2009-01-23 47640]
    R3 SymSnapService;SymSnapService;c:\program files\Norton Ghost\Shared\Drivers\SymSnapService.exe [2007-12-20 1553896]
    S2 gupdate1c9b2e1ff071fd4;Google Update Service (gupdate1c9b2e1ff071fd4);c:\program files\Google\Update\GoogleUpdate.exe [2009-04-01 133104]
    S4 LMIRfsClientNP;LMIRfsClientNP; [x]

    --- Other Services/Drivers In Memory ---

    *NewlyCreated* - ATWPKT2
    .
    Contents of the 'Scheduled Tasks' folder

    2009-04-06 c:\windows\Tasks\Ad-Aware Update (Weekly).job
    - c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe []

    2009-04-08 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 13:34]

    2009-04-09 c:\windows\Tasks\GoogleUpdateTaskMachine.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-04-01 11:53]
    .
    - - - - ORPHANS REMOVED - - - -

    URLSearchHooks-{399d96ca-6f9a-4fff-95fe-284e45ebb935} - (no file)
    Toolbar-{399d96ca-6f9a-4fff-95fe-284e45ebb935} - (no file)
    WebBrowser-{399D96CA-6F9A-4FFF-95FE-284E45EBB935} - (no file)
    WebBrowser-{D0523BB4-21E7-11DD-9AB7-415B56D89593} - (no file)
    Notify-avgrsstarter - avgrsstx.dll


    .
    ------- Supplementary Scan -------
    .
    uSearch Page = hxxp://www.google.com
    uSearch Bar = hxxp://www.google.com/ie
    mDefault_Search_URL = hxxp://www.google.com/ie
    uInternet Settings,ProxyOverride = *.local
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    mSearchAssistant = hxxp://www.google.com/ie
    IE: &AOL Toolbar Search - c:\program files\aol\aol toolbar 5.0\resources\en-us\local\search.html
    IE: &Search
    IE: Customize Menu - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
    IE: Fill Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
    IE: Open with WordPerfect - c:\program files\WordPerfect Office X3\Programs\WPLauncher.hta
    IE: RoboForm Toolbar - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
    IE: Save Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
    IE: {{c95fe080-8f5d-11d2-a20b-00aa003c157a} - hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,77,65,62,5c,72,65,6c-,61,74,65,64,2e,68,74,6d,00
    DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
    FF - ProfilePath - c:\documents and settings\dee\Application Data\Mozilla\Firefox\Profiles\1fpt3l0j.default\
    FF - plugin: c:\documents and settings\All Users\Application Data\RealArcade\npraclient.dll
    FF - plugin: c:\documents and settings\All Users\Application Data\Zylom\ZylomGamesPlayer\npzylomgamesplayer.dll
    FF - plugin: c:\documents and settings\dee\Application Data\Mozilla\Firefox\Profiles\1fpt3l0j.default\extensions\npmozax@real.com\plugins\npmozax.dll
    FF - plugin: c:\program files\Google\Update\1.2.141.5\npGoogleOneClick7.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npraclient.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npzylomgamesplayer.dll
    FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll

    ---- FIREFOX POLICIES ----
    FF - user.js: yahoo.homepage.dontask - true.

    **************************************************************************

    catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-04-09 09:12:44
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_USERS\S-1-5-21-1614895754-1336601894-725345543-1005\Software\Microsoft\SystemCertificates\AddressBook*]
    @Allowed: (Read) (RestrictedCode)
    @Allowed: (Read) (RestrictedCode)
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(1452)
    c:\windows\system32\Ati2evxx.dll
    c:\program files\Citrix\GoToAssist\514\G2AWinLogon.dll
    c:\windows\system32\LMIinit.dll
    c:\windows\System32\BCMLogon.dll
    c:\windows\system32\LMIRfsClientNP.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\system32\ati2evxx.exe
    c:\windows\system32\ati2evxx.exe
    c:\windows\system32\WLTRYSVC.EXE
    c:\windows\system32\BCMWLTRY.EXE
    c:\windows\system32\brss01a.exe
    c:\windows\system32\LEXBCES.EXE
    c:\windows\system32\LEXPPS.EXE
    c:\program files\Common Files\aol\acs\AOLacsd.exe
    c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\program files\LogMeIn\x86\ramaint.exe
    c:\program files\LogMeIn\x86\LogMeIn.exe
    c:\program files\LogMeIn\x86\LMIGuardian.exe
    c:\program files\Norton Ghost\Agent\VProSvc.exe
    c:\windows\system32\PSIService.exe
    c:\program files\Dell Support Center\bin\sprtsvc.exe
    c:\windows\system32\stacsv.exe
    c:\windows\system32\wscntfy.exe
    c:\program files\Lexmark X6100 Series\lxbfbmon.exe
    c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
    c:\program files\LogMeIn\x86\LMIGuardian.exe
    c:\program files\AOL 9.1\waol.exe
    c:\program files\iPod\bin\iPodService.exe
    c:\program files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
    c:\program files\AOL 9.1\shellmon.exe
    .
    **************************************************************************
    .
    Completion time: 2009-04-09 9:16:38 - machine was rebooted [dee]
    ComboFix-quarantined-files.txt 2009-04-09 13:16:35

    Pre-Run: 120,889,339,904 bytes free
    Post-Run: 120,839,860,224 bytes free

    WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT= "Microsoft Windows Recovery Console" /cmdcons
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS= "Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect /usepmtimer

    312 --- E O F --- 2009-03-15 03:46:43
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 9:20:30 AM, on 4/9/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\System32\WLTRYSVC.EXE
    C:\WINDOWS\System32\bcmwltry.exe
    C:\WINDOWS\system32\brss01a.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Google\Update\GoogleUpdate.exe
    C:\Program Files\LogMeIn\x86\RaMaint.exe
    C:\Program Files\LogMeIn\x86\LogMeIn.exe
    C:\Program Files\LogMeIn\x86\LMIGuardian.exe
    C:\Program Files\Norton Ghost\Agent\VProSvc.exe
    C:\WINDOWS\system32\PSIService.exe
    C:\Program Files\Dell Support Center\bin\sprtsvc.exe
    C:\WINDOWS\system32\StacSV.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Norton Ghost\Shared\Drivers\SymSnapService.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\system32\WLTRAY.exe
    C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    C:\Program Files\Common Files\AOL\1213497838\ee\AOLSoftware.exe
    C:\Program Files\Norton Ghost\Agent\VProTray.exe
    C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
    C:\Program Files\Lexmark X6100 Series\lxbfbmgr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\Dell Support Center\bin\sprtcmd.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\Program Files\Lexmark X6100 Series\lxbfbmon.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
    C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\Program Files\LogMeIn\x86\LMIGuardian.exe
    C:\Program Files\AOL 9.1\waol.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
    C:\Program Files\AOL 9.1\shellmon.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://runonce.msn.com/?v=msgrv75
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
    O2 - BHO: RoboForm - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
    O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
    O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
    O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
    O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
    O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
    O4 - HKLM\..\Run: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1213497838\ee\AOLSoftware.exe
    O4 - HKLM\..\Run: [Norton Ghost 14.0] "C:\Program Files\Norton Ghost\Agent\VProTray.exe"
    O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
    O4 - HKLM\..\Run: [Lexmark X6100 Series] "C:\Program Files\Lexmark X6100 Series\lxbfbmgr.exe"
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [dellsupportcenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P dellsupportcenter
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
    O4 - HKLM\..\Run: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\isuspm.exe -startup
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
    O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\AOL 9.1\AOL.EXE" -b
    O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 5.0\resources\en-us\local\search.html
    O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
    O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
    O8 - Extra context menu item: Open with WordPerfect - C:\Program Files\WordPerfect Office X3\Programs\WPLauncher.hta
    O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
    O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
    O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
    O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
    O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
    O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
    O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
    O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,77,65,62,5c,72,65,6c-,61,74,65,64,2e,68,74,6d,00 (file missing)
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,77,65,62,5c,72,65,6c-,61,74,65,64,2e,68,74,6d,00 (file missing)
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.nl/scanforvirus-en/kavwebscan_unicode.cab
    O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file://C:\Program Files\Book of Legends\Images\stg_drm.ocx
    O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase5483.cab
    O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
    O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file://C:\Program Files\Masters of Mystery - Crime of Fashion\Images\armhelper.ocx
    O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\514\G2AWinLogon.dll
    O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
    O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\514\g2aservice.exe
    O23 - Service: Google Update Service (gupdate1c9b2e1ff071fd4) (gupdate1c9b2e1ff071fd4) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
    O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
    O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Norton Ghost\Agent\VProSvc.exe
    O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
    O23 - Service: SupportSoft Sprocket Service (DellSupportCenter) (sprtsvc_DellSupportCenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
    O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\WINDOWS\system32\StacSV.exe
    O23 - Service: SymSnapService - Symantec - C:\Program Files\Norton Ghost\Shared\Drivers\SymSnapService.exe
    O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

    --
    End of file - 13243 bytes
     
  16. 2009/04/09
    Juliet (Well-Known Member)
    Welcome back


    Open HijackThis, click Do a system scan only, and checkmark these. Then close all other windows and browsers except HijackThis and press Fix checked.

    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,77,65,62,5c,72,65,6c-,61,74,65,64,2e,68,74,6d,00 (file missing)
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,77,65,62,5c,72,65,6c-,61,74,65,64,2e,68,74,6d,00 (file missing)



    The following are not necessarily spyware/malware, but we suggest you place a check mark next to the following entries, as these programs may be taking up system resources.

    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    (Description: InstallShield updater - not needed at startup. Removing this may free up system resources.)

    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
    (Description: Sun Java update scheduler. Checks for updates. Not necessary. Removing this entry will free up a small amount of system resources.)

    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    ~~~~~~~~~~~~~~~~
    Now reboot the computer to set the registry.



    NEXT**
    I'd like for you to run this next online scan to check for remnants or anything that might be hidden.
    The below scan can take up to an hour or longer, please be patient.

    *Note
    It is recommended to disable your onboard antivirus and antispyware programs while performing scans, so there are no conflicts and to speed up scan time.
    Please don't go surfing while your resident protection is disabled!
    Once scan is finished remember to re-enable resident antivirus protection along with whatever antispyware app you use.


    Using Internet Explorer, visit http://www.kaspersky.com/service?chapter=161739400

    Other available links
    Kaspersky Online Scanner or from here
    http://www.kaspersky.com/virusscanner

    Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

    Click on the Accept button and install any components it needs.

    • The program will install and then begin downloading the latest definition files.
    • After the files have been downloaded, on the left side of the page in the Scan section select My Computer.
    • This will start the program and scan your system.
    • The scan will take a while, so be patient and let it run. (At times it may appear to stall.)
    • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
    • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
    • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
    • Once the scan is complete, click on View scan report. To obtain the report:
    Click on: Save Report As
    Next, in the Save as prompt, Save in area, select: Desktop
    In the File name area, use KScan, or something similar. In Save as type, click the drop arrow and select:
    Text file [*.txt]
    Then, click: Save
    Please post the Kaspersky Online Scanner Report in your reply.

    Animated tutorial
    http://i275.photobucket.com/albums/jj285/Bleeping/KAS/KAS9.gif

    (Note for Internet Explorer 7 users:
    If at any time you have trouble with the "Accept" button of the license, click on the "Zoom" tool located at the bottom right of the IE window and set the zoom to 75%. Once the license has been accepted, reset to 100%.)
    Or use Firefox with the IE-Tab plugin
    https://addons.mozilla.org/en-US/firefox/addon/1419


    In your next reply post:
    Kaspersky log
    New HJT log taken after the above scans have run


    You may need several replies to post the requested logs, otherwise they might get cut off.



    How's the computer now?
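    The instructions above amount to a triage rule: tick the entries HijackThis itself reports as orphaned ("(file missing)", "(no file)") and leave the rest to judgement. As an added example, not code from HijackThis or from the forum helper, the following Python parses log lines of the kind posted in this thread, decodes the regedit-style hex(2) (REG_EXPAND_SZ) dump behind the "Related" button so you can see what the orphan actually pointed at, lists the fix candidates, and lists every hook left under a given product folder (useful for the remote-control tools visible in these logs). The sample lines are copied from the log above; the folder passed to targets_under is chosen for the example.

```python
"""Parse HijackThis-style log lines and pick out the entries a helper would
tick as 'fix checked': orphans whose target file no longer exists.
Added example; not HijackThis code. Sample lines are copied from the log above."""
import re
from dataclasses import dataclass
from typing import List, Optional

ENTRY_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
HEX2_RE = re.compile(r"hex\(2\):([0-9A-Fa-f,\-]+)")
ORPHAN_MARKERS = ("(file missing)", "(no file)")

# Subset of the HijackThis log posted above (copied, not invented).
SAMPLE_LOG = [
    r"R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local",
    r"O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)",
    r"O2 - BHO: RoboForm - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll",
    r'O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"',
    r"O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,77,65,62,5c,72,65,6c-,61,74,65,64,2e,68,74,6d,00 (file missing)",
    r"O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,77,65,62,5c,72,65,6c-,61,74,65,64,2e,68,74,6d,00 (file missing)",
    r"O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\514\G2AWinLogon.dll",
    r"O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe",
]


@dataclass
class Entry:
    section: str            # R0, R1, O2, O4, O9, O20, O23 ...
    body: str               # text after "Oxx - "
    clsid: Optional[str]    # COM class id, if the entry carries one
    target: str             # file/URL the entry points at, hex(2) decoded
    orphan: bool            # HijackThis could not find the target


def decode_hex2(text: str) -> str:
    """Replace a regedit-style 'hex(2):' (REG_EXPAND_SZ) byte dump with its
    string. Bytes are single-byte ANSI; the hyphen is forum line-wrap debris."""
    def _sub(m):
        raw = m.group(1).replace("-", "")
        data = bytes(int(b, 16) for b in raw.split(",") if b)
        return data.split(b"\x00", 1)[0].decode("latin-1")
    return HEX2_RE.sub(_sub, text)


def parse_line(line: str) -> Optional[Entry]:
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    section, body = m.group("section"), m.group("body")
    orphan = any(marker in body for marker in ORPHAN_MARKERS)
    stripped = body
    for marker in ORPHAN_MARKERS:
        stripped = stripped.replace(marker, "")
    if section.startswith("R") and " = " in stripped:      # R0/R1: "key = value"
        target = stripped.split(" = ", 1)[1]
    elif section == "O4":                                  # O4: "[name] command"
        target = stripped.split("] ", 1)[-1]
    else:                                                  # "label - {clsid} - path"
        target = stripped.rsplit(" - ", 1)[-1]
    target = decode_hex2(target.strip()).strip('"')
    clsid = CLSID_RE.search(body)
    return Entry(section, body, clsid.group(0) if clsid else None, target, orphan)


def parse_log(lines: List[str]) -> List[Entry]:
    return [e for e in map(parse_line, lines) if e is not None]


def fix_candidates(lines: List[str]) -> List[Entry]:
    """Entries HijackThis reported as orphaned (target file or CLSID gone).
    These are the safe 'fix checked' picks; everything else needs judgement."""
    return [e for e in parse_log(lines) if e.orphan]


def targets_under(lines: List[str], folder: str) -> List[Entry]:
    """Entries whose target lives under a folder (case-insensitive), e.g. to
    list every hook a remote-control product has left on the machine."""
    prefix = folder.lower().rstrip("\\") + "\\"
    return [e for e in parse_log(lines) if e.target.lower().startswith(prefix)]


if __name__ == "__main__":
    for e in fix_candidates(SAMPLE_LOG):
        print(f"fix: {e.section} {e.clsid} -> {e.target!r}")
    for e in targets_under(SAMPLE_LOG, r"C:\Program Files\LogMeIn"):   # example folder
        print(f"hook under product folder: {e.section} {e.target}")
```

    Decoding the hex(2) value shows the two "Related" entries pointed at %SystemRoot%\web\related.htm, the file behind the old IE "Show Related Links" feature, which is why they are reported as missing and are harmless to fix. The targets_under check is the kind of inventory worth running on a box that carries LogMeIn and GoToAssist, since each leaves a Winlogon Notify DLL and a service that a scan of Run keys alone will not show.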
     
  17. 2009/04/10
    deester (Inactive Alumni, Thread Starter)
    KASPERSKY ONLINE SCANNER 7 REPORT
    Friday, April 10, 2009
    Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
    Kaspersky Online Scanner 7 version: 7.0.25.0
    Program database last update: Friday, April 10, 2009 03:31:53
    Records in database: 2029840
    Scan settings
    Scan using the following database extended
    Scan archives yes
    Scan mail databases yes
    Scan area My Computer
    C:\
    D:\
    Scan statistics
    Files scanned 163591
    Threat name 2
    Infected objects 9
    Suspicious objects 0
    Duration of the scan 02:37:54

    File name Threat name Threats count
    C:\Documents and Settings\dee\Desktop\worksnow.exe Infected: Trojan.Win32.Agent2.fft 1
    C:\_OTMoveIt\MovedFiles\04082009_110823\Documents and Settings\dee\Desktop\Kids_Flash_Games_75in1__AIO__ferrocan.rar Infected: Trojan-Dropper.Win32.VB.lhn 8
    The selected area was scanned.

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 2:09:06 AM, on 4/10/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\WLTRYSVC.EXE
    C:\WINDOWS\System32\bcmwltry.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\brsvc01a.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\brss01a.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\LogMeIn\x86\RaMaint.exe
    C:\Program Files\Google\Update\GoogleUpdate.exe
    C:\Program Files\LogMeIn\x86\LogMeIn.exe
    C:\Program Files\LogMeIn\x86\LMIGuardian.exe
    C:\Program Files\Norton Ghost\Agent\VProSvc.exe
    C:\WINDOWS\system32\PSIService.exe
    C:\Program Files\Dell Support Center\bin\sprtsvc.exe
    C:\WINDOWS\system32\StacSV.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Norton Ghost\Shared\Drivers\SymSnapService.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\system32\WLTRAY.exe
    C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe
    C:\Program Files\Common Files\AOL\1213497838\ee\AOLSoftware.exe
    C:\Program Files\Norton Ghost\Agent\VProTray.exe
    C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
    C:\Program Files\Lexmark X6100 Series\lxbfbmgr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\Dell Support Center\bin\sprtcmd.exe
    C:\Program Files\Lexmark X6100 Series\lxbfbmon.exe
    C:\Program Files\LogMeIn\x86\LMIGuardian.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
    C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Java\jre6\bin\java.exe
    C:\Program Files\AOL 9.1\waol.exe
    C:\Program Files\AOL 9.1\shellmon.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://runonce.msn.com/?v=msgrv75
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
    O2 - BHO: RoboForm - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
    O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
    O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
    O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
    O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
    O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
    O4 - HKLM\..\Run: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe
    O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1213497838\ee\AOLSoftware.exe
    O4 - HKLM\..\Run: [Norton Ghost 14.0] "C:\Program Files\Norton Ghost\Agent\VProTray.exe"
    O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
    O4 - HKLM\..\Run: [Lexmark X6100 Series] "C:\Program Files\Lexmark X6100 Series\lxbfbmgr.exe"
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [dellsupportcenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P dellsupportcenter
    O4 - HKLM\..\Run: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\isuspm.exe -startup
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
    O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
    O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\AOL 9.1\AOL.EXE" -b
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 5.0\resources\en-us\local\search.html
    O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
    O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
    O8 - Extra context menu item: Open with WordPerfect - C:\Program Files\WordPerfect Office X3\Programs\WPLauncher.hta
    O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
    O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
    O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
    O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
    O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
    O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
    O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
    O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.nl/scanforvirus-en/kavwebscan_unicode.cab
    O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file://C:\Program Files\Book of Legends\Images\stg_drm.ocx
    O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase5483.cab
    O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
    O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file://C:\Program Files\Masters of Mystery - Crime of Fashion\Images\armhelper.ocx
    O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\514\G2AWinLogon.dll
    O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
    O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\514\g2aservice.exe
    O23 - Service: Google Update Service (gupdate1c9b2e1ff071fd4) (gupdate1c9b2e1ff071fd4) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
    O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
    O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Norton Ghost\Agent\VProSvc.exe
    O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
    O23 - Service: SupportSoft Sprocket Service (DellSupportCenter) (sprtsvc_DellSupportCenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
    O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\WINDOWS\system32\StacSV.exe
    O23 - Service: SymSnapService - Symantec - C:\Program Files\Norton Ghost\Shared\Drivers\SymSnapService.exe
    O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

    --
    End of file - 12346 bytes
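The HijackThis log that ends above is fixed-format text: every entry reads `Onn - <kind>: <name> - <path>`, and only some sections (O2, O3, O9, O16) carry a `{CLSID}`. The following Python triage script is an added example for this thread; it is not code from the poster, from the helper, or from the HijackThis tool. It parses the entries, extracts the CLSID and the file path (stripping command-line arguments, honouring quoted paths, and coping with a path that itself contains " - ", as the ArmHelper O16 line does), and marks a few conditions for manual review. The sample input copies eight lines from the log above plus one constructed `O4` line that was not in the poster's log; the flag names and the heuristics behind them are my own choices, not anything HijackThis reports, and a flag means "verify by hand", not "malware".

```python
"""Triage of HijackThis-style log entries.

Added example for this thread; not code from the original post or from
HijackThis. The flags are review heuristics of my own choosing, not a
verdict: a flagged line means "look at this by hand", nothing more.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Sample input. The first eight lines are copied from the log above. The final
# "[updater]" line is CONSTRUCTED for this example to exercise the heuristics;
# it was not present in the poster's log.
SAMPLE_LOG = r"""
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file://C:\Program Files\Masters of Mystery - Crime of Fashion\Images\armhelper.ocx
O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\514\G2AWinLogon.dll
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O4 - HKCU\..\Run: [updater] C:\Documents and Settings\user\Local Settings\Temp\svchost.exe
"""

ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# Where a path or URL starts: URL scheme, drive letter, or %ENV% variable.
PATH_START_RE = re.compile(r"(?:file|https?|res)://|[A-Za-z]:\\|%[^%\\]+%\\")
# Where an unquoted path ends: after the file extension (arguments may follow).
EXT_RE = re.compile(r"\.(?:exe|dll|ocx|cab|hta|html?)\b", re.IGNORECASE)
SYSTEM32_RE = re.compile(r"^[a-z]:\\windows\\system32\\[^\\]+$")
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "services.exe", "winlogon.exe", "smss.exe"}
TEMP_MARKERS = ("\\temp\\", "\\temporary internet files\\", "\\recycler\\")


@dataclass
class Entry:
    section: str           # "O2", "O4", "O16", "O23", ...
    raw: str               # the original log line
    clsid: Optional[str]   # {GUID} when the section carries one
    path: str              # file path or URL, arguments stripped
    flags: List[str] = field(default_factory=list)


def program_path(text: str) -> str:
    """Return the path/URL part of an entry with any command-line arguments removed.

    Splitting on " - " is not safe: the ArmHelper path above contains " - " itself,
    so the path is located by where it starts rather than by separators.
    """
    m = PATH_START_RE.search(text)
    if not m:
        return ""
    start = m.start()
    tail = text[start:]
    if start > 0 and text[start - 1] == '"':
        return tail.split('"', 1)[0].strip()     # quoted path: up to the closing quote
    ext = EXT_RE.search(tail)
    return tail[: ext.end()] if ext else tail    # unquoted: stop after the extension


def review_flags(entry: Entry) -> List[str]:
    """Heuristic markers for manual review; none of them means 'malicious' on its own."""
    flags = []
    low = entry.path.lower()
    base = low.rsplit("\\", 1)[-1]
    if entry.section == "O23" and " - Unknown owner - " in entry.raw:
        flags.append("unknown_owner")          # no vendor name could be read from the file
    if entry.section == "O16" and low.startswith("file://"):
        flags.append("local_activex")          # ActiveX control registered from a local file
    if entry.section == "O20":
        flags.append("winlogon_notify")        # DLL loaded into winlogon.exe at logon
    if any(marker in low for marker in TEMP_MARKERS):
        flags.append("temp_dir")               # autostart from a temporary directory
    if base in SYSTEM_NAMES and not SYSTEM32_RE.match(low):
        flags.append("system_name_elsewhere")  # system process name outside System32
    return flags


def parse_log(text: str) -> List[Entry]:
    """Parse every 'Onn - ...' line; headers, blanks and 'End of file' are skipped."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue
        section, rest = m.groups()
        clsid = CLSID_RE.search(rest)
        entry = Entry(section, line, clsid.group(0) if clsid else None, program_path(rest))
        entry.flags = review_flags(entry)
        entries.append(entry)
    return entries


def review(text: str) -> List[Entry]:
    """Only the entries that carry at least one review flag."""
    return [e for e in parse_log(text) if e.flags]


if __name__ == "__main__":
    for e in review(SAMPLE_LOG):
        print(f"{e.section:<4} {', '.join(e.flags):<32} {e.path}")
```

Run against the sample, `review()` returns four entries: the local-file ActiveX control, the Winlogon notification DLL, the service whose vendor could not be read, and the constructed Temp\svchost.exe autostart. The ProtexisLicensing and GoToAssist lines are legitimate software on this machine; they appear only because the heuristics cannot tell that from the log line alone, which is exactly why the output is a review list and not a removal list.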
     
  18. 2009/04/10
    Juliet
    How's the computer now?
     
  19. 2009/04/10
    deester
    Seems to be working fine.
     
  20. 2009/04/10
    Juliet
    Good deal


    Don't miss or skip this next step: it will remove malicious files from quarantine and set a clean restore point.
    • Click START then RUN
    • Now type Combofix /u in the runbox and click OK. Note the space between the x and the /u, it needs to be there.
    Example below:

    [image: the Run box with "Combofix /u" typed in]

    NEXT
    Next open OTMoveIt, then click on "CleanUp!".
    If you receive a warning from your Firewall, please allow it.
    In the left pane, it will display a list of tools and other related files which you may have downloaded/used during our cleanup, plus backup folders that were created with the bad files present. They are not needed anymore, so OTMoveIt will delete them.
    Do not edit anything in that Window!
    Don't worry if it displays some tools you didn't download/use.
    Click Yes when it asks to begin the cleanup process.

    Then reboot your computer.

    You're good to go, good job!

    Please take the time to read over a few of my preventive tips.


    Please navigate to Microsoft Windows Updates and download all the "Critical Updates" for Windows.


    Firefox 3
    The award-winning Web browser is now faster, more secure, and fully customizable to your online life. Firefox 2 added powerful new features that make your online experience even better. It has more features and is a lot more secure than IE. It is a very easy and painless download and install; it will in no way interfere with IE, and you can use them both.
    *NoScript - Add-on for Firefox that stops all scripts from running on websites. Stops malicious software from invading via Flash, Java, JavaScript, and many other entry points.

    How to prevent Malware: Created by Miekiemoes

    Here are some additional utilities that will further enhance your safety.
    # http://www.trillian.cc → Trillian or http://www.miranda-im.com → Miranda-IM - These are malware-free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)


    Read this article 'Safe Computing Practices'.
    So how did I get infected in the first place?

    Secure My Computer: A Layered Approach

    Strong passwords: How to create and use them

    Free Antivirus-AntiSpyware-Firewall Software
    Slow Computer May Not Be Malware Related, Help! My computer is slow!
    http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html


    PC Safety and Security--What Do I Need?
    http://www.techsupportforum.com/sec...115548-pc-safety-security-what-do-i-need.html

    Stand Up and Be Counted ---> Malware Complaints <--- where you can make a difference!
    This site offers people who have been (or are) victims of malware the opportunity to document their story.

    Extra note:
    Make sure your programs are up to date - because older versions may contain Security Leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan. http://secunia.com/software_inspector/
     
  21. 2009/04/10
    deester
    Thanks Juliet for all your help.

    DEe
     