
Solved Unable to use IE & backdoor.bot won't delete

Discussion in 'Malware and Virus Removal Archive' started by Xpress, 2009/03/02.

  1. 2009/03/02
    Xpress Inactive Thread Starter

    Joined:
    2009/03/01
    Messages:
    28
    Likes Received:
    0
    [Resolved] Unable to use IE & backdoor.bot won't delete

    I posted in the other thread but I need to start my own thread about my particular type of problem. I downloaded the DDS app and tried to use it, but it can't locate my notepad, which is ON THE DESKTOP!! :mad:

    My problem is that whenever I open IE it shows a blank page; it won't operate, it won't search, and it'll only close with ctrl+alt+del. I thought it had to do with the blank:page virus, so I looked online and followed the instructions to remove it from the registry successfully. But even though I've done that, the backdoor.bot virus will not go away and is still rendering my IE unusable. Right now I am using Firefox.

    To clean it up:
    Disabled system restore
    Disk Clean-up
    Scanned with Malware
    Spybot S&D
    AVG
     
  2. 2009/03/03
    Xpress Inactive Thread Starter
    Thx Juliet. Here's my dds.txt:

    DDS (Ver_09-02-01.01) - NTFSx86
    Run by Owner at 15:12:42.71 on Tue 03/03/2009
    Internet Explorer: 8.0.6001.18372 BrowserJavaVersion: 1.6.0_11
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.503.86 [GMT -8:00]

    AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)

    ============== Running Processes ===============

    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
    svchost.exe
    svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
    C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40ST7.EXE
    C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40RP7.EXE
    C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
    C:\WINDOWS\system32\SAgent4.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\PROGRA~1\AVG\AVG8\avgrsx.exe
    C:\PROGRA~1\AVG\AVG8\avgnsx.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\pctspk.exe
    C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\PROGRA~1\EPSONS~1\EVENTM~1\EEventManager.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\PROGRA~1\AVG\AVG8\avgtray.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Sprint Instinct Applications\MEMonitor.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Documents and Settings\Owner\Desktop\New Folder\dds.scr

    ============== Pseudo HJT Report ===============

    uWindow Title = Microsoft Internet Explorer presented by Comcast
    uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
    uSearch Bar = hxxp://search.bearshare.com/sidebar.html?src=ssb
    mWindow Title = Microsoft Internet Explorer presented by Comcast
    uInternet Settings,ProxyOverride = *.local
    BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
    BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
    BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
    BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
    BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\4.1.805.4472\swg.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    TB: Veoh Web Player Video Finder: {0fbb9689-d3d7-4f7a-a2e2-585b10099bfc} - c:\program files\veoh networks\veohwebplayer\VeohIEToolbar.dll
    TB: {9114A113-790C-8888-6FB7-D9B4CC3CB41F} - No File
    TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
    TB: {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - No File
    TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
    TB: {D3DEE18F-DB64-4BEB-9FF1-E1F0A5033E4A} - No File
    EB: &Research: {ff059e31-cc5a-4e2e-bf3b-96e929d65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
    uRun: [msnmsgr] "c:\program files\msn messenger\msnmsgr.exe" /background
    uRun: [Uniblue RegistryBooster 2] c:\program files\uniblue\registrybooster 2\RegistryBooster.exe /S
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    uRunServices: [UpdateWin] c:\windows\system32\activedsx.exe
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
    mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
    mRun: [PCTVOICE] pctspk.exe
    mRun: [Adobe Photo Downloader] "c:\program files\adobe\photoshop album starter edition\3.0\apps\apdproxy.exe"
    mRun: [AdobeCS4ServiceManager] "c:\program files\common files\adobe\cs4servicemanager\CS4ServiceManager.exe" -launchedbylogin
    mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
    mRun: [EEventManager] c:\progra~1\epsons~1\eventm~1\EEventManager.exe
    mRun: [SoundMan] SOUNDMAN.EXE
    mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
    mRunServices: [UpdateWin] c:\windows\system32\activedsx.exe
    StartupFolder: c:\docume~1\owner\startm~1\programs\startup\epsona~1.lnk - d:\common\epsonreg\Epkick.exe
    StartupFolder: c:\docume~1\owner\startm~1\programs\startup\sprint~1.lnk - c:\windows\RM.exe
    StartupFolder: c:\documents and settings\all users\start menu\programs\startup\Adobe Reader Speed Launch.lnk.disabled
    StartupFolder: c:\documents and settings\all users\start menu\programs\startup\Kodak EasyShare software.lnk.disabled
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
    StartupFolder: c:\documents and settings\all users\start menu\programs\startup\MiniEYE-MiniREAD Launch .lnk.disabled
    uPolicies-explorer: ForceActiveDesktopOn = 0 (0x0)
    IE: {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/
    IE: {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
    IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
    DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
    DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
    DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.4.1.cab
    DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase8300.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://dl8-cdn-01.sun.com/s/ESD5/JSCDL/jre/6u11-b90/jinstall-6u11-windows-i586-jc.cab?e=1233423749976&h=10203cf41da0e482e3764280d27692bb/&filename=jinstall-6u11-windows-i586-jc.cab
    DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
    DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
    TCP: NameServer = 208.67.220.220,208.67.222.222
    TCP: {93AFF8A7-2782-47C8-8EB0-219C14CDC0ED} = 208.67.220.220,208.67.222.222
    TCP: {B01A2396-58D0-4382-ABF4-7E8B21CD2807} = 208.67.220.220,208.67.222.222
    Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
    Notify: avgrsstarter - avgrsstx.dll
    Notify: LBTWlgn - c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
    AppInit_DLLs: c:\progra~1\google\google~1\GOEC62~1.DLL
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll

    ================= FIREFOX ===================

    FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\51g7s3oe.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
    FF - prefs.js: browser.search.selectedEngine - Search
    FF - prefs.js: browser.startup.homepage - google.com
    FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
    FF - plugin: c:\program files\google\google updater\2.4.1368.5602\npCIDetect13.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npclntax_ZangoSA.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\nphssb.dll
    FF - plugin: c:\program files\quicktime\plugins\npqtplugin8.dll
    FF - plugin: c:\program files\veoh networks\veohwebplayer\NPVeohTVPlugin.dll
    FF - plugin: c:\program files\veoh networks\veohwebplayer\npWebPlayerVideoPluginATL.dll

    ============= SERVICES / DRIVERS ===============

    R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-3-1 325128]
    R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-3-1 27656]
    R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-3-1 107272]
    R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-3-1 298264]
    R2 Nero BackItUp Scheduler 4.0;Nero BackItUp Scheduler 4.0;c:\program files\common files\nero\nero backitup 4\NBService.exe [2008-12-5 935208]
    S1 SASKUTIL;SASKUTIL;\??\c:\program files\superantispyware\saskutil.sys --> c:\program files\superantispyware\SASKUTIL.sys [?]
    S3 FarStoneFireWallDrive;FarStoneFireWallDrive;c:\windows\system32\drivers\fardrive.sys --> c:\windows\system32\drivers\FarDrive.sys [?]
    S3 fvirjzac;fvirjzac;c:\windows\system32\drivers\fvirjzac.sys --> c:\windows\system32\drivers\fvirjzac.sys [?]

    =============== Created Last 30 ================

    2009-03-03 15:12 50,960 a------- c:\windows\OLD18.tmp
    2009-03-02 07:57 69,120 ac------ c:\windows\system32\dllcache\notepad.exe
    2009-03-02 07:57 69,120 a------- c:\windows\notepad.exe
    2009-03-01 16:39 <DIR> --d-h--- C:\$AVG8.VAULT$
    2009-03-01 15:35 107,272 a------- c:\windows\system32\drivers\avgtdix.sys
    2009-03-01 15:35 10,520 a------- c:\windows\system32\avgrsstx.dll
    2009-03-01 15:35 325,128 a------- c:\windows\system32\drivers\avgldx86.sys
    2009-03-01 15:35 <DIR> --d----- c:\windows\system32\drivers\Avg
    2009-03-01 15:34 <DIR> --d----- c:\program files\AVG
    2009-03-01 15:34 <DIR> --d----- c:\docume~1\alluse~1\applic~1\avg8
    2009-03-01 15:22 <DIR> --d----- c:\docume~1\owner\applic~1\True Sword
    2009-03-01 15:20 <DIR> --d----- c:\program files\True Sword 5
    2009-02-28 22:37 4,767 a------- c:\windows\Irremote.ini
    2009-02-28 22:02 <DIR> --d----- c:\program files\Nero
    2009-02-28 22:01 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Nero
    2009-02-28 18:20 <DIR> --d----- C:\RecoveryCD
    2009-02-28 17:14 <DIR> --d----- c:\program files\CCleaner
    2009-02-28 13:41 <DIR> -cd-h--- c:\windows\ie8
    2009-02-28 12:42 14,336 a------- c:\windows\system32\ff_vfw.dll
    2009-02-28 12:42 547 a------- c:\windows\system32\ff_vfw.dll.manifest
    2009-02-28 12:42 60,273 a------- c:\windows\system32\pthreadGC2.dll
    2009-02-28 12:42 <DIR> --d----- c:\program files\ffdshow
    2009-02-28 12:03 <DIR> --d----- c:\program files\Veoh Networks
    2009-02-24 21:05 1,089,593 -c------ c:\windows\system32\dllcache\ntprint.cat
    2009-02-15 22:14 <DIR> --d----- c:\documents and settings\owner\.thumbnails
    2009-02-15 22:13 <DIR> --d----- c:\documents and settings\owner\.gimp-2.6
    2009-02-15 22:12 <DIR> --d----- c:\documents and settings\owner\.gegl-0.0
    2009-02-15 22:10 <DIR> --d----- c:\program files\GIMP-2.0
    2009-02-12 23:21 131,072 a------- c:\windows\system32\SAgent4.exe
    2009-02-10 21:07 32,768 a------- c:\windows\system32\Wnaspi32.dll
    2009-02-10 21:07 57,344 a------- c:\windows\system32\Wnaspint.dll
    2009-02-10 21:07 <DIR> --d----- c:\docume~1\owner\applic~1\Acoustica
    2009-02-10 21:07 <DIR> --d----- c:\program files\Acoustica MP3 CD Burner
    2009-02-10 12:40 <DIR> --d----- c:\docume~1\owner\applic~1\Camfrog
    2009-02-06 00:27 <DIR> --d----- c:\program files\Realtek AC97
    2009-02-05 23:24 1,123,696 a------- c:\windows\system32\D3DCompiler_33.dll
    2009-02-05 23:12 <DIR> --d-h--- c:\windows\msdownld.tmp
    2009-02-05 23:12 <DIR> --d----- c:\windows\Logs
    2009-02-03 11:55 <DIR> --dsh--- c:\documents and settings\owner\IECompatCache
    2009-02-03 11:53 <DIR> --dsh--- c:\documents and settings\owner\PrivacIE
    2009-02-03 11:53 <DIR> --dsh--- c:\documents and settings\owner\IETldCache
    2009-02-03 11:50 0 a------- c:\windows\EEventManager.INI
    2009-02-03 11:49 <DIR> --d----- c:\windows\ie8updates
    2009-02-03 11:43 79,360 -c------ c:\windows\system32\dllcache\iecompat.dll
    2009-02-03 11:20 <DIR> --d----- c:\program files\common files\EPSON
    2009-02-03 10:21 <DIR> --d----- c:\program files\Epson Software
    2009-02-03 10:20 <DIR> --d----- c:\program files\EpsonNet
    2009-02-03 10:19 86,528 a------- c:\windows\system32\E_FLBEKA.DLL
    2009-02-03 10:19 78,848 a------- c:\windows\system32\E_FD4BEKA.DLL
    2009-02-03 10:18 9,216 a------- c:\windows\system32\escdev.dll
    2009-02-03 10:17 79 a------- c:\windows\EPWF600.ini

    ==================== Find3M ====================

    2009-01-31 00:50 34 a------- c:\documents and settings\owner\jagex_runescape_preferences.dat
    2009-01-29 12:35 4,706 a------- c:\windows\system32\PerfStringBackup.TMP
    2009-01-16 16:24 348,160 a------- c:\windows\system32\msvcr71.dll
    2009-01-16 16:24 499,712 a------- c:\windows\system32\msvcp71.dll
    2009-01-15 02:05 911,872 a------- c:\windows\system32\wininet.dll
    2009-01-15 02:05 43,008 a------- c:\windows\system32\licmgr10.dll
    2009-01-15 02:04 18,944 a------- c:\windows\system32\corpol.dll
    2009-01-15 02:03 420,352 a------- c:\windows\system32\vbscript.dll
    2009-01-15 02:03 72,704 a------- c:\windows\system32\admparse.dll
    2009-01-15 02:03 71,680 a------- c:\windows\system32\iesetup.dll
    2009-01-15 02:01 34,304 a------- c:\windows\system32\imgutil.dll
    2009-01-15 02:00 48,128 a------- c:\windows\system32\mshtmler.dll
    2009-01-15 02:00 45,568 a------- c:\windows\system32\mshta.exe
    2009-01-15 01:50 156,160 a------- c:\windows\system32\msls31.dll
    2009-01-11 14:27 410,984 a------- c:\windows\system32\deploytk.dll
    2009-01-09 18:39 4,096 a------- c:\windows\d3dx.dat
    2009-01-04 18:38 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
    2009-01-04 18:38 15,504 a------- c:\windows\system32\drivers\mbam.sys
    2006-04-02 22:26 9,583,368 a------- c:\documents and settings\owner\DesktopDoctor1.5.1.exe

    ============= FINISH: 15:14:09.64 ===============
     


  4. 2009/03/03
    Juliet Well-Known Member

    Joined:
    2008/09/15
    Messages:
    976
    Likes Received:
    6
    Hi and welcome

    Download Combofix from any of the links below.

    Save it to your desktop.

    Link 1
    Link 2
    Link 3


    Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
    (Click on this link to see a list of programs that should be disabled.)
    http://www.bleepingcomputer.com/forums/topic114351.html


    Double click on Combo-Fix.exe & follow the prompts.

    Please allow ComboFix to install, if needed, Windows Recovery Console. It is a simple procedure that will only take a few moments of your time.

    No Validation is Required.

    The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.



    ** Please Note:
    At times ComboFix may appear to stall, please be patient.
    • When finished, it will produce a report for you.
    • Please post the C:\ComboFix.txt along with a HijackThis log so we can continue cleaning the system.

    Please only run the tool once, ty.

    Extra note: After you have installed the Recovery Console - if you reboot your computer, right after reboot, you'll see the option for the Recovery Console now as well.
    Don't select to run the Recovery Console as we don't need it.
    By default, your main OS is selected there. The screen stays for 2 seconds and then it proceeds to load Windows.

    You may need several replies to post the requested logs, otherwise they might get cut off.
     
  5. 2009/03/03
    Xpress Inactive Thread Starter
    Thunder Thunder Thunder Thunder CATS!!!! lolz That's what the combofix tool reminded me of

    Here *** iz!!!!!!


    ComboFix 09-03-02.03 - Owner 2009-03-03 16:10:53.1 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.503.123 [GMT -8:00]
    Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\Owner\Desktop\ComboFix.exe
    AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)
    * Created a new restore point
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\program files\Mozilla Firefox\plugins\npclntax_ZangoSA.dll
    c:\recycler\desktop.ini
    c:\windows\patch.exe
    c:\windows\system32\adsmchkc.dll
    c:\windows\system32\dumphive.exe
    c:\windows\system32\msodae.dll
    c:\windows\system32\Process.exe
    c:\windows\system32\pthreadGC2.dll
    c:\windows\system32\SrchSTS.exe

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Legacy_SVCPROC


    ((((((((((((((((((((((((( Files Created from 2009-02-04 to 2009-03-04 )))))))))))))))))))))))))))))))
    .

    2009-03-02 07:57 . 2008-04-13 16:12 69,120 --a--c--- c:\windows\system32\dllcache\notepad.exe
    2009-03-02 07:57 . 2008-04-13 16:12 69,120 --a------ c:\windows\notepad.exe
    2009-03-01 16:39 . 2009-03-03 12:32 <DIR> d--h----- C:\$AVG8.VAULT$
    2009-03-01 15:35 . 2009-03-03 09:24 <DIR> d-------- c:\windows\system32\drivers\Avg
    2009-03-01 15:35 . 2009-03-01 15:35 325,128 --a------ c:\windows\system32\drivers\avgldx86.sys
    2009-03-01 15:35 . 2009-03-01 15:35 107,272 --a------ c:\windows\system32\drivers\avgtdix.sys
    2009-03-01 15:35 . 2009-03-01 15:35 10,520 --a------ c:\windows\system32\avgrsstx.dll
    2009-03-01 15:34 . 2009-03-01 15:34 <DIR> d-------- c:\program files\AVG
    2009-03-01 15:34 . 2009-03-01 15:34 <DIR> d-------- c:\documents and settings\All Users\Application Data\avg8
    2009-03-01 15:22 . 2009-03-01 15:22 <DIR> d-------- c:\documents and settings\Owner\Application Data\True Sword
    2009-03-01 15:20 . 2009-03-01 22:40 <DIR> d-------- c:\program files\True Sword 5
    2009-03-01 14:03 . 2009-03-01 14:03 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Malwarebytes
    2009-03-01 13:25 . 2009-03-01 22:41 <DIR> d-a------ c:\documents and settings\All Users\Application Data\TEMP
    2009-03-01 11:17 . 2009-03-01 11:18 <DIR> d-------- c:\documents and settings\Owner\Application Data\Nero
    2009-02-28 22:37 . 2009-02-28 22:37 4,767 --a------ c:\windows\Irremote.ini
    2009-02-28 22:32 . 2009-02-28 22:32 <DIR> d-------- c:\program files\Windows Sidebar
    2009-02-28 22:02 . 2009-02-28 22:35 <DIR> d-------- c:\program files\Nero
    2009-02-28 22:01 . 2009-02-28 23:04 <DIR> d-------- c:\program files\Common Files\Nero
    2009-02-28 22:01 . 2009-02-28 22:18 <DIR> d-------- c:\documents and settings\All Users\Application Data\Nero
    2009-02-28 18:20 . 2009-02-28 18:21 <DIR> d-------- C:\RecoveryCD
    2009-02-28 17:48 . 2009-02-28 17:48 0 --a------ c:\windows\nsreg.dat
    2009-02-28 17:46 . 2009-02-28 17:46 <DIR> d--hs---- c:\documents and settings\Administrator\PrivacIE
    2009-02-28 17:46 . 2009-02-28 17:46 <DIR> d--hs---- c:\documents and settings\Administrator\IETldCache
    2009-02-28 17:14 . 2009-02-28 17:14 <DIR> d-------- c:\program files\RegCure
    2009-02-28 17:14 . 2009-02-28 17:14 <DIR> d-------- c:\program files\CCleaner
    2009-02-28 13:41 . 2009-02-28 13:42 <DIR> d--h-c--- c:\windows\ie8
    2009-02-28 12:42 . 2009-02-28 12:42 <DIR> d-------- c:\program files\ffdshow
    2009-02-28 12:42 . 2008-08-22 17:57 14,336 --a------ c:\windows\system32\ff_vfw.dll
    2009-02-28 12:42 . 2008-08-10 11:55 547 --a------ c:\windows\system32\ff_vfw.dll.manifest
    2009-02-28 12:03 . 2009-02-28 12:03 <DIR> d-------- c:\program files\Veoh Networks
    2009-02-26 18:51 . 2009-02-26 18:51 <DIR> d--hs---- c:\documents and settings\NetworkService\IETldCache
    2009-02-24 21:05 . 2009-01-09 11:19 1,089,593 -----c--- c:\windows\system32\dllcache\ntprint.cat
    2009-02-15 22:14 . 2009-03-03 09:45 <DIR> d-------- c:\documents and settings\Owner\Application Data\gtk-2.0
    2009-02-15 22:14 . 2009-02-23 10:31 <DIR> d-------- c:\documents and settings\Owner\.thumbnails
    2009-02-15 22:13 . 2009-03-03 09:45 <DIR> d-------- c:\documents and settings\Owner\.gimp-2.6
    2009-02-15 22:12 . 2009-02-15 22:13 <DIR> d-------- c:\documents and settings\Owner\.gegl-0.0
    2009-02-15 22:10 . 2009-02-15 22:10 <DIR> d-------- c:\program files\GIMP-2.0
    2009-02-12 23:21 . 2006-12-19 01:14 131,072 --a------ c:\windows\system32\SAgent4.exe
    2009-02-10 21:07 . 2009-02-10 21:07 <DIR> d-------- c:\program files\Acoustica MP3 CD Burner
    2009-02-10 21:07 . 2009-02-10 21:07 <DIR> d-------- c:\documents and settings\Owner\Application Data\Acoustica
    2009-02-10 21:07 . 2007-08-07 11:32 57,344 --a------ c:\windows\system32\Wnaspint.dll
    2009-02-10 21:07 . 2007-08-07 10:58 32,768 --a------ c:\windows\system32\Wnaspi32.dll
    2009-02-10 12:40 . 2009-02-10 12:40 <DIR> d-------- c:\documents and settings\Owner\Application Data\Camfrog
    2009-02-06 00:27 . 2009-02-06 00:27 <DIR> d-------- c:\program files\Realtek AC97
    2009-02-05 23:24 . 2007-03-12 16:42 3,495,784 --a------ c:\windows\system32\d3dx9_33.dll
    2009-02-05 23:12 . 2009-02-05 23:23 <DIR> d--h----- c:\windows\msdownld.tmp
    2009-02-05 23:12 . 2009-02-05 23:12 <DIR> d-------- c:\windows\Logs

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-03-03 11:20 --------- d-----w c:\documents and settings\All Users\Application Data\Google Updater
    2009-03-01 11:39 --------- d-----w c:\program files\Joost
    2009-02-26 23:24 --------- d-----w c:\program files\Spybot - Search & Destroy
    2009-02-26 23:24 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
    2009-02-26 20:37 --------- d-----w c:\program files\Microsoft Silverlight
    2009-02-13 07:25 --------- d-----w c:\documents and settings\Owner\Application Data\Epson
    2009-02-06 08:21 --------- d-----w c:\program files\Sprint Instinct Applications
    2009-02-06 06:38 --------- d--h--w c:\program files\InstallShield Installation Information
    2009-02-06 06:38 --------- d-----w c:\program files\EpsonNet
    2009-02-06 06:31 --------- d-----w c:\documents and settings\All Users\Application Data\EPSON
    2009-02-03 19:20 --------- d-----w c:\program files\Common Files\EPSON
    2009-02-03 18:21 --------- d-----w c:\program files\Epson Software
    2009-02-03 18:21 --------- d-----w c:\program files\EPSON
    2009-02-02 10:43 --------- d-----w c:\program files\iTunes
    2009-02-01 22:38 --------- d-----w c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
    2009-02-01 22:37 --------- d-----w c:\program files\iPod
    2009-02-01 22:37 --------- d-----w c:\program files\Common Files\Apple
    2009-02-01 22:34 --------- d-----w c:\program files\Bonjour
    2009-02-01 22:33 --------- d-----w c:\program files\QuickTime
    2009-02-01 22:29 --------- d-----w c:\program files\Apple Software Update
    2009-02-01 22:28 --------- d-----w c:\documents and settings\All Users\Application Data\Apple
    2009-01-31 08:50 34 ----a-w c:\documents and settings\Owner\jagex_runescape_preferences.dat
    2009-01-30 01:37 --------- d-----w c:\program files\Yahoo!
    2009-01-30 01:37 --------- d-----w c:\documents and settings\All Users\Application Data\Yahoo!
    2009-01-29 20:30 --------- d-----w c:\program files\Reference Assemblies
    2009-01-29 20:30 --------- d-----w c:\program files\MSBuild
    2009-01-26 22:57 --------- d-----w c:\program files\ABBYY FineReader 6.0 Sprint
    2009-01-20 03:41 --------- d-----w c:\program files\Valve
    2009-01-20 00:02 --------- d-----w c:\program files\McAfee.com
    2009-01-20 00:00 --------- d-----w c:\documents and settings\All Users\Application Data\FLEXnet
    2009-01-19 23:30 --------- d-----w c:\program files\Watchtower
    2009-01-19 23:25 --------- d-----w c:\program files\RealRhapsody
    2009-01-18 00:30 --------- d-----w c:\program files\Common Files\Adobe
    2009-01-18 00:17 --------- d-----w c:\program files\Common Files\Macrovision Shared
    2009-01-18 00:16 --------- d-----w c:\documents and settings\Owner\Application Data\Download Manager
    2009-01-17 00:25 --------- d-----w c:\program files\Common Files\xing shared
    2009-01-17 00:25 --------- d-----w c:\program files\Common Files\Real
    2009-01-12 03:48 --------- d-----w c:\documents and settings\Owner\Application Data\GarageGames
    2009-01-11 22:27 --------- d-----w c:\program files\Java
    2009-01-09 19:14 --------- d-----w c:\documents and settings\Owner\Application Data\ArcSoft
    2009-01-09 19:14 --------- d-----w c:\documents and settings\All Users\Application Data\Kodak
    2009-01-09 19:13 --------- d-----w c:\documents and settings\All Users\Application Data\ArcSoft
    2009-01-09 19:12 --------- d-----w c:\program files\Common Files\ArcSoft
    2009-01-09 19:12 --------- d-----w c:\program files\ArcSoft
    2009-01-09 19:11 --------- d-----w c:\program files\Kodak
    2009-01-09 19:09 --------- d-----w c:\program files\Common Files\Kodak
    2009-01-09 17:55 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
    2009-01-05 02:38 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
    2009-01-05 02:38 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
    2006-04-03 06:26 9,583,368 ----a-w c:\documents and settings\Owner\DesktopDoctor1.5.1.exe
    .

    ------- Sigcheck -------

    2005-05-25 11:07 359936 63fdfea54eb53de2d863ee454937ce1e c:\windows\$hf_mig$\KB893066\SP2QFE\tcpip.sys
    2006-01-13 09:07 360448 5562cc0a47b2aef06d3417b733f3c195 c:\windows\$hf_mig$\KB913446\SP2QFE\tcpip.sys
    2006-04-20 04:18 360576 b2220c618b42a2212a59d91ebd6fc4b4 c:\windows\$hf_mig$\KB917953\SP2QFE\tcpip.sys
    2008-06-20 02:44 360960 744e57c99232201ae98c49168b918f48 c:\windows\$hf_mig$\KB951748\SP2QFE\tcpip.sys
    2008-06-20 03:51 361600 9aefa14bd6b182d61e3119fa5f436d3d c:\windows\$hf_mig$\KB951748\SP3GDR\tcpip.sys
    2008-06-20 03:59 361600 ad978a1b783b5719720cff204b666c8e c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
    2008-06-20 02:45 360320 2a5554fc5b1e04e131230e3ce035c3f9 c:\windows\$NtServicePackUninstall$\tcpip.sys
    2004-08-04 04:00 359040 9f4b36614a0fc234525ba224957de55c c:\windows\$NtUninstallKB917953$\tcpip.sys
    2008-04-13 11:20 361344 93ea8d04ec73a85db02eb8805988f733 c:\windows\$NtUninstallKB951748$\tcpip.sys
    2006-04-20 03:51 359808 1dbf125862891817f374f407626967f4 c:\windows\$NtUninstallKB951748_0$\tcpip.sys
    2008-04-13 11:20 361344 accf5a9a1ffaa490f33dba1c632b95e1 c:\windows\ServicePackFiles\i386\tcpip.sys
    2008-06-20 03:51 361600 9425b72f40257b45d45d24773273dad0 c:\windows\system32\dllcache\tcpip.sys
    2008-06-20 03:51 361600 9425b72f40257b45d45d24773273dad0 c:\windows\system32\drivers\tcpip.sys
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "msnmsgr"="c:\program files\MSN Messenger\msnmsgr.exe" [2007-01-19 5674352]
    "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 39792]
    "Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-06 57344]
    "AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-01-06 290088]
    "EEventManager"="c:\progra~1\EPSONS~1\EVENTM~1\EEventManager.exe" [2008-02-19 591696]
    "AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-03-01 1601304]
    "Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-11-29 c:\windows\KHALMNPR.Exe]
    "PCTVOICE"="pctspk.exe" [2003-04-24 c:\windows\system32\pctspk.exe]
    "SoundMan"="SOUNDMAN.EXE" [2007-04-16 c:\windows\soundman.exe]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Adobe Reader Speed Launch.lnk.disabled [2006-06-16 1757]
    Kodak EasyShare software.lnk.disabled [2009-01-09 1837]
    Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]
    MiniEYE-MiniREAD Launch .lnk.disabled [2009-01-02 1523]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
    2008-01-09 11:30 72208 c:\program files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
    2009-03-01 15:35 10520 c:\windows\system32\avgrsstx.dll

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
    SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
    @=""

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
    "Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
    "Antivirus"=c:\program files\Antivirus2008\Antvrs.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
    "QuickTime Task "= "c:\program files\QuickTime\qttask.exe" -atboottime
    "NeroCheck "=c:\windows\System32\\NeroCheck.exe
    "SunJavaUpdateSched "= "c:\program files\Java\jre6\bin\jusched.exe "
    "KAZAA "=c:\program files\Kazaa\kazaa.exe /SYSTRAY
    "ArcSoft Connection Service "=c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
    "TkBellExe "= "c:\program files\Common Files\Real\Update_OB\realsched.exe" -osboot

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusDisableNotify "=dword:00000001
    "UpdatesDisableNotify "=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall "= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe "=
    "c:\\Program Files\\MSN Messenger\\msnmsgr.exe "=
    "c:\\WINDOWS\\system32\\dpvsetup.exe "=
    "c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe "=
    "c:\\Program Files\\Valve\\Steam\\SteamApps\\akirayabuki\\condition zero\\hl.exe "=
    "c:\\Program Files\\iTunes\\iTunes.exe "=
    "c:\\Program Files\\Real\\RealPlayer\\realplay.exe "=
    "c:\\Program Files\\LimeWire\\LimeWire.exe "=
    "c:\\Program Files\\EpsonNet\\EpsonNet Config V3\\ENConfig.exe "=
    "c:\\Program Files\\Valve\\Steam\\SteamApps\\akirayabuki\\counter-strike\\hl.exe "=
    "c:\\Program Files\\Veoh Networks\\VeohWebPlayer\\veohwebplayer.exe "=
    "c:\\Program Files\\AVG\\AVG8\\avgupd.exe "=
    "c:\\Program Files\\AVG\\AVG8\\avgnsx.exe "=

    R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-03-01 325128]
    R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-03-01 107272]
    R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-03-01 298264]
    S1 SASKUTIL;SASKUTIL;\??\c:\program files\SUPERAntiSpyware\SASKUTIL.sys --> c:\program files\SUPERAntiSpyware\SASKUTIL.sys [?]
    S3 FarStoneFireWallDrive;FarStoneFireWallDrive;c:\windows\system32\Drivers\FarDrive.sys --> c:\windows\system32\Drivers\FarDrive.sys [?]
    S3 fvirjzac;fvirjzac;c:\windows\system32\drivers\fvirjzac.sys --> c:\windows\system32\drivers\fvirjzac.sys [?]

    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
    "c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll ",BrandIEActiveSetup SIGNUP
    .
    Contents of the 'Scheduled Tasks' folder

    2009-03-03 c:\windows\Tasks\At1.job
    - c:\windows\system32\W617Acgp.exe []

    2009-03-03 c:\windows\Tasks\At10.job
    - c:\windows\system32\W617Acgp.exe []

    2009-03-03 c:\windows\Tasks\At11.job
    - c:\windows\system32\W617Acgp.exe []

    2009-03-03 c:\windows\Tasks\At12.job
    - c:\windows\system32\W617Acgp.exe []

    2009-03-03 c:\windows\Tasks\At13.job
    - c:\windows\system32\W617Acgp.exe []

    2009-03-03 c:\windows\Tasks\At14.job
    - c:\windows\system32\W617Acgp.exe []

    2009-03-03 c:\windows\Tasks\At15.job
    - c:\windows\system32\W617Acgp.exe []

    2009-03-03 c:\windows\Tasks\At16.job
    - c:\windows\system32\W617Acgp.exe []

    2009-03-04 c:\windows\Tasks\At17.job
    - c:\windows\system32\W617Acgp.exe []

    2009-03-03 c:\windows\Tasks\At18.job
    - c:\windows\system32\W617Acgp.exe []

    2009-03-02 c:\windows\Tasks\At19.job
    - c:\windows\system32\W617Acgp.exe []

    2009-03-03 c:\windows\Tasks\At2.job
    - c:\windows\system32\W617Acgp.exe []

    2009-03-03 c:\windows\Tasks\At20.job
    - c:\windows\system32\W617Acgp.exe []

    2009-03-03 c:\windows\Tasks\At21.job
    - c:\windows\system32\W617Acgp.exe []

    2009-03-03 c:\windows\Tasks\At22.job
    - c:\windows\system32\W617Acgp.exe []

    2009-03-03 c:\windows\Tasks\At23.job
    - c:\windows\system32\W617Acgp.exe []

    2009-03-03 c:\windows\Tasks\At24.job
    - c:\windows\system32\W617Acgp.exe []

    2009-03-03 c:\windows\Tasks\At25.job
    - c:\windows\system32\36C8PCTg.exe []

    2009-03-03 c:\windows\Tasks\At26.job
    - c:\windows\system32\36C8PCTg.exe []

    2009-03-03 c:\windows\Tasks\At27.job
    - c:\windows\system32\36C8PCTg.exe []

    2009-03-03 c:\windows\Tasks\At28.job
    - c:\windows\system32\36C8PCTg.exe []

    2009-03-03 c:\windows\Tasks\At29.job
    - c:\windows\system32\36C8PCTg.exe []

    2009-03-03 c:\windows\Tasks\At3.job
    - c:\windows\system32\W617Acgp.exe []

    2009-03-03 c:\windows\Tasks\At30.job
    - c:\windows\system32\36C8PCTg.exe []

    2009-03-03 c:\windows\Tasks\At31.job
    - c:\windows\system32\36C8PCTg.exe []

    2009-03-03 c:\windows\Tasks\At32.job
    - c:\windows\system32\36C8PCTg.exe []

    2009-03-03 c:\windows\Tasks\At33.job
    - c:\windows\system32\36C8PCTg.exe []

    2009-03-03 c:\windows\Tasks\At34.job
    - c:\windows\system32\36C8PCTg.exe []

    2009-03-03 c:\windows\Tasks\At35.job
    - c:\windows\system32\36C8PCTg.exe []

    2009-03-03 c:\windows\Tasks\At36.job
    - c:\windows\system32\36C8PCTg.exe []

    2009-03-03 c:\windows\Tasks\At37.job
    - c:\windows\system32\36C8PCTg.exe []

    2009-03-03 c:\windows\Tasks\At38.job
    - c:\windows\system32\36C8PCTg.exe []

    2009-03-03 c:\windows\Tasks\At39.job
    - c:\windows\system32\36C8PCTg.exe []

    2009-03-03 c:\windows\Tasks\At4.job
    - c:\windows\system32\W617Acgp.exe []

    2009-03-03 c:\windows\Tasks\At40.job
    - c:\windows\system32\36C8PCTg.exe []

    2009-03-04 c:\windows\Tasks\At41.job
    - c:\windows\system32\36C8PCTg.exe []

    2009-03-03 c:\windows\Tasks\At42.job
    - c:\windows\system32\36C8PCTg.exe []

    2009-03-02 c:\windows\Tasks\At43.job
    - c:\windows\system32\36C8PCTg.exe []

    2009-03-03 c:\windows\Tasks\At44.job
    - c:\windows\system32\36C8PCTg.exe []

    2009-03-03 c:\windows\Tasks\At45.job
    - c:\windows\system32\36C8PCTg.exe []

    2009-03-03 c:\windows\Tasks\At46.job
    - c:\windows\system32\36C8PCTg.exe []

    2009-03-03 c:\windows\Tasks\At47.job
    - c:\windows\system32\36C8PCTg.exe []

    2009-03-03 c:\windows\Tasks\At48.job
    - c:\windows\system32\36C8PCTg.exe []

    2009-03-03 c:\windows\Tasks\At5.job
    - c:\windows\system32\W617Acgp.exe []

    2009-03-03 c:\windows\Tasks\At6.job
    - c:\windows\system32\W617Acgp.exe []

    2009-03-03 c:\windows\Tasks\At7.job
    - c:\windows\system32\W617Acgp.exe []

    2009-03-03 c:\windows\Tasks\At8.job
    - c:\windows\system32\W617Acgp.exe []

    2009-03-03 c:\windows\Tasks\At9.job
    - c:\windows\system32\W617Acgp.exe []

    2008-03-15 c:\windows\Tasks\MP Scheduled Quick Scan.job
    - c:\program files\Microsoft Windows OneCare Live\Antivirus\MpCmdRun.exe []

    2009-03-04 c:\windows\Tasks\RegCure Program Check.job
    - c:\program files\RegCure\RegCure.exe [2008-12-29 09:58]

    2009-03-01 c:\windows\Tasks\RegCure.job
    - c:\program files\RegCure\RegCure.exe [2008-12-29 09:58]
    .
    - - - - ORPHANS REMOVED - - - -

    BHO-{574FAE5A-6223-A054-3174-91E7DFC53986} - (no file)
    BHO-{72183A59-F2E3-3507-E1B2-E9A5789D07F1} - (no file)
    BHO-{A5E51C5B-57CF-A04A-BF60-3E709924E2F8} - (no file)
    WebBrowser-{9114A113-790C-8888-6FB7-D9B4CC3CB41F} - (no file)
    HKCU-Run-Uniblue RegistryBooster 2 - c:\program files\Uniblue\RegistryBooster 2\RegistryBooster.exe


    .
    ------- Supplementary Scan -------
    .
    uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
    mWindow Title = Microsoft Internet Explorer presented by Comcast
    uInternet Settings,ProxyOverride = *.local
    TCP: {93AFF8A7-2782-47C8-8EB0-219C14CDC0ED} = 208.67.220.220,208.67.222.222
    TCP: {B01A2396-58D0-4382-ABF4-7E8B21CD2807} = 208.67.220.220,208.67.222.222
    DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
    FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\51g7s3oe.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
    FF - prefs.js: browser.search.selectedEngine - Search
    FF - prefs.js: browser.startup.homepage - google.com
    FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
    FF - plugin: c:\program files\Google\Google Updater\2.4.1368.5602\npCIDetect13.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\nphssb.dll
    FF - plugin: c:\program files\QuickTime\Plugins\npqtplugin8.dll
    FF - plugin: c:\program files\Veoh Networks\VeohWebPlayer\NPVeohTVPlugin.dll
    FF - plugin: c:\program files\Veoh Networks\VeohWebPlayer\npWebPlayerVideoPluginATL.dll
    .

    **************************************************************************

    catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-03-03 16:21:55
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_USERS\S-1-5-21-73586283-1229272821-839522115-1003\Software\Microsoft\SystemCertificates\AddressBook*]
    @Allowed: (Read) (RestrictedCode)
    @Allowed: (Read) (RestrictedCode)

    [HKEY_USERS\S-1-5-21-73586283-1229272821-839522115-1003\Software\Policies\Microsoft\SystemCertificates\AddressBook*]
    @Allowed: (Read) (S-1-5-21-73586283-1229272821-839522115-1003)
    @Allowed: (Read) (S-1-5-21-73586283-1229272821-839522115-1003)
    @Allowed: (Read) (RestrictedCode)
    @Allowed: (Read) (RestrictedCode)
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(684)
    c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
    c:\program files\common files\logishrd\bluetooth\LBTServ.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Common Files\EPSON\EBAPI\eEBSvc.exe
    c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
    c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\documents and settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40ST7.EXE
    c:\documents and settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40RP7.EXE
    c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\program files\Common Files\Nero\Nero BackItUp 4\NBService.exe
    c:\windows\system32\SAgent4.exe
    c:\program files\AVG\AVG8\avgrsx.exe
    c:\progra~1\AVG\AVG8\avgnsx.exe
    c:\program files\Sprint Instinct Applications\MEMonitor.exe
    c:\windows\system32\wscntfy.exe
    c:\program files\iPod\bin\iPodService.exe
    .
    **************************************************************************
    .
    Completion time: 2009-03-03 16:31:25 - machine was rebooted
    ComboFix-quarantined-files.txt 2009-03-04 00:31:20

    Pre-Run: 8,210,563,072 bytes free
    Post-Run: 8,967,634,944 bytes free

    WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT= "Microsoft Windows Recovery Console" /cmdcons
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS= "Microsoft Windows XP Home Edition" /fastdetect /noexecute=optin

    396 --- E O F --- 2009-03-01 11:56:58
     
  6. 2009/03/04
    Juliet

    Juliet Well-Known Member

    Joined:
    2008/09/15
    Messages:
    976
    Likes Received:
    6
    Welcome back

    Be careful with reg cleaners, they can do more harm than good.

    P2P software/programs are a major contributor to infections. I see you have KAZAA and LimeWire. I'm not passing judgment on file-sharing; however, I will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to re-infections. It may be contributing to your current situation. This page will give you further information.

    Please note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares.

    References for the risk of these programs can also be found
    Here and Here

    I would strongly recommend that you uninstall them, however that choice is up to you. If you choose to remove these programs, you can do so via Control Panel >> Add or Remove Programs.

    Note: Please be advised that continued use of these programs after being warned of the danger of infections from them may result in the discontinued help of future cleaning of your system.




    Go to My Computer->Tools->Folder Options->View tab:

    • Under the Hidden files and folders heading:
    • Select - Show hidden files and folders.
    • Uncheck - Hide protected operating system files (recommended) option.
    • Also, make sure there is no checkmark beside Hide file extensions for known file types.
    • Click OK. (Remember to Hide files and folders once done)

    Please go to: VirusTotal


    ** From task manager, you can go to File > New Task (Run) > type explorer, then click OK. **

    • Click the Browse button and search for the following file: c:\windows\system32\drivers\tcpip.sys
    • Click Open
    • Then click Send File
    • Please be patient while the file is scanned.
    • Once the scan results appear, please provide them in your next reply.
    If it says already scanned -- click "reanalyze now "

    Also please have the next files scanned.
    c:\windows\system32\dllcache\tcpip.sys
    c:\windows\ServicePackFiles\i386\tcpip.sys





    Next: Please disable all onboard security programs (all running with back ground protection) as it may hinder the scanner from working.
    This includes Antivirus, Firewall, and any Spyware scanners that run in the background.

    Click on this link Here to see a list of programs that should be disabled.
    The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

    Please open Notepad *Do Not Use Wordpad or any other text editor than Notepad, or the script will fail!* (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the CODE box below:
    Save this as "CFScript.txt " including quotes and change the "Save as type" to "All Files" and place it on your desktop.
    Code:
    File::
    c:\windows\system32\drivers\fvirjzac.sys

    Folder::
    c:\program files\Antivirus2008

    Driver::
    fvirjzac

    Registry::
    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
    "Antivirus"=-

    AtJob::

    Referring to the screenshot above, drag CFScript.txt into ComboFix.exe. ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
    When finished, it shall produce a log for you, C:\ComboFix.txt. Post that log in your next reply.
    CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

    Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.



    CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.




    Please download ATF Cleaner by Atribune From Here and save it to your Desktop.
    Follow the instructions for the browser you use.
    Read the instructions about the cookies. Delete what you do not need.

    Double click ATF-Cleaner.exe to run the program.
    Check the boxes to the left of:
    Windows Temp
    Current User Temp
    All Users Temp
    Temporary Internet Files
    Java Cache

    The rest are optional - if you want to remove the lot, check "Select All ".
    Finally click Empty Selected. When you get the "Done Cleaning " message, click OK.
    If you use the Firefox or Opera browsers, you can use this program
    as a quick way to tidy those up as well.
    When you have finished, click on the Exit button in the Main menu.
    ========================


    NEXT**
    I'd like for you to run this next online scan to check for remnants or anything that might be hidden.
    The below scan can take up to an hour or longer, please be patient.

    *Note
    It is recommended to disable onboard antivirus program and antispyware programs while performing scans so no conflicts and to speed up scan time.
    Please don't go surfing while your resident protection is disabled!
    Once scan is finished remember to re-enable resident antivirus protection along with whatever antispyware app you use.


    Using Internet Explorer, visit http://www.kaspersky.com/service?chapter=161739400

    Other available links
    Kaspersky Online Scanner or from here
    http://www.kaspersky.com/virusscanner

    Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

    Click on the Accept button and install any components it needs.

    • The program will install and then begin downloading the latest definition files.
    • After the files have been downloaded on the left side of the page in the Scan section select My Computer.
    • This will start the program and scan your system.
    • The scan will take a while, so be patient and let it run. (At times it may appear to stall)
      * Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
      * Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
      * Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
    • Once the scan is complete, click on View scan report. To obtain the report:
    Click on: Save Report As
    Next, in the Save as prompt, Save in area, select: Desktop
    In the File name area, use KScan, or something similar.
    In Save as type, click the drop arrow and select: Text file [*.txt]
    Then, click: Save
    Please post the Kaspersky Online Scanner Report in your reply.

    Animated tutorial
    http://i275.photobucket.com/albums/jj285/Bleeping/KAS/KAS9.gif

    (Note for Internet Explorer 7 users: If at any time you have trouble with the "Accept" button of the license, click on the "Zoom" tool located at the bottom right of the IE window and set the zoom to 75%. Once the license has been accepted, reset to 100%.)
    Or use Firefox with IE-Tab plugin
    https://addons.mozilla.org/en-US/firefox/addon/1419


    In your next reply post:
    Files requested scanned
    ComboFix.txt
    Kaspersky log
    New DDS log taken after the above scans have run



    You may need several replies to post the requested logs, otherwise they might get cut off.


    How's your computer now?
     
    Last edited: 2009/03/04
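The 48 At<N>.job entries in the log above (the naming at.exe uses), all pointing at two random-named executables in system32 with an empty [] file-info field, plus the Security Center notifications and firewall the log shows switched off, are what the CFScript's AtJob:: directive and the helper's eye are reacting to. As an added example that is not ComboFix's or the forum's own code, here is a Python triage pass over a constructed excerpt of that log that flags the same indicators; the random-name heuristic and the "two or more reasons" threshold are my own assumptions.

```python
"""Triage helper for the 'Scheduled Tasks' and Security Center lines of a ComboFix log."""
import re
from collections import defaultdict

# Constructed sample in the same shape as the log above (not the full log).
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify "=dword:00000001
"UpdatesDisableNotify "=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall "= 0 (0x0)

Contents of the 'Scheduled Tasks' folder

2009-03-03 c:\windows\Tasks\At1.job
- c:\windows\system32\W617Acgp.exe []

2009-03-03 c:\windows\Tasks\At2.job
- c:\windows\system32\W617Acgp.exe []

2009-03-03 c:\windows\Tasks\At25.job
- c:\windows\system32\36C8PCTg.exe []

2009-03-04 c:\windows\Tasks\RegCure Program Check.job
- c:\program files\RegCure\RegCure.exe [2008-12-29 09:58]

2008-03-15 c:\windows\Tasks\MP Scheduled Quick Scan.job
- c:\program files\Microsoft Windows OneCare Live\Antivirus\MpCmdRun.exe []
"""

TASK_RE = re.compile(r"^\d{4}-\d{2}-\d{2} (?P<job>.+\.job)$", re.I)
TARGET_RE = re.compile(r"^- (?P<target>.+?) \[(?P<info>[^\]]*)\]$")
AT_JOB_RE = re.compile(r"\\At\d+\.job$", re.I)          # jobs created with at.exe
SYSTEM32_RE = re.compile(r"^c:\\windows\\system32\\[^\\]+$", re.I)
# Heuristic (assumption): 6-12 mixed letters and digits, no recognisable word.
RANDOM_NAME_RE = re.compile(r"^(?=.*\d)(?=.*[A-Za-z])[A-Za-z0-9]{6,12}\.exe$")
# Tolerates the stray space the forum inserted before the closing quote.
PROTECTION_RE = re.compile(
    r'^"(?P<key>AntiVirusDisableNotify|UpdatesDisableNotify|EnableFirewall)\s*"\s*=\s*'
    r"(?:dword:)?(?P<val>[0-9a-fA-F]+)")


def parse_tasks(log_text):
    """Return (job_path, target_path, file_info) for each task pair in the log."""
    tasks, pending = [], None
    for raw in log_text.splitlines():
        line = raw.strip()
        m = TASK_RE.match(line)
        if m:
            pending = m.group("job")
            continue
        m = TARGET_RE.match(line)
        if m and pending:
            tasks.append((pending, m.group("target"), m.group("info")))
            pending = None
    return tasks


def triage(log_text):
    """Return (job, target, reasons) for tasks that hit two or more indicators."""
    tasks = parse_tasks(log_text)
    by_target = defaultdict(list)
    for job, target, _ in tasks:
        by_target[target].append(job)
    findings = []
    for job, target, info in tasks:
        name = target.rsplit("\\", 1)[-1]
        reasons = []
        if AT_JOB_RE.search(job):
            reasons.append("at.exe-created job")
        if SYSTEM32_RE.match(target) and RANDOM_NAME_RE.match(name):
            reasons.append("random-looking exe in system32")
        if info == "":
            reasons.append("no file info (target missing or unreadable)")
        if len(by_target[target]) > 1:
            reasons.append("target shared by %d jobs" % len(by_target[target]))
        if len(reasons) >= 2:  # a single hit (e.g. one empty []) is usually benign
            findings.append((job, target, reasons))
    return findings


def disabled_protection(log_text):
    """Names of Security Center / firewall settings the log shows turned off."""
    hits = []
    for raw in log_text.splitlines():
        m = PROTECTION_RE.match(raw.strip())
        if not m:
            continue
        key, val = m.group("key"), int(m.group("val"), 16)
        if (key == "EnableFirewall" and val == 0) or (key != "EnableFirewall" and val == 1):
            hits.append(key)
    return hits


if __name__ == "__main__":
    for job, target, reasons in triage(SAMPLE_LOG):
        print("%s -> %s: %s" % (job, target, ", ".join(reasons)))
    print("protection disabled:", disabled_protection(SAMPLE_LOG))
```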
  7. 2009/03/04
    Xpress

    Xpress Inactive Thread Starter

    Joined:
    2009/03/01
    Messages:
    28
    Likes Received:
    0
    Files requested scanned, ComboFix.txt, Kaspersky log

    Sorry it took so long, the Kscan turned off on me a few times, probably because I was doing stuff on the comp. Still got business to do...

    --------------------------------------------------------------------------
    File tcpip.sys received on 03.05.2009 02:32:18 (CET)
    Current status: Loading ... queued waiting scanning finished NOT FOUND STOPPED
    Result: 0/39 (0%)

    --------------------------------------------------------------------------
    File tcpip.sys received on 03.05.2009 02:34:02 (CET)
    Current status: Loading ... queued waiting scanning finished NOT FOUND STOPPED
    Result: 0/39 (0%)

    --------------------------------------------------------------------------
    File tcpip.sys received on 03.05.2009 02:35:44 (CET)
    Current status: Loading ... queued waiting scanning finished NOT FOUND STOPPED
    Result: 0/39 (0%)

    --------------------------------------------------------------------------
    ComboFix 09-03-03.01 - Owner 2009-03-04 11:33:27.2 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.503.131 [GMT -8:00]
    Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt
    AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)

    FILE ::
    c:\windows\system32\drivers\fvirjzac.sys
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\windows\Tasks\At1.job
    c:\windows\Tasks\At10.job
    c:\windows\Tasks\At11.job
    c:\windows\Tasks\At12.job
    c:\windows\Tasks\At13.job
    c:\windows\Tasks\At14.job
    c:\windows\Tasks\At15.job
    c:\windows\Tasks\At16.job
    c:\windows\Tasks\At17.job
    c:\windows\Tasks\At18.job
    c:\windows\Tasks\At19.job
    c:\windows\Tasks\At2.job
    c:\windows\Tasks\At20.job
    c:\windows\Tasks\At21.job
    c:\windows\Tasks\At22.job
    c:\windows\Tasks\At23.job
    c:\windows\Tasks\At24.job
    c:\windows\Tasks\At25.job
    c:\windows\Tasks\At26.job
    c:\windows\Tasks\At27.job
    c:\windows\Tasks\At28.job
    c:\windows\Tasks\At29.job
    c:\windows\Tasks\At3.job
    c:\windows\Tasks\At30.job
    c:\windows\Tasks\At31.job
    c:\windows\Tasks\At32.job
    c:\windows\Tasks\At33.job
    c:\windows\Tasks\At34.job
    c:\windows\Tasks\At35.job
    c:\windows\Tasks\At36.job
    c:\windows\Tasks\At37.job
    c:\windows\Tasks\At38.job
    c:\windows\Tasks\At39.job
    c:\windows\Tasks\At4.job
    c:\windows\Tasks\At40.job
    c:\windows\Tasks\At41.job
    c:\windows\Tasks\At42.job
    c:\windows\Tasks\At43.job
    c:\windows\Tasks\At44.job
    c:\windows\Tasks\At45.job
    c:\windows\Tasks\At46.job
    c:\windows\Tasks\At47.job
    c:\windows\Tasks\At48.job
    c:\windows\Tasks\At5.job
    c:\windows\Tasks\At6.job
    c:\windows\Tasks\At7.job
    c:\windows\Tasks\At8.job
    c:\windows\Tasks\At9.job

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Legacy_FVIRJZAC
    -------\Service_fvirjzac


    ((((((((((((((((((((((((( Files Created from 2009-02-04 to 2009-03-04 )))))))))))))))))))))))))))))))
    .

    2009-03-02 07:57 . 2008-04-13 16:12 69,120 --a--c--- c:\windows\system32\dllcache\notepad.exe
    2009-03-02 07:57 . 2008-04-13 16:12 69,120 --a------ c:\windows\notepad.exe
    2009-03-01 16:39 . 2009-03-03 12:32 <DIR> d--h----- C:\$AVG8.VAULT$
    2009-03-01 15:35 . 2009-03-04 10:15 <DIR> d-------- c:\windows\system32\drivers\Avg
    2009-03-01 15:35 . 2009-03-01 15:35 325,128 --a------ c:\windows\system32\drivers\avgldx86.sys
    2009-03-01 15:35 . 2009-03-01 15:35 107,272 --a------ c:\windows\system32\drivers\avgtdix.sys
    2009-03-01 15:35 . 2009-03-01 15:35 10,520 --a------ c:\windows\system32\avgrsstx.dll
    2009-03-01 15:34 . 2009-03-01 15:34 <DIR> d-------- c:\program files\AVG
    2009-03-01 15:34 . 2009-03-01 15:34 <DIR> d-------- c:\documents and settings\All Users\Application Data\avg8
    2009-03-01 15:22 . 2009-03-01 15:22 <DIR> d-------- c:\documents and settings\Owner\Application Data\True Sword
    2009-03-01 15:20 . 2009-03-01 22:40 <DIR> d-------- c:\program files\True Sword 5
    2009-03-01 14:03 . 2009-03-01 14:03 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Malwarebytes
    2009-03-01 13:25 . 2009-03-01 22:41 <DIR> d-a------ c:\documents and settings\All Users\Application Data\TEMP
    2009-03-01 11:17 . 2009-03-01 11:18 <DIR> d-------- c:\documents and settings\Owner\Application Data\Nero
    2009-02-28 22:37 . 2009-02-28 22:37 4,767 --a------ c:\windows\Irremote.ini
    2009-02-28 22:32 . 2009-02-28 22:32 <DIR> d-------- c:\program files\Windows Sidebar
    2009-02-28 22:02 . 2009-02-28 22:35 <DIR> d-------- c:\program files\Nero
    2009-02-28 22:01 . 2009-02-28 23:04 <DIR> d-------- c:\program files\Common Files\Nero
    2009-02-28 22:01 . 2009-02-28 22:18 <DIR> d-------- c:\documents and settings\All Users\Application Data\Nero
    2009-02-28 18:20 . 2009-02-28 18:21 <DIR> d-------- C:\RecoveryCD
    2009-02-28 17:48 . 2009-02-28 17:48 0 --a------ c:\windows\nsreg.dat
    2009-02-28 17:46 . 2009-02-28 17:46 <DIR> d--hs---- c:\documents and settings\Administrator\PrivacIE
    2009-02-28 17:46 . 2009-02-28 17:46 <DIR> d--hs---- c:\documents and settings\Administrator\IETldCache
    2009-02-28 17:14 . 2009-02-28 17:14 <DIR> d-------- c:\program files\RegCure
    2009-02-28 17:14 . 2009-02-28 17:14 <DIR> d-------- c:\program files\CCleaner
    2009-02-28 13:41 . 2009-02-28 13:42 <DIR> d--h-c--- c:\windows\ie8
    2009-02-28 12:42 . 2009-02-28 12:42 <DIR> d-------- c:\program files\ffdshow
    2009-02-28 12:42 . 2008-08-22 17:57 14,336 --a------ c:\windows\system32\ff_vfw.dll
    2009-02-28 12:42 . 2008-08-10 11:55 547 --a------ c:\windows\system32\ff_vfw.dll.manifest
    2009-02-28 12:03 . 2009-02-28 12:03 <DIR> d-------- c:\program files\Veoh Networks
    2009-02-26 18:51 . 2009-02-26 18:51 <DIR> d--hs---- c:\documents and settings\NetworkService\IETldCache
    2009-02-24 21:05 . 2009-01-09 11:19 1,089,593 -----c--- c:\windows\system32\dllcache\ntprint.cat
    2009-02-15 22:14 . 2009-03-03 20:43 <DIR> d-------- c:\documents and settings\Owner\Application Data\gtk-2.0
    2009-02-15 22:14 . 2009-02-23 10:31 <DIR> d-------- c:\documents and settings\Owner\.thumbnails
    2009-02-15 22:13 . 2009-03-04 09:44 <DIR> d-------- c:\documents and settings\Owner\.gimp-2.6
    2009-02-15 22:12 . 2009-02-15 22:13 <DIR> d-------- c:\documents and settings\Owner\.gegl-0.0
    2009-02-15 22:10 . 2009-02-15 22:10 <DIR> d-------- c:\program files\GIMP-2.0
    2009-02-12 23:21 . 2006-12-19 01:14 131,072 --a------ c:\windows\system32\SAgent4.exe
    2009-02-10 21:07 . 2009-02-10 21:07 <DIR> d-------- c:\program files\Acoustica MP3 CD Burner
    2009-02-10 21:07 . 2009-02-10 21:07 <DIR> d-------- c:\documents and settings\Owner\Application Data\Acoustica
    2009-02-10 21:07 . 2007-08-07 11:32 57,344 --a------ c:\windows\system32\Wnaspint.dll
    2009-02-10 21:07 . 2007-08-07 10:58 32,768 --a------ c:\windows\system32\Wnaspi32.dll
    2009-02-10 12:40 . 2009-02-10 12:40 <DIR> d-------- c:\documents and settings\Owner\Application Data\Camfrog
    2009-02-06 00:27 . 2009-02-06 00:27 <DIR> d-------- c:\program files\Realtek AC97
    2009-02-05 23:24 . 2007-03-12 16:42 3,495,784 --a------ c:\windows\system32\d3dx9_33.dll
    2009-02-05 23:12 . 2009-02-05 23:23 <DIR> d--h----- c:\windows\msdownld.tmp
    2009-02-05 23:12 . 2009-02-05 23:12 <DIR> d-------- c:\windows\Logs

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-03-04 07:53 --------- d-----w c:\documents and settings\All Users\Application Data\Google Updater
    2009-03-04 06:51 --------- d-----w c:\program files\Google
    2009-03-01 11:39 --------- d-----w c:\program files\Joost
    2009-02-26 23:24 --------- d-----w c:\program files\Spybot - Search & Destroy
    2009-02-26 23:24 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
    2009-02-26 20:37 --------- d-----w c:\program files\Microsoft Silverlight
    2009-02-13 07:25 --------- d-----w c:\documents and settings\Owner\Application Data\Epson
    2009-02-06 08:21 --------- d-----w c:\program files\Sprint Instinct Applications
    2009-02-06 06:38 --------- d--h--w c:\program files\InstallShield Installation Information
    2009-02-06 06:38 --------- d-----w c:\program files\EpsonNet
    2009-02-06 06:31 --------- d-----w c:\documents and settings\All Users\Application Data\EPSON
    2009-02-03 19:20 --------- d-----w c:\program files\Common Files\EPSON
    2009-02-03 18:21 --------- d-----w c:\program files\Epson Software
    2009-02-03 18:21 --------- d-----w c:\program files\EPSON
    2009-02-02 10:43 --------- d-----w c:\program files\iTunes
    2009-02-01 22:38 --------- d-----w c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
    2009-02-01 22:37 --------- d-----w c:\program files\iPod
    2009-02-01 22:37 --------- d-----w c:\program files\Common Files\Apple
    2009-02-01 22:34 --------- d-----w c:\program files\Bonjour
    2009-02-01 22:33 --------- d-----w c:\program files\QuickTime
    2009-02-01 22:29 --------- d-----w c:\program files\Apple Software Update
    2009-02-01 22:28 --------- d-----w c:\documents and settings\All Users\Application Data\Apple
    2009-01-31 08:50 34 ----a-w c:\documents and settings\Owner\jagex_runescape_preferences.dat
    2009-01-30 01:37 --------- d-----w c:\program files\Yahoo!
    2009-01-30 01:37 --------- d-----w c:\documents and settings\All Users\Application Data\Yahoo!
    2009-01-29 20:35 4,706 ----a-w c:\windows\system32\PerfStringBackup.TMP
    2009-01-29 20:30 --------- d-----w c:\program files\Reference Assemblies
    2009-01-29 20:30 --------- d-----w c:\program files\MSBuild
    2009-01-26 22:57 --------- d-----w c:\program files\ABBYY FineReader 6.0 Sprint
    2009-01-20 03:41 --------- d-----w c:\program files\Valve
    2009-01-20 00:02 --------- d-----w c:\program files\McAfee.com
    2009-01-20 00:00 --------- d-----w c:\documents and settings\All Users\Application Data\FLEXnet
    2009-01-19 23:30 --------- d-----w c:\program files\Watchtower
    2009-01-19 23:25 --------- d-----w c:\program files\RealRhapsody
    2009-01-18 00:30 --------- d-----w c:\program files\Common Files\Adobe
    2009-01-18 00:17 --------- d-----w c:\program files\Common Files\Macrovision Shared
    2009-01-18 00:16 --------- d-----w c:\documents and settings\Owner\Application Data\Download Manager
    2009-01-17 00:25 --------- d-----w c:\program files\Common Files\xing shared
    2009-01-17 00:25 --------- d-----w c:\program files\Common Files\Real
    2009-01-17 00:24 499,712 ----a-w c:\windows\system32\msvcp71.dll
    2009-01-17 00:24 348,160 ----a-w c:\windows\system32\msvcr71.dll
    2009-01-15 10:05 911,872 ----a-w c:\windows\system32\wininet.dll
    2009-01-15 10:05 43,008 ----a-w c:\windows\system32\licmgr10.dll
    2009-01-15 10:04 18,944 ----a-w c:\windows\system32\corpol.dll
    2009-01-15 10:03 72,704 ----a-w c:\windows\system32\admparse.dll
    2009-01-15 10:03 71,680 ----a-w c:\windows\system32\iesetup.dll
    2009-01-15 10:03 420,352 ----a-w c:\windows\system32\vbscript.dll
    2009-01-15 10:01 34,304 ----a-w c:\windows\system32\imgutil.dll
    2009-01-15 10:00 48,128 ----a-w c:\windows\system32\mshtmler.dll
    2009-01-15 10:00 45,568 ----a-w c:\windows\system32\mshta.exe
    2009-01-15 09:50 156,160 ----a-w c:\windows\system32\msls31.dll
    2009-01-12 03:48 --------- d-----w c:\documents and settings\Owner\Application Data\GarageGames
    2009-01-11 22:27 410,984 ----a-w c:\windows\system32\deploytk.dll
    2009-01-11 22:27 --------- d-----w c:\program files\Java
    2009-01-09 19:14 --------- d-----w c:\documents and settings\Owner\Application Data\ArcSoft
    2009-01-09 19:14 --------- d-----w c:\documents and settings\All Users\Application Data\Kodak
    2009-01-09 19:13 --------- d-----w c:\documents and settings\All Users\Application Data\ArcSoft
    2009-01-09 19:12 --------- d-----w c:\program files\Common Files\ArcSoft
    2009-01-09 19:12 --------- d-----w c:\program files\ArcSoft
    2009-01-09 19:11 --------- d-----w c:\program files\Kodak
    2009-01-09 19:09 --------- d-----w c:\program files\Common Files\Kodak
    2009-01-09 17:55 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
    2009-01-05 02:38 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
    2009-01-05 02:38 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
    2006-04-03 06:26 9,583,368 ----a-w c:\documents and settings\Owner\DesktopDoctor1.5.1.exe
    .

    ------- Sigcheck -------

    .
    ((((((((((((((((((((((((((((( SnapShot@2009-03-03_16.29.39.00 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2009-03-04 06:51:42 10,134 ----a-r c:\windows\Installer\{F43C7DE1-CB20-11DD-8D77-005056806466}\ARPPRODUCTICON.exe
    + 2009-03-04 06:51:42 26,694 ----a-r c:\windows\Installer\{F43C7DE1-CB20-11DD-8D77-005056806466}\UNINST_Uninstall_G_BCEEAF790189405A8B93BFE1E41FCD64.exe
    + 2009-03-04 19:40:48 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_530.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "msnmsgr "= "c:\program files\MSN Messenger\msnmsgr.exe" [2007-01-19 5674352]
    "ctfmon.exe "= "c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Adobe Reader Speed Launcher "= "c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 39792]
    "Adobe Photo Downloader "= "c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-06 57344]
    "AdobeCS4ServiceManager "= "c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]
    "iTunesHelper "= "c:\program files\iTunes\iTunesHelper.exe" [2009-01-06 290088]
    "EEventManager "= "c:\progra~1\EPSONS~1\EVENTM~1\EEventManager.exe" [2008-02-19 591696]
    "AVG8_TRAY "= "c:\progra~1\AVG\AVG8\avgtray.exe" [2009-03-01 1601304]
    "Kernel and Hardware Abstraction Layer "= "KHALMNPR.EXE" [2007-11-29 c:\windows\KHALMNPR.Exe]
    "PCTVOICE "= "pctspk.exe" [2003-04-24 c:\windows\system32\pctspk.exe]
    "SoundMan "= "SOUNDMAN.EXE" [2007-04-16 c:\windows\soundman.exe]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Adobe Reader Speed Launch.lnk.disabled [2006-06-16 1757]
    Kodak EasyShare software.lnk.disabled [2009-01-09 1837]
    Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]
    MiniEYE-MiniREAD Launch .lnk.disabled [2009-01-02 1523]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
    2008-01-09 11:30 72208 c:\program files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
    2009-03-01 15:35 10520 c:\windows\system32\avgrsstx.dll

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
    SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
    @=" "

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
    "Messenger (Yahoo!) "= "c:\program files\Yahoo!\Messenger\YahooMessenger.exe" -quiet

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
    "QuickTime Task "= "c:\program files\QuickTime\qttask.exe" -atboottime
    "NeroCheck "=c:\windows\System32\\NeroCheck.exe
    "SunJavaUpdateSched "= "c:\program files\Java\jre6\bin\jusched.exe "
    "KAZAA "=c:\program files\Kazaa\kazaa.exe /SYSTRAY
    "ArcSoft Connection Service "=c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
    "TkBellExe "= "c:\program files\Common Files\Real\Update_OB\realsched.exe" -osboot

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusDisableNotify "=dword:00000001
    "UpdatesDisableNotify "=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall "= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe "=
    "c:\\Program Files\\MSN Messenger\\msnmsgr.exe "=
    "c:\\WINDOWS\\system32\\dpvsetup.exe "=
    "c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe "=
    "c:\\Program Files\\Valve\\Steam\\SteamApps\\akirayabuki\\condition zero\\hl.exe "=
    "c:\\Program Files\\iTunes\\iTunes.exe "=
    "c:\\Program Files\\Real\\RealPlayer\\realplay.exe "=
    "c:\\Program Files\\LimeWire\\LimeWire.exe "=
    "c:\\Program Files\\EpsonNet\\EpsonNet Config V3\\ENConfig.exe "=
    "c:\\Program Files\\Valve\\Steam\\SteamApps\\akirayabuki\\counter-strike\\hl.exe "=
    "c:\\Program Files\\Veoh Networks\\VeohWebPlayer\\veohwebplayer.exe "=
    "c:\\Program Files\\AVG\\AVG8\\avgupd.exe "=
    "c:\\Program Files\\AVG\\AVG8\\avgnsx.exe "=

    R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-03-01 325128]
    R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-03-01 107272]
    R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-03-01 298264]
    S1 SASKUTIL;SASKUTIL;\??\c:\program files\SUPERAntiSpyware\SASKUTIL.sys --> c:\program files\SUPERAntiSpyware\SASKUTIL.sys [?]
    S2 gupdate1c99c9589fb5a82;Google Update Service (gupdate1c99c9589fb5a82);c:\program files\Google\Update\GoogleUpdate.exe [2009-03-03 133104]
    S3 FarStoneFireWallDrive;FarStoneFireWallDrive;c:\windows\system32\Drivers\FarDrive.sys --> c:\windows\system32\Drivers\FarDrive.sys [?]

    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
    "c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll ",BrandIEActiveSetup SIGNUP
    .
    Contents of the 'Scheduled Tasks' folder

    2009-03-04 c:\windows\Tasks\Google Software Updater.job
    - c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-03-03 22:52]

    2009-03-04 c:\windows\Tasks\GoogleUpdateTaskMachine.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-03-03 22:50]

    2008-03-15 c:\windows\Tasks\MP Scheduled Quick Scan.job
    - c:\program files\Microsoft Windows OneCare Live\Antivirus\MpCmdRun.exe []

    2009-03-04 c:\windows\Tasks\RegCure Program Check.job
    - c:\program files\RegCure\RegCure.exe [2008-12-29 09:58]

    2009-03-01 c:\windows\Tasks\RegCure.job
    - c:\program files\RegCure\RegCure.exe [2008-12-29 09:58]
    .
    .
    ------- Supplementary Scan -------
    .
    uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
    mWindow Title = Microsoft Internet Explorer presented by Comcast
    uInternet Settings,ProxyOverride = *.local
    TCP: {93AFF8A7-2782-47C8-8EB0-219C14CDC0ED} = 208.67.220.220,208.67.222.222
    TCP: {B01A2396-58D0-4382-ABF4-7E8B21CD2807} = 208.67.220.220,208.67.222.222
    DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
    FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\51g7s3oe.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
    FF - prefs.js: browser.startup.homepage - google.com
    FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
    FF - plugin: c:\program files\Google\Google Earth Plugin\npgeplugin.dll
    FF - plugin: c:\program files\Google\Google Updater\2.4.1508.6312\npCIDetect13.dll
    FF - plugin: c:\program files\Google\Update\1.2.141.5\npGoogleOneClick7.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\nphssb.dll
    FF - plugin: c:\program files\QuickTime\Plugins\npqtplugin8.dll
    FF - plugin: c:\program files\Veoh Networks\VeohWebPlayer\NPVeohTVPlugin.dll
    FF - plugin: c:\program files\Veoh Networks\VeohWebPlayer\npWebPlayerVideoPluginATL.dll
    .

    **************************************************************************

    catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-03-04 11:41:10
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_USERS\S-1-5-21-73586283-1229272821-839522115-1003\Software\Microsoft\SystemCertificates\AddressBook*]
    @Allowed: (Read) (RestrictedCode)
    @Allowed: (Read) (RestrictedCode)

    [HKEY_USERS\S-1-5-21-73586283-1229272821-839522115-1003\Software\Policies\Microsoft\SystemCertificates\AddressBook*]
    @Allowed: (Read) (S-1-5-21-73586283-1229272821-839522115-1003)
    @Allowed: (Read) (S-1-5-21-73586283-1229272821-839522115-1003)
    @Allowed: (Read) (RestrictedCode)
    @Allowed: (Read) (RestrictedCode)
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(684)
    c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
    c:\program files\common files\logishrd\bluetooth\LBTServ.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Common Files\EPSON\EBAPI\eEBSvc.exe
    c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
    c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\documents and settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40ST7.EXE
    c:\documents and settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40RP7.EXE
    c:\program files\Java\jre6\bin\jqs.exe
    c:\program files\AVG\AVG8\avgrsx.exe
    c:\progra~1\AVG\AVG8\avgnsx.exe
    c:\program files\Common Files\Nero\Nero BackItUp 4\NBService.exe
    c:\windows\system32\SAgent4.exe
    c:\windows\system32\wscntfy.exe
    c:\program files\Sprint Instinct Applications\MEMonitor.exe
    c:\program files\iPod\bin\iPodService.exe
    .
    **************************************************************************
    .
    Completion time: 2009-03-04 11:49:50 - machine was rebooted [Owner]
    ComboFix-quarantined-files.txt 2009-03-04 19:49:46
    ComboFix2.txt 2009-03-04 00:31:29

    Pre-Run: 8,881,971,200 bytes free
    Post-Run: 8,862,683,136 bytes free

    353 --- E O F --- 2009-03-01 11:56:58

    --------------------------------------------------------------------------
    --------------------------------------------------------------------------------
    KASPERSKY ONLINE SCANNER 7 REPORT
    Wednesday, March 4, 2009
    Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
    Kaspersky Online Scanner 7 version: 7.0.25.0
    Program database last update: Wednesday, March 04, 2009 14:59:58
    Records in database: 1868423
    --------------------------------------------------------------------------------

    Scan settings:
    Scan using the following database: extended
    Scan archives: yes
    Scan mail databases: yes

    Scan area - My Computer:
    A:\
    C:\
    D:\
    E:\
    F:\
    H:\
    I:\
    J:\
    K:\

    Scan statistics:
    Files scanned: 115510
    Threat name: 2
    Infected objects: 4
    Suspicious objects: 0
    Duration of the scan: 02:52:22


    File name / Threat name / Threats count
    C:\Qoobox\Quarantine\C\Program Files\Mozilla Firefox\plugins\npclntax_ZangoSA.dll.vir Infected: not-a-virus:WebToolbar.Win32.Zango.aw 1
    C:\Qoobox\Quarantine\C\WINDOWS\system32\adsmchkc.dll.vir Infected: Trojan.Win32.Agent.uke 1
    C:\System Volume Information\_restore{253DC5D2-CB3E-4C88-AA24-D4CD688B6F95}\RP2\A0000155.dll Infected: not-a-virus:WebToolbar.Win32.Zango.aw 1
    C:\System Volume Information\_restore{253DC5D2-CB3E-4C88-AA24-D4CD688B6F95}\RP2\A0000157.dll Infected: Trojan.Win32.Agent.uke 1

    The selected area was scanned.
     
  8. 2009/03/04
    Xpress

    DDS.txt

    DDS (Ver_09-02-01.01) - NTFSx86
    Run by Owner at 17:42:17.95 on Wed 03/04/2009
    Internet Explorer: 8.0.6001.18372 BrowserJavaVersion: 1.6.0_11
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.503.261 [GMT -8:00]

    AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)

    ============== Running Processes ===============

    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
    svchost.exe
    svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
    C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40ST7.EXE
    C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40RP7.EXE
    C:\Program Files\Google\Update\GoogleUpdate.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\PROGRA~1\AVG\AVG8\avgrsx.exe
    C:\PROGRA~1\AVG\AVG8\avgnsx.exe
    C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
    C:\WINDOWS\system32\SAgent4.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\system32\pctspk.exe
    C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\PROGRA~1\EPSONS~1\EVENTM~1\EEventManager.exe
    C:\PROGRA~1\AVG\AVG8\avgtray.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\MSN Messenger\usnsvc.exe
    C:\WINDOWS\system32\WISPTIS.EXE
    C:\Documents and Settings\Owner\Desktop\dds.scr

    ============== Pseudo HJT Report ===============

    uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
    mWindow Title = Microsoft Internet Explorer presented by Comcast
    uInternet Settings,ProxyOverride = *.local
    BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
    BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
    BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
    BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
    BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.0.926.3450\swg.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    TB: Veoh Web Player Video Finder: {0fbb9689-d3d7-4f7a-a2e2-585b10099bfc} - c:\program files\veoh networks\veohwebplayer\VeohIEToolbar.dll
    TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
    TB: {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - No File
    TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
    TB: {D3DEE18F-DB64-4BEB-9FF1-E1F0A5033E4A} - No File
    EB: &Research: {ff059e31-cc5a-4e2e-bf3b-96e929d65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
    uRun: [msnmsgr] "c:\program files\msn messenger\msnmsgr.exe" /background
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe "
    mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
    mRun: [PCTVOICE] pctspk.exe
    mRun: [Adobe Photo Downloader] "c:\program files\adobe\photoshop album starter edition\3.0\apps\apdproxy.exe "
    mRun: [AdobeCS4ServiceManager] "c:\program files\common files\adobe\cs4servicemanager\CS4ServiceManager.exe" -launchedbylogin
    mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe "
    mRun: [EEventManager] c:\progra~1\epsons~1\eventm~1\EEventManager.exe
    mRun: [SoundMan] SOUNDMAN.EXE
    mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
    StartupFolder: c:\docume~1\owner\startm~1\programs\startup\epsona~1.lnk - d:\common\epsonreg\Epkick.exe
    StartupFolder: c:\docume~1\owner\startm~1\programs\startup\sprint~1.lnk - c:\windows\RM.exe
    StartupFolder: c:\documents and settings\all users\start menu\programs\startup\Adobe Reader Speed Launch.lnk.disabled
    StartupFolder: c:\documents and settings\all users\start menu\programs\startup\Kodak EasyShare software.lnk.disabled
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
    StartupFolder: c:\documents and settings\all users\start menu\programs\startup\MiniEYE-MiniREAD Launch .lnk.disabled
    IE: {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/
    IE: {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
    IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
    DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
    DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
    DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.4.1.cab
    DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase8300.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://dl8-cdn-01.sun.com/s/ESD5/JSCDL/jre/6u11-b90/jinstall-6u11-windows-i586-jc.cab?e=1233423749976&h=10203cf41da0e482e3764280d27692bb/&filename=jinstall-6u11-windows-i586-jc.cab
    DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
    DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
    TCP: {93AFF8A7-2782-47C8-8EB0-219C14CDC0ED} = 208.67.220.220,208.67.222.222
    TCP: {B01A2396-58D0-4382-ABF4-7E8B21CD2807} = 208.67.220.220,208.67.222.222
    Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
    Notify: avgrsstarter - avgrsstx.dll
    Notify: LBTWlgn - c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll

    ================= FIREFOX ===================

    FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\51g7s3oe.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
    FF - prefs.js: browser.startup.homepage - google.com
    FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
    FF - plugin: c:\program files\google\google earth plugin\npgeplugin.dll
    FF - plugin: c:\program files\google\google updater\2.4.1508.6312\npCIDetect13.dll
    FF - plugin: c:\program files\google\update\1.2.141.5\npGoogleOneClick7.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\nphssb.dll
    FF - plugin: c:\program files\quicktime\plugins\npqtplugin8.dll
    FF - plugin: c:\program files\veoh networks\veohwebplayer\NPVeohTVPlugin.dll
    FF - plugin: c:\program files\veoh networks\veohwebplayer\npWebPlayerVideoPluginATL.dll

    ============= SERVICES / DRIVERS ===============

    R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-3-1 325128]
    R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-3-1 27656]
    R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-3-1 107272]
    R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-3-1 298264]
    R2 Nero BackItUp Scheduler 4.0;Nero BackItUp Scheduler 4.0;c:\program files\common files\nero\nero backitup 4\NBService.exe [2008-12-5 935208]
    S1 SASKUTIL;SASKUTIL;\??\c:\program files\superantispyware\saskutil.sys --> c:\program files\superantispyware\SASKUTIL.sys [?]
    S2 gupdate1c99c9589fb5a82;Google Update Service (gupdate1c99c9589fb5a82);c:\program files\google\update\GoogleUpdate.exe [2009-3-3 133104]
    S3 FarStoneFireWallDrive;FarStoneFireWallDrive;c:\windows\system32\drivers\fardrive.sys --> c:\windows\system32\drivers\FarDrive.sys [?]

    =============== Created Last 30 ================

    2009-03-03 16:05 <DIR> a-dshr-- C:\cmdcons
    2009-03-03 16:03 161,792 a------- c:\windows\SWREG.exe
    2009-03-03 16:03 98,816 a------- c:\windows\sed.exe
    2009-03-02 07:57 69,120 ac------ c:\windows\system32\dllcache\notepad.exe
    2009-03-02 07:57 69,120 a------- c:\windows\notepad.exe
    2009-03-01 16:39 <DIR> --d-h--- C:\$AVG8.VAULT$
    2009-03-01 15:35 107,272 a------- c:\windows\system32\drivers\avgtdix.sys
    2009-03-01 15:35 10,520 a------- c:\windows\system32\avgrsstx.dll
    2009-03-01 15:35 325,128 a------- c:\windows\system32\drivers\avgldx86.sys
    2009-03-01 15:35 <DIR> --d----- c:\windows\system32\drivers\Avg
    2009-03-01 15:34 <DIR> --d----- c:\program files\AVG
    2009-03-01 15:34 <DIR> --d----- c:\docume~1\alluse~1\applic~1\avg8
    2009-03-01 15:22 <DIR> --d----- c:\docume~1\owner\applic~1\True Sword
    2009-03-01 15:20 <DIR> --d----- c:\program files\True Sword 5
    2009-02-28 22:37 4,767 a------- c:\windows\Irremote.ini
    2009-02-28 22:02 <DIR> --d----- c:\program files\Nero
    2009-02-28 22:01 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Nero
    2009-02-28 18:20 <DIR> --d----- C:\RecoveryCD
    2009-02-28 17:14 <DIR> --d----- c:\program files\CCleaner
    2009-02-28 13:41 <DIR> -cd-h--- c:\windows\ie8
    2009-02-28 12:42 14,336 a------- c:\windows\system32\ff_vfw.dll
    2009-02-28 12:42 547 a------- c:\windows\system32\ff_vfw.dll.manifest
    2009-02-28 12:42 <DIR> --d----- c:\program files\ffdshow
    2009-02-28 12:03 <DIR> --d----- c:\program files\Veoh Networks
    2009-02-24 21:05 1,089,593 -c------ c:\windows\system32\dllcache\ntprint.cat
    2009-02-15 22:14 <DIR> --d----- c:\documents and settings\owner\.thumbnails
    2009-02-15 22:13 <DIR> --d----- c:\documents and settings\owner\.gimp-2.6
    2009-02-15 22:12 <DIR> --d----- c:\documents and settings\owner\.gegl-0.0
    2009-02-15 22:10 <DIR> --d----- c:\program files\GIMP-2.0
    2009-02-12 23:21 131,072 a------- c:\windows\system32\SAgent4.exe
    2009-02-10 21:07 32,768 a------- c:\windows\system32\Wnaspi32.dll
    2009-02-10 21:07 57,344 a------- c:\windows\system32\Wnaspint.dll
    2009-02-10 21:07 <DIR> --d----- c:\docume~1\owner\applic~1\Acoustica
    2009-02-10 21:07 <DIR> --d----- c:\program files\Acoustica MP3 CD Burner
    2009-02-10 12:40 <DIR> --d----- c:\docume~1\owner\applic~1\Camfrog
    2009-02-06 00:27 <DIR> --d----- c:\program files\Realtek AC97
    2009-02-05 23:24 1,123,696 a------- c:\windows\system32\D3DCompiler_33.dll
    2009-02-05 23:12 <DIR> --d-h--- c:\windows\msdownld.tmp
    2009-02-05 23:12 <DIR> --d----- c:\windows\Logs
    2009-02-03 11:55 <DIR> --dsh--- c:\documents and settings\owner\IECompatCache
    2009-02-03 11:53 <DIR> --dsh--- c:\documents and settings\owner\PrivacIE
    2009-02-03 11:53 <DIR> --dsh--- c:\documents and settings\owner\IETldCache
    2009-02-03 11:50 0 a------- c:\windows\EEventManager.INI
    2009-02-03 11:49 <DIR> --d----- c:\windows\ie8updates
    2009-02-03 11:43 79,360 -c------ c:\windows\system32\dllcache\iecompat.dll
    2009-02-03 11:20 <DIR> --d----- c:\program files\common files\EPSON
    2009-02-03 10:21 <DIR> --d----- c:\program files\Epson Software
    2009-02-03 10:20 <DIR> --d----- c:\program files\EpsonNet
    2009-02-03 10:19 86,528 a------- c:\windows\system32\E_FLBEKA.DLL
    2009-02-03 10:19 78,848 a------- c:\windows\system32\E_FD4BEKA.DLL
    2009-02-03 10:18 9,216 a------- c:\windows\system32\escdev.dll
    2009-02-03 10:17 79 a------- c:\windows\EPWF600.ini

    ==================== Find3M ====================

    2009-01-31 00:50 34 a------- c:\documents and settings\owner\jagex_runescape_preferences.dat
    2009-01-29 12:35 4,706 a------- c:\windows\system32\PerfStringBackup.TMP
    2009-01-16 16:24 348,160 a------- c:\windows\system32\msvcr71.dll
    2009-01-16 16:24 499,712 a------- c:\windows\system32\msvcp71.dll
    2009-01-15 02:05 911,872 a------- c:\windows\system32\wininet.dll
    2009-01-15 02:05 43,008 a------- c:\windows\system32\licmgr10.dll
    2009-01-15 02:04 18,944 a------- c:\windows\system32\corpol.dll
    2009-01-15 02:03 420,352 a------- c:\windows\system32\vbscript.dll
    2009-01-15 02:03 72,704 a------- c:\windows\system32\admparse.dll
    2009-01-15 02:03 71,680 a------- c:\windows\system32\iesetup.dll
    2009-01-15 02:01 34,304 a------- c:\windows\system32\imgutil.dll
    2009-01-15 02:00 48,128 a------- c:\windows\system32\mshtmler.dll
    2009-01-15 02:00 45,568 a------- c:\windows\system32\mshta.exe
    2009-01-15 01:50 156,160 a------- c:\windows\system32\msls31.dll
    2009-01-11 14:27 410,984 a------- c:\windows\system32\deploytk.dll
    2009-01-09 18:39 4,096 a------- c:\windows\d3dx.dat
    2009-01-04 18:38 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
    2009-01-04 18:38 15,504 a------- c:\windows\system32\drivers\mbam.sys
    2006-04-02 22:26 9,583,368 a------- c:\documents and settings\owner\DesktopDoctor1.5.1.exe

    ============= FINISH: 17:43:06.06 ===============
     
  9. 2009/03/04
    Xpress

    nope. I still cannot use IE. When I open it, it's a blank screen and it won't go to any page. I can't click on the X to close it, only with ctrl+alt+del. I can't go to any page whatsoever or even go into the menu using the IE browser. :(
     
  10. 2009/03/04
    Juliet

    Juliet Well-Known Member

    Joined:
    2008/09/15
    Messages:
    976
    Likes Received:
    6
    What Kaspersky found will be removed when we uninstall Combofix.

    Next, launch Notepad (Start > Run, type in: notepad), then copy and paste the text below into it (don't forget to copy and paste REGEDIT4):
    REGEDIT4

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
    "KAZAA"=-


    Save this as fix.reg and change the "Save as type" to "All Files" and place it on your desktop.
    Double-click on it and when it asks you if you want to merge the contents to the registry, click "Yes" or "OK". You should receive a message that it was successful. You may delete the file afterwards.


    Check your firewall settings that IE has not been blocked.
    If no success there you may have to uninstall IE then reinstall.



    Download GMER Rootkit Scanner from here.
    • Extract the contents of the zipped file to desktop.
    • Double click GMER.exe. If asked to allow gmer.sys driver to load, please consent.
    • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.
    • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
      • Sections
      • IAT/EAT
      • Drives/Partition other than Systemdrive (typically C:\)
      • Show All (don't miss this one)
    • Then click the Scan button & wait for it to finish.
    • Once done click on the [Save..] button, and in the File name area, type in ark.txt
    Save it where you can easily find it, such as your desktop then post the contents here.

    **Caution**
    Rootkit scans often produce false positives. Do NOT take action on any <---- ROOTKIT entries
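What merging fix.reg does, shown as an added example rather than code from the thread, ComboFix or Microsoft: a small Python model of the REGEDIT4 format applied to the run- entries from the ComboFix log. The registry is a plain dict seeded with values copied from the log, so nothing touches a real registry; the `"name"=-` and `[-Key]` deletion forms and the header check follow the documented .reg syntax.

```python
"""Model what merging a REGEDIT4 file such as fix.reg does (added example)."""
import re

DELETE = object()  # sentinel for the "name"=- (delete value) form

# Key path and run- entries copied from the ComboFix log above; this dict
# stands in for the real registry, so nothing here touches the machine.
RUN_MINUS = r"HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-"
SAMPLE_REGISTRY: dict[str, dict[str, object]] = {
    RUN_MINUS: {
        "QuickTime Task": r'"c:\program files\QuickTime\qttask.exe" -atboottime',
        "SunJavaUpdateSched": r'"c:\program files\Java\jre6\bin\jusched.exe"',
        "KAZAA": r"c:\program files\Kazaa\kazaa.exe /SYSTRAY",
        "TkBellExe": r'"c:\program files\Common Files\Real\Update_OB\realsched.exe" -osboot',
    },
}

# The fix from the post above: "name"=- removes one value and leaves the key.
FIX_REG = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"KAZAA"=-
"""

_HEADERS = ("REGEDIT4", "WINDOWS REGISTRY EDITOR VERSION 5.00")
_KEY_RE = re.compile(r"^\[(-?)(.+)\]$")                 # [Key] selects, [-Key] deletes
_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')   # "name"=data


def _unescape(s: str) -> str:
    """.reg files escape backslash and double quote inside quoted strings."""
    return re.sub(r'\\(["\\])', r"\1", s)


def parse_data(raw: str) -> object:
    """Decode the right-hand side of a value line: delete marker, string or dword."""
    raw = raw.strip()
    if raw == "-":
        return DELETE
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        return _unescape(raw[1:-1])
    m = re.match(r"^dword:([0-9a-fA-F]{1,8})$", raw)
    if m:
        return int(m.group(1), 16)
    raise ValueError(f"unsupported data (hex/multi-line not modelled): {raw!r}")


def apply_reg(text: str, registry: dict[str, dict[str, object]]) -> list[str]:
    """Apply REGEDIT4 text to the model and return the list of changes made.
    Keys/value names match case-insensitively, as in regedit; a missing header is rejected."""
    lines = [ln.strip() for ln in text.splitlines()]
    lines = [ln for ln in lines if ln and not ln.startswith(";")]
    if not lines or lines[0].upper() not in _HEADERS:
        raise ValueError("missing REGEDIT4 header; regedit would not merge this file")
    index = {k.lower(): k for k in registry}  # lower-cased path -> stored path
    current = None
    changes: list[str] = []
    for ln in lines[1:]:
        m = _KEY_RE.match(ln)
        if m:
            delete, path = m.group(1) == "-", m.group(2)
            actual = index.get(path.lower())
            if delete:
                if actual is not None:
                    del registry[actual]
                    del index[path.lower()]
                    changes.append(f"deleted key {actual}")
                current = None
                continue
            if actual is None:  # [Key] creates the key if it does not exist
                actual = index[path.lower()] = path
                registry[actual] = {}
                changes.append(f"created key {actual}")
            current = actual
            continue
        if current is None:
            raise ValueError(f"value line outside any [key] section: {ln!r}")
        if ln.startswith("@="):  # @ is the key's default value
            name, raw = "", ln[2:]
        else:
            m = _VALUE_RE.match(ln)
            if not m:
                raise ValueError(f"unparseable line: {ln!r}")
            name, raw = _unescape(m.group(1)), m.group(2)
        values = registry[current]
        existing = next((n for n in values if n.lower() == name.lower()), None)
        data = parse_data(raw)
        if data is DELETE:
            if existing is not None:  # deleting an absent value is a no-op
                del values[existing]
                changes.append(f"deleted value {existing!r} from {current}")
        else:
            values[existing if existing is not None else name] = data
            changes.append(f"set value {name!r} in {current}")
    return changes


def demo() -> tuple[list[str], dict[str, dict[str, object]]]:
    """Merge fix.reg into a copy of the sample registry; return (changes, registry)."""
    registry = {k: dict(v) for k, v in SAMPLE_REGISTRY.items()}
    return apply_reg(FIX_REG, registry), registry
```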
     
  11. 2009/03/04
    Juliet

    Also

    Please download GooredFix from one of the locations below and save it to your Desktop.
    Download Mirror #1
    Download Mirror #2
    • Double-click GooredFix.exe to run it.
    • Select 1. Find Goored (no fix) by typing 1 and pressing Enter.
    • A log will open, please post the contents of that log in your next reply (it can also be found on your desktop, called GooredLog.txt).
    Note: Do not run Option #2 yet.
     
  12. 2009/03/05
    Xpress

    ARK.txt, GooredLog.txt

    WOW! You've got EXTENSIVE skill there Juliet! How long have you been doing this? lolz It feels so good to finally get some help about this, seriously though. :cool: thanks so much!

    --------------------------------------------------------------------------
    GMER 1.0.14.14536 - http://www.gmer.net
    Rootkit scan 2009-03-05 09:30:06
    Windows 5.1.2600 Service Pack 3


    ---- Disk sectors - GMER 1.0.14 ----

    Disk \Device\Harddisk0\DR0 sector 00: rootkit-like behavior; MBR rootkit code detected <-- ROOTKIT !!!
    Disk \Device\Harddisk0\DR0 sector 60: rootkit-like behavior;
    Disk \Device\Harddisk0\DR0 sector 61: rootkit-like behavior; malicious code @ sector 0x995c69a size 0x1c1
    Disk \Device\Harddisk0\DR0 sector 62: rootkit-like behavior; copy of MBR

    ---- Devices - GMER 1.0.14 ----

    AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
    AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\Tcpip \Device\Ip ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
    AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\Tcpip \Device\Tcp ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
    AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\Tcpip \Device\Udp ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
    AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\Tcpip \Device\RawIp ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)

    ---- Threads - GMER 1.0.14 ----

    Thread 4:1748 8264E190
    Thread 4:1872 8263C1B0
    Thread 4:1792 826816A0
    Thread 4:1700 8261F540
    Thread 4:3488 8264E190
    Thread 4:632 8263C1B0
    Thread 4:396 826816A0
    Thread 4:360 8261F540

    ---- EOF - GMER 1.0.14 ----

    --------------------------------------------------------------------------
    GooredFix v1.91 by jpshortstuff
    Log created at 09:30 on 05/03/2009 running Option #1 (Owner)
    Firefox version 3.0.7 (en-US)

    =====Suspect Goored Entries=====

    =====Dumping Registry Values=====

    [HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.7\extensions]
    "Plugins"="C:\Program Files\Mozilla Firefox\plugins"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.7\extensions]
    "Components"="C:\Program Files\Mozilla Firefox\components"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
    "{3f963a5b-e555-4543-90e2-c3908898db71}"="C:\Program Files\AVG\AVG8\Firefox"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
    "{20a82645-c095-46ed-80e3-08825760534b}"="C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
    "jqs@sun.com"="C:\Program Files\Java\jre6\lib\deploy\jqs\ff"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
    "{3112ca9c-de6d-4884-a869-9855de68056c}"="C:\Documents and Settings\All Users\Application Data\Mozilla\Firefox Extensions\{3112ca9c-de6d-4884-a869-9855de68056c}"
     
  13. 2009/03/05
    Juliet (Well-Known Member)
    Welcome back

    I've been working logs a couple of years and still don't know enough.


    Download Gmer's mbr.exe to your desktop.
    Click the downloaded file to run the scan (a window will open briefly, then close). The scan will create an mbr.log on your desktop. Please copy/paste its contents in your next reply.
     
  14. 2009/03/05
    Xpress (Thread Starter)
    mbr.log

    Stealth MBR rootkit detector 0.2.4 by Gmer, http://www.gmer.net

    device: opened successfully
    user: MBR read successfully
    kernel: MBR read successfully
    MBR rootkit code detected !
    malicious code @ sector 0x995c69a size 0x1c1 !
    copy of MBR has been found in sector 62 !
    MBR rootkit infection detected ! Use: "mbr.exe -f" to fix.
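The two logs above agree on the same three facts: sector 0 carries code the tools do not recognise, a copy of the MBR sits in sector 62, and more code lives at sector 0x995c69a. The check below is an added example, not part of the thread and not how GMER or mbr.exe are implemented: it compares a live MBR with a saved copy and asks whether the reported sector lies inside any partition. A bootkit has to leave the partition table alone or the machine stops booting, so "same table, different boot code" is the pattern to look for. The boot-code bytes, disk signature and partition geometry are constructed; only the 512-byte MBR layout (boot code, table at offset 446, 55AA trailer) is real.

```python
"""
Added example: compare an MBR with a saved copy and locate a reported code sector.
Not GMER/mbr.exe code; all sector contents and partition numbers are constructed.
"""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE = slice(0, 440)      # x86 boot loader code
PART_TABLE = slice(446, 510)   # four 16-byte partition entries
MBR_SIGNATURE = b"\x55\xaa"    # bytes 510..511


def make_mbr(boot_code: bytes, partitions) -> bytes:
    """Build a constructed MBR sector: code, a fixed disk signature, table, 55AA."""
    code = boot_code.ljust(440, b"\x00")[:440]
    table = b"".join(
        struct.pack("<BBBBBBBBII", 0x80 if bootable else 0, 0, 0, 0, ptype, 0, 0, 0, lba, count)
        for bootable, ptype, lba, count in partitions
    ).ljust(64, b"\x00")
    return code + b"\x12\x34\x56\x78" + b"\x00\x00" + table + MBR_SIGNATURE


def parse_partition_table(sector: bytes):
    """Return the non-empty entries as (bootable, type, start_lba, sector_count)."""
    entries = []
    for k in range(4):
        raw = sector[446 + 16 * k: 446 + 16 * (k + 1)]
        boot, _, _, _, ptype, _, _, _, lba, count = struct.unpack("<BBBBBBBBII", raw)
        if ptype:
            entries.append((boot == 0x80, ptype, lba, count))
    return entries


def lba_inside_partition(entries, lba: int) -> bool:
    """True if the sector lies within some partition; code outside every partition is unexplained by the filesystem."""
    return any(start <= lba < start + count for _, _, start, count in entries)


def compare_mbr_with_copy(live: bytes, saved_copy: bytes) -> dict:
    """
    Compare the MBR the disk boots from (sector 0) with a copy found elsewhere
    (sector 62 in the logs). An identical partition table with different boot
    code means the loader was swapped while the geometry was kept bootable.
    """
    findings = []
    for name, s in (("live MBR", live), ("saved copy", saved_copy)):
        if len(s) != SECTOR_SIZE or s[510:512] != MBR_SIGNATURE:
            findings.append(f"{name}: not a valid MBR (bad length or missing 55AA)")
    same_table = live[PART_TABLE] == saved_copy[PART_TABLE]
    same_code = live[BOOT_CODE] == saved_copy[BOOT_CODE]
    if same_table and not same_code:
        findings.append("boot code replaced, partition table preserved: bootkit-style MBR patch")
    elif not same_table:
        findings.append("partition tables differ: the copy is not this disk's MBR")
    return {
        "same_partition_table": same_table,
        "same_boot_code": same_code,
        "live_boot_code_sha256": hashlib.sha256(live[BOOT_CODE]).hexdigest(),
        "copy_boot_code_sha256": hashlib.sha256(saved_copy[BOOT_CODE]).hexdigest(),
        "findings": findings,
    }


# Constructed disk: one bootable NTFS (0x07) partition starting at LBA 63 (XP's default offset).
PARTITIONS = [(True, 0x07, 63, 0x09000000)]
ORIGINAL_BOOT_CODE = b"\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 40   # constructed stand-in for the stock loader
PATCHED_BOOT_CODE = b"\xea\x00\x7c\x00\x00" + b"\xcc" * 40           # constructed stand-in for a hooked loader

ORIGINAL_MBR = make_mbr(ORIGINAL_BOOT_CODE, PARTITIONS)   # playing the role of the copy in sector 62
LIVE_MBR = make_mbr(PATCHED_BOOT_CODE, PARTITIONS)        # playing the role of sector 0
REPORTED_CODE_SECTOR = 0x995C69A                          # the sector both logs quote


def analyse() -> dict:
    """Run the comparison and report whether the quoted code sector belongs to any partition."""
    report = compare_mbr_with_copy(LIVE_MBR, ORIGINAL_MBR)
    report["code_sector_inside_a_partition"] = lba_inside_partition(
        parse_partition_table(LIVE_MBR), REPORTED_CODE_SECTOR)
    return report


if __name__ == "__main__":
    for key, value in analyse().items():
        print(f"{key}: {value}")
```

On a real disk you would read sector 0 and sector 62 with raw device access and feed those 512-byte buffers to compare_mbr_with_copy; the parsed table then tells you whether a sector like 0x995c69a sits in unpartitioned space at the end of the drive, which is where a bootkit that only patches the MBR has to park the rest of its body.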
     
  15. 2009/03/05
    Juliet (Well-Known Member)
    OK, what I want you to do is make sure mbr.exe is on the C: drive.

    If not, move mbr.exe directly to the C:\ drive.

    Click Start>My Computer and double-click on C:\

    Once it's opened, simply drag and drop mbr.exe into an empty spot in that window.


    After it's been moved to the C:\ drive....


    Click Start>Run and copy/paste the following into the Run box and click OK:

    mbr.exe -f

    It will produce a report at C:\mbr.log. Please post the contents of that new log.
     
  16. 2009/03/05
    Xpress (Thread Starter)
    OK. It says "unable to find". I also tried moving it to C:\windows\, but to no avail. What should I do next?
     
  17. 2009/03/05
    Juliet (Well-Known Member)
    Delete what you have, we'll start over

    Download Gmer's mbr.exe to your C:\ directory

    Click Start>Run and copy/paste the following into the Run box and click OK:

    mbr.exe -f

    It will produce a report at C:\mbr.log. Please post the contents of that new log.
     
  18. 2009/03/05
    Xpress (Thread Starter)
    Nope, still no luck. I changed the download location in the Tools menu of Firefox.
     
  19. 2009/03/05
    Juliet (Well-Known Member)
    Try this: see if you can move it back to the desktop.
    If not, delete it and download it again to the desktop.

    Click Start >> Run and copy/paste the following into the run box.

    %userprofile%\Desktop\mbr.exe -f

    Please post the log it produces



    After the fix runs reboot the computer.
     
    Last edited: 2009/03/05
  20. 2009/03/05
    Xpress (Thread Starter)
    Hun.. Juliet. Nothing is working... :confused: I erased it, then put it back on the desktop. What do you think is up?
     
  21. 2009/03/05
    Xpress (Thread Starter)
    It says:
    "Windows cannot find 'C:\Documents'. Make sure you typed the name correctly, and then try again. To search for a file, click the Start button, and then click Search."
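The error quoted in the post above is the unquoted-path problem: on XP, %userprofile% expands to a path under C:\Documents and Settings, and without quotes the Run box treats the text up to the first space as the program, which is exactly the 'C:\Documents' it says it cannot find. The following is an added example, not from the thread: a re-implementation of the Windows command-line splitting rules (the MSVCRT / CommandLineToArgvW rules) that reproduces the split and shows the quoted form that survives it. The GooredFix log shows the account is "Owner"; the full profile path used here is an assumption.

```python
"""
Added example (not from the thread): Windows command-line splitting, used to
show why the Run box reported 'C:\\Documents' as the program it could not find.
"""

# Assumed expansion of %userprofile% on the XP Home machine in the thread; the
# GooredFix log shows the account is "Owner", the full profile path is a guess.
ASSUMED_ENV = {"userprofile": r"C:\Documents and Settings\Owner"}


def expand_env(cmdline: str, env: dict) -> str:
    """Expand %NAME% references case-insensitively, as the shell does; unknown names stay as typed."""
    out, i = [], 0
    while i < len(cmdline):
        if cmdline[i] == "%":
            end = cmdline.find("%", i + 1)
            if end != -1:
                value = env.get(cmdline[i + 1:end].lower())
                if value is not None:
                    out.append(value)
                    i = end + 1
                    continue
        out.append(cmdline[i])
        i += 1
    return "".join(out)


def split_windows_cmdline(cmdline: str) -> list:
    """
    Split a command line into argv using the MSVCRT rules:
      - whitespace separates arguments unless inside double quotes;
      - a double quote toggles quoted mode and is dropped;
      - 2n backslashes before a quote become n backslashes and the quote toggles;
      - 2n+1 backslashes before a quote become n backslashes plus a literal quote;
      - backslashes not followed by a quote are literal, so paths pass through intact.
    """
    args, cur, in_quotes, have_token = [], [], False, False
    i, n = 0, len(cmdline)
    while i < n:
        c = cmdline[i]
        if c == "\\":
            j = i
            while j < n and cmdline[j] == "\\":
                j += 1
            count = j - i
            if j < n and cmdline[j] == '"':
                cur.append("\\" * (count // 2))
                if count % 2:
                    cur.append('"')
                else:
                    in_quotes = not in_quotes
                i = j + 1
            else:
                cur.append("\\" * count)
                i = j
            have_token = True
        elif c == '"':
            in_quotes = not in_quotes
            have_token = True
            i += 1
        elif c in " \t" and not in_quotes:
            if have_token:
                args.append("".join(cur))
                cur, have_token = [], False
            i += 1
        else:
            cur.append(c)
            have_token = True
            i += 1
    if have_token:
        args.append("".join(cur))
    return args


def resolve_run_command(cmdline: str, env: dict = ASSUMED_ENV):
    """Return (program, arguments) after expansion and splitting: argv[0] is the name that gets looked up."""
    argv = split_windows_cmdline(expand_env(cmdline, env))
    return argv[0], argv[1:]


if __name__ == "__main__":
    for typed in (r"%userprofile%\Desktop\mbr.exe -f", r'"%userprofile%\Desktop\mbr.exe" -f'):
        program, arguments = resolve_run_command(typed)
        print(f"{typed!r:45} -> program={program!r} args={arguments}")
```

The practical fix is to quote the program path and leave the switch outside the quotes, "%userprofile%\Desktop\mbr.exe" -f, or to change directory to the desktop first and run mbr.exe -f from there. The same splitting rules explain the other classic trap: a path that ends in a backslash immediately before the closing quote, such as "C:\Program Files\", swallows the quote as a literal character.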
     