''File cannot be executed. The file ______ is infected.'' Problem

[arkainus]

Hello,

I have been getting this error since yesterday, and I'm a bit confused on what to do. I am unable to open anything, because every time I try to do so, a pop up appears saying ''File cannot be executed. The file ______ is infected.'' I also get a lot of false antivirus alerts.

Any advice to completely recover my computer would be greatly appreciated.

[Dr Jay]

Hello! We need to do some diagnostics to get started.

1. Please download Profiles by noahdfear.

• Save it to your desktop.
• Double-click profiles.exe and post its log when you reply

2. Download Win32kDiag by ad13 and save it to your Desktop.

• Double-click Win32kDiag.exe to run Win32kDiag and let it finish.
  
• When it states "Finished! Press any key to exit...", press any key on your keyboard to close the program.
  
• Double-click on the Win32kDiag.txt file that is located on your Desktop and post the entire contents of that log as a reply to this topic.

3. Please download <a href="http://www.helpmyos.com/Cheetah-php-h15.htm?cheetah.zip" target="_blank">Cheetah-Anti-Rogue[/url][/b] by me, and save to your Desktop.

• Double-click on Cheetah-Anti-Rogue.zip, and extract the file to your Desktop.
• Double-click on Cheetah-Anti-Rogue.cmd to start.
• It will finish quickly and launch a log.
• Post the contents of it in your next reply.

4. In your next reply, please post the following logs for my review:

• Profiles log (1)
• Win32kDiag log (2)
• Cheetah log (3)

Thanks! :)

[arkainus]

I downloaded all three of the files, but I could not open any because the pop up saying ''File cannot be executed. The file ______ is infected.'' appeared and closed the program. Is the anything else I can do?

[Dr Jay]

RKill by Grinler
Link #1
Link #2
Link #3

• Download Link #1.
  
• Save it to your Desktop.
  
• Double click the RKill desktop icon.
  If you are using Vista please right click and run as Admin!
  
• A black screen will briefly flash indicating a successful run.
• If this does not occur please delete that application and download Link #2.
  
• Continue process until the tool runs.
• If the tool does not run from any of the links tell me about it.

This only kills the active infection, the actual infection will not be gone.

Then, please try to run the tools again.

[arkainus]

Log 1


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-18
    ProfileImagePath    REG_EXPAND_SZ    %systemroot%\system32\config\systemprofile

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-19
    ProfileImagePath    REG_EXPAND_SZ    %SystemRoot%\ServiceProfiles\LocalService

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-20
    ProfileImagePath    REG_EXPAND_SZ    %SystemRoot%\ServiceProfiles\NetworkService

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-3988202556-4294345629-2372359041-1003
    ProfileImagePath    REG_EXPAND_SZ    C:\Users\Sean

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-3988202556-4294345629-2372359041-1004
    ProfileImagePath    REG_EXPAND_SZ    C:\Users\Kimmy

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-3988202556-4294345629-2372359041-1005
    ProfileImagePath    REG_EXPAND_SZ    C:\Users\Mommy and Daddy

    ProfileImagePath    REG_EXPAND_SZ    %SystemRoot%\ServiceProfiles\LocalService
    ProfileImagePath    REG_EXPAND_SZ    %SystemRoot%\ServiceProfiles\NetworkService
    SystemRoot    REG_SZ    C:\Windows


Log 3


Cheetah-Anti-Rogue v1.4.1
by DragonMaster Jay

Microsoft Windows [Version 6.0.6000]
Date: 21/04/2010 - Time: 18:05:18 - Arch.: x86
 
 
-- Malware removal tools check --
User has Sandboxie installed!
Sandboxie
Malwarebytes' Anti-Malware
SUPERAntiSpyware
 
 
-- Known infection --
 
C:\Program Files\FunWebProducts (Adw.MyWebSearch)
C:\Program Files\MyWebSearch (Adw.MyWebSearch)
C:\Windows\system32\f3PSSavr.scr (Adw.MyWebSearch!3M)
C:\Program Files\Windows Live\Messenger\riched20.dll (Adw.MyWebSearch)
 
 
Extra message: Detection only.
 
 
EOF


The 2nd program stopped because it said that it cannot access C:\Windows\Syetem32\LogFiles\WMI\RtBackup\EtwRTDiaLog.et1

I am very thankful for your help, please advise me on what to do next.

[Dr Jay]

Please visit this webpage for a tutorial on downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

See the area: Using ComboFix, and when done, post the log back here.

[arkainus]

Here is the log

ComboFix 10-04-21.01 - Sean 22/04/2010   1:41.1.2 - x86
Microsoft® Windows Vista™ Home Premium   6.0.6000.0.1252.2.1033.18.1917.1152 [GMT -4:00]
Running from: c:\users\Sean\Desktop\ComboFix.exe
AV: avast! antivirus 4.8.1368 [VPS 100421-1] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
SP: avast! antivirus 4.8.1368 [VPS 100421-1] *disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\$recycle.bin\S-1-5-21-1731352543-3892579127-1766459742-500
c:\$recycle.bin\S-1-5-21-2152478756-3922319563-605102323-500
c:\program files\Cheat Engine\dbk32.sys
c:\program files\mjc
c:\program files\racle~1
c:\program files\Sakora
c:\users\Kimmy\AppData\Local\Microsoft\Windows\Temporary Internet Files\CPV.stt
c:\users\Mommy and Daddy\AppData\Local\Microsoft\Windows\Temporary Internet Files\CPV.stt
c:\windows\curity~1
c:\windows\UA000106.DLL

.
(((((((((((((((((((((((((   Files Created from 2010-03-22 to 2010-04-22  )))))))))))))))))))))))))))))))
.

2010-04-22 05:55 . 2010-04-22 05:57   --------   d-----w-   c:\users\Sean\AppData\Local\temp
2010-04-22 05:55 . 2010-04-22 05:55   --------   d-----w-   c:\users\Default\AppData\Local\temp
2010-04-22 05:55 . 2010-04-22 05:55   --------   d-----w-   c:\users\Mommy and Daddy\AppData\Local\temp
2010-04-22 05:55 . 2010-04-22 05:55   --------   d-----w-   c:\users\Kimmy\AppData\Local\temp
2010-04-21 23:06 . 2010-04-21 23:06   --------   d-----w-   c:\program files\Microsoft ATS
2010-04-21 12:13 . 2010-02-20 23:54   24064   ----a-w-   c:\windows\system32\nshhttp.dll
2010-04-21 12:13 . 2010-02-20 23:51   31232   ----a-w-   c:\windows\system32\httpapi.dll
2010-04-21 12:13 . 2010-02-20 21:30   396800   ----a-w-   c:\windows\system32\drivers\http.sys
2010-04-21 04:00 . 2009-10-19 14:42   156672   ----a-w-   c:\windows\system32\t2embed.dll
2010-04-21 04:00 . 2009-10-19 14:39   24064   ----a-w-   c:\windows\system32\lpk.dll
2010-04-21 04:00 . 2009-10-19 14:37   72704   ----a-w-   c:\windows\system32\fontsub.dll
2010-04-21 04:00 . 2009-10-19 14:37   10240   ----a-w-   c:\windows\system32\dciman32.dll
2010-04-21 04:00 . 2009-10-19 14:36   34304   ----a-w-   c:\windows\system32\atmlib.dll
2010-04-21 04:00 . 2009-10-19 11:45   289792   ----a-w-   c:\windows\system32\atmfd.dll
2010-04-21 04:00 . 2009-12-11 12:15   306688   ----a-w-   c:\windows\system32\drivers\srv.sys
2010-04-21 04:00 . 2009-12-11 12:15   84992   ----a-w-   c:\windows\system32\drivers\srvnet.sys
2010-04-21 03:58 . 2009-08-10 13:05   2048   ----a-w-   c:\windows\system32\msxml6r.dll
2010-04-21 03:57 . 2009-08-31 15:16   428032   ----a-w-   c:\windows\system32\EncDec.dll
2010-04-21 03:57 . 2009-08-31 15:21   292352   ----a-w-   c:\windows\system32\psisdecd.dll
2010-04-21 03:57 . 2009-08-31 15:17   1244672   ----a-w-   c:\windows\system32\mcmde.dll
2010-04-21 03:57 . 2010-01-23 08:05   2048   ----a-w-   c:\windows\system32\tzres.dll
2010-04-21 03:55 . 2010-02-18 14:22   167424   ----a-w-   c:\windows\system32\tcpipcfg.dll
2010-04-21 03:55 . 2010-02-18 14:19   179712   ----a-w-   c:\windows\system32\iphlpsvc.dll
2010-04-21 03:55 . 2010-02-18 12:05   815104   ----a-w-   c:\windows\system32\drivers\tcpip.sys
2010-04-21 03:55 . 2010-02-18 12:04   25088   ----a-w-   c:\windows\system32\drivers\tunnel.sys
2010-04-21 03:55 . 2009-08-14 17:16   213592   ----a-w-   c:\windows\system32\drivers\netio.sys
2010-04-21 03:55 . 2010-02-18 12:04   22016   ----a-w-   c:\windows\system32\netiougc.exe
2010-04-21 03:55 . 2010-02-18 12:04   15360   ----a-w-   c:\windows\system32\drivers\TUNMP.SYS
2010-04-21 03:55 . 2009-08-14 14:01   2031104   ----a-w-   c:\windows\system32\win32k.sys
2010-04-21 03:53 . 2009-12-28 12:36   11776   ----a-w-   c:\windows\system32\tsbyuv.dll
2010-04-21 03:53 . 2009-12-28 12:34   22528   ----a-w-   c:\windows\system32\msyuv.dll
2010-04-21 03:53 . 2009-12-28 12:34   13312   ----a-w-   c:\windows\system32\msrle32.dll
2010-04-21 03:53 . 2009-12-28 12:32   50176   ----a-w-   c:\windows\system32\iyuv_32.dll
2010-04-21 03:53 . 2009-12-28 12:34   123904   ----a-w-   c:\windows\system32\msvfw32.dll
2010-04-21 03:53 . 2009-12-28 12:33   82944   ----a-w-   c:\windows\system32\mciavi32.dll
2010-04-21 03:53 . 2009-12-28 12:30   88576   ----a-w-   c:\windows\system32\avifil32.dll
2010-04-21 03:53 . 2009-12-28 12:30   65024   ----a-w-   c:\windows\system32\avicap32.dll
2010-04-21 03:53 . 2009-04-02 11:50   604672   ----a-w-   c:\windows\system32\WMSPDMOD.DLL
2010-04-21 03:43 . 2009-09-10 15:29   311296   ----a-w-   c:\windows\system32\unregmp2.exe
2010-04-21 03:43 . 2009-09-10 17:40   4096   ----a-w-   c:\windows\system32\dxmasf.dll
2010-04-21 03:43 . 2009-09-10 17:39   7680   ----a-w-   c:\windows\system32\spwmp.dll
2010-04-21 03:43 . 2009-09-10 15:29   8147968   ----a-w-   c:\windows\system32\wmploc.DLL
2010-04-21 03:41 . 2009-12-23 12:45   171520   ----a-w-   c:\windows\system32\wintrust.dll
2010-04-21 03:41 . 2010-01-13 18:23   97792   ----a-w-   c:\windows\system32\cabview.dll
2010-04-20 05:10 . 2010-04-20 05:10   52224   ----a-w-   c:\users\Sean\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-04-20 05:10 . 2010-04-20 05:10   117760   ----a-w-   c:\users\Sean\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-04-20 05:09 . 2010-04-20 05:09   --------   d-----w-   c:\programdata\SUPERAntiSpyware.com
2010-04-20 05:08 . 2010-04-20 05:08   5120   ----a-r-   c:\users\Sean\AppData\Roaming\Microsoft\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF16.exe
2010-04-20 05:08 . 2010-04-20 05:08   65024   ----a-r-   c:\users\Sean\AppData\Roaming\Microsoft\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF15.exe
2010-04-20 05:08 . 2010-04-20 05:08   18944   ----a-r-   c:\users\Sean\AppData\Roaming\Microsoft\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF13.exe
2010-04-20 05:07 . 2010-04-20 05:07   --------   d-----w-   c:\program files\SUPERAntiSpyware
2010-04-20 05:07 . 2010-04-20 05:07   --------   d-----w-   c:\users\Sean\AppData\Roaming\SUPERAntiSpyware.com
2010-04-20 04:55 . 2010-03-29 19:24   38224   ----a-w-   c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-20 04:55 . 2010-04-20 04:55   --------   d-----w-   c:\programdata\Malwarebytes
2010-04-20 04:55 . 2010-04-20 04:55   --------   d-----w-   c:\program files\Malwarebytes' Anti-Malware
2010-04-20 04:55 . 2010-03-29 19:24   20824   ----a-w-   c:\windows\system32\drivers\mbam.sys
2010-04-20 04:24 . 2010-04-20 04:24   60672   ----a-w-   c:\users\Sean\AppData\Local\syssvc.exe
2010-04-20 04:22 . 2010-04-20 22:35   --------   d-----w-   c:\users\Sean\AppData\Local\wxkagtccy
2010-04-18 22:57 . 2010-04-18 22:57   --------   d-----w-   c:\program files\FreeMind
2010-04-17 15:11 . 2010-04-17 15:11   --------   d-----w-   c:\users\Sean\AppData\Roaming\XemiComputers
2010-04-17 15:11 . 2010-04-17 15:11   --------   d-----w-   c:\program files\XemiComputers
2010-04-04 21:34 . 2010-04-04 21:34   36400   ----a-w-   c:\users\Mommy and Daddy\AppData\Roaming\Cisco\Cisco HostScan\bin\ALWIL.dll
2010-04-04 21:34 . 2010-04-04 21:34   33328   ----a-w-   c:\users\Mommy and Daddy\AppData\Roaming\Cisco\Cisco HostScan\bin\Microsoft Corporation.dll
2010-04-04 21:34 . 2010-04-04 21:34   32304   ----a-w-   c:\users\Mommy and Daddy\AppData\Roaming\Cisco\Cisco HostScan\bin\MicrosoftAV.dll
2010-04-04 21:34 . 2010-04-04 21:34   174592   ----a-w-   c:\users\Mommy and Daddy\AppData\Roaming\Cisco\Cisco HostScan\bin\64bitProxy.exe
2010-04-04 21:34 . 2010-04-04 21:34   150064   ----a-w-   c:\users\Mommy and Daddy\AppData\Roaming\Cisco\Cisco HostScan\bin\FWManager.dll
2010-04-04 21:34 . 2010-04-04 21:34   24112   ----a-w-   c:\users\Mommy and Daddy\AppData\Roaming\Cisco\Cisco HostScan\bin\AVManager.dll
2010-04-04 21:34 . 2010-04-04 21:34   151088   ----a-w-   c:\users\Mommy and Daddy\AppData\Roaming\Cisco\Cisco HostScan\bin\OPSWATAVCommon.dll
2010-04-04 21:34 . 2010-04-04 21:34   19120   ----a-w-   c:\users\Mommy and Daddy\AppData\Roaming\Cisco\Cisco HostScan\bin\libinspector.dll
2010-04-04 21:33 . 2010-04-04 21:33   14512   ----a-w-   c:\users\Mommy and Daddy\AppData\Roaming\Cisco\Cisco HostScan\bin\libdesktop.dll
2010-04-04 21:33 . 2010-04-04 21:33   47280   ----a-w-   c:\users\Mommy and Daddy\AppData\Roaming\Cisco\Cisco HostScan\bin\hostscan.exe
2010-04-04 21:33 . 2010-04-04 21:33   29872   ----a-w-   c:\users\Mommy and Daddy\AppData\Roaming\Cisco\Cisco Secure Desktop\Cache\Temp8-P00h\CSDWebLaunch.exe
2010-04-04 21:33 . 2010-04-04 21:33   --------   d-----w-   c:\users\Mommy and Daddy\AppData\Roaming\Cisco
2010-04-04 03:10 . 2010-04-04 03:10   509552   ----a-w-   c:\programdata\Google\Google Toolbar\Update\gtb563C.tmp.exe
2010-04-02 05:28 . 2010-04-02 05:28   --------   d-----w-   c:\users\Sean\AppData\Roaming\MPEG Streamclip
2010-03-31 06:00 . 2010-03-31 06:00   86016   ----a-w-   c:\windows\system32\frapsvid.dll
2010-03-25 03:16 . 2010-03-25 03:16   48788   ----a-w-   c:\users\Mommy and Daddy\AppData\Roaming\Smilebox\uninstallOctazen.exe
2010-03-25 02:34 . 2010-03-25 02:34   --------   d-----w-   c:\users\Mommy and Daddy\AppData\Local\Smilebox
2010-03-25 02:34 . 2010-03-25 03:16   --------   d-----w-   c:\users\Mommy and Daddy\AppData\Roaming\Smilebox
2010-03-25 02:34 . 2010-03-25 02:34   59313   ----a-w-   c:\users\Mommy and Daddy\AppData\Roaming\Smilebox\uninstall.exe

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-22 05:58 . 2009-11-16 03:55   --------   d-----w-   c:\program files\Common Files\Akamai
2010-04-22 05:54 . 2009-12-17 22:04   --------   d-----w-   c:\program files\Cheat Engine
2010-04-22 04:55 . 2009-04-29 02:29   --------   d-----w-   c:\programdata\Google Updater
2010-04-22 03:48 . 2008-12-06 22:13   --------   d-----w-   c:\users\Sean\AppData\Roaming\gtk-2.0
2010-04-21 22:58 . 2008-03-21 21:56   --------   d-----w-   c:\program files\OGPlanet
2010-04-21 21:50 . 2008-03-22 09:21   114936   ----a-w-   c:\users\Sean\AppData\Local\GDIPFONTCACHEV1.DAT
2010-04-21 21:44 . 2009-11-15 22:43   --------   d-----w-   c:\program files\Microsoft Silverlight
2010-04-21 13:00 . 2006-11-02 11:18   --------   d-----w-   c:\program files\Windows Mail
2010-04-21 12:58 . 2007-09-02 11:39   --------   d-----w-   c:\programdata\Microsoft Help
2010-04-21 12:29 . 2007-09-02 11:41   --------   d-----w-   c:\program files\Microsoft Works
2010-04-21 12:18 . 2007-09-02 11:46   --------   d-----w-   c:\program files\Microsoft SQL Server
2010-04-20 05:06 . 2008-11-28 02:17   --------   d-----w-   c:\program files\Common Files\Wise Installation Wizard
2010-04-18 21:28 . 2008-04-12 21:33   --------   d-----w-   c:\users\Sean\AppData\Roaming\LimeWire
2010-04-17 15:07 . 2008-04-28 00:13   --------   d-----w-   c:\program files\Google
2010-04-16 21:54 . 2009-09-20 23:51   --------   d-----w-   c:\users\Sean\AppData\Roaming\IObit
2010-04-09 22:57 . 2008-10-04 15:51   --------   d-----w-   c:\users\Kimmy\AppData\Roaming\LimeWire
2010-04-05 18:10 . 2009-08-22 23:43   --------   d-----w-   c:\program files\Counter-Strike Source
2010-04-05 15:14 . 2009-09-06 20:29   --------   d-----w-   c:\program files\IObit
2010-04-02 18:35 . 2008-10-01 01:53   --------   d-----w-   c:\users\Sean\AppData\Roaming\Publish Providers
2010-03-09 19:15 . 2010-02-17 21:05   287368   ----a-w-   c:\users\Mommy and Daddy\AppData\Roaming\Smilebox\SmileboxTray.exe
2010-03-09 16:50 . 2010-04-21 03:55   52736   ----a-w-   c:\windows\AppPatch\iebrshim.dll
2010-02-24 14:16 . 2009-10-03 06:29   181632   ------w-   c:\windows\system32\MpSigStub.exe
2010-02-24 06:48 . 2008-06-13 01:10   --------   d-----w-   c:\users\Mommy and Daddy\AppData\Roaming\LimeWire
2010-02-24 03:00 . 2010-02-24 03:00   20480   ----a-w-   c:\users\Mommy and Daddy\AppData\Roaming\LimeWire\browser\xulrunner\components\autoconfig.dll
2010-02-24 03:00 . 2010-02-24 03:00   18944   ----a-w-   c:\users\Mommy and Daddy\AppData\Roaming\LimeWire\browser\xulrunner\components\appshell_modal.dll
2010-02-24 03:00 . 2010-02-24 03:00   17408   ----a-w-   c:\users\Mommy and Daddy\AppData\Roaming\LimeWire\browser\xulrunner\components\auth.dll
2010-02-24 03:00 . 2010-02-24 03:00   8192   ----a-w-   c:\users\Mommy and Daddy\AppData\Roaming\LimeWire\browser\xulrunner\AccessibleMarshal.dll
2010-02-24 03:00 . 2010-02-24 03:00   20480   ----a-w-   c:\users\Mommy and Daddy\AppData\Roaming\LimeWire\browser\xulrunner\IA2Marshal.dll
2010-02-23 20:46 . 2010-03-11 14:37   419040   ----a-w-   c:\windows\system32\WMInstallMgrUninst.exe
2010-02-23 20:46 . 2010-03-11 14:37   62688   ----a-w-   c:\windows\system32\WMWebLauncherUninst.exe
2010-02-23 20:46 . 2010-03-11 14:37   255200   ----a-w-   c:\windows\system32\SystemObserver.dll
2010-02-23 20:46 . 2010-03-11 14:37   54496   ----a-w-   c:\windows\system32\GetInfoLauncher.exe
2010-02-23 13:14 . 2010-04-21 03:58   211968   ----a-w-   c:\windows\system32\drivers\mrxsmb10.sys
2010-02-23 13:14 . 2010-04-21 03:58   58368   ----a-w-   c:\windows\system32\drivers\mrxsmb20.sys
2010-02-23 13:14 . 2010-04-21 03:58   102400   ----a-w-   c:\windows\system32\drivers\mrxsmb.sys
2010-02-19 23:47 . 2010-02-19 23:47   3604480   ----a-w-   c:\windows\system32\GPhotos.scr
2010-02-18 14:54 . 2010-04-21 03:58   3502480   ----a-w-   c:\windows\system32\ntkrnlpa.exe
2010-02-18 14:54 . 2010-04-21 03:58   3468168   ----a-w-   c:\windows\system32\ntoskrnl.exe
2010-02-17 21:05 . 2010-02-18 00:50   397960   ----a-w-   c:\users\Mommy and Daddy\AppData\Roaming\Smilebox\SmileboxStarter.exe
2010-02-17 21:05 . 2010-02-18 00:10   168584   ----a-w-   c:\users\Mommy and Daddy\AppData\Roaming\Smilebox\SmileboxBrowserEngine.dll
2010-02-17 21:05 . 2010-02-17 21:05   217736   ----a-w-   c:\users\Mommy and Daddy\AppData\Roaming\Smilebox\SmileboxDvd.exe
2010-02-17 20:50 . 2010-02-17 20:50   1602184   ----a-w-   c:\users\Mommy and Daddy\AppData\Roaming\Smilebox\SmileboxClient.exe
2010-02-17 20:10 . 2010-02-17 20:10   344712   ----a-w-   c:\users\Mommy and Daddy\AppData\Roaming\Smilebox\SmileboxDvdEngine.dll
2010-02-17 20:10 . 2010-02-17 20:10   135816   ----a-w-   c:\users\Mommy and Daddy\AppData\Roaming\Smilebox\SmileboxUpdater.exe
2010-02-11 03:16 . 2010-02-11 03:16   41872   ----a-w-   c:\windows\system32\xfcodec.dll
2010-01-30 17:41 . 2010-01-30 17:41   282624   ----a-w-   c:\users\Sean\AppData\Roaming\LimeWire\browser\xulrunner\components\websrvcs.dll
2010-01-30 17:41 . 2010-01-30 17:41   200704   ----a-w-   c:\users\Sean\AppData\Roaming\LimeWire\browser\xulrunner\components\transformiix.dll
2010-01-30 17:41 . 2010-01-30 17:41   15872   ----a-w-   c:\users\Sean\AppData\Roaming\LimeWire\browser\xulrunner\components\xmlextras.dll
2010-01-30 17:41 . 2010-01-30 17:41   110592   ----a-w-   c:\users\Sean\AppData\Roaming\LimeWire\browser\xulrunner\components\universalchardet.dll
2010-01-30 17:41 . 2010-01-30 17:41   19968   ----a-w-   c:\users\Sean\AppData\Roaming\LimeWire\browser\xulrunner\components\pippki.dll
2010-01-30 17:41 . 2010-01-30 17:41   225280   ----a-w-   c:\users\Sean\AppData\Roaming\LimeWire\browser\xulrunner\components\pipnss.dll
2010-01-30 17:41 . 2010-01-30 17:41   20992   ----a-w-   c:\users\Sean\AppData\Roaming\LimeWire\browser\xulrunner\components\pipboot.dll
2010-01-30 17:41 . 2010-01-30 17:41   20480   ----a-w-   c:\users\Sean\AppData\Roaming\LimeWire\browser\xulrunner\components\autoconfig.dll
2010-01-30 17:41 . 2010-01-30 17:41   18944   ----a-w-   c:\users\Sean\AppData\Roaming\LimeWire\browser\xulrunner\components\appshell_modal.dll
2010-01-30 17:41 . 2010-01-30 17:41   17408   ----a-w-   c:\users\Sean\AppData\Roaming\LimeWire\browser\xulrunner\components\auth.dll
2010-01-30 17:41 . 2010-01-30 17:41   8192   ----a-w-   c:\users\Sean\AppData\Roaming\LimeWire\browser\xulrunner\AccessibleMarshal.dll
2010-01-30 17:41 . 2010-01-30 17:41   20480   ----a-w-   c:\users\Sean\AppData\Roaming\LimeWire\browser\xulrunner\IA2Marshal.dll
2010-01-25 12:58 . 2010-04-21 03:54   473088   ----a-w-   c:\windows\system32\secproc_isv.dll
2010-01-25 12:58 . 2010-04-21 03:54   154624   ----a-w-   c:\windows\system32\secproc_ssp_isv.dll
2010-01-25 12:58 . 2010-04-21 03:54   154112   ----a-w-   c:\windows\system32\secproc_ssp.dll
2010-01-25 12:58 . 2010-04-21 03:54   472576   ----a-w-   c:\windows\system32\secproc.dll
2010-01-25 12:56 . 2010-04-21 03:54   312320   ----a-w-   c:\windows\system32\msdrm.dll
2010-01-25 08:36 . 2010-04-21 03:54   435712   ----a-w-   c:\windows\system32\RMActivate_ssp.exe
2010-01-25 08:36 . 2010-04-21 03:54   515584   ----a-w-   c:\windows\system32\RMActivate.exe
2010-01-25 08:36 . 2010-04-21 03:54   431104   ----a-w-   c:\windows\system32\RMActivate_ssp_isv.exe
2010-01-25 08:35 . 2010-04-21 03:54   523776   ----a-w-   c:\windows\system32\RMActivate_isv.exe
.

------- Sigcheck -------

[-] 2009-03-30 . 74B6336C7ACC815483C2399BDD53EFCC . 245248 . . [6.0.6000.16386] . . c:\windows\System32\shsvcs.dll
[7] 2008-01-19 . 27F10F348E508243F6254846F8370D0D . 247296 . . [6.0.6001.18000] . . c:\windows\SoftwareDistribution\Download\b2ee164db645e6bc8d77bb51f082e3b3\x86_microsoft-windows-shsvcs_31bf3856ad364e35_6.0.6001.18000_none_cd305d2a1ced96e2\shsvcs.dll
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
2008-09-29 21:24   325000   ----a-w-   c:\program files\AskBarDis\bar\bin\askBar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{3041d03e-fd4b-44e0-b742-2d9b88305f98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-09-29 325000]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{3041D03E-FD4B-44E0-B742-2D9B88305F98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-09-29 325000]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\users\Sean\AppData\Local\Google\Update\GoogleUpdate.exe" [2008-08-29 133104]
"Pando Media Booster"="c:\program files\Pando Networks\Media Booster\PMB.exe" [2009-10-17 2920632]
"cdloader"="c:\users\Sean\AppData\Roaming\mjusbsp\cdloader2.exe" [2009-08-01 50520]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-12-10 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2007-08-23 1006264]
"TPwrMain"="c:\program files\TOSHIBA\Power Saver\TPwrMain.EXE" [2007-03-29 411192]
"HSON"="c:\program files\TOSHIBA\TBS\HSON.exe" [2006-12-07 55416]
"SmoothView"="c:\program files\Toshiba\SmoothView\SmoothView.exe" [2007-06-16 448080]
"00TCrdMain"="c:\program files\TOSHIBA\FlashCards\TCrdMain.exe" [2007-05-22 538744]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-11-24 81000]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-12-17 149280]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-11 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-11-12 141600]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]

c:\users\Kimmy\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
LimeWire On Startup.lnk - c:\program files\LimeWire\LimeWire.exe [2009-12-16 503808]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Mises … jour planifi‚es.lnk - c:\program files\Quicken\bagent.exe [2003-4-18 53248]
M‚mento Quicken.lnk - c:\program files\Quicken\billmind.exe [2003-4-18 36864]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 19:21   548352   ----a-w-   c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux1"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

R2 gupdate1c9c8726becfc2b;Google Update Service (gupdate1c9c8726becfc2b);c:\program files\Google\Update\GoogleUpdate.exe [2009-04-29 133104]
R2 mrtRate;mrtRate;

R3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des [2009-03-15 2804788]
R3 XDva189;XDva189;c:\windows\system32\XDva189.sys

R3 XDva193;XDva193;c:\windows\system32\XDva193.sys

R3 XDva202;XDva202;c:\windows\system32\XDva202.sys

R3 XDva309;XDva309;c:\windows\system32\XDva309.sys

S1 aswSP;avast! Self Protection;

S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2010-02-17 12872]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2010-02-17 66632]
S2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe [2006-11-02 22016]
S2 aswFsBlk;aswFsBlk;c:\windows\system32\DRIVERS\aswFsBlk.sys [2009-11-24 20560]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\DRIVERS\aswMonFlt.sys [2009-11-24 53328]
S3 FwLnk;FwLnk Driver;c:\windows\system32\DRIVERS\FwLnk.sys [2006-11-20 7168]
S3 RTL8187B;Realtek RTL8187B Wireless 802.11g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\DRIVERS\RTL8187B.sys [2007-06-01 252416]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2010-02-17 12872]
S3 SCREAMINGBDRIVER;Screaming Bee Audio;c:\windows\system32\drivers\ScreamingBAudio.sys [2009-04-06 23064]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Akamai   REG_MULTI_SZ      Akamai
.
Contents of the 'Scheduled Tasks' folder

2010-04-22 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-07-10 02:29]

2010-04-22 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-04-29 02:30]

2010-04-22 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-04-29 02:30]

2010-04-22 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3988202556-4294345629-2372359041-1003Core.job
- c:\users\Sean\AppData\Local\Google\Update\GoogleUpdate.exe [2008-07-11 23:46]

2010-04-22 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3988202556-4294345629-2372359041-1003UA.job
- c:\users\Sean\AppData\Local\Google\Update\GoogleUpdate.exe [2008-07-11 23:46]

2010-04-22 c:\windows\Tasks\User_Feed_Synchronization-{D3E6FF0B-1889-4DA0-85D0-4DB5C614576B}.job
- c:\windows\system32\msfeedssync.exe [2010-04-21 11:31]
.
.
------- Supplementary Scan -------
.
mStart Page = hxxp://www.shoptoshiba.ca/welcome
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:5555
DPF: {87A638DE-396F-40FD-A2F8-01B56072F553} - hxxp://download.gemfighter.com/launcher/gemx2.cab
DPF: {BD68328E-1222-4A62-BA16-E6F42CA49A64} - hxxp://gf.wemade.com/comsso/active/WMInstallMgr.cab
FF - ProfilePath - c:\users\Sean\AppData\Roaming\Mozilla\Firefox\Profiles\yq7b81t9.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2260173&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine - MyWebSearch
FF - prefs.js: browser.startup.homepage - hxxp://login.live.com/login.srf?wa=wsignin1.0&rpsnv=11&ct=1265259818&rver=6.0.5285.0&wp=MBI&wreply=http:%2F%2Fmail.live.com%2Fdefault.aspx&lc=1033&id=64855&mkt=en-us
FF - prefs.js: keyword.URL - hxxp://toolbar.ask.com/toolbarv/askRedirect?o=101757&gct=&gc=1&q=
FF - component: c:\users\Sean\AppData\Roaming\Mozilla\Firefox\Profiles\yq7b81t9.default\extensions\{8bdea9d6-6f62-45eb-8ee9-8a81af0d2f94}\components\FFExternalAlert.dll
FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: c:\users\Sean\AppData\Local\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\users\Sean\Program Files\DNA\plugins\npbtdna.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: browser.cache.memory.capacity - 65536
FF - user.js: browser.chrome.favicons - fales
FF - user.js: browser.display.show_image_placeholders - true
FF - user.js: browser.turbo.enabled - true
FF - user.js: browser.urlbar.autocomplete.enabled - true
FF - user.js: browser.urlbar.autofill - true
FF - user.js: browser.xul.error_pages.enabled - true
FF - user.js: content.interrupt.parsing - true
FF - user.js: content.max.tokenizing.time - 3000000
FF - user.js: content.maxtextrun - 8191
FF - user.js: content.notify.backoffcount - 5
FF - user.js: content.notify.interval - 750000
FF - user.js: content.notify.ontimer - true
FF - user.js: content.switch.threshold - 750000
FF - user.js: network.http.max-connections - 32
FF - user.js: network.http.max-connections-per-server - 8
FF - user.js: network.http.max-persistent-connections-per-proxy - 8
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: network.http.pipelining - true
FF - user.js: network.http.pipelining.firstrequest - true
FF - user.js: network.http.pipelining.maxrequests - 8
FF - user.js: network.http.proxy.pipelining - true
FF - user.js: network.http.request.max-start-delay - 0
FF - user.js: nglayout.initialpaint.delay - 0
FF - user.js: plugin.expose_full_path - true
FF - user.js: ui.submenuDelay - 0
.
- - - - ORPHANS REMOVED - - - -

AddRemove-Fraps - c:\users\Sean\Desktop\Fraps\uninstall.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-22 01:57
Windows 6.0.6000  NTFS

scanning hidden processes ... 

scanning hidden autostart entries ...

scanning hidden files ... 


c:\windows\TEMP\TMP0000006CE42FA671EAFB0412 524288 bytes executable

scan completed successfully
hidden files: 1

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2010-04-22  02:02:22
ComboFix-quarantined-files.txt  2010-04-22 06:02

Pre-Run: 45,322,604,544 bytes free
Post-Run: 47,394,820,096 bytes free

- - End Of File - - 73F15F2102F69EBC06AE56A8CCC8FBE8

[Dr Jay]

Please download Malwarebytes Anti-Malware from Malwarebytes.org.
Alternate link: BleepingComputer.com.
(Note: if you already have the program installed, just follow the directions. No need to re-download or re-install!)

Double Click mbam-setup.exe to install the application.

(Note: if you already have the program installed, open Malwarebytes from the Start Menu or Desktop shortcut, click the Update tab, and click Check for Updates, before doing the scan as instructed below!)

• Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
  
• If an update is found, it will download and install the latest version.
• Once the program has loaded, select "Perform Full Scan", then click Scan.
  
• The scan may take some time to finish,so please be patient.
• When the scan is complete, click OK, then Show Results to view the results.
• Make sure that everything is checked, and click Remove Selected.
  
• When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. If you are prompted to restart, please allow it to restart your computer. Failure to do this, will cause the infection to still be active on the computer.
• Please save the log to a location you will remember.
• The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
• The log can also be found at C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt
  
• Copy and paste the entire report in your next reply.

==================

GMER

Note about this tool:

• This program may freeze. Do not reboot the computer, unless it has been frozen for over 30 minutes.
• This program may cause a blue screen of death. If it does, do not scan, and then reply to let me know.
• No matter what is in the log, please post all the information/contents of the log.

Please download the GMER Rootkit Scanner. Unzip it to your Desktop.

Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.

Double-click gmer.exe. The program will begin to run.

**Caution**
These types of scans can produce false positives. Do NOT take any action on any "<--- ROOKIT" entries unless advised!

If possible rootkit activity is found, you will be asked if you would like to perform a full scan.

• Click NO
  
• In the right panel, you will see a bunch of boxes that have been checked ... leave everything checked and ensure the Show all box is un-checked.
  
• Now click the Scan button.

Once the scan is complete, you may receive another notice about rootkit activity.

• Click OK.
• GMER will produce a log. Click on the [Save..] button, and in the File name area, type in "GMER.txt"
  
• Save it where you can easily find it, such as your desktop.

Post the contents of GMER.txt in your next reply.