
Author Topic: Need help - Trojan\Malware problem!!!  (Read 28847 times)


Freddex

    Topic Starter


    Rookie

    Need help - Trojan\Malware problem!!!
    « on: September 16, 2010, 01:03:12 PM »
    Hi guys,

    When my computer got infected I started getting all kinds of popups of fake virus scans wanting to scan my computer.  My AVG detected the viruses but could not get rid of them.  Lucky for me I have another User profile on this computer which still worked pretty well.

    I have already followed the "Read this before requesting malware removal help" procedure which has helped, but now I am getting a RUNDLL error msg when one profile is loaded which states "ERROR LOADING C:\WINDOWS\LEXYPR.DLL      THE SPECIFIED MODULE COULD NOT BE FOUND". 

    When I load my other profile it now says "Windows cannot load the user's profile but has logged you on with the default profile for the system.  DETAIL - The system has attempted to load or restore a file into the registry, but the specified file is not in a registry file format."

    I will post my 3 logs below.  Thanks in advance!!!
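Added example, not part of the thread and not from any tool named in it: the "not in a registry file format" detail in the second profile's error is what Windows reports when the file it tries to mount as a hive does not begin with a valid hive base block. The check below reads only that base block (signature `regf`, the two sequence numbers, and the XOR-32 checksum stored at offset 0x1FC) and classifies the file the way the loader would. It assumes the failing file is the profile's NTUSER.DAT, which the post does not say, and the sample data is constructed in the script rather than taken from the poster's machine.

```python
import struct

REGF_SIGNATURE = b"regf"
BASE_BLOCK_SIZE = 4096        # every hive file starts with a 4 KiB base block
CHECKSUM_OFFSET = 0x1FC       # XOR-32 over the 508 bytes that precede it


def regf_checksum(base_block: bytes) -> int:
    """XOR-32 of the first 127 dwords of the base block, with the two reserved results remapped."""
    x = 0
    for (dword,) in struct.iter_unpack("<I", base_block[:CHECKSUM_OFFSET]):
        x ^= dword
    if x == 0xFFFFFFFF:
        return 0xFFFFFFFE
    if x == 0:
        return 1
    return x


def inspect_hive(data: bytes) -> dict:
    """Classify the start of a hive file the way the loader would: signature, checksum, sequence numbers."""
    report = {"signature_ok": False, "checksum_ok": None, "dirty": None,
              "primary_seq": None, "secondary_seq": None}
    if len(data) < BASE_BLOCK_SIZE or data[:4] != REGF_SIGNATURE:
        # This is the case behind "the specified file is not in a registry file format":
        # whatever sits on disk under the hive's name does not begin with a regf base block.
        return report
    report["signature_ok"] = True
    primary, secondary = struct.unpack_from("<II", data, 4)
    report["primary_seq"], report["secondary_seq"] = primary, secondary
    # Primary is bumped before a write and secondary after it; a mismatch means an interrupted write.
    report["dirty"] = primary != secondary
    stored = struct.unpack_from("<I", data, CHECKSUM_OFFSET)[0]
    report["checksum_ok"] = stored == regf_checksum(data[:BASE_BLOCK_SIZE])
    return report


def inspect_hive_file(path: str) -> dict:
    """Read only the base block, so this is safe to run on a large NTUSER.DAT."""
    with open(path, "rb") as fh:
        return inspect_hive(fh.read(BASE_BLOCK_SIZE))


def make_base_block(primary: int, secondary: int) -> bytes:
    """Constructed sample: a minimal base block with a valid signature and checksum (not a real hive)."""
    block = bytearray(BASE_BLOCK_SIZE)
    block[0:4] = REGF_SIGNATURE
    struct.pack_into("<II", block, 4, primary, secondary)
    struct.pack_into("<II", block, 20, 1, 3)            # major / minor format version
    struct.pack_into("<I", block, CHECKSUM_OFFSET, regf_checksum(bytes(block)))
    return bytes(block)


if __name__ == "__main__":
    print(inspect_hive(make_base_block(7, 7)))                        # clean hive
    print(inspect_hive(make_base_block(8, 7)))                        # interrupted write
    print(inspect_hive(b"MZ" + b"\x00" * (BASE_BLOCK_SIZE - 2)))     # not a hive at all
```

A hive that fails the signature test has been overwritten or truncated and cannot be repaired in place; a hive with `dirty` set but a good signature is the case where the transaction log (`.LOG`) is normally replayed. Run `inspect_hive_file` against the profile's NTUSER.DAT from the working profile or from a boot disk, never from inside the broken profile.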

    Freddex

      Topic Starter


      Rookie

      Re: Need help - Trojan\Malware problem!!!
      « Reply #1 on: September 16, 2010, 01:04:36 PM »
      SUPERAntiSpyware Scan Log
      http://www.superantispyware.com

      Generated 09/14/2010 at 03:28 PM

      Application Version : 4.35.1000

      Core Rules Database Version : 5505
      Trace Rules Database Version: 3317

      Scan type       : Complete Scan
      Total Scan Time : 02:26:06

      Memory items scanned      : 397
      Memory threats detected   : 0
      Registry items scanned    : 5021
      Registry threats detected : 12
      File items scanned        : 46829
      File threats detected     : 35

      Trojan.Agent/Gen-Virut
         [cxwneomsar.tmp] C:\DOCUME~1\FREDDEX\LOCALS~1\TEMP\CXWNEOMSAR.TMP
         C:\DOCUME~1\FREDDEX\LOCALS~1\TEMP\CXWNEOMSAR.TMP
         [lsdefrag] C:\DOCUME~1\FREDDEX\LOCALS~1\TEMP\MWOASNRXEC.TMP
         C:\DOCUME~1\FREDDEX\LOCALS~1\TEMP\MWOASNRXEC.TMP
         C:\DOCUMENTS AND SETTINGS\FREDDEX\LOCAL SETTINGS\TEMP\CXWNEOMSAR.TMP
         C:\DOCUMENTS AND SETTINGS\FREDDEX\LOCAL SETTINGS\TEMP\MWOASNRXEC.TMP

      Adware.IST/SideFind
         HKU\S-1-5-21-1862811806-3646181656-3495054330-1008\Software\Microsoft\Internet Explorer\Explorer Bars\{8CBA1B49-8144-4721-A7B1-64C578C9EED7}

      Adware.Avenue Media/Internet Optimizer
         HKLM\SOFTWARE\Policies\Avenue Media

      Registry Cleaner Trial
         C:\Documents and Settings\sey administrator\Application Data\Registry Cleaner\Backups\2004-11-01,11-00 38 249.zip
         C:\Documents and Settings\sey administrator\Application Data\Registry Cleaner\Backups\2004-11-01,11-03 53 280.zip
         C:\Documents and Settings\sey administrator\Application Data\Registry Cleaner\Backups\2005-01-05,20-31 18 680.zip
         C:\Documents and Settings\sey administrator\Application Data\Registry Cleaner\Backups\2005-01-05,20-33 20 680.zip
         C:\Documents and Settings\sey administrator\Application Data\Registry Cleaner\Backups
         C:\Documents and Settings\sey administrator\Application Data\Registry Cleaner\RegClean.ini
         C:\Documents and Settings\sey administrator\Application Data\Registry Cleaner

      Trojan.Spyware Stormer
         C:\Program Files\Spyware Stormer

      Adware.IST/ISTBar (Slotch Bar)
         HKU\S-1-5-21-1862811806-3646181656-3495054330-1008\Software\Microsoft\Internet Explorer\Main#BandRest [ Never ]
         HKLM\SOFTWARE\Microsoft\Internet Explorer\Main#BandRest [ Never ]

      Trojan.DNS-Changer (Hi-Jacked DNS)
         HKLM\SYSTEM\CONTROLSET001\SERVICES\TCPIP\PARAMETERS\INTERFACES\{6DE38E76-6721-44BE-B4B6-A8A60FA66767}#NAMESERVER
         HKLM\SYSTEM\CONTROLSET003\SERVICES\TCPIP\PARAMETERS\INTERFACES\{6DE38E76-6721-44BE-B4B6-A8A60FA66767}#NAMESERVER
         HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\TCPIP\PARAMETERS\INTERFACES\{6DE38E76-6721-44BE-B4B6-A8A60FA66767}#NAMESERVER
         HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\TCPIP\PARAMETERS#NAMESERVER
         HKLM\SYSTEM\CONTROLSET001\SERVICES\TCPIP\PARAMETERS#NAMESERVER
         HKLM\SYSTEM\CONTROLSET003\SERVICES\TCPIP\PARAMETERS#NAMESERVER

      Malware.Trace
         C:\WINDOWS\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job

      Adware.Tracking Cookie
         C:\Documents and Settings\Freddex\Cookies\[email protected][2].txt
         C:\Documents and Settings\Freddex\Cookies\freddex@adcentriconline[2].txt
         C:\Documents and Settings\Freddex\Cookies\[email protected][1].txt
         C:\Documents and Settings\NetworkService\Cookies\[email protected][1].txt
         C:\Documents and Settings\NetworkService\Cookies\[email protected][2].txt
         C:\Documents and Settings\NetworkService\Cookies\[email protected][2].txt
         C:\Documents and Settings\NetworkService\Cookies\system@advertise[1].txt
         C:\Documents and Settings\NetworkService\Cookies\[email protected][1].txt
         C:\Documents and Settings\NetworkService\Cookies\system@bizzclick[1].txt
         C:\Documents and Settings\NetworkService\Cookies\system@bizzclick[2].txt
         C:\Documents and Settings\NetworkService\Cookies\system@bizzclick[3].txt
         C:\Documents and Settings\NetworkService\Cookies\system@doubleclick[1].txt
         C:\Documents and Settings\NetworkService\Cookies\system@myroitracking[1].txt
         C:\Documents and Settings\NetworkService\Cookies\[email protected][1].txt
         C:\Documents and Settings\NetworkService\Cookies\[email protected][1].txt

      Trojan.Agent/Gen-Frauder
         C:\DOCUMENTS AND SETTINGS\FREDDEX\LOCAL SETTINGS\APPLICATION DATA\6458883002.EXE
         C:\DOCUMENTS AND SETTINGS\FREDDEX\LOCAL SETTINGS\APPLICATION DATA\74511.EXE

      Trojan.Agent/Gen-Falint
         C:\DOCUMENTS AND SETTINGS\FREDDEX\LOCAL SETTINGS\TEMP\105.TMP
         C:\DOCUMENTS AND SETTINGS\FREDDEX\LOCAL SETTINGS\TEMP\106.TMP
         C:\DOCUMENTS AND SETTINGS\FREDDEX\LOCAL SETTINGS\TEMP\108.TMP
         C:\DOCUMENTS AND SETTINGS\FREDDEX\LOCAL SETTINGS\TEMP\10B.TMP

      Trojan.Agent/Gen
         C:\SYSTEM VOLUME INFORMATION\_RESTORE{E759405A-2405-40DD-8B5A-1C3C5A4575E4}\RP3\A0003097.RBF
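Added example, not part of the thread: the Trojan.DNS-Changer entries above are the `NameServer` values under `Tcpip\Parameters` and its per-interface `Interfaces\{GUID}` keys, which is where a static resolver override lives. The script below parses a `reg export` of that key and flags any static `NameServer` address that is not on an allow list. The registry text is constructed here: the interface GUID is the one in the log, but the resolver addresses are RFC 5737 documentation addresses standing in for whatever was written, and 192.168.1.1 stands in for the home router.

```python
import ipaddress
import re

KEY_LINE = re.compile(r"^\[(?P<key>[^\]]+)\]\s*$")
VALUE_LINE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>[^"]*)"\s*$')
TCPIP_PARAMETERS = r"\services\tcpip\parameters"


def parse_reg_export(text: str):
    """Yield (key, value_name, string_data) for REG_SZ values in a .reg export (enough for NameServer)."""
    key = None
    for line in text.splitlines():
        m = KEY_LINE.match(line)
        if m:
            key = m.group("key")
            continue
        m = VALUE_LINE.match(line)
        if m and key is not None:
            yield key, m.group("name"), m.group("data")


def find_rogue_dns(reg_text: str, allowed) -> list:
    """Flag every static NameServer under Tcpip\\Parameters that points outside the allow list.

    NameServer is the static override: when it is set, Windows uses it instead of
    DhcpNameServer for that interface, which is why DNS-changers write it rather than
    touching the DHCP lease. An empty NameServer means "use DHCP" and is the clean state.
    """
    allowed_ips = {ipaddress.ip_address(a) for a in allowed}
    findings = []
    for key, name, data in parse_reg_export(reg_text):
        if TCPIP_PARAMETERS not in key.lower() or name.lower() != "nameserver":
            continue
        for token in re.split(r"[,\s]+", data.strip()):
            if not token:
                continue
            try:
                ip = ipaddress.ip_address(token)
            except ValueError:
                findings.append({"key": key, "address": token, "reason": "not an IP address"})
                continue
            if ip not in allowed_ips:
                findings.append({"key": key, "address": token,
                                 "reason": "static resolver not in allow list"})
    return findings


# Constructed sample exports (not the poster's registry); see the lead-in for what each address stands for.
HIJACKED_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
"NameServer"="203.0.113.10,203.0.113.11"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{6DE38E76-6721-44BE-B4B6-A8A60FA66767}]
"NameServer"="203.0.113.10,203.0.113.11"
"DhcpNameServer"="192.168.1.1"
"""

CLEAN_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
"NameServer"=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{6DE38E76-6721-44BE-B4B6-A8A60FA66767}]
"NameServer"=""
"DhcpNameServer"="192.168.1.1"
"""

if __name__ == "__main__":
    for hit in find_rogue_dns(HIJACKED_EXPORT, allowed={"192.168.1.1"}):
        print(hit["address"], "in", hit["key"], ":", hit["reason"])
    print("clean export:", find_rogue_dns(CLEAN_EXPORT, allowed={"192.168.1.1"}))
```

On a real machine export the key with `reg export HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters tcpip.reg` and open the file with `encoding="utf-16"`, since `reg export` writes UTF-16 with a BOM. The scan log lists the same value under ControlSet001 and ControlSet003 as well as CurrentControlSet; the match on `\services\tcpip\parameters` catches all three.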

      Freddex

        Topic Starter


        Rookie

        Re: Need help - Trojan\Malware problem!!!
        « Reply #2 on: September 16, 2010, 01:05:29 PM »
        Malwarebytes' Anti-Malware 1.46
        www.malwarebytes.org

        Database version: 4621

        Windows 5.1.2600 Service Pack 2
        Internet Explorer 8.0.6001.18702

        9/15/2010 8:58:46 PM
        mbam-log-2010-09-15 (20-58-46).txt

        Scan type: Quick scan
        Objects scanned: 165488
        Time elapsed: 23 minute(s), 56 second(s)

        Memory Processes Infected: 0
        Memory Modules Infected: 0
        Registry Keys Infected: 1
        Registry Values Infected: 2
        Registry Data Items Infected: 0
        Folders Infected: 1
        Files Infected: 114

        Memory Processes Infected:
        (No malicious items detected)

        Memory Modules Infected:
        (No malicious items detected)

        Registry Keys Infected:
        HKEY_CLASSES_ROOT\CLSID\{700016cf-23e4-16cb-9f2e-730a000091e1} (Rogue.SpywareNukerXT) -> Quarantined and deleted successfully.

        Registry Values Infected:
        HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Extensions\CmdMapping\{10e42047-deb9-4535-a118-b3f6ec39b807} (Adware.ISTBar) -> Quarantined and deleted successfully.
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\59t4 (Trojan.Downloader) -> Quarantined and deleted successfully.

        Registry Data Items Infected:
        (No malicious items detected)

        Folders Infected:
        C:\WINDOWS\system32\AdCache (AdWare.Cydoor) -> Quarantined and deleted successfully.

        Files Infected:
        C:\WINDOWS\system32\spool\prtprocs\w32x86\793mY9c.dll (Trojan.FraudPack) -> Quarantined and deleted successfully.
        C:\WINDOWS\system32\spool\prtprocs\w32x86\7aAA7k3.dll (Trojan.FraudPack) -> Quarantined and deleted successfully.
        C:\WINDOWS\lexypr.dll (Trojan.Hiloti) -> Quarantined and deleted successfully.
        C:\WINDOWS\system32\AdCache\B_338_0_1_630700.htm (AdWare.Cydoor) -> Quarantined and deleted successfully.
        C:\WINDOWS\system32\AdCache\B_338_0_1_630800.htm (AdWare.Cydoor) -> Quarantined and deleted successfully.
        C:\WINDOWS\system32\AdCache\B_338_0_1_630900.htm (AdWare.Cydoor) -> Quarantined and deleted successfully.
        C:\WINDOWS\system32\AdCache\B_338_0_1_631100.htm (AdWare.Cydoor) -> Quarantined and deleted successfully.
        C:\WINDOWS\system32\AdCache\B_338_0_2_506200.htm (AdWare.Cydoor) -> Quarantined and deleted successfully.
        C:\WINDOWS\system32\AdCache\B_338_0_2_514100.htm (AdWare.Cydoor) -> Quarantined and deleted successfully.
        C:\WINDOWS\system32\AdCache\B_338_0_2_570000.gif (AdWare.Cydoor) -> Quarantined and deleted successfully.
        C:\WINDOWS\system32\AdCache\B_338_0_2_571600.gif (AdWare.Cydoor) -> Quarantined and deleted successfully.
        C:\WINDOWS\system32\AdCache\B_338_0_3_192700.gif (AdWare.Cydoor) -> Quarantined and deleted successfully.
        C:\WINDOWS\system32\AdCache\B_338_0_3_192800.gif (AdWare.Cydoor) -> Quarantined and deleted successfully.
        C:\WINDOWS\system32\AdCache\B_338_0_3_192900.gif (AdWare.Cydoor) -> Quarantined and deleted successfully.
        C:\WINDOWS\system32\AdCache\B_338_0_3_298400.gif (AdWare.Cydoor) -> Quarantined and deleted successfully.
        C:\WINDOWS\system32\AdCache\B_338_0_3_612800.htm (AdWare.Cydoor) -> Quarantined and deleted successfully.
        C:\WINDOWS\system32\AdCache\B_338_0_3_613000.htm (AdWare.Cydoor) -> Quarantined and deleted successfully.
        C:\WINDOWS\system32\AdCache\B_338_0_3_614100.htm (AdWare.Cydoor) -> Quarantined and deleted successfully.
        C:\WINDOWS\system32\AdCache\B_338_0_3_626200.htm (AdWare.Cydoor) -> Quarantined and deleted successfully.
        C:\WINDOWS\system32\AdCache\B_338_0_3_628000.htm (AdWare.Cydoor) -> Quarantined and deleted successfully.
        C:\WINDOWS\system32\AdCache\B_338_0_4_235100.gif (AdWare.Cydoor) -> Quarantined and deleted successfully.
        C:\WINDOWS\system32\AdCache\B_338_0_4_252300.htm (AdWare.Cydoor) -> Quarantined and deleted successfully.
        C:\WINDOWS\system32\AdCache\B_338_0_4_252300.swf (AdWare.Cydoor) -> Quarantined and deleted successfully.
        C:\WINDOWS\system32\AdCache\B_338_0_4_252400.htm (AdWare.Cydoor) -> Quarantined and deleted successfully.
        C:\WINDOWS\system32\AdCache\B_338_0_4_252400.swf (AdWare.Cydoor) -> Quarantined and deleted successfully.
        C:\WINDOWS\system32\AdCache\B_338_0_4_252600.htm (AdWare.Cydoor) -> Quarantined and deleted successfully.
        C:\WINDOWS\system32\AdCache\B_338_0_4_252600.swf (AdWare.Cydoor) -> Quarantined and deleted successfully.
        C:\WINDOWS\system32\AdCache\B_338_0_4_252700.htm (AdWare.Cydoor) -> Quarantined and deleted successfully.
        C:\WINDOWS\system32\AdCache\B_338_0_4_252700.swf (AdWare.Cydoor) -> Quarantined and deleted successfully.
        C:\WINDOWS\system32\AdCache\B_338_0_4_252800.htm (AdWare.Cydoor) -> Quarantined and deleted successfully.
        C:\WINDOWS\system32\AdCache\B_338_0_4_252800.swf (AdWare.Cydoor) -> Quarantined and deleted successfully.
        C:\WINDOWS\system32\AdCache\B_338_0_4_253000.htm (AdWare.Cydoor) -> Quarantined and deleted successfully.
        C:\WINDOWS\system32\AdCache\B_338_0_4_253000.swf (AdWare.Cydoor) -> Quarantined and deleted successfully.
        C:\WINDOWS\system32\AdCache\B_338_0_4_253100.htm (AdWare.Cydoor) -> Quarantined and deleted successfully.
        C:\WINDOWS\system32\AdCache\B_338_0_4_253100.swf (AdWare.Cydoor) -> Quarantined and deleted successfully.
        C:\WINDOWS\system32\AdCache\B_338_0_4_309000.gif (AdWare.Cydoor) -> Quarantined and deleted successfully.
        C:\WINDOWS\system32\AdCache\B_338_0_4_311800.htm (AdWare.Cydoor) -> Quarantined and deleted successfully.
        C:\WINDOWS\system32\AdCache\B_338_0_4_311800.swf (AdWare.Cydoor) -> Quarantined and deleted successfully.
        C:\WINDOWS\system32\AdCache\B_338_0_4_317200.htm (AdWare.Cydoor) -> Quarantined and deleted successfully.
        C:\WINDOWS\system32\AdCache\B_338_0_4_317200.swf (AdWare.Cydoor) -> Quarantined and deleted successfully.
        C:\WINDOWS\system32\AdCache\B_338_0_4_322400.htm (AdWare.Cydoor) -> Quarantined and deleted successfully.
        C:\WINDOWS\system32\AdCache\B_338_0_4_322400.swf (AdWare.Cydoor) -> Quarantined and deleted successfully.
        C:\WINDOWS\system32\AdCache\B_338_0_4_322500.htm (AdWare.Cydoor) -> Quarantined and deleted successfully.
        C:\WINDOWS\system32\AdCache\B_338_0_4_322500.swf (AdWare.Cydoor) -> Quarantined and deleted successfully.
        C:\WINDOWS\system32\AdCache\B_338_0_4_323500.gif (AdWare.Cydoor) -> Quarantined and deleted successfully.
        C:\WINDOWS\system32\AdCache\B_338_0_4_344200.gif (AdWare.Cydoor) -> Quarantined and deleted successfully.
        C:\WINDOWS\system32\AdCache\B_338_0_4_344300.gif (AdWare.Cydoor) -> Quarantined and deleted successfully.
        C:\WINDOWS\system32\AdCache\B_338_0_4_344400.gif (AdWare.Cydoor) -> Quarantined and deleted successfully.
        C:\WINDOWS\system32\AdCache\B_338_0_4_344500.gif (AdWare.Cydoor) -> Quarantined and deleted successfully.
        C:\WINDOWS\system32\AdCache\B_338_0_4_344600.gif (AdWare.Cydoor) -> Quarantined and deleted successfully.
        C:\WINDOWS\system32\AdCache\B_338_0_4_344700.gif (AdWare.Cydoor) -> Quarantined and deleted successfully.
        C:\WINDOWS\system32\AdCache\B_338_0_4_356100.htm (AdWare.Cydoor) -> Quarantined and deleted successfully.
        C:\WINDOWS\system32\AdCache\B_338_0_4_356100.swf (AdWare.Cydoor) -> Quarantined and deleted successfully.
        C:\WINDOWS\system32\AdCache\B_338_0_4_356200.htm (AdWare.Cydoor) -> Quarantined and deleted successfully.
        C:\WINDOWS\system32\AdCache\B_338_0_4_356200.swf (AdWare.Cydoor) -> Quarantined and deleted successfully.
        C:\WINDOWS\system32\AdCache\B_338_0_4_378600.gif (AdWare.Cydoor) -> Quarantined and deleted successfully.
        C:\WINDOWS\system32\AdCache\B_338_0_4_379200.gif (AdWare.Cydoor) -> Quarantined and deleted successfully.
        C:\WINDOWS\system32\AdCache\B_338_0_4_379300.gif (AdWare.Cydoor) -> Quarantined and deleted successfully.
        C:\WINDOWS\system32\AdCache\B_338_0_4_379400.gif (AdWare.Cydoor) -> Quarantined and deleted successfully.
        C:\WINDOWS\system32\AdCache\B_338_0_4_379500.gif (AdWare.Cydoor) -> Quarantined and deleted successfully.
        C:\WINDOWS\system32\AdCache\B_338_0_4_379600.gif (AdWare.Cydoor) -> Quarantined and deleted successfully.
        C:\WINDOWS\system32\AdCache\B_338_0_4_379700.gif (AdWare.Cydoor) -> Quarantined and deleted successfully.
        C:\WINDOWS\system32\AdCache\B_338_0_4_397500.gif (AdWare.Cydoor) -> Quarantined and deleted successfully.
        C:\WINDOWS\system32\AdCache\B_338_0_4_397600.gif (AdWare.Cydoor) -> Quarantined and deleted successfully.
        C:\WINDOWS\system32\AdCache\B_338_0_4_397700.gif (AdWare.Cydoor) -> Quarantined and deleted successfully.
        C:\WINDOWS\system32\AdCache\B_338_0_4_596200.htm (AdWare.Cydoor) -> Quarantined and deleted successfully.
        C:\WINDOWS\system32\AdCache\B_338_0_4_596200.swf (AdWare.Cydoor) -> Quarantined and deleted successfully.
        C:\WINDOWS\system32\AdCache\B_338_0_4_630000.gif (AdWare.Cydoor) -> Quarantined and deleted successfully.
        C:\WINDOWS\system32\AdCache\B_338_2_0_329000.gif (AdWare.Cydoor) -> Quarantined and deleted successfully.
        C:\WINDOWS\system32\AdCache\B_338_2_0_329000.htm (AdWare.Cydoor) -> Quarantined and deleted successfully.
        C:\WINDOWS\system32\AdCache\B_338_2_0_330800.gif (AdWare.Cydoor) -> Quarantined and deleted successfully.
        C:\WINDOWS\system32\AdCache\B_338_2_0_330800.htm (AdWare.Cydoor) -> Quarantined and deleted successfully.
        C:\WINDOWS\system32\AdCache\B_338_2_0_373600.gif (AdWare.Cydoor) -> Quarantined and deleted successfully.
        C:\WINDOWS\system32\AdCache\B_338_2_0_373600.htm (AdWare.Cydoor) -> Quarantined and deleted successfully.
        C:\WINDOWS\system32\AdCache\B_338_2_1_324400.htm (AdWare.Cydoor) -> Quarantined and deleted successfully.
        C:\WINDOWS\system32\AdCache\B_338_2_1_324400.jpg (AdWare.Cydoor) -> Quarantined and deleted successfully.
        C:\WINDOWS\system32\AdCache\B_338_2_1_324600.gif (AdWare.Cydoor) -> Quarantined and deleted successfully.
        C:\WINDOWS\system32\AdCache\B_338_2_1_324600.htm (AdWare.Cydoor) -> Quarantined and deleted successfully.
        C:\WINDOWS\system32\AdCache\B_338_2_1_371500.htm (AdWare.Cydoor) -> Quarantined and deleted successfully.
        C:\WINDOWS\system32\AdCache\B_338_2_1_371800.htm (AdWare.Cydoor) -> Quarantined and deleted successfully.
        C:\WINDOWS\system32\AdCache\B_338_2_1_371900.htm (AdWare.Cydoor) -> Quarantined and deleted successfully.
        C:\WINDOWS\system32\AdCache\B_338_2_1_373600.gif (AdWare.Cydoor) -> Quarantined and deleted successfully.
        C:\WINDOWS\system32\AdCache\B_338_2_1_373600.htm (AdWare.Cydoor) -> Quarantined and deleted successfully.
        C:\WINDOWS\system32\AdCache\B_338_2_1_551400.htm (AdWare.Cydoor) -> Quarantined and deleted successfully.
        C:\WINDOWS\system32\AdCache\B_338_2_1_552900.htm (AdWare.Cydoor) -> Quarantined and deleted successfully.
        C:\WINDOWS\system32\AdCache\B_338_2_1_612100.htm (AdWare.Cydoor) -> Quarantined and deleted successfully.
        C:\WINDOWS\system32\AdCache\B_338_2_1_645900.htm (AdWare.Cydoor) -> Quarantined and deleted successfully.
        C:\WINDOWS\system32\AdCache\B_338_2_1_664000.htm (AdWare.Cydoor) -> Quarantined and deleted successfully.
        C:\WINDOWS\system32\AdCache\B_338_2_2_259700.gif (AdWare.Cydoor) -> Quarantined and deleted successfully.
        C:\WINDOWS\system32\AdCache\B_338_2_2_259700.htm (AdWare.Cydoor) -> Quarantined and deleted successfully.
        C:\WINDOWS\system32\AdCache\B_338_2_2_583400.htm (AdWare.Cydoor) -> Quarantined and deleted successfully.
        C:\WINDOWS\system32\AdCache\B_338_2_2_617700.htm (AdWare.Cydoor) -> Quarantined and deleted successfully.
        C:\WINDOWS\system32\AdCache\B_338_2_2_622000.htm (AdWare.Cydoor) -> Quarantined and deleted successfully.
        C:\WINDOWS\system32\AdCache\B_338_2_2_638700.gif (AdWare.Cydoor) -> Quarantined and deleted successfully.
        C:\WINDOWS\system32\AdCache\B_338_2_2_638700.htm (AdWare.Cydoor) -> Quarantined and deleted successfully.
        C:\WINDOWS\system32\AdCache\B_338_2_2_640800.gif (AdWare.Cydoor) -> Quarantined and deleted successfully.
        C:\WINDOWS\system32\AdCache\B_338_2_2_640800.htm (AdWare.Cydoor) -> Quarantined and deleted successfully.
        C:\WINDOWS\system32\AdCache\B_338_2_2_678300.htm (AdWare.Cydoor) -> Quarantined and deleted successfully.
        C:\WINDOWS\system32\AdCache\B_338_2_3_355600.gif (AdWare.Cydoor) -> Quarantined and deleted successfully.
        C:\WINDOWS\system32\AdCache\B_338_2_3_355600.htm (AdWare.Cydoor) -> Quarantined and deleted successfully.
        C:\WINDOWS\system32\AdCache\B_338_2_3_386800.htm (AdWare.Cydoor) -> Quarantined and deleted successfully.
        C:\WINDOWS\system32\AdCache\B_338_2_3_386900.htm (AdWare.Cydoor) -> Quarantined and deleted successfully.
        C:\WINDOWS\system32\AdCache\B_338_2_4_149700.gif (AdWare.Cydoor) -> Quarantined and deleted successfully.
        C:\WINDOWS\system32\AdCache\B_338_2_4_149700.htm (AdWare.Cydoor) -> Quarantined and deleted successfully.
        C:\WINDOWS\system32\AdCache\B_338_2_4_599200.htm (AdWare.Cydoor) -> Quarantined and deleted successfully.
        C:\WINDOWS\system32\AdCache\B_338_2_4_599200.swf (AdWare.Cydoor) -> Quarantined and deleted successfully.
        C:\WINDOWS\system32\AdCache\B_338_2_4_622000.htm (AdWare.Cydoor) -> Quarantined and deleted successfully.
        C:\WINDOWS\system32\AdCache\B_338_2_4_623600.htm (AdWare.Cydoor) -> Quarantined and deleted successfully.
        C:\WINDOWS\system32\AdCache\B_513500.htm (AdWare.Cydoor) -> Quarantined and deleted successfully.
        C:\WINDOWS\system32\AdCache\B_609500.htm (AdWare.Cydoor) -> Quarantined and deleted successfully.
        C:\WINDOWS\system32\AdCache\B_613100.htm (AdWare.Cydoor) -> Quarantined and deleted successfully.
        C:\WINDOWS\system32\AdCache\B_630400.htm (AdWare.Cydoor) -> Quarantined and deleted successfully.
        C:\Documents and Settings\Freddex\Start Menu\Programs\Security Tool.LNK (Rogue.SecurityTool) -> Quarantined and deleted successfully.
        C:\WINDOWS\Tasks\{22116563-108C-42c0-A7CE-60161B75E508}.job (Trojan.Downloader) -> Quarantined and deleted successfully.

        Freddex

          Topic Starter


          Rookie

          Re: Need help - Trojan\Malware problem!!!
          « Reply #3 on: September 16, 2010, 01:06:06 PM »
          Logfile of Trend Micro HijackThis v2.0.2
          Scan saved at 1:58:08 AM, on 9/16/2010
          Platform: Windows XP SP2 (WinNT 5.01.2600)
          MSIE: Internet Explorer v8.00 (8.00.6001.18702)
          Boot mode: Normal

          Running processes:
          C:\WINDOWS\System32\smss.exe
          C:\WINDOWS\system32\winlogon.exe
          C:\WINDOWS\system32\services.exe
          C:\WINDOWS\system32\lsass.exe
          C:\WINDOWS\system32\svchost.exe
          C:\WINDOWS\System32\svchost.exe
          C:\Program Files\AVG\AVG9\avgchsvx.exe
          C:\Program Files\AVG\AVG9\avgrsx.exe
          C:\Program Files\AVG\AVG9\avgcsrvx.exe
          C:\WINDOWS\system32\spoolsv.exe
          C:\Program Files\AVG\AVG9\avgwdsvc.exe
          C:\Program Files\AVG\AVG9\avgfws9.exe
          C:\Program Files\AVG\AVG9\avgnsx.exe
          C:\Program Files\PC Tools Firewall Plus\FWService.exe
          C:\Program Files\Common Files\PC Tools\sMonitor\StartManSvc.exe
          C:\WINDOWS\system32\pctspk.exe
          C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
          C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
          C:\Program Files\AVG\AVG9\avgemc.exe
          C:\Program Files\AVG\AVG9\avgcsrvx.exe
          C:\WINDOWS\Explorer.EXE
          C:\WINDOWS\System32\hkcmd.exe
          C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S09IC1.EXE
          C:\Program Files\PC Tools Firewall Plus\FirewallGUI.exe
          C:\WINDOWS\system32\wuauclt.exe
          C:\WINDOWS\system32\ctfmon.exe
          C:\Program Files\Java\jre6\bin\jqs.exe
          C:\Program Files\Windows Live\Toolbar\wltuser.exe
          C:\Program Files\Internet Explorer\iexplore.exe
          C:\Program Files\Internet Explorer\iexplore.exe
          C:\Program Files\Trend Micro\HijackThis\Sniper.exe

          R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.popupsearches.com/sidesearch.html
          R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
          R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=searchfavweb&c=3c01&lc=0409
          R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = ${URL_SEARCHPAGE}
          R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.conduit.com?SearchSource=10&ctid=CT2077543
          R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
          R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
          R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = ${URL_SEARCHPAGE}
          R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
          R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.live.com/sphome.aspx
          R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
          R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
          R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
          R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
          R3 - URLSearchHook: Download Energy Toolbar - {ad708c09-d51b-45b3-9d28-4eba2681febf} - C:\Program Files\Download_Energy\tbDow0.dll
          O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
          O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
          O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
          O2 - BHO: (no name) - {5BF1C88C-D1BA-CB91-DEE3-D15570960A50} - (no file)
          O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
          O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
          O2 - BHO: (no name) - {68378ECE-15E1-5C8B-C455-6B27BBABB3B5} - (no file)
          O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
          O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
          O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
          O2 - BHO: Download Energy Toolbar - {ad708c09-d51b-45b3-9d28-4eba2681febf} - C:\Program Files\Download_Energy\tbDow0.dll
          O2 - BHO:   - {BB80BF29-74E0-4D71-81D5-051CE6FB0779} - (no file)
          O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
          O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
          O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
          O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\YTSingleInstance.dll
          O3 - Toolbar: Search - {46F480C6-E57A-F3CC-02F6-288F099A705B} - (no file)
          O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
          O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
          O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
          O3 - Toolbar: Download Energy Toolbar - {ad708c09-d51b-45b3-9d28-4eba2681febf} - C:\Program Files\Download_Energy\tbDow0.dll
          O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
          O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
          O4 - HKLM\..\Run: [WCOLOREAL] "C:\Program Files\COMPAQ\Coloreal\coloreal.exe"
          O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
          O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
          O4 - HKLM\..\Run: [EPSON Stylus C44 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S09IC1.EXE /P23 "EPSON Stylus C44 Series" /O6 "USB001" /M "Stylus C44"
          O4 - HKLM\..\Run: [q72g3sX] wexc16gt.exe
          O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask             .exe" -atboottime
          O4 - HKLM\..\Run: [Jfarorerewe] rundll32.exe "C:\WINDOWS\icehiqijoyiqopa.dll",Startup
          O4 - HKLM\..\Run: [00PCTFW] "C:\Program Files\PC Tools Firewall Plus\FirewallGUI.exe" -s
          O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
          O4 - HKCU\..\Run: [bwtmRibtX] winodemx.exe
          O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr .exe" /background
          O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
          O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
          O4 - HKCU\..\Run: [Advanced SystemCare 3] "C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe" /startup
          O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
          O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
          O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Companion\Modules\messmod2\v4\yhexbmes.dll
          O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Companion\Modules\messmod2\v4\yhexbmes.dll
          O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
          O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
          O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
          O9 - Extra button: Support - {CB2A1F6B-23BB-4FAE-9B90-318D7028C88E} - C:\WINDOWS\System32\shdocvw.dll (HKCU)
          O14 - IERESET.INF: START_PAGE_URL=http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=3c01&lc=0409
          O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
          O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
          O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
          O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
          O23 - Service: AVG E-mail Scanner (avg9emc) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgemc.exe
          O23 - Service: AVG WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
          O23 - Service: AVG Firewall (avgfws9) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgfws9.exe
          O23 - Service: AVG9IDSAgent (AVGIDSAgent) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\Identity Protection\Agent\Bin\AVGIDSAgent.exe
          O23 - Service: Compaq Advisor (Compaq_RBA) - NeoPlanet - C:\Program Files\Compaq\Compaq Advisor\bin\compaq-rba.exe
          O23 - Service: Google Update Service (gupdate1cacadbef3afef0) (gupdate1cacadbef3afef0) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
          O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
          O23 - Service: PC Tools Firewall Plus (PCToolsFirewallPlus) - PC Tools - C:\Program Files\PC Tools Firewall Plus\FWService.exe
          O23 - Service: PC Tools Startup and Shutdown Monitor service (PCToolsSSDMonitorSvc) - PC Tools - C:\Program Files\Common Files\PC Tools\sMonitor\StartManSvc.exe
          O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
          O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

          --
          End of file - 10000 bytes

          SuperDave

          Re: Need help - Trojan\Malware problem!!!
          « Reply #4 on: September 17, 2010, 12:32:23 PM »
          Hello and welcome to Computer Hope Forum. My name is Dave. I will be helping you out with your particular problem on your computer. I am working under the guidance of one of the specialists of this forum so it may take a bit longer to process your logs.

          1. I will be working on your Malware issues. This may or may not solve other issues you have with your machine.
          2. The fixes are specific to your problem and should only be used for this issue on this machine.
          3. If you don't know or understand something, please don't hesitate to ask.
          4. Please DO NOT run any other tools or scans while I am helping you.
          5. It is important that you reply to this thread. Do not start a new topic.
          6. Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
          7. Absence of symptoms does not mean that everything is clear.

          Please go to Jotti's malware scan
          (If more than one file needs to be scanned, they must be done separately and links posted for each one)

          * Copy the file path in the below Code box:

          C:\WINDOWS\System32\shdocvw.dll

          * At the upload site, click once inside the window next to Browse.
          * Press Ctrl+V on the keyboard (both at the same time) to paste the file path into the window.
          * Next click Submit file
          * Your file will possibly be entered into a queue which normally takes less than a minute to clear.
          * This will perform a scan across multiple different virus scanning engines.
          * Important: Wait for all of the scanning engines to complete.
          * Once the scan is finished, Copy and then Paste the link in the address bar into your next reply.
          *******************************
          Open HijackThis and select Do a system scan only

          Place a check mark next to the following entries: (if there)

          R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.popupsearches.com/sidesearch.html
          R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
          O2 - BHO: (no name) - {5BF1C88C-D1BA-CB91-DEE3-D15570960A50} - (no file)
          O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
          O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
          O2 - BHO: (no name) - {68378ECE-15E1-5C8B-C455-6B27BBABB3B5} - (no file)
          O2 - BHO:   - {BB80BF29-74E0-4D71-81D5-051CE6FB0779} - (no file)
          O3 - Toolbar: Search - {46F480C6-E57A-F3CC-02F6-288F099A705B} - (no file)
          O4 - HKLM\..\Run: [q72g3sX] wexc16gt.exe
          O4 - HKLM\..\Run: [Jfarorerewe] rundll32.exe "C:\WINDOWS\icehiqijoyiqopa.dll",Startup
          O4 - HKCU\..\Run: [bwtmRibtX] winodemx.exe
          O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
          O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
          O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)


          Important: Close all open windows except for HijackThis and then click Fix checked.

          Once completed, exit HijackThis.

          ***********************************
          Please download ComboFix from BleepingComputer.com

          Alternate link: GeeksToGo.com

          Rename ComboFix.exe to commy.exe before you save it to your Desktop
          Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. A guide to do this can be found here
          Click Start>Run then copy paste the following command into the Run box & click OK "%userprofile%\desktop\commy.exe" /stepdel
          As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
          Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

          Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

          Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


          Click on Yes, to continue scanning for malware.
          When finished, it shall produce a log for you.  Please include the contents of C:\ComboFix.txt in your next reply.

          If you have problems with ComboFix usage, see How to use ComboFix

          ***********************************
          Download Security Check by screen317 from one of the following links and save it to your desktop.

          Link 1
          Link 2

          * Unzip SecurityCheck.zip and a folder named Security Check should appear.
          * Open the Security Check folder and double-click Security Check.bat
          * Follow the on-screen instructions inside of the black box.
          * A Notepad document should open automatically called checkup.txt
          * Post the contents of that document in your next reply.

          Note: If a security program requests permission from dig.exe to access the Internet, allow it to do so.
          Windows 8 and Windows 10 dual boot with two SSD's
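The fix list above is the helper's manual judgement. As an added example (not code from the thread, from HijackThis or from ComboFix), here is that same triage written as Python heuristics run over lines copied from this thread's HijackThis log, plus one constructed benign Run entry as a control; the regexes, heuristics and trusted-domain list are my assumptions.

```python
import re
from urllib.parse import urlparse

# Constructed sample: lines copied from this thread's HijackThis log (entries the
# helper asked to fix, plus benign AVG / SUPERAntiSpyware entries) and one made-up
# benign Run entry with a full path as a control.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.popupsearches.com/sidesearch.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
O2 - BHO: (no name) - {5BF1C88C-D1BA-CB91-DEE3-D15570960A50} - (no file)
O3 - Toolbar: Search - {46F480C6-E57A-F3CC-02F6-288F099A705B} - (no file)
O4 - HKLM\..\Run: [q72g3sX] wexc16gt.exe
O4 - HKLM\..\Run: [Jfarorerewe] rundll32.exe "C:\WINDOWS\icehiqijoyiqopa.dll",Startup
O4 - HKCU\..\Run: [bwtmRibtX] winodemx.exe
O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AVG WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
"""

# "<section> - <body>", e.g. "O4 - HKLM\..\Run: [name] command"   (assumed format)
LINE_RE = re.compile(r"^(?P<sec>[RFO]\d+) - (?P<body>.+)$")
RUN_RE = re.compile(r"^HK[A-Z]+\\\.\.\\Run(?:Once)?: \[(?P<name>[^\]]*)\] ?(?P<cmd>.*)$")
# A DLL sitting directly in the Windows root (not in a subfolder such as system32).
WINROOT_DLL_RE = re.compile(r"^[a-z]:\\windows\\[^\\]+\.dll$", re.IGNORECASE)
# Hosts accepted as vendor defaults for IE start/search pages (assumed allowlist).
TRUSTED_HOST_SUFFIXES = ("microsoft.com", "msn.com", "live.com")


def first_token(cmd):
    """Return the executable part of a Run command, honouring a quoted path."""
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def triage_line(line):
    """Return a reason to fix this HijackThis line, or None if it looks benign."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    sec, body = m.group("sec"), m.group("body")

    # 1. Orphaned entries: the registry still references a file that is gone.
    if body.endswith("(no file)") or body.endswith("(file missing)"):
        return "orphaned entry: target file is missing"

    # 2. R0/R1 start or search page pointing away from the vendor defaults.
    if sec.startswith("R") and " = " in body:
        parsed = urlparse(body.split(" = ", 1)[1].strip())
        host = parsed.hostname or ""
        if parsed.scheme in ("http", "https") and not host.endswith(TRUSTED_HOST_SUFFIXES):
            return "search/start page hijack: %s" % host

    # 3. Run keys: rundll32 loading a DLL dropped in the Windows root, or a bare
    #    file name with no path (resolved through the search order at logon).
    if sec == "O4":
        r = RUN_RE.match(body)
        if r:
            cmd = r.group("cmd").strip()
            exe = first_token(cmd)
            if exe.lower() in ("rundll32.exe", "rundll32"):
                rest = cmd[len(exe) + (2 if cmd.startswith('"') else 0):].strip()
                dll = rest.split(",", 1)[0].strip().strip('"')
                if WINROOT_DLL_RE.match(dll):
                    return "rundll32 loads a DLL from the Windows root: %s" % dll
            elif exe.lower().endswith(".exe") and "\\" not in exe and ":" not in exe:
                return "Run entry launches a bare file name with no path: %s" % exe
    return None


def triage(log_text):
    """Return [(line, reason)] for every line of a HijackThis log worth fixing."""
    hits = []
    for line in log_text.splitlines():
        reason = triage_line(line)
        if reason:
            hits.append((line.strip(), reason))
    return hits


if __name__ == "__main__":
    for flagged, why in triage(SAMPLE_LOG):
        print("%-40s <- %s" % (why, flagged))
```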

          Freddex


            Re: Need help - Trojan\Malware problem!!!
            « Reply #5 on: September 17, 2010, 10:19:36 PM »
            Hi Dave,

            Thanks for your reply.  Here's the Jotti scan link.

            http://virusscan.jotti.org/en/scanresult/ce6d6f861cf8a4ab40b8be79a534c7f69c61848d

            Freddex


              Re: Need help - Trojan\Malware problem!!!
              « Reply #6 on: September 18, 2010, 12:18:02 AM »
              Dave,

              I have AVG 9.0 and I have deactivated the Link Scanner, Resident Shield, and Email Scanner (not fully functional) as per the instructions you provided but I'm still getting the warning from ComboFix that AVG is active.  So I have not yet run the ComboFix because of this message.  Please let me know how I should proceed.

              Tks,
              Fred

              SuperDave

              Re: Need help - Trojan\Malware problem!!!
              « Reply #7 on: September 18, 2010, 01:32:19 PM »
              The Resident Shield is the main component of AVG. Go ahead and run the scan.
              Windows 8 and Windows 10 dual boot with two SSD's

              Freddex


                Re: Need help - Trojan\Malware problem!!!
                « Reply #8 on: September 22, 2010, 05:02:07 PM »
                Hi Dave,
                I have followed the steps you gave me so here are my logs.

                Tks,
                Fred

                Freddex


                  Re: Need help - Trojan\Malware problem!!!
                  « Reply #9 on: September 22, 2010, 05:04:06 PM »
                  ComboFix 10-09-20.02 - sey administrator 09/21/2010   0:44.1.1 - x86
                  Microsoft Windows XP Home Edition  5.1.2600.2.1252.1.1033.18.510.198 [GMT -4:00]
                  Running from: c:\documents and settings\sey administrator\desktop\commy.exe
                  Command switches used :: /stepdel
                  AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
                  FW: PC Tools Firewall Plus *disabled* {ABBD5028-5A95-4B6D-996E-98D64AE88D52}
                  FW: ZoneAlarm Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
                  .
                  PEV Error: AppFolder

                  (((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
                  .

                  c:\documents and settings\Freddex\.COMMgr
                  c:\documents and settings\Freddex\Local Settings\Application Data\{3A003BEE-46AE-4397-805A-7F9373466871}
                  c:\documents and settings\sey administrator\Local Settings\Application Data\{9F932E84-ECFC-4D16-976D-3A3B4AEB3EF8}
                  c:\program files\CxtPls
                  c:\windows\desktop
                  c:\documents and settings\All Users\Documents\Server\admin.txt
                  c:\documents and settings\Freddex\Local Settings\Application Data\{3A003BEE-46AE-4397-805A-7F9373466871}\chrome.manifest
                  c:\documents and settings\Freddex\Local Settings\Application Data\{3A003BEE-46AE-4397-805A-7F9373466871}\chrome\content\_cfg.js
                  c:\documents and settings\Freddex\Local Settings\Application Data\{3A003BEE-46AE-4397-805A-7F9373466871}\chrome\content\overlay.xul
                  c:\documents and settings\Freddex\Local Settings\Application Data\{3A003BEE-46AE-4397-805A-7F9373466871}\install.rdf
                  c:\documents and settings\sey administrator\Local Settings\Application Data\{9F932E84-ECFC-4D16-976D-3A3B4AEB3EF8}\chrome.manifest
                  c:\documents and settings\sey administrator\Local Settings\Application Data\{9F932E84-ECFC-4D16-976D-3A3B4AEB3EF8}\chrome\content\_cfg.js
                  c:\documents and settings\sey administrator\Local Settings\Application Data\{9F932E84-ECFC-4D16-976D-3A3B4AEB3EF8}\chrome\content\overlay.xul
                  c:\documents and settings\sey administrator\Local Settings\Application Data\{9F932E84-ECFC-4D16-976D-3A3B4AEB3EF8}\install.rdf
                  c:\program files\INSTALL.LOG
                  c:\program files\Internet Explorer\complete.dat
                  c:\program files\Internet Explorer\dmlconf.dat
                  c:\program files\Microsoft\DesktopLayer.exe
                  c:\windows\desktop\Compaq Knowledge Center.lnk
                  c:\windows\icehiqijoyiqopa.dll
                  c:\windows\system32\instsrv.exe
                  c:\windows\system32\O.BAT

                  Infected copy of c:\windows\system32\drivers\avgtdix.sys was found and disinfected
                  Restored copy from - Kitty had a snack :p
                  Infected copy of c:\windows\system32\winlogon.exe was found and disinfected
                  Restored copy from - c:\windows\ServicePackFiles\i386\winlogon.exe

                  Infected copy of c:\windows\explorer.exe was found and disinfected
                  Restored copy from - c:\windows\ServicePackFiles\i386\explorer.exe

                  .
                  (((((((((((((((((((((((((   Files Created from 2010-08-21 to 2010-09-21  )))))))))))))))))))))))))))))))
                  .

                  2010-09-20 20:14 . 2010-09-21 04:58   --------   d-----w-   c:\program files\sys231
                  2010-09-18 06:16 . 2010-09-18 06:16   --------   d-----w-   c:\documents and settings\sey administrator\Application Data\AVG9
                  2010-09-16 17:03 . 2010-09-16 17:04   --------   d-----w-   c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
                  2010-09-16 05:52 . 2010-09-16 05:52   --------   d-----w-   c:\program files\Trend Micro
                  2010-09-16 04:44 . 2010-07-17 09:00   423656   ----a-w-   c:\windows\system32\deployJava1.dll
                  2010-09-15 18:04 . 2010-09-15 18:04   --------   d-----w-   c:\documents and settings\sey administrator\Application Data\Malwarebytes
                  2010-09-15 18:03 . 2010-04-29 19:39   38224   ----a-w-   c:\windows\system32\drivers\mbamswissarmy.sys
                  2010-09-15 18:03 . 2010-09-15 18:03   --------   d-----w-   c:\documents and settings\All Users\Application Data\Malwarebytes
                  2010-09-15 18:02 . 2010-04-29 19:39   20952   ----a-w-   c:\windows\system32\drivers\mbam.sys
                  2010-09-15 18:02 . 2010-09-15 18:04   --------   d-----w-   c:\program files\Malwarebytes' Anti-Malware
                  2010-09-15 04:49 . 2010-09-15 04:49   --------   d-----w-   c:\documents and settings\Freddex\Application Data\PCToolsFirewallPlus
                  2010-09-14 16:25 . 2010-09-20 20:40   95744   ----a-w-   c:\documents and settings\sey administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
                  2010-09-14 16:25 . 2010-09-20 20:40   161280   ----a-w-   c:\documents and settings\sey administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
                  2010-09-14 16:24 . 2010-09-14 16:24   --------   d-----w-   c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
                  2010-09-14 16:24 . 2010-09-14 16:24   --------   d-----w-   c:\program files\SUPERAntiSpyware
                  2010-09-14 16:24 . 2010-09-14 16:24   --------   d-----w-   c:\documents and settings\sey administrator\Application Data\SUPERAntiSpyware.com
                  2010-09-14 16:20 . 2010-09-14 16:20   --------   d-----w-   c:\program files\Common Files\Wise Installation Wizard
                  2010-09-14 15:58 . 2010-09-14 15:58   --------   d-----w-   c:\program files\CCleaner
                  2010-09-14 15:45 . 2010-09-14 15:46   --------   d-----w-   c:\documents and settings\sey administrator\Application Data\PCToolsFirewallPlus
                  2010-09-14 15:41 . 2009-11-23 17:54   88040   ----a-w-   c:\windows\system32\drivers\PCTAppEvent.sys
                  2010-09-14 15:41 . 2009-11-09 15:20   207792   ----a-w-   c:\windows\system32\drivers\PCTCore.sys
                  2010-09-14 15:41 . 2010-01-07 16:40   233136   ----a-w-   c:\windows\system32\drivers\pctgntdi.sys
                  2010-09-14 15:40 . 2010-01-12 13:34   70664   ----a-w-   c:\windows\system32\drivers\pctNdis-PacketFilter.sys
                  2010-09-14 15:40 . 2010-01-07 15:35   58816   ----a-w-   c:\windows\system32\drivers\pctNdis.sys
                  2010-09-14 15:40 . 2010-01-07 15:35   32680   ----a-w-   c:\windows\system32\drivers\pctNdis-DNS.sys
                  2010-09-14 15:40 . 2010-01-13 12:59   115216   ----a-w-   c:\windows\system32\drivers\pctplfw.sys
                  2010-09-14 15:40 . 2010-09-16 05:41   --------   d-----w-   c:\program files\PC Tools Firewall Plus
                  2010-09-11 21:36 . 2010-09-11 21:36   --------   d-sh--w-   c:\documents and settings\NetworkService\IETldCache
                  2010-09-11 21:22 . 2010-09-21 04:01   0   ----a-w-   c:\windows\Tfiko.bin
                  2010-09-11 21:22 . 2010-09-21 02:45   120   ----a-w-   c:\windows\Qwavifetahefozu.dat
                  2010-09-11 21:16 . 2010-09-13 17:46   --------   d-----w-   c:\documents and settings\Freddex\Application Data\C48C287A5F27A887A3E6CDBB287BDE57
                  2010-09-04 18:14 . 2010-09-04 22:37   --------   d-----w-   c:\documents and settings\Freddex\Application Data\FileZilla
                  2010-09-04 18:13 . 2010-09-16 05:54   --------   d-----w-   c:\program files\Filezilla 3.3.2.1
                  2010-08-31 00:39 . 2010-08-31 00:39   --------   d-----w-   c:\documents and settings\sey administrator\Application Data\IObit

                  .
                  ((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
                  .
                  2010-09-21 05:02 . 2009-11-10 22:50   --------   d-----w-   c:\documents and settings\sey administrator\Application Data\Gymu
                  2010-09-21 05:01 . 2010-01-05 23:15   --------   d---a-w-   c:\documents and settings\All Users\Application Data\TEMP
                  2010-09-21 05:01 . 2010-02-21 18:58   --------   d-----w-   c:\program files\QuickTime
                  2010-09-21 04:58 . 2010-01-01 16:11   --------   d-----w-   c:\program files\Microsoft
                  2010-09-20 20:40 . 2010-03-31 20:32   393216   ----a-w-   c:\documents and settings\sey administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-501e625d-n\msvcr71.dll
                  2010-09-20 20:40 . 2010-05-28 16:56   393216   ----a-w-   c:\documents and settings\sey administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-367bd4db-n\msvcr71.dll
                  2010-09-20 20:39 . 2010-08-09 00:56   393216   ----a-w-   c:\documents and settings\sey administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-61f91632-n\msvcr71.dll
                  2010-09-20 20:30 . 2010-03-23 23:46   393216   ----a-w-   c:\documents and settings\Freddex\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-34777ea4-n\msvcr71.dll
                  2010-09-20 20:30 . 2010-05-25 23:18   393216   ----a-w-   c:\documents and settings\Freddex\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-47f9ff1d-n\msvcr71.dll
                  2010-09-20 20:29 . 2010-08-03 02:18   393216   ----a-w-   c:\documents and settings\Freddex\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-7c91b2a5-n\msvcr71.dll
                  2010-09-16 16:29 . 2010-03-23 22:54   --------   d-----w-   c:\program files\DivX
                  2010-09-16 16:29 . 2010-02-21 21:01   --------   d-----w-   c:\program files\LimeWire Music
                  2010-09-16 05:54 . 2001-09-19 06:51   --------   d-----w-   c:\program files\Microsoft Works
                  2010-09-16 04:44 . 2010-03-23 23:42   --------   d-----w-   c:\program files\Java
                  2010-09-14 15:41 . 2010-01-05 23:15   --------   d-----w-   c:\program files\Common Files\PC Tools
                  2010-09-14 15:04 . 2010-02-21 21:02   --------   d-----w-   c:\program files\ToggleEN
                  2010-09-14 14:13 . 2010-05-29 21:46   --------   d-----w-   c:\documents and settings\sey administrator\Application Data\Skype
                  2010-09-14 14:02 . 2010-09-13 15:55   112   ----a-w-   c:\documents and settings\All Users\Application Data\r5NCJ5GrW.dat
                  2010-09-11 20:32 . 2010-04-14 21:49   --------   d-----w-   c:\documents and settings\Freddex\Application Data\uTorrent
                  2010-09-11 16:49 . 2010-07-01 19:46   --------   d-----w-   c:\documents and settings\Freddex\Application Data\LimeWire Music
                  2010-09-05 14:20 . 2010-01-01 16:20   --------   d-----w-   c:\program files\Microsoft Silverlight
                  2010-08-31 02:30 . 2010-02-21 21:01   --------   d-----w-   c:\program files\Download_Energy
                  2010-08-22 07:09 . 2010-04-18 15:57   --------   d-----w-   c:\documents and settings\Freddex\Application Data\Skype
                  2010-08-14 16:09 . 2010-03-23 22:52   --------   d-----w-   c:\documents and settings\All Users\Application Data\DivX
                  2010-08-11 13:18 . 2010-01-05 23:50   --------   d-----w-   c:\documents and settings\All Users\Application Data\AVG Security Toolbar
                  2010-08-09 00:56 . 2010-08-09 00:56   503808   ----a-w-   c:\documents and settings\sey administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-61f91632-n\msvcp71.dll
                  2010-08-09 00:56 . 2010-08-09 00:56   499712   ----a-w-   c:\documents and settings\sey administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-61f91632-n\jmc.dll
                  2010-08-09 00:56 . 2010-08-09 00:56   61440   ----a-w-   c:\documents and settings\sey administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-1ab01405-n\decora-sse.dll
                  2010-08-09 00:56 . 2010-08-09 00:56   12800   ----a-w-   c:\documents and settings\sey administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-1ab01405-n\decora-d3d.dll
                  2010-08-03 02:18 . 2010-08-03 02:18   503808   ----a-w-   c:\documents and settings\Freddex\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-7c91b2a5-n\msvcp71.dll
                  2010-08-03 02:18 . 2010-08-03 02:18   499712   ----a-w-   c:\documents and settings\Freddex\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-7c91b2a5-n\jmc.dll
                  2010-08-03 02:18 . 2010-08-03 02:18   61440   ----a-w-   c:\documents and settings\Freddex\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-51d40a07-n\decora-sse.dll
                  2010-08-03 02:18 . 2010-08-03 02:18   12800   ----a-w-   c:\documents and settings\Freddex\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-51d40a07-n\decora-d3d.dll
                  2010-07-31 17:45 . 2010-02-21 21:01   --------   d-----w-   c:\documents and settings\sey administrator\Application Data\LimeWire Music
                  2010-07-16 13:30 . 2010-01-05 23:49   243024   ----a-w-   c:\windows\system32\drivers\avgtdix.sys
                  2010-07-16 13:30 . 2010-07-16 13:30   12536   ----a-w-   c:\windows\system32\avgrsstx.dll
                  2010-07-16 13:29 . 2010-01-05 23:49   25168   ----a-w-   c:\windows\system32\drivers\AVGIDSxx.sys
                  2010-07-16 13:28 . 2010-01-05 23:49   216400   ----a-w-   c:\windows\system32\drivers\avgldx86.sys
                  .
                  c:\program files\Adobe\Reader 9.0\Reader\Reader_sl .exe
                  c:\program files\AVG\AVG9\avgtray .exe
                  c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM .exe
                  c:\program files\Common Files\Java\Java Update\jusched .exe
                  c:\program files\COMPAQ\Coloreal\coloreal .exe
                  c:\program files\COMPAQ\Easy Access Button Support\StartEAK .exe
                  c:\program files\IObit\Advanced SystemCare 3\AWC .exe
                  c:\program files\Messenger\msmsgs .exe
                  c:\program files\Microsoft Works\WkDetect .exe
                  c:\program files\QuickTime\qttask             .exe
                  c:\program files\Skype\Phone\Skype .exe
                  c:\program files\Windows Live\Messenger\msnmsgr .exe
                  c:\windows\system32\rundll32 .exe

                  (((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
                  .
                  .
                  *Note* empty entries & legit default entries are not shown
                  REGEDIT4

                  [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
                  "{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-04-19 2117704]
                  "{ad708c09-d51b-45b3-9d28-4eba2681febf}"= "c:\program files\Download_Energy\tbDow1.dll" [2010-09-21 2735200]

                  [HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

                  [HKEY_CLASSES_ROOT\clsid\{ad708c09-d51b-45b3-9d28-4eba2681febf}]

                  [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
                  2010-04-19 14:25   2117704   ----a-w-   c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll

                  [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ad708c09-d51b-45b3-9d28-4eba2681febf}]
                  2010-09-21 03:45   2735200   ----a-w-   c:\program files\Download_Energy\tbDow1.dll

                  [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
                  "{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-04-19 2117704]
                  "{ad708c09-d51b-45b3-9d28-4eba2681febf}"= "c:\program files\Download_Energy\tbDow1.dll" [2010-09-21 2735200]

                  [HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

                  [HKEY_CLASSES_ROOT\clsid\{ad708c09-d51b-45b3-9d28-4eba2681febf}]

                  [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
                  "{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-04-19 2117704]
                  "{AD708C09-D51B-45B3-9D28-4EBA2681FEBF}"= "c:\program files\Download_Energy\tbDow1.dll" [2010-09-21 2735200]

                  [HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

                  [HKEY_CLASSES_ROOT\clsid\{ad708c09-d51b-45b3-9d28-4eba2681febf}]

                  [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
                  "msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr .exe" [2009-07-26 3883856]
                  "Skype"="c:\program files\Skype\Phone\Skype.exe" [N/A]
                  "Advanced SystemCare 3"="c:\program files\IObit\Advanced SystemCare 3\AWC.exe" [N/A]
                  "{257715E4-3F57-82F0-2A8F-9F44FF99EE07}"="c:\documents and settings\sey administrator\Application Data\Nave\goic.exe" [2006-09-07 145408]

                  [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
                  "QuickTime Task"="c:\program files\QuickTime\qttask             .exe -atboottime" [X]
                  "IgfxTray"="c:\windows\System32\igfxtray.exe" [2001-08-08 143360]
                  "HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2001-08-08 90112]
                  "WCOLOREAL"="c:\program files\COMPAQ\Coloreal\coloreal.exe" [N/A]
                  "Microsoft Works Portfolio"="c:\program files\Microsoft Works\WksSb.exe" [2000-07-13 311350]
                  "Microsoft Works Update Detection"="c:\program files\Microsoft Works\WkDetect.exe" [N/A]
                  "EPSON Stylus C44 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_S09IC1.EXE" [2002-12-25 75776]
                  "00PCTFW"="c:\program files\PC Tools Firewall Plus\FirewallGUI.exe" [2010-01-12 3168216]
                  "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
                  "Jfarorerewe"="c:\windows\icehiqijoyiqopa.dll" [N/A]
                  "nonep"="c:\docume~1\SEYADM~1\LOCALS~1\Temp\tmp0ae15bd7\KillEXE.exe" [2010-09-21 368128]

                  c:\documents and settings\Freddex\Start Menu\Programs\Startup\
                  hoip.exe [2010-9-21 145408]

                  c:\documents and settings\Guest\Start Menu\Programs\Startup\
                  ybykl.exe [2010-9-21 145408]

                  c:\documents and settings\Default User\Start Menu\Programs\Startup\
                  ewgy.exe [2010-9-21 145408]

                  [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
                  "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

                  [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
                  "Userinit"="c:\windows\system32\userinit.exe,,c:\program files\microsoft\desktoplayer.exe"

                  [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
                  2009-09-03 19:21   548352   ----a-w-   c:\program files\SUPERAntiSpyware\SASWINLO.dll

                  [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
                  2010-07-16 13:30   12536   ----a-w-   c:\windows\system32\avgrsstx.dll

                  [HKEY_LOCAL_MACHINE\software\microsoft\security center]
                  "AntiVirusOverride"=dword:00000001

                  [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
                  "DisableMonitoring"=dword:00000001

                  [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
                  "%windir%\\system32\\sessmgr.exe"=
                  "c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
                  "c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
                  "c:\\Program Files\\AVG\\AVG9\\avgam.exe"=
                  "c:\\Program Files\\AVG\\AVG9\\avgdiagex.exe"=
                  "c:\\Program Files\\AVG\\AVG9\\avgemc.exe"=
                  "c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
                  "c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=
                  "c:\\Program Files\\LimeWire Music\\LimeWire Music.exe"=
                  "c:\\Program Files\\WinMX\\WinMX.exe"=
                  "c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
                  "c:\\Program Files\\uTorrent\\uTorrent.exe"=
                  "c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=

                  R0 AVGIDSErHrxpx;AVG9IDSErHr;c:\windows\system32\drivers\AVGIDSxx.sys [1/5/2010 7:49 PM 25168]
                  R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [1/5/2010 7:49 PM 52872]
                  R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [1/5/2010 7:49 PM 216400]
                  R1 AvgTdiX;AVG Network Redirector;c:\windows\system32\drivers\avgtdix.sys [1/5/2010 7:49 PM 243024]
                  R1 pctgntdi;pctgntdi;c:\windows\system32\drivers\pctgntdi.sys [9/14/2010 11:41 AM 233136]
                  R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 11:25 AM 12872]
                  R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2/17/2010 11:15 AM 66632]
                  R2 avg9emc;AVG E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [7/16/2010 9:28 AM 921952]
                  R2 avg9wd;AVG WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [7/16/2010 9:29 AM 308136]
                  R2 avgfws9;AVG Firewall;c:\program files\AVG\AVG9\avgfws9.exe [7/16/2010 9:28 AM 2331032]
                  R2 PCTAppEvent;PCTAppEvent Driver;c:\windows\system32\drivers\PCTAppEvent.sys [9/14/2010 11:41 AM 88040]
                  R2 PCToolsSSDMonitorSvc;PC Tools Startup and Shutdown Monitor service;c:\program files\Common Files\PC Tools\sMonitor\StartManSvc.exe [1/5/2010 7:15 PM 583640]
                  R3 Avgfwdx;Avgfwdx;c:\windows\system32\drivers\avgfwdx.sys [1/5/2010 7:48 PM 30104]
                  R3 AVGIDSDriverxpx;AVG9IDSDriver;c:\program files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSDriver.sys [1/5/2010 7:49 PM 122448]
                  R3 AVGIDSFilterxpx;AVG9IDSFilter;c:\program files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSFilter.sys [1/5/2010 7:48 PM 30288]
                  R3 AVGIDSShimxpx;AVG9IDSShim;c:\program files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSShim.sys [1/5/2010 7:48 PM 26192]
                  R3 PCTFW-PacketFilter;PCTools Firewall - Packet filter driver;c:\windows\system32\drivers\pctNdis-PacketFilter.sys [9/14/2010 11:40 AM 70664]
                  R3 pctNDIS;PC Tools Driver;c:\windows\system32\drivers\pctNdis.sys [9/14/2010 11:40 AM 58816]
                  R3 pctplfw;pctplfw;c:\windows\system32\drivers\pctplfw.sys [9/14/2010 11:40 AM 115216]
                  R3 SUNPLUS;SightCAM PC-100p;c:\windows\system32\drivers\spixnew.sys [1/21/2010 6:10 PM 95528]
                  S1 EACMOS;EACMOS;c:\windows\system32\drivers\EACMOS.SYS --> c:\windows\system32\drivers\EACMOS.SYS [?]
                  S2 AVGIDSAgent;AVG9IDSAgent;c:\program files\AVG\AVG9\Identity Protection\Agent\Bin\AVGIDSAgent.exe [7/16/2010 9:29 AM 5897808]
                  S2 gupdate1cacadbef3afef0;Google Update Service (gupdate1cacadbef3afef0);c:\program files\Google\Update\GoogleUpdate.exe [3/23/2010 6:55 PM 133104]
                  S3 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwdx.sys [1/5/2010 7:48 PM 30104]
                  S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2/17/2010 11:15 AM 12872]
                  .
                  Contents of the 'Scheduled Tasks' folder

                  2010-09-21 c:\windows\Tasks\AWC AutoSweep.job
                  - c:\program files\IObit\Advanced SystemCare 3\AutoSweep.exe [2010-04-14 18:11]

                  2010-09-21 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
                  - c:\program files\Google\Update\GoogleUpdate.exe [2010-03-23 22:54]

                  2010-09-21 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
                  - c:\program files\Google\Update\GoogleUpdate.exe [2010-03-23 22:54]

                  2004-09-01 c:\windows\Tasks\Registration reminder 1.job
                  - c:\windows\System32\OOBE\oobebaln.exe [2004-09-20 07:56]

                  2004-09-01 c:\windows\Tasks\Registration reminder 3.job
                  - c:\windows\System32\OOBE\oobebaln.exe [2004-09-20 07:56]
                  .
                  .
                  ------- Supplementary Scan -------
                  .
                  uStart Page = hxxp://yahoo.com/
                  DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
                  FF - ProfilePath - c:\documents and settings\sey administrator\Application Data\Mozilla\Firefox\Profiles\3mmgr645.default\
                  FF - plugin: c:\program files\Google\Update\1.2.183.29\npGoogleOneClick8.dll
                  FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
                  FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
                  FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

                  ---- FIREFOX POLICIES ----
                  c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
                  c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
                  c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
                  .
                  - - - - ORPHANS REMOVED - - - -

                  AddRemove-HijackThis - c:\program files\Trend Micro\HijackThis\HijackThis.exe



                  **************************************************************************

                  catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
                  Rootkit scan 2010-09-21 01:02
                  Windows 5.1.2600 Service Pack 2 NTFS

                  scanning hidden processes ... 

                  scanning hidden autostart entries ...

                  scanning hidden files ... 

                  scan completed successfully
                  hidden files: 0

                  **************************************************************************
                  .
                  --------------------- LOCKED REGISTRY KEYS ---------------------

                  [HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\Main\FeatureControl]
                  @DACL=(02 0000)

                  [HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ACTIVEX_REPURPOSEDETECTION]
                  @DACL=(02 0000)
                  "sllauncher.exe"=dword:00000001
                  "PresentationHost.exe"=dword:00000001

                  [HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_LMZ_IMG]
                  @DACL=(02 0000)
                  "sllauncher.exe"=dword:00000001
                  "PresentationHost.exe"=dword:00000001

                  [HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_LMZ_OBJECT]
                  @DACL=(02 0000)
                  "sllauncher.exe"=dword:00000001
                  "PresentationHost.exe"=dword:00000001

                  [HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_LMZ_SCRIPT]
                  @DACL=(02 0000)
                  "sllauncher.exe"=dword:00000001
                  "PresentationHost.exe"=dword:00000001

                  [HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION]
                  @DACL=(02 0000)
                  "sllauncher.exe"=dword:00001f40

                  [HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_Cross_Domain_Redirect_Mitigation]
                  @DACL=(02 0000)
                  "sllauncher.exe"=dword:00000001

                  [HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_LEGACY_COMPRESSION]
                  @DACL=(02 0000)
                  "PresentationHost.exe"=dword:00000001

                  [HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_SQM_UPLOAD_FOR_APP]
                  @DACL=(02 0000)
                  "ieuser.exe"=dword:00000001
                  "iexplore.exe"=dword:00000001

                  [HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_TELNET_PROTOCOL]
                  @DACL=(02 0000)
                  "PresentationHost.exe"=dword:00000001

                  [HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_UNICODE_HANDLE_CLOSING_CALLBACK]
                  @DACL=(02 0000)
                  "YahooMusicEngine.exe"=dword:00000001

                  [HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ENABLE_SCRIPT_PASTE_URLACTION_IF_PROMPT]
                  @DACL=(02 0000)
                  "devenv.exe"=dword:00000001
                  "dexplore.exe"=dword:00000001
                  "helppane.exe"=dword:00000001
                  "sllauncher.exe"=dword:00000000
                  "PresentationHost.exe"=dword:00000000

                  [HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_FEEDS]
                  @DACL=(02 0000)
                  "msfeedssync.exe"=dword:00000001

                  [HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_FORCE_ADDR_AND_STATUS]
                  @DACL=(02 0000)
                  "PresentationHost.exe"=dword:00000001

                  [HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_IGNORE_XML_PROLOG]
                  @DACL=(02 0000)
                  "msiexec.exe"=dword:00000000

                  [HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_IMAGING_USE_ART]
                  @DACL=(02 0000)
                  @=""
                  "waol.exe"=dword:00000001
                  "cs.exe"=dword:00000001
                  "wm.exe"=dword:00000001

                  [HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_INTERNET_SHELL_FOLDERS]
                  @DACL=(02 0000)
                  "iexplore.exe"=dword:00000000

                  [HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LEGACY_DISPPARAMS]
                  @DACL=(02 0000)
                  "helppane.exe"=dword:00000000

                  [HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LEGACY_DLCONTROL_BEHAVIORS]
                  @DACL=(02 0000)
                  "wlmail.exe"=dword:00000001

                  [HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MAXCONNECTIONSPER1_0SERVER]
                  @DACL=(02 0000)
                  "sllauncher.exe"=dword:00000006
                  "explorer.exe"=dword:00000004

                  [HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MAXCONNECTIONSPERSERVER]
                  @DACL=(02 0000)
                  "sllauncher.exe"=dword:00000006
                  "explorer.exe"=dword:00000002

                  [HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MSHTML_AUTOLOAD_IEFRAME]
                  @DACL=(02 0000)
                  "mshta.exe"=dword:00000001
                  "outlook.exe"=dword:00000001
                  "sidebar.exe"=dword:00000001

                  [HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RELEASE_CALLBACK_ON_STOP_BINDING]
                  @DACL=(02 0000)
                  "communicator.exe"=dword:00000001

                  [HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_ABOUT_PROTOCOL_IE7]
                  @DACL=(02 0000)
                  "sllauncher.exe"=dword:00000001
                  "PresentationHost.exe"=dword:00000001

                  [HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_FILEDOWNLOAD]
                  @DACL=(02 0000)
                  "wlmail.exe"=dword:00000001
                  "msimn.exe"=dword:00000001
                  "winmail.exe"=dword:00000001

                  [HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_OBJECT_DATA_ATTRIBUTE]
                  @DACL=(02 0000)
                  "WindowsLiveWriter.exe"=dword:00000001
                  "sllauncher.exe"=dword:00000001
                  "PresentationHost.exe"=dword:00000001

                  [HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_RES_TO_LMZ]
                  @DACL=(02 0000)
                  "sllauncher.exe"=dword:00000001
                  "PresentationHost.exe"=dword:00000001

                  [HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SCRIPTURL_MITIGATION]
                  @DACL=(02 0000)
                  "sllauncher.exe"=dword:00000001

                  [HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SHOW_APP_PROTOCOL_WARN_DIALOG]
                  @DACL=(02 0000)
                  "sllauncher.exe"=dword:00000001
                  "PresentationHost.exe"=dword:00000001

                  [HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SSLUX]
                  @DACL=(02 0000)
                  "PresentationHost.exe"=dword:00000001

                  [HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SUBDOWNLOAD_LOCKDOWN]
                  @DACL=(02 0000)
                  "wlmail.exe"=dword:00000001
                  "msimn.exe"=dword:00000001
                  "outlook.exe"=dword:00000001
                  "winmail.exe"=dword:00000001

                  [HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_USE_WINDOWEDSELECTCONTROL]
                  @DACL=(02 0000)
                  "excel.exe"=dword:00000001
                  "infopath.exe"=dword:00000001
                  "powerpnt.exe"=dword:00000001
                  "winword.exe"=dword:00000001

                  [HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_VIEWLINKEDWEBOC_IS_UNSAFE]
                  @DACL=(02 0000)
                  "sllauncher.exe"=dword:00000001

                  [HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBOC_MOVESIZECHILD]
                  @DACL=(02 0000)
                  "msn.exe"=dword:00000001
                  "msn6.exe"=dword:00000001

                  [HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_XSSFILTER]
                  @DACL=(02 0000)
                  "iexplore.exe"=dword:00000001

                  [HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
                  @DACL=(02 0000)
                  @=""
                  "Installed"="1"

                  [HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
                  @DACL=(02 0000)
                  @=""
                  "Installed"="1"
                  "NoChange"="1"

                  [HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
                  @DACL=(02 0000)
                  @=""
                  "Installed"="1"

                  [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Adapters\NdisWanIp]
                  @DACL=(02 0000)
                  "LLInterface"="WANARP"
                  "IpConfig"=multi:"Tcpip\\Parameters\\Interfaces\\{E2E03A56-F650-49AD-9458-84AC5A26824B}\00Tcpip\\Parameters\\Interfaces\\{9D1E836B-DDA1-48F1-825D-3BE14B2C290C}\00Tcpip\\Parameters\\Interfaces\\{9215A54E-3EAA-4DC2-8EFE-4731C26E1349}\00Tcpip\\Parameters\\Interfaces\\{6F8E307F-9A7C-408A-AFAF-3615FCFA4CEF}\00\00"
                  "NumInterfaces"=dword:00000004
                  "IpInterfaces"=hex:56,3a,e0,e2,50,f6,ad,49,94,58,84,ac,5a,26,82,4b,6b,83,1e,9d,
                     a1,dd,f1,48,82,5d,3b,e1,4b,2c,29,0c,4e,a5,15,92,aa,3e,c2,4d,8e,fe,47,31,c2,\

                  [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Adapters\{6DE38E76-6721-44BE-B4B6-A8A60FA66767}]
                  @DACL=(02 0000)
                  "LLInterface"=""
                  "IpConfig"=multi:"Tcpip\\Parameters\\Interfaces\\{6DE38E76-6721-44BE-B4B6-A8A60FA66767}\00\00"

                  [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Adapters\{B006CFFA-964A-4BFA-84AB-6CB924F4DB19}]
                  @DACL=(02 0000)
                  "LLInterface"=""
                  "IpConfig"=multi:"Tcpip\\Parameters\\Interfaces\\{B006CFFA-964A-4BFA-84AB-6CB924F4DB19}\00\00"

                  [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{0AA05CFB-0DDF-48E4-ABE8-1E78BE894167}]
                  @DACL=(02 0000)
                  "UseZeroBroadcast"=dword:00000000
                  "EnableDHCP"=dword:00000000
                  "IPAddress"=multi:"0.0.0.0\00\00"
                  "SubnetMask"=multi:"0.0.0.0\00\00"
                  "DefaultGateway"=multi:"\00"
                  "EnableDeadGWDetect"=dword:00000001
                  "DontAddDefaultGateway"=dword:00000000

                  [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{2F865EAA-DF52-4F83-B627-C01FA56AB1B5}]
                  @DACL=(02 0000)
                  "UseZeroBroadcast"=dword:00000000
                  "EnableDHCP"=dword:00000000
                  "IPAddress"=multi:"0.0.0.0\00\00"
                  "SubnetMask"=multi:"0.0.0.0\00\00"
                  "DefaultGateway"=multi:"\00"
                  "EnableDeadGWDetect"=dword:00000001
                  "DontAddDefaultGateway"=dword:00000000

                  [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{6F8E307F-9A7C-408A-AFAF-3615FCFA4CEF}]
                  @DACL=(02 0000)
                  "UseZeroBroadcast"=dword:00000000
                  "EnableDHCP"=dword:00000000
                  "IPAddress"=multi:"0.0.0.0\00\00"
                  "SubnetMask"=multi:"0.0.0.0\00\00"
                  "DefaultGateway"=multi:"\00"
                  "EnableDeadGWDetect"=dword:00000001
                  "DontAddDefaultGateway"=dword:00000000
                  "NTEContextList"=multi:"\00"
                  "DhcpClassIdBin"=hex:
                  "DhcpIPAddress"="0.0.0.0"
                  "DhcpSubnetMask"="0.0.0.0"
                  "Domain"=""
                  "NameServer"=""
                  "RegistrationEnabled"=dword:00000000
                  "RegisterAdapterName"=dword:00000000

                  [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{9215A54E-3EAA-4DC2-8EFE-4731C26E1349}]
                  @DACL=(02 0000)
                  "UseZeroBroadcast"=dword:00000000
                  "EnableDHCP"=dword:00000000
                  "IPAddress"=multi:"0.0.0.0\00\00"
                  "SubnetMask"=multi:"0.0.0.0\00\00"
                  "DefaultGateway"=multi:"\00"
                  "EnableDeadGWDetect"=dword:00000001
                  "DontAddDefaultGateway"=dword:00000000

                  [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{93DFA675-845C-4FB9-B057-A889D11F364B}]
                  @DACL=(02 0000)
                  "UseZeroBroadcast"=dword:00000000
                  "EnableDHCP"=dword:00000000
                  "IPAddress"=multi:"0.0.0.0\00\00"
                  "SubnetMask"=multi:"0.0.0.0\00\00"
                  "DefaultGateway"=multi:"\00"
                  "EnableDeadGWDetect"=dword:00000001
                  "DontAddDefaultGateway"=dword:00000000

                  [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{9D1E836B-DDA1-48F1-825D-3BE14B2C290C}]
                  @DACL=(02 0000)
                  "UseZeroBroadcast"=dword:00000000
                  "EnableDHCP"=dword:00000000
                  "IPAddress"=multi:"0.0.0.0\00\00"
                  "SubnetMask"=multi:"0.0.0.0\00\00"
                  "DefaultGateway"=multi:"\00"
                  "EnableDeadGWDetect"=dword:00000001
                  "DontAddDefaultGateway"=dword:00000000
                  "NTEContextList"=multi:"\00"
                  "DhcpIPAddress"="0.0.0.0"
                  "DhcpSubnetMask"="0.0.0.0"
                  "Domain"=""
                  "NameServer"=""
                  "RegistrationEnabled"=dword:00000000
                  "DhcpClassIdBin"=hex:
                  "RegisterAdapterName"=dword:00000000

                  [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{B006CFFA-964A-4BFA-84AB-6CB924F4DB19}]
                  @DACL=(02 0000)
                  "UseZeroBroadcast"=dword:00000000
                  "EnableDeadGWDetect"=dword:00000001
                  "EnableDHCP"=dword:00000001
                  "IPAddress"=multi:"0.0.0.0\00\00"
                  "SubnetMask"=multi:"0.0.0.0\00\00"
                  "DefaultGateway"=multi:"\00"
                  "DefaultGatewayMetric"=multi:"\00"
                  "NameServer"=""
                  "Domain"=""
                  "RegistrationEnabled"=dword:00000001
                  "RegisterAdapterName"=dword:00000000
                  "TCPAllowedPorts"=multi:"0\00\00"
                  "UDPAllowedPorts"=multi:"0\00\00"
                  "RawIPAllowedProtocols"=multi:"0\00\00"
                  "NTEContextList"=multi:"0x00000003\00\00"
                  "DhcpClassIdBin"=hex:

                  [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{E2E03A56-F650-49AD-9458-84AC5A26824B}]
                  @DACL=(02 0000)
                  "UseZeroBroadcast"=dword:00000000
                  "EnableDHCP"=dword:00000000
                  "IPAddress"=multi:"0.0.0.0\00\00"
                  "SubnetMask"=multi:"0.0.0.0\00\00"
                  "DefaultGateway"=multi:"\00"
                  "EnableDeadGWDetect"=dword:00000001
                  "DontAddDefaultGateway"=dword:00000000
                  .
                  --------------------- DLLs Loaded Under Running Processes ---------------------

                  - - - - - - - > 'winlogon.exe'(1048)
                  c:\program files\SUPERAntiSpyware\SASWINLO.dll
                  c:\windows\system32\WININET.dll

                  - - - - - - - > 'explorer.exe'(1204)
                  c:\windows\system32\WININET.dll
                  c:\windows\system32\ieframe.dll
                  c:\windows\system32\webcheck.dll
                  .
                  ------------------------ Other Running Processes ------------------------
                  .
                  c:\program files\AVG\AVG9\avgchsvx.exe
                  c:\program files\AVG\AVG9\avgrsx.exe
                  c:\program files\AVG\AVG9\avgcsrvx.exe
                  c:\program files\Internet Explorer\IEXPLORE.EXE
                  c:\program files\Java\jre6\bin\jqs.exe
                  c:\program files\AVG\AVG9\avgnsx.exe
                  c:\program files\PC Tools Firewall Plus\FWService.exe
                  c:\windows\system32\pctspk.exe
                  c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
                  c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
                  c:\program files\AVG\AVG9\avgcsrvx.exe
                  .
                  **************************************************************************
                  .
                  Completion time: 2010-09-21  01:11:07 - machine was rebooted
                  ComboFix-quarantined-files.txt  2010-09-21 05:10

                  Pre-Run: 10,666,930,176 bytes free
                  Post-Run: 10,457,047,040 bytes free

                  WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
                  [boot loader]
                  timeout=2
                  default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
                  [operating systems]
                  c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
                  UnsupportedDebug="do not select this" /debug
                  multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

                  - - End Of File - - F21AAF59933A3D314E074E13866A7423

                  Freddex

                    Re: Need help - Trojan\Malware problem!!!
                    « Reply #10 on: September 22, 2010, 05:05:27 PM »
                     Results of screen317's Security Check version 0.99.5 
                     Windows XP Service Pack 2 
                     Out of date service pack!!
                     Internet Explorer 8 
                    ``````````````````````````````
                    Antivirus/Firewall Check:

                     Windows Firewall Disabled! 
                     AVG 9.0     
                     PC Tools Firewall Plus 6.0 
                    ```````````````````````````````
                    Anti-malware/Other Utilities Check:

                     Ad-Aware
                     Malwarebytes' Anti-Malware   
                     CCleaner     
                     Java(TM) 6 Update 21 
                     Adobe Flash Player 10.0.45.2 
                    Adobe Reader 9.3
                     Mozilla Firefox (3.6.10) Firefox Out of Date! 
                    ````````````````````````````````
                    Process Check: 
                    objlist.exe by Laurent

                     Ad-Aware AAWService.exe is disabled!
                     Ad-Aware AAWTray.exe is disabled!
                    ````````````````````````````````
                    DNS Vulnerability Check:


                    ``````````End of Log````````````

                    SuperDave

                    Re: Need help - Trojan\Malware problem!!!
                    « Reply #11 on: September 22, 2010, 07:12:45 PM »
                    Please go to Jotti's malware scan
                    (If more than one file needs to be scanned, they must be done separately and a link posted for each one)

                    * Copy the file path in the below Code box:

                    Code:
                    c:\windows\Tfiko.bin
                    c:\windows\Qwavifetahefozu.dat

                    * At the upload site, click once inside the window next to Browse.
                    * Press Ctrl+V on the keyboard (both at the same time) to paste the file path into the window.
                    * Next click Submit file
                    * Your file will possibly be entered into a queue which normally takes less than a minute to clear.
                    * This will perform a scan across multiple different virus scanning engines.
                    * Important: Wait for all of the scanning engines to complete.
                    * Once the scan is finished, Copy and then Paste the link in the address bar into your next reply.
                    ********************************************
                    P2P - I see you have P2P software installed on your machine (LimeWire Music). We are not here to pass judgment on file-sharing as a concept. However, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to re-infections. It is certainly contributing to your current situation.

                    Please note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares.

                    I would strongly recommend that you uninstall them; however, that choice is up to you. If you choose to remove these programs, you can do so via Control Panel >> Add or Remove Programs.
                    ******************************************
                    Re-running ComboFix to remove infections:

                    • Close any open browsers.
                    • Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
                    • Open notepad and copy/paste the text in the quotebox below into it:
                      Quote
                      KillAll::

                      DirLook::
                      c:\program files\sys231

                      Registry::
                      [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] Jfarorerewe"="c:\windows\icehiqijoyiqopa.dll
                      [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] nonep"="c:\docume~1\SEYADM~1\LOCALS~1\Temp\tmp0ae15bd7\KillEXE.exe

                    • Save this as CFScript.txt, in the same location as ComboFix.exe



                    • Referring to the picture above, drag CFScript into ComboFix.exe
                    • When finished, it shall produce a log for you at C:\ComboFix.txt
                    • Please post the contents of the log in your next reply.
                    **********************************
                    * Download the following tool: RootRepeal - Rootkit Detector
                    * Direct download link is here: RootRepeal.zip

                    * Close all programs and temporarily disable your anti-virus, Firewall and any anti-malware real-time protection before performing a scan.
                    * Click this link to see a list of such programs and how to disable them.

                    * Extract the program file to a new folder such as C:\RootRepeal
                    * Run the program RootRepeal.exe and go to the REPORT tab and click on the Scan button.
                    * Select ALL of the checkboxes and then click OK and it will start scanning your system.
                    * If you have multiple drives you only need to check the C: drive or the one Windows is installed on.
                    * When done, click on Save Report
                    * Save it to the same location where you ran it from, such as C:\RootRepeal
                    * Save it as rootrepeal.txt
                    * Then open that log and select all and copy/paste it back on your next reply please.
                    * Close RootRepeal.
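The triage a helper does by eye on the ComboFix log above (the S1 EACMOS service whose driver cannot be found, the Run entries the CFScript targets) can be scripted. The following is an added example, not code from this thread or from ComboFix: the sample lines are constructed after the thread's log (plus one benign Run entry made up for contrast, with made-up dates and sizes), and `looks_generated` is a hypothetical heuristic, not something ComboFix does.

```python
"""Triage of ComboFix-style service and Run-key lines.

Added example for this thread, not code from the forum or from ComboFix.
It scripts the checks a malware-removal helper makes by eye:
  * a service whose binary could not be found on disk ("--> ... [?]"),
  * an autostart that runs from a Temp directory,
  * a binary dropped directly into the Windows directory (not system32),
  * a name that looks machine-generated (hypothetical heuristic, see below).
"""
import re
from dataclasses import dataclass
from typing import List

# ComboFix service lines, e.g.
#   R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [1/5/2010 7:49 PM 52872]
#   S1 EACMOS;EACMOS;c:\...\EACMOS.SYS --> c:\...\EACMOS.SYS [?]
SERVICE_RE = re.compile(
    r"^(?P<state>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<path>.+?)(?:\s+-->\s+(?P<resolved>.+?))?\s+\[(?P<meta>[^\]]*)\]\s*$"
)
# Run-key lines as ComboFix prints them:  "Name"="path" [date size]
RUN_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]+)"(?:\s+\[(?P<meta>[^\]]*)\])?\s*$')

WINDIR_ROOT = "c:\\windows"   # binaries belong in subfolders, not directly here

# Constructed sample: service lines and Run entries after the thread's log,
# plus a benign AVG tray entry for contrast. Run-entry dates/sizes are made up.
SAMPLE_LOG = r"""
R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [1/5/2010 7:49 PM 52872]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 11:25 AM 12872]
S1 EACMOS;EACMOS;c:\windows\system32\drivers\EACMOS.SYS --> c:\windows\system32\drivers\EACMOS.SYS [?]
S2 gupdate1cacadbef3afef0;Google Update Service (gupdate1cacadbef3afef0);c:\program files\Google\Update\GoogleUpdate.exe [3/23/2010 6:55 PM 133104]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2010-07-16 2065248]
"Jfarorerewe"="c:\windows\icehiqijoyiqopa.dll" [2010-09-14 57344]
"nonep"="c:\docume~1\SEYADM~1\LOCALS~1\Temp\tmp0ae15bd7\KillEXE.exe" [2010-09-14 28672]
"""


@dataclass
class Finding:
    kind: str          # "service" or "run"
    name: str
    path: str
    reasons: List[str]


def looks_generated(token: str, min_len: int = 9, threshold: float = 0.9) -> bool:
    """Hypothetical heuristic: a long, purely alphabetic token in which nearly
    every adjacent letter pair alternates consonant/vowel, the pattern the
    pronounceable random names in this thread follow (icehiqijoyiqopa,
    Qwavifetahefozu). Coarse: some real words (e.g. 'Panasonic') also match,
    so it is a hint for the analyst, never a verdict on its own."""
    t = token.lower()
    if len(t) < min_len or not t.isalpha():
        return False
    vowels = set("aeiou")
    alternating = sum((a in vowels) != (b in vowels) for a, b in zip(t, t[1:]))
    return alternating / (len(t) - 1) >= threshold


def suspicious_reasons(name: str, path: str, meta: str) -> List[str]:
    """Return the triage reasons for one entry; an empty list means no flag."""
    reasons = []
    p = path.lower().strip()
    head, _, fname = p.rpartition("\\")
    stem = fname.rsplit(".", 1)[0]
    if meta.strip() == "?":
        reasons.append("binary not found on disk (ComboFix shows [?])")
    if "\\temp\\" in p:
        reasons.append("runs from a Temp directory")
    if head == WINDIR_ROOT:
        reasons.append("binary sits directly in the Windows directory")
    if looks_generated(name) or looks_generated(stem):
        reasons.append("name looks machine-generated (heuristic)")
    return reasons


def triage(log_text: str) -> List[Finding]:
    """Parse service and Run lines from a ComboFix log and return flagged entries."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = SERVICE_RE.match(line)
        if m:
            kind, name, meta = "service", m["name"], m["meta"]
            path = m["resolved"] or m["path"]   # prefer the resolved target
        else:
            m = RUN_RE.match(line)
            if not m:
                continue                         # not an entry we triage
            kind, name, path, meta = "run", m["name"], m["path"], m["meta"] or ""
        reasons = suspicious_reasons(name, path, meta)
        if reasons:
            findings.append(Finding(kind, name, path, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind:7} {f.name:<14} {f.path}")
        for r in f.reasons:
            print(f"        - {r}")
```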

                      Freddex

                        Re: Need help - Trojan\Malware problem!!!
                        « Reply #13 on: September 25, 2010, 04:17:11 PM »
                        The Jotti scan is giving me the "file is empty" message for the C:\WINDOWS\Tfiko.bin file.

                        SuperDave

                        Re: Need help - Trojan\Malware problem!!!
                        « Reply #14 on: September 25, 2010, 05:09:30 PM »
                        Please download 7-Zip and install it. If you already have it, no need to reinstall.

                        Then, download RootkitUnhooker and save the setup to your Desktop.

                        • Right-click on the RootkitUnhooker setup and mouse-over 7-Zip then click Extract to "RKU***"
                        • Once that is done, enter the folder, and double-click on the setup file. Navigate through setup and finish.
                        • Once that is done, you will see another folder that was created inside the RKU folder. Enter that folder, and double-click on the randomly named file. (It will be alpha-numeric and have an EXE extension on it.)
                        • It will initialize itself and load the scanner. It will also install its driver. Please wait for the interface to begin.
                        • Once inside the interface, do not fix anything. Click on the Report tab.
                        • Next, click on the Scan button and a popup will show. Make sure all are checked, then click on OK. It will begin scanning. When it gets to the Files tab, it will ask you what drives to scan. Just select C:\ and hit OK.
                        • It will finish in about 5 minutes or a little longer depending on how badly infected the system is, or if your security software is enabled.
                        • When finished, it will show the report in the Report tab. Please copy all of it, and post it in your next reply. Depending on how large the log is, you may have to use two or three posts to get all the information in.