
Topic: .exe Bad Image issue


sputniked

    Topic Starter


    Greenhorn

    .exe Bad Image issue
    « on: January 08, 2010, 01:00:09 AM »
    Basically I've come home for the holidays to find my sister had almost obliterated the home computer. I managed to get rid of lots of Ad/Spyware with Searchbot, 3 viruses picked up by a very out of date Norton Security and Antivir, and then 7 (my sister is careless) trojan horses after I removed Norton in exchange for the newest edition of AVG. But Mozilla seems to be the only thing affected now, as every attempt to run the programme just gets a pop-up saying:
    The application of DLL C:\Program Files\Mozilla Firefox\xul.dll is not a valid Windows image. Please check this against your installation diskette.

    This seems to be the only programme I've found that gives me that.
    I'm running Windows XP Home Edition SP3 on a Dell desktop (if that helps =)...)

    I'm attaching the logs and copy and pasting them below.

    P.S. My sister always has her iPod plugged in to shift around films; would it be wise to run all these checks on her iPod as well? Her old one had an infection before.

    Thanks.
    _______________________________________ __________
    SUPERAntiSpyware Scan Log
    http://www.superantispyware.com

    Generated 01/08/2010 at 05:27 AM

    Application Version : 4.33.1000

    Core Rules Database Version : 4459
    Trace Rules Database Version: 2280

    Scan type       : Complete Scan
    Total Scan Time : 02:56:16

    Memory items scanned      : 524
    Memory threats detected   : 0
    Registry items scanned    : 6111
    Registry threats detected : 7
    File items scanned        : 123509
    File threats detected     : 154

    MyWay Search Assistant Computers
       HKLM\Software\Classes\CLSID\{4D25F926-B9FE-4682-BF72-8AB8210D6D75}
       HKCR\CLSID\{4D25F926-B9FE-4682-BF72-8AB8210D6D75}
       HKCR\CLSID\{4D25F926-B9FE-4682-BF72-8AB8210D6D75}
       HKCR\CLSID\{4D25F926-B9FE-4682-BF72-8AB8210D6D75}\InprocServer32
       HKCR\CLSID\{4D25F926-B9FE-4682-BF72-8AB8210D6D75}\InprocServer32#ThreadingModel
       HKCR\CLSID\{4D25F926-B9FE-4682-BF72-8AB8210D6D75}\Programmable
       C:\PROGRAM FILES\MYWAYSA\SRCHASDE\1.BIN\DESRCAS.DLL
       HKU\S-1-5-21-1684091330-3342741118-4197664105-1014\Software\Microsoft\Internet Explorer\URLSearchHooks#{4D25F926-B9FE-4682-BF72-8AB8210D6D75}

    Adware.Tracking Cookie
       C:\Documents and Settings\the girl\Cookies\the_girl@atdmt[2].txt
       C:\Documents and Settings\the girl\Cookies\the_girl@statcounter[1].txt
       C:\Documents and Settings\the girl\Cookies\the_girl@adbrite[1].txt
       C:\Documents and Settings\the girl\Cookies\the_girl@doubleclick[1].txt
       C:\Documents and Settings\Dad\Cookies\[email protected][1].txt
       C:\Documents and Settings\Dad\Cookies\dad@2o7[2].txt
       C:\Documents and Settings\Dad\Cookies\[email protected][1].txt
       C:\Documents and Settings\Dad\Cookies\[email protected][1].txt
       C:\Documents and Settings\Dad\Cookies\dad@advertising[1].txt
       C:\Documents and Settings\Dad\Cookies\[email protected][1].txt
       C:\Documents and Settings\Dad\Cookies\[email protected][1].txt
       C:\Documents and Settings\Dad\Cookies\dad@atdmt[2].txt
       C:\Documents and Settings\Dad\Cookies\dad@bluestreak[1].txt
       C:\Documents and Settings\Dad\Cookies\dad@bravenet[1].txt
       C:\Documents and Settings\Dad\Cookies\[email protected][2].txt
       C:\Documents and Settings\Dad\Cookies\dad@casalemedia[1].txt
       C:\Documents and Settings\Dad\Cookies\[email protected][2].txt
       C:\Documents and Settings\Dad\Cookies\dad@doubleclick[1].txt
       C:\Documents and Settings\Dad\Cookies\[email protected][2].txt
       C:\Documents and Settings\Dad\Cookies\dad@fastclick[2].txt
       C:\Documents and Settings\Dad\Cookies\[email protected][1].txt
       C:\Documents and Settings\Dad\Cookies\dad@hitbox[1].txt
       C:\Documents and Settings\Dad\Cookies\dad@maxserving[2].txt
       C:\Documents and Settings\Dad\Cookies\[email protected][1].txt
       C:\Documents and Settings\Dad\Cookies\dad@mediaplex[2].txt
       C:\Documents and Settings\Dad\Cookies\dad@revsci[1].txt
       C:\Documents and Settings\Dad\Cookies\dad@serving-sys[2].txt
       C:\Documents and Settings\Dad\Cookies\dad@statcounter[1].txt
       C:\Documents and Settings\Dad\Cookies\[email protected][2].txt
       C:\Documents and Settings\Dad.SAKURA\Cookies\[email protected][1].txt
       C:\Documents and Settings\Dad.SAKURA\Cookies\[email protected][2].txt
       C:\Documents and Settings\Dad.SAKURA\Cookies\[email protected][2].txt
       C:\Documents and Settings\Dad.SAKURA\Cookies\dad@adecn[1].txt
       C:\Documents and Settings\Dad.SAKURA\Cookies\[email protected][2].txt
       C:\Documents and Settings\Dad.SAKURA\Cookies\dad@adrevolver[1].txt
       C:\Documents and Settings\Dad.SAKURA\Cookies\[email protected][1].txt
       C:\Documents and Settings\Dad.SAKURA\Cookies\[email protected][2].txt
       C:\Documents and Settings\Dad.SAKURA\Cookies\[email protected][1].txt
       C:\Documents and Settings\Dad.SAKURA\Cookies\[email protected][1].txt
       C:\Documents and Settings\Dad.SAKURA\Cookies\dad@adtech[1].txt
       C:\Documents and Settings\Dad.SAKURA\Cookies\dad@advertising[1].txt
       C:\Documents and Settings\Dad.SAKURA\Cookies\dad@adviva[2].txt
       C:\Documents and Settings\Dad.SAKURA\Cookies\[email protected][1].txt
       C:\Documents and Settings\Dad.SAKURA\Cookies\[email protected][1].txt
       C:\Documents and Settings\Dad.SAKURA\Cookies\[email protected][1].txt
       C:\Documents and Settings\Dad.SAKURA\Cookies\[email protected][2].txt
       C:\Documents and Settings\Dad.SAKURA\Cookies\[email protected][3].txt
       C:\Documents and Settings\Dad.SAKURA\Cookies\[email protected][1].txt
       C:\Documents and Settings\Dad.SAKURA\Cookies\dad@atdmt[1].txt
       C:\Documents and Settings\Dad.SAKURA\Cookies\dad@atwola[2].txt
       C:\Documents and Settings\Dad.SAKURA\Cookies\dad@bluestreak[1].txt
       C:\Documents and Settings\Dad.SAKURA\Cookies\[email protected][1].txt
       C:\Documents and Settings\Dad.SAKURA\Cookies\dad@burstnet[2].txt
       C:\Documents and Settings\Dad.SAKURA\Cookies\[email protected][1].txt
       C:\Documents and Settings\Dad.SAKURA\Cookies\dad@doubleclick[1].txt
       C:\Documents and Settings\Dad.SAKURA\Cookies\[email protected][2].txt
       C:\Documents and Settings\Dad.SAKURA\Cookies\[email protected][1].txt
       C:\Documents and Settings\Dad.SAKURA\Cookies\dad@imrworldwide[2].txt
       C:\Documents and Settings\Dad.SAKURA\Cookies\dad@insightexpressai[2].txt
       C:\Documents and Settings\Dad.SAKURA\Cookies\[email protected][2].txt
       C:\Documents and Settings\Dad.SAKURA\Cookies\[email protected][3].txt
       C:\Documents and Settings\Dad.SAKURA\Cookies\dad@mediaplex[1].txt
       C:\Documents and Settings\Dad.SAKURA\Cookies\[email protected][1].txt
       C:\Documents and Settings\Dad.SAKURA\Cookies\dad@overture[1].txt
       C:\Documents and Settings\Dad.SAKURA\Cookies\dad@questionmarket[2].txt
       C:\Documents and Settings\Dad.SAKURA\Cookies\dad@revsci[2].txt
       C:\Documents and Settings\Dad.SAKURA\Cookies\[email protected][1].txt
       C:\Documents and Settings\Dad.SAKURA\Cookies\[email protected][3].txt
       C:\Documents and Settings\Dad.SAKURA\Cookies\dad@serving-sys[1].txt
       C:\Documents and Settings\Dad.SAKURA\Cookies\dad@specificclick[1].txt
       C:\Documents and Settings\Dad.SAKURA\Cookies\dad@tacoda[1].txt
       C:\Documents and Settings\Dad.SAKURA\Cookies\[email protected][1].txt
       C:\Documents and Settings\Dad.SAKURA\Cookies\dad@tradedoubler[2].txt
       C:\Documents and Settings\Dad.SAKURA\Cookies\dad@tribalfusion[1].txt
       C:\Documents and Settings\Dad.SAKURA\Cookies\[email protected][1].txt
       C:\Documents and Settings\Dad.SAKURA\Cookies\[email protected][1].txt
       C:\Documents and Settings\Dad.SAKURA\Cookies\[email protected][2].txt
       C:\Documents and Settings\Dad.SAKURA\Cookies\[email protected][1].txt
       C:\Documents and Settings\Dad.SAKURA\Cookies\dad@zedo[1].txt
       C:\Documents and Settings\FINANCE OFFICE\Cookies\[email protected][1].txt
       C:\Documents and Settings\FINANCE OFFICE\Cookies\[email protected][1].txt
       C:\Documents and Settings\FINANCE OFFICE\Cookies\finance_office@adecn[1].txt
       C:\Documents and Settings\FINANCE OFFICE\Cookies\[email protected][1].txt
       C:\Documents and Settings\FINANCE OFFICE\Cookies\finance_office@adrevolver[2].txt
       C:\Documents and Settings\FINANCE OFFICE\Cookies\[email protected][2].txt
       C:\Documents and Settings\FINANCE OFFICE\Cookies\finance_office@adtech[1].txt
       C:\Documents and Settings\FINANCE OFFICE\Cookies\finance_office@advertising[2].txt
       C:\Documents and Settings\FINANCE OFFICE\Cookies\finance_office@adviva[1].txt
       C:\Documents and Settings\FINANCE OFFICE\Cookies\[email protected][1].txt
       C:\Documents and Settings\FINANCE OFFICE\Cookies\[email protected][1].txt
       C:\Documents and Settings\FINANCE OFFICE\Cookies\finance_office@atdmt[2].txt
       C:\Documents and Settings\FINANCE OFFICE\Cookies\finance_office@bluestreak[1].txt
       C:\Documents and Settings\FINANCE OFFICE\Cookies\[email protected][1].txt
       C:\Documents and Settings\FINANCE OFFICE\Cookies\finance_office@doubleclick[1].txt
       C:\Documents and Settings\FINANCE OFFICE\Cookies\finance_office@imrworldwide[2].txt
       C:\Documents and Settings\FINANCE OFFICE\Cookies\[email protected][2].txt
       C:\Documents and Settings\FINANCE OFFICE\Cookies\[email protected][3].txt
       C:\Documents and Settings\FINANCE OFFICE\Cookies\finance_office@mediaplex[1].txt
       C:\Documents and Settings\FINANCE OFFICE\Cookies\finance_office@serving-sys[2].txt
       C:\Documents and Settings\FINANCE OFFICE\Cookies\finance_office@specificclick[2].txt
       C:\Documents and Settings\FINANCE OFFICE\Cookies\finance_office@tradedoubler[1].txt
       C:\Documents and Settings\FINANCE OFFICE\Cookies\[email protected][1].txt
       .122.2o7.net [ C:\Documents and Settings\Mum\Application Data\Mozilla\Firefox\Profiles\m7gxrpoj.default\cookies.txt ]
       .122.2o7.net [ C:\Documents and Settings\Mum\Application Data\Mozilla\Firefox\Profiles\m7gxrpoj.default\cookies.txt ]
       .122.2o7.net [ C:\Documents and Settings\Mum\Application Data\Mozilla\Firefox\Profiles\m7gxrpoj.default\cookies.txt ]
       .adknowledge.com [ C:\Documents and Settings\Mum\Application Data\Mozilla\Firefox\Profiles\m7gxrpoj.default\cookies.txt ]
       .advertising.com [ C:\Documents and Settings\Mum\Application Data\Mozilla\Firefox\Profiles\m7gxrpoj.default\cookies.txt ]
       .advertising.com [ C:\Documents and Settings\Mum\Application Data\Mozilla\Firefox\Profiles\m7gxrpoj.default\cookies.txt ]
       .advertising.com [ C:\Documents and Settings\Mum\Application Data\Mozilla\Firefox\Profiles\m7gxrpoj.default\cookies.txt ]
       .as-eu.falkag.net [ C:\Documents and Settings\Mum\Application Data\Mozilla\Firefox\Profiles\m7gxrpoj.default\cookies.txt ]
       .atdmt.com [ C:\Documents and Settings\Mum\Application Data\Mozilla\Firefox\Profiles\m7gxrpoj.default\cookies.txt ]
       .atwola.com [ C:\Documents and Settings\Mum\Application Data\Mozilla\Firefox\Profiles\m7gxrpoj.default\cookies.txt ]
       .maxserving.com [ C:\Documents and Settings\Mum\Application Data\Mozilla\Firefox\Profiles\m7gxrpoj.default\cookies.txt ]
       .maxserving.com [ C:\Documents and Settings\Mum\Application Data\Mozilla\Firefox\Profiles\m7gxrpoj.default\cookies.txt ]
       .questionmarket.com [ C:\Documents and Settings\Mum\Application Data\Mozilla\Firefox\Profiles\m7gxrpoj.default\cookies.txt ]
       .stats.channel4.com [ C:\Documents and Settings\Mum\Application Data\Mozilla\Firefox\Profiles\m7gxrpoj.default\cookies.txt ]
       C:\Documents and Settings\Mum\Cookies\[email protected][2].txt
       C:\Documents and Settings\Mum\Cookies\[email protected][2].txt
       C:\Documents and Settings\Mum\Cookies\[email protected][2].txt
       C:\Documents and Settings\Mum\Cookies\mum@adknowledge[1].txt
       C:\Documents and Settings\Mum\Cookies\[email protected][2].txt
       C:\Documents and Settings\Mum\Cookies\mum@advertising[2].txt
       C:\Documents and Settings\Mum\Cookies\[email protected][1].txt
       C:\Documents and Settings\Mum\Cookies\[email protected][1].txt
       C:\Documents and Settings\Mum\Cookies\mum@apmebf[1].txt
       C:\Documents and Settings\Mum\Cookies\[email protected][1].txt
       C:\Documents and Settings\Mum\Cookies\mum@atdmt[2].txt
       C:\Documents and Settings\Mum\Cookies\mum@burstnet[2].txt
       C:\Documents and Settings\Mum\Cookies\[email protected][1].txt
       C:\Documents and Settings\Mum\Cookies\mum@casalemedia[2].txt
       C:\Documents and Settings\Mum\Cookies\[email protected][1].txt
       C:\Documents and Settings\Mum\Cookies\mum@doubleclick[1].txt
       C:\Documents and Settings\Mum\Cookies\[email protected][1].txt
       C:\Documents and Settings\Mum\Cookies\mum@fastclick[2].txt
       C:\Documents and Settings\Mum\Cookies\mum@hitbox[1].txt
       C:\Documents and Settings\Mum\Cookies\mum@hypertracker[1].txt
       C:\Documents and Settings\Mum\Cookies\mum@kanoodle[1].txt
       C:\Documents and Settings\Mum\Cookies\mum@maxserving[2].txt
       C:\Documents and Settings\Mum\Cookies\mum@mediaplex[1].txt
       C:\Documents and Settings\Mum\Cookies\[email protected][1].txt
       C:\Documents and Settings\Mum\Cookies\mum@qksrv[2].txt
       C:\Documents and Settings\Mum\Cookies\mum@questionmarket[1].txt
       C:\Documents and Settings\Mum\Cookies\[email protected][2].txt
       C:\Documents and Settings\Mum\Cookies\mum@statcounter[2].txt
       C:\Documents and Settings\Mum\Cookies\[email protected][1].txt
       C:\Documents and Settings\Mum\Cookies\[email protected][2].txt
       C:\Documents and Settings\Mum\Cookies\mum@tacoda[2].txt
       C:\Documents and Settings\Mum\Cookies\[email protected][2].txt
       C:\Documents and Settings\Mum\Cookies\mum@tradedoubler[1].txt
       C:\Documents and Settings\Mum\Cookies\[email protected][1].txt
       C:\Documents and Settings\Mum\Cookies\[email protected][1].txt
       C:\Documents and Settings\Mum\Cookies\[email protected][1].txt
       C:\Documents and Settings\Mum\Cookies\mum@zedo[1].txt
    _______________________________________ __________

    Malwarebytes' Anti-Malware 1.44
    Database version: 3514
    Windows 5.1.2600 Service Pack 3
    Internet Explorer 7.0.5730.13

    08/01/2010 07:44:46
    mbam-log-2010-01-08 (07-44-46).txt

    Scan type: Quick Scan
    Objects scanned: 164065
    Time elapsed: 15 minute(s), 13 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 4
    Registry Values Infected: 2
    Registry Data Items Infected: 9
    Folders Infected: 3
    Files Infected: 4

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_CLASSES_ROOT\TypeLib\{df058c45-cd18-453e-8745-5a77f60722ab} (Adware.Gdown) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{b5a33c35-7298-4d15-8753-a2e851e2eab3} (Adware.Gdown) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{f0d2b812-752d-4af1-a2fb-968c4d8446db} (Adware.Gdown) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{e856b973-45fd-4559-8f82-eab539144667} (Adware.Gdown) -> Quarantined and deleted successfully.

    Registry Values Infected:
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rundll32.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wab (Trojan.Dropper) -> Quarantined and deleted successfully.

    Registry Data Items Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\aux1 (Hijack.Sound) -> Bad: (C:\DOCUME~1\THEGIR~1\APPLIC~1\MACROM~1\Common\fb03a04a1.dll) Good: (wdmaud.drv) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\aux2 (Hijack.Sound) -> Bad: (C:\DOCUME~1\THEGIR~1\APPLIC~1\MACROM~1\Common\fb03a04a1.dll) Good: (wdmaud.drv) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\midi1 (Hijack.Sound) -> Bad: (C:\DOCUME~1\THEGIR~1\APPLIC~1\MACROM~1\Common\fb03a04a1.dll) Good: (wdmaud.drv) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\midi2 (Hijack.Sound) -> Bad: (C:\DOCUME~1\THEGIR~1\APPLIC~1\MACROM~1\Common\fb03a04a1.dll) Good: (wdmaud.drv) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\mixer1 (Hijack.Sound) -> Bad: (C:\DOCUME~1\THEGIR~1\APPLIC~1\MACROM~1\Common\fb03a04a1.dll) Good: (wdmaud.drv) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\mixer2 (Hijack.Sound) -> Bad: (C:\DOCUME~1\THEGIR~1\APPLIC~1\MACROM~1\Common\fb03a04a1.dll) Good: (wdmaud.drv) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\wave1 (Hijack.Sound) -> Bad: (C:\DOCUME~1\THEGIR~1\APPLIC~1\MACROM~1\Common\fb03a04a1.dll) Good: (wdmaud.drv) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\wave2 (Hijack.Sound) -> Bad: (C:\DOCUME~1\THEGIR~1\APPLIC~1\MACROM~1\Common\fb03a04a1.dll) Good: (wdmaud.drv) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue (Hijack.System.Hidden) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.

    Folders Infected:
    C:\Program Files\MyWaySA (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWaySA\SrchAsDe (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWaySA\SrchAsDe\1.bin (Adware.MyWebSearch) -> Quarantined and deleted successfully.

    Files Infected:
    C:\WINDOWS\system32\GTDownDE_87.ocx (Adware.Gdown) -> Quarantined and deleted successfully.
    C:\Documents and Settings\the girl\Application Data\Macromedia\Common\fb03a04a1.dll (Hijack.Sound) -> Quarantined and deleted successfully.
    C:\WINDOWS\msacm32.drv (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\WINDOWS\wuasirvy.dll (Trojan.Banker) -> Quarantined and deleted successfully.
    _______________________________________ __________

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 07:59:02, on 08/01/2010
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16915)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\AVG\AVG9\avgchsvx.exe
    C:\Program Files\AVG\AVG9\avgrsx.exe
    C:\Program Files\AVG\AVG9\avgcsrvx.exe
    C:\WINDOWS\system32\brsvc01a.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\brss01a.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Analog Devices\Core\smax4pnp.exe
    C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
    C:\Program Files\Dell\Media Experience\DMXLauncher.exe
    C:\Program Files\Virgin Broadband Wireless\AffinegyService.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Dell Photo AIO Printer 922\dlbtbmon.exe
    C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
    C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe
    C:\Program Files\Virgin Broadband Wireless\Wireless Manager.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\PROGRA~1\AVG\AVG9\avgtray.exe
    C:\Program Files\AVG\AVG9\avgwdsvc.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINDOWS\system32\Brmfrmps.exe
    C:\Program Files\Dell Support\DSAgnt.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\AVG\AVG9\avgnsx.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\Program Files\Virgin Broadband Wireless\ndis_events.exe
    C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\Windows Live\Toolbar\wltuser.exe
    C:\Program Files\Trend Micro\HijackThis\sniper.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.co.uk/myway
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://bfc.myway.com/search/de_srchlft.html?p=DK
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
    O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
    O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
    O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
    O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
    O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
    O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
    O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [Dell Photo AIO Printer 922] "C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe"
    O4 - HKLM\..\Run: [DLBTCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLBTtime.dll,_RunDLLEntry@16
    O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
    O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
    O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
    O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
    O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
    O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl04a\BrStDvPt.exe
    O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
    O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
    O4 - HKLM\..\Run: [Broadbandadvisor.exe] "C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe" /AUTORUN
    O4 - HKLM\..\Run: [Wireless Manager] "C:\Program Files\Virgin Broadband Wireless\Wireless Manager.exe" startup
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
    O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [EA Core] "C:\Program Files\Electronic Arts\EADM\Core.exe" -silent
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: BTTray.lnk = ?
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O8 - Extra context menu item: Save YouTube Video as MP3 - res://C:\Program Files\Common Files\DVDVideoSoft\Dll\IEContextMenuY.dll/scriptY2MP3.htm
    O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
    O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: AffinegyService - Affinegy, Inc. - C:\Program Files\Virgin Broadband Wireless\AffinegyService.exe
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Brother Industries, Ltd. - C:\WINDOWS\system32\Brmfrmps.exe
    O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
    O23 - Service: dlbt_device - Dell - C:\WINDOWS\system32\dlbtcoms.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
    O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
    O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
    O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe

    --
    End of file - 11648 bytes


    [Saving space, attachment deleted by admin]
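The Malwarebytes and HijackThis logs above are plain text, so a small triage script can pull out the findings that matter before anyone reads 400 lines by hand: the Drivers32 entries that were redirected from wdmaud.drv to a DLL under a user profile, the Run-key autoruns that were removed, the SHOWALL setting that was flipped to hide hidden files, and the HijackThis O2/O9 entries whose target is "(no file)". This is an added example, not code from the thread or from either tool's vendor. The sample lines are copied from the logs in this post; the line-format rules, the function names and the table of expected Drivers32 values (taken from the "Good: (...)" values MBAM reports here) are assumptions of the example, not published specifications.

```python
"""Triage helpers for Malwarebytes (MBAM) and HijackThis (HJT) text logs.

Added example; the regexes and expected-driver table are assumptions
derived from the log lines in this thread, not official formats.
"""
import re

# MBAM registry line: "<key> (<detection>) -> [Bad: (x) Good: (y) -> ]<action>"
MBAM_LINE = re.compile(
    r"^(?P<key>HKEY_\S.*?) \((?P<detection>[A-Za-z0-9.]+)\) -> "
    r"(?:Bad: \((?P<bad>.*?)\) Good: \((?P<good>.*?)\) -> )?(?P<action>.+)$"
)
# HijackThis line: "<section> - <description>"
HJT_LINE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.+)$")

# What Windows XP normally holds under Drivers32 for these aliases
# (assumption, taken from the Good: (...) values MBAM prints in the thread).
EXPECTED_DRIVERS32 = {"aux": "wdmaud.drv", "midi": "wdmaud.drv",
                      "mixer": "wdmaud.drv", "wave": "wdmaud.drv"}

# Constructed sample: a subset of the MBAM log posted in the thread.
MBAM_SAMPLE = r"""
Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rundll32.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wab (Trojan.Dropper) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\aux1 (Hijack.Sound) -> Bad: (C:\DOCUME~1\THEGIR~1\APPLIC~1\MACROM~1\Common\fb03a04a1.dll) Good: (wdmaud.drv) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\midi1 (Hijack.Sound) -> Bad: (C:\DOCUME~1\THEGIR~1\APPLIC~1\MACROM~1\Common\fb03a04a1.dll) Good: (wdmaud.drv) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\wave2 (Hijack.Sound) -> Bad: (C:\DOCUME~1\THEGIR~1\APPLIC~1\MACROM~1\Common\fb03a04a1.dll) Good: (wdmaud.drv) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue (Hijack.System.Hidden) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\msacm32.drv (Trojan.Agent) -> Quarantined and deleted successfully.
""".strip().splitlines()

# Constructed sample: a subset of the HijackThis log posted in the thread.
HJT_SAMPLE = r"""
R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
""".strip().splitlines()


def parse_mbam(lines):
    """One dict per MBAM registry detail line; headings and file lines are skipped."""
    return [m.groupdict() for m in (MBAM_LINE.match(l.strip()) for l in lines) if m]


def drivers32_hijacks(records):
    """(alias, bad_value, expected) for each Drivers32 entry pointing away
    from the expected driver. A sound-driver alias redirected into a user
    profile is loaded by every process that initialises audio: persistence."""
    hits = []
    for r in records:
        m = re.search(r"\\Drivers32\\([a-z]+)(\d*)$", r["key"], re.IGNORECASE)
        if not m:
            continue
        expected = EXPECTED_DRIVERS32.get(m.group(1).lower())
        if expected and (r["bad"] or "").lower() != expected:
            hits.append((m.group(1) + m.group(2), r["bad"], expected))
    return hits


def removed_autoruns(records):
    """Value names MBAM removed from a ...\\CurrentVersion\\Run key."""
    return [r["key"].rsplit("\\", 1)[1] for r in records
            if "\\currentversion\\run\\" in r["key"].lower()]


def hidden_files_disabled(records):
    """True if MBAM found SHOWALL\\CheckedValue set to 0, i.e. the malware
    had disabled the 'show hidden files' option to stay out of sight."""
    return any(r["key"].upper().endswith(r"\SHOWALL\CHECKEDVALUE") and r["bad"] == "0"
               for r in records)


def hjt_orphans(lines):
    """(section, body) for HijackThis entries whose target is '(no file)':
    a registered BHO or button whose DLL is gone, left over after a removal."""
    out = []
    for line in lines:
        m = HJT_LINE.match(line.strip())
        if m and m.group("body").endswith("(no file)"):
            out.append((m.group("section"), m.group("body")))
    return out


if __name__ == "__main__":
    recs = parse_mbam(MBAM_SAMPLE)
    print("Drivers32 hijacks:", drivers32_hijacks(recs))
    print("Removed autoruns:", removed_autoruns(recs))
    print("Hidden files disabled:", hidden_files_disabled(recs))
    print("HJT orphan entries:", hjt_orphans(HJT_SAMPLE))
```

Run it as a script to see the four summaries for the sample, or call the functions on the full logs read from disk with `open(path).read().splitlines()`. The point of keeping the expected-driver table explicit is that a Drivers32 value that is not the stock driver is the finding; the detection name MBAM assigns is secondary, so the same check works on a log from a different scanner.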

    SuperDave

    • Malware Removal Specialist
    • Moderator


    Re: .exe Bad Image issue
    « Reply #1 on: January 08, 2010, 05:42:55 PM »
    Hello sputniked and welcome to Computer Hope Forum. My name is Superdave but you can just call me SD. I will be helping you out with your particular problem on your computer. I am working under the guidance of one of the specialists of this forum, so it may take a bit longer to process your logs.

    1. I will be working on your Malware issues. This may or may not solve other issues you have with your machine.
    2. The fixes are specific to your problem and should only be used for this issue on this machine.
    3. If you don't know or understand something, please don't hesitate to ask.
    4. Please DO NOT run any other tools or scans while I am helping you.
    5. It is important that you reply to this thread. Do not start a new topic.
    6. Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
    7. Absence of symptoms does not mean that everything is clear.

    Quote
    p.s My sister always has her iPod plugged in to shift around films, would it be wise to run all these checks on her iPod aswell?? Her old one had an infection before.
    You can run these scans on the iPod. Since I don't own an iPod, I can't advise you how to do this. I suppose you would just connect the iPod and tell the programs to scan it.

    Norton is a difficult program to remove entirely. Here's a tool to remove all traces.

    Download the Norton Removal Tool (SymNRT) to your desktop.

    Once downloaded please close ALL open browsers, also save any work because this may require a restart.

    * Go to your desktop and double click on the 'Norton_Removal_Tool' and then click Setup.
    * Once open Click Next
    * Accept the license agreement and click Next
    * Type in the letters/numbers that you see into the text box then click Next.
    * Then click Next and the tool will start running.
    * Once finished restart the PC.
    * Delete the 'Norton_Removal_Tool' from your desktop.

    Download Disable/Remove Windows Messenger to the desktop to remove Windows Messenger.

    Do not confuse Windows Messenger with MSN Messenger because they are not the same. Windows Messenger is a frequent cause of popups.

    Unzip the file on the desktop. Open the MessengerDisable.exe and choose the bottom box - Uninstall Windows Messenger and click Apply.

    Exit out of MessengerDisable then delete the two files that were put on the desktop.

    Open HijackThis and select Do a system scan only

    Place a check mark next to the following entries: (if there)

    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe


    Important: Close all open windows except for HijackThis and then click Fix checked.

    Once completed, exit HijackThis.

    Download ComboFix by sUBs from one of the below links.  Be sure to save it to the Desktop.

    link # 1
    link #2

    Close any open web browsers (Firefox, Internet Explorer, etc) before starting ComboFix.

    Temporarily disable your anti-virus, and any anti-spyware real-time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.

    Vista users Right-click combofix.exe and select Run as Administrator and follow the prompts.
    Double-click combofix.exe and follow the prompts.
    When finished, ComboFix will produce a log for you.
    Post the ComboFix log and a new HijackThis log in your next reply.

    NOTE: Do not mouseclick ComboFix's window while it is running. That may cause it to stall.

    Remember to re-enable your anti-virus and anti-spyware protection when ComboFix is complete.


    sputniked

      Re: .exe Bad Image issue
      « Reply #2 on: January 10, 2010, 05:07:16 AM »
      Hi SD, thanks for the help.
      Sorry for the long reply, but here are the logs.
      _______________________________
      ComboFix 10-01-04.01 - the girl 10/01/2010  11:41:48.2.1 - x86
      Microsoft Windows XP Home Edition  5.1.2600.3.1252.1.1033.18.510.133 [GMT 0:00]
      Running from: c:\documents and settings\the girl\Desktop\ComboFix.exe
      AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
      .

      (((((((((((((((((((((((((   Files Created from 2009-12-10 to 2010-01-10  )))))))))))))))))))))))))))))))
      .

      2010-01-08 07:54 . 2010-01-08 07:54   --------   d-----w-   c:\program files\Trend Micro
      2010-01-08 07:27 . 2010-01-08 07:27   --------   d-----w-   c:\documents and settings\the girl\Application Data\Malwarebytes
      2010-01-08 07:27 . 2010-01-07 16:07   38224   ----a-w-   c:\windows\system32\drivers\mbamswissarmy.sys
      2010-01-08 07:27 . 2010-01-08 07:27   --------   d-----w-   c:\documents and settings\All Users\Application Data\Malwarebytes
      2010-01-08 07:27 . 2010-01-08 07:27   --------   d-----w-   c:\program files\Malwarebytes' Anti-Malware
      2010-01-08 07:27 . 2010-01-07 16:07   19160   ----a-w-   c:\windows\system32\drivers\mbam.sys
      2010-01-08 02:20 . 2010-01-08 02:20   --------   d-----w-   c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
      2010-01-08 02:19 . 2010-01-08 02:19   --------   d-----w-   c:\program files\SUPERAntiSpyware
      2010-01-08 02:19 . 2010-01-08 02:19   --------   d-----w-   c:\documents and settings\the girl\Application Data\SUPERAntiSpyware.com
      2010-01-08 02:18 . 2010-01-08 02:18   --------   d-----w-   c:\program files\Common Files\Wise Installation Wizard
      2010-01-08 00:47 . 2010-01-08 00:48   --------   d-----w-   c:\program files\CCleaner
      2010-01-07 19:49 . 2010-01-07 20:44   --------   d-----w-   C:\$AVG
      2010-01-07 19:49 . 2010-01-07 19:49   12464   ----a-w-   c:\windows\system32\avgrsstx.dll
      2010-01-07 19:49 . 2010-01-07 19:49   360584   ----a-w-   c:\windows\system32\drivers\avgtdix.sys
      2010-01-07 19:49 . 2010-01-07 19:49   333192   ----a-w-   c:\windows\system32\drivers\avgldx86.sys
      2010-01-07 19:49 . 2010-01-07 19:49   28424   ----a-w-   c:\windows\system32\drivers\avgmfx86.sys
      2010-01-07 19:49 . 2010-01-10 09:01   --------   d-----w-   c:\windows\system32\drivers\Avg
      2010-01-07 19:49 . 2010-01-07 20:00   --------   d-----w-   c:\documents and settings\All Users\Application Data\AVG Security Toolbar
      2010-01-07 19:48 . 2010-01-07 19:48   --------   d-----w-   c:\program files\AVG
      2010-01-07 19:48 . 2010-01-07 19:48   --------   d-----w-   c:\documents and settings\All Users\Application Data\avg9
      2010-01-07 14:26 . 2010-01-07 14:26   --------   d-----w-   c:\program files\TeaTimer (Spybot - Search & Destroy)
      2010-01-07 14:26 . 2010-01-07 14:26   --------   d-----w-   c:\program files\SDHelper (Spybot - Search & Destroy)
      2010-01-07 14:26 . 2010-01-07 14:26   --------   d-----w-   c:\program files\Misc. Support Library (Spybot - Search & Destroy)
      2010-01-07 14:26 . 2010-01-07 14:26   --------   d-----w-   c:\program files\File Scanner Library (Spybot - Search & Destroy)
      2010-01-03 11:16 . 2010-01-03 11:16   --------   d-----w-   c:\documents and settings\FINANCE OFFICE\Local Settings\Application Data\Adobe
      2009-12-29 14:31 . 2009-12-29 14:31   --------   d-----w-   c:\documents and settings\LocalService\Local Settings\Application Data\Apple
      2009-12-29 11:17 . 2009-12-29 11:17   --------   d-----w-   C:\found.000

      .
      ((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
      .
      2010-01-08 02:21 . 2010-01-08 02:21   52224   ----a-w-   c:\documents and settings\the girl\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
      2010-01-08 02:20 . 2010-01-08 02:20   117760   ----a-w-   c:\documents and settings\the girl\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
      2010-01-08 01:20 . 2007-08-11 21:10   --------   d-----w-   c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
      2010-01-07 23:57 . 2005-08-29 11:00   --------   d-----w-   c:\documents and settings\All Users\Application Data\Viewpoint
      2010-01-07 20:02 . 2009-07-17 17:03   --------   d-----w-   c:\documents and settings\All Users\Application Data\Norton
      2010-01-07 20:02 . 2009-01-15 23:00   --------   d-----w-   c:\program files\Norton Security Scan
      2010-01-07 18:18 . 2009-08-22 21:33   --------   d-----w-   c:\program files\DivX
      2010-01-07 18:09 . 2007-08-11 21:03   --------   d-----w-   c:\program files\Spybot - Search & Destroy
      2010-01-07 17:41 . 2007-08-11 20:45   --------   d-----w-   c:\program files\AVPersonal
      2010-01-07 12:52 . 2009-11-08 10:12   --------   d-----w-   c:\documents and settings\the girl\Application Data\U3
      2010-01-07 12:22 . 2009-06-19 20:17   --------   d-----w-   c:\documents and settings\All Users\Application Data\Electronic Arts
      2010-01-05 14:19 . 2005-08-29 10:57   --------   d--h--w-   c:\program files\InstallShield Installation Information
      2010-01-05 14:16 . 2009-04-21 15:57   --------   d-----w-   c:\documents and settings\All Users\Application Data\Kontiki
      2009-12-30 23:31 . 2009-12-16 21:09   25600   ----a-w-   c:\documents and settings\the girl\Application Data\Macromedia\Common\fb03a04a19.exe
      2009-12-29 14:35 . 2009-12-24 19:58   25600   ----a-w-   c:\documents and settings\LocalService\Application Data\Macromedia\Common\fb03a04a19.exe
      2009-12-29 11:41 . 2009-12-22 20:38   25600   ----a-w-   c:\documents and settings\NetworkService\Application Data\Macromedia\Common\fb03a04a19.exe
      2009-11-26 18:25 . 2009-11-26 18:25   --------   d-----w-   c:\program files\ ContentGenerator.net Fling the Teacher
      2009-11-25 13:01 . 2010-01-07 20:00   1230080   ----a-w-   c:\documents and settings\All Users\Application Data\AVG Security Toolbar\IEToolbar.dll
      2009-11-03 14:37 . 2009-11-03 14:37   79144   -c--a-w-   c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.2.25\SetupAdmin.exe
      2009-10-29 07:46 . 2004-08-10 11:51   832512   ----a-w-   c:\windows\system32\wininet.dll
      2009-10-29 07:46 . 2004-08-10 11:51   78336   ----a-w-   c:\windows\system32\ieencode.dll
      2009-10-29 07:46 . 2004-08-10 11:50   17408   ----a-w-   c:\windows\system32\corpol.dll
      2009-10-21 05:38 . 2004-08-10 11:51   75776   ----a-w-   c:\windows\system32\strmfilt.dll
      2009-10-21 05:38 . 2004-08-10 11:51   25088   ----a-w-   c:\windows\system32\httpapi.dll
      2009-10-20 16:20 . 2004-08-03 22:00   265728   ----a-w-   c:\windows\system32\drivers\http.sys
      2009-10-13 10:30 . 2004-08-10 11:51   270336   ----a-w-   c:\windows\system32\oakley.dll
      2009-10-12 13:38 . 2004-08-10 11:51   149504   ----a-w-   c:\windows\system32\rastls.dll
      2009-10-12 13:38 . 2004-08-10 11:51   79872   ----a-w-   c:\windows\system32\raschap.dll
      2005-08-01 23:08 . 2007-08-11 20:43   13691401   -c--a-w-   c:\program files\PowerDVD6_trial_ENU.exe
      2009-05-01 21:02 . 2009-05-01 21:02   1044480   ----a-w-   c:\program files\mozilla firefox\plugins\libdivx.dll
      2009-05-01 21:02 . 2009-05-01 21:02   200704   ----a-w-   c:\program files\mozilla firefox\plugins\ssldivx.dll
      1999-07-07 00:00 . 2007-08-11 20:30   6   -csha-r-   c:\windows\@@desktop.dat
      .

      (((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
      .
      .
      *Note* empty entries & legit default entries are not shown
      REGEDIT4

      [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
      "{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

      [HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

      [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
      2009-11-25 13:01   1230080   ----a-w-   c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll

      [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
      "{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

      [HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

      [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
      "{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

      [HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

      [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
      "DellSupport"="c:\program files\Dell Support\DSAgnt.exe" [2004-07-19 306688]

      [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
      "SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
      "DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248]
      "DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2004-09-15 86016]
      "ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
      "Dell Photo AIO Printer 922"="c:\program files\Dell Photo AIO Printer 922\dlbtbmgr.exe" [2005-04-22 290816]
      "DLBTCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\DLBTtime.dll" [2004-11-09 69632]
      "IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
      "MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]
      "PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
      "PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
      "BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]
      "igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
      "igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
      "igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]
      "SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-10-14 155648]
      "PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2004-04-14 57393]
      "IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2004-04-14 40960]
      "SetDefPrt"="c:\program files\Brother\Brmfl04a\BrStDvPt.exe" [2004-05-25 49152]
      "ControlCenter2.0"="c:\program files\Brother\ControlCenter2\brctrcen.exe" [2004-07-20 851968]
      "AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-08-13 177440]
      "Broadbandadvisor.exe"="c:\program files\Virgin Broadband\advisor\Broadbandadvisor.exe" [2009-01-29 2303216]
      "Wireless Manager"="c:\program files\Virgin Broadband Wireless\Wireless Manager.exe" [2008-05-26 585728]
      "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-09-18 198160]
      "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-09-05 417792]
      "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-10-28 141600]
      "AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2010-01-07 2033432]

      [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
      "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

      c:\documents and settings\the girl\Start Menu\Programs\Startup\
      Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]

      c:\documents and settings\All Users\Start Menu\Programs\Startup\
      Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]
      Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]

      [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
      "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

      [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
      2009-09-03 14:21   548352   ----a-w-   c:\program files\SUPERAntiSpyware\SASWINLO.dll

      [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
      2010-01-07 19:49   12464   ----a-w-   c:\windows\system32\avgrsstx.dll

      [HKLM\~\startupfolder\C:^Documents and Settings^the girl^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
      path=c:\documents and settings\the girl\Start Menu\Programs\Startup\LimeWire On Startup.lnk
      backup=c:\windows\pss\LimeWire On Startup.lnkStartup

      [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
      "EnableFirewall"= 0 (0x0)

      [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
      "%windir%\\system32\\sessmgr.exe"=
      "c:\\Program Files\\Skype\\Phone\\Skype.exe"=
      "c:\\Program Files\\LimeWire\\LimeWire.exe"=
      "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
      "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
      "c:\\Program Files\\Spotify\\spotify.exe"=
      "c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
      "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
      "c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
      "c:\\Program Files\\iTunes\\iTunes.exe"=
      "c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
      "c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=

      [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
      "8983:TCP"= 8983:TCP:qtkoxvn

      R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [07/01/2010 19:49 333192]
      R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [07/01/2010 19:49 360584]
      R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [05/01/2010 07:56 9968]
      R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [05/01/2010 07:56 74480]
      R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [07/01/2010 19:48 285392]
      R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [05/10/2009 16:33 54752]
      S2 taigdofai;Time Boot;c:\windows\system32\svchost.exe -k netsvcs [10/08/2004 11:51 14336]
      S3 fsssvc;Windows Live Family Safety Service;c:\program files\Windows Live\Family Safety\fsssvc.exe [05/08/2009 21:48 704864]
      S3 lkvptpyxx;lkvptpyxx;\??\c:\windows\system32\01.tmp --> c:\windows\system32\01.tmp [?]
      S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [05/01/2010 07:56 7408]

      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost  - NetSvcs
      taigdofai
      .
      Contents of the 'Scheduled Tasks' folder

      2009-12-29 c:\windows\Tasks\AppleSoftwareUpdate.job
      - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

      2005-09-03 c:\windows\Tasks\ISP signup reminder 1.job
      - c:\windows\system32\OOBE\oobebaln.exe [2004-08-10 00:12]
      .
      .
      ------- Supplementary Scan -------
      .
      uStart Page = hxxp://www.google.co.uk/
      uInternet Settings,ProxyOverride = *.local
      IE: Save YouTube Video as MP3 - c:\program files\Common Files\DVDVideoSoft\Dll\IEContextMenuY.dll/scriptY2MP3.htm
      .

      **************************************************************************

      catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
      Rootkit scan 2010-01-10 11:51
      Windows 5.1.2600 Service Pack 3 NTFS

      scanning hidden processes ... 

      scanning hidden autostart entries ...

      HKLM\Software\Microsoft\Windows\CurrentVersion\Run
        DLBTCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\DLBTtime.dll,_RunDLLEntry@16

      scanning hidden files ... 

      scan completed successfully
      hidden files: 0

      **************************************************************************

      [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\lkvptpyxx]
      "ImagePath"="\??\c:\windows\system32\01.tmp"

      [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\taigdofai]
      "ServiceDll"="c:\windows\system32\oxswx.dll"
      .
      --------------------- DLLs Loaded Under Running Processes ---------------------

      - - - - - - - > 'winlogon.exe'(688)
      c:\program files\SUPERAntiSpyware\SASWINLO.dll
      c:\windows\system32\WININET.dll

      - - - - - - - > 'explorer.exe'(3280)
      c:\windows\system32\WININET.dll
      c:\windows\system32\ieframe.dll
      c:\windows\system32\WPDShServiceObj.dll
      c:\windows\system32\PortableDeviceTypes.dll
      c:\windows\system32\PortableDeviceApi.dll
      .
      Completion time: 2010-01-10  11:58:53
      ComboFix-quarantined-files.txt  2010-01-10 11:58
      ComboFix2.txt  2010-01-09 18:38

      Pre-Run: 94,298,148,864 bytes free
      Post-Run: 94,261,305,344 bytes free

      - - End Of File - - 60D7576C3EAC576EA7670F93FE3F0EB6

      _______________________________________
      Logfile of Trend Micro HijackThis v2.0.2
      Scan saved at 12:06:45, on 10/01/2010
      Platform: Windows XP SP3 (WinNT 5.01.2600)
      MSIE: Internet Explorer v7.00 (7.00.6000.16945)
      Boot mode: Normal

      Running processes:
      C:\WINDOWS\System32\smss.exe
      C:\WINDOWS\system32\winlogon.exe
      C:\WINDOWS\system32\services.exe
      C:\WINDOWS\system32\lsass.exe
      C:\WINDOWS\system32\svchost.exe
      C:\WINDOWS\System32\svchost.exe
      C:\WINDOWS\system32\svchost.exe
      C:\Program Files\AVG\AVG9\avgchsvx.exe
      C:\Program Files\AVG\AVG9\avgrsx.exe
      C:\Program Files\AVG\AVG9\avgcsrvx.exe
      C:\WINDOWS\system32\brss01a.exe
      C:\WINDOWS\system32\spoolsv.exe
      C:\Program Files\Virgin Broadband Wireless\AffinegyService.exe
      C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
      C:\Program Files\AVG\AVG9\avgwdsvc.exe
      C:\Program Files\Bonjour\mDNSResponder.exe
      C:\WINDOWS\system32\Brmfrmps.exe
      C:\Program Files\AVG\AVG9\avgnsx.exe
      C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
      C:\WINDOWS\system32\svchost.exe
      C:\Program Files\Analog Devices\Core\smax4pnp.exe
      C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
      C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
      C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe
      C:\Program Files\Dell Photo AIO Printer 922\dlbtbmon.exe
      C:\WINDOWS\system32\rundll32.exe
      C:\WINDOWS\System32\svchost.exe
      C:\WINDOWS\system32\hkcmd.exe
      C:\WINDOWS\system32\igfxpers.exe
      C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
      C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe
      C:\Program Files\Virgin Broadband Wireless\Wireless Manager.exe
      C:\Program Files\Common Files\Real\Update_OB\realsched.exe
      C:\Program Files\iTunes\iTunesHelper.exe
      C:\PROGRA~1\AVG\AVG9\avgtray.exe
      C:\Program Files\Dell Support\DSAgnt.exe
      C:\Program Files\Digital Line Detect\DLG.exe
      C:\Program Files\iPod\bin\iPodService.exe
      C:\WINDOWS\system32\wuauclt.exe
      C:\WINDOWS\explorer.exe
      C:\WINDOWS\system32\notepad.exe
      C:\Program Files\Internet Explorer\iexplore.exe
      C:\WINDOWS\system32\ctfmon.exe
      C:\Program Files\Windows Live\Toolbar\wltuser.exe
      C:\Program Files\Trend Micro\HijackThis\sniper.exe

      R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
      R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
      R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
      R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
      R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
      R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
      R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
      O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
      O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
      O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
      O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
      O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
      O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
      O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
      O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
      O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
      O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
      O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
      O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
      O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
      O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
      O4 - HKLM\..\Run: [Dell Photo AIO Printer 922] "C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe"
      O4 - HKLM\..\Run: [DLBTCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLBTtime.dll,_RunDLLEntry@16
      O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
      O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
      O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
      O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
      O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
      O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
      O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
      O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
      O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
      O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
      O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
      O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl04a\BrStDvPt.exe
      O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
      O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
      O4 - HKLM\..\Run: [Broadbandadvisor.exe] "C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe" /AUTORUN
      O4 - HKLM\..\Run: [Wireless Manager] "C:\Program Files\Virgin Broadband Wireless\Wireless Manager.exe" startup
      O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
      O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
      O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
      O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
      O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
      O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
      O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
      O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
      O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
      O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
      O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
      O4 - Global Startup: BTTray.lnk = ?
      O4 - Global Startup: Digital Line Detect.lnk = ?
      O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
      O8 - Extra context menu item: Save YouTube Video as MP3 - res://C:\Program Files\Common Files\DVDVideoSoft\Dll\IEContextMenuY.dll/scriptY2MP3.htm
      O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
      O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
      O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
      O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
      O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
      O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
      O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
      O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
      O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
      O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
      O23 - Service: AffinegyService - Affinegy, Inc. - C:\Program Files\Virgin Broadband Wireless\AffinegyService.exe
      O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
      O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
      O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
      O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Brother Industries, Ltd. - C:\WINDOWS\system32\Brmfrmps.exe
      O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
      O23 - Service: dlbt_device - Dell - C:\WINDOWS\system32\dlbtcoms.exe
      O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
      O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
      O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
      O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
      O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - C:\Program Files\WinPcap\rpcapd.exe (file missing)
      O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe

      --
      End of file - 10419 bytes


      SuperDave

      • Malware Removal Specialist
      • Moderator


      • Genius
      • Thanked: 1020
      • Experience: Expert
      • OS: Windows 10
      Re: .exe Bad Image issue
      « Reply #3 on: January 10, 2010, 10:54:38 AM »
      I noticed in your log that you are running a P2P file-sharing program (Limewire) on your computer. While the program itself is probably safe, the files you download with this program are a major source of infections. Therefore, I strongly urge you to uninstall it.

      1. Go to Start > Run > type Notepad.exe and click OK to open Notepad.
      It must be Notepad, not Wordpad.
      2. Copy the text in the below code box by highlighting all the text and pressing Ctrl+C

      Code:
      KillAll::

      File::
      c:\windows\system32\01.tmp


      3. Go to the Notepad window and click Edit > Paste
      4. Then click File > Save
      5. Name the file CFScript.txt - Save the file to your Desktop
      6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!



      ComboFix will begin to execute, just follow the prompts.
      After reboot (in case it asks to reboot), it will produce a log for you.
      Post that log (Combofix.txt) in your next reply.

      Note: Do not mouseclick ComboFix's window while it is running. That may cause your system to freeze.

      ESET Online Scan

      Scan your computer with the ESET FREE Online Virus Scan

      * Click the ESET Online Scanner button.

      * For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
      * Click on the esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop
      * Double click on the esetsmartinstaller_enu.exe icon on your desktop.
      * Place a check mark next to YES, I accept the Terms of Use.

      * Click the Start button.
      * Accept any security warnings from your browser.
      * Leave the check mark next to Remove found threats and place a check next to Scan archives.
      * Click the Start button.
      * ESET will then download updates, install, and begin scanning your computer. Please be patient as this can take some time.
      * When the scan completes, click List of found threats.
      * Next click Export to text file and save the file to your desktop using a name such as ESETScan. Include the contents of this report in your next reply.
      * Click the <<Back button then click Finish.

      In your next reply, please include the ESET Online Scan log.

      Windows 8 and Windows 10 dual boot with two SSD's

      sputniked

        Topic Starter


        Greenhorn

        Re: .exe Bad Image issue
        « Reply #4 on: January 10, 2010, 01:58:58 PM »
        Thank you,
        and yup yup, Limewire's been uninstalled.
        Whilst I was doing the ESET scan my AVG picked up some of the files too; is that ok, or should I usually turn it off when I'm doing these scans?

        Here are the logs:
        _________________________________
        ComboFix 10-01-04.01 - the girl 10/01/2010  18:31:09.3.1 - x86
        Microsoft Windows XP Home Edition  5.1.2600.3.1252.1.1033.18.510.283 [GMT 0:00]
        Running from: c:\documents and settings\the girl\Desktop\ComboFix.exe
        Command switches used :: c:\documents and settings\the girl\Desktop\CFScript.txt
        AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

        FILE ::
        "c:\windows\system32\01.tmp"
        .

        (((((((((((((((((((((((((   Files Created from 2009-12-10 to 2010-01-10  )))))))))))))))))))))))))))))))
        .

        2010-01-08 07:54 . 2010-01-08 07:54   --------   d-----w-   c:\program files\Trend Micro
        2010-01-08 07:27 . 2010-01-08 07:27   --------   d-----w-   c:\documents and settings\the girl\Application Data\Malwarebytes
        2010-01-08 07:27 . 2010-01-07 16:07   38224   ----a-w-   c:\windows\system32\drivers\mbamswissarmy.sys
        2010-01-08 07:27 . 2010-01-08 07:27   --------   d-----w-   c:\documents and settings\All Users\Application Data\Malwarebytes
        2010-01-08 07:27 . 2010-01-08 07:27   --------   d-----w-   c:\program files\Malwarebytes' Anti-Malware
        2010-01-08 07:27 . 2010-01-07 16:07   19160   ----a-w-   c:\windows\system32\drivers\mbam.sys
        2010-01-08 02:20 . 2010-01-08 02:20   --------   d-----w-   c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
        2010-01-08 02:19 . 2010-01-08 02:19   --------   d-----w-   c:\program files\SUPERAntiSpyware
        2010-01-08 02:19 . 2010-01-08 02:19   --------   d-----w-   c:\documents and settings\the girl\Application Data\SUPERAntiSpyware.com
        2010-01-08 02:18 . 2010-01-08 02:18   --------   d-----w-   c:\program files\Common Files\Wise Installation Wizard
        2010-01-08 00:47 . 2010-01-08 00:48   --------   d-----w-   c:\program files\CCleaner
        2010-01-07 19:49 . 2010-01-07 20:44   --------   d-----w-   C:\$AVG
        2010-01-07 19:49 . 2010-01-07 19:49   12464   ----a-w-   c:\windows\system32\avgrsstx.dll
        2010-01-07 19:49 . 2010-01-07 19:49   360584   ----a-w-   c:\windows\system32\drivers\avgtdix.sys
        2010-01-07 19:49 . 2010-01-07 19:49   333192   ----a-w-   c:\windows\system32\drivers\avgldx86.sys
        2010-01-07 19:49 . 2010-01-07 19:49   28424   ----a-w-   c:\windows\system32\drivers\avgmfx86.sys
        2010-01-07 19:49 . 2010-01-10 09:01   --------   d-----w-   c:\windows\system32\drivers\Avg
        2010-01-07 19:49 . 2010-01-07 20:00   --------   d-----w-   c:\documents and settings\All Users\Application Data\AVG Security Toolbar
        2010-01-07 19:48 . 2010-01-07 19:48   --------   d-----w-   c:\program files\AVG
        2010-01-07 19:48 . 2010-01-07 19:48   --------   d-----w-   c:\documents and settings\All Users\Application Data\avg9
        2010-01-07 14:26 . 2010-01-07 14:26   --------   d-----w-   c:\program files\TeaTimer (Spybot - Search & Destroy)
        2010-01-07 14:26 . 2010-01-07 14:26   --------   d-----w-   c:\program files\SDHelper (Spybot - Search & Destroy)
        2010-01-07 14:26 . 2010-01-07 14:26   --------   d-----w-   c:\program files\Misc. Support Library (Spybot - Search & Destroy)
        2010-01-07 14:26 . 2010-01-07 14:26   --------   d-----w-   c:\program files\File Scanner Library (Spybot - Search & Destroy)
        2010-01-03 11:16 . 2010-01-03 11:16   --------   d-----w-   c:\documents and settings\FINANCE OFFICE\Local Settings\Application Data\Adobe
        2009-12-29 14:31 . 2009-12-29 14:31   --------   d-----w-   c:\documents and settings\LocalService\Local Settings\Application Data\Apple
        2009-12-29 11:17 . 2009-12-29 11:17   --------   d-----w-   C:\found.000

        .
        ((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
        .
        2010-01-10 18:04 . 2007-08-11 20:57   --------   d-----w-   c:\program files\LimeWire
        2010-01-08 02:21 . 2010-01-08 02:21   52224   ----a-w-   c:\documents and settings\the girl\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
        2010-01-08 02:20 . 2010-01-08 02:20   117760   ----a-w-   c:\documents and settings\the girl\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
        2010-01-08 01:20 . 2007-08-11 21:10   --------   d-----w-   c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
        2010-01-07 23:57 . 2005-08-29 11:00   --------   d-----w-   c:\documents and settings\All Users\Application Data\Viewpoint
        2010-01-07 20:02 . 2009-07-17 17:03   --------   d-----w-   c:\documents and settings\All Users\Application Data\Norton
        2010-01-07 20:02 . 2009-01-15 23:00   --------   d-----w-   c:\program files\Norton Security Scan
        2010-01-07 18:18 . 2009-08-22 21:33   --------   d-----w-   c:\program files\DivX
        2010-01-07 18:09 . 2007-08-11 21:03   --------   d-----w-   c:\program files\Spybot - Search & Destroy
        2010-01-07 17:41 . 2007-08-11 20:45   --------   d-----w-   c:\program files\AVPersonal
        2010-01-07 12:52 . 2009-11-08 10:12   --------   d-----w-   c:\documents and settings\the girl\Application Data\U3
        2010-01-07 12:22 . 2009-06-19 20:17   --------   d-----w-   c:\documents and settings\All Users\Application Data\Electronic Arts
        2010-01-05 14:19 . 2005-08-29 10:57   --------   d--h--w-   c:\program files\InstallShield Installation Information
        2010-01-05 14:16 . 2009-04-21 15:57   --------   d-----w-   c:\documents and settings\All Users\Application Data\Kontiki
        2009-12-30 23:31 . 2009-12-16 21:09   25600   ----a-w-   c:\documents and settings\the girl\Application Data\Macromedia\Common\fb03a04a19.exe
        2009-12-29 14:35 . 2009-12-24 19:58   25600   ----a-w-   c:\documents and settings\LocalService\Application Data\Macromedia\Common\fb03a04a19.exe
        2009-12-29 11:41 . 2009-12-22 20:38   25600   ----a-w-   c:\documents and settings\NetworkService\Application Data\Macromedia\Common\fb03a04a19.exe
        2009-11-26 18:25 . 2009-11-26 18:25   --------   d-----w-   c:\program files\ ContentGenerator.net Fling the Teacher
        2009-11-25 13:01 . 2010-01-07 20:00   1230080   ----a-w-   c:\documents and settings\All Users\Application Data\AVG Security Toolbar\IEToolbar.dll
        2009-11-03 14:37 . 2009-11-03 14:37   79144   -c--a-w-   c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.2.25\SetupAdmin.exe
        2009-10-29 07:46 . 2004-08-10 11:51   832512   ------w-   c:\windows\system32\wininet.dll
        2009-10-29 07:46 . 2004-08-10 11:51   78336   ----a-w-   c:\windows\system32\ieencode.dll
        2009-10-29 07:46 . 2004-08-10 11:50   17408   ----a-w-   c:\windows\system32\corpol.dll
        2009-10-21 05:38 . 2004-08-10 11:51   75776   ----a-w-   c:\windows\system32\strmfilt.dll
        2009-10-21 05:38 . 2004-08-10 11:51   25088   ----a-w-   c:\windows\system32\httpapi.dll
        2009-10-20 16:20 . 2004-08-03 22:00   265728   ----a-w-   c:\windows\system32\drivers\http.sys
        2009-10-13 10:30 . 2004-08-10 11:51   270336   ----a-w-   c:\windows\system32\oakley.dll
        2005-08-01 23:08 . 2007-08-11 20:43   13691401   -c--a-w-   c:\program files\PowerDVD6_trial_ENU.exe
        2009-05-01 21:02 . 2009-05-01 21:02   1044480   ----a-w-   c:\program files\mozilla firefox\plugins\libdivx.dll
        2009-05-01 21:02 . 2009-05-01 21:02   200704   ----a-w-   c:\program files\mozilla firefox\plugins\ssldivx.dll
        1999-07-07 00:00 . 2007-08-11 20:30   6   -csha-r-   c:\windows\@@desktop.dat
        .

        (((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
        .
        .
        *Note* empty entries & legit default entries are not shown
        REGEDIT4

        [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
        "{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

        [HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

        [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
        2009-11-25 13:01   1230080   ----a-w-   c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll

        [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
        "{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

        [HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

        [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
        "{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

        [HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

        [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
        "DellSupport"="c:\program files\Dell Support\DSAgnt.exe" [2004-07-19 306688]

        [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
        "SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
        "DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248]
        "DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2004-09-15 86016]
        "ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
        "Dell Photo AIO Printer 922"="c:\program files\Dell Photo AIO Printer 922\dlbtbmgr.exe" [2005-04-22 290816]
        "DLBTCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\DLBTtime.dll" [2004-11-09 69632]
        "IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
        "MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]
        "PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
        "PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
        "BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]
        "igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
        "igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
        "igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]
        "SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-10-14 155648]
        "PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2004-04-14 57393]
        "IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2004-04-14 40960]
        "SetDefPrt"="c:\program files\Brother\Brmfl04a\BrStDvPt.exe" [2004-05-25 49152]
        "ControlCenter2.0"="c:\program files\Brother\ControlCenter2\brctrcen.exe" [2004-07-20 851968]
        "AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-08-13 177440]
        "Broadbandadvisor.exe"="c:\program files\Virgin Broadband\advisor\Broadbandadvisor.exe" [2009-01-29 2303216]
        "Wireless Manager"="c:\program files\Virgin Broadband Wireless\Wireless Manager.exe" [2008-05-26 585728]
        "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-09-18 198160]
        "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-09-05 417792]
        "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-10-28 141600]
        "AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2010-01-07 2033432]

        [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
        "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

        c:\documents and settings\the girl\Start Menu\Programs\Startup\
        Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]

        c:\documents and settings\All Users\Start Menu\Programs\Startup\
        Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]
        Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]

        [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
        "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

        [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
        2009-09-03 14:21   548352   ----a-w-   c:\program files\SUPERAntiSpyware\SASWINLO.dll

        [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
        2010-01-07 19:49   12464   ----a-w-   c:\windows\system32\avgrsstx.dll

        [HKLM\~\startupfolder\C:^Documents and Settings^the girl^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
        path=c:\documents and settings\the girl\Start Menu\Programs\Startup\LimeWire On Startup.lnk
        backup=c:\windows\pss\LimeWire On Startup.lnkStartup

        [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
        "%windir%\\system32\\sessmgr.exe"=
        "c:\\Program Files\\Skype\\Phone\\Skype.exe"=
        "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
        "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
        "c:\\Program Files\\Spotify\\spotify.exe"=
        "c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
        "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
        "c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
        "c:\\Program Files\\iTunes\\iTunes.exe"=
        "c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
        "c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=

        [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
        "8983:TCP"= 8983:TCP:qtkoxvn

        R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [07/01/2010 19:49 333192]
        R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [07/01/2010 19:49 360584]
        R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [05/01/2010 07:56 9968]
        R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [05/01/2010 07:56 74480]
        R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [07/01/2010 19:48 285392]
        R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [05/10/2009 16:33 54752]
        S2 taigdofai;Time Boot;c:\windows\system32\svchost.exe -k netsvcs [10/08/2004 11:51 14336]
        S3 fsssvc;Windows Live Family Safety Service;c:\program files\Windows Live\Family Safety\fsssvc.exe [05/08/2009 21:48 704864]
        S3 lkvptpyxx;lkvptpyxx;\??\c:\windows\system32\01.tmp --> c:\windows\system32\01.tmp [?]
        S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [05/01/2010 07:56 7408]

        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost  - NetSvcs
        taigdofai
        .
        Contents of the 'Scheduled Tasks' folder

        2009-12-29 c:\windows\Tasks\AppleSoftwareUpdate.job
        - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

        2005-09-03 c:\windows\Tasks\ISP signup reminder 1.job
        - c:\windows\system32\OOBE\oobebaln.exe [2004-08-10 00:12]
        .
        .
        ------- Supplementary Scan -------
        .
        uStart Page = hxxp://www.google.co.uk/
        uInternet Settings,ProxyOverride = *.local
        IE: Save YouTube Video as MP3 - c:\program files\Common Files\DVDVideoSoft\Dll\IEContextMenuY.dll/scriptY2MP3.htm
        .

        **************************************************************************

        catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
        Rootkit scan 2010-01-10 18:42
        Windows 5.1.2600 Service Pack 3 NTFS

        scanning hidden processes ... 

        scanning hidden autostart entries ...

        HKLM\Software\Microsoft\Windows\CurrentVersion\Run
          DLBTCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\DLBTtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

        scanning hidden files ... 

        scan completed successfully
        hidden files: 0

        **************************************************************************

        [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\lkvptpyxx]
        "ImagePath"="\??\c:\windows\system32\01.tmp"

        [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\taigdofai]
        "ServiceDll"="c:\windows\system32\oxswx.dll"
        .
        --------------------- DLLs Loaded Under Running Processes ---------------------

        - - - - - - - > 'winlogon.exe'(692)
        c:\program files\SUPERAntiSpyware\SASWINLO.dll
        c:\windows\system32\WININET.dll

        - - - - - - - > 'explorer.exe'(3492)
        c:\windows\system32\WININET.dll
        c:\windows\system32\ieframe.dll
        c:\windows\system32\WPDShServiceObj.dll
        c:\windows\system32\PortableDeviceTypes.dll
        c:\windows\system32\PortableDeviceApi.dll
        .
        ------------------------ Other Running Processes ------------------------
        .
        c:\program files\AVG\AVG9\avgchsvx.exe
        c:\program files\AVG\AVG9\avgrsx.exe
        c:\program files\AVG\AVG9\avgcsrvx.exe
        c:\windows\system32\brss01a.exe
        c:\program files\Virgin Broadband Wireless\AffinegyService.exe
        c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
        c:\program files\Bonjour\mDNSResponder.exe
        c:\windows\system32\Brmfrmps.exe
        c:\program files\AVG\AVG9\avgnsx.exe
        c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
        c:\windows\system32\wscntfy.exe
        c:\program files\Dell Photo AIO Printer 922\dlbtbmon.exe
        c:\windows\system32\rundll32.exe
        c:\program files\Digital Line Detect\DLG.exe
        c:\program files\Virgin Broadband Wireless\ndis_events.exe
        c:\program files\iPod\bin\iPodService.exe
        .
        **************************************************************************
        .
        Completion time: 2010-01-10  18:54:40 - machine was rebooted
        ComboFix-quarantined-files.txt  2010-01-10 18:54
        ComboFix2.txt  2010-01-10 11:58
        ComboFix3.txt  2010-01-09 18:38

        Pre-Run: 94,160,637,952 bytes free
        Post-Run: 94,289,895,424 bytes free

        - - End Of File - - AB52F353D01BB92E789C0391A138F638

        ____________________________________

        C:\Documents and Settings\LocalService\Application Data\Macromedia\Common\fb03a04a19.exe   a variant of Win32/Riern.G trojan   cleaned by deleting - quarantined
        C:\Documents and Settings\NetworkService\Application Data\Macromedia\Common\fb03a04a19.exe   a variant of Win32/Riern.G trojan   cleaned by deleting - quarantined
        C:\Documents and Settings\the girl\Application Data\Macromedia\Common\fb03a04a19.exe   a variant of Win32/Riern.G trojan   cleaned by deleting - quarantined
        C:\Documents and Settings\the girl\My Documents\LimeWire\Saved\Florence & The Machine - Lungs - 02 - Rabbit Heart (Raise It Up).mp3   a variant of WMA/TrojanDownloader.GetCodec.gen trojan   cleaned - quarantined
        C:\i386\GTDownDE_87.ocx   probably a variant of Win32/Adware.Agent application   cleaned by deleting - quarantined
        C:\Program Files\DVDVideoSoft\Free Audio CD Burner\icon1045.exe   Win32/Adware.ADON application   deleted - quarantined
        C:\Program Files\Tiscali\Tiscali Internet\dlls\InstallDialer.exe   a variant of Win32/Injector.AHE trojan   deleted - quarantined
        C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP10\A0026149.exe   a variant of Win32/Riern.G trojan   cleaned by deleting - quarantined
        C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP10\A0026157.dll   a variant of Win32/Riern.D trojan   cleaned by deleting - quarantined
        C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP16\A0033451.exe   Win32/Adware.ADON application   deleted - quarantined
        C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP2\A0002018.exe   a variant of Win32/Riern.H trojan   cleaned by deleting - quarantined
        C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP2\A0003010.exe   a variant of Win32/Riern.H trojan   cleaned by deleting - quarantined
        C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP2\A0003020.exe   a variant of Win32/Riern.H trojan   cleaned by deleting - quarantined
        C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP2\A0003030.exe   a variant of Win32/Riern.H trojan   cleaned by deleting - quarantined
        C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP20\A0040803.ocx   probably a variant of Win32/Adware.Agent application   cleaned by deleting - quarantined
        C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP23\A0044233.exe   a variant of Win32/Riern.G trojan   cleaned by deleting - quarantined
        C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP23\A0044234.exe   a variant of Win32/Riern.G trojan   cleaned by deleting - quarantined
        C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP23\A0044235.exe   a variant of Win32/Riern.G trojan   cleaned by deleting - quarantined
        C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP23\A0044236.ocx   probably a variant of Win32/Adware.Agent application   cleaned by deleting - quarantined
        C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP23\A0044237.exe   Win32/Adware.ADON application   deleted - quarantined
        C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP23\A0044238.exe   a variant of Win32/Injector.AHE trojan   deleted - quarantined
        C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP3\A0004030.exe   a variant of Win32/Riern.H trojan   cleaned by deleting - quarantined
        C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP3\A0004068.exe   a variant of Win32/Riern.H trojan   cleaned by deleting - quarantined
        C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP3\A0005067.exe   a variant of Win32/Riern.H trojan   cleaned by deleting - quarantined
        C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP3\A0006068.exe   a variant of Win32/Riern.H trojan   cleaned by deleting - quarantined
        C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP3\A0007068.exe   a variant of Win32/Riern.H trojan   cleaned by deleting - quarantined
        C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP3\A0008068.exe   a variant of Win32/Riern.H trojan   cleaned by deleting - quarantined
        C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP3\A0009068.exe   a variant of Win32/Riern.H trojan   cleaned by deleting - quarantined
        C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP4\A0009073.exe   a variant of Win32/Riern.H trojan   cleaned by deleting - quarantined
        C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP4\A0010068.exe   a variant of Win32/Riern.H trojan   cleaned by deleting - quarantined
        C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP5\A0010071.exe   a variant of Win32/Riern.H trojan   cleaned by deleting - quarantined
        C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP5\A0010072.dll   Win32/Riern.A trojan   cleaned by deleting - quarantined
        C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP7\A0018132.dll   a variant of Win32/Riern.D trojan   cleaned by deleting - quarantined
        C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP9\A0022153.dll   a variant of Win32/Riern.D trojan   cleaned by deleting - quarantined
        C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP9\A0023149.exe   a variant of Win32/Riern.G trojan   cleaned by deleting - quarantined
        C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP9\A0024149.exe   a variant of Win32/Riern.G trojan   cleaned by deleting - quarantined
        C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP9\A0024154.exe   a variant of Win32/Riern.G trojan   cleaned by deleting - quarantined

        SuperDave

        • Malware Removal Specialist
        • Moderator


        • Genius
        • Thanked: 1020
        • Experience: Expert
        • OS: Windows 10
        Re: .exe Bad Image issue
        « Reply #5 on: January 11, 2010, 07:52:15 PM »
        Quote
        Whilst I was doing the ESET scan my AVG picked up some of the files too; is that ok, or should I usually turn it off when I'm doing these scans?
        No. I will notify you when you have to disable your AV and or Firewall such as when you run ComboFix.

        I noticed in your HJT log that you are running a P2P file-sharing program (Limewire) on your computer. While the program itself is probably safe, the files you download with this program are a major source of infections. Therefore, I strongly urge you to uninstall it.
        As you can see from the ESET scan you were infected by one of those files you downloaded.


        1. Go to Start > Run > type Notepad.exe and click OK to open Notepad.
        It must be Notepad, not Wordpad.
        2. Copy the text in the below code box by highlighting all the text and pressing Ctrl+C

        Code:
        KillAll::

        Folder::
        C:\found.000

        Driver::
        lkvptpyxx


        3. Go to the Notepad window and click Edit > Paste
        4. Then click File > Save
        5. Name the file CFScript.txt - Save the file to your Desktop
        6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!



        ComboFix will begin to execute, just follow the prompts.
        After reboot (in case it asks to reboot), it will produce a log for you.
        Post that log (Combofix.txt) in your next reply.

        Note: Do not mouseclick ComboFix's window while it is running. That may cause your system to freeze.

        Windows 8 and Windows 10 dual boot with two SSD's
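        An added example (not ComboFix's code and not SuperDave's own method) showing how the three indicators he acted on in the log above can be picked out programmatically: a driver whose image is a .tmp file under system32 (lkvptpyxx), a svchost-hosted service with an unfamiliar name and ServiceDll (taigdofai), and the chkdsk found.000 folder. The sample lines are copied from the posted ComboFix log; the detection rules and the partial netsvcs allowlist are assumptions for illustration, and the script only drafts the same CFScript directives used in the two replies above for a human to review.

```python
"""Triage a ComboFix log excerpt and draft CFScript directives for the hits.

Added example for this thread (not ComboFix's or SuperDave's code).  The rules
are heuristics matching the indicators in the posted log; every hit still needs
a human look before it is scripted.
"""
import re
from dataclasses import dataclass, field

# Constructed excerpt: these lines are copied from the ComboFix log posted above.
SAMPLE_LOG = r"""
2009-12-29 11:17 . 2009-12-29 11:17   --------   d-----w-   C:\found.000
2010-01-07 19:49 . 2010-01-07 19:49   12464   ----a-w-   c:\windows\system32\avgrsstx.dll
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [07/01/2010 19:48 285392]
S2 taigdofai;Time Boot;c:\windows\system32\svchost.exe -k netsvcs [10/08/2004 11:51 14336]
S3 lkvptpyxx;lkvptpyxx;\??\c:\windows\system32\01.tmp --> c:\windows\system32\01.tmp [?]
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\taigdofai]
"ServiceDll"="c:\windows\system32\oxswx.dll"
"""

# Partial, illustrative allowlist (an assumption, not a specification) of service
# names that legitimately live in "svchost.exe -k netsvcs" on Windows XP.  Any
# netsvcs member not listed here is reported for manual review.
KNOWN_NETSVCS = {
    "appmgmt", "audiosrv", "bits", "browser", "cryptsvc", "ersvc", "eventsystem",
    "helpsvc", "lanmanserver", "lanmanworkstation", "netman", "nla", "rasman",
    "schedule", "seclogon", "sens", "sharedaccess", "shellhwdetection", "themes",
    "trkwks", "w32time", "winmgmt", "wscsvc", "wuauserv", "xmlprov",
}

# "R2 name;display;image [date size]"  /  "S3 name;name;\??\path --> path [?]"
SERVICE_RE = re.compile(r"^(?P<start>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.*)$")
# "Files Created" / "Find3M" rows: two timestamps, size, attributes, then the path
FILE_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} \. .*?\s+(?P<path>[A-Za-z]:\\.*)$")
# Registry dump near the end of the log, which names the DLL behind a svchost service
REG_KEY_RE = re.compile(r"^\[HKEY_LOCAL_MACHINE\\System\\ControlSet\d+\\Services\\(?P<name>[^\]]+)\]$", re.I)
SERVICE_DLL_RE = re.compile(r'^"ServiceDll"="(?P<dll>[^"]+)"$', re.I)


@dataclass
class Finding:
    kind: str     # driver_tmp_image | svchost_unknown | chkdsk_folder
    subject: str  # service name or path
    detail: str


@dataclass
class Triage:
    findings: list = field(default_factory=list)
    files: list = field(default_factory=list)    # -> File::
    folders: list = field(default_factory=list)  # -> Folder::
    drivers: list = field(default_factory=list)  # -> Driver::


def _image_from_rest(rest: str) -> str:
    """Reduce the tail of an Rx/Sx line to the image path ComboFix resolved."""
    if " --> " in rest:                       # prefer the resolved path after "-->"
        rest = rest.split(" --> ", 1)[1]
    return re.sub(r"\s*\[[^\]]*\]\s*$", "", rest).strip()   # drop "[date size]" / "[?]"


def triage(log_text: str) -> Triage:
    t = Triage()
    services, service_dll, current_key = [], {}, None
    for line in log_text.splitlines():
        line = line.strip()
        if m := REG_KEY_RE.match(line):
            current_key = m["name"].lower()
        elif current_key and (m := SERVICE_DLL_RE.match(line)):
            service_dll[current_key] = m["dll"]
        elif m := SERVICE_RE.match(line):
            services.append((m["name"], m["display"], _image_from_rest(m["rest"])))
        elif (m := FILE_RE.match(line)) and re.search(r"\\found\.\d{3}$", m["path"], re.I):
            # chkdsk recovery folder: orphaned fragments, nothing worth keeping
            t.findings.append(Finding("chkdsk_folder", m["path"], "chkdsk recovery folder"))
            t.folders.append(m["path"])
    # Services are judged after the loop because the ServiceDll dump comes last in the log.
    for name, display, image in services:
        low = image.lower()
        if low.endswith(".tmp"):              # a driver backed by a .tmp file is never legitimate
            t.findings.append(Finding("driver_tmp_image", name, f"image is a .tmp file: {image}"))
            t.drivers.append(name)
            t.files.append(image)
        elif "svchost.exe -k" in low and name.lower() not in KNOWN_NETSVCS:
            dll = service_dll.get(name.lower(), "<ServiceDll not in log>")
            t.findings.append(Finding("svchost_unknown", name,
                                      f"netsvcs member '{display}' backed by {dll}; review by hand"))
    return t


def build_cfscript(t: Triage) -> str:
    """Render the directives SuperDave used above (KillAll::, File::, Folder::, Driver::)."""
    out = ["KillAll::", ""]
    for header, items in (("File::", t.files), ("Folder::", t.folders), ("Driver::", t.drivers)):
        if items:
            out += [header, *items, ""]
    return "\n".join(out).rstrip("\n") + "\n"


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for f in result.findings:
        print(f"[{f.kind}] {f.subject}: {f.detail}")
    print(build_cfscript(result))
```

The svchost finding is reported but deliberately not turned into a directive, since a wrongly removed netsvcs member can break the system.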

        sputniked

          Topic Starter


          Greenhorn

          Re: .exe Bad Image issue
          « Reply #6 on: January 12, 2010, 05:56:26 AM »
          Gah, sorry, I'd uninstalled Limewire but forgot about the leftover files.
          Here's the log:

          ComboFix 10-01-11.03 - the girl 12/01/2010  12:30:59.4.1 - x86
          Microsoft Windows XP Home Edition  5.1.2600.3.1252.1.1033.18.510.209 [GMT 0:00]
          Running from: c:\documents and settings\the girl\Desktop\ComboFix.exe
          Command switches used :: c:\documents and settings\the girl\Desktop\CFScript.txt
          AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
          .

          (((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
          .

          C:\found.000
          c:\found.000\file0000.chk
          c:\windows\$NtUninstallKB922582$
          c:\windows\$NtUninstallKB922582$\fltlib.dll
          c:\windows\$NtUninstallKB922582$\fltmc.exe
          c:\windows\$NtUninstallKB922582$\fltmgr.sys
          c:\windows\$NtUninstallKB922582$\spuninst\spuninst.exe
          c:\windows\$NtUninstallKB922582$\spuninst\spuninst.inf
          c:\windows\$NtUninstallKB922582$\spuninst\spuninst.txt
          c:\windows\$NtUninstallKB922582$\spuninst\updspapi.dll

          .
          (((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
          .

          -------\Service_lkvptpyxx


          (((((((((((((((((((((((((   Files Created from 2009-12-12 to 2010-01-12  )))))))))))))))))))))))))))))))
          .

          2010-01-10 19:01 . 2010-01-10 19:01   --------   d-----w-   c:\program files\ESET
          2010-01-08 07:54 . 2010-01-08 07:54   --------   d-----w-   c:\program files\Trend Micro
          2010-01-08 07:27 . 2010-01-08 07:27   --------   d-----w-   c:\documents and settings\the girl\Application Data\Malwarebytes
          2010-01-08 07:27 . 2010-01-07 16:07   38224   ----a-w-   c:\windows\system32\drivers\mbamswissarmy.sys
          2010-01-08 07:27 . 2010-01-08 07:27   --------   d-----w-   c:\documents and settings\All Users\Application Data\Malwarebytes
          2010-01-08 07:27 . 2010-01-08 07:27   --------   d-----w-   c:\program files\Malwarebytes' Anti-Malware
          2010-01-08 07:27 . 2010-01-07 16:07   19160   ----a-w-   c:\windows\system32\drivers\mbam.sys
          2010-01-08 02:20 . 2010-01-08 02:20   --------   d-----w-   c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
          2010-01-08 02:19 . 2010-01-08 02:19   --------   d-----w-   c:\program files\SUPERAntiSpyware
          2010-01-08 02:19 . 2010-01-08 02:19   --------   d-----w-   c:\documents and settings\the girl\Application Data\SUPERAntiSpyware.com
          2010-01-08 02:18 . 2010-01-08 02:18   --------   d-----w-   c:\program files\Common Files\Wise Installation Wizard
          2010-01-08 00:47 . 2010-01-08 00:48   --------   d-----w-   c:\program files\CCleaner
          2010-01-07 19:49 . 2010-01-07 20:44   --------   d-----w-   C:\$AVG
          2010-01-07 19:49 . 2010-01-07 19:49   12464   ----a-w-   c:\windows\system32\avgrsstx.dll
          2010-01-07 19:49 . 2010-01-07 19:49   360584   ----a-w-   c:\windows\system32\drivers\avgtdix.sys
          2010-01-07 19:49 . 2010-01-07 19:49   333192   ----a-w-   c:\windows\system32\drivers\avgldx86.sys
          2010-01-07 19:49 . 2010-01-07 19:49   28424   ----a-w-   c:\windows\system32\drivers\avgmfx86.sys
          2010-01-07 19:49 . 2010-01-12 10:28   --------   d-----w-   c:\windows\system32\drivers\Avg
          2010-01-07 19:49 . 2010-01-07 20:00   --------   d-----w-   c:\documents and settings\All Users\Application Data\AVG Security Toolbar
          2010-01-07 19:48 . 2010-01-07 19:48   --------   d-----w-   c:\program files\AVG
          2010-01-07 19:48 . 2010-01-07 19:48   --------   d-----w-   c:\documents and settings\All Users\Application Data\avg9
          2010-01-07 14:26 . 2010-01-07 14:26   --------   d-----w-   c:\program files\TeaTimer (Spybot - Search & Destroy)
          2010-01-07 14:26 . 2010-01-07 14:26   --------   d-----w-   c:\program files\SDHelper (Spybot - Search & Destroy)
          2010-01-07 14:26 . 2010-01-07 14:26   --------   d-----w-   c:\program files\Misc. Support Library (Spybot - Search & Destroy)
          2010-01-07 14:26 . 2010-01-07 14:26   --------   d-----w-   c:\program files\File Scanner Library (Spybot - Search & Destroy)
          2010-01-03 11:16 . 2010-01-03 11:16   --------   d-----w-   c:\documents and settings\FINANCE OFFICE\Local Settings\Application Data\Adobe
          2009-12-29 14:31 . 2009-12-29 14:31   --------   d-----w-   c:\documents and settings\LocalService\Local Settings\Application Data\Apple

          .
          ((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
          .
          2010-01-08 02:21 . 2010-01-08 02:21   52224   ----a-w-   c:\documents and settings\the girl\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
          2010-01-08 02:20 . 2010-01-08 02:20   117760   ----a-w-   c:\documents and settings\the girl\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
          2010-01-08 01:20 . 2007-08-11 21:10   --------   d-----w-   c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
          2010-01-07 23:57 . 2005-08-29 11:00   --------   d-----w-   c:\documents and settings\All Users\Application Data\Viewpoint
          2010-01-07 20:02 . 2009-07-17 17:03   --------   d-----w-   c:\documents and settings\All Users\Application Data\Norton
          2010-01-07 20:02 . 2009-01-15 23:00   --------   d-----w-   c:\program files\Norton Security Scan
          2010-01-07 18:18 . 2009-08-22 21:33   --------   d-----w-   c:\program files\DivX
          2010-01-07 18:09 . 2007-08-11 21:03   --------   d-----w-   c:\program files\Spybot - Search & Destroy
          2010-01-07 17:41 . 2007-08-11 20:45   --------   d-----w-   c:\program files\AVPersonal
          2010-01-07 12:52 . 2009-11-08 10:12   --------   d-----w-   c:\documents and settings\the girl\Application Data\U3
          2010-01-07 12:22 . 2009-06-19 20:17   --------   d-----w-   c:\documents and settings\All Users\Application Data\Electronic Arts
          2010-01-05 14:19 . 2005-08-29 10:57   --------   d--h--w-   c:\program files\InstallShield Installation Information
          2010-01-05 14:16 . 2009-04-21 15:57   --------   d-----w-   c:\documents and settings\All Users\Application Data\Kontiki
          2009-11-26 18:25 . 2009-11-26 18:25   --------   d-----w-   c:\program files\ ContentGenerator.net Fling the Teacher
          2009-11-25 13:01 . 2010-01-07 20:00   1230080   ----a-w-   c:\documents and settings\All Users\Application Data\AVG Security Toolbar\IEToolbar.dll
          2009-11-03 14:37 . 2009-11-03 14:37   79144   -c--a-w-   c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.2.25\SetupAdmin.exe
          2009-10-29 07:46 . 2004-08-10 11:51   832512   ------w-   c:\windows\system32\wininet.dll
          2009-10-29 07:46 . 2004-08-10 11:51   78336   ----a-w-   c:\windows\system32\ieencode.dll
          2009-10-29 07:46 . 2004-08-10 11:50   17408   ----a-w-   c:\windows\system32\corpol.dll
          2009-10-21 05:38 . 2004-08-10 11:51   75776   ----a-w-   c:\windows\system32\strmfilt.dll
          2009-10-21 05:38 . 2004-08-10 11:51   25088   ----a-w-   c:\windows\system32\httpapi.dll
          2009-10-20 16:20 . 2004-08-03 22:00   265728   ----a-w-   c:\windows\system32\drivers\http.sys
          2005-08-01 23:08 . 2007-08-11 20:43   13691401   -c--a-w-   c:\program files\PowerDVD6_trial_ENU.exe
          2009-05-01 21:02 . 2009-05-01 21:02   1044480   ----a-w-   c:\program files\mozilla firefox\plugins\libdivx.dll
          2009-05-01 21:02 . 2009-05-01 21:02   200704   ----a-w-   c:\program files\mozilla firefox\plugins\ssldivx.dll
          1999-07-07 00:00 . 2007-08-11 20:30   6   -csha-r-   c:\windows\@@desktop.dat
          .

          (((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
          .
          .
          *Note* empty entries & legit default entries are not shown
          REGEDIT4

          [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
          "{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

          [HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

          [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
          2009-11-25 13:01   1230080   ----a-w-   c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll

          [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
          "{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

          [HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

          [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
          "{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

          [HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

          [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
          "DellSupport"="c:\program files\Dell Support\DSAgnt.exe" [2004-07-19 306688]

          [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
          "SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
          "DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248]
          "DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2004-09-15 86016]
          "ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
          "Dell Photo AIO Printer 922"="c:\program files\Dell Photo AIO Printer 922\dlbtbmgr.exe" [2005-04-22 290816]
          "DLBTCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\DLBTtime.dll" [2004-11-09 69632]
          "IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
          "MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]
          "PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
          "PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
          "BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]
          "igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
          "igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
          "igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]
          "SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-10-14 155648]
          "PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2004-04-14 57393]
          "IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2004-04-14 40960]
          "SetDefPrt"="c:\program files\Brother\Brmfl04a\BrStDvPt.exe" [2004-05-25 49152]
          "ControlCenter2.0"="c:\program files\Brother\ControlCenter2\brctrcen.exe" [2004-07-20 851968]
          "AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-08-13 177440]
          "Broadbandadvisor.exe"="c:\program files\Virgin Broadband\advisor\Broadbandadvisor.exe" [2009-01-29 2303216]
          "Wireless Manager"="c:\program files\Virgin Broadband Wireless\Wireless Manager.exe" [2008-05-26 585728]
          "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-09-18 198160]
          "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-09-05 417792]
          "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-10-28 141600]
          "AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2010-01-07 2033432]

          [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
          "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

          c:\documents and settings\the girl\Start Menu\Programs\Startup\
          Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]

          c:\documents and settings\All Users\Start Menu\Programs\Startup\
          Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]
          Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]

          [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
          "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

          [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
          2009-09-03 14:21   548352   ----a-w-   c:\program files\SUPERAntiSpyware\SASWINLO.dll

          [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
          2010-01-07 19:49   12464   ----a-w-   c:\windows\system32\avgrsstx.dll

          [HKLM\~\startupfolder\C:^Documents and Settings^the girl^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
          path=c:\documents and settings\the girl\Start Menu\Programs\Startup\LimeWire On Startup.lnk
          backup=c:\windows\pss\LimeWire On Startup.lnkStartup

          [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
          "%windir%\\system32\\sessmgr.exe"=
          "c:\\Program Files\\Skype\\Phone\\Skype.exe"=
          "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
          "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
          "c:\\Program Files\\Spotify\\spotify.exe"=
          "c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
          "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
          "c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
          "c:\\Program Files\\iTunes\\iTunes.exe"=
          "c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
          "c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=

          [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
          "8983:TCP"= 8983:TCP:qtkoxvn

          R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [07/01/2010 19:49 333192]
          R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [07/01/2010 19:49 360584]
          R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [05/01/2010 07:56 9968]
          R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [05/01/2010 07:56 74480]
          R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [07/01/2010 19:48 285392]
          R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [05/10/2009 16:33 54752]
          S2 taigdofai;Time Boot;c:\windows\system32\svchost.exe -k netsvcs [10/08/2004 11:51 14336]
          S3 fsssvc;Windows Live Family Safety Service;c:\program files\Windows Live\Family Safety\fsssvc.exe [05/08/2009 21:48 704864]
          S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [05/01/2010 07:56 7408]

          HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost  - NetSvcs
          taigdofai
          .
          Contents of the 'Scheduled Tasks' folder

          2009-12-29 c:\windows\Tasks\AppleSoftwareUpdate.job
          - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

          2005-09-03 c:\windows\Tasks\ISP signup reminder 1.job
          - c:\windows\system32\OOBE\oobebaln.exe [2004-08-10 00:12]
          .
          .
          ------- Supplementary Scan -------
          .
          uStart Page = hxxp://www.google.co.uk/
          uInternet Settings,ProxyOverride = *.local
          IE: Save YouTube Video as MP3 - c:\program files\Common Files\DVDVideoSoft\Dll\IEContextMenuY.dll/scriptY2MP3.htm
          .

          **************************************************************************

          catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
          Rootkit scan 2010-01-12 12:42
          Windows 5.1.2600 Service Pack 3 NTFS

          scanning hidden processes ... 

          scanning hidden autostart entries ...

          HKLM\Software\Microsoft\Windows\CurrentVersion\Run
            DLBTCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\DLBTtime.dll,_RunDLLEntry@16

          scanning hidden files ... 

          scan completed successfully
          hidden files: 0

          **************************************************************************

          [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\taigdofai]
          "ServiceDll"="c:\windows\system32\oxswx.dll"
          .
          --------------------- DLLs Loaded Under Running Processes ---------------------

          - - - - - - - > 'winlogon.exe'(696)
          c:\program files\SUPERAntiSpyware\SASWINLO.dll
          c:\windows\system32\WININET.dll

          - - - - - - - > 'explorer.exe'(2948)
          c:\windows\system32\WININET.dll
          c:\windows\system32\ieframe.dll
          c:\windows\system32\WPDShServiceObj.dll
          c:\windows\system32\PortableDeviceTypes.dll
          c:\windows\system32\PortableDeviceApi.dll
          .
          ------------------------ Other Running Processes ------------------------
          .
          c:\program files\AVG\AVG9\avgchsvx.exe
          c:\program files\AVG\AVG9\avgrsx.exe
          c:\program files\AVG\AVG9\avgcsrvx.exe
          c:\windows\system32\brss01a.exe
          c:\program files\Virgin Broadband Wireless\AffinegyService.exe
          c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
          c:\program files\Bonjour\mDNSResponder.exe
          c:\windows\system32\Brmfrmps.exe
          c:\program files\AVG\AVG9\avgnsx.exe
          c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
          c:\windows\system32\wscntfy.exe
          c:\program files\Dell Photo AIO Printer 922\dlbtbmon.exe
          c:\windows\system32\rundll32.exe
          c:\program files\Digital Line Detect\DLG.exe
          c:\program files\Virgin Broadband Wireless\ndis_events.exe
          c:\program files\iPod\bin\iPodService.exe
          .
          **************************************************************************
          .
          Completion time: 2010-01-12  12:53:04 - machine was rebooted
          ComboFix-quarantined-files.txt  2010-01-12 12:53
          ComboFix2.txt  2010-01-10 18:54
          ComboFix3.txt  2010-01-10 11:58
          ComboFix4.txt  2010-01-09 18:38

          Pre-Run: 100,530,651,136 bytes free
          Post-Run: 100,609,081,344 bytes free

          - - End Of File - - AC3DE2901A7A39C7CF93C4BF8EA6AA4B
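An added triage example, not part of the thread and not ComboFix's own code: a Python script that reads the lines from the log above that a helper looks at first, links the svchost-hosted service `taigdofai` (the "Time Boot" entry) to its ServiceDll, reads the GloballyOpenPorts entry, and flags labels that look generated rather than chosen. The vowel-ratio heuristic is my own assumption and is noisy on vendor abbreviations, so it is only applied to labels that should be descriptive.

```python
import re
from collections import namedtuple

# Constructed sample: a subset of the lines from the ComboFix log posted above
# (Reply #6), kept verbatim so the parser runs against the real format.
SAMPLE_LOG = r"""
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [07/01/2010 19:49 333192]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [07/01/2010 19:48 285392]
S2 taigdofai;Time Boot;c:\windows\system32\svchost.exe -k netsvcs [10/08/2004 11:51 14336]
S3 fsssvc;Windows Live Family Safety Service;c:\program files\Windows Live\Family Safety\fsssvc.exe [05/08/2009 21:48 704864]
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8983:TCP"= 8983:TCP:qtkoxvn
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\taigdofai]
"ServiceDll"="c:\windows\system32\oxswx.dll"
"""

# "S2 name;display;image [date size]" lines from the Drivers/Services block.
SERVICE_RE = re.compile(r'^([RS]\d) ([^;]+);([^;]*);(.+?) \[')
# "[...\Services\<name>]" registry key headers that precede a ServiceDll value.
SERVICE_KEY_RE = re.compile(r'^\[.*\\Services\\([^\]\\]+)\]$', re.IGNORECASE)
DLL_RE = re.compile(r'^"ServiceDll"="(.+)"$', re.IGNORECASE)
# Firewall GloballyOpenPorts entries: "8983:TCP"= 8983:TCP:<label>
PORT_RE = re.compile(r'^"(\d+):(TCP|UDP)"=\s*\d+:(?:TCP|UDP):(\S+)$')

Finding = namedtuple('Finding', 'kind subject reasons')


def looks_random(token):
    """Heuristic (my assumption, not a ComboFix rule): a label with very few
    vowels or a long consonant run is likely generated rather than chosen.
    Noisy on vendor abbreviations, so only apply it to labels that should be
    descriptive (a ServiceDll file name, a firewall rule label)."""
    letters = re.sub(r'[^a-z]', '', token.lower())
    if len(letters) < 5:
        return False
    vowels = sum(c in 'aeiouy' for c in letters)
    if vowels / len(letters) < 0.25:
        return True
    return re.search(r'[^aeiouy]{4,}', letters) is not None


def parse_log(text):
    """Collect services, ServiceDll values keyed by service name, and open ports."""
    services, service_dll, ports = {}, {}, []
    current_key = None
    for raw in text.splitlines():
        line = raw.strip()
        m = SERVICE_RE.match(line)
        if m:
            services[m.group(2)] = {'start': m.group(1), 'display': m.group(3), 'image': m.group(4)}
            continue
        m = SERVICE_KEY_RE.match(line)
        if m:
            current_key = m.group(1)
            continue
        m = DLL_RE.match(line)
        if m and current_key:
            service_dll[current_key] = m.group(1)
            continue
        m = PORT_RE.match(line)
        if m:
            ports.append((int(m.group(1)), m.group(2), m.group(3)))
    return services, service_dll, ports


def triage(text):
    """Return the findings an analyst should look at first."""
    services, service_dll, ports = parse_log(text)
    findings = []
    for name, svc in services.items():
        if 'svchost.exe' not in svc['image'].lower():
            continue  # runs its own binary; out of scope for this check
        reasons = []
        dll = service_dll.get(name)
        if dll is None:
            reasons.append('svchost-hosted but no ServiceDll recorded')
        else:
            base = dll.rsplit('\\', 1)[-1]
            if '\\windows\\system32\\' not in dll.lower():
                reasons.append(f'ServiceDll outside system32: {dll}')
            if looks_random(base.rsplit('.', 1)[0]):
                reasons.append(f'random-looking ServiceDll name: {base}')
        if reasons:
            findings.append(Finding('service', name, reasons))
    for port, proto, label in ports:
        if looks_random(label):
            findings.append(Finding('port', f'{port}/{proto}', [f'random-looking rule label: {label}']))
    return findings


if __name__ == '__main__':
    for f in triage(SAMPLE_LOG):
        print(f.kind, f.subject, '; '.join(f.reasons))
```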

          SuperDave

          • Malware Removal Specialist
          • Moderator


          • Genius
          • Thanked: 1020
          • Experience: Expert
          • OS: Windows 10
          Re: .exe Bad Image issue
          « Reply #7 on: January 13, 2010, 07:15:12 AM »
          Download DeFogger by jpshortstuff and save it to your desktop.
           
          * Double click DeFogger.exe to run the tool.
          * The application window will appear.
          * Click the Disable button to disable your CD Emulation drivers
          * Click Yes to continue.
          * A 'Finished!' message will appear.
          * Click OK.
          * DeFogger will now ask to reboot the machine...click OK.
           
          IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_disable which will appear on your desktop.
           
          Do not re-enable these drivers until otherwise instructed.

          To re-enable your Emulation drivers, double click DeFogger to run the tool.

          * The application window will appear.
          * Click the Re-enable button to re-enable your CD Emulation drivers.
          * Click Yes to continue.
          * A 'Finished!' message will appear.
          * Click OK
          * DeFogger will now ask to reboot the machine, click OK

          IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_enable which will appear on your desktop.

          Your Emulation drivers are now re-enabled.


          Download the MBR Rootkit Detector to your desktop.

          * Doubleclick mbr.exe and follow prompts.
          * A black DOS window will quickly appear then disappear.
          * When mbr.exe is finished it will create a log on your desktop.
          * Copy and paste contents of that log file to your next reply.

          sputniked

            Topic Starter


            Greenhorn

            Re: .exe Bad Image issue
            « Reply #8 on: January 13, 2010, 10:52:02 AM »
            Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

            device: opened successfully
            user: MBR read successfully
            kernel: MBR read successfully
            user & kernel MBR OK

            SuperDave

            • Malware Removal Specialist
            • Moderator


            • Genius
            • Thanked: 1020
            • Experience: Expert
            • OS: Windows 10
            Re: .exe Bad Image issue
            « Reply #9 on: January 13, 2010, 01:05:45 PM »
            OK, re-enable your Emulation drivers as described in Reply #7. BTW, I never did see the log from ESET. Did you run it? If not, run it now and post the log. Also give me another HJT log.

            ESET Online Scan

            Scan your computer with the ESET FREE Online Virus Scan

            * Click the ESET Online Scanner button.

            * For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
            * Click on the esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop
            * Double click on the esetsmartinstaller_enu.exe icon on your desktop.
            * Place a check mark next to YES, I accept the Terms of Use.

            * Click the Start button.
            * Accept any security warnings from your browser.
            * Leave the check mark next to Remove found threats and place a check next to Scan archives.
            * Click the Start button.
            * ESET will then download updates, install, and begin scanning your computer. Please be patient as this can take some time.
            * When the scan completes, click List of found threats.
            * Next click Export to text file and save the file to your desktop using a name such as ESETScan. Include the contents of this report in your next reply.
            * Click the <<Back button then click Finish.

            In your next reply please include the ESET Online Scan Log

            sputniked

              Topic Starter


              Greenhorn

              Re: .exe Bad Image issue
              « Reply #10 on: January 14, 2010, 02:55:18 AM »
              Re-enabled.

              Yup, I posted the ESET scan at the end of my 4th reply and you saw one of the files downloaded from LimeWire had infected my computer. But should I do another one anyway?

              Here's the HJT log:

              Logfile of Trend Micro HijackThis v2.0.2
              Scan saved at 09:51:03, on 14/01/2010
              Platform: Windows XP SP3 (WinNT 5.01.2600)
              MSIE: Internet Explorer v7.00 (7.00.6000.16945)
              Boot mode: Normal

              Running processes:
              C:\WINDOWS\System32\smss.exe
              C:\WINDOWS\system32\winlogon.exe
              C:\WINDOWS\system32\services.exe
              C:\WINDOWS\system32\lsass.exe
              C:\WINDOWS\system32\svchost.exe
              C:\WINDOWS\System32\svchost.exe
              C:\WINDOWS\system32\svchost.exe
              C:\Program Files\AVG\AVG9\avgchsvx.exe
              C:\Program Files\AVG\AVG9\avgrsx.exe
              C:\Program Files\AVG\AVG9\avgcsrvx.exe
              C:\WINDOWS\system32\brsvc01a.exe
              C:\WINDOWS\system32\brss01a.exe
              C:\WINDOWS\system32\spoolsv.exe
              C:\Program Files\Virgin Broadband Wireless\AffinegyService.exe
              C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
              C:\Program Files\AVG\AVG9\avgwdsvc.exe
              C:\Program Files\Bonjour\mDNSResponder.exe
              C:\WINDOWS\system32\Brmfrmps.exe
              C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
              C:\WINDOWS\system32\svchost.exe
              C:\Program Files\AVG\AVG9\avgnsx.exe
              C:\WINDOWS\Explorer.EXE
              C:\Program Files\Analog Devices\Core\smax4pnp.exe
              C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
              C:\Program Files\Dell\Media Experience\DMXLauncher.exe
              C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
              C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe
              C:\Program Files\Dell Photo AIO Printer 922\dlbtbmon.exe
              C:\WINDOWS\system32\rundll32.exe
              C:\WINDOWS\system32\hkcmd.exe
              C:\WINDOWS\system32\igfxpers.exe
              C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
              C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe
              C:\Program Files\Virgin Broadband Wireless\Wireless Manager.exe
              C:\Program Files\Common Files\Real\Update_OB\realsched.exe
              C:\Program Files\iTunes\iTunesHelper.exe
              C:\PROGRA~1\AVG\AVG9\avgtray.exe
              C:\Program Files\Dell Support\DSAgnt.exe
              C:\WINDOWS\system32\ctfmon.exe
              C:\Program Files\Digital Line Detect\DLG.exe
              C:\Program Files\Virgin Broadband Wireless\ndis_events.exe
              C:\Program Files\iPod\bin\iPodService.exe
              C:\WINDOWS\system32\wuauclt.exe
              C:\Program Files\Trend Micro\HijackThis\sniper.exe

              R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
              R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
              R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
              R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
              R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
              R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
              R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
              O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
              O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
              O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
              O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
              O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
              O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
              O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
              O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
              O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
              O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
              O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
              O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
              O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
              O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
              O4 - HKLM\..\Run: [Dell Photo AIO Printer 922] "C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe"
              O4 - HKLM\..\Run: [DLBTCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLBTtime.dll,_RunDLLEntry@16
              O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
              O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
              O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
              O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
              O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
              O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
              O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
              O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
              O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
              O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
              O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
              O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl04a\BrStDvPt.exe
              O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
              O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
              O4 - HKLM\..\Run: [Broadbandadvisor.exe] "C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe" /AUTORUN
              O4 - HKLM\..\Run: [Wireless Manager] "C:\Program Files\Virgin Broadband Wireless\Wireless Manager.exe" startup
              O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
              O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
              O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
              O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
              O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
              O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
              O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
              O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
              O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
              O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
              O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
              O4 - Global Startup: BTTray.lnk = ?
              O4 - Global Startup: Digital Line Detect.lnk = ?
              O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
              O8 - Extra context menu item: Save YouTube Video as MP3 - res://C:\Program Files\Common Files\DVDVideoSoft\Dll\IEContextMenuY.dll/scriptY2MP3.htm
              O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
              O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
              O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
              O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
              O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
              O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
              O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
              O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
              O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
              O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
              O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
              O23 - Service: AffinegyService - Affinegy, Inc. - C:\Program Files\Virgin Broadband Wireless\AffinegyService.exe
              O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
              O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
              O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
              O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Brother Industries, Ltd. - C:\WINDOWS\system32\Brmfrmps.exe
              O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
              O23 - Service: dlbt_device - Dell - C:\WINDOWS\system32\dlbtcoms.exe
              O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
              O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
              O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
              O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
              O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - C:\Program Files\WinPcap\rpcapd.exe (file missing)
              O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe

              --
              End of file - 10535 bytes

              SuperDave

              • Malware Removal Specialist
              • Moderator


              • Genius
              • Thanked: 1020
              • Certifications: List
              • Experience: Expert
              • OS: Windows 10
              Re: .exe Bad Image issue
              « Reply #11 on: January 14, 2010, 01:05:03 PM »
              Quote
              Yup, I posted the ESET scan at the end of my 4th reply and you saw one of the files downloaded from LimeWire had infected my computer. But should I do another one anyway??
              Ok. I just forgot. Too much on my plate. Your log looks clean. How's your computer running now?

              Windows 8 and Windows 10 dual boot with two SSD's

              sputniked

                Topic Starter


                Greenhorn

                Re: .exe Bad Image issue
                « Reply #12 on: January 14, 2010, 03:20:46 PM »
                Sorry! Thank you.
                Still only having trouble with Mozilla being .exe Bad Image.
                Does that mean there's still a problem somewhere, or??
                Should I just uninstall it?

                SuperDave

                • Malware Removal Specialist
                • Moderator


                • Genius
                • Thanked: 1020
                • Certifications: List
                • Experience: Expert
                • OS: Windows 10
                Re: .exe Bad Image issue
                « Reply #13 on: January 15, 2010, 12:52:24 PM »
                Quote
                Still only having trouble with Mozilla being .exe Bad Image.
                Does that mean there's still a problem somewhere, or??
                Should I just uninstall it?
                I'm not sure what you mean by .exe Bad Image. As you can see from all the scans we removed a lot of infections from the computer and I would have to say that it is as clean as I can get it. Perhaps a fresh install of Mozilla Firefox would improve the situation.
                Windows 8 and Windows 10 dual boot with two SSD's

                sputniked

                  Topic Starter


                  Greenhorn

                  Re: .exe Bad Image issue
                  « Reply #14 on: January 17, 2010, 07:06:34 AM »
                  Whenever I try to run it, it still says:
                  The application of DLL C:\Program Files\Mozilla Firefox\xul.dll is not a valid Windows image. Please check this against your installation diskette.

                  But yeah, I think I'm just going to reinstall it.
                  Thank you so much for your help =)
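The "Bad Image" dialog quoted in this last post (a DLL that "is not a valid Windows image") is what the Windows loader reports when the file's PE headers fail its sanity checks, for example because the file was truncated or overwritten, which is consistent with both a broken update and a file tampered with by malware. Before reinstalling, a defender can confirm that this is a damaged file rather than something else by inspecting the headers and hashing the file for comparison with a copy from a fresh download. The script below is an added example, not code from this thread or from Mozilla: it walks the DOS header, PE signature, COFF header and optional-header magic the way the loader does, and the sample image it builds is constructed for the demonstration (the `inspect_file` helper name is an assumption, not a real tool).

```python
"""Check whether a DLL/EXE has the headers the Windows loader requires.

Added example for diagnosing an '... is not a valid Windows image' error.
It is not from the thread or from Mozilla; the sample bytes built by
build_sample_pe() are constructed here and are not a real xul.dll.
"""
import hashlib
import struct

IMAGE_FILE_DLL = 0x2000
MACHINE_NAMES = {0x014C: "i386", 0x8664: "x86-64", 0x01C4: "ARMv7", 0xAA64: "ARM64"}


def inspect_pe(data: bytes) -> dict:
    """Walk DOS header -> PE signature -> COFF header -> optional header -> section table.

    Returns a dict with 'valid' and a 'reason' string; on success it also reports
    the machine type, whether the image is a DLL, and the SHA-256 of the bytes so
    the file can be compared with a known-good copy from a fresh installer.
    """
    result = {"valid": False, "reason": "", "sha256": hashlib.sha256(data).hexdigest()}
    if len(data) < 0x40 or data[:2] != b"MZ":
        result["reason"] = "missing MZ (DOS) signature or file shorter than a DOS header"
        return result
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)   # offset of 'PE\0\0'
    if e_lfanew + 24 > len(data):
        result["reason"] = f"e_lfanew 0x{e_lfanew:x} points past end of file (truncated?)"
        return result
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        result["reason"] = "PE signature missing at e_lfanew (header overwritten or corrupt)"
        return result
    # COFF file header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics (20 bytes)
    machine, nsections, _ts, _symptr, _nsyms, opt_size, chars = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4)
    opt_off = e_lfanew + 24
    if opt_size < 2 or opt_off + opt_size > len(data):
        result["reason"] = "optional header missing or runs past end of file"
        return result
    (magic,) = struct.unpack_from("<H", data, opt_off)
    if magic not in (0x10B, 0x20B):   # PE32 / PE32+
        result["reason"] = f"unknown optional-header magic 0x{magic:x}"
        return result
    # The section table follows the optional header; each entry is 40 bytes.
    if opt_off + opt_size + 40 * nsections > len(data):
        result["reason"] = "section table runs past end of file (truncated?)"
        return result
    result.update(valid=True, reason="headers look well-formed",
                  machine=MACHINE_NAMES.get(machine, hex(machine)),
                  is_dll=bool(chars & IMAGE_FILE_DLL),
                  pe32plus=(magic == 0x20B), sections=nsections)
    return result


def build_sample_pe(sections: int = 1) -> bytes:
    """Construct a minimal, header-only PE32 DLL image (constructed sample data)."""
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x014C, sections, 0, 0, 0, 224, 0x2102)  # i386, DLL flag set
    optional = struct.pack("<H", 0x10B) + b"\0" * 222                     # PE32 magic + padding
    section_table = b"\0" * (40 * sections)
    return dos + b"PE\0\0" + coff + optional + section_table


def inspect_file(path: str) -> dict:
    """Hypothetical convenience wrapper: run the check on a file on disk."""
    with open(path, "rb") as f:
        return inspect_pe(f.read())


if __name__ == "__main__":
    good = build_sample_pe()
    print(inspect_pe(good))                                    # valid, i386 DLL
    print(inspect_pe(good[:100]))                              # truncated, as a failed update might leave it
    print(inspect_pe(good[:0x40] + b"XX" + good[0x42:]))       # PE signature clobbered
```

If the check reports a truncated or clobbered header, the file itself is the problem and a clean reinstall is the right fix; if the headers look well-formed but the SHA-256 differs from the copy in a freshly downloaded installer, the file has been altered and is worth submitting to the scanners already used in this thread before it is replaced.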