
Author Topic: corrupted exes (control.exe mmc.exe)  (Read 17453 times)


freeforall

    Topic Starter
  • *Bugmenot user*


  • Beginner

    • Experience: Familiar
    • OS: Windows 7
    corrupted exes (control.exe mmc.exe)
    « on: February 09, 2010, 12:39:05 PM »
    I don't know what virus I have, but every time I try to open the Add/Remove Programs it tells me that control.exe can't be opened. I ran Malwarebytes, it removed something called cleansweep, and I thought the problem was gone. Later on when I attempted to follow an online guide for modifying Remote Desktop (this took place after I realized something wasn't right with my computer, so it's not the catalyst), I tried to open gpedit.msc and it told me that mmc.exe was missing a dll (MRoD.dll). I tested control.exe again, and that is also not working. So, I don't have any issue with pop-ups or programs forcing me to buy them, but a whole bunch of essential exes don't seem to work right. Any insight as to what this is?

    [Saving space, attachment deleted by admin]

    evilfantasy

    • Malware Removal Specialist
    • Moderator


    • Genius
    • Calm like a bomb
    • Thanked: 493
    • Experience: Experienced
    • OS: Windows 11
    Re: corrupted exes (control.exe mmc.exe)
    « Reply #1 on: February 09, 2010, 12:58:34 PM »
    Hi.

    Hopefully you can figure out a way to subscribe to this topic. As a BMN user you shouldn't add your email to your profile and therefore can't get the updates when I reply. When I reply I would hope you are getting a notice so I don't end up wasting my time. It would be better if you created an account. This is a secure forum and we do not spam whatsoever. Besides, using an open account isn't very secure IMHO.

    Let me know what you think.

    desudesu



      Greenhorn

      Re: corrupted exes (control.exe mmc.exe)
      « Reply #2 on: February 09, 2010, 06:03:44 PM »
      Hey, thanks for the reply. I did create an account because I do find myself in need of malware assistance every so often.

      evilfantasy

      Re: corrupted exes (control.exe mmc.exe)
      « Reply #3 on: February 09, 2010, 06:08:58 PM »
      Thank you. :)

      If you already have Malwarebytes be sure to update it before running the scan!

      Download Malwarebytes' Anti-Malware (MBAM)

      * Double-click mbam-setup.exe and follow the prompts to install the program.
      * At the end, be sure a checkmark is placed next to the following:

      * Update Malwarebytes' Anti-Malware
      * Launch Malwarebytes' Anti-Malware

      * Then click Finish
      * If an update is found, it will download and install the latest version.
      * Once the program has loaded, select Perform quick scan, then click Scan.
      * When the scan is complete, click OK, then Show Results to view the results.
      * Be sure that everything is checked, and click Remove Selected.
      * When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
      * The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
      * Copy and Paste the entire report in your next reply.

      Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

      ----------

      Download DDS from |HERE| or |HERE| or |HERE| and save it to your desktop.

      Vista users right click on dds and select Run as administrator (you will receive a UAC prompt, please allow it)

      * XP users Double click on dds to run it.
      * If your antivirus or firewall try to block DDS then please allow it to run.
      * When finished DDS will open two (2) logs.

      1) DDS.txt
      2) Attach.txt

      * Save both logs to your desktop.
      * Please copy and paste the entire contents of both logs in your next reply.

      Note: DDS will instruct you to post the Attach.txt log as an attachment.
      Please just post it as you would any other log by copy and pasting it into the reply.

      ----------

      Next post please add:

      • Malwarebytes log
      • Both DDS logs
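The DDS report requested above produces a "Pseudo HJT Report" section that a helper normally reads by eye. As an added illustration (not part of this thread, and not a DDS or Malwarebytes component), the Python helper below scans lines in that format for the indicators a malware-removal helper checks first: a browser proxy pointing at a non-local address, autorun entries launched from outside the normal program directories, orphaned "No File" references, and a disabled UAC policy. The sample lines are constructed after the style of the DDS log posted later in this thread; the trusted-directory allow-list and the severity labels are assumptions for the demo, not a DDS convention, and a flagged line is a review item, not a verdict.

```python
"""Triage helper for the "Pseudo HJT Report" section of a DDS log.

Added example for this thread, not a DDS or Malwarebytes component. It flags
entries a malware-removal helper would look at first; it does not decide on
its own that anything is malicious.
"""
import ipaddress
import re

# Constructed sample lines, modelled on the DDS output posted in this thread.
SAMPLE_REPORT_LINES = [
    r"uInternet Settings,ProxyOverride = 127.0.0.1;*.local",
    r"uInternet Settings,ProxyServer = 83.133.119.38:8080",
    r"uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe",
    r'uRun: [EA Core] "c:\program files\electronic arts\eadm\Core.exe" -silent',
    r"uRun: [cleansweep.exe] c:\cleansweep.exe\cleansweep.exe",
    r"mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe",
    r"TB: {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - No File",
    r"mPolicies-system: EnableLUA = 0 (0x0)",
]

# Line shapes as DDS prints them: uRun/mRun autoruns, the IE proxy setting,
# and the system policy line.
RUN_RE = re.compile(r"^[um]Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$", re.I)
PROXY_RE = re.compile(r"^uInternet Settings,ProxyServer = (?P<host>[^:\s;]+)", re.I)
LUA_RE = re.compile(r"^mPolicies-system: EnableLUA = (?P<value>\d+)", re.I)

# Assumed allow-list for the demo: autoruns under these roots are not flagged.
TRUSTED_DIRS = ("\\windows\\", "\\program files\\", "\\progra~1\\")


def image_path(cmd: str) -> str:
    """Return the launched image: the quoted part if the command is quoted,
    otherwise the whole command string (DDS quotes paths containing spaces)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        if end > 1:
            return cmd[1:end]
    return cmd


def is_external(host: str) -> bool:
    """True when the proxy host is neither loopback nor a private (RFC 1918)
    address. Hostnames cannot be resolved offline, so they count as external
    and get a look too."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return True
    return not (ip.is_loopback or ip.is_private)


def triage(lines):
    """Return a list of (severity, line, reason) tuples, in report order."""
    findings = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        m = PROXY_RE.match(line)
        if m:
            if is_external(m.group("host")):
                findings.append(("high", line,
                                 "browser proxy points at a non-local address; "
                                 "web traffic can be observed or redirected there"))
            continue
        m = RUN_RE.match(line)
        if m:
            path = image_path(m.group("cmd")).lower()
            if not any(d in path for d in TRUSTED_DIRS):
                findings.append(("high", line,
                                 "autorun entry launches from outside the usual "
                                 "program directories"))
            continue
        if line.endswith("- No File"):
            findings.append(("low", line,
                             "orphaned registry reference: file no longer on "
                             "disk, clean-up item"))
            continue
        m = LUA_RE.match(line)
        if m and m.group("value") == "0":
            findings.append(("medium", line,
                             "EnableLUA = 0: UAC disabled on systems that "
                             "support it"))
    return findings


if __name__ == "__main__":
    for severity, line, reason in triage(SAMPLE_REPORT_LINES):
        print(f"[{severity:6}] {line}\n         -> {reason}")
```

Run on the constructed sample it reports four items: the external proxy and the autorun from the root of C: as high, the toolbar entry with no file behind it as low, and the EnableLUA policy as medium. The ctfmon, EA Core and AVG autoruns are left alone because their images live under the allow-listed roots.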

      desudesu



        Greenhorn

        Re: corrupted exes (control.exe mmc.exe)
        « Reply #4 on: February 10, 2010, 11:51:56 AM »
        Malwarebytes' Anti-Malware 1.44
        Database version: 3717
        Windows 5.1.2600 Service Pack 3
        Internet Explorer 8.0.6001.18702

        2/10/2010 11:43:48 AM
        mbam-log-2010-02-10 (11-43-47).txt

        Scan type: Full Scan (C:\|)
        Objects scanned: 321688
        Time elapsed: 3 hour(s), 40 minute(s), 15 second(s)

        Memory Processes Infected: 0
        Memory Modules Infected: 0
        Registry Keys Infected: 0
        Registry Values Infected: 1
        Registry Data Items Infected: 0
        Folders Infected: 0
        Files Infected: 0

        Memory Processes Infected:
        (No malicious items detected)

        Memory Modules Infected:
        (No malicious items detected)

        Registry Keys Infected:
        (No malicious items detected)

        Registry Values Infected:
        HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\cleansweep.exe (Trojan.Agent) -> Quarantined and deleted successfully.

        Registry Data Items Infected:
        (No malicious items detected)

        Folders Infected:
        (No malicious items detected)

        Files Infected:
        (No malicious items detected)






        UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
        IF REQUESTED, ZIP IT UP & ATTACH IT

        DDS (Ver_09-12-01.01)

        Microsoft Windows XP Professional
        Boot Device: \Device\HarddiskVolume1
        Install Date: 3/10/2003 10:48:56 AM
        System Uptime: 2/7/2010 10:56:50 PM (46 hours ago)

        Motherboard: Compaq |  | 07E4h
        Processor:               Intel(R) Pentium(R) 4 CPU 2.66GHz | XU1 PROCESSOR | 2657/533mhz

        ==== Disk Partitions =========================

        C: is FIXED (NTFS) - 233 GiB total, 118.968 GiB free.
        E: is CDROM ()
        G: is CDROM ()
        H: is FIXED (NTFS) - 932 GiB total, 670.86 GiB free.

        ==== Disabled Device Manager Items =============

        Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
        Description: Intel(R) PRO/100 VM Network Connection
        Device ID: PCI\VEN_8086&DEV_103B&SUBSYS_00120E11&REV_81\4&25296D99&0&40F0
        Manufacturer: Intel
        Name: Intel(R) PRO/100 VM Network Connection
        PNP Device ID: PCI\VEN_8086&DEV_103B&SUBSYS_00120E11&REV_81\4&25296D99&0&40F0
        Service: E100B

        ==== System Restore Points ===================

        No restore point in system.

        ==== Installed Programs ======================


        7-Zip 4.65
        AAC Decoder
        ACID Pro 7.0
        Acronis Migrate Easy
        Adobe AIR
        Adobe Flash Player 10 Plugin
        Adobe Flash Player ActiveX
        Adobe Reader 9.2
        Adobe Shockwave Player 11.5
        Advertising Center
        AllToAVI v4 r5394
        Apple Application Support
        Apple Mobile Device Support
        Apple Software Update
        ArcSoft MediaImpression
        ArcSoft PhotoImpression 5
        ArcSoft VideoImpression 2
        Ares 2.1.2
        Aspell English Dictionary-0.50-2
        AutoUpdate
        AVG 9.0
        AviSynth 2.5
        BitTyrant
        Bonjour
        Calculator Powertoy for Windows XP
        CamStudio
        CamStudio Lossless Codec
        CCleaner
        Combined Community Codec Pack 2009-09-09
        DC++ 0.750
        Dev-C++ 5 beta 9 release (4.9.9.2)
        Digital Camera
        DivX Codec
        DivX Plus DirectShow Filters
        DivX Plus Web Player
        DivX Version Checker
        DolbyFiles
        DVD Flick 1.3.0.7
        DVD Shrink 3.2
        EA Download Manager
        EA Download Manager UI
        Fiesta
        FreeMind
        GIMP 2.6.7
        GNU Aspell 0.50-3
        GTK+ Runtime 2.14.7 rev a (remove only)
        GUI Design Studio 3.6.95.0
        Guifications Plugin (remove only)
        H.264 Decoder
        HandBrake 0.9.3
        High-Logic FontCreator 6.0
        HighMAT Extension to Microsoft Windows XP CD Writing Wizard
        HijackThis 2.0.2
        Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
        Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
        Hotfix for Windows XP (KB954550-v5)
        HP Standard Port Monitor
        HyperCam 2
        Image Resizer Powertoy for Windows XP
        Intel(R) Extreme Graphics Driver
        Intel(R) PRO Ethernet Adapter and Software
        InterVideo DeviceService
        iPodRip
        iTunes
        Java 2 Runtime Environment, SE v1.4.0_01
        Java Web Start
        Java(TM) 6 Update 3
        Kazaa Lite K++ v2.4.3
        KeyScrambler
        LogMeIn Hamachi
        Malwarebytes' Anti-Malware
        MapleStory
        MediaCoder 0.6.1
        MEGA-DSC
        Microsoft .NET Framework 1.1
        Microsoft .NET Framework 1.1 Security Update (KB953297)
        Microsoft .NET Framework 2.0 Service Pack 2
        Microsoft .NET Framework 3.0 Service Pack 2
        Microsoft .NET Framework 3.5 SP1
        Microsoft Compression Client Pack 1.0 for Windows XP
        Microsoft Office Access MUI (English) 2007
        Microsoft Office Access Setup Metadata MUI (English) 2007
        Microsoft Office Enterprise 2007
        Microsoft Office Excel MUI (English) 2007
        Microsoft Office Groove MUI (English) 2007
        Microsoft Office Groove Setup Metadata MUI (English) 2007
        Microsoft Office InfoPath MUI (English) 2007
        Microsoft Office OneNote MUI (English) 2007
        Microsoft Office Outlook MUI (English) 2007
        Microsoft Office PowerPoint MUI (English) 2007
        Microsoft Office Proof (English) 2007
        Microsoft Office Proof (French) 2007
        Microsoft Office Proof (Spanish) 2007
        Microsoft Office Proofing (English) 2007
        Microsoft Office Publisher MUI (English) 2007
        Microsoft Office Shared MUI (English) 2007
        Microsoft Office Shared Setup Metadata MUI (English) 2007
        Microsoft Office Word MUI (English) 2007
        Microsoft Office XP Professional with FrontPage
        Microsoft Software Update for Web Folders  (English) 12
        Microsoft User-Mode Driver Framework Feature Pack 1.0
        Microsoft Visual C++ 2005 Redistributable
        Microsoft WSE 3.0 Runtime
        Miro
        MKV Splitter
        MKVtoolnix 2.9.8
        Mozilla Firefox (3.5.7)
        MUSTEK 1200 UB v2.1
        Nero ControlCenter
        Nero Installer
        Nero Suite
        NETGEAR WG111v2 wireless USB 2.0 adapter
        Notepad++
        Orbit
        PeerGuardian 2.0
        Pidgin
        Pokemon PC 2.0
        Project64 1.6
        PurgeFox - 4.01
        QuickTime
        RGSS-RTP Standard
        RPG Maker 2000 1.05
        RPG Maker 2003 v1.08
        RPG Maker VX 1.02
        RPG Maker VX RTP
        RPG Maker XP - Postality Knights Edition ENHANCED
        RTP 1.32 Add-On for RM2k
        RTP de RPG Maker 2003
        RTP for RM2K (Png, Wav, Midi, Fonts)
        save2pc Pro 3.51
        Scenario RPGMaker 2003
        Security Update for Windows Internet Explorer 8 (KB971961)
        Security Update for Windows Internet Explorer 8 (KB974455)
        Security Update for Windows Internet Explorer 8 (KB976325)
        Security Update for Windows Internet Explorer 8 (KB978207)
        Security Update for Windows Media Player (KB911564)
        Security Update for Windows Media Player 6.4 (KB925398)
        Security Update for Windows XP (KB923689)
        Security Update for Windows XP (KB923789)
        Security Update for Windows XP (KB972270)
        Smart Install Maker 5.02
        SoulSeek 157 NS 13e
        SoundMAX
        SUPER © Version 2009.bld.36 (June 10, 2009)
        SUPERAntiSpyware Professional
        TES Construction Set
        The Sims™ 3
        Torrent Searcher 9.0
        TreeSize Free V2.3.3
        TrueCrypt
        Tweak UI
        Unlocker 1.8.8
        Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
        Update for Windows Internet Explorer 8 (KB975364)
        Update for Windows Internet Explorer 8 (KB976749)
        VC80CRTRedist - 8.0.50727.4053
        Videora iPod classic Converter 5.03
        Videora Trial Version 2.15
        VirtualDubMOD 1.5.10.3 US
        VLC media player 1.0.3
        VMware ThinApp
        VobSub v2.23 (Remove Only)
        Vuze
        WebFldrs XP
        Window Washer
        Windows Genuine Advantage Notifications (KB905474)
        Windows Genuine Advantage Validation Tool (KB892130)
        Windows Internet Explorer 8
        Windows Media Format 11 runtime
        Windows Media Player 11
        Windows Support Tools
        Windows XP Service Pack 3
        WinFF 1.0.4
        WinPcap 4.0
        Xvid 1.2.2 final uninstall
        XviD4PSP 5.0
        Yahoo! Install Manager
        Yahoo! Widgets

        ==== Event Viewer Messages From Past Week ========

        2/9/2010 7:39:08 AM, error: MRxSmb [8003]  - The master browser has received a server announcement from the computer MOMLUVSDAD that believes that it is the master browser for the domain on transport NetBT_Tcpip_{5874CD5F-02BD-4F2. The master browser is stopping or an election is being forced.
        2/9/2010 1:42:37 PM, information: Windows File Protection [64004]  - The protected system file termsrv.dll could not be restored to its original, valid version. The file version of the bad file is 5.1.2600.5512 The specific error code is 0x800b0100 [No signature was present in the subject. ].
        2/7/2010 4:45:01 PM, error: DCOM [10005]  - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
        2/7/2010 4:41:57 PM, error: Service Control Manager [7026]  - The following boot-start or system-start driver(s) failed to load:  AvgLdx86 AvgMfx86 Fips intelppm SASDIFSV SASKUTIL truecrypt
        2/7/2010 4:41:41 PM, error: DCOM [10005]  - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
        2/7/2010 10:18:22 PM, error: NetDDE [206]  - Listen failed: 15:
        2/7/2010 10:18:02 PM, error: NetDDE [206]  - Listen failed: 23: The ncb_lana_num member did not specify a valid network number.
        2/5/2010 7:02:51 AM, error: PSched [14103]  - QoS [Adapter {5874CD5F-02BD-4F2C-8B14-55138A3A0C42}]: The netcard driver failed the query for OID_GEN_LINK_SPEED.
        2/5/2010 11:57:12 PM, error: Service Control Manager [7009]  - Timeout (30000 milliseconds) waiting for the IMAPI CD-Burning COM Service service to connect.
        2/5/2010 11:57:12 PM, error: Service Control Manager [7001]  - The Remote Access Connection Manager service depends on the Telephony service which failed to start because of the following error:  After starting, the service hung in a start-pending state.
        2/5/2010 11:57:12 PM, error: Service Control Manager [7001]  - The Fast User Switching Compatibility service depends on the Terminal Services service which failed to start because of the following error:  After starting, the service hung in a start-pending state.
        2/5/2010 11:57:12 PM, error: Service Control Manager [7000]  - The IMAPI CD-Burning COM Service service failed to start due to the following error:  The service did not respond to the start or control request in a timely fashion.
        2/5/2010 11:50:40 PM, error: Service Control Manager [7000]  - The npkcrypt service failed to start due to the following error:  The system cannot find the path specified.
        2/5/2010 1:24:33 PM, error: Service Control Manager [7034]  - The Capture Device Service service terminated unexpectedly.  It has done this 1 time(s).
        2/5/2010 1:24:32 PM, error: Service Control Manager [7034]  - The Window Washer Engine service terminated unexpectedly.  It has done this 1 time(s).
        2/5/2010 1:24:30 PM, error: Service Control Manager [7034]  - The StarWind iSCSI Service service terminated unexpectedly.  It has done this 1 time(s).
        2/5/2010 1:24:29 PM, error: Service Control Manager [7034]  - The Machine Debug Manager service terminated unexpectedly.  It has done this 1 time(s).
        2/5/2010 1:24:27 PM, error: Service Control Manager [7034]  - The iPod Service service terminated unexpectedly.  It has done this 1 time(s).
        2/5/2010 1:24:25 PM, error: Service Control Manager [7034]  - The SoundMAX Agent Service service terminated unexpectedly.  It has done this 1 time(s).
        2/5/2010 1:24:20 PM, error: Service Control Manager [7034]  - The ArcSoft Connect Daemon service terminated unexpectedly.  It has done this 1 time(s).
        2/5/2010 1:24:18 PM, error: Service Control Manager [7034]  - The Network DDE service terminated unexpectedly.  It has done this 1 time(s).
        2/5/2010 1:24:18 PM, error: Service Control Manager [7034]  - The Network DDE DSDM service terminated unexpectedly.  It has done this 1 time(s).
        2/5/2010 1:24:18 PM, error: Service Control Manager [7034]  - The Bonjour Service service terminated unexpectedly.  It has done this 1 time(s).
        2/5/2010 1:24:16 PM, error: Service Control Manager [7032]  - The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Windows Media Player Network Sharing Service service, but this action failed with the following error:  The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
        2/5/2010 1:23:19 PM, error: Service Control Manager [7034]  - The LogMeIn Hamachi 2.0 Tunneling Engine service terminated unexpectedly.  It has done this 1 time(s).
        2/5/2010 1:23:19 PM, error: Service Control Manager [7034]  - The B's Recorder GOLD Library General Service service terminated unexpectedly.  It has done this 1 time(s).
        2/5/2010 1:23:18 PM, error: Service Control Manager [7034]  - The WMDM PMSP Service service terminated unexpectedly.  It has done this 1 time(s).
        2/5/2010 1:23:15 PM, error: Service Control Manager [7031]  - The Windows Media Player Network Sharing Service service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 30000 milliseconds: Restart the service.
        2/5/2010 1:23:12 PM, error: Service Control Manager [7034]  - The AVG E-mail Scanner service terminated unexpectedly.  It has done this 1 time(s).
        2/5/2010 1:23:11 PM, error: Service Control Manager [7034]  - The MBAMService service terminated unexpectedly.  It has done this 1 time(s).
        2/5/2010 1:23:11 PM, error: Service Control Manager [7031]  - The Apple Mobile Device service terminated unexpectedly.  It has done this 1 time(s).  The following corrective action will be taken in 60000 milliseconds: Restart the service.
        2/4/2010 11:03:49 PM, error: Service Control Manager [7011]  - Timeout (30000 milliseconds) waiting for a transaction response from the stisvc service.
        2/4/2010 11:02:52 PM, error: W32Time [17]  - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 15 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)
        2/3/2010 5:49:46 AM, error: Dhcp [1001]  - Your computer was not assigned an address from the network (by the DHCP Server) for the Network Card with network address 0023C32129DA.  The following error occurred:  The operation was canceled by the user. . Your computer will continue to try and obtain an address on its own from the network address (DHCP) server.
        2/3/2010 5:49:09 AM, error: Service Control Manager [7000]  - The LogMeIn Hamachi 2.0 Tunneling Engine service failed to start due to the following error:  The service did not respond to the start or control request in a timely fashion.
        2/3/2010 5:49:08 AM, error: Service Control Manager [7009]  - Timeout (30000 milliseconds) waiting for the LogMeIn Hamachi 2.0 Tunneling Engine service to connect.
        2/3/2010 1:34:15 PM, error: Srv [2011]  - The server's configuration parameter "irpstacksize" is too small for the server to use a local device.  Please increase the value of this parameter.

        ==== End Of File ===========================





        DDS (Ver_09-12-01.01) - NTFSx86 
        Run by Alex at 20:24:37.98 on Tue 02/09/2010
        Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_03
        Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.503.66 [GMT -5:00]

        AV: AVG Internet Security *On-access scanning enabled* (Updated)   {17DDD097-36FF-435F-9E1B-52D74245D6BF}
        FW: AVG Firewall *enabled*   {8decf618-9569-4340-b34a-d78d28969b66}

        ============== Running Processes ===============

        C:\WINDOWS\system32\svchost -k DcomLaunch
        svchost.exe
        C:\WINDOWS\System32\svchost.exe -k netsvcs
        svchost.exe
        svchost.exe
        C:\Program Files\AVG\AVG9\avgchsvx.exe
        C:\Program Files\AVG\AVG9\avgrsx.exe
        C:\Program Files\AVG\AVG9\avgcsrvx.exe
        C:\WINDOWS\system32\spoolsv.exe
        C:\Program Files\AVG\AVG9\Identity Protection\Agent\Bin\AVGIDSAgent.exe
        C:\WINDOWS\Explorer.EXE
        C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
        C:\Program Files\Unlocker\UnlockerAssistant.exe
        C:\PROGRA~1\AVG\AVG9\avgtray.exe
        C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
        C:\WINDOWS\system32\ctfmon.exe
        svchost.exe
        C:\WINDOWS\system32\netdde.exe
        C:\Program Files\AVG\AVG9\Identity Protection\agent\bin\avgidsmonitor.exe
        C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
        C:\Program Files\AVG\AVG9\avgwdsvc.exe
        C:\Program Files\AVG\AVG9\avgfws9.exe
        C:\Program Files\Webroot\Washer\wwDisp.exe
        C:\Program Files\Orbitdownloader\orbitdm.exe
        C:\WINDOWS\system32\bgsvcgen.exe
        C:\Program Files\Bonjour\mDNSResponder.exe
        C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
        C:\Program Files\Orbitdownloader\orbitnet.exe
        C:\Program Files\LogMeIn Hamachi\hamachi-2.exe
        C:\WINDOWS\System32\svchost.exe -k HTTPFilter
        C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
        C:\Program Files\AVG\AVG9\avgam.exe
        C:\Program Files\AVG\AVG9\avgnsx.exe
        C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
        C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
        C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
        C:\WINDOWS\System32\svchost.exe -k imgsvc
        C:\Program Files\AVG\AVG9\avgcsrvx.exe
        C:\WINDOWS\System32\MsPMSPSv.exe
        C:\Program Files\Webroot\Washer\WasherSvc.exe
        C:\Program Files\AVG\AVG9\avgemc.exe
        C:\Program Files\AVG\AVG9\avgcsrvx.exe
        C:\Program Files\iPod\bin\iPodService.exe
        C:\Program Files\Mozilla Firefox\firefox.exe
        C:\WINDOWS\system32\NOTEPAD.EXE
        C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
        C:\Documents and Settings\Alex\Desktop\dds.scr

        ============== Pseudo HJT Report ===============

        uStart Page = file:///H:/dls/backup/lulz/Anon%20Party%20Hard/anon_partyhard30.swf
        uInternet Settings,ProxyOverride = 127.0.0.1;*.local
        uInternet Settings,ProxyServer = 83.133.119.38:8080
        BHO: Octh Class: {000123b4-9b42-4900-b3f7-f4b073efc214} - c:\program files\orbitdownloader\orbitcth.dll
        BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
        BHO: CKeyScramblerBHO Object: {2b9f5787-88a5-4945-90e7-c4b18563bc5e} - c:\program files\keyscrambler\KeyScramblerIE.dll
        BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
        BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL
        BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_03\bin\ssv.dll
        TB: {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - No File
        TB: {338B4DFE-2E2C-4338-9E41-E176D497299E} - No File
        EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
        uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
        uRun: [Window Washer] c:\program files\webroot\washer\wwDisp.exe
        uRun: [EA Core] "c:\program files\electronic arts\eadm\Core.exe" -silent
        uRun: [cleansweep.exe] c:\cleansweep.exe\cleansweep.exe
        mRun: [DrvLsnr] "c:\program files\analog devices\soundmax\DrvLsnr.exe"
        mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
        mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
        mRun: [UnlockerAssistant] "c:\program files\unlocker\UnlockerAssistant.exe"
        mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
        mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
        StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\orbit.lnk - c:\program files\orbitdownloader\orbitdm.exe
        mPolicies-system: EnableLUA = 0 (0x0)
        IE: &Download All with FlashGet - c:\documents and settings\Alex\my documents\random junk\programs\flashget\jc_all.htm
        IE: &Download by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/201
        IE: &Download with FlashGet - c:\documents and settings\Alex\my documents\random junk\programs\flashget\jc_link.htm
        IE: &Grab video by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/204
        IE: Do&wnload selected by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/203
        IE: Down&load all by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/202
        IE: Download FLV video content with IDM - c:\documents and settings\Alex\my documents\random junk\programs\internet download manager\IEGetVL.htm
        IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
        IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
        IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_03\bin\ssv.dll
        IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
        IE: {5C106A59-CC3C-4caa-81A4-6D909B5ACE23} - {B745F984-EF2E-40D6-A9AC-D8CED7230E61} - c:\program files\keyscrambler\KeyScramblerIE.dll
        IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
        DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
        DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/director/sw.cab
        DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
        DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc3.cab
        DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://photos.walmart.com/WalmartActivia.cab
        DPF: {41F17733-B041-4099-A042-B518BB6A408C} - hxxp://a1540.g.akamai.net/7/1540/52/20021205/qtinstall.info.apple.com/borris/us/win/QuickTimeInstaller.exe
        DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} - hxxp://office.microsoft.com/productupdates/content/opuc.cab
        DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
        DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - hxxp://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37868.274537037
        DPF: {CAFEEFAC-0014-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-1_4_0_01-win.cab
        DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
        DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
        DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
        DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} - hxxp://3dlifeplayer.dl.3dvia.com/player/install/installer.exe
        Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
        Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\micros~2\office12\GR99D3~1.DLL
        Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
        Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
        Notify: avgrsstarter - avgrsstx.dll
        Notify: igfxcui - igfxsrvc.dll
        SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
        SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL
        SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

        ================= FIREFOX ===================

        FF - ProfilePath - c:\docume~1\Alex\applic~1\mozilla\firefox\profiles\um5wf9ps.default\
        FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
        FF - component: c:\documents and settings\Alex\application data\mozilla\firefox\profiles\um5wf9ps.default\extensions\{81bf1d23-5f17-408d-ac6b-bd6df7caf670}\components\XpcomOpusConnector.dll
        FF - component: c:\documents and settings\Alex\application data\mozilla\firefox\profiles\um5wf9ps.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\winnt_x86-msvc\components\ipc.dll
        FF - component: c:\documents and settings\Alex\application data\mozilla\firefox\profiles\um5wf9ps.default\extensions\[email protected]\components\KeyScramblerIE.dll
        FF - component: c:\program files\avg\avg9\firefox\components\avgssff.dll
        FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
        FF - plugin: c:\program files\mozilla firefox\plugins\npyaxmpb.dll
        FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
        FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}

        ---- FIREFOX POLICIES ----
        c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

        ============= SERVICES / DRIVERS ===============

        R0 AVGIDSErHrxpx;AVG9IDSErHr;c:\windows\system32\drivers\AVGIDSxx.sys [2009-12-30 25608]
        R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [2009-12-30 161800]
        R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-12-30 333192]
        R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-12-30 28424]
        R1 AvgTdiX;AVG Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-12-30 360584]
        R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-6-23 9968]
        R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-6-23 74480]
        R2 avg9emc;AVG E-mail Scanner;c:\program files\avg\avg9\avgemc.exe [2009-12-30 906520]
        R2 avg9wd;AVG WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2009-12-30 285392]
        R2 avgfws9;AVG Firewall;c:\program files\avg\avg9\avgfws9.exe [2009-12-30 2304192]
        R2 AVGIDSAgent;AVG9IDSAgent;c:\program files\avg\avg9\identity protection\agent\bin\AVGIDSAgent.exe [2009-12-30 5832712]
        R2 Hamachi2Svc;LogMeIn Hamachi 2.0 Tunneling Engine;c:\program files\logmein hamachi\hamachi-2.exe [2009-10-29 1074568]
        R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2009-12-3 236368]
        R2 StarWindService;StarWind iSCSI Service;c:\program files\alcohol soft\alcohol 120\starwind\StarWindService.exe [2005-4-1 217600]
        R3 Avgfwdx;Avgfwdx;c:\windows\system32\drivers\avgfwdx.sys [2009-12-30 30104]
        R3 AVGIDSDriverxpx;AVG9IDSDriver;c:\program files\avg\avg9\identity protection\agent\driver\platform_xp\AVGIDSDriver.sys [2009-12-30 122376]
        R3 AVGIDSFilterxpx;AVG9IDSFilter;c:\program files\avg\avg9\identity protection\agent\driver\platform_xp\AVGIDSFilter.sys [2009-12-30 30216]
        R3 AVGIDSShimxpx;AVG9IDSShim;c:\program files\avg\avg9\identity protection\agent\driver\platform_xp\AVGIDSShim.sys [2009-12-30 25736]
        R3 KeyScrambler;KeyScrambler;c:\windows\system32\drivers\keyscrambler.sys [2007-8-9 113896]
        R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2009-12-3 19160]
        R3 RTLWUSB;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter NT Driver;c:\windows\system32\drivers\wg111v2.sys [2009-12-12 272128]
        R3 vaxscsi;vaxscsi;c:\windows\system32\drivers\vaxscsi.sys [2007-8-8 223128]
        S0 gxal;gxal;c:\windows\system32\drivers\naaajasa.sys --> c:\windows\system32\drivers\naaajasa.sys [?]
        S2 PowerManager;Power Manager;c:\windows\svchost.exe --> c:\windows\svchost.exe [?]
        S3 aic32p;aic32p;\??\c:\windows\system32\drivers\ipfmpo.sys --> c:\windows\system32\drivers\ipfmpo.sys [?]
        S3 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwdx.sys [2009-12-30 30104]
        S3 dsreader;MaxDrive Driver (dsreader.sys);c:\windows\system32\drivers\dsreader.sys [2001-1-2 19677]
        S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-1-25 42000]
        S3 S6U12BScanner;MUSTEK 1200 UB Still Image Device Service;c:\windows\system32\drivers\usbscan.sys [2007-12-8 15104]
        S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-6-23 7408]
        S3 WUSB54GCv3;Compact Wireless-G USB Network Adapter;c:\windows\system32\drivers\WUSB54GCv3.sys [2009-11-29 627072]
        S3 XDva281;XDva281;\??\c:\windows\system32\xdva281.sys --> c:\windows\system32\XDva281.sys [?]

        =============== Created Last 30 ================

        2010-02-09 19:20:17   0   d-----w-   c:\program files\Trend Micro
        2010-02-05 18:21:23   0   d-----w-   c:\docume~1\Alex\applic~1\Subversion
        2010-02-05 18:19:32   0   d-----w-   c:\program files\GUI Design Studio
        2010-02-03 10:47:38   0   d-----w-   c:\program files\LogMeIn Hamachi
        2010-01-29 21:12:58   0   d-----w-   C:\ProgramData
        2010-01-29 21:12:58   0   d-----w-   c:\docume~1\alluse~1\applic~1\Electronic Arts
        2010-01-29 21:08:44   447752   ----a-r-   c:\windows\system32\vp6vfw.dll
        2010-01-29 21:08:40   0   d-----w-   c:\program files\Microsoft WSE
        2010-01-28 04:50:22   22297   ----a-w-   c:\documents and settings\Alex\.recently-used.xbel
        2010-01-27 01:03:39   0   d-----w-   c:\docume~1\alluse~1\applic~1\Kazaa
        2010-01-27 00:27:38   0   d-----w-   c:\docume~1\Alex\applic~1\Kazaa Lite
        2010-01-27 00:27:33   0   d-----w-   c:\program files\Kazaa Lite K++
        2010-01-26 23:56:47   0   d-----w-   C:\My Shared Folder
        2010-01-26 23:56:46   0   d-----w-   c:\program files\Torrent Searcher 9.0
        2010-01-26 07:27:29   766   ----a-w-   c:\windows\DSC.ico
        2010-01-26 07:27:29   7431   ----a-w-   c:\windows\Tw504b.src
        2010-01-26 07:27:29   65536   ----a-w-   c:\windows\PCCam.exe
        2010-01-26 07:27:29   515803   ----a-w-   c:\windows\system32\drivers\CA504bv.sys
        2010-01-26 07:27:29   19456   ----a-w-   c:\windows\system32\Dext504b.ax
        2010-01-26 07:27:29   14381   ----a-w-   c:\windows\Tw504b.ini
        2010-01-26 07:27:29   131072   ----a-w-   c:\windows\system32\SP5X_32.DLL
        2010-01-26 07:27:29   10986   ----a-w-   c:\windows\system32\drivers\Bulk504b.sys
        2010-01-26 07:27:29   0   d-----w-   c:\windows\MEGA-DSC
        2010-01-25 10:58:18   479056   ----a-w-   c:\windows\system32\GDIPFONTCACHEV1.DAT
        2010-01-24 17:23:47   0   d-----w-   c:\program files\Pidgin
        2010-01-24 17:23:03   0   d-----w-   c:\program files\common files\GTK
        2010-01-24 07:39:24   0   d-----w-   c:\docume~1\Alex\applic~1\NetMedia Providers
        2010-01-24 06:51:35   0   d-----w-   c:\program files\Vstplugins
        2010-01-24 06:51:04   0   d-----w-   c:\program files\Sony
        2010-01-24 06:44:50   0   d-----w-   c:\program files\Sony Setup
        2010-01-14 06:34:29   0   d-----w-   c:\program files\Yahoo!
        2010-01-12 22:40:56   0   d-----w-   c:\docume~1\Alex\applic~1\AVG9
        2010-01-11 02:34:12   0   d-----w-   c:\docume~1\alluse~1\applic~1\Azureus
        2010-01-11 02:33:44   0   d-----w-   c:\docume~1\Alex\applic~1\Azureus
        2010-01-11 02:28:53   0   d-----w-   c:\program files\Vuze

        ==================== Find3M  ====================

        2010-01-07 21:07:14   38224   ----a-w-   c:\windows\system32\drivers\mbamswissarmy.sys
        2010-01-07 21:07:04   19160   ----a-w-   c:\windows\system32\drivers\mbam.sys
        2009-12-30 20:51:34   25608   ----a-w-   c:\windows\system32\drivers\AVGIDSxx.sys
        2009-12-30 20:51:34   12464   ----a-w-   c:\windows\system32\avgrsstx.dll
        2009-12-30 20:51:33   360584   ----a-w-   c:\windows\system32\drivers\avgtdix.sys
        2009-12-30 20:51:33   161800   ----a-w-   c:\windows\system32\drivers\avgrkx86.sys
        2009-12-30 20:51:24   333192   ----a-w-   c:\windows\system32\drivers\avgldx86.sys
        2009-12-30 20:49:18   50968   ----a-w-   c:\windows\system32\avgfwdx.dll
        2009-12-30 20:49:18   30104   ----a-w-   c:\windows\system32\drivers\avgfwdx.sys
        2009-12-30 09:22:29   223440   ----a-w-   c:\windows\system32\drivers\truecrypt.sys
        2009-12-21 19:14:05   916480   ----a-w-   c:\windows\system32\wininet.dll
        2009-12-20 06:06:39   79416   ----a-w-   c:\windows\fonts\Becker-Bold.ttf
        2009-12-20 06:06:39   55432   ----a-w-   c:\windows\fonts\Becker_Bold.ttf
        2009-12-13 17:02:59   92594   ----a-w-   c:\windows\fonts\CCWiccanSansInt-Regular.PFB
        2009-12-13 17:01:58   48972   ----a-w-   c:\windows\fonts\CCAltogetherOoky-Capitals.ttf
        2009-12-13 17:00:58   60835   ----a-w-   c:\windows\fonts\CCExterminate-AllOfThem.PFB
        2009-12-13 16:59:58   45876   ----a-w-   c:\windows\fonts\CCCutthroatInt-Regular.ttf
        2009-12-12 22:46:12   21035   ----a-w-   c:\windows\system32\drivers\AegisP.sys
        2009-12-09 18:57:52   306688   ----a-w-   c:\windows\IsUninst.exe
        2009-12-08 23:33:17   2554   ----a-w-   c:\windows\system32\tmp.reg
        2009-12-08 20:48:01   380928   ----a-w-   c:\windows\SynCor.exe
        2009-12-08 20:48:01   299520   ----a-w-   c:\windows\uninst.exe
        2009-12-05 17:02:33   45816   ----a-w-   c:\windows\fonts\euronymous-fo+st.ttf
        2009-12-03 01:37:40   46504   ----a-w-   c:\windows\fonts\Formal_436_BT.ttf
        2009-12-02 11:18:36   55324   ----a-w-   c:\windows\fonts\Cooper_Md_BT_Medium.ttf
        2009-12-02 11:13:11   76000   ----a-w-   c:\windows\fonts\ANNA____.ttf
        2009-11-30 01:08:17   507392   ----a-w-   c:\windows\system32\AutoPartNt.exe
        2009-11-30 00:42:48   37888   ----a-w-   c:\windows\system32\setupnt.dll
        2009-11-30 00:42:47   126976   ----a-w-   c:\windows\system32\snapapi.dll
        2009-11-14 00:47:32   90112   ----a-w-   c:\windows\system32\dpl100.dll
        2009-11-14 00:47:28   856064   ----a-w-   c:\windows\system32\divx_xx0c.dll
        2009-11-14 00:47:28   856064   ----a-w-   c:\windows\system32\divx_xx07.dll
        2009-11-14 00:47:28   847872   ----a-w-   c:\windows\system32\divx_xx0a.dll
        2009-11-14 00:47:28   843776   ----a-w-   c:\windows\system32\divx_xx16.dll
        2009-11-14 00:47:28   839680   ----a-w-   c:\windows\system32\divx_xx11.dll
        2009-11-14 00:47:28   696320   ----a-w-   c:\windows\system32\DivX.dll
        2006-05-03 09:06:54   163328   --sha-r-   c:\windows\system32\flvDX.dll
        2009-08-23 00:35:38   952   --sha-w-   c:\windows\system32\KGyGaAvL.sys
        2007-02-21 10:47:16   31232   --sh--r-   c:\windows\system32\msfDX.dll
        2008-03-16 12:30:52   216064   --sha-r-   c:\windows\system32\nbDX.dll

        ============= FINISH: 20:27:47.01 ===============

evilfantasy

        Re: corrupted exes (control.exe mmc.exe)
        « Reply #5 on: February 10, 2010, 12:03:44 PM »
        Your Java is out of date.
         
        Older versions have vulnerabilities that malicious sites can use to infect your system.
         
        First install the new Sun Java Runtime Environment

        Note: UNCHECK any pre-checked toolbar and/or software offered with the Java update. The pre-checked toolbars/software are not part of the Java update.

        Be sure to close all browser windows before beginning the install.
         
        Remove the old version(s)
         
        Download JavaRa
        * Unzip the file and open the JavaRa.exe
        * Click Remove Older Versions
        * JavaRa will search for and remove any outdated version of Java and remove any that are found.
        * Click Additional Tasks
        * Place a check next to Remove Useless JRE Files and click Go
        * Exit JavaRa
        * Delete the JavaRa files from the desktop

        Additional Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click OK and restart your computer.

        ----------

        If you already have ComboFix be sure to delete it and download a new copy.

Download ComboFix© by sUBs from one of the below links. Be sure to save it to the Desktop.

        Link #1
        Link #2

        **Note:  It is important that it is saved directly to your Desktop

        DO NOT run it yet!

        Note: the below instructions were created specifically for this user. If you are not this user, DO NOT follow these directions as they could damage the workings of your system

        Temporarily disable your antivirus and any antispyware real time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.

        Delete these files/folders, as follows:

        1. Go to Start > Run > type Notepad.exe and click OK to open Notepad.
        It must be Notepad, not Wordpad.
        2. Copy the text in the below code box by highlighting all the text and pressing Ctrl+C

Code:
        KillAll::

        Driver::
        gxal
        aic32p

        DDS::
        TB: {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - No File
        TB: {338B4DFE-2E2C-4338-9E41-E176D497299E} - No File
        EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
        uRun: [cleansweep.exe] c:\cleansweep.exe\cleansweep.exe


        3. Go to the Notepad window and click Edit > Paste
        4. Then click File > Save
        5. Name the file CFScript.txt - Save the file to your Desktop
        6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!



        ComboFix will begin to execute, just follow the prompts.
        After reboot (in case it asks to reboot), it will produce a log for you.
        Post that log (Combofix.txt) in your next reply.

        Note: Do not mouseclick ComboFix's window while it is running. That may cause your system to freeze
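As an added example (not part of DDS, ComboFix, or anything evilfantasy posted), here is a small Python triage script that parses lines from the "SERVICES / DRIVERS" section of the DDS log above and flags the entries a malware-removal helper would look at first: services whose image file DDS could not locate (the `--> ... [?]` form; the two names in the `Driver::` section above are exactly such entries) and a Windows system-binary name living outside system32, which is my own heuristic rather than a DDS rule. The sample lines are copied from the log above.

```python
"""Triage helper for the 'SERVICES / DRIVERS' section of a DDS log.

Added example for this thread; it is not part of DDS, ComboFix or the
poster's own tooling.  DDS prints one service/driver per line as

    R0 Name;Display Name;c:\\path\\file.sys [2009-12-30 25608]
    S0 Name;Display Name;c:\\path\\file.sys --> c:\\path\\file.sys [?]

where the leading letter is R (running) or S (stopped), the digit is the
start type, and '[?]' replaces date/size when the file could not be found.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# <state><start type> <service name>;<display name>;<image path> [<date> <size>]
LINE_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.+)$"
)

START_TYPES = {"0": "boot", "1": "system", "2": "auto", "3": "manual", "4": "disabled"}

# Heuristic inputs (my own choices, not DDS rules): core Windows binaries
# that are only expected under the system directory on a 32-bit XP box.
SYSTEM_BINARIES = {"svchost.exe", "lsass.exe", "services.exe", "csrss.exe", "winlogon.exe"}
SYSTEM_DIR = "c:\\windows\\system32\\"


@dataclass
class ServiceEntry:
    state: str            # "R" running or "S" stopped
    start: str            # boot / system / auto / manual / disabled
    name: str             # service key name (what CFScript's Driver:: refers to)
    display: str
    path: str             # normalised, lower-cased image path
    file_found: bool      # False when DDS printed "[?]" instead of date and size
    flags: List[str] = field(default_factory=list)


def normalise_path(path: str) -> str:
    """Strip the NT object-manager prefix (\\??\\) and lower-case the path."""
    path = path.strip()
    if path.lower().startswith("\\??\\"):
        path = path[4:]
    return path.lower()


def parse_service_line(line: str) -> Optional[ServiceEntry]:
    """Parse one DDS service/driver line; return None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    # Split off the trailing "[date size]" or "[?]" bracket.
    path_part, _, bracket = m.group("rest").rpartition(" [")
    file_found = bracket.rstrip("]").strip() != "?"
    # "registered path --> resolved path": keep the resolved form on the right.
    if " --> " in path_part:
        path_part = path_part.split(" --> ", 1)[1]
    return ServiceEntry(
        state=m.group("state"),
        start=START_TYPES.get(m.group("start"), m.group("start")),
        name=m.group("name").strip(),
        display=m.group("display").strip(),
        path=normalise_path(path_part),
        file_found=file_found,
    )


def triage(entry: ServiceEntry) -> ServiceEntry:
    """Attach review flags to an entry; an empty flags list means 'looks ordinary'."""
    if not entry.file_found:
        entry.flags.append("image file not found (orphaned or hidden service entry)")
    filename = entry.path.rsplit("\\", 1)[-1]
    if filename in SYSTEM_BINARIES and not entry.path.startswith(SYSTEM_DIR):
        entry.flags.append(f"{filename} registered outside {SYSTEM_DIR}")
    return entry


def triage_dds_services(text: str) -> List[ServiceEntry]:
    """Return only the entries that picked up at least one flag, in log order."""
    findings = []
    for line in text.splitlines():
        entry = parse_service_line(line)
        if entry is not None and triage(entry).flags:
            findings.append(entry)
    return findings


# Constructed sample: a handful of lines copied from the DDS log in this thread.
SAMPLE_DDS = r"""
R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [2009-12-30 161800]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-6-23 9968]
R2 avg9wd;AVG WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2009-12-30 285392]
S0 gxal;gxal;c:\windows\system32\drivers\naaajasa.sys --> c:\windows\system32\drivers\naaajasa.sys [?]
S2 PowerManager;Power Manager;c:\windows\svchost.exe --> c:\windows\svchost.exe [?]
S3 aic32p;aic32p;\??\c:\windows\system32\drivers\ipfmpo.sys --> c:\windows\system32\drivers\ipfmpo.sys [?]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-1-25 42000]
"""

if __name__ == "__main__":
    for hit in triage_dds_services(SAMPLE_DDS):
        print(f"{hit.state}{hit.start:<8} {hit.name:<14} {hit.path}")
        for flag in hit.flags:
            print(f"    - {flag}")
```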

desudesu

          Re: corrupted exes (control.exe mmc.exe)
          « Reply #6 on: February 10, 2010, 02:24:37 PM »
          ComboFix 10-02-10.01 - Alex 02/10/2010  15:40:14.1.1 - x86
          Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.503.101 [GMT -5:00]
          Running from: c:\documents and settings\Alex\Desktop\ComboFix.exe
          Command switches used :: c:\documents and settings\Alex\Desktop\CFScript.txt
          AV: AVG Internet Security *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
          FW: AVG Firewall *enabled* {8decf618-9569-4340-b34a-d78d28969b66}
          .

          (((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
          .

          c:\program files\temp
          c:\program files\temp\Admin.exe
          c:\program files\temp\Message.ini
          c:\program files\temp\MSG.INI
          c:\program files\temp\MSG_CHS.INI
          c:\program files\temp\MSG_CHT.INI
          c:\program files\temp\MSG_KOR.INI
          C:\Thumbs.db
          c:\windows\patchw.dll
          c:\windows\system32\404Fix.exe
          c:\windows\system32\Agent.OMZ.Fix.exe
          c:\windows\system32\dumphive.exe
          c:\windows\system32\IEDFix.C.exe
          c:\windows\system32\IEDFix.exe
          c:\windows\system32\o4Patch.exe
          c:\windows\system32\Process.exe
          c:\windows\system32\SrchSTS.exe
          c:\windows\system32\tmp.reg
          c:\windows\system32\VACFix.exe
          c:\windows\system32\VCCLSID.exe
          c:\windows\system32\vm.exe
          c:\windows\system32\WS2Fix.exe

          Infected copy of c:\windows\system32\Drivers\atapi.sys was found and disinfected
          Restored copy from - c:\windows\ServicePackFiles\i386\atapi.sys

          Infected copy of c:\windows\system32\mmc.exe was found and disinfected
          Restored copy from - c:\windows\system32\dllcache\mmc.exe

          .
          (((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
          .

          -------\Legacy_AIC32P
          -------\Legacy_POWERMANAGER
          -------\Service_aic32p
          -------\Service_gxal
          -------\Service_PowerManager


          (((((((((((((((((((((((((   Files Created from 2010-01-10 to 2010-02-10  )))))))))))))))))))))))))))))))
          .

          2010-02-10 20:13 . 2010-02-10 20:13   411368   ----a-w-   c:\windows\system32\deploytk.dll
          2010-02-09 19:20 . 2010-02-09 19:20   --------   d-----w-   c:\program files\Trend Micro
          2010-02-09 18:50 . 2010-02-10 17:32   --------   d-----w-   c:\documents and settings\Administrator\Application Data\Orbit
          2010-02-07 21:47 . 2010-02-07 21:47   --------   d-----w-   c:\documents and settings\Administrator\Application Data\Malwarebytes
          2010-02-07 21:41 . 2010-02-07 21:41   --------   d-sh--w-   c:\documents and settings\Administrator\IETldCache
          2010-02-06 05:08 . 2010-02-06 05:08   --------   d-----w-   c:\program files\Common Files\Adobe AIR
          2010-02-05 18:21 . 2010-02-05 18:21   --------   d-----w-   c:\documents and settings\Alex\Application Data\Subversion
          2010-02-05 18:19 . 2010-02-05 18:20   --------   d-----w-   c:\program files\GUI Design Studio
          2010-02-03 10:49 . 2010-02-09 22:11   --------   d-----w-   c:\documents and settings\Alex\Local Settings\Application Data\LogMeIn Hamachi
          2010-02-03 10:49 . 2010-02-10 21:00   --------   d-----w-   c:\documents and settings\NetworkService\Local Settings\Application Data\LogMeIn Hamachi
          2010-02-03 10:47 . 2010-02-03 10:47   --------   d-----w-   c:\program files\LogMeIn Hamachi
          2010-01-29 21:12 . 2010-02-06 05:10   --------   d-----w-   c:\documents and settings\All Users\Application Data\Electronic Arts
          2010-01-29 21:12 . 2010-01-29 21:12   --------   d-----w-   C:\ProgramData
          2010-01-29 21:08 . 2008-09-04 20:11   447752   ----a-r-   c:\windows\system32\vp6vfw.dll
          2010-01-29 21:08 . 2010-01-29 21:08   --------   d-----w-   c:\program files\Microsoft WSE
          2010-01-29 20:49 . 2010-01-29 21:09   --------   d-----w-   c:\program files\Electronic Arts
          2010-01-27 01:03 . 2010-01-27 01:03   --------   d-----w-   c:\documents and settings\All Users\Application Data\Kazaa
          2010-01-27 00:27 . 2010-01-27 00:27   --------   d-----w-   c:\documents and settings\Alex\Application Data\Kazaa Lite
          2010-01-27 00:27 . 2010-01-27 00:27   --------   d-----w-   c:\program files\Kazaa Lite K++
          2010-01-26 23:56 . 2010-01-26 23:56   --------   d-----w-   C:\My Shared Folder
          2010-01-26 23:56 . 2010-01-26 23:59   --------   d-----w-   c:\program files\Torrent Searcher 9.0
          2010-01-26 07:27 . 2010-01-26 07:27   --------   d-----w-   c:\windows\MEGA-DSC
          2010-01-26 07:27 . 2002-10-21 16:37   515803   ----a-w-   c:\windows\system32\drivers\CA504bv.sys
          2010-01-26 07:27 . 2002-09-27 15:34   65536   ----a-w-   c:\windows\PCCam.exe
          2010-01-26 07:27 . 2002-07-25 16:19   10986   ----a-w-   c:\windows\system32\drivers\Bulk504b.sys
          2010-01-26 07:27 . 2002-01-19 20:33   131072   ----a-w-   c:\windows\system32\SP5X_32.DLL
          2010-01-25 10:58 . 2010-01-29 21:11   479056   ----a-w-   c:\windows\system32\GDIPFONTCACHEV1.DAT
          2010-01-24 17:23 . 2010-02-07 23:32   --------   d-----w-   c:\program files\Pidgin
          2010-01-24 17:23 . 2010-01-24 17:23   --------   d-----w-   c:\program files\Common Files\GTK
          2010-01-24 07:39 . 2010-01-24 07:39   --------   d-----w-   c:\documents and settings\Alex\Application Data\NetMedia Providers
          2010-01-24 07:39 . 2010-01-24 07:39   --------   d-----w-   c:\documents and settings\Alex\Application Data\Publish Providers
          2010-01-24 07:38 . 2010-01-24 07:38   --------   d-----w-   c:\documents and settings\Alex\Application Data\Sony
          2010-01-24 07:34 . 2010-01-24 07:40   --------   d-----w-   c:\documents and settings\Alex\Local Settings\Application Data\Sony
          2010-01-24 06:51 . 2010-01-24 06:51   --------   d-----w-   c:\program files\Vstplugins
          2010-01-24 06:51 . 2010-01-24 06:51   --------   d-----w-   c:\program files\Sony
          2010-01-24 06:44 . 2010-01-24 06:44   --------   d-----w-   c:\program files\Sony Setup
          2010-01-14 06:34 . 2010-01-14 06:34   --------   d-----w-   c:\documents and settings\Alex\Local Settings\Application Data\Yahoo
          2010-01-14 06:34 . 2010-01-14 06:35   --------   d-----w-   c:\program files\Yahoo!
          2010-01-12 22:40 . 2010-01-12 22:40   --------   d-----w-   c:\documents and settings\Alex\Application Data\AVG9

          .
          ((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
          .
          2010-02-10 21:03 . 2007-04-29 04:21   --------   d-----w-   c:\documents and settings\Alex\Application Data\Orbit
          2010-02-10 20:15 . 2008-01-04 21:35   --------   d-----w-   c:\program files\Common Files\Java
          2010-02-10 20:12 . 2003-03-11 14:13   --------   d-----w-   c:\program files\Java
          2010-02-10 17:19 . 2009-12-02 00:39   --------   d-----w-   c:\documents and settings\Alex\Application Data\vlc
          2010-02-10 16:43 . 2007-11-03 03:03   --------   d-----w-   c:\documents and settings\Alex\Application Data\.purple
          2010-02-06 19:29 . 2009-07-17 02:50   --------   d-----w-   c:\documents and settings\Alex\Application Data\dvdcss
          2010-02-03 09:30 . 2009-07-20 13:11   --------   d-----w-   c:\documents and settings\All Users\Application Data\DVD Shrink
          2010-02-03 09:29 . 2009-07-20 13:11   --------   d-----w-   c:\program files\DVD Shrink
          2010-02-03 09:23 . 2007-08-11 15:44   --------   d-----w-   c:\documents and settings\Alex\Application Data\DVD Flick
          2010-01-29 20:49 . 2003-03-10 15:01   --------   d--h--w-   c:\program files\InstallShield Installation Information
          2010-01-28 03:08 . 2007-11-04 03:13   --------   d-----w-   c:\documents and settings\Alex\Application Data\gtk-2.0
          2010-01-25 10:58 . 2007-03-26 02:50   8224   -c--a-w-   c:\documents and settings\Alex\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
          2010-01-25 10:50 . 2010-01-11 02:33   --------   d-----w-   c:\documents and settings\Alex\Application Data\Azureus
          2010-01-23 03:38 . 2009-08-11 01:10   --------   d-----w-   c:\documents and settings\Alex\Application Data\Audacity
          2010-01-20 08:21 . 2009-12-15 05:53   --------   d-----w-   c:\documents and settings\Alex\Application Data\BitTyrant
          2010-01-12 10:01 . 2009-12-04 02:44   --------   d-----w-   c:\program files\Malwarebytes' Anti-Malware
          2010-01-11 02:34 . 2010-01-11 02:34   --------   d-----w-   c:\documents and settings\All Users\Application Data\Azureus
          2010-01-11 02:30 . 2010-01-11 02:28   --------   d-----w-   c:\program files\Vuze
          2010-01-09 17:06 . 2010-01-09 17:06   --------   d-----w-   c:\program files\VMware
          2010-01-07 21:07 . 2009-12-04 02:44   38224   ----a-w-   c:\windows\system32\drivers\mbamswissarmy.sys
          2010-01-07 21:07 . 2009-12-04 02:44   19160   ----a-w-   c:\windows\system32\drivers\mbam.sys
          2010-01-03 06:13 . 2010-01-03 06:13   --------   d-----w-   c:\documents and settings\Alex\Application Data\Participatory Culture Foundation
          2010-01-03 06:11 . 2010-01-03 06:11   --------   d-----w-   c:\program files\Combined Community Codec Pack
          2010-01-03 06:11 . 2010-01-03 06:11   --------   d-----w-   c:\program files\Participatory Culture Foundation
          2010-01-03 06:03 . 2009-12-28 04:10   --------   d-----w-   c:\program files\Aegisub
          2010-01-03 02:28 . 2010-01-03 02:25   --------   d-----w-   c:\program files\Common Files\ArcSoft
          2010-01-03 02:28 . 2010-01-03 02:24   --------   d-----w-   c:\program files\ArcSoft
          2010-01-03 02:27 . 2010-01-03 02:26   --------   d-----w-   c:\documents and settings\Alex\Application Data\ArcSoft
          2010-01-03 02:27 . 2010-01-03 02:26   --------   d-----w-   c:\documents and settings\All Users\Application Data\ArcSoft
          2010-01-02 06:56 . 2009-08-21 20:18   --------   d-----w-   c:\documents and settings\NetworkService\Application Data\gtk-2.0
          2010-01-02 03:14 . 2010-01-02 03:14   --------   d-----w-   c:\documents and settings\NetworkService\Application Data\Orbit
          2010-01-01 20:34 . 2010-01-01 20:33   --------   d-----w-   c:\program files\P2PChan
          2010-01-01 18:34 . 2009-08-10 07:30   --------   d-----w-   c:\program files\Unlocker
          2009-12-31 16:50 . 2001-08-23 12:00   353792   ----a-w-   c:\windows\system32\drivers\srv.sys
          2009-12-31 05:07 . 2008-05-25 15:50   --------   d-----w-   c:\program files\MediaCoder
          2009-12-30 21:53 . 2009-12-30 20:17   --------   d-----w-   c:\program files\SUPERAntiSpyware
          2009-12-30 20:51 . 2009-12-30 20:51   25608   ----a-w-   c:\windows\system32\drivers\AVGIDSxx.sys
          2009-12-30 20:51 . 2009-12-30 20:51   12464   ----a-w-   c:\windows\system32\avgrsstx.dll
          2009-12-30 20:51 . 2009-12-30 20:51   360584   ----a-w-   c:\windows\system32\drivers\avgtdix.sys
          2009-12-30 20:51 . 2009-12-30 20:51   161800   ----a-w-   c:\windows\system32\drivers\avgrkx86.sys
          2009-12-30 20:51 . 2009-12-30 20:51   333192   ----a-w-   c:\windows\system32\drivers\avgldx86.sys
          2009-12-30 20:51 . 2009-12-30 20:51   28424   ----a-w-   c:\windows\system32\drivers\avgmfx86.sys
          2009-12-30 20:49 . 2009-12-30 20:49   50968   ----a-w-   c:\windows\system32\avgfwdx.dll
          2009-12-30 20:49 . 2009-12-30 20:49   30104   ----a-w-   c:\windows\system32\drivers\avgfwdx.sys
          2009-12-30 20:49 . 2009-12-30 20:49   --------   d-----w-   c:\program files\AVG
          2009-12-30 20:49 . 2009-12-30 20:49   --------   d-----w-   c:\documents and settings\All Users\Application Data\avg9
          2009-12-30 20:17 . 2009-12-30 20:17   --------   d-----w-   c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
          2009-12-30 20:17 . 2009-12-30 20:17   --------   d-----w-   c:\documents and settings\Alex\Application Data\SUPERAntiSpyware.com
          2009-12-30 20:17 . 2009-12-30 20:17   --------   d-----w-   c:\program files\Common Files\Wise Installation Wizard
          2009-12-30 19:56 . 2009-11-07 21:11   --------   d-----w-   c:\program files\CCleaner
          2009-12-30 19:30 . 2009-11-08 03:46   --------   d-----w-   c:\documents and settings\Alex\Application Data\TrueCrypt
          2009-12-30 09:22 . 2009-12-30 09:22   --------   d-----w-   c:\documents and settings\All Users\Application Data\TrueCrypt
          2009-12-30 09:22 . 2009-11-07 20:51   223440   ----a-w-   c:\windows\system32\drivers\truecrypt.sys
          2009-12-30 01:46 . 2007-07-18 20:31   --------   d-----w-   c:\documents and settings\Alex\Application Data\DMCache
          2009-12-29 16:41 . 2009-08-25 02:42   --------   d-----w-   c:\documents and settings\Alex\Application Data\WinFF
          2009-12-29 14:19 . 2009-12-13 06:29   --------   d-----w-   c:\program files\Xvid
          2009-12-29 05:05 . 2009-12-29 05:05   --------   d-----w-   c:\program files\eRightSoft
          2009-12-28 07:47 . 2007-08-10 20:32   --------   d-----w-   c:\program files\DVD Flick
          2009-12-28 07:36 . 2009-07-20 11:44   --------   d-----w-   c:\program files\Common Files\Webroot Shared
          2009-12-28 04:10 . 2009-12-28 04:10   --------   d-----w-   c:\documents and settings\Alex\Application Data\Aegisub
          2009-12-28 03:59 . 2007-06-23 18:03   --------   d-----w-   c:\documents and settings\Alex\Application Data\uTorrent
          2009-12-27 06:48 . 2009-12-14 11:46   1620552   ----a-w-   c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
          2009-12-27 05:21 . 2009-12-27 05:21   --------   d-----w-   c:\documents and settings\All Users\Application Data\Speed Soft
          2009-12-26 03:13 . 2009-12-26 03:13   --------   d-----w-   c:\documents and settings\Alex\Application Data\JAM Software
          2009-12-23 05:59 . 2009-12-23 05:58   --------   d-----w-   c:\program files\VirtualDubMOD
          2009-12-22 16:48 . 2009-12-15 22:28   --------   d-----w-   c:\program files\MP3Gain
          2009-12-21 19:14 . 2003-03-10 21:03   916480   ----a-w-   c:\windows\system32\wininet.dll
          2009-12-21 14:20 . 2009-12-21 14:20   --------   d-----w-   c:\documents and settings\Alex\Application Data\Obsidium
          2009-12-21 11:31 . 2009-12-21 11:31   --------   d-----w-   c:\program files\FDRLab
          2009-12-18 07:01 . 2009-12-18 07:01   --------   d-----w-   c:\program files\Outspark
          2009-12-17 05:22 . 2007-04-04 01:57   --------   d-----w-   c:\program files\DivX
          2009-12-17 05:22 . 2009-12-17 05:21   --------   d-----w-   c:\program files\Common Files\DivX Shared
          2009-12-16 18:43 . 2003-03-10 21:00   343040   ----a-w-   c:\windows\system32\mspaint.exe
          2009-12-16 02:55 . 2009-12-15 05:53   --------   d-----w-   c:\program files\BitTyrant
          2009-12-16 00:03 . 2009-12-16 00:03   --------   d-----w-   c:\program files\JAM Software
          2009-12-14 07:08 . 2001-08-23 12:00   33280   ----a-w-   c:\windows\system32\csrsrv.dll
          2009-12-13 22:44 . 2009-12-13 22:33   --------   d-----w-   c:\program files\Winnydows
          2009-12-13 06:41 . 2009-12-13 06:40   --------   d-----w-   c:\program files\StaxRip
          2009-12-13 06:28 . 2009-07-19 00:09   --------   d-----w-   c:\program files\AviSynth 2.5
          2009-12-13 04:56 . 2009-12-13 04:56   --------   d-----w-   c:\documents and settings\All Users\Application Data\Soulseek
          2009-12-13 04:55 . 2009-12-03 02:31   --------   d-----w-   c:\documents and settings\Alex\Application Data\DC++
          2009-12-12 22:46 . 2009-12-12 22:46   21035   ----a-w-   c:\windows\system32\drivers\AegisP.sys
          2009-12-12 22:46 . 2009-12-12 22:46   --------   d-----w-   c:\program files\NETGEAR
          2009-12-09 18:57 . 2009-12-09 18:57   306688   ----a-w-   c:\windows\IsUninst.exe
          2009-12-08 20:48 . 2009-12-08 20:48   299520   ----a-w-   c:\windows\uninst.exe
          2009-12-08 20:48 . 2009-12-08 20:48   380928   ----a-w-   c:\windows\SynCor.exe
          2009-12-08 19:27 . 2001-08-23 12:00   2189184   ----a-w-   c:\windows\system32\ntoskrnl.exe
          2009-12-08 18:43 . 2001-08-17 13:48   2066048   ----a-w-   c:\windows\system32\ntkrnlpa.exe
          2009-12-04 18:22 . 2001-08-23 12:00   455424   ----a-w-   c:\windows\system32\drivers\mrxsmb.sys
          2009-11-30 01:08 . 2009-11-30 01:08   507392   ----a-w-   c:\windows\system32\AutoPartNt.exe
          2009-11-30 00:42 . 2009-11-30 00:42   37888   ----a-w-   c:\windows\system32\setupnt.dll
          2009-11-30 00:42 . 2009-11-30 00:42   82464   ----a-w-   c:\windows\system32\drivers\snapman.sys
          2009-11-30 00:42 . 2009-11-30 00:42   126976   ----a-w-   c:\windows\system32\snapapi.dll
          2009-11-27 17:11 . 2003-12-28 19:17   17920   ----a-w-   c:\windows\system32\msyuv.dll
          2009-11-27 17:11 . 2003-12-28 19:17   1291776   ----a-w-   c:\windows\system32\quartz.dll
          2009-11-27 16:07 . 2001-08-23 12:00   28672   ----a-w-   c:\windows\system32\msvidc32.dll
          2009-11-27 16:07 . 2001-08-17 22:36   8704   ----a-w-   c:\windows\system32\tsbyuv.dll
          2009-11-27 16:07 . 2003-03-10 21:00   11264   ----a-w-   c:\windows\system32\msrle32.dll
          2009-11-27 16:07 . 2003-03-10 20:56   84992   ----a-w-   c:\windows\system32\avifil32.dll
          2009-11-27 16:07 . 2001-08-17 22:36   48128   ----a-w-   c:\windows\system32\iyuv_32.dll
          2006-05-03 09:06 . 2009-07-20 18:12   163328   --sha-r-   c:\windows\system32\flvDX.dll
          2009-08-23 00:35 . 2009-07-18 01:03   952   --sha-w-   c:\windows\system32\KGyGaAvL.sys
          2007-02-21 10:47 . 2009-12-29 05:06   31232   --sh--r-   c:\windows\system32\msfDX.dll
          2008-03-16 12:30 . 2009-12-28 05:58   216064   --sha-r-   c:\windows\system32\nbDX.dll
          .

          ------- Sigcheck -------

          [-] 2008-05-18 . 56F4867BAE6FD78E5365A3A7AFA59C82 . 295424 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\termsrv.dll
          [-] 2008-05-18 . 56F4867BAE6FD78E5365A3A7AFA59C82 . 295424 . . [5.1.2600.5512] . . c:\windows\system32\termsrv.dll
          [7] 2004-08-04 . B60C877D16D9C880B952FDA04ADF16E6 . 295424 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\termsrv.dll
          .
          (((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
          .
          .
          *Note* empty entries & legit default entries are not shown
          REGEDIT4

          [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
          "Window Washer"="c:\program files\Webroot\Washer\wwDisp.exe" [2009-12-28 1201152]

          [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
          "DrvLsnr"="c:\program files\Analog Devices\SoundMAX\DrvLsnr.exe" [2002-04-20 69632]
          "IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-09-30 155648]
          "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-09-30 126976]
          "UnlockerAssistant"="c:\program files\Unlocker\UnlockerAssistant.exe" [2009-10-26 15872]
          "Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2010-01-07 429392]
          "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-01-11 246504]

          c:\documents and settings\All Users\Start Menu\Programs\Startup\
          Orbit.lnk - c:\program files\Orbitdownloader\orbitdm.exe [2007-8-9 1667072]

          [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
          "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

          [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
          2009-12-30 20:32   548352   ----a-w-   c:\program files\SUPERAntiSpyware\SASWINLO.DLL

          [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
          2009-12-30 20:51   12464   ----a-w-   c:\windows\system32\avgrsstx.dll

          [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
          2009-12-08 20:44   136192   ----a-w-   c:\program files\iTunes\iTunesHelper.exe

          [HKEY_LOCAL_MACHINE\software\microsoft\security center]
          "AntiVirusOverride"=dword:00000001

          [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
          "EnableFirewall"= 0 (0x0)

          [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
          "c:\\Program Files\\Orbitdownloader\\orbitdm.exe"=
          "c:\\Program Files\\Orbitdownloader\\orbitnet.exe"=
          "c:\\Program Files\\Pidgin\\pidgin.exe"=
          "c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
          "c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
          "c:\\Program Files\\Java\\jre1.6.0_03\\bin\\javaw.exe"=
          "c:\\Program Files\\WinPcap\\rpcapd.exe"=
          "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
          "%windir%\\system32\\sessmgr.exe"=
          "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
          "c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
          "c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
          "h:\\dls\\romz\\emuz\\VisualBoyAdvance\\VisualBoyAdvance.exe"=
          "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
          "c:\\Program Files\\iTunes\\iTunes.exe"=
          "c:\\Program Files\\Ares\\Ares.exe"=
          "c:\\Program Files\\DC++\\DCPlusPlus.exe"=
          "c:\\Program Files\\Ares\\chatServer.exe"=
          "c:\\Program Files\\Soulseek\\slsk.exe"=
          "c:\\Program Files\\BitTyrant\\Azureus.exe"=
          "c:\\Program Files\\Webroot\\Washer\\wwDisp.exe"=
          "c:\\WINDOWS\\system32\\igfxtray.exe"=
          "c:\\Program Files\\Analog Devices\\SoundMAX\\DrvLsnr.exe"=
          "c:\\Program Files\\Malwarebytes' Anti-Malware\\mbamgui.exe"=
          "c:\\Program Files\\eRightSoft\\SUPER\\SUPER.exe"=
          "c:\\WINDOWS\\system32\\taskmgr.exe"=
          "c:\\Program Files\\Unlocker\\UnlockerAssistant.exe"=
          "c:\\Program Files\\Mozilla Firefox\\crashreporter.exe"=
          "c:\\Program Files\\iPod\\bin\\iPodService.exe"=
          "c:\\Program Files\\AVG\\AVG9\\avgam.exe"=
          "c:\\Program Files\\AVG\\AVG9\\avgdiagex.exe"=
          "c:\\Program Files\\AVG\\AVG9\\avgemc.exe"=
          "c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
          "c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=

          [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
          "3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
          "9420:TCP"= 9420:TCP:Red Swoosh
          "5000:UDP"= 5000:UDP:Red Swoosh

          R0 AVGIDSErHrxpx;AVG9IDSErHr;c:\windows\system32\drivers\AVGIDSxx.sys [12/30/2009 3:51 PM 25608]
          R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [12/30/2009 3:51 PM 161800]
          R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [8/4/2007 12:29 PM 685816]
          R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [12/30/2009 3:51 PM 333192]
          R1 AvgTdiX;AVG Network Redirector;c:\windows\system32\drivers\avgtdix.sys [12/30/2009 3:51 PM 360584]
          R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [6/23/2009 11:01 AM 9968]
          R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [6/23/2009 11:01 AM 74480]
          R2 avg9emc;AVG E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [12/30/2009 3:50 PM 906520]
          R2 avg9wd;AVG WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [12/30/2009 3:50 PM 285392]
          R2 avgfws9;AVG Firewall;c:\program files\AVG\AVG9\avgfws9.exe [12/30/2009 3:50 PM 2304192]
          R2 AVGIDSAgent;AVG9IDSAgent;c:\program files\AVG\AVG9\Identity Protection\Agent\Bin\AVGIDSAgent.exe [12/30/2009 3:50 PM 5832712]
          R2 Hamachi2Svc;LogMeIn Hamachi 2.0 Tunneling Engine;c:\program files\LogMeIn Hamachi\hamachi-2.exe [10/29/2009 12:27 PM 1074568]
          R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [12/3/2009 9:44 PM 236368]
          R2 wwEngineSvc;Window Washer Engine;c:\program files\Webroot\Washer\WasherSvc.exe [7/20/2009 6:44 AM 598856]
          R3 Avgfwdx;Avgfwdx;c:\windows\system32\drivers\avgfwdx.sys [12/30/2009 3:49 PM 30104]
          R3 AVGIDSDriverxpx;AVG9IDSDriver;c:\program files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSDriver.sys [12/30/2009 3:50 PM 122376]
          R3 AVGIDSFilterxpx;AVG9IDSFilter;c:\program files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSFilter.sys [12/30/2009 3:50 PM 30216]
          R3 AVGIDSShimxpx;AVG9IDSShim;c:\program files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSShim.sys [12/30/2009 3:50 PM 25736]
          R3 KeyScrambler;KeyScrambler;c:\windows\system32\drivers\keyscrambler.sys [8/9/2007 4:43 PM 113896]
          R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [12/3/2009 9:44 PM 19160]
          R3 RTLWUSB;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter NT Driver;c:\windows\system32\drivers\wg111v2.sys [12/12/2009 5:46 PM 272128]
          R3 vaxscsi;vaxscsi;c:\windows\system32\drivers\vaxscsi.sys [8/8/2007 6:35 AM 223128]
          S3 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwdx.sys [12/30/2009 3:49 PM 30104]
          S3 dsreader;MaxDrive Driver (dsreader.sys);c:\windows\system32\drivers\dsreader.sys [1/2/2001 11:53 PM 19677]
          S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [1/25/2007 12:31 PM 42000]
          S3 S6U12BScanner;MUSTEK 1200 UB Still Image Device Service;c:\windows\system32\drivers\usbscan.sys [12/8/2007 12:20 PM 15104]
          S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [6/23/2009 11:01 AM 7408]
          S3 WUSB54GCv3;Compact Wireless-G USB Network Adapter;c:\windows\system32\drivers\WUSB54GCv3.sys [11/29/2009 10:41 AM 627072]
          S3 XDva281;XDva281;\??\c:\windows\system32\XDva281.sys --> c:\windows\system32\XDva281.sys [?]
          .
          Contents of the 'Scheduled Tasks' folder

          2010-02-08 c:\windows\Tasks\Malwarebytes' Scheduled Update for Alex.job
          - c:\program files\Malwarebytes' Anti-Malware\mbam.exe [2009-12-09 21:07]
          .
          .
          ------- Supplementary Scan -------
          .
          uStart Page = file:///H:/dls/backup/lulz/Anon%20Party%20Hard/anon_partyhard30.swf
          uInternet Settings,ProxyOverride = 127.0.0.1;*.local
          uInternet Settings,ProxyServer = 83.133.119.38:8080
          IE: &Download All with FlashGet - c:\documents and settings\Alex\My Documents\Random Junk\Programs\FlashGet\jc_all.htm
          IE: &Download by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/201
          IE: &Download with FlashGet - c:\documents and settings\Alex\My Documents\Random Junk\Programs\FlashGet\jc_link.htm
          IE: &Grab video by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/204
          IE: Do&wnload selected by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/203
          IE: Down&load all by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/202
          IE: Download FLV video content with IDM - c:\documents and settings\Alex\My Documents\Random Junk\Programs\Internet Download Manager\IEGetVL.htm
          IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
          DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
          FF - ProfilePath - c:\documents and settings\Alex\Application Data\Mozilla\Firefox\Profiles\um5wf9ps.default\
          FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
          FF - component: c:\documents and settings\Alex\Application Data\Mozilla\Firefox\Profiles\um5wf9ps.default\extensions\{81BF1D23-5F17-408D-AC6B-BD6DF7CAF670}\components\XpcomOpusConnector.dll
          FF - component: c:\documents and settings\Alex\Application Data\Mozilla\Firefox\Profiles\um5wf9ps.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\WINNT_x86-msvc\components\ipc.dll
          FF - component: c:\documents and settings\Alex\Application Data\Mozilla\Firefox\Profiles\um5wf9ps.default\extensions\[email protected]\components\KeyScramblerIE.dll
          FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll
          FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
          FF - plugin: c:\program files\Mozilla Firefox\plugins\npyaxmpb.dll
          FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
          .
          - - - - ORPHANS REMOVED - - - -

          HKCU-Run-EA Core - c:\program files\Electronic Arts\EADM\Core.exe
          AddRemove-HP Standard Port Monitor - c:\program files\Hewlett-Packard\HP Standard Port Monitor\Uninst.isu
          AddRemove-RTP - c:\program files\ASCII\RPG Maker 2003\RTP2\uninstall.exe



          **************************************************************************

          catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
          Rootkit scan 2010-02-10 16:00
          Windows 5.1.2600 Service Pack 3 NTFS

          scanning hidden processes ... 

          scanning hidden autostart entries ...

          scanning hidden files ... 

          scan completed successfully
          hidden files: 0

          **************************************************************************

          Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

          device: opened successfully
          user: MBR read successfully
          called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys sptd.sys >>UNKNOWN [0x8338C8AC]<<
          kernel: MBR read successfully
          detected MBR rootkit hooks:
          \Driver\Disk -> CLASSPNP.SYS @ 0xf886af28
          \Driver\ACPI -> ACPI.sys @ 0xf86dbcb8
          \Driver\atapi -> atapi.sys @ 0xf8670b40
          IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0598
           ParseProcedure -> ntoskrnl.exe @ 0x8056ea15
          \Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0598
           ParseProcedure -> ntoskrnl.exe @ 0x8056ea15
          NDIS:  -> SendCompleteHandler -> 0x0
           PacketIndicateHandler -> 0x0
           SendHandler -> 0x0
          user & kernel MBR OK

          **************************************************************************
          .
          --------------------- LOCKED REGISTRY KEYS ---------------------

          [HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\Ø•€|ÿÿÿÿ•€|ù•A~*]
          "AB141C35E9F4BF344B9FC010BB17F68A"=""
          .
          --------------------- DLLs Loaded Under Running Processes ---------------------

          - - - - - - - > 'winlogon.exe'(1252)
          c:\program files\SUPERAntiSpyware\SASWINLO.DLL
          c:\windows\system32\WININET.dll

          - - - - - - - > 'explorer.exe'(3796)
          c:\windows\system32\WININET.dll
          c:\program files\Unlocker\UnlockerHook.dll
          c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
          c:\windows\system32\ieframe.dll
          c:\windows\system32\webcheck.dll
          c:\windows\system32\WPDShServiceObj.dll
          c:\program files\ArcSoft\PhotoImpression 5\share\pihook.dll
          c:\windows\system32\PortableDeviceTypes.dll
          c:\windows\system32\PortableDeviceApi.dll
          c:\program files\SUPERAntiSpyware\SASSEH.DLL
          c:\program files\Microsoft Office\Office12\1033\GrooveIntlResource.dll
          .
          ------------------------ Other Running Processes ------------------------
          .
          c:\program files\AVG\AVG9\avgchsvx.exe
          c:\program files\AVG\AVG9\avgrsx.exe
          c:\program files\AVG\AVG9\avgcsrvx.exe
          c:\windows\system32\netdde.exe
          c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
          c:\windows\system32\bgsvcgen.exe
          c:\program files\Bonjour\mDNSResponder.exe
          c:\program files\Common Files\InterVideo\DeviceService\DevSvc.exe
          c:\program files\AVG\AVG9\avgnsx.exe
          c:\program files\Java\jre6\bin\jqs.exe
          c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
          c:\program files\Analog Devices\SoundMAX\SMAgent.exe
          c:\program files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
          c:\windows\System32\MsPMSPSv.exe
          c:\program files\Windows Media Player\WMPNetwk.exe
          c:\program files\AVG\AVG9\avgcsrvx.exe
          c:\program files\AVG\AVG9\avgcsrvx.exe
          c:\program files\Orbitdownloader\orbitnet.exe
          .
          **************************************************************************
          .
          Completion time: 2010-02-10  16:19:53 - machine was rebooted
          ComboFix-quarantined-files.txt  2010-02-10 21:19

          Pre-Run: 131,014,467,584 bytes free
          Post-Run: 131,102,572,544 bytes free

          WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
          [boot loader]
          timeout=2
          default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
          [operating systems]
          c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
          multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

          Current=2 Default=2 Failed=1 LastKnownGood=4 Sets=1,2,3,4
          - - End Of File - - 8E4CA6C6ECEEAF982CBAD80F99CEB77C

control.exe still won't open properly

evilfantasy

Re: corrupted exes (control.exe mmc.exe)
« Reply #7 on: February 10, 2010, 03:18:30 PM »
          Suspicious file scan

          Please go to Jotti's malware scan
(If more than one file needs to be scanned, they must be done separately and the logs posted for each one)

          * Copy the file path in the below Code box:
Code:
c:\windows\system32\termsrv.dll
* At the upload site, click once inside the window next to Browse.
          * Press Ctrl+V on the keyboard (both at the same time) to paste the file path into the window.
          * Next click Submit file
          * Your file will possibly be entered into a queue which normally takes less than a minute to clear.
          * This will perform a scan across multiple different virus scanning engines.
          * Important: Wait for all of the scanning engines to complete.
          * Once the scan is finished, Copy and then Paste the link in the address bar into your next reply.

          ----------

          Download Rooter.exe to your desktop.

          * Double click Rooter.exe to start the tool.
          * A DOS window will appear and show the scan progress.
          * Once complete a notepad file containing the report will open.
          * Copy & paste the results in your next reply.
          * Close notepad and Rooter will close.

A log will also be saved at C:\Rooter.txt

          ----------

          Please download SystemLook from one of the below links and save it to your desktop.

          Link #1
          Link #2

          Temporarily disable your antivirus and any antispyware real time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.

          * Double-click SystemLook.exe to run it.
          * Copy the contents of the following codebox into the main textfield.

Code:
          :filefind
          control.exe

          * Click the Look button to start the scan.
          * Note: The scan may take some time so please just let it do its work and be patient (or do something else unrelated to the computer).
          * When finished, a notepad window will open with the results of the scan. Please post the log.

          The log can also be found on your desktop entitled SystemLook.txt

desudesu

Re: corrupted exes (control.exe mmc.exe)
« Reply #8 on: February 10, 2010, 03:40:12 PM »
            http://virusscan.jotti.org/en/scanresult/0663266c49f1f2e26f95a158057ef980252cb626/de634f82628724248ed5d969856b86d2ba830f65



            Rooter.exe (v1.0.2) by Eric_71
            .
            SeDebugPrivilege granted successfully ...
            .
            Windows XP . (5.1.2600) Service Pack 3
            [32_bits] - x86 Family 15 Model 2 Stepping 7, GenuineIntel
            .
            [wscsvc] (Security Center) RUNNING (state:4)
            [SharedAccess] RUNNING (state:4)
            Windows Firewall -> Disabled !
            .
            Internet Explorer 8.0.6001.18702
            Mozilla Firefox 3.5.7 (en-US)
            .
            C:\  [Fixed-NTFS] .. ( Total:232 Go - Free:122 Go )
            E:\  [CD_Rom]
            G:\  [CD_Rom]
            H:\  [Fixed-NTFS] .. ( Total:931 Go - Free:672 Go )
            .
            Scan : 17:30.12
            Path : C:\Documents and Settings\Alex\Desktop\Rooter.exe
            User : Alex ( Administrator -> YES )
            .
            ----------------------\\ Processes
            .
            Locked [System Process] (0)
            ______ System (4)
            ______ \SystemRoot\System32\smss.exe (828)
            ______ \??\C:\WINDOWS\system32\csrss.exe (1228)
            ______ \??\C:\WINDOWS\system32\winlogon.exe (1252)
            ______ C:\WINDOWS\system32\services.exe (1296)
            ______ C:\WINDOWS\system32\lsass.exe (1308)
            ______ C:\WINDOWS\system32\svchost.exe (1480)
            ______ C:\WINDOWS\system32\svchost.exe (1548)
            ______ C:\WINDOWS\System32\svchost.exe (288)
            ______ C:\WINDOWS\System32\svchost.exe (368)
            ______ C:\Program Files\AVG\AVG9\avgchsvx.exe (456)
            ______ C:\Program Files\AVG\AVG9\avgrsx.exe (464)
            ______ C:\WINDOWS\system32\svchost.exe (544)
            ______ C:\Program Files\AVG\AVG9\avgcsrvx.exe (764)
            ______ C:\WINDOWS\system32\spoolsv.exe (1604)
            Locked AVGIDSAgent.exe (1644)
            ______ C:\WINDOWS\System32\svchost.exe (1820)
            ______ C:\WINDOWS\system32\netdde.exe (1860)
            ______ C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe (796)
            Locked avgwdsvc.exe (856)
            Locked avgfws9.exe (668)
            ______ C:\WINDOWS\system32\bgsvcgen.exe (1040)
            ______ C:\Program Files\Bonjour\mDNSResponder.exe (1076)
            ______ C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe (1156)
            ______ C:\Program Files\LogMeIn Hamachi\hamachi-2.exe (1652)
            Locked avgam.exe (1132)
            ______ C:\WINDOWS\System32\svchost.exe (1880)
            ______ C:\Program Files\Java\jre6\bin\jqs.exe (2036)
            ______ C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe (2252)
            ______ C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe (2968)
            ______ C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe (3364)
            ______ C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe (3804)
            ______ C:\WINDOWS\System32\svchost.exe (2296)
            ______ C:\WINDOWS\System32\MsPMSPSv.exe (2348)
            ______ C:\Program Files\Webroot\Washer\WasherSvc.exe (2392)
            ______ C:\Program Files\Windows Media Player\WMPNetwk.exe (2988)
            ______ C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe (3420)
            ______ C:\WINDOWS\system32\hkcmd.exe (2628)
            ______ C:\Program Files\Unlocker\UnlockerAssistant.exe (2424)
            ______ C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe (4028)
            ______ C:\Program Files\Common Files\Java\Java Update\jusched.exe (2268)
            ______ C:\Program Files\Webroot\Washer\wwDisp.exe (3260)
            ______ C:\Program Files\Orbitdownloader\orbitdm.exe (2896)
            ______ C:\Program Files\Orbitdownloader\orbitnet.exe (1680)
            ______ C:\WINDOWS\explorer.exe (3796)
            ______ C:\Program Files\Mozilla Firefox\firefox.exe (2548)
            ______ C:\Program Files\AVG\AVG9\avgemc.exe (2064)
            ______ C:\Program Files\AVG\AVG9\avgcsrvx.exe (2996)
            ______ C:\Program Files\AVG\AVG9\avgnsx.exe (2508)
            ______ C:\Program Files\AVG\AVG9\avgcsrvx.exe (1408)
            ______ C:\WINDOWS\system32\notepad.exe (3772)
            ______ C:\Documents and Settings\Alex\Desktop\Rooter.exe (2524)
            .
            ----------------------\\ Device\Harddisk0\
            .
            \Device\Harddisk0 [Sectors : 63 x 512 Bytes]
            .
            \Device\Harddisk0\Partition1 --[ MBR ]-- (Start_Offset:32256 | Length:250056221184)
            .
            ----------------------\\ Scheduled Tasks
            .
            C:\WINDOWS\Tasks\desktop.ini
            C:\WINDOWS\Tasks\Malwarebytes' Scheduled Update for Alex.job
            C:\WINDOWS\Tasks\SA.DAT
            .
            ----------------------\\ Registry
            .
            .
            ----------------------\\ Files & Folders
            .
            .
            ----------------------\\ Scan completed at 17:32.05
            .
            C:\Rooter$\Rooter_1.txt - (10/02/2010 | 17:32.05).c



            SystemLook v1.0 by jpshortstuff (11.01.10)
            Log created at 17:34 on 10/02/2010 by Alex (Administrator - Elevation successful)

            ========== filefind ==========

            Searching for "control.exe"
            C:\WINDOWS\system32\control.exe   --a--- 77824 bytes   [12:00 23/08/2001]   [12:00 23/08/2001] 1B2DE306FEC245B54340ADEF6AF3A460
            C:\WINDOWS\system32\dllcache\control.exe   --a--c 8192 bytes   [12:00 23/08/2001]   [12:00 23/08/2001] 4C6785E3D2E45EE87CB995190A0C7737

            -=End Of File=-

evilfantasy

Re: corrupted exes (control.exe mmc.exe)
« Reply #9 on: February 10, 2010, 03:46:13 PM »
            Scan this file at Jotti and post the link to the results.

            C:\WINDOWS\system32\control.exe

desudesu

Re: corrupted exes (control.exe mmc.exe)
« Reply #10 on: February 10, 2010, 03:53:08 PM »
              http://virusscan.jotti.org/en/scanresult/d8b344f1308fb523d6e57e18e8116d5db04805a5

Most of the scanners seem to think I have Sality or some variant of it (which is strange, considering I got rid of Sality.AA about 4 months ago)

evilfantasy

Re: corrupted exes (control.exe mmc.exe)
« Reply #11 on: February 10, 2010, 04:01:14 PM »
              You didn't get rid of all of it. Sality is very hard to cure and often takes a complete reformat and reinstall to get rid of it.

              Let's see if this will work.

              1. Go to Start > Run > type Notepad.exe and click OK to open Notepad.
              It must be Notepad, not Wordpad.
              2. Copy the text in the below code box by highlighting all the text and pressing Ctrl+C

Code:
              KillAll::

              SkipFix::

              FCopy::
              C:\WINDOWS\system32\dllcache\control.exe | C:\WINDOWS\system32\control.exe


              3. Go to the Notepad window and click Edit > Paste
              4. Then click File > Save
              5. Name the file CFScript.txt - Save the file to your Desktop
              6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!



              ComboFix will begin to execute, just follow the prompts.
              After reboot (in case it asks to reboot), it will produce a log for you.
              Post that log (Combofix.txt) in your next reply.

Note: Do not mouse-click ComboFix's window while it is running. That may cause your system to freeze.
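Added example, not code from this thread or from SystemLook or ComboFix: a small Python parser for the SystemLook filefind lines posted in Reply #8 that compares each system32 file against its dllcache twin by size and MD5, flagging the kind of mismatch that the FCopy step above then repairs. The sample log is copied from that reply; the function and class names are my own.

```python
"""Cross-check SystemLook ':filefind' results against the dllcache copy.

Windows XP keeps a protected copy of system files under system32\\dllcache,
so a system32 binary whose size or MD5 differs from its dllcache twin is
worth a closer look before deciding whether to restore it.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# Sample input copied from the SystemLook log posted earlier in the thread.
SAMPLE_LOG = r"""SystemLook v1.0 by jpshortstuff (11.01.10)
Log created at 17:34 on 10/02/2010 by Alex (Administrator - Elevation successful)

========== filefind ==========

Searching for "control.exe"
C:\WINDOWS\system32\control.exe   --a--- 77824 bytes   [12:00 23/08/2001]   [12:00 23/08/2001] 1B2DE306FEC245B54340ADEF6AF3A460
C:\WINDOWS\system32\dllcache\control.exe   --a--c 8192 bytes   [12:00 23/08/2001]   [12:00 23/08/2001] 4C6785E3D2E45EE87CB995190A0C7737

-=End Of File=-
"""

# One result line: path, attribute flags, size, two timestamps, MD5.
_LINE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?)\s{2,}"
    r"(?P<attrs>[-a-z]{6})\s+"
    r"(?P<size>\d+) bytes\s+"
    r"\[(?P<created>[^\]]+)\]\s+"
    r"\[(?P<modified>[^\]]+)\]\s+"
    r"(?P<md5>[0-9A-Fa-f]{32})\s*$"
)


@dataclass(frozen=True)
class FileEntry:
    path: str
    attrs: str
    size: int
    created: str
    modified: str
    md5: str

    @property
    def name(self) -> str:
        return self.path.rsplit("\\", 1)[-1].lower()

    @property
    def in_dllcache(self) -> bool:
        return "\\dllcache\\" in self.path.lower()


def parse_filefind(text: str) -> List[FileEntry]:
    """Return every result line from a SystemLook filefind section."""
    entries = []
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if m:
            entries.append(FileEntry(
                path=m["path"], attrs=m["attrs"], size=int(m["size"]),
                created=m["created"], modified=m["modified"],
                md5=m["md5"].upper(),
            ))
    return entries


def compare_to_dllcache(entries: List[FileEntry]) -> Dict[str, str]:
    """Map each non-dllcache path to a verdict against its dllcache twin.

    The verdict only says whether the two copies agree; when they differ you
    still need an external check (the Jotti scan in this thread) to learn
    which copy, if either, is the clean one.
    """
    cache: Dict[str, FileEntry] = {e.name: e for e in entries if e.in_dllcache}
    verdicts: Dict[str, str] = {}
    for e in entries:
        if e.in_dllcache:
            continue
        ref = cache.get(e.name)
        if ref is None:
            verdicts[e.path] = "no dllcache copy to compare against"
        elif e.md5 == ref.md5 and e.size == ref.size:
            verdicts[e.path] = "matches dllcache copy"
        else:
            verdicts[e.path] = (
                f"DIFFERS from dllcache copy: size {e.size} vs {ref.size}, "
                f"md5 {e.md5} vs {ref.md5}"
            )
    return verdicts


if __name__ == "__main__":
    for path, verdict in compare_to_dllcache(parse_filefind(SAMPLE_LOG)).items():
        print(f"{path}: {verdict}")
```

A mismatch only proves the two copies differ: the dllcache copy can be infected as well, so restoring from it is only safe once an external scan has cleared it.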

desudesu

Re: corrupted exes (control.exe mmc.exe)
« Reply #12 on: February 10, 2010, 04:56:59 PM »
                ComboFix 10-02-10.01 - Alex 02/10/2010  18:20:38.2.1 - x86
                Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.503.127 [GMT -5:00]
                Running from: c:\documents and settings\Alex\Desktop\ComboFix.exe
                Command switches used :: c:\documents and settings\Alex\Desktop\CFScript.txt
                AV: AVG Internet Security *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
                FW: AVG Firewall *enabled* {8decf618-9569-4340-b34a-d78d28969b66}
                .
                - REDUCED FUNCTIONALITY MODE -
                .

                (((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
                .

                .
                --------------- FCopy ---------------

                c:\windows\system32\dllcache\control.exe --> c:\windows\system32\control.exe
                .
                (((((((((((((((((((((((((   Files Created from 2010-01-10 to 2010-02-10  )))))))))))))))))))))))))))))))
                .

                2010-02-10 22:30 . 2010-02-10 22:32   --------   d-----w-   C:\Rooter$
                2010-02-10 20:13 . 2010-02-10 20:13   411368   ----a-w-   c:\windows\system32\deploytk.dll
                2010-02-09 19:20 . 2010-02-09 19:20   --------   d-----w-   c:\program files\Trend Micro
                2010-02-09 18:50 . 2010-02-10 17:32   --------   d-----w-   c:\documents and settings\Administrator\Application Data\Orbit
                2010-02-07 21:47 . 2010-02-07 21:47   --------   d-----w-   c:\documents and settings\Administrator\Application Data\Malwarebytes
                2010-02-07 21:41 . 2010-02-07 21:41   --------   d-sh--w-   c:\documents and settings\Administrator\IETldCache
                2010-02-06 05:08 . 2010-02-06 05:08   --------   d-----w-   c:\program files\Common Files\Adobe AIR
                2010-02-05 18:21 . 2010-02-05 18:21   --------   d-----w-   c:\documents and settings\Alex\Application Data\Subversion
                2010-02-05 18:19 . 2010-02-05 18:20   --------   d-----w-   c:\program files\GUI Design Studio
                2010-02-03 10:49 . 2010-02-09 22:11   --------   d-----w-   c:\documents and settings\Alex\Local Settings\Application Data\LogMeIn Hamachi
                2010-02-03 10:49 . 2010-02-10 23:26   --------   d-----w-   c:\documents and settings\NetworkService\Local Settings\Application Data\LogMeIn Hamachi
                2010-02-03 10:47 . 2010-02-03 10:47   --------   d-----w-   c:\program files\LogMeIn Hamachi
                2010-01-29 21:12 . 2010-02-06 05:10   --------   d-----w-   c:\documents and settings\All Users\Application Data\Electronic Arts
                2010-01-29 21:12 . 2010-01-29 21:12   --------   d-----w-   C:\ProgramData
                2010-01-29 21:08 . 2008-09-04 20:11   447752   ----a-r-   c:\windows\system32\vp6vfw.dll
                2010-01-29 21:08 . 2010-01-29 21:08   --------   d-----w-   c:\program files\Microsoft WSE
                2010-01-29 20:49 . 2010-01-29 21:09   --------   d-----w-   c:\program files\Electronic Arts
                2010-01-27 01:03 . 2010-01-27 01:03   --------   d-----w-   c:\documents and settings\All Users\Application Data\Kazaa
                2010-01-27 00:27 . 2010-01-27 00:27   --------   d-----w-   c:\documents and settings\Alex\Application Data\Kazaa Lite
                2010-01-27 00:27 . 2010-01-27 00:27   --------   d-----w-   c:\program files\Kazaa Lite K++
                2010-01-26 23:56 . 2010-01-26 23:56   --------   d-----w-   C:\My Shared Folder
                2010-01-26 23:56 . 2010-01-26 23:59   --------   d-----w-   c:\program files\Torrent Searcher 9.0
                2010-01-26 07:27 . 2010-01-26 07:27   --------   d-----w-   c:\windows\MEGA-DSC
                2010-01-26 07:27 . 2002-10-21 16:37   515803   ----a-w-   c:\windows\system32\drivers\CA504bv.sys
                2010-01-26 07:27 . 2002-09-27 15:34   65536   ----a-w-   c:\windows\PCCam.exe
                2010-01-26 07:27 . 2002-07-25 16:19   10986   ----a-w-   c:\windows\system32\drivers\Bulk504b.sys
                2010-01-26 07:27 . 2002-01-19 20:33   131072   ----a-w-   c:\windows\system32\SP5X_32.DLL
                2010-01-25 10:58 . 2010-01-29 21:11   479056   ----a-w-   c:\windows\system32\GDIPFONTCACHEV1.DAT
                2010-01-24 17:23 . 2010-02-07 23:32   --------   d-----w-   c:\program files\Pidgin
                2010-01-24 17:23 . 2010-01-24 17:23   --------   d-----w-   c:\program files\Common Files\GTK
                2010-01-24 07:39 . 2010-01-24 07:39   --------   d-----w-   c:\documents and settings\Alex\Application Data\NetMedia Providers
                2010-01-24 07:39 . 2010-01-24 07:39   --------   d-----w-   c:\documents and settings\Alex\Application Data\Publish Providers
                2010-01-24 07:38 . 2010-01-24 07:38   --------   d-----w-   c:\documents and settings\Alex\Application Data\Sony
                2010-01-24 07:34 . 2010-01-24 07:40   --------   d-----w-   c:\documents and settings\Alex\Local Settings\Application Data\Sony
                2010-01-24 06:51 . 2010-01-24 06:51   --------   d-----w-   c:\program files\Vstplugins
                2010-01-24 06:51 . 2010-01-24 06:51   --------   d-----w-   c:\program files\Sony
                2010-01-24 06:44 . 2010-01-24 06:44   --------   d-----w-   c:\program files\Sony Setup
                2010-01-14 06:34 . 2010-01-14 06:34   --------   d-----w-   c:\documents and settings\Alex\Local Settings\Application Data\Yahoo
                2010-01-14 06:34 . 2010-01-14 06:35   --------   d-----w-   c:\program files\Yahoo!
                2010-01-12 22:40 . 2010-01-12 22:40   --------   d-----w-   c:\documents and settings\Alex\Application Data\AVG9

                .
                ((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
                .
                2010-02-10 23:25 . 2007-04-29 04:21   --------   d-----w-   c:\documents and settings\Alex\Application Data\Orbit
                2010-02-10 20:15 . 2008-01-04 21:35   --------   d-----w-   c:\program files\Common Files\Java
                2010-02-10 20:14 . 2010-02-10 20:14   348160   ----a-w-   c:\documents and settings\Alex\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-221e8639-n\msvcr71.dll
                2010-02-10 20:14 . 2010-02-10 20:14   503808   ----a-w-   c:\documents and settings\Alex\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-221e8639-n\msvcp71.dll
                2010-02-10 20:14 . 2010-02-10 20:14   61440   ----a-w-   c:\documents and settings\Alex\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-50e0af3d-n\decora-sse.dll
                2010-02-10 20:14 . 2010-02-10 20:14   499712   ----a-w-   c:\documents and settings\Alex\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-221e8639-n\jmc.dll
                2010-02-10 20:14 . 2010-02-10 20:14   12800   ----a-w-   c:\documents and settings\Alex\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-50e0af3d-n\decora-d3d.dll
                2010-02-10 20:12 . 2003-03-11 14:13   --------   d-----w-   c:\program files\Java
                2010-02-10 17:19 . 2009-12-02 00:39   --------   d-----w-   c:\documents and settings\Alex\Application Data\vlc
                2010-02-10 16:43 . 2007-11-03 03:03   --------   d-----w-   c:\documents and settings\Alex\Application Data\.purple
                2010-02-10 16:41 . 2010-02-10 16:41   1791   ----a-w-   c:\documents and settings\Alex\Application Data\.purple\certificates\x509\tls_peers\bos.oscar.aol.com
                2010-02-10 16:41 . 2010-02-10 16:41   1505   ----a-w-   c:\documents and settings\Alex\Application Data\.purple\certificates\x509\tls_peers\slogin.oscar.aol.com
                2010-02-10 03:42 . 2010-02-10 03:42   1691   ----a-w-   c:\documents and settings\Alex\Application Data\.purple\certificates\x509\tls_peers\api.screenname.aol.com
                2010-02-06 19:29 . 2009-07-17 02:50   --------   d-----w-   c:\documents and settings\Alex\Application Data\dvdcss
                2010-02-06 05:00 . 2010-02-06 05:09   38784   ----a-w-   c:\documents and settings\Alex\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
                2010-02-06 05:00 . 2010-02-06 05:09   38784   ----a-w-   c:\documents and settings\Default User\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
                2010-02-03 09:30 . 2009-07-20 13:11   --------   d-----w-   c:\documents and settings\All Users\Application Data\DVD Shrink
                2010-02-03 09:29 . 2009-07-20 13:11   --------   d-----w-   c:\program files\DVD Shrink
                2010-02-03 09:23 . 2007-08-11 15:44   --------   d-----w-   c:\documents and settings\Alex\Application Data\DVD Flick
                2010-01-29 21:08 . 2010-01-29 21:08   10134   ----a-r-   c:\documents and settings\Alex\Application Data\Microsoft\Installer\{E3E71D07-CD27-46CB-8448-16D4FB29AA13}\ARPPRODUCTICON.exe
                2010-01-29 20:49 . 2003-03-10 15:01   --------   d--h--w-   c:\program files\InstallShield Installation Information
                2010-01-28 03:08 . 2007-11-04 03:13   --------   d-----w-   c:\documents and settings\Alex\Application Data\gtk-2.0
                2010-01-25 19:32 . 2010-02-08 02:57   114360   ----a-w-   c:\documents and settings\Alex\Application Data\Mozilla\Firefox\Profiles\um5wf9ps.default\extensions\{81BF1D23-5F17-408D-AC6B-BD6DF7CAF670}\components\XpcomOpusConnector.dll
                2010-01-25 10:58 . 2007-03-26 02:50   8224   -c--a-w-   c:\documents and settings\Alex\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
                2010-01-25 10:50 . 2010-01-11 02:33   --------   d-----w-   c:\documents and settings\Alex\Application Data\Azureus
                2010-01-23 03:38 . 2009-08-11 01:10   --------   d-----w-   c:\documents and settings\Alex\Application Data\Audacity
                2010-01-20 08:21 . 2009-12-15 05:53   --------   d-----w-   c:\documents and settings\Alex\Application Data\BitTyrant
                2010-01-14 21:28 . 2010-01-27 16:20   1260800   ----a-w-   c:\documents and settings\All Users\Application Data\avg9\update\backup\avgfrw.exe
                2010-01-14 21:28 . 2010-01-27 16:20   3777280   ----a-w-   c:\documents and settings\All Users\Application Data\avg9\update\backup\setup.exe
                2010-01-12 10:01 . 2009-12-04 02:44   --------   d-----w-   c:\program files\Malwarebytes' Anti-Malware
                2010-01-12 10:00 . 2009-12-13 10:01   5115824   ----a-w-   c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
                2010-01-11 02:34 . 2010-01-11 02:34   --------   d-----w-   c:\documents and settings\All Users\Application Data\Azureus
                2010-01-11 02:30 . 2010-01-11 02:28   --------   d-----w-   c:\program files\Vuze
                2010-01-09 17:06 . 2010-01-09 17:06   --------   d-----w-   c:\program files\VMware
                2010-01-07 21:07 . 2009-12-04 02:44   38224   ----a-w-   c:\windows\system32\drivers\mbamswissarmy.sys
                2010-01-07 21:07 . 2009-12-04 02:44   19160   ----a-w-   c:\windows\system32\drivers\mbam.sys
                2010-01-03 06:13 . 2010-01-03 06:13   --------   d-----w-   c:\documents and settings\Alex\Application Data\Participatory Culture Foundation
                2010-01-03 06:11 . 2010-01-03 06:11   --------   d-----w-   c:\program files\Combined Community Codec Pack
                2010-01-03 06:11 . 2010-01-03 06:11   --------   d-----w-   c:\program files\Participatory Culture Foundation
                2010-01-03 06:03 . 2009-12-28 04:10   --------   d-----w-   c:\program files\Aegisub
                2010-01-03 02:28 . 2010-01-03 02:25   --------   d-----w-   c:\program files\Common Files\ArcSoft
                2010-01-03 02:28 . 2010-01-03 02:24   --------   d-----w-   c:\program files\ArcSoft
                2010-01-03 02:27 . 2010-01-03 02:26   --------   d-----w-   c:\documents and settings\Alex\Application Data\ArcSoft
                2010-01-03 02:27 . 2010-01-03 02:26   --------   d-----w-   c:\documents and settings\All Users\Application Data\ArcSoft
                2010-01-02 06:56 . 2009-08-21 20:18   --------   d-----w-   c:\documents and settings\NetworkService\Application Data\gtk-2.0
                2010-01-02 03:14 . 2010-01-02 03:14   --------   d-----w-   c:\documents and settings\NetworkService\Application Data\Orbit
                2010-01-01 20:34 . 2010-01-01 20:33   --------   d-----w-   c:\program files\P2PChan
                2010-01-01 18:34 . 2009-08-10 07:30   --------   d-----w-   c:\program files\Unlocker
                2009-12-31 16:50 . 2001-08-23 12:00   353792   ----a-w-   c:\windows\system32\drivers\srv.sys
                2009-12-31 08:51 . 2009-12-30 20:35   79488   ----a-w-   c:\documents and settings\Alex\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
                2009-12-31 05:14 . 2009-12-30 20:28   52224   ----a-w-   c:\documents and settings\Alex\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
                2009-12-31 05:14 . 2009-12-30 20:20   117760   ----a-w-   c:\documents and settings\Alex\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
                2009-12-31 05:07 . 2008-05-25 15:50   --------   d-----w-   c:\program files\MediaCoder
                2009-12-30 21:53 . 2009-12-30 20:17   --------   d-----w-   c:\program files\SUPERAntiSpyware
                2009-12-30 20:51 . 2009-12-30 20:51   25608   ----a-w-   c:\windows\system32\drivers\AVGIDSxx.sys
                2009-12-30 20:51 . 2009-12-30 20:51   12464   ----a-w-   c:\windows\system32\avgrsstx.dll
                2009-12-30 20:51 . 2009-12-30 20:51   360584   ----a-w-   c:\windows\system32\drivers\avgtdix.sys
                2009-12-30 20:51 . 2009-12-30 20:51   161800   ----a-w-   c:\windows\system32\drivers\avgrkx86.sys
                2009-12-30 20:51 . 2009-12-30 20:51   333192   ----a-w-   c:\windows\system32\drivers\avgldx86.sys
                2009-12-30 20:51 . 2009-12-30 20:51   28424   ----a-w-   c:\windows\system32\drivers\avgmfx86.sys
                2009-12-30 20:49 . 2009-12-30 20:49   50968   ----a-w-   c:\windows\system32\avgfwdx.dll
                2009-12-30 20:49 . 2009-12-30 20:49   30104   ----a-w-   c:\windows\system32\drivers\avgfwdx.sys
                2009-12-30 20:49 . 2009-12-30 20:49   --------   d-----w-   c:\program files\AVG
                2009-12-30 20:49 . 2009-12-30 20:49   --------   d-----w-   c:\documents and settings\All Users\Application Data\avg9
                2009-12-30 20:17 . 2009-12-30 20:17   --------   d-----w-   c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
                2009-12-30 20:17 . 2009-12-30 20:17   --------   d-----w-   c:\documents and settings\Alex\Application Data\SUPERAntiSpyware.com
                2009-12-30 20:17 . 2009-12-30 20:17   --------   d-----w-   c:\program files\Common Files\Wise Installation Wizard
                2009-12-30 19:56 . 2009-11-07 21:11   --------   d-----w-   c:\program files\CCleaner
                2009-12-30 19:30 . 2009-11-08 03:46   --------   d-----w-   c:\documents and settings\Alex\Application Data\TrueCrypt
                2009-12-30 09:22 . 2009-12-30 09:22   --------   d-----w-   c:\documents and settings\All Users\Application Data\TrueCrypt
                2009-12-30 09:22 . 2009-11-07 20:51   223440   ----a-w-   c:\windows\system32\drivers\truecrypt.sys
                2009-12-30 01:46 . 2007-07-18 20:31   --------   d-----w-   c:\documents and settings\Alex\Application Data\DMCache
                2009-12-29 16:41 . 2009-12-29 16:41   464   ----a-w-   c:\documents and settings\Alex\Application Data\WinFF\ff091229114117.bat
                2009-12-29 16:41 . 2009-08-25 02:42   --------   d-----w-   c:\documents and settings\Alex\Application Data\WinFF
                2009-12-29 14:19 . 2009-12-13 06:29   --------   d-----w-   c:\program files\Xvid
                2009-12-29 05:05 . 2009-12-29 05:05   --------   d-----w-   c:\program files\eRightSoft
                2009-12-28 07:47 . 2007-08-10 20:32   --------   d-----w-   c:\program files\DVD Flick
                2009-12-28 07:36 . 2009-07-20 11:44   --------   d-----w-   c:\program files\Common Files\Webroot Shared
                2009-12-28 04:32 . 2009-12-08 20:20   60928   ----a-w-   c:\documents and settings\Alex\Application Data\Mozilla\Firefox\Profiles\um5wf9ps.default\extensions\[email protected]\installer\setup.exe
                2009-12-28 04:10 . 2009-12-28 04:10   --------   d-----w-   c:\documents and settings\Alex\Application Data\Aegisub
                2009-12-28 03:59 . 2007-06-23 18:03   --------   d-----w-   c:\documents and settings\Alex\Application Data\uTorrent
                2009-12-27 06:48 . 2009-12-14 11:46   1620552   ----a-w-   c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
                2009-12-27 05:21 . 2009-12-27 05:21   --------   d-----w-   c:\documents and settings\All Users\Application Data\Speed Soft
                2009-12-26 03:13 . 2009-12-26 03:13   --------   d-----w-   c:\documents and settings\Alex\Application Data\JAM Software
                2009-12-23 05:59 . 2009-12-23 05:58   --------   d-----w-   c:\program files\VirtualDubMOD
                2009-12-22 16:48 . 2009-12-15 22:28   --------   d-----w-   c:\program files\MP3Gain
                2009-12-22 01:48 . 2009-12-22 01:48   1201   ----a-w-   c:\documents and settings\Alex\Application Data\.purple\certificates\x509\tls_peers\login.facebook.com
                2009-12-21 19:14 . 2003-03-10 21:03   916480   ------w-   c:\windows\system32\wininet.dll
                2009-12-21 14:20 . 2009-12-21 14:20   --------   d-----w-   c:\documents and settings\Alex\Application Data\Obsidium
                2009-12-21 11:31 . 2009-12-21 11:31   --------   d-----w-   c:\program files\FDRLab
                2009-12-18 07:01 . 2009-12-18 07:01   --------   d-----w-   c:\program files\Outspark
                2009-12-17 05:22 . 2007-04-04 01:57   --------   d-----w-   c:\program files\DivX
                2009-12-17 05:22 . 2009-12-17 05:21   --------   d-----w-   c:\program files\Common Files\DivX Shared
                2009-12-16 18:43 . 2003-03-10 21:00   343040   ----a-w-   c:\windows\system32\mspaint.exe
                2009-12-16 02:55 . 2009-12-15 05:53   --------   d-----w-   c:\program files\BitTyrant
                2009-12-16 00:03 . 2009-12-16 00:03   --------   d-----w-   c:\program files\JAM Software
                2009-12-14 07:08 . 2001-08-23 12:00   33280   ----a-w-   c:\windows\system32\csrsrv.dll
                2009-12-14 03:19 . 2009-12-14 03:19   78336   ----a-w-   c:\documents and settings\Alex\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\fpupdatepl\fpupdatepl.exe
                2009-12-13 22:44 . 2009-12-13 22:33   --------   d-----w-   c:\program files\Winnydows
                2009-12-13 06:41 . 2009-12-13 06:40   --------   d-----w-   c:\program files\StaxRip
                2006-05-03 09:06 . 2009-07-20 18:12   163328   --sha-r-   c:\windows\system32\flvDX.dll
                2009-08-23 00:35 . 2009-07-18 01:03   952   --sha-w-   c:\windows\system32\KGyGaAvL.sys
                2007-02-21 10:47 . 2009-12-29 05:06   31232   --sh--r-   c:\windows\system32\msfDX.dll
                2008-03-16 12:30 . 2009-12-28 05:58   216064   --sha-r-   c:\windows\system32\nbDX.dll
                .

                ------- Sigcheck -------

                [-] 2008-05-18 . 56F4867BAE6FD78E5365A3A7AFA59C82 . 295424 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\termsrv.dll
                [-] 2008-05-18 . 56F4867BAE6FD78E5365A3A7AFA59C82 . 295424 . . [5.1.2600.5512] . . c:\windows\system32\termsrv.dll
                [7] 2004-08-04 . B60C877D16D9C880B952FDA04ADF16E6 . 295424 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\termsrv.dll
                .
                (((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
                .
                .
                *Note* empty entries & legit default entries are not shown
                REGEDIT4

                [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
                "Window Washer"="c:\program files\Webroot\Washer\wwDisp.exe" [2009-12-28 1201152]

                [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
                "DrvLsnr"="c:\program files\Analog Devices\SoundMAX\DrvLsnr.exe" [2002-04-20 69632]
                "IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-09-30 155648]
                "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-09-30 126976]
                "UnlockerAssistant"="c:\program files\Unlocker\UnlockerAssistant.exe" [2009-10-26 15872]
                "Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2010-01-07 429392]
                "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-01-11 246504]

                c:\documents and settings\All Users\Start Menu\Programs\Startup\
                Orbit.lnk - c:\program files\Orbitdownloader\orbitdm.exe [2007-8-9 1667072]

                [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
                "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

                [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
                2009-12-30 20:32   548352   ----a-w-   c:\program files\SUPERAntiSpyware\SASWINLO.DLL

                [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
                2009-12-30 20:51   12464   ----a-w-   c:\windows\system32\avgrsstx.dll

                [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
                2009-12-08 20:44   136192   ----a-w-   c:\program files\iTunes\iTunesHelper.exe

                [HKEY_LOCAL_MACHINE\software\microsoft\security center]
                "AntiVirusOverride"=dword:00000001

                [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
                "EnableFirewall"= 0 (0x0)

                [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
                "c:\\Program Files\\Orbitdownloader\\orbitdm.exe"=
                "c:\\Program Files\\Orbitdownloader\\orbitnet.exe"=
                "c:\\Program Files\\Pidgin\\pidgin.exe"=
                "c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
                "c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
                "c:\\Program Files\\Java\\jre1.6.0_03\\bin\\javaw.exe"=
                "c:\\Program Files\\WinPcap\\rpcapd.exe"=
                "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
                "%windir%\\system32\\sessmgr.exe"=
                "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
                "c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
                "c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
                "h:\\dls\\romz\\emuz\\VisualBoyAdvance\\VisualBoyAdvance.exe"=
                "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
                "c:\\Program Files\\iTunes\\iTunes.exe"=
                "c:\\Program Files\\Ares\\Ares.exe"=
                "c:\\Program Files\\DC++\\DCPlusPlus.exe"=
                "c:\\Program Files\\Ares\\chatServer.exe"=
                "c:\\Program Files\\Soulseek\\slsk.exe"=
                "c:\\Program Files\\BitTyrant\\Azureus.exe"=
                "c:\\Program Files\\Webroot\\Washer\\wwDisp.exe"=
                "c:\\WINDOWS\\system32\\igfxtray.exe"=
                "c:\\Program Files\\Analog Devices\\SoundMAX\\DrvLsnr.exe"=
                "c:\\Program Files\\Malwarebytes' Anti-Malware\\mbamgui.exe"=
                "c:\\Program Files\\eRightSoft\\SUPER\\SUPER.exe"=
                "c:\\WINDOWS\\system32\\taskmgr.exe"=
                "c:\\Program Files\\Unlocker\\UnlockerAssistant.exe"=
                "c:\\Program Files\\Mozilla Firefox\\crashreporter.exe"=
                "c:\\Program Files\\iPod\\bin\\iPodService.exe"=
                "c:\\Program Files\\AVG\\AVG9\\avgam.exe"=
                "c:\\Program Files\\AVG\\AVG9\\avgdiagex.exe"=
                "c:\\Program Files\\AVG\\AVG9\\avgemc.exe"=
                "c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
                "c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=

                [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
                "3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
                "9420:TCP"= 9420:TCP:Red Swoosh
                "5000:UDP"= 5000:UDP:Red Swoosh

                R0 AVGIDSErHrxpx;AVG9IDSErHr;c:\windows\system32\drivers\AVGIDSxx.sys [12/30/2009 3:51 PM 25608]
                R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [12/30/2009 3:51 PM 161800]
                R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [8/4/2007 12:29 PM 685816]
                R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [12/30/2009 3:51 PM 333192]
                R1 AvgTdiX;AVG Network Redirector;c:\windows\system32\drivers\avgtdix.sys [12/30/2009 3:51 PM 360584]
                R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [6/23/2009 11:01 AM 9968]
                R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [6/23/2009 11:01 AM 74480]
                R2 avg9emc;AVG E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [12/30/2009 3:50 PM 906520]
                R2 avg9wd;AVG WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [12/30/2009 3:50 PM 285392]
                R2 avgfws9;AVG Firewall;c:\program files\AVG\AVG9\avgfws9.exe [12/30/2009 3:50 PM 2304192]
                R2 AVGIDSAgent;AVG9IDSAgent;c:\program files\AVG\AVG9\Identity Protection\Agent\Bin\AVGIDSAgent.exe [12/30/2009 3:50 PM 5832712]
                R2 Hamachi2Svc;LogMeIn Hamachi 2.0 Tunneling Engine;c:\program files\LogMeIn Hamachi\hamachi-2.exe [10/29/2009 12:27 PM 1074568]
                R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [12/3/2009 9:44 PM 236368]
                R2 wwEngineSvc;Window Washer Engine;c:\program files\Webroot\Washer\WasherSvc.exe [7/20/2009 6:44 AM 598856]
                R3 Avgfwdx;Avgfwdx;c:\windows\system32\drivers\avgfwdx.sys [12/30/2009 3:49 PM 30104]
                R3 AVGIDSDriverxpx;AVG9IDSDriver;c:\program files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSDriver.sys [12/30/2009 3:50 PM 122376]
                R3 AVGIDSFilterxpx;AVG9IDSFilter;c:\program files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSFilter.sys [12/30/2009 3:50 PM 30216]
                R3 AVGIDSShimxpx;AVG9IDSShim;c:\program files\AVG\AVG9\Identity Protection\Agent\Driver\Platform_XP\AVGIDSShim.sys [12/30/2009 3:50 PM 25736]
                R3 KeyScrambler;KeyScrambler;c:\windows\system32\drivers\keyscrambler.sys [8/9/2007 4:43 PM 113896]
                R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [12/3/2009 9:44 PM 19160]
                R3 RTLWUSB;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter NT Driver;c:\windows\system32\drivers\wg111v2.sys [12/12/2009 5:46 PM 272128]
                R3 vaxscsi;vaxscsi;c:\windows\system32\drivers\vaxscsi.sys [8/8/2007 6:35 AM 223128]
                S3 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwdx.sys [12/30/2009 3:49 PM 30104]
                S3 dsreader;MaxDrive Driver (dsreader.sys);c:\windows\system32\drivers\dsreader.sys [1/2/2001 11:53 PM 19677]
                S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [1/25/2007 12:31 PM 42000]
                S3 S6U12BScanner;MUSTEK 1200 UB Still Image Device Service;c:\windows\system32\drivers\usbscan.sys [12/8/2007 12:20 PM 15104]
                S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [6/23/2009 11:01 AM 7408]
                S3 WUSB54GCv3;Compact Wireless-G USB Network Adapter;c:\windows\system32\drivers\WUSB54GCv3.sys [11/29/2009 10:41 AM 627072]
                S3 XDva281;XDva281;\??\c:\windows\system32\XDva281.sys --> c:\windows\system32\XDva281.sys [?]
                .
                Contents of the 'Scheduled Tasks' folder

                2010-02-08 c:\windows\Tasks\Malwarebytes' Scheduled Update for Alex.job
                - c:\program files\Malwarebytes' Anti-Malware\mbam.exe [2009-12-09 21:07]
                .
                .
                ------- Supplementary Scan -------
                .
                uStart Page = file:///H:/dls/backup/lulz/Anon%20Party%20Hard/anon_partyhard30.swf
                uInternet Settings,ProxyOverride = 127.0.0.1;*.local
                uInternet Settings,ProxyServer = 83.133.119.38:8080
                IE: &Download All with FlashGet - c:\documents and settings\Alex\My Documents\Random Junk\Programs\FlashGet\jc_all.htm
                IE: &Download by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/201
                IE: &Download with FlashGet - c:\documents and settings\Alex\My Documents\Random Junk\Programs\FlashGet\jc_link.htm
                IE: &Grab video by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/204
                IE: Do&wnload selected by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/203
                IE: Down&load all by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/202
                IE: Download FLV video content with IDM - c:\documents and settings\Alex\My Documents\Random Junk\Programs\Internet Download Manager\IEGetVL.htm
                IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
                DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
                FF - ProfilePath - c:\documents and settings\Alex\Application Data\Mozilla\Firefox\Profiles\um5wf9ps.default\
                FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
                FF - component: c:\documents and settings\Alex\Application Data\Mozilla\Firefox\Profiles\um5wf9ps.default\extensions\{81BF1D23-5F17-408D-AC6B-BD6DF7CAF670}\components\XpcomOpusConnector.dll
                FF - component: c:\documents and settings\Alex\Application Data\Mozilla\Firefox\Profiles\um5wf9ps.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\WINNT_x86-msvc\components\ipc.dll
                FF - component: c:\documents and settings\Alex\Application Data\Mozilla\Firefox\Profiles\um5wf9ps.default\extensions\[email protected]\components\KeyScramblerIE.dll
                FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll
                FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
                FF - plugin: c:\program files\Mozilla Firefox\plugins\npyaxmpb.dll
                FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
                .

                **************************************************************************

                catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
                Rootkit scan 2010-02-10 18:28
                Windows 5.1.2600 Service Pack 3 NTFS

                scanning hidden processes ... 

                scanning hidden autostart entries ...

                scanning hidden files ... 

                scan completed successfully
                hidden files: 0

                **************************************************************************

                Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

                device: opened successfully
                user: MBR read successfully
                called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys sptd.sys >>UNKNOWN [0x8338C8AC]<<
                kernel: MBR read successfully
                detected MBR rootkit hooks:
                \Driver\Disk -> CLASSPNP.SYS @ 0xf8845f28
                \Driver\ACPI -> ACPI.sys @ 0xf86b6cb8
                \Driver\atapi -> atapi.sys @ 0xf864bb40
                IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0598
                 ParseProcedure -> ntoskrnl.exe @ 0x8056ea15
                \Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0598
                 ParseProcedure -> ntoskrnl.exe @ 0x8056ea15
                NDIS:  -> SendCompleteHandler -> 0x0
                 PacketIndicateHandler -> 0x0
                 SendHandler -> 0x0
                user & kernel MBR OK

                **************************************************************************
                .
                --------------------- LOCKED REGISTRY KEYS ---------------------

                [HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\Ø•€|ÿÿÿÿ•€|ù•A~*]
                "AB141C35E9F4BF344B9FC010BB17F68A"=""
                .
                --------------------- DLLs Loaded Under Running Processes ---------------------

                - - - - - - - > 'winlogon.exe'(1280)
                c:\program files\SUPERAntiSpyware\SASWINLO.DLL
                c:\windows\system32\WININET.dll

                - - - - - - - > 'explorer.exe'(3024)
                c:\windows\system32\WININET.dll
                c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
                c:\windows\system32\ieframe.dll
                c:\windows\system32\webcheck.dll
                c:\windows\system32\WPDShServiceObj.dll
                c:\program files\ArcSoft\PhotoImpression 5\share\pihook.dll
                c:\windows\system32\PortableDeviceTypes.dll
                c:\windows\system32\PortableDeviceApi.dll
                .
                ------------------------ Other Running Processes ------------------------
                .
                c:\program files\AVG\AVG9\avgchsvx.exe
                c:\program files\AVG\AVG9\avgrsx.exe
                c:\program files\AVG\AVG9\avgcsrvx.exe
                c:\windows\system32\netdde.exe
                c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
                c:\windows\system32\bgsvcgen.exe
                c:\program files\Bonjour\mDNSResponder.exe
                c:\program files\Orbitdownloader\orbitnet.exe
                c:\program files\Common Files\InterVideo\DeviceService\DevSvc.exe
                c:\program files\Java\jre6\bin\jqs.exe
                c:\program files\AVG\AVG9\avgnsx.exe
                c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
                c:\program files\Analog Devices\SoundMAX\SMAgent.exe
                c:\program files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
                c:\program files\AVG\AVG9\avgcsrvx.exe
                c:\windows\System32\MsPMSPSv.exe
                c:\program files\AVG\AVG9\avgcsrvx.exe
                .
                **************************************************************************
                .
                Completion time: 2010-02-10  18:38:28 - machine was rebooted
                ComboFix-quarantined-files.txt  2010-02-10 23:38
                ComboFix2.txt  2010-02-10 21:19

                Pre-Run: 131,112,927,232 bytes free
                Post-Run: 131,073,851,392 bytes free

                Current=2 Default=2 Failed=1 LastKnownGood=4 Sets=1,2,3,4
                - - End Of File - - 245C9D80C4F7FF37AAD040A286EFFD43



                It seems to have worked. Nothing's unexpectedly terminating; control.exe and mmc.exe both work. Thanks for the help!
                « Last Edit: February 10, 2010, 05:24:43 PM by desudesu »
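A way to pull the settings an analyst checks first out of a ComboFix log like the one above, as an added example that is not part of the original post or of ComboFix itself. The sample lines are excerpted from the log pasted above (the Sigcheck entries, the Security Center and firewall keys, two service lines and the IE proxy setting). The meaning given to the `[-]` status marker (hash not in ComboFix's known-good set) and to a trailing `[?]` on a service line (ComboFix could not read the file) is this example's reading of the format, not a documented specification.

```python
"""Triage the security-relevant lines of a ComboFix log.

Added example for this thread, not part of ComboFix or of the original post.
SAMPLE is excerpted from the log above; '[-]' is read as "hash not in
ComboFix's reference set" and a trailing '[?]' on a service line as "file
could not be read" (this example's interpretation, not a ComboFix spec).
"""
import re

SAMPLE = r"""
------- Sigcheck -------

[-] 2008-05-18 . 56F4867BAE6FD78E5365A3A7AFA59C82 . 295424 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\termsrv.dll
[-] 2008-05-18 . 56F4867BAE6FD78E5365A3A7AFA59C82 . 295424 . . [5.1.2600.5512] . . c:\windows\system32\termsrv.dll
[7] 2004-08-04 . B60C877D16D9C880B952FDA04ADF16E6 . 295424 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\termsrv.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [8/4/2007 12:29 PM 685816]
S3 XDva281;XDva281;\??\c:\windows\system32\XDva281.sys --> c:\windows\system32\XDva281.sys [?]
.
uInternet Settings,ProxyOverride = 127.0.0.1;*.local
uInternet Settings,ProxyServer = 83.133.119.38:8080
"""

# Line shapes as they appear in the log: "[status] date . MD5 . size . . [version] . . path"
SIGCHECK_RE = re.compile(
    r"^\[(?P<status>[^\]]*)\]\s+(?P<date>\S+)\s+\.\s+(?P<md5>[0-9A-Fa-f]{32})\s+\.\s+"
    r"(?P<size>\d+)\s+\.\s+\.\s+\[(?P<version>[^\]]*)\]\s+\.\s+\.\s+(?P<path>.+)$"
)
REG_KEY_RE = re.compile(r"^\[(?P<key>HK[^\]]+)\]$", re.IGNORECASE)
REG_VAL_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<value>.*)$')
SERVICE_RE = re.compile(r"^(?P<start>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.+)$")
PROXY_RE = re.compile(r"^uInternet Settings,ProxyServer\s*=\s*(?P<proxy>\S+)$")


def parse_sigcheck(lines):
    """One dict per Sigcheck line: status, date, md5, size, version, path."""
    return [m.groupdict() for m in map(SIGCHECK_RE.match, lines) if m]


def parse_reg_values(lines):
    """Map each [HK...] key (lower-cased) to its "name"=value entries."""
    values, key = {}, None
    for line in lines:
        m = REG_KEY_RE.match(line)
        if m:
            key = m.group("key").lower()
            values.setdefault(key, {})
            continue
        m = REG_VAL_RE.match(line)
        if m and key is not None:
            values[key][m.group("name")] = m.group("value").strip()
        elif not line:
            key = None  # a blank line closes the block
    return values


def reg_dword(value):
    """Parse ComboFix's renderings of a REG_DWORD: 'dword:00000001' or '0 (0x0)'."""
    m = re.match(r"dword:([0-9A-Fa-f]+)$", value)
    if m:
        return int(m.group(1), 16)
    m = re.match(r"(\d+)", value)
    return int(m.group(1)) if m else None


def triage(log_text):
    """Return (severity, message) findings for the settings an analyst checks first."""
    lines = [ln.strip() for ln in log_text.splitlines()]
    findings = []
    for f in parse_sigcheck(lines):
        if f["status"] == "-":  # hash not in ComboFix's known-good set
            findings.append(("high", f"sigcheck mismatch: {f['path']} [{f['version']}] md5={f['md5']}"))
    for key, vals in parse_reg_values(lines).items():
        if key.endswith("security center") and reg_dword(vals.get("AntiVirusOverride", "")) == 1:
            findings.append(("high", "Security Center AntiVirusOverride=1: AV status alerts suppressed"))
        if key.endswith(r"firewallpolicy\standardprofile") and reg_dword(vals.get("EnableFirewall", "")) == 0:
            findings.append(("medium", "Windows Firewall disabled (EnableFirewall=0, standard profile)"))
        if key.endswith(r"globallyopenports\list"):
            findings.extend(("medium", f"globally open port {name}") for name in vals)
    for line in lines:
        m = SERVICE_RE.match(line)
        if m and m.group("rest").endswith("[?]"):  # ComboFix could not read the driver file
            findings.append(("medium", f"service {m.group('name')} -> unreadable file: {m.group('rest')}"))
        m = PROXY_RE.match(line)
        if m and m.group("proxy").rsplit(":", 1)[0] not in ("127.0.0.1", "localhost"):
            findings.append(("high", f"IE proxy points at an external host: {m.group('proxy')}"))
    return findings


if __name__ == "__main__":
    for severity, message in triage(SAMPLE):
        print(f"[{severity}] {message}")
```

Run against the full log this flags the two termsrv.dll Sigcheck entries, the AntiVirusOverride and EnableFirewall values, the globally open port rules (3389/TCP and the two Red Swoosh entries), the XDva281 driver whose file was not found, and the IE proxy at 83.133.119.38:8080. That proxy is worth confirming with the user: the ProxyOverride value only exempts loopback and *.local, so every other browser request goes through that external host, a pattern commonly used to intercept traffic.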

                evilfantasy

                Re: corrupted exes (control.exe mmc.exe)
                « Reply #13 on: February 10, 2010, 05:38:45 PM »
                The termsrv.dll is also infected, so it needs to be replaced.

                Enable viewing of hidden system files & folders XP

                1. Click Start.
                2. Select Control Panel.
                3. Select the Tools menu and click Folder Options.
                4. Select the View Tab.
                5. Under the Hidden files and folders heading select Show hidden files and folders.
                6. Uncheck the Hide extensions for known file types option.
                7. Uncheck the Hide protected operating system files (recommended) option.
                8. Click Apply.
                9. Click OK.

                ----------

                Go here and download the termsrv.dll to your desktop. http://www.dlldump.com/download-dll-files_new.php/dllfiles/T/termsrv.dll/5.1.2600.2180/download.html

                Then find the infected file in the system32 folder:

                c:\windows\system32\termsrv.dll. Right-click it and choose Rename. Rename it to termsrv.old.

                Then immediately go to the desktop, right-click the termsrv.dll you downloaded and choose Cut.

                Go back to the system32 folder. At the top of the screen choose Edit > Paste.

                Let me know when that is done.
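The swap described in the reply above, done with a hash check in front of it, as an added example that is neither the forum's nor Microsoft's tooling. The reference MD5 and size are copied from the `[7]` Sigcheck line in the log (termsrv.dll 5.1.2600.2180, the same build the download link offers), so a downloaded replacement can be compared against a value the log already provides before it goes into system32. The demo works on temp files standing in for c:\windows\system32; it touches no real system file.

```python
r"""Replace a system DLL only after the replacement matches a known-good reference.

Added example for this thread, not tooling from the forum or from Microsoft.
TERMSRV_2180 is copied from the [7] Sigcheck line in the log above; demo()
swaps temp files standing in for c:\windows\system32 (constructed data).
"""
import hashlib
import os
import shutil
import tempfile

# From the ComboFix Sigcheck section above:
# [7] 2004-08-04 . B60C877D16D9C880B952FDA04ADF16E6 . 295424 . . [5.1.2600.2180] . . ...\termsrv.dll
TERMSRV_2180 = {"md5": "B60C877D16D9C880B952FDA04ADF16E6", "size": 295424}


def md5_of(path):
    """Upper-case MD5 hex digest, matching the Sigcheck notation."""
    h = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest().upper()


def reference_for(path):
    """Pin a file you trust as a {'md5', 'size'} reference entry."""
    return {"md5": md5_of(path), "size": os.path.getsize(path)}


def matches_reference(path, ref):
    """True only when both size and MD5 agree with the reference."""
    return os.path.getsize(path) == ref["size"] and md5_of(path) == ref["md5"]


def replace_verified(target, replacement, ref, backup_suffix=".old"):
    """Rename target to target.old and move replacement into place, but only
    if replacement matches ref. Returns False (target untouched) otherwise."""
    if not matches_reference(replacement, ref):
        return False
    backup = target + backup_suffix
    if os.path.exists(backup):
        raise FileExistsError(f"refusing to overwrite existing backup {backup}")
    os.rename(target, backup)
    shutil.move(replacement, target)
    return True


def demo():
    """Constructed scenario: a bad termsrv.dll, a trusted download, and a
    same-size tampered copy. Returns the checks a test can assert on."""
    tmpdir = tempfile.mkdtemp()
    try:
        target = os.path.join(tmpdir, "termsrv.dll")
        good = os.path.join(tmpdir, "termsrv_download.dll")
        bad = os.path.join(tmpdir, "termsrv_tampered.dll")
        for path, data in ((target, b"INFECTED" * 64), (good, b"GOOD" * 128), (bad, b"GOOD" * 127 + b"EVIL")):
            with open(path, "wb") as fh:
                fh.write(data)
        ref = reference_for(good)  # the hash we decided to trust
        before = md5_of(target)
        refused = replace_verified(target, bad, ref)  # same size, wrong hash
        untouched = md5_of(target) == before
        accepted = replace_verified(target, good, ref)
        return {
            "refused": refused,
            "untouched_after_refusal": untouched,
            "accepted": accepted,
            "target_matches_ref": matches_reference(target, ref),
            "backup_is_original": md5_of(target + ".old") == before,
        }
    finally:
        shutil.rmtree(tmpdir)


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {ok}")
```

On the real machine the call is `replace_verified(r"c:\windows\system32\termsrv.dll", downloaded_path, TERMSRV_2180)`, run from an elevated prompt. Re-run `matches_reference` on the system32 copy after the swap and again after the next reboot: on XP, Windows File Protection can put a protected file back from its dllcache copy, and the re-check shows whether the file you installed is still the one in place.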