Computer Hope

Software => Computer viruses and spyware => Topic started by: KayleyBug on February 16, 2010, 02:24:48 AM

Title: Your system is infected! (Please help if you can)
Post by: KayleyBug on February 16, 2010, 02:24:48 AM
My laptop suddenly acquired a virus which I think I got when my friend used it and opened a song attached to an email she had. Many programs won't open or run, for example Paint won't work but Word will open.
Some sites make the internet close itself, for example AVG, and sometimes when I try to download anti-virus programs they won't load.
I have tried the 6 steps advised, however I was unable to do some as the virus won't let me.

Superantispyware, for example, won't install or open (it starts to load and then just disappears), and it won't let me update Java.

The background of my desktop is permanently green with the message 'YOUR SYSTEM IS INFECTED! System has been stopped due to a serious malfunction. Spyware activity has been detected. It is recommended to use spyware removal tool to prevent data loss. Do not use the computer before all spyware removed.'
The poor grammar gives it away as being fake. Also an icon appeared in my toolbar (I think that's what it's called? next to the battery symbol on the bottom right) that was round and red with a white X, that kept popping up and warning me that I had a trojan and to click it for anti-spyware. That was also part of the virus, I believe, and has stopped popping up since running some of the recommended programs, but the background is still the same.

I will post the two logs I do have:

Malwarebytes' Anti-Malware 1.44
Database version: 3510
Windows 5.1.2600 Service Pack 2 (Safe Mode)
Internet Explorer 7.0.5730.13

15/02/2010 23:13:56
mbam-log-2010-02-15 (23-13-56).txt

Scan type: Quick Scan
Objects scanned: 119792
Time elapsed: 4 minute(s), 12 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 5
Registry Values Infected: 5
Registry Data Items Infected: 11
Folders Infected: 1
Files Infected: 17

Memory Processes Infected:
C:\WINDOWS\system32\smss32.exe (Trojan.FakeAlert) -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\The Weather Channel (Adware.Hotbar) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\z1jipsibfe (Trojan.FakeAlert.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss32.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss32.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\naprav2 (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\uid (Malware.Trace) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: sprecf.dll  -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.FakeAlert) -> Data: c:\windows\system32\winlogon32.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.FakeAlert) -> Data: system32\winlogon32.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.UserInit) -> Bad: (C:\WINDOWS\system32\winlogon32.exe) Good: (userinit.exe) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\activedesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
C:\WINDOWS\system32\lowsec (Stolen.data) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\sprecf.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\Documents and Settings\All Users\Application Data\rspgjclg\nmjgvydu.exe (Trojan.FakeAlert.H) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\51.tmp (Trojan.Waledac) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\52.tmp (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\wpv771266066426.exe (Trojan.Waledac) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lowsec\local.ds (Stolen.data) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lowsec\user.ds (Stolen.data) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lowsec\user.ds.lll (Stolen.data) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\smss32.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\helper32.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\Winlogon32.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\lyesys32.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Application Data\wiaserva.log (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\wpv231266168394.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\wpv421265883176.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\wpv851265213601.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\41.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.


******************************************************************



Symantec W32.Netsky FixTool 1.13.0


C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Messenger\[email protected]\SharingMetadata\[email protected]\DFSR\Staging\CS{E93D9B0A-9E3D-07AC-6A4B-33F3AED6B808}\01\11-{E93D9B0A-9E3D-07AC-6A4B-33F3AED6B808}-v1-{E4B48C66-6217-4F8A-B588-32CD3169E251}-v11-Downloaded.frx (WARNING: not scanned, path to long)
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Messenger\[email protected]\SharingMetadata\[email protected]\DFSR\Staging\CS{E93D9B0A-9E3D-07AC-6A4B-33F3AED6B808}\12\25-{913F0070-4EE3-4BBC-A6AD-A44D8290110C}-v12-{E4B48C66-6217-4F8A-B588-32CD3169E251}-v25-Downloaded.frx (WARNING: not scanned, path to long)
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Messenger\[email protected]\SharingMetadata\[email protected]\DFSR\Staging\CS{E93D9B0A-9E3D-07AC-6A4B-33F3AED6B808}\13\13-{913F0070-4EE3-4BBC-A6AD-A44D8290110C}-v13-{913F0070-4EE3-4BBC-A6AD-A44D8290110C}-v13-Downloaded.frx (WARNING: not scanned, path to long)
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Messenger\[email protected]\SharingMetadata\[email protected]\DFSR\Staging\CS{E93D9B0A-9E3D-07AC-6A4B-33F3AED6B808}\14\14-{913F0070-4EE3-4BBC-A6AD-A44D8290110C}-v14-{913F0070-4EE3-4BBC-A6AD-A44D8290110C}-v14-Downloaded.frx (WARNING: not scanned, path to long)
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Messenger\[email protected]\SharingMetadata\[email protected]\DFSR\Staging\CS{E93D9B0A-9E3D-07AC-6A4B-33F3AED6B808}\15\15-{913F0070-4EE3-4BBC-A6AD-A44D8290110C}-v15-{913F0070-4EE3-4BBC-A6AD-A44D8290110C}-v15-Downloaded.frx (WARNING: not scanned, path to long)
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Messenger\[email protected]\SharingMetadata\[email protected]\DFSR\Staging\CS{E93D9B0A-9E3D-07AC-6A4B-33F3AED6B808}\16\16-{913F0070-4EE3-4BBC-A6AD-A44D8290110C}-v16-{913F0070-4EE3-4BBC-A6AD-A44D8290110C}-v16-Downloaded.frx (WARNING: not scanned, path to long)
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Messenger\[email protected]\SharingMetadata\[email protected]\DFSR\Staging\CS{E93D9B0A-9E3D-07AC-6A4B-33F3AED6B808}\17\17-{913F0070-4EE3-4BBC-A6AD-A44D8290110C}-v17-{913F0070-4EE3-4BBC-A6AD-A44D8290110C}-v17-Downloaded.frx (WARNING: not scanned, path to long)
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Messenger\[email protected]\SharingMetadata\[email protected]\DFSR\Staging\CS{E93D9B0A-9E3D-07AC-6A4B-33F3AED6B808}\18\18-{913F0070-4EE3-4BBC-A6AD-A44D8290110C}-v18-{913F0070-4EE3-4BBC-A6AD-A44D8290110C}-v18-Partial.frx (WARNING: not scanned, path to long)
C:\Documents and Settings\Administrator\My Documents\My Music\iTunes\iTunes Music\SCANDAL\BEST?SCANDAL: (not scanned)
C:\Documents and Settings\Administrator\My Documents\My Music\iTunes\iTunes Music\??: (not scanned)
C:\Program Files\Crayon Physics Deluxe: (not scanned)
C:\Program Files\Deskshare: (not scanned)
C:\RECYCLER\S-1-5-21-893622875-1752805829-1147589580-500\Dc192\boards\standard: (not scanned)
C:\RECYCLER\S-1-5-21-893622875-1752805829-1147589580-500\Dc192\mus: (not scanned)
C:\RECYCLER\S-1-5-21-893622875-1752805829-1147589580-500\Dc192\sfx: (not scanned)
C:\RECYCLER\S-1-5-21-893622875-1752805829-1147589580-500\Dc193: (not scanned)
C:\RECYCLER\S-1-5-21-893622875-1752805829-1147589580-500\Dc194: (not scanned)
C:\RECYCLER\S-1-5-21-893622875-1752805829-1147589580-500\Dc195: (not scanned)
C:\RECYCLER\S-1-5-21-893622875-1752805829-1147589580-500\Dc196: (not scanned)
C:\RECYCLER\S-1-5-21-893622875-1752805829-1147589580-500\Dc197: (not scanned)
C:\RECYCLER\S-1-5-21-893622875-1752805829-1147589580-500\Dc198: (not scanned)
C:\RECYCLER\S-1-5-21-893622875-1752805829-1147589580-500\Dc199: (not scanned)
C:\RECYCLER\S-1-5-21-893622875-1752805829-1147589580-500\Dc200: (not scanned)
C:\RECYCLER\S-1-5-21-893622875-1752805829-1147589580-500\Dc201: (not scanned)
C:\RECYCLER\S-1-5-21-893622875-1752805829-1147589580-500\Dc202: (not scanned)
C:\System Recovery: (not scanned)
C:\System Volume Information: (not scanned)
E:\System Volume Information: (not scanned)
W32.Netsky has not been found on your computer.


Any help you can give me would be genuinely appreciated, I really need my laptop for uni and it's a nightmare at the moment because I can't do any work or use the internet as I'm scared it will steal my passwords! If there's anything on my laptop you're not happy about me having (e.g. something I've downloaded in the past and forgotten about so it's floating about somewhere) then I'll be happy to delete it immediately. Thank you so much in advance for your help.

Kayley
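Added example, not part of the thread and not Malwarebytes' own code: a small Python parser for the line layout of the MBAM 1.x log pasted above, run over a constructed excerpt modelled on that log. For each item it extracts the detection name and the final action, lists what is still pending until reboot ("Delete on reboot."), and pulls out the Bad/Good pairs, which are the registry values behind the symptoms described in the post (locked wallpaper, Task Manager disabled, Userinit replaced). The field names and helper functions are my own; only the line layout is taken from the posted log.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed excerpt in the layout of a Malwarebytes' Anti-Malware 1.x log,
# modelled on the log in the thread (sample data, not a real scan result).
SAMPLE_LOG = r"""
Memory Processes Infected:
C:\WINDOWS\system32\smss32.exe (Trojan.FakeAlert) -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: sprecf.dll  -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.UserInit) -> Bad: (C:\WINDOWS\system32\winlogon32.exe) Good: (userinit.exe) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\sprecf.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\smss32.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
"""

# One log item: "<target> (<detection name>) -> <details ...> -> <final action>"
ITEM_RE = re.compile(r"^(?P<target>.+?) \((?P<name>[^()]+)\) -> (?P<rest>.+)$")
# Registry data items report the hijacked value and the expected one.
BAD_GOOD_RE = re.compile(r"Bad: \((?P<bad>.*?)\) Good: \((?P<good>.*?)\)")


@dataclass
class Finding:
    section: str            # e.g. "Registry Data Items Infected"
    target: str             # file path or registry key/value
    name: str               # detection name, e.g. "Trojan.FakeAlert"
    action: str             # last "->" segment, e.g. "Delete on reboot."
    bad: Optional[str] = None
    good: Optional[str] = None


def parse_mbam_log(text: str) -> List[Finding]:
    """Parse the per-item lines of an MBAM 1.x style log into Finding records."""
    findings: List[Finding] = []
    section = ""
    for raw in text.splitlines():
        line = raw.strip()
        # Skip blank lines and placeholders such as "(No malicious items detected)".
        if not line or line.startswith("("):
            continue
        if line.endswith("Infected:"):
            section = line[:-1]          # section header, e.g. "Files Infected"
            continue
        m = ITEM_RE.match(line)
        if not m:
            continue                     # summary/header lines are not items
        rest = m.group("rest")
        action = re.split(r"\s*->\s*", rest)[-1].strip()
        bg = BAD_GOOD_RE.search(rest)
        findings.append(Finding(section, m.group("target"), m.group("name"), action,
                                bg.group("bad") if bg else None,
                                bg.group("good") if bg else None))
    return findings


def pending_items(findings: List[Finding]) -> List[Finding]:
    """Items the scanner could not remove immediately (e.g. 'Delete on reboot.').
    They are still on the machine until it restarts, so a follow-up scan is needed."""
    return [f for f in findings if "successfully" not in f.action]


def hijacked_settings(findings: List[Finding]) -> Dict[str, Tuple[str, str]]:
    """Map each hijacked registry value name to its (bad, expected) pair."""
    return {f.target.rsplit("\\", 1)[-1]: (f.bad, f.good)
            for f in findings if f.bad is not None}


def summarize_by_family(findings: List[Finding]) -> Counter:
    """Count detections by family, i.e. the prefix before the first dot."""
    return Counter(f.name.split(".")[0] for f in findings)


if __name__ == "__main__":
    found = parse_mbam_log(SAMPLE_LOG)
    print("By family:", dict(summarize_by_family(found)))
    print("Hijacked settings:")
    for value, (bad, good) in hijacked_settings(found).items():
        print(f"  {value}: was {bad!r}, should be {good!r}")
    print("Still pending until reboot:")
    for f in pending_items(found):
        print(f"  {f.target} ({f.name})")
```

The "pending" list is the part worth acting on: anything reported as "Delete on reboot." is still present when the log is written, which is why helpers on these forums ask for a fresh scan after restarting.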
Title: Re: Your system is infected! (Please help if you can)
Post by: KayleyBug on February 16, 2010, 09:50:52 AM
I managed to get to my SUPERAntiSpyware log in Safe Mode (I realised that I'd managed to get it to do a scan last night, but since re-booting after the scan, it will no longer let me open the program.)

I also attempted to install the new version of Java in Safe Mode. It tried to install and would have been successful but unfortunately it can't fully install when the computer is in Safe Mode. (As mentioned above, Java will not open or install or do anything when my laptop is in Normal mode.)  :-\

Here's my SAS scan log, hopefully with all 3 logs you'll now be better equipped to spot any problems. Let me know if you need any further information, of course I understand that going through the logs will take up your time, and that you also have real life to be getting on with, so I appreciate that it will be a few hours/days before I get a response.

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 02/16/2010 at 00:42 AM

Application Version : 4.33.1000

Core Rules Database Version : 4446
Trace Rules Database Version: 1978

Scan type       : Complete Scan
Total Scan Time : 01:13:47

Memory items scanned      : 529
Memory threats detected   : 0
Registry items scanned    : 6045
Registry threats detected : 3
File items scanned        : 81982
File threats detected     : 1

Browser Hijacker.Internet Explorer Zone Hijack
   HKU\S-1-5-21-893622875-1752805829-1147589580-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\is-software-download25.com
   HKU\S-1-5-21-893622875-1752805829-1147589580-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\is-software-download25.com#http

Adware.Tracking Cookie
   C:\Documents and Settings\Administrator\Cookies\[email protected][2].txt

Trojan.DNSChanger-Codec
   HKU\S-1-5-21-893622875-1752805829-1147589580-500\Software\uninstall
Title: Re: Your system is infected! (Please help if you can)
Post by: evilfantasy on February 17, 2010, 03:59:38 PM
If you already have ComboFix be sure to delete it and download a new copy.

Download ComboFix© by sUBs from one of the below links. Be sure to save it to the Desktop.

Link #1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link #2 (http://www.forospyware.com/sUBs/ComboFix.exe)

**Note:  It is important that it is saved directly to your Desktop

Close any open Web browsers. (Firefox, Internet Explorer, etc) before starting ComboFix.

Temporarily disable your antivirus and any antispyware real time protection before performing a scan. Click this link (http://www.bleepingcomputer.com/forums/topic114351.html) to see a list of security programs that should be disabled and how to disable them.
 
Double click combofix.exe & follow the prompts.
Vista users Right-Click on ComboFix.exe and select Run as administrator (you will receive a UAC prompt, please allow it)
When finished ComboFix will produce a log for you.
Post the ComboFix log in your next reply.

Important: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

Remember to re-enable your antivirus and antispyware protection when ComboFix is complete.

If you have problems with ComboFix usage, see How to use ComboFix (http://www.bleepingcomputer.com/combofix/how-to-use-combofix)
Title: Re: Your system is infected! (Please help if you can)
Post by: KayleyBug on February 17, 2010, 04:40:28 PM
Thank you so much for getting back to me.  :D
Combofix wanted to download/install the 'Microsoft Windows recovery console' and I clicked yes but it didn't work, stating that I wasn't connected to the internet. However, I definitely was connected to the internet.  :-\
I've done the scan, results below. Since using Combofix my desktop background is back to normal. I'm guessing the virus is still around though?
I will leave my laptop on for now, and then set it to hibernate if I haven't heard back from you before I go to bed (in case I mess anything up before your next reply).



ComboFix 10-02-12.01 - Kayley E R 17/02/2010  23:16:00.1.1 - x86
Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.895.379 [GMT 0:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Outdated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\ADMINI~1\LOCALS~1\Temp\21303429133.nls
c:\documents and settings\Administrator\Application Data\Microsoft\Windows\import.ocx
c:\documents and settings\Administrator\Application Data\Microsoft\Windows\jsdb.dll
c:\documents and settings\Administrator\Application Data\Microsoft\Windows\mfximport.exe
c:\documents and settings\Administrator\Local Settings\Application Data\{1E6CC85C-AE83-4676-9C1C-B03438E4FBC4}
c:\documents and settings\Administrator\Local Settings\Application Data\{1E6CC85C-AE83-4676-9C1C-B03438E4FBC4}\chrome.manifest
c:\documents and settings\Administrator\Local Settings\Application Data\{1E6CC85C-AE83-4676-9C1C-B03438E4FBC4}\chrome\content\_cfg.js
c:\documents and settings\Administrator\Local Settings\Application Data\{1E6CC85C-AE83-4676-9C1C-B03438E4FBC4}\chrome\content\overlay.xul
c:\documents and settings\Administrator\Local Settings\Application Data\{1E6CC85C-AE83-4676-9C1C-B03438E4FBC4}\install.rdf
c:\documents and settings\Administrator\Local Settings\Temp\21303429133.nls
c:\recycler\S-1-5-21-1340307497-2614723990-4250122306-500
c:\recycler\S-1-5-21-1708537768-602609370-725345543-500
c:\recycler\S-1-5-21-893622875-1752805829-1147589580-1014
c:\windows\msacm32.drv
c:\windows\rasqervy.dll
c:\windows\sdfinacs.dll
c:\windows\sdfixwcs.dll
c:\windows\system32\11478.exe
c:\windows\system32\15724.exe
c:\windows\system32\18467.exe
c:\windows\system32\19169.exe
c:\windows\system32\23281.exe
c:\windows\system32\24464.exe
c:\windows\system32\26500.exe
c:\windows\system32\26962.exe
c:\windows\system32\28145.exe
c:\windows\system32\29358.exe
c:\windows\system32\5705.exe
c:\windows\system32\6334.exe
c:\windows\system32\IS15.exe
c:\windows\system32\warning.html
c:\windows\TEMP\21303429133.nls
c:\windows\ubaxaroyuyevev.dll
c:\windows\wuasirvy.dll

.
(((((((((((((((((((((((((   Files Created from 2010-01-17 to 2010-02-17  )))))))))))))))))))))))))))))))
.

2010-02-15 23:25 . 2010-02-15 23:25   --------   d-----w-   c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-02-15 23:25 . 2010-02-15 23:25   --------   d-----w-   c:\program files\SUPERAntiSpyware
2010-02-15 23:25 . 2010-02-15 23:25   --------   d-----w-   c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2010-02-15 22:38 . 2010-02-15 22:38   --------   d-----w-   c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-02-15 22:37 . 2010-01-07 16:07   38224   ----a-w-   c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-15 22:37 . 2010-02-15 22:37   --------   d-----w-   c:\documents and settings\All Users\Application Data\Malwarebytes
2010-02-15 22:37 . 2010-01-07 16:07   19160   ----a-w-   c:\windows\system32\drivers\mbam.sys
2010-02-15 22:37 . 2010-02-15 22:38   --------   d-----w-   c:\program files\Malwarebytes' Anti-Malware
2010-02-15 22:23 . 2010-02-15 22:23   --------   d-----w-   c:\program files\Trend Micro
2010-02-15 19:28 . 2010-02-15 19:28   552   ----a-w-   c:\windows\system32\d3d8caps.dat
2010-02-15 18:13 . 2010-02-15 18:13   --------   d-----w-   c:\documents and settings\Administrator\Application Data\AVG8
2010-02-04 11:54 . 2010-02-17 23:04   120   ----a-w-   c:\windows\Byipelozu.dat
2010-02-04 11:54 . 2010-02-17 23:04   0   ----a-w-   c:\windows\Esuloso.bin

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-17 23:25 . 2007-05-28 20:32   9517290   ----a-w-   c:\windows\Internet Logs\tvDebug.zip
2010-02-16 16:25 . 2010-02-16 16:27   3221504   ----a-w-   c:\windows\Internet Logs\xDB3.tmp
2010-02-16 00:16 . 2009-05-17 14:44   --------   d-----w-   c:\program files\Xvid
2010-02-16 00:16 . 2007-12-03 15:32   --------   d-----w-   c:\program files\USB Disk Win98 Driver
2010-02-16 00:16 . 2006-07-11 06:12   --------   d-----w-   c:\program files\Windows Media Connect
2010-02-15 23:26 . 2010-02-15 23:26   52224   ----a-w-   c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-02-15 23:26 . 2010-02-15 23:26   117760   ----a-w-   c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-02-15 23:24 . 2010-01-17 12:44   --------   d-----w-   c:\program files\Common Files\Wise Installation Wizard
2010-02-15 23:13 . 2008-10-05 14:53   --------   d-----w-   c:\documents and settings\All Users\Application Data\rspgjclg
2010-02-12 11:42 . 2009-08-09 14:42   0   ----a-w-   c:\documents and settings\Administrator\Local Settings\Application Data\prvlcl.dat
2010-02-10 14:52 . 2007-01-09 11:46   --------   d-----w-   c:\program files\Lx_cats
2010-01-17 12:46 . 2010-01-17 12:46   4   --sh--r-   c:\documents and settings\All Users\Application Data\sysqcl1129139270.dat
2010-01-14 11:12 . 2009-10-04 16:01   181120   ------w-   c:\windows\system32\MpSigStub.exe
2010-01-09 19:53 . 2008-07-31 11:38   --------   d-----w-   c:\program files\Windows Live Safety Center
2009-05-01 21:02 . 2009-05-01 21:02   1044480   ----a-w-   c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-01 21:02 . 2009-05-01 21:02   200704   ----a-w-   c:\program files\mozilla firefox\plugins\ssldivx.dll
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2009-07-26 3883856]
"Kbdgui"="c:\documents and settings\Administrator\Application Data\Adobe\Update\traykbd.dat" [2010-02-16 123392]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WatchDog"="c:\program files\InterVideo\DVD Check\DVDCheck.exe" [2006-03-31 184320]
"LXCFCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\LXCFtime.dll" [2005-07-20 73728]
"Sony Ericsson PC Suite"="c:\program files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2007-03-28 593920]
"USB Storage Toolbox"="c:\windows\UMStor\Res.EXE" [2005-09-14 65536]
"ACQTMOUSE"="c:\program files\Multi-Direction Opitcal Mouse\Multi-Direction Opitcal Mouse\2.0\ACQTMAPP.exe" [2006-12-27 489984]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-03-28 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-03-30 267048]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-04-01 1932568]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-03 866584]
"TrayServer"="c:\program files\MAGIX\Movie_Edit_Pro_15_Download_version\TrayServer.exe" [2008-11-13 90112]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"IMEKRMIG6.1"="c:\windows\ime\imkr6_1\IMEKRMIG.EXE" [2004-08-04 44032]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]

c:\documents and settings\Administrator\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
AOL 9.0 Tray Icon.lnk - c:\program files\AOL 9.0a\aoltray.exe [2007-2-4 156784]
DVD Check.lnk - c:\program files\InterVideo\DVD Check\DVDCheck.exe [2006-10-4 184320]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 14:21   548352   ----a-w-   c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-04-01 11:34   10520   ----a-w-   c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IfxWlxEN]
2006-03-03 15:08   434176   ----a-w-   c:\windows\system32\IfxWlxEN.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\OneCard]
2005-07-25 18:41   40960   ----a-w-   c:\program files\HPQ\IAM\Bin\AsWlnPkg.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\mqsvc.exe"=
"c:\\WINDOWS\\SMINST\\Scheduler.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\AOL 9.0\\waol.exe"=
"c:\\Program Files\\AOL\\RC\\regClient.exe"=
"c:\\Program Files\\AOL 9.0a\\waol.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [01/04/2009 11:34 325640]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [01/04/2009 11:34 108552]
R1 PersonalSecureDrive;PersonalSecureDrive;c:\windows\system32\drivers\psd.sys [29/11/2005 16:56 36768]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [05/01/2010 07:56 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [05/01/2010 07:56 74480]
R2 ASChannel;Local Communication Channel;c:\windows\System32\svchost.exe -k Cognizance [04/08/2004 08:00 14336]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [01/04/2009 11:33 298264]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [03/11/2006 18:19 13592]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [21/10/2005 11:19 36352]
S3 FirebirdServerMAGIXInstance;Firebird Server - MAGIX Instance;c:\program files\MAGIX\Common\Database\bin\fbserver.exe [16/05/2009 15:03 1527900]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [05/01/2010 07:56 7408]
S3 z520bus;Sony Ericsson 520 driver (WDM);c:\windows\system32\drivers\z520bus.sys [26/07/2005 10:13 57648]
S3 z520mdfl;Sony Ericsson 520 USB WMC Modem Filter;c:\windows\system32\drivers\z520mdfl.sys [26/09/2007 13:34 8336]
S3 z520mdm;Sony Ericsson 520 USB WMC Modem Drivers;c:\windows\system32\drivers\z520mdm.sys [26/09/2007 13:34 93488]
S3 z520mgmt;Sony Ericsson 520 USB WMC Device Management Drivers;c:\windows\system32\drivers\z520mgmt.sys [26/09/2007 13:35 84928]
S3 z520obex;Sony Ericsson 520 USB WMC OBEX Interface Drivers;c:\windows\system32\drivers\z520obex.sys [26/09/2007 13:34 82864]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Cognizance   REG_MULTI_SZ      ASChannel
.
Contents of the 'Scheduled Tasks' folder

2010-02-17 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 18:20]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.hp.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = hxxp://www.hp.com/
uInternet Settings,ProxyServer = 127.0.0.1:8080
uInternet Settings,ProxyOverride = local;*.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &AOL Toolbar search - c:\program files\AOL Toolbar\toolbar.dll/SEARCH.HTML
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: buy-internetsecurity10.com
Trusted Zone: buy-is2010.com
Trusted Zone: is-software-download.com
Trusted Zone: is10-soft-download.com
Trusted Zone: buy-internetsecurity10.com
Trusted Zone: buy-is2010.com
DPF: {F8C5C0F1-D884-43EB-A5A0-9E1C4A102FA8} - hxxps://secure.gopetslive.com/dev/GoPetsWeb.cab
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\dlbu8v23.default\
FF - plugin: c:\program files\Common Files\ParallelGraphics\Cortona\npCortona.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-Ymigabobituyi - c:\windows\ubaxaroyuyevev.dll
HKU-Default-RunOnce-RunNarrator - Narrator.exe
AddRemove-Bonus Pack for Super DX-Ball Deluxe_is1 - c:\program files\Super DX-Ball Deluxe\unins001.exe
AddRemove-CDisplay_is1 - c:\program files\CDisplay\unins000.exe
AddRemove-Crayon Physics Deluxe_is1 - c:\program files\Crayon Physics Deluxe\unins000.exe
AddRemove-Digital Media Converter_is1 - c:\program files\Deskshare\Digital Media Converter\unins000.exe
AddRemove-Guitar Pro 4.0 - c:\progra~1\GUITAR~1\UNWISE.EXE
AddRemove-Guitar Pro 5_is1 - c:\program files\Guitar Pro 5\unins000.exe
AddRemove-HijackThis - c:\program files\Trend Micro\HijackThis\HijackThis.exe
AddRemove-LimeWire - c:\program files\LimeWire\uninstall.exe
AddRemove-Pocket Tanks_is1 - c:\program files\Pocket Tanks\unins000.exe
AddRemove-SpeedFan - c:\program files\SpeedFan\uninstall.exe
AddRemove-Super DX-Ball Deluxe_is1 - c:\program files\Super DX-Ball Deluxe\unins000.exe
AddRemove-Super DX-Ball_is1 - c:\program files\Super DX-Ball\unins000.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-17 23:26
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ... 

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
  LXCFCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\LXCFtime.dll,[email protected]???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ... 

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(928)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\Ati2evxx.dll
c:\program files\HPQ\IAM\Bin\AsWlnPkg.dll
c:\windows\system32\IfxWlxEN.dll
c:\program files\HPQ\IAM\Bin\ASChnl.dll
c:\program files\HPQ\IAM\Bin\ItMsg.dll

- - - - - - - > 'explorer.exe'(1632)
c:\program files\HPQ\IAM\Bin\SFSShell.dll
c:\program files\HPQ\IAM\bin\ItMsg.dll
c:\windows\system32\msi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\DllHost.exe
c:\windows\system32\msdtc.exe
c:\program files\Common Files\AOL\ACS\AOLAcsd.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\IFXSPMGT.exe
c:\windows\system32\IFXTCS.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\ProtectTools\Embedded Security Software\PSDsrvc.EXE
c:\progra~1\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\windows\system32\wdfmgr.exe
c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe
c:\windows\system32\mqsvc.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\ProtectTools\Embedded Security Software\PSDrt.exe
c:\program files\HPQ\IAM\bin\asghost.exe
c:\windows\system32\mqtgsvc.exe
c:\windows\system32\wscntfy.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Common Files\Teleca Shared\Generic.exe
c:\program files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
.
**************************************************************************
.
Completion time: 2010-02-17  23:32:55 - machine was rebooted
ComboFix-quarantined-files.txt  2010-02-17 23:32

Pre-Run: 20,770,365,440 bytes free
Post-Run: 20,662,919,168 bytes free

- - End Of File - - 9BCEE55D3BE4497A670308AA97C4A00D
Title: Re: Your system is infected! (Please help if you can)
Post by: evilfantasy on February 17, 2010, 05:18:47 PM
Don't worry about the Recovery Console. You can skip that.


1. Go to Start > Run > type Notepad.exe and click OK to open Notepad.
It must be Notepad, not Wordpad.
2. Copy the text in the below code box by highlighting all the text and pressing Ctrl+C

Code:
KillAll::

DDS::
Trusted Zone: buy-internetsecurity10.com
Trusted Zone: buy-is2010.com
Trusted Zone: is-software-download.com
Trusted Zone: is10-soft-download.com
Trusted Zone: buy-internetsecurity10.com
Trusted Zone: buy-is2010.com

Firefox::
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll

File::
c:\windows\Byipelozu.dat
c:\windows\Esuloso.bin

Folder::
c:\program files\Viewpoint

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Kbdgui"=


3. Go to the Notepad window and click Edit > Paste
4. Then click File > Save
5. Name the file CFScript.txt - Save the file to your Desktop
6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!

(http://img249.imageshack.us/img249/1218/cfscript1.gif)

ComboFix will begin to execute, just follow the prompts.
After reboot (in case it asks to reboot), it will produce a log for you.
Post that log (Combofix.txt) in your next reply.

Note: Do not mouse-click ComboFix's window while it is running. That may cause your system to freeze.

----------

Please go to Start > Run and copy/paste the following blue text, then press Enter:

C:\QooBox\Add-Remove Programs.txt

A text file should open. Please post the contents of that file in your next reply.
Title: Re: Your system is infected! (Please help if you can)
Post by: KayleyBug on February 17, 2010, 05:50:23 PM
New ComboFix log:


ComboFix 10-02-12.01 - Kayley E R 18/02/2010   0:31.2.1 - x86
Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.895.345 [GMT 0:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Outdated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
"c:\windows\Byipelozu.dat"
"c:\windows\Esuloso.bin"
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Viewpoint
c:\program files\Viewpoint\Viewpoint Experience Technology\AxMetaStream.dll
c:\program files\Viewpoint\Viewpoint Experience Technology\AxMetaStream_0305000D.dll
c:\program files\Viewpoint\Viewpoint Experience Technology\ClassIDs.ini
c:\program files\Viewpoint\Viewpoint Experience Technology\ComponentMgr_0305001C.dll
c:\program files\Viewpoint\Viewpoint Experience Technology\ComponentRegistry.ini
c:\program files\Viewpoint\Viewpoint Experience Technology\Components\AOLArt.dll
c:\program files\Viewpoint\Viewpoint Experience Technology\Components\AOLShell.dll
c:\program files\Viewpoint\Viewpoint Experience Technology\Components\AOLUserShell.dll
c:\program files\Viewpoint\Viewpoint Experience Technology\Components\Cursors.dll
c:\program files\Viewpoint\Viewpoint Experience Technology\Components\DataTracking.dll
c:\program files\Viewpoint\Viewpoint Experience Technology\Components\GifReader.dll
c:\program files\Viewpoint\Viewpoint Experience Technology\Components\JpegReader.dll
c:\program files\Viewpoint\Viewpoint Experience Technology\Components\LensFlares.dll
c:\program files\Viewpoint\Viewpoint Experience Technology\Components\Mts3Reader.dll
c:\program files\Viewpoint\Viewpoint Experience Technology\Components\ObjectMovie.dll
c:\program files\Viewpoint\Viewpoint Experience Technology\Components\SceneComponent.dll
c:\program files\Viewpoint\Viewpoint Experience Technology\Components\ServiceComponent.dll
c:\program files\Viewpoint\Viewpoint Experience Technology\Components\SreeDMMX.dll
c:\program files\Viewpoint\Viewpoint Experience Technology\Components\SWFView.dll
c:\program files\Viewpoint\Viewpoint Experience Technology\Components\VectorView.dll
c:\program files\Viewpoint\Viewpoint Experience Technology\Components\VMPAudio.dll
c:\program files\Viewpoint\Viewpoint Experience Technology\Components\VMPExtras.dll
c:\program files\Viewpoint\Viewpoint Experience Technology\Components\VMPSpeech.dll
c:\program files\Viewpoint\Viewpoint Experience Technology\Components\VMPVideo.dll
c:\program files\Viewpoint\Viewpoint Experience Technology\Components\WaveletReader.dll
c:\program files\Viewpoint\Viewpoint Experience Technology\Components\ZoomView.dll
c:\program files\Viewpoint\Viewpoint Experience Technology\DownLoadHist.ini
c:\program files\Viewpoint\Viewpoint Experience Technology\HostRegistry.ini
c:\program files\Viewpoint\Viewpoint Experience Technology\MetaStreamConfig.ini
c:\program files\Viewpoint\Viewpoint Experience Technology\MetaStreamID.ini
c:\program files\Viewpoint\Viewpoint Experience Technology\MtsAxInstaller.exe
c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.xpt
c:\windows\Byipelozu.dat
c:\windows\Esuloso.bin

.
(((((((((((((((((((((((((   Files Created from 2010-01-18 to 2010-02-18  )))))))))))))))))))))))))))))))
.

2010-02-15 23:25 . 2010-02-15 23:25   --------   d-----w-   c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-02-15 23:25 . 2010-02-15 23:25   --------   d-----w-   c:\program files\SUPERAntiSpyware
2010-02-15 23:25 . 2010-02-15 23:25   --------   d-----w-   c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2010-02-15 22:38 . 2010-02-15 22:38   --------   d-----w-   c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-02-15 22:37 . 2010-01-07 16:07   38224   ----a-w-   c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-15 22:37 . 2010-02-15 22:37   --------   d-----w-   c:\documents and settings\All Users\Application Data\Malwarebytes
2010-02-15 22:37 . 2010-01-07 16:07   19160   ----a-w-   c:\windows\system32\drivers\mbam.sys
2010-02-15 22:37 . 2010-02-15 22:38   --------   d-----w-   c:\program files\Malwarebytes' Anti-Malware
2010-02-15 22:23 . 2010-02-15 22:23   --------   d-----w-   c:\program files\Trend Micro
2010-02-15 19:28 . 2010-02-15 19:28   552   ----a-w-   c:\windows\system32\d3d8caps.dat
2010-02-15 18:13 . 2010-02-15 18:13   --------   d-----w-   c:\documents and settings\Administrator\Application Data\AVG8

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-17 23:25 . 2007-05-28 20:32   9517290   ----a-w-   c:\windows\Internet Logs\tvDebug.zip
2010-02-16 16:25 . 2010-02-16 16:27   3221504   ----a-w-   c:\windows\Internet Logs\xDB3.tmp
2010-02-16 00:16 . 2009-05-17 14:44   --------   d-----w-   c:\program files\Xvid
2010-02-16 00:16 . 2007-12-03 15:32   --------   d-----w-   c:\program files\USB Disk Win98 Driver
2010-02-16 00:16 . 2006-07-11 06:12   --------   d-----w-   c:\program files\Windows Media Connect
2010-02-15 23:26 . 2010-02-15 23:26   52224   ----a-w-   c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-02-15 23:26 . 2010-02-15 23:26   117760   ----a-w-   c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-02-15 23:24 . 2010-01-17 12:44   --------   d-----w-   c:\program files\Common Files\Wise Installation Wizard
2010-02-15 23:13 . 2008-10-05 14:53   --------   d-----w-   c:\documents and settings\All Users\Application Data\rspgjclg
2010-02-12 11:42 . 2009-08-09 14:42   0   ----a-w-   c:\documents and settings\Administrator\Local Settings\Application Data\prvlcl.dat
2010-02-10 14:52 . 2007-01-09 11:46   --------   d-----w-   c:\program files\Lx_cats
2010-01-17 12:46 . 2010-01-17 12:46   4   --sh--r-   c:\documents and settings\All Users\Application Data\sysqcl1129139270.dat
2010-01-14 11:12 . 2009-10-04 16:01   181120   ------w-   c:\windows\system32\MpSigStub.exe
2010-01-09 19:53 . 2008-07-31 11:38   --------   d-----w-   c:\program files\Windows Live Safety Center
2009-05-01 21:02 . 2009-05-01 21:02   1044480   ----a-w-   c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-01 21:02 . 2009-05-01 21:02   200704   ----a-w-   c:\program files\mozilla firefox\plugins\ssldivx.dll
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2009-07-26 3883856]
"Kbdgui"="c:\documents and settings\Administrator\Application Data\Adobe\Update\traykbd.dat" [2010-02-16 123392]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WatchDog"="c:\program files\InterVideo\DVD Check\DVDCheck.exe" [2006-03-31 184320]
"LXCFCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\LXCFtime.dll" [2005-07-20 73728]
"Sony Ericsson PC Suite"="c:\program files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2007-03-28 593920]
"USB Storage Toolbox"="c:\windows\UMStor\Res.EXE" [2005-09-14 65536]
"ACQTMOUSE"="c:\program files\Multi-Direction Opitcal Mouse\Multi-Direction Opitcal Mouse\2.0\ACQTMAPP.exe" [2006-12-27 489984]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-03-28 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-03-30 267048]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-04-01 1932568]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-03 866584]
"TrayServer"="c:\program files\MAGIX\Movie_Edit_Pro_15_Download_version\TrayServer.exe" [2008-11-13 90112]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"IMEKRMIG6.1"="c:\windows\ime\imkr6_1\IMEKRMIG.EXE" [2004-08-04 44032]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]

c:\documents and settings\Administrator\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
AOL 9.0 Tray Icon.lnk - c:\program files\AOL 9.0a\aoltray.exe [2007-2-4 156784]
DVD Check.lnk - c:\program files\InterVideo\DVD Check\DVDCheck.exe [2006-10-4 184320]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 14:21   548352   ----a-w-   c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-04-01 11:34   10520   ----a-w-   c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IfxWlxEN]
2006-03-03 15:08   434176   ----a-w-   c:\windows\system32\IfxWlxEN.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\OneCard]
2005-07-25 18:41   40960   ----a-w-   c:\program files\HPQ\IAM\Bin\AsWlnPkg.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\mqsvc.exe"=
"c:\\WINDOWS\\SMINST\\Scheduler.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\AOL 9.0\\waol.exe"=
"c:\\Program Files\\AOL\\RC\\regClient.exe"=
"c:\\Program Files\\AOL 9.0a\\waol.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [01/04/2009 11:34 325640]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [01/04/2009 11:34 108552]
R1 PersonalSecureDrive;PersonalSecureDrive;c:\windows\system32\drivers\psd.sys [29/11/2005 16:56 36768]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [05/01/2010 07:56 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [05/01/2010 07:56 74480]
R2 ASChannel;Local Communication Channel;c:\windows\System32\svchost.exe -k Cognizance [04/08/2004 08:00 14336]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [01/04/2009 11:33 298264]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [03/11/2006 18:19 13592]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [21/10/2005 11:19 36352]
S3 FirebirdServerMAGIXInstance;Firebird Server - MAGIX Instance;c:\program files\MAGIX\Common\Database\bin\fbserver.exe [16/05/2009 15:03 1527900]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [05/01/2010 07:56 7408]
S3 z520bus;Sony Ericsson 520 driver (WDM);c:\windows\system32\drivers\z520bus.sys [26/07/2005 10:13 57648]
S3 z520mdfl;Sony Ericsson 520 USB WMC Modem Filter;c:\windows\system32\drivers\z520mdfl.sys [26/09/2007 13:34 8336]
S3 z520mdm;Sony Ericsson 520 USB WMC Modem Drivers;c:\windows\system32\drivers\z520mdm.sys [26/09/2007 13:34 93488]
S3 z520mgmt;Sony Ericsson 520 USB WMC Device Management Drivers;c:\windows\system32\drivers\z520mgmt.sys [26/09/2007 13:35 84928]
S3 z520obex;Sony Ericsson 520 USB WMC OBEX Interface Drivers;c:\windows\system32\drivers\z520obex.sys [26/09/2007 13:34 82864]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Cognizance   REG_MULTI_SZ      ASChannel
.
Contents of the 'Scheduled Tasks' folder

2010-02-18 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 18:20]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.hp.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = hxxp://www.hp.com/
uInternet Settings,ProxyServer = 127.0.0.1:8080
uInternet Settings,ProxyOverride = local;*.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &AOL Toolbar search - c:\program files\AOL Toolbar\toolbar.dll/SEARCH.HTML
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
DPF: {F8C5C0F1-D884-43EB-A5A0-9E1C4A102FA8} - hxxps://secure.gopetslive.com/dev/GoPetsWeb.cab
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\dlbu8v23.default\
FF - plugin: c:\program files\Common Files\ParallelGraphics\Cortona\npCortona.dll
.
- - - - ORPHANS REMOVED - - - -

AddRemove-ViewpointMediaPlayer - c:\program files\Viewpoint\Viewpoint Experience Technology\mtsAxInstaller.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-18 00:41
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ... 

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
  LXCFCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\LXCFtime.dll,[email protected]???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ... 

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(924)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\Ati2evxx.dll
c:\program files\HPQ\IAM\Bin\AsWlnPkg.dll
c:\windows\system32\IfxWlxEN.dll
c:\program files\HPQ\IAM\Bin\ASChnl.dll
c:\program files\HPQ\IAM\Bin\ItMsg.dll

- - - - - - - > 'explorer.exe'(2852)
c:\program files\HPQ\IAM\Bin\SFSShell.dll
c:\program files\HPQ\IAM\bin\ItMsg.dll
c:\windows\system32\msi.dll
c:\docume~1\ADMINI~1\LOCALS~1\Temp\21303429133.nls
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\DllHost.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\HPQ\IAM\bin\asghost.exe
c:\windows\system32\msdtc.exe
c:\program files\Common Files\AOL\ACS\AOLAcsd.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\IFXSPMGT.exe
c:\windows\system32\IFXTCS.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\ProtectTools\Embedded Security Software\PSDsrvc.EXE
c:\progra~1\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\mqsvc.exe
c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe
c:\windows\system32\mqtgsvc.exe
c:\windows\system32\wscntfy.exe
c:\program files\ProtectTools\Embedded Security Software\PSDrt.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Common Files\Teleca Shared\Generic.exe
c:\program files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
.
**************************************************************************
.
Completion time: 2010-02-18  00:47:24 - machine was rebooted
ComboFix-quarantined-files.txt  2010-02-18 00:47
ComboFix2.txt  2010-02-17 23:32

Pre-Run: 20,634,279,936 bytes free
Post-Run: 20,573,704,192 bytes free

- - End Of File - - C9B4B339BA1545B0EE1ED5FEA0FACD2A



************************************************************

Copy and paste blue text results:



Ad-Aware SE Personal
Adobe Bridge 1.0
Adobe Common File Installer
Adobe Flash Player 10 Plugin
Adobe Flash Player 9 ActiveX
Adobe Help Center 1.0
Adobe Photoshop CS2
Adobe Reader 7.0.9
Adobe Shockwave Player
Adobe Stock Photos 1.0
AOL Coach Version 1.0(Build:20040229.1 uk)
AOL Connectivity Services
AOL Registration
AOL Spyware Protection
AOL Toolbar
AOL UK (Choose which version to remove)
AOL You've Got Pictures Screensaver
Apple Mobile Device Support
Apple Software Update
Application Installer 4.00.B6
ATI Catalyst Control Center
ATI Display Driver
Atomic Cannon Demo
Audacity 1.2.6
AVG 8.5
Bonjour
CCleaner (remove only)
Comic Life
Compatibility Pack for the 2007 Office system
Cortona® VRML Client
Disc2Phone
DivX Web Player
Firebird SQL Server - MAGIX Edition
HDAUDIO Soft Data Fax Modem with SmartCP
Hotfix for Windows XP (KB896243)
Hotfix for Windows XP (KB896256)
Hotfix for Windows XP (KB909095)
Hotfix for Windows XP (KB910728)
Hotfix for Windows XP (KB912436)
Hotfix for Windows XP (KB914440)
Hotfix for Windows XP (KB915326)
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB918005)
HP Backup and Recovery Manager Installer
HP BIOS Configuration for ProtectTools 2.00 G1
HP Credential Manager for ProtectTools
HP Embedded Security for ProtectTools
HP Help and Support
HP Notebook Accessories Product Tour
HP ProtectTools Security Manager 2.00 C3
HP Quick Launch Buttons 6.00 G2
HP Update
HP User Guides 0022
HP Wireless Assistant 2.00 F1
HpSdpAppCoreApp
InterVideo DVD Check
InterVideo WinDVD
IrfanView (remove only)
iTunes
Learn2 Player (Uninstall Only)
Lexmark 730 Series
LightScribe  1.4.84.1
MAGIX 3D Maker (embeded)
MAGIX Movie Edit Pro 15 Download version 8.5.0.30 (UK)
MAGIX Screenshare 4.3.6.1987 (UK)
MAGIX Xtreme PhotoStory on CD & DVD 8 deluxe Download version 8.0.3.2 (UK)
Malwarebytes' Anti-Malware
Microsoft Application Error Reporting
Microsoft Choice Guard
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Standard Edition 2003
Microsoft Speech SDK 5.1
Microsoft Text-to-Speech Engine 4.0 (English)
Microsoft Visual C++ 2005 Redistributable
Mozilla Firefox (3.5.7)
MSVCRT
MSXML 4.0 SP2 (KB927978)
Multi-Direction Opitcal Mouse 2.0
Power Tab Editor 1.7
QuickTime
RealPlayer
Safari
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB911565)
Security Update for Windows XP (KB893066)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901190)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB903235)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB925454)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB929969)
Segoe UI
Sonic Audio Module
Sonic Copy Module
Sonic Data Module
Sonic DLA
Sonic Express Labeler
Sonic MyDVD Plus
Sonic Update Manager
Sony Ericsson PC Suite
SoundMAX
Spybot - Search & Destroy 1.4
SUPERAntiSpyware Free Edition
Synaptics Pointing Device Driver
Texas Instruments PCIxx21/x515/xx12 drivers.
TIPCI
Update for Windows XP (KB894391)
Update for Windows XP (KB896727)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB904942)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB912945)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
USB Disk Win98 Driver
VC80CRTRedist - 8.0.50727.762
VideoLAN VLC media player 0.8.6a
Viewpoint Media Player
WebFldrs XP
Windows Defender
Windows Driver Package - Advanced Micro Devices (AmdK8) Processor  (05/27/2006 1.3.2.0)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Installer 3.1 (KB893803)
Windows Installer Clean Up
Windows Internet Explorer 7
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Messenger
Windows Live OneCare safety scanner
Windows Live Sign-in Assistant
Windows Live Upload Tool
Windows Media Connect
Windows Media Format Runtime
Windows Media Player 10
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB883667
Windows XP Hotfix - KB884575
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885295
Windows XP Hotfix - KB885464
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB885855
Windows XP Hotfix - KB885884
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888239
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB888402
Windows XP Hotfix - KB889673
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB892559
WinRAR archiver
WinZip
Xvid 1.1.3 final uninstall
ZoneAlarm
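As an added triage example (my own code, not ComboFix's and not posted by anyone in this thread), the script below reads lines in the shape of the "Reg Loading Points" and "Supplementary Scan" sections of the log above and flags the three things that log actually shows: a Run value whose target is a .dat file under Application Data (Kbdgui pointing at traykbd.dat), a ProxyServer entry set to 127.0.0.1:8080 (a loopback proxy with no local proxy software installed silently breaks downloads from security-vendor sites), and Trusted Zone additions. The sample lines are re-typed from the log; the heuristics and every function name are my own assumptions, not ComboFix rules.

```python
"""Triage helper for ComboFix-style log lines (added example, not a ComboFix feature)."""
import ntpath
import re
from dataclasses import dataclass
from typing import List

# Constructed sample: lines re-typed in the shape of the ComboFix log in this thread.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2009-07-26 3883856]
"Kbdgui"="c:\documents and settings\Administrator\Application Data\Adobe\Update\traykbd.dat" [2010-02-16 123392]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-04-01 1932568]

uInternet Settings,ProxyServer = 127.0.0.1:8080
uInternet Settings,ProxyOverride = local;*.local
Trusted Zone: buy-internetsecurity10.com
"""

# Extensions that normally carry an autostart target; anything else is odd (heuristic).
EXEC_EXTENSIONS = {".exe", ".dll", ".com", ".scr", ".bat", ".cmd", ".vbs", ".js"}

# Path fragments of user-writable profile locations in the XP layout seen in the log.
USER_WRITABLE_MARKERS = ("\\application data\\", "\\local settings\\", "\\temp\\")

RUN_KEY_RE = re.compile(r"^\[(HKEY_[^\]]*\\Run)\]$", re.IGNORECASE)
RUN_VALUE_RE = re.compile(r'^"([^"]+)"="([^"]+)"')
PROXY_RE = re.compile(r"^uInternet Settings,ProxyServer = (\S+)")
TRUSTED_ZONE_RE = re.compile(r"^Trusted Zone: (\S+)")


@dataclass
class Finding:
    category: str  # "autostart", "proxy" or "trusted_zone"
    subject: str   # value name, proxy address or domain
    reason: str


def assess_autostart(name: str, path: str) -> List[str]:
    """Return the reasons (possibly none) why a Run entry deserves a closer look."""
    reasons = []
    ext = ntpath.splitext(path)[1].lower()
    if ext not in EXEC_EXTENSIONS:
        reasons.append(f"target extension '{ext or '(none)'}' is not an executable type")
    lowered = path.lower()
    if any(marker in lowered for marker in USER_WRITABLE_MARKERS):
        reasons.append("target lives in a user-writable profile folder")
    return reasons


def analyze(log_text: str) -> List[Finding]:
    """Walk the log once, tracking whether we are inside a ...\\Run key block."""
    findings: List[Finding] = []
    in_run_key = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("["):  # registry key header: decide if it is a Run key
            in_run_key = bool(RUN_KEY_RE.match(line))
            continue
        if in_run_key:
            m = RUN_VALUE_RE.match(line)
            if m:
                name, path = m.group(1), m.group(2)
                for reason in assess_autostart(name, path):
                    findings.append(Finding("autostart", name, reason))
                continue
        m = PROXY_RE.match(line)
        if m:
            host = m.group(1).split(":")[0].lower()
            if host.startswith("127.") or host == "localhost":
                findings.append(Finding("proxy", m.group(1),
                                        "loopback proxy; downloads fail unless a real local proxy exists"))
            continue
        m = TRUSTED_ZONE_RE.match(line)
        if m:
            findings.append(Finding("trusted_zone", m.group(1),
                                    "site added to the IE Trusted Zone; review who added it"))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"[{f.category}] {f.subject}: {f.reason}")
```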
Title: Re: Your system is infected! (Please help if you can)
Post by: evilfantasy on February 17, 2010, 05:58:50 PM
Sorry, I missed something. But it's a quick fix.

Go to Start > Run and type notepad.exe, then click OK.

Copy and paste the below into Notepad and save it as fixme.reg to your Desktop.

Code:
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Kbdgui"=-

Locate fixme.reg on your Desktop and double-click it. Answer Yes when prompted to merge with the Registry.

Delete the fixme.reg from the Desktop.

----------

* Click START then RUN - Vista users press the Windows Key and the R keys for the Run box.
* Now type Combofix /Uninstall in the Run box
* Make sure there's a space between Combofix and /Uninstall
* Then hit Enter

The above procedure will:
* Delete ComboFix and its associated files and folders.
* Reset the clock settings.
* Hide file extensions, if required.
* Hide System/Hidden files, if required.
* Set a new, clean Restore Point.

----------

Clean out your temporary internet files and temp files.

Download TFC by OldTimer (http://oldtimer.geekstogo.com/TFC.exe) to your desktop.

Double-click TFC.exe to run it.

Note: If you are running on Vista, right-click on the file and choose Run As Administrator.

TFC will close all programs when run, so make sure you have saved all your work before you begin.

* Click the Start button to begin the cleaning process.
* Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two. 
* Please let TFC run uninterrupted until it is finished.

Once TFC is finished it should restart your computer. If it does not, please manually restart the computer yourself to ensure a complete cleaning.

----------

ESET Online Scan

Scan your computer with the ESET FREE Online Virus Scan (http://eset.com/onlinescan)

* Click the ESET Online Scanner button.

* For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
* Click on the esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop
* Double click on the esetsmartinstaller_enu.exe icon on your desktop.
* Place a check mark next to YES, I accept the Terms of Use.

* Click the Start button.
* Accept any security warnings from your browser.
* Leave the check mark next to Remove found threats and place a check next to Scan archives.
* Click the Start button.
* ESET will then download updates, install, and begin scanning your computer. Please be patient as this can take some time.
* When the scan completes, click List of found threats.
* Next click Export to text file and save the file to your desktop using a name such as ESETScan. Include the contents of this report in your next reply.
* Click the <<Back button then click Finish.

In your next reply please include the ESET Online Scan log.
Title: Re: Your system is infected! (Please help if you can)
Post by: KayleyBug on February 17, 2010, 06:19:36 PM
I managed everything else; however, when I attempted to run ESET after saving it to the desktop, a box appears saying:

Can not get update. Is proxy configured?
ESET online scanner installation consists of three steps
1. Component download
2. Component registration
3. Start

Then there's a loading bar that's empty. Below that is a box to check saying 'Use custom proxy settings' and a link saying 'configure'. The Configure asks for my Proxy address, Port, Username and Password.
When I click the start button at the bottom right of the box, the writing saying 'Can not get update. Is proxy configured?' changes to 'Downloading components...' for a split second and then goes back to the above description.

Should I disable AVG? Is that what's blocking it?
Title: Re: Your system is infected! (Please help if you can)
Post by: evilfantasy on February 17, 2010, 06:25:25 PM
I had something similar when I tried to use the download with Firefox. Try using the Internet Explorer scan.
Title: Re: Your system is infected! (Please help if you can)
Post by: KayleyBug on February 17, 2010, 06:32:41 PM
Thank you, it worked fine on Internet Explorer.
Unfortunately, I have no scan log to show for it because it says 'No Threats Found'.
Should I check 'uninstall application on close'?
Title: Re: Your system is infected! (Please help if you can)
Post by: evilfantasy on February 17, 2010, 06:34:19 PM
There is no way the scan finished that fast. Did you adjust any of the settings for the scan?
Title: Re: Your system is infected! (Please help if you can)
Post by: KayleyBug on February 17, 2010, 06:38:22 PM
I didn't change any settings except to check 'scan archives', but I went back to it to do another scan and realised that 'Scan for potentially unsafe applications' is already un-checked. Should I check that? I'm also going to disable Zone Alarm and AVG.
Title: Re: Your system is infected! (Please help if you can)
Post by: evilfantasy on February 17, 2010, 06:40:29 PM
Let's try another scanner. That was just way too fast.


Scan your computer with Panda ActiveScan (http://www.pandasoftware.com/products/activescan.htm)

* Once you are on the Panda site click the Scan your PC now button.
* A new window will open...click the Scan Now button.
* If it wants to install an ActiveX component allow it.
* It will start downloading the files it requires for the scan. (Note: It may take a couple of minutes)
* You may get a warning from Internet Explorer that Panda is ready to install, please allow it.
* The scan will begin. Please be patient as it can take an hour or more to complete.
* When the scan completes, if anything malicious is detected, click the Export to: button (looks like a little Notepad).
* Save the ActiveScan.txt to a convenient location like your desktop.
* Note: You do not need to select any of the Disinfect options. We will remove any threats manually.

* Post the contents of the ActiveScan report in your next reply.
Title: Re: Your system is infected! (Please help if you can)
Post by: KayleyBug on February 17, 2010, 06:56:58 PM
Much more luck with the Panda scan, it's running now.
As it's 2am here in Wales and could be after 3am once it's done, I'm going to set my laptop to hibernate after 2 hours and let it run while I go to sleep.
I'll post the scan results in the morning although it'll be night time for you, so I understand I'm in for another wait  :)
Title: Re: Your system is infected! (Please help if you can)
Post by: evilfantasy on February 17, 2010, 07:12:45 PM
We can finish up whenever you get the time to. :)
Title: Re: Your system is infected! (Please help if you can)
Post by: KayleyBug on February 18, 2010, 04:23:08 AM
Here they are, the active scan results:

;*****************************************************************************
ANALYSIS: 2010-02-18 11:21:33
PROTECTIONS: 1
MALWARE: 4
SUSPECTS: 2
;*****************************************************************************
PROTECTIONS
Description                                  Version                       Active    Updated
;====================================================================
AVG Anti-Virus Free                          8.5                           No        No
;====================================================================
MALWARE
Id        Description                        Type                Active    Severity  Disinfectable  Disinfected Location
;====================================================================
00139064  Cookie/Atlas DMT                   TrackingCookie      No        0         Yes            No           c:\documents and settings\administrator\cookies\[email protected][2].txt
03074964  Trj/CI.A                           Virus/Trojan        No        0         Yes            No           c:\system volume information\_restore{a80475b6-cf6d-4b3a-bd21-b16c67db5304}\rp8\a0001951.exe
03074964  Trj/CI.A                           Virus/Trojan        No        0         Yes            No           c:\system volume information\_restore{a80475b6-cf6d-4b3a-bd21-b16c67db5304}\rp6\a0000466.exe
03074964  Trj/CI.A                           Virus/Trojan        No        0         Yes            No           c:\system volume information\_restore{a80475b6-cf6d-4b3a-bd21-b16c67db5304}\rp10\a0003173.dll
03074964  Trj/CI.A                           Virus/Trojan        No        0         Yes            No           c:\windows\system32\msls50.dll
05898765  Trj/Nabload.DPS                    Virus/Trojan        No        0         No             No           c:\system volume information\_restore{a80475b6-cf6d-4b3a-bd21-b16c67db5304}\rp11\a0003505.exe[32788r22fwjfw\catchme.cfxxe]
05977738  Adware/ISecurity2010               Adware              No        0         Yes            No           c:\system volume information\_restore{a80475b6-cf6d-4b3a-bd21-b16c67db5304}\rp5\a0000445.exe
05977738  Adware/ISecurity2010               Adware              No        0         Yes            No           c:\system volume information\_restore{a80475b6-cf6d-4b3a-bd21-b16c67db5304}\rp6\a0000469.exe
05977738  Adware/ISecurity2010               Adware              No        0         Yes            No           c:\system volume information\_restore{a80475b6-cf6d-4b3a-bd21-b16c67db5304}\rp5\a0000424.exe
05977738  Adware/ISecurity2010               Adware              No        0         Yes            No           c:\system volume information\_restore{a80475b6-cf6d-4b3a-bd21-b16c67db5304}\rp7\a0001483.exe
05977738  Adware/ISecurity2010               Adware              No        0         Yes            No           c:\system volume information\_restore{a80475b6-cf6d-4b3a-bd21-b16c67db5304}\rp5\a0000410.exe
05977738  Adware/ISecurity2010               Adware              No        0         Yes            No           c:\system volume information\_restore{a80475b6-cf6d-4b3a-bd21-b16c67db5304}\rp5\a0000366.exe
05977738  Adware/ISecurity2010               Adware              No        0         Yes            No           c:\system volume information\_restore{a80475b6-cf6d-4b3a-bd21-b16c67db5304}\rp7\a0001887.exe
05977738  Adware/ISecurity2010               Adware              No        0         Yes            No           c:\system volume information\_restore{a80475b6-cf6d-4b3a-bd21-b16c67db5304}\rp8\a0001942.exe
05977738  Adware/ISecurity2010               Adware              No        0         Yes            No           c:\system volume information\_restore{a80475b6-cf6d-4b3a-bd21-b16c67db5304}\rp8\a0001950.exe
05977738  Adware/ISecurity2010               Adware              No        0         Yes            No           c:\system volume information\_restore{a80475b6-cf6d-4b3a-bd21-b16c67db5304}\rp5\a0000435.exe
05977738  Adware/ISecurity2010               Adware              No        0         Yes            No           c:\system volume information\_restore{a80475b6-cf6d-4b3a-bd21-b16c67db5304}\rp6\a0001471.exe
;====================================================================
SUSPECTS
Sent      Location
;====================================================================
No        c:\system volume information\_restore{a80475b6-cf6d-4b3a-bd21-b16c67db5304}\rp7\a0001900.dll
No        c:\windows\system32\msls51.dll
;====================================================================
VULNERABILITIES
Id        Severity       Description
;====================================================================
216839    HIGH           MS10-001
215938    HIGH           MS09-072
215935    HIGH           MS09-069
215048    HIGH           MS09-065
214076    HIGH           MS09-059
971486    HIGH           MS09-058
214074    HIGH           MS09-057
214073    HIGH           MS09-056
214072    HIGH           MS09-055
214071    HIGH           MS09-054
213109    HIGH           MS09-046
212494    HIGH           MS09-042
212493    HIGH           MS09-041
212490    HIGH           MS09-038
212530    HIGH           MS09-034
211784    HIGH           MS09-032
211781    HIGH           MS09-029
210625    HIGH           MS09-026
210624    HIGH           MS09-025
210621    HIGH           MS09-022
210618    HIGH           MS09-019
208380    HIGH           MS09-015
208379    HIGH           MS09-014
208378    HIGH           MS09-013
208377    HIGH           MS09-012
206981    HIGH           MS09-007
206980    HIGH           MS09-006
205735    HIGH           MS09-002
204670    HIGH           MS09-001
203806    HIGH           MS08-078
203508    HIGH           MS08-073
203505    HIGH           MS08-071
202465    HIGH           MS08-068
201683    HIGH           MS08-067
201258    HIGH           MS08-066
201256    HIGH           MS08-064
201255    HIGH           MS08-063
201253    HIGH           MS08-061
201250    HIGH           MS08-058
209275    HIGH           MS08-049
209273    HIGH           MS08-045
196455    MEDIUM         MS08-037
194862    HIGH           MS08-032
194860    HIGH           MS08-030
191618    HIGH           MS08-025
191616    HIGH           MS08-023
191614    HIGH           MS08-021
191613    HIGH           MS08-020
187733    HIGH           MS08-008
184380    MEDIUM         MS08-002
184379    MEDIUM         MS08-001
182046    HIGH           MS07-067
179553    HIGH           MS07-061
176383    HIGH           MS07-058
170911    HIGH           MS07-050
170907    HIGH           MS07-046
170904    HIGH           MS07-043
164915    HIGH           MS07-035
164911    HIGH           MS07-031
157262    HIGH           MS07-022
157261    HIGH           MS07-021
157260    HIGH           MS07-020
157259    HIGH           MS07-019
156477    HIGH           MS07-017
150249    HIGH           MS07-013
150248    HIGH           MS07-012
150247    HIGH           MS07-011
150243    HIGH           MS07-008
150242    HIGH           MS07-007
150241    MEDIUM         MS07-006
;====================================================================
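Reading the report above, the first thing to separate is what is live from what is only a System Restore copy: every Trj/CI.A, Trj/Nabload.DPS and Adware/ISecurity2010 hit except c:\windows\system32\msls50.dll sits under System Volume Information\_restore, and the VULNERABILITIES section is a list of missing Microsoft security bulletins. The parser below does that triage over a constructed excerpt in the same layout. It is an added example, not part of the thread or of Panda's own tooling, and it assumes the column layout shown (fields separated by two or more spaces, ';' lines as separators); the cookie name in the sample is made up.

```python
"""Triage a Panda ActiveScan text report: separate live detections from
System Restore copies and summarise missing patches.  Added example."""
import re

SECTION_NAMES = {"PROTECTIONS", "MALWARE", "SUSPECTS", "VULNERABILITIES"}
COLUMN_HEADER_WORDS = {"Id", "Sent", "Description"}   # first word of each column-header row
RESTORE_MARKER = r"\system volume information\_restore"

# Constructed sample in the same layout as the report above (shortened; cookie name made up).
SAMPLE_REPORT = r"""
;*****************************************************************************
ANALYSIS: 2010-02-18 11:21:33
PROTECTIONS: 1
MALWARE: 4
SUSPECTS: 2
;*****************************************************************************
PROTECTIONS
Description                                  Version                       Active    Updated
;====================================================================
AVG Anti-Virus Free                          8.5                           No        No
;====================================================================
MALWARE
Id        Description                        Type                Active    Severity  Disinfectable  Disinfected Location
;====================================================================
00139064  Cookie/Atlas DMT                   TrackingCookie      No        0         Yes            No           c:\documents and settings\administrator\cookies\administrator@tracker[1].txt
03074964  Trj/CI.A                           Virus/Trojan        No        0         Yes            No           c:\system volume information\_restore{a80475b6-cf6d-4b3a-bd21-b16c67db5304}\rp8\a0001951.exe
03074964  Trj/CI.A                           Virus/Trojan        No        0         Yes            No           c:\windows\system32\msls50.dll
05898765  Trj/Nabload.DPS                    Virus/Trojan        No        0         No             No           c:\system volume information\_restore{a80475b6-cf6d-4b3a-bd21-b16c67db5304}\rp11\a0003505.exe[32788r22fwjfw\catchme.cfxxe]
05977738  Adware/ISecurity2010               Adware              No        0         Yes            No           c:\system volume information\_restore{a80475b6-cf6d-4b3a-bd21-b16c67db5304}\rp5\a0000445.exe
;====================================================================
SUSPECTS
Sent      Location
;====================================================================
No        c:\system volume information\_restore{a80475b6-cf6d-4b3a-bd21-b16c67db5304}\rp7\a0001900.dll
No        c:\windows\system32\msls51.dll
;====================================================================
VULNERABILITIES
Id        Severity       Description
;====================================================================
216839    HIGH           MS10-001
201683    HIGH           MS08-067
196455    MEDIUM         MS08-037
;====================================================================
"""


def _split_columns(line):
    """Fields in the report are padded with two or more spaces; paths keep single spaces."""
    return re.split(r"\s{2,}", line.strip())


def parse_activescan(text):
    """Parse the four tables of an ActiveScan report into lists of dicts."""
    report = {"protections": [], "malware": [], "suspects": [], "vulnerabilities": []}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):          # banner / separator lines
            continue
        if line in SECTION_NAMES:
            section = line.lower()
            continue
        cols = _split_columns(line)
        if section is None or cols[0] in COLUMN_HEADER_WORDS:
            continue                                  # summary header or column-header row
        if section == "protections" and len(cols) == 4:
            report["protections"].append({"name": cols[0], "version": cols[1],
                                          "active": cols[2] == "Yes", "updated": cols[3] == "Yes"})
        elif section == "malware" and len(cols) == 8:
            report["malware"].append({"id": cols[0], "name": cols[1], "type": cols[2],
                                      "active": cols[3] == "Yes", "disinfectable": cols[5] == "Yes",
                                      "location": cols[7]})
        elif section == "suspects" and len(cols) == 2:
            report["suspects"].append({"sent": cols[0] == "Yes", "location": cols[1]})
        elif section == "vulnerabilities" and len(cols) == 3:
            report["vulnerabilities"].append({"id": cols[0], "severity": cols[1], "bulletin": cols[2]})
    return report


def in_restore_point(path):
    """True for files that live only inside a System Restore point."""
    return RESTORE_MARKER in path.lower()


def triage(report):
    """Split detections into live files vs. restore-point copies and group missing bulletins."""
    live = [m for m in report["malware"] if not in_restore_point(m["location"])]
    shadow = [m for m in report["malware"] if in_restore_point(m["location"])]
    by_severity = {}
    for v in report["vulnerabilities"]:
        by_severity.setdefault(v["severity"], []).append(v["bulletin"])
    return {
        "live_files": [(m["name"], m["location"]) for m in live if m["type"] != "TrackingCookie"],
        "live_cookies": [m["location"] for m in live if m["type"] == "TrackingCookie"],
        "restore_point_copies": len(shadow),
        "families": sorted({m["name"] for m in report["malware"]}),
        "live_suspects": [s["location"] for s in report["suspects"] if not in_restore_point(s["location"])],
        "missing_patches": by_severity,
        "av_inactive": [p["name"] for p in report["protections"] if not (p["active"] and p["updated"])],
    }


if __name__ == "__main__":
    for key, value in triage(parse_activescan(SAMPLE_REPORT)).items():
        print(f"{key}: {value}")
```

To use it on the real log, pass the text of the saved ActiveScan.txt to parse_activescan() and hand the result to triage(). The live_files and live_suspects lists are what actually needs attention on the running system; the restore-point copies only matter if one of those restore points is later applied, and the missing_patches list is the backlog Windows Update has to close.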
Title: Re: Your system is infected! (Please help if you can)
Post by: evilfantasy on February 18, 2010, 11:54:26 AM
Download OTM by OldTimer (http://oldtimer.geekstogo.com/OTM.exe) to your desktop.

Note: If you are using Vista or Windows 7, right-click on OTM.exe and choose Run As Administrator.

* Save it to your Desktop.
* Double-click OTM.exe to run it.
* Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy)

Code: [Select]
:Processes
explorer.exe

:services

:reg

:files
c:\windows\system32\msls50.dll
c:\windows\system32\msls51.dll

:Commands
[resethosts]
[purity]
[start explorer]
[Reboot]

* Return to OTM, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
* Click the red Moveit! button.
* Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.

* Close OTM

Note: If a file or folder cannot be moved immediately you may be asked to reboot your computer in order to finish the move process. If asked to reboot, choose Yes. If not, reboot anyway.

Title: Re: Your system is infected! (Please help if you can)
Post by: KayleyBug on February 18, 2010, 12:27:50 PM
I did as instructed; however, I couldn't get the results as it rebooted immediately after it finished.
After the reboot I kept getting this warning:

userinit.exe - Unable to Locate Component

This application has failed to start because msls51.dll was not found. Re-installing the application may fix this problem.

Now only the desktop background is visible, I can open task manager but that's all, there's no toolbar or desktop icons or anything.
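The two errors above say that userinit.exe and explorer.exe will not start without msls51.dll, i.e. those binaries reference it at load time. A check a practitioner would want before moving a file that a scanner lists only as a "suspect" is: which executables actually name it in their import table? The walker below answers that for a given DLL. It is an added example, not part of the thread or of any tool mentioned in it; it assumes a standard PE32/PE32+ layout, only reads the load-time import directory (delay-loads, LoadLibrary calls and AppInit_DLLs-style injection do not show up there), and the two "binaries" it runs on are constructed test images, not real Windows files.

```python
"""List the DLLs named in a PE file's import table, to see which binaries
depend on a given DLL before it is moved.  Added example, not from the thread."""
import struct


def _rva_to_offset(rva, sections):
    """Translate an RVA to a file offset using the section table."""
    for va, vsize, raw_ptr, raw_size in sections:
        if va <= rva < va + max(vsize, raw_size):
            return rva - va + raw_ptr
    raise ValueError(f"RVA {rva:#x} lies outside every section")


def _cstring(data, off):
    return data[off:data.index(b"\0", off)].decode("ascii", "replace")


def imported_dlls(data):
    """Return the DLL names from the import directory, in table order.
    Load-time imports only: delay-loads, LoadLibrary and AppInit_DLLs are not visible here."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = pe + 4
    nsections = struct.unpack_from("<H", data, coff + 2)[0]
    size_opt = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    dirs = {0x10B: opt + 96, 0x20B: opt + 112}.get(magic)  # data directories: PE32 / PE32+
    if dirs is None:
        raise ValueError(f"unknown optional-header magic {magic:#x}")
    import_rva = struct.unpack_from("<I", data, dirs + 8)[0]  # directory entry 1 = imports
    sections = []
    for i in range(nsections):                             # VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData
        vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", data, opt + size_opt + 40 * i + 8)
        sections.append((va, vsize, raw_ptr, raw_size))
    names = []
    desc = _rva_to_offset(import_rva, sections) if import_rva else None
    while desc is not None:
        oft, _, _, name_rva, ft = struct.unpack_from("<IIIII", data, desc)
        if not (oft or name_rva or ft):
            break                                          # all-zero descriptor ends the table
        names.append(_cstring(data, _rva_to_offset(name_rva, sections)))
        desc += 20
    return names


def binaries_importing(dll_name, images):
    """images: {label: PE bytes}.  Returns labels whose import table names dll_name (case-insensitive)."""
    want = dll_name.lower()
    return [label for label, data in images.items()
            if any(d.lower() == want for d in imported_dlls(data))]


def build_test_pe(dll_names):
    """Constructed test data: a minimal PE32 whose single section holds only an
    import directory naming dll_names.  It is not a runnable program."""
    sect_va, raw_ptr = 0x1000, 0x200
    desc_size = 20 * (len(dll_names) + 1)
    thunk_off = desc_size                 # one zero dword serves as terminator for every thunk table
    names_off = thunk_off + 4
    names_blob, offs = bytearray(), []
    for n in dll_names:
        offs.append(len(names_blob))
        names_blob += n.encode("ascii") + b"\0"
    section = bytearray()
    for off in offs:                      # OriginalFirstThunk, TimeDateStamp, ForwarderChain, Name, FirstThunk
        section += struct.pack("<IIIII", sect_va + thunk_off, 0, 0,
                               sect_va + names_off + off, sect_va + thunk_off)
    section += b"\0" * 24 + names_blob    # null descriptor + thunk terminator, then the strings
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)               # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                  # PE32 magic
    struct.pack_into("<I", opt, 92, 16)                    # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 104, sect_va, desc_size)  # import directory RVA / size
    sect_hdr = struct.pack("<8sIIIIIIHHI", b".idata\0\0", len(section), sect_va,
                           len(section), raw_ptr, 0, 0, 0, 0, 0xC0000040)
    image = dos + b"PE\0\0" + coff + opt + sect_hdr
    return bytes(image + b"\0" * (raw_ptr - len(image)) + section)


if __name__ == "__main__":
    samples = {"clean.exe": build_test_pe(["KERNEL32.dll", "USER32.dll"]),
               "patched.exe": build_test_pe(["KERNEL32.dll", "msls51.dll"])}
    print(binaries_importing("msls51.dll", samples))       # ['patched.exe']
    # On a real system, feed it the files instead, e.g.
    # images = {p.name: p.read_bytes() for p in pathlib.Path(r"C:\Windows\system32").glob("*.exe")}
```

A legitimate Windows binary that names a scanner-flagged DLL in its import table is itself worth treating as modified rather than trusted; that is a reason to restore the binary from a known-good source (as sfc /scannow does later in this thread) rather than only removing the DLL.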
Title: Re: Your system is infected! (Please help if you can)
Post by: evilfantasy on February 18, 2010, 12:53:04 PM
Manually shut down the computer and then start it again.
Title: Re: Your system is infected! (Please help if you can)
Post by: KayleyBug on February 18, 2010, 12:58:31 PM
Done. It's still the same, giving the same warning constantly. The background is the only thing there. I can open task manager and that's it.
Title: Re: Your system is infected! (Please help if you can)
Post by: evilfantasy on February 18, 2010, 01:43:43 PM
Restart the computer. This time as it is loading up tap the F8 key until you get to the boot menu.

Choose Last Known Good Configuration.

Let me know how that goes.
Title: Re: Your system is infected! (Please help if you can)
Post by: KayleyBug on February 18, 2010, 01:52:13 PM
Didn't go well, it's still the same, same warning about msls51.dll not found.
Title: Re: Your system is infected! (Please help if you can)
Post by: evilfantasy on February 18, 2010, 02:25:09 PM
Do you have your desktop back?
Title: Re: Your system is infected! (Please help if you can)
Post by: KayleyBug on February 18, 2010, 02:26:19 PM
Nothing there at all except the background picture. No desktop icons, toolbar, nothing.
Title: Re: Your system is infected! (Please help if you can)
Post by: evilfantasy on February 18, 2010, 02:35:47 PM
On the Keyboard press (all at the same time) CTRL ALT Delete

When the Task Manager comes up go to File > New Task > then type in explorer.exe and click OK.

Did your desktop come up?
Title: Re: Your system is infected! (Please help if you can)
Post by: KayleyBug on February 18, 2010, 02:38:44 PM
Explorer appeared briefly in the 'Applications' box of Task Manager, with writing saying 'unable to locate component', then it disappeared. My desktop did not come up.
The msls51.dll box came up about 5 more times in the process.
Title: Re: Your system is infected! (Please help if you can)
Post by: evilfantasy on February 18, 2010, 02:46:03 PM
On the Keyboard press (all at the same time) CTRL ALT Delete

When the Task Manager comes up go to File > New Task > then type in rstrui.exe and click OK.

Do you get the System restore window?
Title: Re: Your system is infected! (Please help if you can)
Post by: KayleyBug on February 18, 2010, 02:48:39 PM
'Windows cannot find 'rstrui.exe'. Make sure you typed the name correctly, and then try again.'

That's what happens each time I try.
Title: Re: Your system is infected! (Please help if you can)
Post by: evilfantasy on February 18, 2010, 02:50:03 PM
Do you have your XP CD?
Title: Re: Your system is infected! (Please help if you can)
Post by: KayleyBug on February 18, 2010, 02:53:36 PM
No, it already had XP installed when I got it (over 3 years ago) and did not come with a backup XP disc.
Title: Re: Your system is infected! (Please help if you can)
Post by: evilfantasy on February 18, 2010, 02:58:34 PM
I am baffled as to what happened here.

Try booting the computer into safe mode using the F8 method and see if it gets to the desktop.
Title: Re: Your system is infected! (Please help if you can)
Post by: KayleyBug on February 18, 2010, 03:07:45 PM
The box still keeps coming up -

Explorer.EXE - unable to locate component
This application has failed to start because msls51.dll was not found. Re-installing the application may fix this problem.


There's a red circle with a white X on the left side of the box that resembles the one the virus put in my task bar at the very start, telling me to install anti-virus.

Now the screen is completely black with Safe Mode written in each corner and "Microsoft (R) Windows XP (R) (Build 2600.xpsp.051011-1528: Service Pack 2)" written at the top.
Title: Re: Your system is infected! (Please help if you can)
Post by: evilfantasy on February 18, 2010, 03:32:07 PM
msls51.dll is a malicious file.

Can you get explorer or rstrui.exe to run in Safe Mode using the Task Manager?
Title: Re: Your system is infected! (Please help if you can)
Post by: KayleyBug on February 18, 2010, 03:34:52 PM
Explorer and system restore won't work in Safe Mode either, it's the exact same results as when it was in Normal Mode, which is weird because I thought things were meant to just work when in Safe Mode.
Title: Re: Your system is infected! (Please help if you can)
Post by: evilfantasy on February 18, 2010, 03:39:25 PM
Can you burn a CD?

On a good computer, download Windows Recovery Console: http://www.thecomputerparamedic.com/files/rc.iso

Next, download, and install free Imgburn: http://www.imgburn.com/index.php?act=download

Using Imgburn, burn rc.iso to a CD.

Put the CD in the infected computer and boot to the CD...let it finish loading.

When the "Welcome to Setup" screen appears, press R to start the Recovery Console.

Follow steps 3 - 14 as described here - http://www.geekstogo.com/forum/Fake-Security-Centre-Alerts-virus-malware-t266741.html&st=15&p=1753604#entry1753604
Title: Re: Your system is infected! (Please help if you can)
Post by: KayleyBug on February 18, 2010, 04:18:06 PM
I've made the CD and put it in my infected laptop, however I'm having trouble with the 'boot to the CD step'.
Do you mean that I should restart and instead of pressing f8 for Safe Mode I should press f9 for Boot service menu? Or the other option is f10 which is ROM based setup.

In Safe Mode and Normal Mode the CD doesn't do anything so I guess I need to do either the f9 or f10 option.

If it's any help, my laptop is an HP Compaq nx6325.
Title: Re: Your system is infected! (Please help if you can)
Post by: evilfantasy on February 18, 2010, 04:21:12 PM
Quote
Do you mean that I should restart and instead of pressing f8 for Safe Mode I should press f9 for Boot service menu? Or the other option is f10 which is ROM based setup.

It will be the F9 or F10 option. You should see the CD that you have in the drive to boot to. If it isn't listed, when the computer first starts to boot, in the lower left screen you should see which key to press to get to the boot menu.
Title: Re: Your system is infected! (Please help if you can)
Post by: KayleyBug on February 18, 2010, 04:42:33 PM
I've reached step 9 where I am supposed to enter the prompt 'cd system~1\_resto~1' but when I try and type the ~ symbol on my UK keyboard a | comes up so I suppose it's set to US style.

The key next to the 1 key, which consists of ` and ¬, will make a ~ that is higher up than the one in the prompt/the one I've just demonstrated; would that still work? I've tried every other button and this is the closest it'll get.
Title: Re: Your system is infected! (Please help if you can)
Post by: evilfantasy on February 18, 2010, 05:00:55 PM
Try this.

cd system32\_restore
Title: Re: Your system is infected! (Please help if you can)
Post by: KayleyBug on February 18, 2010, 05:03:57 PM
I tried it with the weird high up ~ and it said access is denied so I followed the steps on the site, however after re-booting access was still denied.
I tried cd system32\_restore but it says the system cannot find the file or directory specified.

Title: Re: Your system is infected! (Please help if you can)
Post by: KayleyBug on February 18, 2010, 05:42:15 PM
Hate to bump myself, but I finally got it to work (I just kept doing it over and over, and it decided to work eventually). According to the site, once you type dir:
Quote
When you hit enter it will list all the restore points folders like "rp1", "rp2"
Well, I don't see anything like that. I have a huge, huge list (pages and pages) that starts out saying things like

07/11/06  07:29a  d--h-c--    0 $NtUninstallKB873333$

It goes on like this for a while, and nearer the end there are a couple of pages that are more varied, like:

02/19/10  12:58a -a------     216 wiadebug.log
08/07/04  01:01p -arh----    749  WindowsShell.manifest
Title: Re: Your system is infected! (Please help if you can)
Post by: evilfantasy on February 18, 2010, 07:27:18 PM
I'm not sure that's what you need.

When you were booting up with the CD was there an option to boot to the D drive which should be your recovery partition?
Title: Re: Your system is infected! (Please help if you can)
Post by: KayleyBug on February 19, 2010, 04:13:48 AM
Ok, well it was worth a try :)

Yes, I can enter D:\MiniNT if I press 2 instead of 1, I just assumed I needed the C drive because that's what the link you gave was explaining about. The prompt now says D:\MiniNT>

Let me know what I need to type in after the prompt, as the link you gave is for C drive prompts. Thanks for being so patient with me  :)
Title: Re: Your system is infected! (Please help if you can)
Post by: evilfantasy on February 19, 2010, 08:18:32 AM
You are going to lose all of your documents and stuff by doing this so be sure there is nothing you need to recover before trying this.

Instructions here. http://www.laptops-drivers.com/miscellaneous/step-by-step-how-to-recover-hp-or-compaq-laptop.html
Title: Re: Your system is infected! (Please help if you can)
Post by: KayleyBug on February 19, 2010, 08:22:07 AM
Should I do destructive or non-destructive recovery? The link gives instructions for both options.
Title: Re: Your system is infected! (Please help if you can)
Post by: evilfantasy on February 19, 2010, 08:27:33 AM
Try the non-destructive recovery first.
Title: Re: Your system is infected! (Please help if you can)
Post by: KayleyBug on February 19, 2010, 08:42:15 AM
F10 doesn't have the same options as the link you gave me said it should, but when starting up my laptop it says Press F11 for Emergency Recovery, should I do that?
Do I need the CD we burned last night for this, or is that not necessary?
Title: Re: Your system is infected! (Please help if you can)
Post by: evilfantasy on February 19, 2010, 08:44:31 AM
You shouldn't need the CD and use the Emergency Recovery.
Title: Re: Your system is infected! (Please help if you can)
Post by: KayleyBug on February 19, 2010, 08:52:12 AM
Emergency Recovery just re-starts the computer. I don't see any options under F10 that seem to be for recovery. The only thing I can think of is to use the CD from last night and choose the 'set up Windows XP' option, or take it to a computer repair place and ask them to recover it or wipe it for me?
Title: Re: Your system is infected! (Please help if you can)
Post by: evilfantasy on February 19, 2010, 08:54:23 AM
F10 might be different for your computer. Whatever you used to get to the boot menu.

Do you have a friend you can borrow an install CD from?
Title: Re: Your system is infected! (Please help if you can)
Post by: KayleyBug on February 19, 2010, 09:10:57 AM
I think if I go to F10 and select File - Restore Defaults it'll do it? Wipe everything clean?
But if I need an XP install CD to complete to process there's not much point, my laptop didn't come with one and everyone I can think of who might have a CD will only have Vista.

MODIFIED: I can't find any way to restore factory settings using F9, F10 or F11.
Title: Re: Your system is infected! (Please help if you can)
Post by: KayleyBug on February 19, 2010, 10:27:54 AM
Using Task Manager and going to 'New Task' and then 'Browse' I seem to be able to browse through my folders, including C drive. I managed to access System Restore (despite many boxes coming up telling me things like 'wininit.exe - unable to locate component' etc) but the ONLY restore point was for yesterday, when I still had this problem. All my other restore points have vanished.

Is there a way to access 'restore factory settings' this way? F11 is definitely supposed to be emergency recovery and should restore factory settings however nothing happens when I press F11 except that the computer re-boots.

Malwarebytes is the ONLY thing I've managed to open without any error boxes appearing, which seems odd. I'll run it but I can't post the results log obviously.
Title: Re: Your system is infected! (Please help if you can)
Post by: evilfantasy on February 19, 2010, 12:39:04 PM
Try tapping the esc key and see if it brings up the boot options.
Title: Re: Your system is infected! (Please help if you can)
Post by: KayleyBug on February 19, 2010, 01:14:40 PM
It's ok my boyfriend tried running sfc /scannow and explorer.exe started without any errors but I don't know yet how permanent it will be.

One thing that is wrong is the theme is the windows classic theme and that is the only available option whereas before I had the choice of Windows XP, Windows classic and Green.

I've created a restore point now so at least I have that to go back to. What should I do next?
Title: Re: Your system is infected! (Please help if you can)
Post by: evilfantasy on February 19, 2010, 01:16:45 PM
Quote
What should I do next?

Go to Microsoft Windows Update (http://windowsupdate.microsoft.com/) and get all critical updates. There will probably be a bunch.
Title: Re: Your system is infected! (Please help if you can)
Post by: KayleyBug on February 19, 2010, 01:29:04 PM
Critical updates installed. Still no proper XP theme, it all still looks like classic Windows. Should I install Service Pack 3 off the Microsoft site? (I have service pack 2 currently.)
Title: Re: Your system is infected! (Please help if you can)
Post by: evilfantasy on February 19, 2010, 01:45:15 PM
You may need to go into your settings and adjust the theme.

Yes get SP3.
Title: Re: Your system is infected! (Please help if you can)
Post by: KayleyBug on February 19, 2010, 02:14:39 PM
The theme's disappeared, classic is the only option. SP3 is slowly installing, I'll just download a new theme once everything else is sorted. After SP3 has installed what do you want me to do? Hopefully the desktop will still be there after re-booting!
Title: Re: Your system is infected! (Please help if you can)
Post by: KayleyBug on February 19, 2010, 03:47:12 PM
SP3 has installed, XP theme is back :) Should I turn on Automatic Updates or just update periodically when I decide?

Let me know what you want me to do next.
Title: Re: Your system is infected! (Please help if you can)
Post by: evilfantasy on February 19, 2010, 03:57:00 PM
I would turn on Automatic Updates.

Run a virus scan. ;)
Title: Re: Your system is infected! (Please help if you can)
Post by: KayleyBug on February 19, 2010, 06:04:55 PM
I ran a Malwarebytes full scan and it found 0 problems.

New problem: my internet's decided to stop working on my laptop. It's connected, apparently, but says 'limited or no connectivity' and the internet icon at the bottom has an exclamation mark next to it as opposed to a check mark or an X which are the two things it normally uses. Could this be down to SP3? Obviously my internet in general is fine as I'm using the same wireless modem on this laptop.

One thing after another, eh!  ::)

Using a USB I got the log from Malwarebytes' scan, in case you need to take a look at that  :)

Malwarebytes' Anti-Malware 1.44
Database version: 3510
Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

20/02/2010 00:42:05
mbam-log-2010-02-20 (00-42-05).txt

Scan type: Full Scan (C:\|E:\|)
Objects scanned: 223060
Time elapsed: 1 hour(s), 21 minute(s), 25 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
Title: Re: Your system is infected! (Please help if you can)
Post by: evilfantasy on February 19, 2010, 06:08:01 PM
Make sure you have all web browsers closed.

* Go into Control Panel > Network Connections
* Right click on your connection then and click Properties
* On the Properties page, highlight Internet Protocol(TCP/IP)
* Click Properties, this will bring up another page.
* Select Obtain DNS Server Automatically
* Click the OK button. The page will close.
* Press OK on the page in front of you.
* Restart the computer.


Any changes?
Title: Re: Your system is infected! (Please help if you can)
Post by: KayleyBug on February 19, 2010, 06:18:25 PM
The Obtain DNS Server Automatically option was already selected.
Restarted my laptop anyway - no change except the internet icon at the bottom looks like it's connected, instead of having an exclamation mark, but the internet still doesn't work.

I've also noticed that my laptop takes much longer to start up the desktop after updating to SP3 - all the desktop icons take a long time to show up, is that because I now have so many due to all the anti-virus programs and log files on there?

It could be a while before my next reply as it's 1.17am here and I have work in the morning.
Let me know what needs doing and I'll try and sort it tomorrow.
Thanks again for all your help so far :)
Title: Re: Your system is infected! (Please help if you can)
Post by: evilfantasy on February 19, 2010, 06:20:52 PM
No problem. I'll be around tomorrow.


Go Start > Run (Start search in Vista) and type in: cmd

Click OK (in Vista, while holding CTRL and SHIFT, press Enter).

In the Command Prompt window type in the following commands, and press Enter after each one:

Code: [Select]
ipconfig /flushdns
ipconfig /registerdns
ipconfig /release
ipconfig /renew

Note the space before the forward slash /

Restart your computer.

Any luck?

If not I would take a few minutes and call your ISP to see if they can reset it on their end.
Title: Re: Your system is infected! (Please help if you can)
Post by: KayleyBug on February 20, 2010, 03:59:34 AM
No luck with that sadly. I'm not sure if AOL can help as it's more a problem with my laptop than the internet in general, as 2 other laptops and the computer in my house are managing to connect. So far (using my hit-and-miss Googling skills) I've discovered that one person had the same problem and resolved it by:
uninstalling and reinstalling Client Services by going into Local Area Connection Properties.

One website suggests letting Windows manage my Wireless network adapter by:
    1. Click Start -  Run and type “services.msc” and press enter.

    2. Scroll down to locate “Wireless Zero Configuration”

    3. Right-click and select “Start”

Lastly AOL's website suggested Zone Alarm might be blocking it, which I hadn't thought to check.

Once I'm home from work I'll try at least the Zone Alarm option, but I'd rather have your opinion before I start messing around with everything else :)
Title: Re: Your system is infected! (Please help if you can)
Post by: KayleyBug on February 20, 2010, 11:33:15 AM
Success! I did a system restore to before I updated to SP3 and now I have my XP theme back (which I didn't have before I installed SP3 so that's weird but cool) and now internet works :)

My computer's still a little slower than before at loading the desktop, it's just the background pic for a bit and then it flickers to black and then back to the picture, and that's when the icons finally appear.
The Start bar loads straight away though. Is this because I have about 30 desktop icons now, as opposed to the 5 I had before installing everything to it?
Title: Re: Your system is infected! (Please help if you can)
Post by: evilfantasy on February 20, 2010, 02:37:48 PM
You should run a Malwarebytes scan and see if it turns up anything.
Title: Re: Your system is infected! (Please help if you can)
Post by: KayleyBug on February 20, 2010, 04:27:10 PM
Malwarebytes' Anti-Malware 1.44
Database version: 3510
Windows 5.1.2600 Service Pack 2
Internet Explorer 7.0.5730.13

20/02/2010 23:24:56
mbam-log-2010-02-20 (23-24-56).txt

Scan type: Quick Scan
Objects scanned: 124335
Time elapsed: 7 minute(s), 55 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


I think I might try de-fragmenting my laptop on Sunday, haven't done that in well over a year so that's probably slowing things down a bit.
Can you recommend a good, user-friendly firewall? I've got ZoneAlarm but I'm not a fan of it, and I know Windows firewall isn't very good on XP.
Title: Re: Your system is infected! (Please help if you can)
Post by: evilfantasy on February 20, 2010, 04:30:00 PM
Getting rid of ZoneAlarm is probably a good idea. I've never liked it much.

Try this. Online Armor (http://www.majorgeeks.com/Online_Armor_Free_d4872.html). Be sure to completely uninstall ZA before installing OA.

You can use the built-in Windows defrag by clicking Start > Run, typing dfrg.msc and clicking OK. Or use a faster FREE program. Defraggler (http://majorgeeks.com/Defraggler_d5777.html) is very effective and easy to use.

Important! Be sure to uncheck Install optional Yahoo! Toolbar during the install process to avoid installing the Yahoo! Toolbar.

Note: Be sure to clean out temp files (run CCleaner) and restart the computer just before beginning a defrag.
Title: Re: Your system is infected! (Please help if you can)
Post by: KayleyBug on February 20, 2010, 04:31:22 PM
Thanks :) Does this mean my laptop is all clear?
Title: Re: Your system is infected! (Please help if you can)
Post by: evilfantasy on February 20, 2010, 04:32:56 PM
You can post a new HijackThis log for a double check.
Title: Re: Your system is infected! (Please help if you can)
Post by: KayleyBug on February 20, 2010, 04:35:04 PM
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:35:08, on 20/02/2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\HPQ\IAM\bin\asghost.exe
C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
C:\WINDOWS\UMStor\Res.EXE
C:\Program Files\Multi-Direction Opitcal Mouse\Multi-Direction Opitcal Mouse\2.0\ACQTMAPP.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\IFXSPMGT.exe
C:\WINDOWS\system32\IFXTCS.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\ProtectTools\Embedded Security Software\PSDsrvc.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\mqsvc.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\ProtectTools\Embedded Security Software\PSDrt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\sniper.exe.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hp.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.hp.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local;*.local
O1 - Hosts: ˙ž127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: HP Credential Manager for ProtectTools - {DF21F1DB-80C6-11D3-9483-B03D0EC10000} - C:\Program Files\HPQ\IAM\Bin\ItIeAddIN.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O4 - HKLM\..\Run: [WatchDog] C:\Program Files\InterVideo\DVD Check\DVDCheck.exe
O4 - HKLM\..\Run: [LXCFCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCFtime.dll,[email protected]
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [USB Storage Toolbox] C:\WINDOWS\UMStor\Res.EXE
O4 - HKLM\..\Run: [ACQTMOUSE] "C:\Program Files\Multi-Direction Opitcal Mouse\Multi-Direction Opitcal Mouse\2.0\ACQTMAPP.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [trayServer] C:\Program Files\MAGIX\Movie_Edit_Pro_15_Download_version\TrayServer.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Kbdgui] rundll32.exe "C:\Documents and Settings\Administrator\Application Data\Adobe\Update\traykbd.dat""
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: AOL 9.0 Tray Icon.lnk = C:\Program Files\AOL 9.0a\aoltray.exe
O4 - Global Startup: DVD Check.lnk = C:\Program Files\InterVideo\DVD Check\DVDCheck.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.hp.com
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {2250C29C-C5E9-4F55-BE4E-01E45A40FCF1} (CMediaMix Object) - http://musicmix.messenger.msn.com/Medialogic.CAB
O16 - DPF: {4A85DBE0-BFB2-4119-8401-186A7C6EB653} - http://messenger.zone.msn.com/MessengerGamesContent/GameContent/Default/mjss/MJSS.cab109791.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by117fd.bay117.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-GB/a-UNO1/GAME_UNO1.cab
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
O16 - DPF: {F8C5C0F1-D884-43EB-A5A0-9E1C4A102FA8} (GoPetsWeb Control) - https://secure.gopetslive.com/dev/GoPetsWeb.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O20 - Winlogon Notify: OneCard - C:\Program Files\HPQ\IAM\Bin\AsWlnPkg.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Firebird Server - MAGIX Instance (FirebirdServerMAGIXInstance) - MAGIX® - C:\Program Files\MAGIX\Common\Database\bin\fbserver.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Security Platform Management Service (IFXSpMgtSrv) - Infineon Technologies AG - C:\WINDOWS\system32\IFXSPMGT.exe
O23 - Service: Trusted Platform Core Service (IFXTCS) - Infineon Technologies AG - C:\WINDOWS\system32\IFXTCS.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: lxcf_device -   - C:\WINDOWS\system32\lxcfcoms.exe
O23 - Service: PC Angel (PCA) - SoftThinks - C:\WINDOWS\SMINST\PCAngel.exe
O23 - Service: Personal Secure Drive Service (PersonalSecureDriveService) - Infineon Technologies AG - C:\Program Files\ProtectTools\Embedded Security Software\PSDsrvc.EXE
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 11311 bytes
Title: Re: Your system is infected! (Please help if you can)
Post by: evilfantasy on February 20, 2010, 04:48:00 PM
Quote
Checking: Platform: Windows XP SP2 (WinNT 5.01.2600)

You should get SP3 ASAP. There are many security related updates as well as stability improvements included with SP3.

Something is wrong here. Looks like your HOSTS file is messed up. Might be contributing to your connection issues. Looks like there is indeed an infection also.

If you are going to remove Zone Alarm, go ahead and do it now so it does not interfere with the fixes. Wait until we are done to install Online Armor.

Open HijackThis and select Do a system scan only

Place a check mark next to the following entries: (if there)

.
Important: Close all open windows except for HijackThis and then click Fix checked.

Once completed, exit HijackThis.

----------

Download HostsXpert (http://www.majorgeeks.com/Hoster_d4626.html) and then follow the below steps.

* Unzip HostXpert to your desktop.
* Open up the HostsXpert program.
* (Vista and Windows 7 users right click HostsXpert and choose Run as Administrator)
* Make sure that the "Make Hosts Writable?" button in the upper left corner is enabled (unlocked).
* Click Create Back Up.
* Then click on Restore Microsoft's Host Files.
* Close the HostsXpert program.

Note: if you use SpywareBlaster, Spybot and/or IE-SPYAD, it will be necessary to re-install the protection they afford. For SpywareBlaster, run the program and select Enable all protection. For Spybot run the program and select Immunize. For IE-SPYAD, run the batch file and reinstall the protection.

----------

If you already have ComboFix be sure to delete it and download a new copy.

Download ComboFix© by sUBs from one of the below links. Be sure to save it to the Desktop.

Link #1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link #2 (http://www.forospyware.com/sUBs/ComboFix.exe)

**Note:  It is important that it is saved directly to your Desktop

Close any open Web browsers. (Firefox, Internet Explorer, etc) before starting ComboFix.

Temporarily disable your antivirus and any antispyware real time protection before performing a scan. Click this link (http://www.bleepingcomputer.com/forums/topic114351.html) to see a list of security programs that should be disabled and how to disable them.
 
Double click combofix.exe & follow the prompts.
Vista users Right-Click on ComboFix.exe and select Run as administrator (you will receive a UAC prompt, please allow it)
When finished ComboFix will produce a log for you.
Post the ComboFix log in your next reply.

Important: Do not mouseclick ComboFix's window while it is running. That may cause it to stall.

Remember to re-enable your antivirus and antispyware protection when ComboFix is complete.

If you have problems with ComboFix usage, see How to use ComboFix (http://www.bleepingcomputer.com/combofix/how-to-use-combofix)
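The reply above points at the `O1 - Hosts:` line in the HijackThis log, where stray characters sit in front of `127.0.0.1`, and prescribes HostsXpert to put the file back; the log also shows a browser proxy on `127.0.0.1:8080` and an `O4` autostart that hands `rundll32.exe` a `.dat` file under `Application Data`, which is most likely what "there is indeed an infection" refers to. The script below is an added example of that kind of log triage, written for this thread; it is not code from the posters, from HijackThis or from ComboFix, and the rules are my own heuristics rather than anything those tools implement. It runs over constructed lines shaped like the posted ones (the paths and names are illustrative, not copied indicators) and reports three kinds of finding: a browser proxy on the loopback address, a hosts entry that starts with non-ASCII bytes, and a Run entry that points rundll32 at a non-DLL file or at a file inside a user profile. My reading of the two stray characters is that they are the bytes FF FE, a UTF-16 byte-order mark, shown through a Central European code page, which would leave the hosts file unreadable to the resolver; the reply itself only says the file is messed up.

```python
"""Triage helper for HijackThis-style log lines (added example, not from the thread)."""
import re

# Constructed sample shaped like the log posted above. Paths and names are
# illustrative; they are not copied indicators from the thread.
SAMPLE_LOG = r"""R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.example.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local;*.local
O1 - Hosts: ˙ž127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\Run: [PrinterStatus] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\PRNTtime.dll,RunDLLEntry
O4 - HKCU\..\Run: [Kbdgui] rundll32.exe "C:\Documents and Settings\User\Application Data\Vendor\Update\traykbd.dat"
O23 - Service: Example Service - Example Corp - C:\Program Files\Example\svc.exe
"""

# A browser proxy on the loopback address means something local sits between
# the browser and the network; confirm which process listens on that port.
LOOPBACK_PROXY = re.compile(
    r"ProxyServer = (?:127\.\d{1,3}\.\d{1,3}\.\d{1,3}|localhost):\d+", re.I)
HOSTS_LINE = re.compile(r"^O1 - Hosts: (.*)$")
RUN_LINE = re.compile(r"^O4 - HK\S*\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
# First drive-letter path in a command line; stops at a quote or a comma
# (rundll32 separates the DLL from its entry point with a comma).
PATH_RE = re.compile(r'[a-z]:\\[^",]+')
# Autostart entries living under a user profile deserve a second look.
PROFILE_DIRS = ("\\documents and settings\\", "\\application data\\",
                "\\users\\", "\\appdata\\")


def check_hosts_entry(body):
    """Return a finding for the text after 'O1 - Hosts: ', or None if it looks normal."""
    if not body:
        return None
    if ord(body[0]) > 127:
        return (f"hosts entry begins with non-ASCII characters {body[:2]!r}; the file "
                "likely carries a byte-order mark or other damage and will not be parsed as intended")
    parts = body.split()
    if len(parts) >= 2 and parts[1].lower() != "localhost":
        return f"hosts entry maps {parts[1]} to {parts[0]}; confirm it is intended"
    return None


def check_run_entry(cmd):
    """Return a list of findings for one O4 Run command line (empty if nothing stands out)."""
    findings = []
    low = cmd.lower()
    match = PATH_RE.search(low)
    target = match.group(0).strip() if match else ""
    if "rundll32" in low and not target.endswith(".dll"):
        findings.append(f"rundll32 is used to load a non-DLL file ({target or cmd!r}); "
                        "renamed payloads are commonly launched this way")
    if any(d in target for d in PROFILE_DIRS):
        findings.append(f"autostart target lives in a user profile directory ({target}); "
                        "legitimate startup items usually reside under Program Files or Windows")
    return findings


def triage(log_text):
    """Scan log lines and return (section, message) findings in log order."""
    findings = []
    for line in log_text.splitlines():
        line = line.rstrip()
        if LOOPBACK_PROXY.search(line):
            findings.append((line[:2], "browser proxy is set to the loopback address; "
                             "confirm which process listens there before trusting web traffic"))
            continue
        m = HOSTS_LINE.match(line)
        if m:
            finding = check_hosts_entry(m.group(1))
            if finding:
                findings.append(("O1", finding))
            continue
        m = RUN_LINE.match(line)
        if m:
            for finding in check_run_entry(m.group("cmd")):
                findings.append(("O4", f"[{m.group('name')}] {finding}"))
    return findings


if __name__ == "__main__":
    for section, message in triage(SAMPLE_LOG):
        print(f"{section}: {message}")
```

On the sample it reports the proxy line, the damaged hosts entry and two findings for the `Kbdgui` item, while the printer-driver rundll32 entry in `System32` and `ctfmon.exe` pass clean. The hosts rule also flags any entry whose hostname is not `localhost`, which goes slightly beyond the posted log but is the usual reason to read `O1` lines at all.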

Title: Re: Your system is infected! (Please help if you can)
Post by: KayleyBug on February 20, 2010, 04:55:06 PM
Can I do all these things before installing SP3?
Installing SP3 is what messed up my internet connection the first time, so I want to get all this sorted first if possible. There's no way SP3 will undo these instructions if I install it after, is there?
Title: Re: Your system is infected! (Please help if you can)
Post by: evilfantasy on February 20, 2010, 05:10:38 PM
Yes it's best to wait until we get done before going to SP3.
Title: Re: Your system is infected! (Please help if you can)
Post by: KayleyBug on February 20, 2010, 05:34:28 PM
Here's the combofix log.

If it's of any importance, I've noticed that suddenly, each time my computer starts up, a shortcut to Internet Explorer appears on my desktop.
I always delete the shortcut as I use Firefox, but then the next time I start up my laptop, there it is again on the desktop!



ComboFix 10-02-20.03 - Kayley E R 21/02/2010   0:15.3.1 - x86
Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.895.394 [GMT 0:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Outdated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\ADMINI~1\LOCALS~1\Temp\21303429133.nls
c:\documents and settings\Administrator\Local Settings\temp\21303429133.nls

.
(((((((((((((((((((((((((   Files Created from 2010-01-21 to 2010-02-21  )))))))))))))))))))))))))))))))
.

2010-02-20 18:24 . 2010-02-20 18:24   --------   d-----w-   c:\windows\system32\wbem\Repository
2010-02-19 22:30 . 2010-02-19 22:30   --------   d-----w-   c:\windows\system32\scripting
2010-02-19 22:30 . 2010-02-19 22:30   --------   d-----w-   c:\windows\l2schemas
2010-02-19 22:27 . 2010-02-19 22:31   --------   d-----w-   c:\windows\ServicePackFiles
2010-02-19 18:30 . 2004-08-04 00:56   116224   ----a-w-   c:\windows\system32\dllcache\xrxwiadr.dll
2010-02-19 18:30 . 2001-08-17 22:36   23040   ----a-w-   c:\windows\system32\dllcache\xrxwbtmp.dll
2010-02-19 18:30 . 2001-08-17 22:36   17408   ----a-w-   c:\windows\system32\dllcache\xrxscnui.dll
2010-02-19 18:30 . 2001-08-17 22:37   27648   ----a-w-   c:\windows\system32\dllcache\xrxftplt.exe
2010-02-19 18:30 . 2001-08-17 22:37   4608   ----a-w-   c:\windows\system32\dllcache\xrxflnch.exe
2010-02-19 18:29 . 2001-08-17 22:37   99865   ----a-w-   c:\windows\system32\dllcache\xlog.exe
2010-02-19 18:29 . 2001-08-17 12:11   16970   ----a-w-   c:\windows\system32\dllcache\xem336n5.sys
2010-02-19 18:29 . 2004-08-03 22:29   19455   ----a-w-   c:\windows\system32\dllcache\wvchntxx.sys
2010-02-19 18:29 . 2004-08-03 22:29   12063   ----a-w-   c:\windows\system32\dllcache\wsiintxx.sys
2010-02-19 18:29 . 2004-08-03 22:31   154624   ----a-w-   c:\windows\system32\dllcache\wlluc48.sys
2010-02-19 18:29 . 2001-08-17 12:12   34890   ----a-w-   c:\windows\system32\dllcache\wlandrv2.sys
2010-02-19 18:27 . 2001-08-17 12:13   19528   ----a-w-   c:\windows\system32\dllcache\w840nd.sys
2010-02-19 18:26 . 2001-08-17 13:28   793598   ----a-w-   c:\windows\system32\dllcache\usr1806.sys
2010-02-19 18:25 . 2001-08-17 22:36   216064   ----a-w-   c:\windows\system32\dllcache\um34scan.dll
2010-02-19 18:24 . 2001-08-17 14:02   230912   ----a-w-   c:\windows\system32\dllcache\tosdvd03.sys
2010-02-19 18:23 . 2001-08-17 14:07   32640   ----a-w-   c:\windows\system32\dllcache\symc8xx.sys
2010-02-19 18:22 . 2001-08-17 12:11   48736   ----a-w-   c:\windows\system32\dllcache\srwlnd5.sys
2010-02-19 18:21 . 2004-08-04 13:00   40448   ----a-w-   c:\windows\system32\dllcache\snmpthrd.dll
2010-02-19 18:20 . 2001-08-17 12:12   91294   ----a-w-   c:\windows\system32\dllcache\skfpwin.sys
2010-02-19 18:19 . 2001-07-21 14:29   161568   ----a-w-   c:\windows\system32\dllcache\sgsmusb.sys
2010-02-19 18:18 . 2001-08-17 13:51   23936   ----a-w-   c:\windows\system32\dllcache\sccmn50m.sys
2010-02-19 18:17 . 2004-08-04 13:00   79872   ----a-w-   c:\windows\system32\dllcache\rwia330.dll
2010-02-19 18:16 . 2001-08-17 13:28   899146   ----a-w-   c:\windows\system32\dllcache\r2mdkxga.sys
2010-02-19 18:15 . 2001-08-17 13:51   16128   ----a-w-   c:\windows\system32\dllcache\pscr.sys
2010-02-19 18:14 . 2001-08-17 22:36   86016   ----a-w-   c:\windows\system32\dllcache\pctspk.exe
2010-02-19 18:13 . 2001-08-17 14:05   48000   ----a-w-   c:\windows\system32\dllcache\ovcam2.sys
2010-02-19 18:12 . 2001-08-17 12:20   87040   ----a-w-   c:\windows\system32\dllcache\nm6wdm.sys
2010-02-19 18:12 . 2001-08-17 12:20   126080   ----a-w-   c:\windows\system32\dllcache\nm5a2wdm.sys
2010-02-19 18:12 . 2004-08-04 13:00   53248   ----a-w-   c:\windows\system32\dllcache\nextlink.dll
2010-02-19 18:12 . 2001-08-17 12:12   32840   ----a-w-   c:\windows\system32\dllcache\ngrpci.sys
2010-02-19 18:12 . 2004-08-03 22:31   132695   ----a-w-   c:\windows\system32\dllcache\netwlan5.sys
2010-02-19 18:12 . 2001-08-17 12:11   65278   ----a-w-   c:\windows\system32\dllcache\netflx3.sys
2010-02-19 18:12 . 2001-08-17 12:50   39264   ----a-w-   c:\windows\system32\dllcache\neo20xx.sys
2010-02-19 18:12 . 2001-08-17 22:36   60480   ----a-w-   c:\windows\system32\dllcache\neo20xx.dll
2010-02-19 18:12 . 2001-08-17 13:49   15872   ----a-w-   c:\windows\system32\dllcache\ne2000.sys
2010-02-19 18:11 . 2001-08-17 14:56   91488   ----a-w-   c:\windows\system32\dllcache\n9i3disp.dll
2010-02-19 18:11 . 2001-08-17 12:50   27936   ----a-w-   c:\windows\system32\dllcache\n9i3d.sys
2010-02-19 18:11 . 2001-08-17 12:50   33088   ----a-w-   c:\windows\system32\dllcache\n9i128v2.sys
2010-02-19 18:11 . 2001-08-17 22:36   59104   ----a-w-   c:\windows\system32\dllcache\n9i128v2.dll
2010-02-19 18:11 . 2001-08-17 12:50   13664   ----a-w-   c:\windows\system32\dllcache\n9i128.sys
2010-02-19 18:11 . 2001-08-17 14:56   35392   ----a-w-   c:\windows\system32\dllcache\n9i128.dll
2010-02-19 18:11 . 2001-08-17 12:11   128000   ----a-w-   c:\windows\system32\dllcache\n100325.sys
2010-02-19 18:09 . 2001-08-17 14:02   35200   ----a-w-   c:\windows\system32\dllcache\msgame.sys
2010-02-19 18:08 . 2001-08-17 22:36   47616   ----a-w-   c:\windows\system32\dllcache\memgrp.dll
2010-02-19 18:07 . 2001-08-17 12:12   20573   ----a-w-   c:\windows\system32\dllcache\lne100.sys
2010-02-19 18:06 . 2001-08-17 12:12   45632   ----a-w-   c:\windows\system32\dllcache\ip5515.sys
2010-02-19 18:05 . 2001-08-17 22:36   26624   ----a-w-   c:\windows\system32\dllcache\icam3ext.dll
2010-02-19 18:04 . 2001-08-17 13:28   488383   ----a-w-   c:\windows\system32\dllcache\hsf_v124.sys
2010-02-19 18:03 . 2001-08-17 22:36   31232   ----a-w-   c:\windows\system32\dllcache\hpgt42tk.dll
2010-02-19 18:02 . 2001-08-17 12:49   320384   ----a-w-   c:\windows\system32\dllcache\g200m.sys
2010-02-19 18:01 . 2001-08-17 12:12   16074   ----a-w-   c:\windows\system32\dllcache\fa312nd5.sys
2010-02-19 18:00 . 2001-08-17 12:19   283904   ----a-w-   c:\windows\system32\dllcache\emu10k1m.sys
2010-02-19 17:59 . 2001-08-17 12:11   29696   ----a-w-   c:\windows\system32\dllcache\dm9pci5.sys
2010-02-19 17:58 . 2001-08-17 13:52   14720   ----a-w-   c:\windows\system32\dllcache\dac960nt.sys
2010-02-19 17:57 . 2004-08-04 13:00   15872   ----a-w-   c:\windows\system32\dllcache\chgport.exe
2010-02-19 17:56 . 2001-08-17 13:51   13824   ----a-w-   c:\windows\system32\dllcache\bulltlp3.sys
2010-02-19 17:55 . 2004-08-03 22:29   104960   ----a-w-   c:\windows\system32\dllcache\atinrvxx.sys
2010-02-19 17:54 . 2004-08-03 22:32   231552   ----a-w-   c:\windows\system32\dllcache\ac97ali.sys
2010-02-19 17:53 . 2003-03-24 16:52   49210   ----a-w-   c:\windows\system32\dllcache\fp4areg.dll
2010-02-19 17:53 . 2003-03-24 16:52   147513   ----a-w-   c:\windows\system32\dllcache\fp4apws.dll
2010-02-19 17:53 . 2003-03-24 16:52   102509   ----a-w-   c:\windows\system32\dllcache\fp4atxt.dll
2010-02-19 17:53 . 2004-05-13 00:39   184435   ----a-w-   c:\windows\system32\dllcache\fp4amsft.dll
2010-02-19 17:53 . 2003-03-24 16:52   82035   ----a-w-   c:\windows\system32\dllcache\fp4anscp.dll
2010-02-19 17:53 . 2004-08-04 13:00   46592   ----a-w-   c:\windows\system32\dllcache\coadmin.dll
2010-02-19 17:53 . 2003-03-24 16:52   188480   ----a-w-   c:\windows\system32\dllcache\cfgwiz.exe
2010-02-19 17:53 . 2003-03-24 16:52   20540   ----a-w-   c:\windows\system32\dllcache\author.dll
2010-02-19 17:53 . 2003-03-24 16:52   16439   ----a-w-   c:\windows\system32\dllcache\author.exe
2010-02-19 17:53 . 2004-08-04 13:00   43520   ----a-w-   c:\windows\system32\dllcache\admwprox.dll
2010-02-19 17:53 . 2004-08-04 13:00   290816   ----a-w-   c:\windows\system32\dllcache\adsiis51.dll
2010-02-19 17:53 . 2003-03-24 16:52   16439   ----a-w-   c:\windows\system32\dllcache\admin.exe
2010-02-19 17:53 . 2003-03-24 16:52   20540   ----a-w-   c:\windows\system32\dllcache\admin.dll
2010-02-18 19:18 . 2010-02-18 19:18   --------   d-----w-   C:\_OTM
2010-02-18 01:43 . 2009-06-30 09:37   28552   ----a-w-   c:\windows\system32\drivers\pavboot.sys
2010-02-18 01:43 . 2010-02-18 01:43   --------   d-----w-   c:\program files\Panda Security
2010-02-18 01:09 . 2010-02-18 01:09   --------   d-----w-   c:\program files\ESET
2010-02-15 23:25 . 2010-02-15 23:25   --------   d-----w-   c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-02-15 23:25 . 2010-02-15 23:25   --------   d-----w-   c:\program files\SUPERAntiSpyware
2010-02-15 23:25 . 2010-02-15 23:25   --------   d-----w-   c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2010-02-15 22:38 . 2010-02-15 22:38   --------   d-----w-   c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-02-15 22:37 . 2010-01-07 16:07   38224   ----a-w-   c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-15 22:37 . 2010-02-15 22:37   --------   d-----w-   c:\documents and settings\All Users\Application Data\Malwarebytes
2010-02-15 22:37 . 2010-01-07 16:07   19160   ----a-w-   c:\windows\system32\drivers\mbam.sys
2010-02-15 22:37 . 2010-02-15 22:38   --------   d-----w-   c:\program files\Malwarebytes' Anti-Malware
2010-02-15 22:23 . 2010-02-15 22:23   --------   d-----w-   c:\program files\Trend Micro
2010-02-15 19:28 . 2010-02-15 19:28   552   ----a-w-   c:\windows\system32\d3d8caps.dat
2010-02-15 18:13 . 2010-02-15 18:13   --------   d-----w-   c:\documents and settings\Administrator\Application Data\AVG8

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-19 22:36 . 2004-08-07 13:12   91799   ----a-w-   c:\windows\pchealth\helpctr\OfflineCache\index.dat
2010-02-19 17:42 . 2009-08-09 14:42   0   ----a-w-   c:\documents and settings\Administrator\Local Settings\Application Data\prvlcl.dat
2010-02-16 00:16 . 2009-05-17 14:44   --------   d-----w-   c:\program files\Xvid
2010-02-16 00:16 . 2007-12-03 15:32   --------   d-----w-   c:\program files\USB Disk Win98 Driver
2010-02-16 00:16 . 2006-07-11 06:12   --------   d-----w-   c:\program files\Windows Media Connect
2010-02-15 23:26 . 2010-02-15 23:26   52224   ----a-w-   c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-02-15 23:26 . 2010-02-15 23:26   117760   ----a-w-   c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-02-15 23:24 . 2010-01-17 12:44   --------   d-----w-   c:\program files\Common Files\Wise Installation Wizard
2010-02-15 23:13 . 2008-10-05 14:53   --------   d-----w-   c:\documents and settings\All Users\Application Data\rspgjclg
2010-02-10 14:52 . 2007-01-09 11:46   --------   d-----w-   c:\program files\Lx_cats
2010-01-17 12:46 . 2010-01-17 12:46   4   --sh--r-   c:\documents and settings\All Users\Application Data\sysqcl1129139270.dat
2010-01-14 11:12 . 2009-10-04 16:01   181120   ------w-   c:\windows\system32\MpSigStub.exe
2010-01-09 19:53 . 2008-07-31 11:38   --------   d-----w-   c:\program files\Windows Live Safety Center
2009-05-01 21:02 . 2009-05-01 21:02   1044480   ----a-w-   c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-01 21:02 . 2009-05-01 21:02   200704   ----a-w-   c:\program files\mozilla firefox\plugins\ssldivx.dll
.

------- Sigcheck -------

[7] 2008-04-13 . 1DF7F42665C94B825322FAE71721130D . 182656 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\ndis.sys
[7] 2008-04-13 . 1DF7F42665C94B825322FAE71721130D . 182656 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\ndis.sys
[-] 2006-01-10 . AA898F84D2B59129FB92E143A2C73434 . 182528 . . [5.1.2600.2824] . . c:\windows\$NtServicePackUninstall$\ndis.sys
[-] 2006-01-10 . AA898F84D2B59129FB92E143A2C73434 . 182528 . . [5.1.2600.2824] . . c:\windows\ERDNT\cache\ndis.sys
[-] 2006-01-10 . AA898F84D2B59129FB92E143A2C73434 . 182528 . . [5.1.2600.2824] . . c:\windows\system32\dllcache\ndis.sys
[-] 2006-01-10 . AA898F84D2B59129FB92E143A2C73434 . 182528 . . [5.1.2600.2824] . . c:\windows\system32\drivers\ndis.sys
[7] 2004-08-04 . 558635D3AF1C7546D26067D5D9B6959E . 182912 . . [5.1.2600.2180] . . c:\windows\$NtUninstallKB912436$\ndis.sys

[7] 2008-04-13 . 93EA8D04EC73A85DB02EB8805988F733 . 361344 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\tcpip.sys
[7] 2008-04-13 . 93EA8D04EC73A85DB02EB8805988F733 . 361344 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\tcpip.sys
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2009-07-26 3883856]
"Kbdgui"="c:\documents and settings\Administrator\Application Data\Adobe\Update\traykbd.dat" [2010-02-16 123392]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WatchDog"="c:\program files\InterVideo\DVD Check\DVDCheck.exe" [2006-03-31 184320]
"LXCFCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\LXCFtime.dll" [2005-07-20 73728]
"Sony Ericsson PC Suite"="c:\program files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2007-03-28 593920]
"USB Storage Toolbox"="c:\windows\UMStor\Res.EXE" [2005-09-14 65536]
"ACQTMOUSE"="c:\program files\Multi-Direction Opitcal Mouse\Multi-Direction Opitcal Mouse\2.0\ACQTMAPP.exe" [2006-12-27 489984]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-03-28 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-03-30 267048]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-04-01 1932568]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-03 866584]
"TrayServer"="c:\program files\MAGIX\Movie_Edit_Pro_15_Download_version\TrayServer.exe" [2008-11-13 90112]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"IMEKRMIG6.1"="c:\windows\ime\imkr6_1\IMEKRMIG.EXE" [2004-08-04 44032]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]

c:\documents and settings\Administrator\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
AOL 9.0 Tray Icon.lnk - c:\program files\AOL 9.0a\aoltray.exe [2007-2-4 156784]
DVD Check.lnk - c:\program files\InterVideo\DVD Check\DVDCheck.exe [2006-10-4 184320]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 14:21   548352   ----a-w-   c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-04-01 11:34   10520   ----a-w-   c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IfxWlxEN]
2006-03-03 15:08   434176   ----a-w-   c:\windows\system32\IfxWlxEN.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\OneCard]
2005-07-25 18:41   40960   ----a-w-   c:\program files\HPQ\IAM\Bin\AsWlnPkg.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\mqsvc.exe"=
"c:\\WINDOWS\\SMINST\\Scheduler.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\AOL 9.0\\waol.exe"=
"c:\\Program Files\\AOL\\RC\\regClient.exe"=
"c:\\Program Files\\AOL 9.0a\\waol.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [18/02/2010 01:43 28552]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [01/04/2009 11:34 325640]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [01/04/2009 11:34 108552]
R1 PersonalSecureDrive;PersonalSecureDrive;c:\windows\system32\drivers\psd.sys [29/11/2005 16:56 36768]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [05/01/2010 07:56 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [05/01/2010 07:56 74480]
R2 ASChannel;Local Communication Channel;c:\windows\System32\svchost.exe -k Cognizance [04/08/2004 08:00 14336]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [01/04/2009 11:33 298264]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [03/11/2006 18:19 13592]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [21/10/2005 11:19 36352]
S3 FirebirdServerMAGIXInstance;Firebird Server - MAGIX Instance;c:\program files\MAGIX\Common\Database\bin\fbserver.exe [16/05/2009 15:03 1527900]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [05/01/2010 07:56 7408]
S3 z520bus;Sony Ericsson 520 driver (WDM);c:\windows\system32\drivers\z520bus.sys [26/07/2005 10:13 57648]
S3 z520mdfl;Sony Ericsson 520 USB WMC Modem Filter;c:\windows\system32\drivers\z520mdfl.sys [26/09/2007 13:34 8336]
S3 z520mdm;Sony Ericsson 520 USB WMC Modem Drivers;c:\windows\system32\drivers\z520mdm.sys [26/09/2007 13:34 93488]
S3 z520mgmt;Sony Ericsson 520 USB WMC Device Management Drivers;c:\windows\system32\drivers\z520mgmt.sys [26/09/2007 13:35 84928]
S3 z520obex;Sony Ericsson 520 USB WMC OBEX Interface Drivers;c:\windows\system32\drivers\z520obex.sys [26/09/2007 13:34 82864]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Cognizance   REG_MULTI_SZ      ASChannel
.
Contents of the 'Scheduled Tasks' folder

2010-02-21 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 18:20]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.hp.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = hxxp://www.hp.com/
uInternet Settings,ProxyServer = 127.0.0.1:8080
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &AOL Toolbar search - c:\program files\AOL Toolbar\toolbar.dll/SEARCH.HTML
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
DPF: {F8C5C0F1-D884-43EB-A5A0-9E1C4A102FA8} - hxxps://secure.gopetslive.com/dev/GoPetsWeb.cab
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\dlbu8v23.default\
FF - plugin: c:\program files\Common Files\ParallelGraphics\Cortona\npCortona.dll
.
- - - - ORPHANS REMOVED - - - -

AddRemove-HijackThis - c:\program files\Trend Micro\HijackThis\HijackThis.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-21 00:25
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ... 

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
  LXCFCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\LXCFtime.dll,[email protected]

scanning hidden files ... 

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(896)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\Ati2evxx.dll
c:\program files\HPQ\IAM\Bin\AsWlnPkg.dll
c:\windows\system32\IfxWlxEN.dll
c:\program files\HPQ\IAM\Bin\ASChnl.dll
c:\program files\HPQ\IAM\Bin\ItMsg.dll

- - - - - - - > 'explorer.exe'(3616)
c:\program files\HPQ\IAM\Bin\SFSShell.dll
c:\program files\HPQ\IAM\bin\ItMsg.dll
c:\windows\system32\msi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\DllHost.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\HPQ\IAM\bin\asghost.exe
c:\windows\system32\msdtc.exe
c:\program files\Common Files\AOL\ACS\AOLAcsd.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\IFXSPMGT.exe
c:\windows\system32\IFXTCS.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\progra~1\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\ProtectTools\Embedded Security Software\PSDsrvc.EXE
c:\windows\system32\wdfmgr.exe
c:\windows\system32\mqsvc.exe
c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe
c:\windows\system32\mqtgsvc.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\ProtectTools\Embedded Security Software\PSDrt.exe
c:\windows\system32\wscntfy.exe
c:\program files\Common Files\Teleca Shared\Generic.exe
c:\program files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
.
**************************************************************************
.
Completion time: 2010-02-21  00:31:18 - machine was rebooted
ComboFix-quarantined-files.txt  2010-02-21 00:31
ComboFix2.txt  2010-02-18 00:47

Pre-Run: 17,715,023,872 bytes free
Post-Run: 17,701,199,872 bytes free

- - End Of File - - CF665D58AC6EB237F728909C10C7FEB3
Title: Re: Your system is infected! (Please help if you can)
Post by: evilfantasy on February 20, 2010, 05:42:04 PM
Please go to Jotti's malware scan (http://virusscan.jotti.org/)
(If more than one file needs to be scanned, they must be done separately and logs posted for each one.)

* Copy the file path in the below Code box:
Code:
c:\documents and settings\Administrator\Application Data\Adobe\Update\traykbd.dat
* At the upload site, click once inside the window next to Browse.
* Press Ctrl+V on the keyboard (both at the same time) to paste the file path into the window.
* Next click Submit file
* Your file will possibly be entered into a queue which normally takes less than a minute to clear.
* This will perform a scan across multiple different virus scanning engines.
* Important: Wait for all of the scanning engines to complete.
* Once the scan is finished, Copy and then Paste the link in the address bar into your next reply.
Title: Re: Your system is infected! (Please help if you can)
Post by: evilfantasy on February 20, 2010, 05:43:42 PM
Also, do you use any Norton software?

Quote
FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
Title: Re: Your system is infected! (Please help if you can)
Post by: KayleyBug on February 20, 2010, 05:48:25 PM
No, I'm not using any Norton software; I don't think I ever have on this laptop.
(Jotti's malware scan in progress)
Title: Re: Your system is infected! (Please help if you can)
Post by: KayleyBug on February 20, 2010, 05:54:40 PM
http://virusscan.jotti.org/en-gb/scanresult/fe6a9175644fc67b8bb3c3cf22614ddea05e1c44

Looks like VBA32 found SSCope.Trojan.Agent.084  :-\

Checked my add or remove programs, I definitely don't have Norton.
Title: Re: Your system is infected! (Please help if you can)
Post by: evilfantasy on February 20, 2010, 05:57:43 PM
1. Go to Start > Run > type Notepad.exe and click OK to open Notepad.
It must be Notepad, not Wordpad.
2. Copy the text in the below code box by highlighting all the text and pressing Ctrl+C

Code:
KillAll::

SecCenter::
{990F9400-4CEE-43EA-A83A-D013ADD8EA6E}

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Kbdgui"=-


3. Go to the Notepad window and click Edit > Paste
4. Then click File > Save
5. Name the file CFScript.txt - Save the file to your Desktop
6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!

(http://img249.imageshack.us/img249/1218/cfscript1.gif)

ComboFix will begin to execute, just follow the prompts.
After reboot (in case it asks to reboot), it will produce a log for you.
Post that log (Combofix.txt) in your next reply.

Note: Do not mouse-click ComboFix's window while it is running. That may cause your system to freeze.
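As an added illustration, not part of this thread and not ComboFix's own code, of why the helper singles out the Kbdgui entry and of the CFScript Registry:: syntax above: this Python script parses Run-key lines in the shape ComboFix prints in its "Reg Loading Points" section, flags entries whose target is not a normal executable image or lives in a user-writable profile folder, and emits the matching Registry:: block. The sample lines are constructed from the log posted earlier, and the two suspicion rules are my own triage heuristics, not ComboFix's.

```python
import re
from typing import Dict, List

# Constructed sample in the shape of ComboFix's "Reg Loading Points" section:
# REGEDIT4 syntax, one value per line, followed by "[yyyy-mm-dd size]" for the
# target file. The entries are copied from the log posted above in the thread.
SAMPLE_LOG = r"""
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2009-07-26 3883856]
"Kbdgui"="c:\documents and settings\Administrator\Application Data\Adobe\Update\traykbd.dat" [2010-02-16 123392]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LXCFCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\LXCFtime.dll" [2005-07-20 73728]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-04-01 1932568]
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(
    r'^"(?P<name>[^"]+)"="(?P<path>[^"]*)"'
    r"(?:\s+\[(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<size>\d+)\])?"
)

# Extensions a Run-key target normally has. ComboFix lists rundll32-loaded
# DLLs by the DLL path (see LXCFCATS above), so .dll is ordinary here.
EXPECTED_EXTENSIONS = (".exe", ".dll", ".com")
# Folders an ordinary user can write to. A loader parked there is a common
# rogue-AV pattern; traykbd.dat in this thread is the case in point.
USER_WRITABLE_MARKERS = ("\\application data\\", "\\local settings\\", "\\temp\\")


def parse_run_entries(text: str) -> List[Dict[str, str]]:
    """Return every value listed under a Run or RunOnce key as a dict."""
    entries: List[Dict[str, str]] = []
    current_key = ""
    for raw in text.splitlines():
        line = raw.strip()
        key_match = KEY_RE.match(line)
        if key_match:
            current_key = key_match.group("key")
            continue
        # Only autorun keys are of interest; skip values under anything else.
        if not current_key.lower().endswith(("\\run", "\\runonce")):
            continue
        value_match = VALUE_RE.match(line)
        if value_match:
            entry = value_match.groupdict()
            entry["key"] = current_key
            entries.append(entry)
    return entries


def suspicious_reasons(entry: Dict[str, str]) -> List[str]:
    """Heuristic triage of one autorun entry; an empty list means nothing odd."""
    reasons: List[str] = []
    path = entry["path"].lower()
    if not path.endswith(EXPECTED_EXTENSIONS):
        reasons.append("target is not a normal executable image")
    if any(marker in path for marker in USER_WRITABLE_MARKERS):
        reasons.append("target lives in a user-writable profile folder")
    return reasons


def build_cfscript(entries: List[Dict[str, str]]) -> str:
    """Emit a CFScript Registry:: block deleting the given values.

    Same syntax as the script in the thread: the key in square brackets,
    then "Name"=- for each value to delete.
    """
    by_key: Dict[str, List[str]] = {}
    for entry in entries:
        by_key.setdefault(entry["key"], []).append(entry["name"])
    lines = ["Registry::"]
    for key, names in by_key.items():
        lines.append(f"[{key}]")
        lines.extend(f'"{name}"=-' for name in names)
        lines.append("")
    return "\n".join(lines)


def triage(text: str) -> List[Dict[str, str]]:
    """Parse a log excerpt and keep only the entries that raise a reason."""
    return [e for e in parse_run_entries(text) if suspicious_reasons(e)]


if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        print(f'{e["name"]} -> {e["path"]} ({"; ".join(suspicious_reasons(e))})')
    print()
    print(build_cfscript(triage(SAMPLE_LOG)))
```

Run against the sample it flags only Kbdgui and prints the same Registry:: block the helper posted; the heuristics are a triage aid for reading the log, and a flagged file still needs a check such as the Jotti scan the helper asked for.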
Title: Re: Your system is infected! (Please help if you can)
Post by: KayleyBug on February 20, 2010, 06:17:26 PM
After re-booting, the IE icon was back on my desktop and IE had made itself the default browser, even though it was definitely set to Firefox before the re-boot! Is this anything to be concerned about?


ComboFix 10-02-20.03 - Kayley E R 21/02/2010   1:01.4.1 - x86
Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.895.375 [GMT 0:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Outdated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

(((((((((((((((((((((((((   Files Created from 2010-01-21 to 2010-02-21  )))))))))))))))))))))))))))))))
.

2010-02-20 18:24 . 2010-02-20 18:24   --------   d-----w-   c:\windows\system32\wbem\Repository
2010-02-19 22:30 . 2010-02-19 22:30   --------   d-----w-   c:\windows\system32\scripting
2010-02-19 22:30 . 2010-02-19 22:30   --------   d-----w-   c:\windows\l2schemas
2010-02-19 22:27 . 2010-02-19 22:31   --------   d-----w-   c:\windows\ServicePackFiles
2010-02-19 18:30 . 2004-08-04 00:56   116224   ----a-w-   c:\windows\system32\dllcache\xrxwiadr.dll
2010-02-19 18:30 . 2001-08-17 22:36   23040   ----a-w-   c:\windows\system32\dllcache\xrxwbtmp.dll
2010-02-19 18:30 . 2001-08-17 22:36   17408   ----a-w-   c:\windows\system32\dllcache\xrxscnui.dll
2010-02-19 18:30 . 2001-08-17 22:37   27648   ----a-w-   c:\windows\system32\dllcache\xrxftplt.exe
2010-02-19 18:30 . 2001-08-17 22:37   4608   ----a-w-   c:\windows\system32\dllcache\xrxflnch.exe
2010-02-19 18:29 . 2001-08-17 22:37   99865   ----a-w-   c:\windows\system32\dllcache\xlog.exe
2010-02-19 18:29 . 2001-08-17 12:11   16970   ----a-w-   c:\windows\system32\dllcache\xem336n5.sys
2010-02-19 18:29 . 2004-08-03 22:29   19455   ----a-w-   c:\windows\system32\dllcache\wvchntxx.sys
2010-02-19 18:29 . 2004-08-03 22:29   12063   ----a-w-   c:\windows\system32\dllcache\wsiintxx.sys
2010-02-19 18:29 . 2004-08-03 22:31   154624   ----a-w-   c:\windows\system32\dllcache\wlluc48.sys
2010-02-19 18:29 . 2001-08-17 12:12   34890   ----a-w-   c:\windows\system32\dllcache\wlandrv2.sys
2010-02-19 18:27 . 2001-08-17 12:13   19528   ----a-w-   c:\windows\system32\dllcache\w840nd.sys
2010-02-19 18:26 . 2001-08-17 13:28   793598   ----a-w-   c:\windows\system32\dllcache\usr1806.sys
2010-02-19 18:25 . 2001-08-17 22:36   216064   ----a-w-   c:\windows\system32\dllcache\um34scan.dll
2010-02-19 18:24 . 2001-08-17 14:02   230912   ----a-w-   c:\windows\system32\dllcache\tosdvd03.sys
2010-02-19 18:23 . 2001-08-17 14:07   32640   ----a-w-   c:\windows\system32\dllcache\symc8xx.sys
2010-02-19 18:22 . 2001-08-17 12:11   48736   ----a-w-   c:\windows\system32\dllcache\srwlnd5.sys
2010-02-19 18:21 . 2004-08-04 13:00   40448   ----a-w-   c:\windows\system32\dllcache\snmpthrd.dll
2010-02-19 18:20 . 2001-08-17 12:12   91294   ----a-w-   c:\windows\system32\dllcache\skfpwin.sys
2010-02-19 18:19 . 2001-07-21 14:29   161568   ----a-w-   c:\windows\system32\dllcache\sgsmusb.sys
2010-02-19 18:18 . 2001-08-17 13:51   23936   ----a-w-   c:\windows\system32\dllcache\sccmn50m.sys
2010-02-19 18:17 . 2004-08-04 13:00   79872   ----a-w-   c:\windows\system32\dllcache\rwia330.dll
2010-02-19 18:16 . 2001-08-17 13:28   899146   ----a-w-   c:\windows\system32\dllcache\r2mdkxga.sys
2010-02-19 18:15 . 2001-08-17 13:51   16128   ----a-w-   c:\windows\system32\dllcache\pscr.sys
2010-02-19 18:14 . 2001-08-17 22:36   86016   ----a-w-   c:\windows\system32\dllcache\pctspk.exe
2010-02-19 18:13 . 2001-08-17 14:05   48000   ----a-w-   c:\windows\system32\dllcache\ovcam2.sys
2010-02-19 18:12 . 2001-08-17 12:20   87040   ----a-w-   c:\windows\system32\dllcache\nm6wdm.sys
2010-02-19 18:12 . 2001-08-17 12:20   126080   ----a-w-   c:\windows\system32\dllcache\nm5a2wdm.sys
2010-02-19 18:12 . 2004-08-04 13:00   53248   ----a-w-   c:\windows\system32\dllcache\nextlink.dll
2010-02-19 18:12 . 2001-08-17 12:12   32840   ----a-w-   c:\windows\system32\dllcache\ngrpci.sys
2010-02-19 18:12 . 2004-08-03 22:31   132695   ----a-w-   c:\windows\system32\dllcache\netwlan5.sys
2010-02-19 18:12 . 2001-08-17 12:11   65278   ----a-w-   c:\windows\system32\dllcache\netflx3.sys
2010-02-19 18:12 . 2001-08-17 12:50   39264   ----a-w-   c:\windows\system32\dllcache\neo20xx.sys
2010-02-19 18:12 . 2001-08-17 22:36   60480   ----a-w-   c:\windows\system32\dllcache\neo20xx.dll
2010-02-19 18:12 . 2001-08-17 13:49   15872   ----a-w-   c:\windows\system32\dllcache\ne2000.sys
2010-02-19 18:11 . 2001-08-17 14:56   91488   ----a-w-   c:\windows\system32\dllcache\n9i3disp.dll
2010-02-19 18:11 . 2001-08-17 12:50   27936   ----a-w-   c:\windows\system32\dllcache\n9i3d.sys
2010-02-19 18:11 . 2001-08-17 12:50   33088   ----a-w-   c:\windows\system32\dllcache\n9i128v2.sys
2010-02-19 18:11 . 2001-08-17 22:36   59104   ----a-w-   c:\windows\system32\dllcache\n9i128v2.dll
2010-02-19 18:11 . 2001-08-17 12:50   13664   ----a-w-   c:\windows\system32\dllcache\n9i128.sys
2010-02-19 18:11 . 2001-08-17 14:56   35392   ----a-w-   c:\windows\system32\dllcache\n9i128.dll
2010-02-19 18:11 . 2001-08-17 12:11   128000   ----a-w-   c:\windows\system32\dllcache\n100325.sys
2010-02-19 18:09 . 2001-08-17 14:02   35200   ----a-w-   c:\windows\system32\dllcache\msgame.sys
2010-02-19 18:08 . 2001-08-17 22:36   47616   ----a-w-   c:\windows\system32\dllcache\memgrp.dll
2010-02-19 18:07 . 2001-08-17 12:12   20573   ----a-w-   c:\windows\system32\dllcache\lne100.sys
2010-02-19 18:06 . 2001-08-17 12:12   45632   ----a-w-   c:\windows\system32\dllcache\ip5515.sys
2010-02-19 18:05 . 2001-08-17 22:36   26624   ----a-w-   c:\windows\system32\dllcache\icam3ext.dll
2010-02-19 18:04 . 2001-08-17 13:28   488383   ----a-w-   c:\windows\system32\dllcache\hsf_v124.sys
2010-02-19 18:03 . 2001-08-17 22:36   31232   ----a-w-   c:\windows\system32\dllcache\hpgt42tk.dll
2010-02-19 18:02 . 2001-08-17 12:49   320384   ----a-w-   c:\windows\system32\dllcache\g200m.sys
2010-02-19 18:01 . 2001-08-17 12:12   16074   ----a-w-   c:\windows\system32\dllcache\fa312nd5.sys
2010-02-19 18:00 . 2001-08-17 12:19   283904   ----a-w-   c:\windows\system32\dllcache\emu10k1m.sys
2010-02-19 17:59 . 2001-08-17 12:11   29696   ----a-w-   c:\windows\system32\dllcache\dm9pci5.sys
2010-02-19 17:58 . 2001-08-17 13:52   14720   ----a-w-   c:\windows\system32\dllcache\dac960nt.sys
2010-02-19 17:57 . 2004-08-04 13:00   15872   ----a-w-   c:\windows\system32\dllcache\chgport.exe
2010-02-19 17:56 . 2001-08-17 13:51   13824   ----a-w-   c:\windows\system32\dllcache\bulltlp3.sys
2010-02-19 17:55 . 2004-08-03 22:29   104960   ----a-w-   c:\windows\system32\dllcache\atinrvxx.sys
2010-02-19 17:54 . 2004-08-03 22:32   231552   ----a-w-   c:\windows\system32\dllcache\ac97ali.sys
2010-02-19 17:53 . 2003-03-24 16:52   49210   ----a-w-   c:\windows\system32\dllcache\fp4areg.dll
2010-02-19 17:53 . 2003-03-24 16:52   147513   ----a-w-   c:\windows\system32\dllcache\fp4apws.dll
2010-02-19 17:53 . 2003-03-24 16:52   102509   ----a-w-   c:\windows\system32\dllcache\fp4atxt.dll
2010-02-19 17:53 . 2004-05-13 00:39   184435   ----a-w-   c:\windows\system32\dllcache\fp4amsft.dll
2010-02-19 17:53 . 2003-03-24 16:52   82035   ----a-w-   c:\windows\system32\dllcache\fp4anscp.dll
2010-02-19 17:53 . 2004-08-04 13:00   46592   ----a-w-   c:\windows\system32\dllcache\coadmin.dll
2010-02-19 17:53 . 2003-03-24 16:52   188480   ----a-w-   c:\windows\system32\dllcache\cfgwiz.exe
2010-02-19 17:53 . 2003-03-24 16:52   20540   ----a-w-   c:\windows\system32\dllcache\author.dll
2010-02-19 17:53 . 2003-03-24 16:52   16439   ----a-w-   c:\windows\system32\dllcache\author.exe
2010-02-19 17:53 . 2004-08-04 13:00   43520   ----a-w-   c:\windows\system32\dllcache\admwprox.dll
2010-02-19 17:53 . 2004-08-04 13:00   290816   ----a-w-   c:\windows\system32\dllcache\adsiis51.dll
2010-02-19 17:53 . 2003-03-24 16:52   16439   ----a-w-   c:\windows\system32\dllcache\admin.exe
2010-02-19 17:53 . 2003-03-24 16:52   20540   ----a-w-   c:\windows\system32\dllcache\admin.dll
2010-02-18 19:18 . 2010-02-18 19:18   --------   d-----w-   C:\_OTM
2010-02-18 01:43 . 2009-06-30 09:37   28552   ----a-w-   c:\windows\system32\drivers\pavboot.sys
2010-02-18 01:43 . 2010-02-18 01:43   --------   d-----w-   c:\program files\Panda Security
2010-02-18 01:09 . 2010-02-18 01:09   --------   d-----w-   c:\program files\ESET
2010-02-15 23:26 . 2010-02-15 23:26   52224   ----a-w-   c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-02-15 23:26 . 2010-02-15 23:26   117760   ----a-w-   c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-02-15 23:25 . 2010-02-15 23:25   --------   d-----w-   c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-02-15 23:25 . 2010-02-15 23:25   --------   d-----w-   c:\program files\SUPERAntiSpyware
2010-02-15 23:25 . 2010-02-15 23:25   --------   d-----w-   c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2010-02-15 22:38 . 2010-02-15 22:38   --------   d-----w-   c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-02-15 22:37 . 2010-01-07 16:07   38224   ----a-w-   c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-15 22:37 . 2010-02-15 22:37   --------   d-----w-   c:\documents and settings\All Users\Application Data\Malwarebytes
2010-02-15 22:37 . 2010-01-07 16:07   19160   ----a-w-   c:\windows\system32\drivers\mbam.sys
2010-02-15 22:37 . 2010-02-15 22:38   --------   d-----w-   c:\program files\Malwarebytes' Anti-Malware
2010-02-15 22:23 . 2010-02-15 22:23   --------   d-----w-   c:\program files\Trend Micro
2010-02-15 19:28 . 2010-02-15 19:28   552   ----a-w-   c:\windows\system32\d3d8caps.dat
2010-02-15 18:13 . 2010-02-15 18:13   --------   d-----w-   c:\documents and settings\Administrator\Application Data\AVG8

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-19 22:36 . 2004-08-07 13:12   91799   ----a-w-   c:\windows\pchealth\helpctr\OfflineCache\index.dat
2010-02-19 17:42 . 2009-08-09 14:42   0   ----a-w-   c:\documents and settings\Administrator\Local Settings\Application Data\prvlcl.dat
2010-02-16 00:16 . 2009-05-17 14:44   --------   d-----w-   c:\program files\Xvid
2010-02-16 00:16 . 2007-12-03 15:32   --------   d-----w-   c:\program files\USB Disk Win98 Driver
2010-02-16 00:16 . 2006-07-11 06:12   --------   d-----w-   c:\program files\Windows Media Connect
2010-02-15 23:24 . 2010-01-17 12:44   --------   d-----w-   c:\program files\Common Files\Wise Installation Wizard
2010-02-15 23:13 . 2008-10-05 14:53   --------   d-----w-   c:\documents and settings\All Users\Application Data\rspgjclg
2010-02-10 14:52 . 2007-01-09 11:46   --------   d-----w-   c:\program files\Lx_cats
2010-01-17 12:46 . 2010-01-17 12:46   4   --sh--r-   c:\documents and settings\All Users\Application Data\sysqcl1129139270.dat
2010-01-14 11:12 . 2009-10-04 16:01   181120   ------w-   c:\windows\system32\MpSigStub.exe
2010-01-09 19:53 . 2008-07-31 11:38   --------   d-----w-   c:\program files\Windows Live Safety Center
2009-05-01 21:02 . 2009-05-01 21:02   1044480   ----a-w-   c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-01 21:02 . 2009-05-01 21:02   200704   ----a-w-   c:\program files\mozilla firefox\plugins\ssldivx.dll
.

------- Sigcheck -------

.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2009-07-26 3883856]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WatchDog"="c:\program files\InterVideo\DVD Check\DVDCheck.exe" [2006-03-31 184320]
"LXCFCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\LXCFtime.dll" [2005-07-20 73728]
"Sony Ericsson PC Suite"="c:\program files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2007-03-28 593920]
"USB Storage Toolbox"="c:\windows\UMStor\Res.EXE" [2005-09-14 65536]
"ACQTMOUSE"="c:\program files\Multi-Direction Opitcal Mouse\Multi-Direction Opitcal Mouse\2.0\ACQTMAPP.exe" [2006-12-27 489984]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-03-28 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-03-30 267048]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-04-01 1932568]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-03 866584]
"TrayServer"="c:\program files\MAGIX\Movie_Edit_Pro_15_Download_version\TrayServer.exe" [2008-11-13 90112]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"IMEKRMIG6.1"="c:\windows\ime\imkr6_1\IMEKRMIG.EXE" [2004-08-04 44032]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]

c:\documents and settings\Administrator\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
AOL 9.0 Tray Icon.lnk - c:\program files\AOL 9.0a\aoltray.exe [2007-2-4 156784]
DVD Check.lnk - c:\program files\InterVideo\DVD Check\DVDCheck.exe [2006-10-4 184320]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 14:21   548352   ----a-w-   c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-04-01 11:34   10520   ----a-w-   c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IfxWlxEN]
2006-03-03 15:08   434176   ----a-w-   c:\windows\system32\IfxWlxEN.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\OneCard]
2005-07-25 18:41   40960   ----a-w-   c:\program files\HPQ\IAM\Bin\AsWlnPkg.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\mqsvc.exe"=
"c:\\WINDOWS\\SMINST\\Scheduler.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\AOL 9.0\\waol.exe"=
"c:\\Program Files\\AOL\\RC\\regClient.exe"=
"c:\\Program Files\\AOL 9.0a\\waol.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [18/02/2010 01:43 28552]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [01/04/2009 11:34 325640]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [01/04/2009 11:34 108552]
R1 PersonalSecureDrive;PersonalSecureDrive;c:\windows\system32\drivers\psd.sys [29/11/2005 16:56 36768]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [05/01/2010 07:56 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [05/01/2010 07:56 74480]
R2 ASChannel;Local Communication Channel;c:\windows\System32\svchost.exe -k Cognizance [04/08/2004 08:00 14336]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [01/04/2009 11:33 298264]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [03/11/2006 18:19 13592]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [21/10/2005 11:19 36352]
S3 FirebirdServerMAGIXInstance;Firebird Server - MAGIX Instance;c:\program files\MAGIX\Common\Database\bin\fbserver.exe [16/05/2009 15:03 1527900]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [05/01/2010 07:56 7408]
S3 z520bus;Sony Ericsson 520 driver (WDM);c:\windows\system32\drivers\z520bus.sys [26/07/2005 10:13 57648]
S3 z520mdfl;Sony Ericsson 520 USB WMC Modem Filter;c:\windows\system32\drivers\z520mdfl.sys [26/09/2007 13:34 8336]
S3 z520mdm;Sony Ericsson 520 USB WMC Modem Drivers;c:\windows\system32\drivers\z520mdm.sys [26/09/2007 13:34 93488]
S3 z520mgmt;Sony Ericsson 520 USB WMC Device Management Drivers;c:\windows\system32\drivers\z520mgmt.sys [26/09/2007 13:35 84928]
S3 z520obex;Sony Ericsson 520 USB WMC OBEX Interface Drivers;c:\windows\system32\drivers\z520obex.sys [26/09/2007 13:34 82864]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Cognizance   REG_MULTI_SZ      ASChannel
.
Contents of the 'Scheduled Tasks' folder

2010-02-21 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 18:20]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.hp.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = hxxp://www.hp.com/
uInternet Settings,ProxyServer = 127.0.0.1:8080
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &AOL Toolbar search - c:\program files\AOL Toolbar\toolbar.dll/SEARCH.HTML
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
DPF: {F8C5C0F1-D884-43EB-A5A0-9E1C4A102FA8} - hxxps://secure.gopetslive.com/dev/GoPetsWeb.cab
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\dlbu8v23.default\
FF - plugin: c:\program files\Common Files\ParallelGraphics\Cortona\npCortona.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-21 01:10
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ... 

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
  LXCFCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\LXCFtime.dll,[email protected]???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ... 

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(900)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\Ati2evxx.dll
c:\program files\HPQ\IAM\Bin\AsWlnPkg.dll
c:\windows\system32\IfxWlxEN.dll
c:\program files\HPQ\IAM\Bin\ASChnl.dll
c:\program files\HPQ\IAM\Bin\ItMsg.dll

- - - - - - - > 'explorer.exe'(432)
c:\program files\HPQ\IAM\Bin\SFSShell.dll
c:\program files\HPQ\IAM\bin\ItMsg.dll
c:\windows\system32\msi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\DllHost.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\HPQ\IAM\bin\asghost.exe
c:\windows\system32\msdtc.exe
c:\program files\Common Files\AOL\ACS\AOLAcsd.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\IFXSPMGT.exe
c:\windows\system32\IFXTCS.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\ProtectTools\Embedded Security Software\PSDsrvc.EXE
c:\progra~1\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\mqsvc.exe
c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe
c:\windows\system32\mqtgsvc.exe
c:\windows\system32\wscntfy.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\ProtectTools\Embedded Security Software\PSDrt.exe
c:\program files\Common Files\Teleca Shared\Generic.exe
c:\program files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
.
**************************************************************************
.
Completion time: 2010-02-21  01:15:42 - machine was rebooted
ComboFix-quarantined-files.txt  2010-02-21 01:15
ComboFix2.txt  2010-02-21 00:31
ComboFix3.txt  2010-02-18 00:47

Pre-Run: 17,696,894,976 bytes free
Post-Run: 17,673,748,480 bytes free

- - End Of File - - 464D16A82B2D35E9C2BCA84967086EA8
Title: Re: Your system is infected! (Please help if you can)
Post by: evilfantasy on February 20, 2010, 06:24:53 PM
Quote
After re-booting, the IE icon was back on my desktop and IE had made itself the default browser, even though it was definitely set to Firefox before the re-boot! Is this anything to be concerned about?

ComboFix sets IE as the default but I don't know why the icon keeps coming back. I don't think I've ever seen that before.

Let's see if it might be something malicious.


ESET Online Scan

Scan your computer with the ESET FREE Online Virus Scan (http://eset.com/onlinescan)

* Click the ESET Online Scanner button.

* For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
* Click on the esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop
* Double click on the esetsmartinstaller_enu.exe icon on your desktop.
* Place a check mark next to YES, I accept the Terms of Use.

* Click the Start button.
* Accept any security warnings from your browser.
* Leave the check mark next to Remove found threats and place a check next to Scan archives.
* Click the Start button.
* ESET will then download updates, install, and begin scanning your computer. Please be patient as this can take some time.
* When the scan completes, click List of found threats.
* Next click Export to text file and save the file to your desktop using a name such as ESETScan. Include the contents of this report in your next reply.
* Click the <<Back button then click Finish.

In your next reply please include the ESET Online Scan Log
Title: Re: Your system is infected! (Please help if you can)
Post by: KayleyBug on February 20, 2010, 06:52:35 PM
ESET is running successfully (unlike last time I tried it, quite a few posts ago by now!).

As it's almost 2am here and it looks like the scan's going to take another hour at least, I'm going to set my laptop to hibernate in 3 hours and get the results to you tomorrow morning (about 4am your time).

Thank you so much for all your help and patience so far  :)
Title: Re: Your system is infected! (Please help if you can)
Post by: evilfantasy on February 20, 2010, 06:54:47 PM
Glad it's running. Things went horribly wrong with the other scanner we used...  :-\

Post the log whenever you get the time.

See you then.
Title: Re: Your system is infected! (Please help if you can)
Post by: KayleyBug on February 21, 2010, 03:07:55 AM
Good morning! ESET scanned 100597 files in 1 hour 42 mins - No threats found.

I'm going to update AVG and JAVA, then install OnlineArmor. If that goes well, I'll create a restore point and then get SP3, so I can just do a system restore if I get internet problems with it again.

I'll make sure everything's definitely sorted before de-fragmenting, here's a new Hijackthis log just to be safe :)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:07:40, on 21/02/2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\HPQ\IAM\bin\asghost.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\IFXSPMGT.exe
C:\WINDOWS\system32\IFXTCS.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\ProtectTools\Embedded Security Software\PSDsrvc.EXE
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\mqsvc.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
C:\WINDOWS\UMStor\Res.EXE
C:\Program Files\Multi-Direction Opitcal Mouse\Multi-Direction Opitcal Mouse\2.0\ACQTMAPP.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\ProtectTools\Embedded Security Software\PSDrt.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\lxcfcoms.exe
C:\Program Files\AVG\AVG8\avgupd.exe
C:\Program Files\Trend Micro\HijackThis\sniper.exe.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hp.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.hp.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: HP Credential Manager for ProtectTools - {DF21F1DB-80C6-11D3-9483-B03D0EC10000} - C:\Program Files\HPQ\IAM\Bin\ItIeAddIN.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O4 - HKLM\..\Run: [WatchDog] C:\Program Files\InterVideo\DVD Check\DVDCheck.exe
O4 - HKLM\..\Run: [LXCFCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCFtime.dll,[email protected]
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [USB Storage Toolbox] C:\WINDOWS\UMStor\Res.EXE
O4 - HKLM\..\Run: [ACQTMOUSE] "C:\Program Files\Multi-Direction Opitcal Mouse\Multi-Direction Opitcal Mouse\2.0\ACQTMAPP.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [trayServer] C:\Program Files\MAGIX\Movie_Edit_Pro_15_Download_version\TrayServer.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: AOL 9.0 Tray Icon.lnk = C:\Program Files\AOL 9.0a\aoltray.exe
O4 - Global Startup: DVD Check.lnk = C:\Program Files\InterVideo\DVD Check\DVDCheck.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.hp.com
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {2250C29C-C5E9-4F55-BE4E-01E45A40FCF1} (CMediaMix Object) - http://musicmix.messenger.msn.com/Medialogic.CAB
O16 - DPF: {4A85DBE0-BFB2-4119-8401-186A7C6EB653} - http://messenger.zone.msn.com/MessengerGamesContent/GameContent/Default/mjss/MJSS.cab109791.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by117fd.bay117.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-GB/a-UNO1/GAME_UNO1.cab
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - http://download.eset.com/special/eos/OnlineScanner.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
O16 - DPF: {F8C5C0F1-D884-43EB-A5A0-9E1C4A102FA8} (GoPetsWeb Control) - https://secure.gopetslive.com/dev/GoPetsWeb.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O20 - Winlogon Notify: OneCard - C:\Program Files\HPQ\IAM\Bin\AsWlnPkg.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Firebird Server - MAGIX Instance (FirebirdServerMAGIXInstance) - MAGIX® - C:\Program Files\MAGIX\Common\Database\bin\fbserver.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Security Platform Management Service (IFXSpMgtSrv) - Infineon Technologies AG - C:\WINDOWS\system32\IFXSPMGT.exe
O23 - Service: Trusted Platform Core Service (IFXTCS) - Infineon Technologies AG - C:\WINDOWS\system32\IFXTCS.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: lxcf_device -   - C:\WINDOWS\system32\lxcfcoms.exe
O23 - Service: PC Angel (PCA) - SoftThinks - C:\WINDOWS\SMINST\PCAngel.exe
O23 - Service: Personal Secure Drive Service (PersonalSecureDriveService) - Infineon Technologies AG - C:\Program Files\ProtectTools\Embedded Security Software\PSDsrvc.EXE

--
End of file - 10661 bytes
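One entry in the log above deserves a second look before the thread moves on to updates: `R1 - HKCU\...\Internet Settings,ProxyServer = 127.0.0.1:8080`. The same value appears in the ComboFix supplementary scan further up. A browser proxy that points back at the local machine, on a home laptop that runs no proxy software, is a common leftover of browser-hijacking rogue antivirus (it matches the original symptom of security sites "closing" the browser), and neither log shows a ProxyEnable value, so the entry alone does not tell you whether IE is still routing through it. On the machine itself the check is `reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyEnable` and `netstat -ano` to see whether anything still listens on port 8080; if nothing does, the value can be cleared from Internet Options > Connections > LAN settings.

The script below is an added example for this thread, not a tool the thread used or any tool's own code: it parses the R1, O4 and O16 lines of a HijackThis 2.0 log and flags a loopback proxy, Run entries that load a DLL through rundll32, and ActiveX (DPF) downloads from hosts outside an allowlist. The allowlist is an assumption chosen for illustration, the flags are review hints rather than verdicts (the rundll32 entry here is a Lexmark printer DLL), and the sample log is constructed from lines copied from the post above.

```python
"""Triage helper for HijackThis 2.0 logs.

Added example for this thread, not a tool the thread used: it reads the
R1, O4 and O16 lines a responder scans first after a rogue-antivirus
cleanup and flags (1) a browser proxy pointing back at the local machine,
(2) Run entries that load a DLL through rundll32, and (3) ActiveX (DPF)
downloads from hosts outside a small allowlist. Flags are review hints,
not verdicts. TRUSTED_DPF_HOSTS and SAMPLE_LOG are constructed here; the
sample lines are copied from the log posted above.
"""
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed allowlist (an assumption for this example): DPF hosts accepted without review.
TRUSTED_DPF_HOSTS = ("microsoft.com", "msn.com", "eset.com")

# HijackThis line shapes this script understands.
R1_PROXY = re.compile(r"^R1 - .*Internet Settings,ProxyServer = (?P<proxy>\S+)$")
O4_RUN = re.compile(r"^O4 - (?P<hive>\S+)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
O16_DPF = re.compile(r"^O16 - DPF: \{(?P<clsid>[0-9A-Fa-f-]+)\}(?: \((?P<desc>[^)]*)\))? - (?P<url>\S+)$")
LOOPBACK = re.compile(r"^(127\.\d{1,3}\.\d{1,3}\.\d{1,3}|localhost)(:\d+)?$", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    kind: str    # "local-proxy", "rundll32-run" or "dpf-unknown-host"
    detail: str  # the value that triggered the flag


def proxy_is_loopback(proxy: str) -> bool:
    """True if any target in a WinINet ProxyServer value is this machine.

    Handles both 'host:port' and the per-protocol form
    'http=host:port;https=host:port'.
    """
    for part in proxy.split(";"):
        target = part.split("=", 1)[-1]
        if LOOPBACK.match(target):
            return True
    return False


def host_is_trusted(url: str) -> bool:
    """True if the URL's host is one of, or a subdomain of, the allowlist."""
    host = (urlsplit(url).hostname or "").lower()
    return any(host == h or host.endswith("." + h) for h in TRUSTED_DPF_HOSTS)


def triage_hjt(log_text: str) -> list:
    """Return the findings for one HijackThis log, in log order."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = R1_PROXY.match(line)
        if m:
            if proxy_is_loopback(m.group("proxy")):
                findings.append(Finding("local-proxy", m.group("proxy")))
            continue
        m = O4_RUN.match(line)
        if m:
            # rundll32 hides the real code behind a DLL export; worth a look, not a verdict.
            if m.group("cmd").lower().startswith("rundll32"):
                findings.append(Finding("rundll32-run", f"{m.group('name')}: {m.group('cmd')}"))
            continue
        m = O16_DPF.match(line)
        if m and not host_is_trusted(m.group("url")):
            findings.append(Finding("dpf-unknown-host", m.group("url")))
    return findings


# Constructed sample: lines copied from the HijackThis log posted above.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hp.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080
O4 - HKLM\..\Run: [LXCFCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCFtime.dll,[email protected]
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - http://download.eset.com/special/eos/OnlineScanner.cab
O16 - DPF: {F8C5C0F1-D884-43EB-A5A0-9E1C4A102FA8} (GoPetsWeb Control) - https://secure.gopetslive.com/dev/GoPetsWeb.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1266759427500
"""

if __name__ == "__main__":
    for f in triage_hjt(SAMPLE_LOG):
        print(f"{f.kind:18} {f.detail}")
```

Run against the sample it reports the loopback proxy, the LXCFCATS rundll32 entry and the gopetslive.com download; the ESET and Windows Update controls pass the allowlist. Feed it a full saved HijackThis log with `triage_hjt(open("hijackthis.log").read())`. The point of the allowlist design is that O16 entries are arbitrary code the browser was once told to download, so anything not from a vendor you recognise is reviewed rather than assumed benign.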
Title: Re: Your system is infected! (Please help if you can)
Post by: KayleyBug on February 21, 2010, 05:37:01 AM
I got as far as installing Online Armor, there are lots of 'unknown' programs it's asking me to allow/block, however there is one 'untrusted' that I'm unable to find information about -

ACQTMAPP.exe (which is named Tilt Mouse Program).

Should I block this?
Title: Re: Your system is infected! (Please help if you can)
Post by: evilfantasy on February 21, 2010, 11:15:45 AM
Looks like it is not malicious. http://www.threatexpert.com/files/acqtmapp.exe.html
Title: Re: Your system is infected! (Please help if you can)
Post by: KayleyBug on February 21, 2010, 04:06:03 PM
I've installed SP3 and 85 other Microsoft updates (and turned on automatic updates, so the next instalment should be much smaller!!)

Updated AVG and Java, and got OnlineArmor set up.

Here's a new HijackThis log, in case there's anything still lurking around.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:01:31, on 21/02/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16981)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Tall Emu\Online Armor\OAcat.exe
C:\Program Files\Tall Emu\Online Armor\oasrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\HPQ\IAM\bin\asghost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\IFXSPMGT.exe
C:\WINDOWS\system32\IFXTCS.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\ProtectTools\Embedded Security Software\PSDsrvc.EXE
C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
C:\WINDOWS\UMStor\Res.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Multi-Direction Opitcal Mouse\Multi-Direction Opitcal Mouse\2.0\ACQTMAPP.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\mqsvc.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Tall Emu\Online Armor\oaui.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Tall Emu\Online Armor\OAhlp.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\ProtectTools\Embedded Security Software\PSDrt.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\Program Files\Trend Micro\HijackThis\sniper.exe.exe
C:\WINDOWS\system32\wuauclt.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hp.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.hp.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: HP Credential Manager for ProtectTools - {DF21F1DB-80C6-11D3-9483-B03D0EC10000} - C:\Program Files\HPQ\IAM\Bin\ItIeAddIN.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O4 - HKLM\..\Run: [WatchDog] C:\Program Files\InterVideo\DVD Check\DVDCheck.exe
O4 - HKLM\..\Run: [LXCFCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCFtime.dll,[email protected]
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [USB Storage Toolbox] C:\WINDOWS\UMStor\Res.EXE
O4 - HKLM\..\Run: [ACQTMOUSE] "C:\Program Files\Multi-Direction Opitcal Mouse\Multi-Direction Opitcal Mouse\2.0\ACQTMAPP.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [trayServer] C:\Program Files\MAGIX\Movie_Edit_Pro_15_Download_version\TrayServer.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [@OnlineArmor GUI] "C:\Program Files\Tall Emu\Online Armor\oaui.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: AOL 9.0 Tray Icon.lnk = C:\Program Files\AOL 9.0a\aoltray.exe
O4 - Global Startup: DVD Check.lnk = C:\Program Files\InterVideo\DVD Check\DVDCheck.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.hp.com
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {2250C29C-C5E9-4F55-BE4E-01E45A40FCF1} (CMediaMix Object) - http://musicmix.messenger.msn.com/Medialogic.CAB
O16 - DPF: {4A85DBE0-BFB2-4119-8401-186A7C6EB653} - http://messenger.zone.msn.com/MessengerGamesContent/GameContent/Default/mjss/MJSS.cab109791.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by117fd.bay117.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-GB/a-UNO1/GAME_UNO1.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1266759427500
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1266760712406
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - http://download.eset.com/special/eos/OnlineScanner.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
O16 - DPF: {F8C5C0F1-D884-43EB-A5A0-9E1C4A102FA8} (GoPetsWeb Control) - https://secure.gopetslive.com/dev/GoPetsWeb.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O20 - Winlogon Notify: OneCard - C:\Program Files\HPQ\IAM\Bin\AsWlnPkg.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Firebird Server - MAGIX Instance (FirebirdServerMAGIXInstance) - MAGIX® - C:\Program Files\MAGIX\Common\Database\bin\fbserver.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Security Platform Management Service (IFXSpMgtSrv) - Infineon Technologies AG - C:\WINDOWS\system32\IFXSPMGT.exe
O23 - Service: Trusted Platform Core Service (IFXTCS) - Infineon Technologies AG - C:\WINDOWS\system32\IFXTCS.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: lxcf_device -   - C:\WINDOWS\system32\lxcfcoms.exe
O23 - Service: Online Armor Helper Service (OAcat) - Tall Emu - C:\Program Files\Tall Emu\Online Armor\OAcat.exe
O23 - Service: PC Angel (PCA) - SoftThinks - C:\WINDOWS\SMINST\PCAngel.exe
O23 - Service: Personal Secure Drive Service (PersonalSecureDriveService) - Infineon Technologies AG - C:\Program Files\ProtectTools\Embedded Security Software\PSDsrvc.EXE
O23 - Service: Online Armor (SvcOnlineArmor) - Tall Emu - C:\Program Files\Tall Emu\Online Armor\oasrv.exe

--
End of file - 12175 bytes
Title: Re: Your system is infected! (Please help if you can)
Post by: evilfantasy on February 21, 2010, 04:22:19 PM
Looks okay. You can cut down on some of your unnecessary startups.


Download StartUp 1.3 (http://majorgeeks.com/StartUp_d4436.html)

* Open StartUp 1.3 and you will see a list of your startups.
* Right click any startup you do not want and choose Remove
* Once complete choose Apply then Exit

----------

If you don't use Voice Input you can turn that off. What is CTFMON.EXE and How Can I Remove It (http://www.computerhope.com/forum/index.php/topic,67445.0.html)

----------

Also this.

Download Disable/Remove Windows Messenger (http://www.majorgeeks.com/DisableRemove_Windows_Messenger_d2327.html) to the desktop to remove Windows Messenger.

Do not confuse Windows Messenger with MSN Messenger or Windows Live Messenger because they are not the same. Windows Messenger is a frequent cause of popups.

Unzip the file on the desktop. Open the MessengerDisable.exe and choose the bottom box - Uninstall Windows Messenger and click Apply.

Exit out of MessengerDisable then delete the two files that were put on the desktop.
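As an added example (not from this thread, and not part of HijackThis or any of the tools linked above), the script below parses O4 and O23 lines in the format shown in the log and flags the entries worth a second look before you start removing startups: an executable sitting in a user-writable folder such as Temp or Local Settings, a well-known system binary name (svchost.exe and friends) running from outside the Windows folder, a service with a blank vendor field, and an unquoted Run command whose path contains spaces. The sample lines are constructed to mimic the log; the `updater` entry pointing at a Temp\svchost.exe is invented for illustration and does not appear in the poster's log. The folder list and the system-binary list are my own heuristics, not HijackThis rules.

```python
from __future__ import annotations

import re
import sys
from dataclasses import dataclass, field

# Constructed sample in HijackThis O4/O23 format, modelled on the log in this
# thread. The "updater" line is INVENTED to show what a flagged entry looks
# like; it is not from the poster's machine.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - Global Startup: AOL 9.0 Tray Icon.lnk = C:\Program Files\AOL 9.0a\aoltray.exe
O4 - HKCU\..\Run: [updater] C:\Documents and Settings\Owner\Local Settings\Temp\svchost.exe
O23 - Service: lxcf_device -   - C:\WINDOWS\system32\lxcfcoms.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
"""

# Heuristics (assumptions, not HijackThis rules): folders a limited user can
# write to, and binary names malware likes to borrow from the OS.
USER_WRITABLE = ('\\temp\\', '\\local settings\\', '\\application data\\',
                 '\\documents and settings\\', '\\users\\', '\\appdata\\', '\\recycler\\')
SYSTEM_NAMES = {'svchost.exe', 'lsass.exe', 'csrss.exe', 'winlogon.exe',
                'explorer.exe', 'services.exe', 'smss.exe'}

RUN_RE = re.compile(r'^O4 - (.+?)\\\.\.\\Run: \[([^\]]*)\] (.*)$')
FOLDER_RE = re.compile(r'^O4 - ((?:Global )?Startup): (.+?) = (.*)$')
SVC_RE = re.compile(r'^O23 - Service: (.+) - (.*?) - ([A-Za-z]:\\.+)$')


@dataclass
class Entry:
    kind: str            # 'O4-registry', 'O4-folder' or 'O23'
    name: str            # hive:value name, .lnk name, or service display name
    path: str            # executable path with quotes and arguments stripped
    vendor: str = ''     # O23 company string ('' when HijackThis shows none)
    quoted: bool = False # was the Run command quoted?
    flags: list = field(default_factory=list)


def exe_path(command: str) -> tuple[str, bool]:
    """Split a Run command into (executable path, was_quoted), dropping arguments
    and HijackThis suffixes such as (User 'SYSTEM')."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end], True
    m = re.match(r'(.+?\.(?:exe|dll|com|scr|bat|cmd|pif))(?=\s|$)', command, re.I)
    return (m.group(1) if m else command.split(' /')[0]), False


def flags_for(e: Entry) -> list:
    low = e.path.lower()
    out = []
    if any(tok in low for tok in USER_WRITABLE):
        out.append('user-writable location')
    if low.rsplit('\\', 1)[-1] in SYSTEM_NAMES and not low.startswith('c:\\windows\\'):
        out.append('system binary name outside %WINDIR%')
    if e.kind == 'O23' and not e.vendor:
        out.append('no vendor string')
    if e.kind == 'O4-registry' and not e.quoted and ' ' in e.path:
        out.append('unquoted path with spaces')
    return out


def parse_log(text: str) -> list:
    """Parse O4/O23 lines into Entry objects and attach triage flags."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if m := RUN_RE.match(line):
            path, quoted = exe_path(m.group(3))
            entries.append(Entry('O4-registry', f'{m.group(1)}:{m.group(2)}', path, quoted=quoted))
        elif m := FOLDER_RE.match(line):
            path, _ = exe_path(m.group(3))
            entries.append(Entry('O4-folder', m.group(2), path))
        elif m := SVC_RE.match(line):
            path, _ = exe_path(m.group(3))
            entries.append(Entry('O23', m.group(1), path, vendor=m.group(2).strip()))
    for e in entries:
        e.flags = flags_for(e)
    return entries


def suspicious(text: str) -> list:
    """Only the entries that tripped at least one heuristic."""
    return [e for e in parse_log(text) if e.flags]


if __name__ == '__main__':
    # Usage: python triage.py hijackthis.log  (falls back to the sample above)
    text = open(sys.argv[1], encoding='utf-8', errors='replace').read() if len(sys.argv) > 1 else SAMPLE_LOG
    for e in suspicious(text):
        print(f'{e.kind:12} {e.name:28} {e.path}\n    -> {", ".join(e.flags)}')
```

A flag is a reason to look closer (check the file's properties, hash it, search the vendor name), not proof of infection: a legitimate printer service with a blank vendor field, like the lxcf_device entry in the log above, will trip the "no vendor string" check too.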
Title: Re: Your system is infected! (Please help if you can)
Post by: KayleyBug on February 21, 2010, 04:45:19 PM
All of the above now completed :) Am I done?

Could you recommend which anti-virus I should run in future? Currently I run AdAware and Spybot every month or so and just delete anything they flag. Do you recommend I continue this, or should I use a different program, bearing in mind that I'll just delete everything they warn me against?  :)
Title: Re: Your system is infected! (Please help if you can)
Post by: evilfantasy on February 21, 2010, 04:49:24 PM
I would get rid of AdAware and use MBAM and SAS instead. Unless you buy any of them, the real-time protection is pretty useless.

AVG should be fine for your antivirus.
Title: Re: Your system is infected! (Please help if you can)
Post by: KayleyBug on February 21, 2010, 04:52:16 PM
Ok :)

Wow, thank you so much for all your help, I'm really really grateful for all the time and patience you've put in to helping me! I thought my laptop was done for but now it's saved! I can't thank you enough :D
Title: Re: Your system is infected! (Please help if you can)
Post by: evilfantasy on February 21, 2010, 04:55:08 PM
You're welcome. 8)