
Author Topic: Your system is infected! (Please help if you can)  (Read 38540 times)


KayleyBug

    Topic Starter


    Beginner

    Your system is infected! (Please help if you can)
    « on: February 16, 2010, 02:24:48 AM »
    My laptop suddenly acquired a virus which I think I got when my friend used it and opened a song attached to an email she had. Many programs won't open or run, for example Paint won't work but Word will open.
    Some sites make the internet close itself, for example AVG, and sometimes when I try to download anti-virus programs they won't load.
    I have tried the 6 steps advised, however I was unable to do some as the virus won't let me.

    Superantispyware, for example, won't install or open (it starts to load and then just disappears), and it won't let me update Java.

    The background of my desktop is permanently green with the message 'YOUR SYSTEM IS INFECTED! System has been stopped due to a serious malfunction. Spyware activity has been detected. It is recommended to use spyware removal tool to prevent data loss. Do not use the computer before all spyware removed.'
    The poor grammar gives it away as being fake. Also an icon appeared in my toolbar (I think that's what it's called? next to the battery symbol on the bottom right) that was round and red with a white X, that kept popping up and warning me that I had a trojan and to click it for anti-spyware. That was also part of the virus, I believe, and has stopped popping up since running some of the recommended programs, but the background is still the same.

    I will post the two logs I do have:

    Malwarebytes' Anti-Malware 1.44
    Database version: 3510
    Windows 5.1.2600 Service Pack 2 (Safe Mode)
    Internet Explorer 7.0.5730.13

    15/02/2010 23:13:56
    mbam-log-2010-02-15 (23-13-56).txt

    Scan type: Quick Scan
    Objects scanned: 119792
    Time elapsed: 4 minute(s), 12 second(s)

    Memory Processes Infected: 1
    Memory Modules Infected: 0
    Registry Keys Infected: 5
    Registry Values Infected: 5
    Registry Data Items Infected: 11
    Folders Infected: 1
    Files Infected: 17

    Memory Processes Infected:
    C:\WINDOWS\system32\smss32.exe (Trojan.FakeAlert) -> Unloaded process successfully.

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
    HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
    HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
    HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\The Weather Channel (Adware.Hotbar) -> Quarantined and deleted successfully.

    Registry Values Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\z1jipsibfe (Trojan.FakeAlert.H) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss32.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss32.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\naprav2 (Trojan.Agent) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\uid (Malware.Trace) -> Quarantined and deleted successfully.

    Registry Data Items Infected:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: sprecf.dll  -> Delete on reboot.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.FakeAlert) -> Data: c:\windows\system32\winlogon32.exe -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.FakeAlert) -> Data: system32\winlogon32.exe -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.UserInit) -> Bad: (C:\WINDOWS\system32\winlogon32.exe) Good: (userinit.exe) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\activedesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

    Folders Infected:
    C:\WINDOWS\system32\lowsec (Stolen.data) -> Quarantined and deleted successfully.

    Files Infected:
    C:\WINDOWS\sprecf.dll (Trojan.Vundo.H) -> Delete on reboot.
    C:\Documents and Settings\All Users\Application Data\rspgjclg\nmjgvydu.exe (Trojan.FakeAlert.H) -> Quarantined and deleted successfully.
    C:\WINDOWS\Temp\51.tmp (Trojan.Waledac) -> Quarantined and deleted successfully.
    C:\WINDOWS\Temp\52.tmp (Trojan.Dropper) -> Quarantined and deleted successfully.
    C:\WINDOWS\Temp\wpv771266066426.exe (Trojan.Waledac) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\lowsec\local.ds (Stolen.data) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\lowsec\user.ds (Stolen.data) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\lowsec\user.ds.lll (Stolen.data) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\smss32.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\helper32.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\Winlogon32.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\lyesys32.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Administrator\Application Data\wiaserva.log (Malware.Trace) -> Quarantined and deleted successfully.
    C:\WINDOWS\Temp\wpv231266168394.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\WINDOWS\Temp\wpv421265883176.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\WINDOWS\Temp\wpv851265213601.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\41.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.


    ******************************************************************



    Symantec W32.Netsky FixTool 1.13.0


    C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Messenger\[email protected]\SharingMetadata\[email protected]\DFSR\Staging\CS{E93D9B0A-9E3D-07AC-6A4B-33F3AED6B808}\01\11-{E93D9B0A-9E3D-07AC-6A4B-33F3AED6B808}-v1-{E4B48C66-6217-4F8A-B588-32CD3169E251}-v11-Downloaded.frx (WARNING: not scanned, path to long)
    C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Messenger\[email protected]\SharingMetadata\[email protected]\DFSR\Staging\CS{E93D9B0A-9E3D-07AC-6A4B-33F3AED6B808}\12\25-{913F0070-4EE3-4BBC-A6AD-A44D8290110C}-v12-{E4B48C66-6217-4F8A-B588-32CD3169E251}-v25-Downloaded.frx (WARNING: not scanned, path to long)
    C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Messenger\[email protected]\SharingMetadata\[email protected]\DFSR\Staging\CS{E93D9B0A-9E3D-07AC-6A4B-33F3AED6B808}\13\13-{913F0070-4EE3-4BBC-A6AD-A44D8290110C}-v13-{913F0070-4EE3-4BBC-A6AD-A44D8290110C}-v13-Downloaded.frx (WARNING: not scanned, path to long)
    C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Messenger\[email protected]\SharingMetadata\[email protected]\DFSR\Staging\CS{E93D9B0A-9E3D-07AC-6A4B-33F3AED6B808}\14\14-{913F0070-4EE3-4BBC-A6AD-A44D8290110C}-v14-{913F0070-4EE3-4BBC-A6AD-A44D8290110C}-v14-Downloaded.frx (WARNING: not scanned, path to long)
    C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Messenger\[email protected]\SharingMetadata\[email protected]\DFSR\Staging\CS{E93D9B0A-9E3D-07AC-6A4B-33F3AED6B808}\15\15-{913F0070-4EE3-4BBC-A6AD-A44D8290110C}-v15-{913F0070-4EE3-4BBC-A6AD-A44D8290110C}-v15-Downloaded.frx (WARNING: not scanned, path to long)
    C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Messenger\[email protected]\SharingMetadata\[email protected]\DFSR\Staging\CS{E93D9B0A-9E3D-07AC-6A4B-33F3AED6B808}\16\16-{913F0070-4EE3-4BBC-A6AD-A44D8290110C}-v16-{913F0070-4EE3-4BBC-A6AD-A44D8290110C}-v16-Downloaded.frx (WARNING: not scanned, path to long)
    C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Messenger\[email protected]\SharingMetadata\[email protected]\DFSR\Staging\CS{E93D9B0A-9E3D-07AC-6A4B-33F3AED6B808}\17\17-{913F0070-4EE3-4BBC-A6AD-A44D8290110C}-v17-{913F0070-4EE3-4BBC-A6AD-A44D8290110C}-v17-Downloaded.frx (WARNING: not scanned, path to long)
    C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Messenger\[email protected]\SharingMetadata\[email protected]\DFSR\Staging\CS{E93D9B0A-9E3D-07AC-6A4B-33F3AED6B808}\18\18-{913F0070-4EE3-4BBC-A6AD-A44D8290110C}-v18-{913F0070-4EE3-4BBC-A6AD-A44D8290110C}-v18-Partial.frx (WARNING: not scanned, path to long)
    C:\Documents and Settings\Administrator\My Documents\My Music\iTunes\iTunes Music\SCANDAL\BEST?SCANDAL: (not scanned)
    C:\Documents and Settings\Administrator\My Documents\My Music\iTunes\iTunes Music\??: (not scanned)
    C:\Program Files\Crayon Physics Deluxe: (not scanned)
    C:\Program Files\Deskshare: (not scanned)
    C:\RECYCLER\S-1-5-21-893622875-1752805829-1147589580-500\Dc192\boards\standard: (not scanned)
    C:\RECYCLER\S-1-5-21-893622875-1752805829-1147589580-500\Dc192\mus: (not scanned)
    C:\RECYCLER\S-1-5-21-893622875-1752805829-1147589580-500\Dc192\sfx: (not scanned)
    C:\RECYCLER\S-1-5-21-893622875-1752805829-1147589580-500\Dc193: (not scanned)
    C:\RECYCLER\S-1-5-21-893622875-1752805829-1147589580-500\Dc194: (not scanned)
    C:\RECYCLER\S-1-5-21-893622875-1752805829-1147589580-500\Dc195: (not scanned)
    C:\RECYCLER\S-1-5-21-893622875-1752805829-1147589580-500\Dc196: (not scanned)
    C:\RECYCLER\S-1-5-21-893622875-1752805829-1147589580-500\Dc197: (not scanned)
    C:\RECYCLER\S-1-5-21-893622875-1752805829-1147589580-500\Dc198: (not scanned)
    C:\RECYCLER\S-1-5-21-893622875-1752805829-1147589580-500\Dc199: (not scanned)
    C:\RECYCLER\S-1-5-21-893622875-1752805829-1147589580-500\Dc200: (not scanned)
    C:\RECYCLER\S-1-5-21-893622875-1752805829-1147589580-500\Dc201: (not scanned)
    C:\RECYCLER\S-1-5-21-893622875-1752805829-1147589580-500\Dc202: (not scanned)
    C:\System Recovery: (not scanned)
    C:\System Volume Information: (not scanned)
    E:\System Volume Information: (not scanned)
    W32.Netsky has not been found on your computer.


    Any help you can give me would be genuinely appreciated, I really need my laptop for uni and it's a nightmare at the moment because I can't do any work or use the internet as I'm scared it will steal my passwords! If there's anything on my laptop you're not happy about me having (e.g. something I've downloaded in the past and forgotten about so it's floating about somewhere) then I'll be happy to delete it immediately. Thank you so much in advance for your help.

    Kayley
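The Malwarebytes log above is the most informative artifact in this thread: it records a Winlogon Userinit hijack, an LSA notification package, Run-key and Policies\Explorer\Run entries, a Startup-folder dropper, policy keys that disable Task Manager and wallpaper changes, and two items that could only be removed on reboot. The following parser is an added example (not code from the original post, from Malwarebytes, or from the forum) that turns lines in this MBAM 1.x log format into structured findings and groups them by the persistence mechanism each one abused, so a helper triaging such a log can see at a glance what the infection hooked and what is still pending. The sample input is a subset of lines copied from the log above; the persistence labels and helper names (`classify`, `parse_mbam_log`, `summarize`) are my own and not a Malwarebytes convention.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Sample input: a subset of lines copied from the Malwarebytes 1.44 log in the post above.
SAMPLE_LOG = r"""
Malwarebytes' Anti-Malware 1.44
Scan type: Quick Scan

Memory Processes Infected:
C:\WINDOWS\system32\smss32.exe (Trojan.FakeAlert) -> Unloaded process successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\z1jipsibfe (Trojan.FakeAlert.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss32.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: sprecf.dll  -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.UserInit) -> Bad: (C:\WINDOWS\system32\winlogon32.exe) Good: (userinit.exe) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\sprecf.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\lyesys32.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\Winlogon32.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
"""

# MBAM 1.x layout: a "<Section> Infected:" header, then one finding per line in the
# form "<item> (<Detection>) -> [Data: x | Bad: (x) Good: (y) ->] <action>."
SECTION_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected):$")
FINDING_RE = re.compile(r"^(?P<item>.+?) \((?P<detection>[\w.\-]+)\) -> (?P<rest>.+)$")
BAD_GOOD_RE = re.compile(r"Bad: \((?P<bad>.*)\) Good: \((?P<good>.*)\)")
DATA_RE = re.compile(r"Data: (?P<data>.+)")


@dataclass
class Finding:
    section: str
    item: str
    detection: str
    action: str
    persistence: str          # label from classify(), my own taxonomy
    bad: Optional[str] = None
    good: Optional[str] = None
    data: Optional[str] = None

    @property
    def pending_reboot(self) -> bool:
        # MBAM reports locked items as "Delete on reboot"; they are still present until restart.
        return self.action.lower().startswith("delete on reboot")


def classify(item: str) -> str:
    """Map a registry path, file or process to the persistence mechanism it abuses."""
    p = item.lower()
    if "\\winlogon\\userinit" in p:
        return "winlogon-userinit"          # runs before the shell at every logon
    if "\\lsa\\notification packages" in p:
        return "lsa-notification-package"   # DLL loaded into lsass.exe
    if "\\run\\" in p:
        return "run-key"                    # includes Policies\Explorer\Run
    if "\\policies\\" in p:
        return "policy-tamper"              # DisableTaskMgr, NoChangingWallpaper, ...
    if "\\start menu\\programs\\startup\\" in p:
        return "startup-folder"
    if p.startswith(("hkey_", "hku\\")):
        return "registry-other"
    return "file-or-process"


def parse_mbam_log(text: str) -> list:
    findings = []
    section = "Unknown"
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            section = m.group("section")
            continue
        m = FINDING_RE.match(line)
        if not m:
            continue
        # The tail may carry one or more "->" segments; the last one is the action taken.
        parts = [p.strip() for p in m.group("rest").split(" -> ")]
        action = parts[-1].rstrip(".")
        extra = " ".join(parts[:-1])
        bg = BAD_GOOD_RE.search(extra)
        d = DATA_RE.search(extra)
        findings.append(Finding(
            section=section, item=m.group("item"), detection=m.group("detection"),
            action=action, persistence=classify(m.group("item")),
            bad=bg.group("bad") if bg else None, good=bg.group("good") if bg else None,
            data=d.group("data") if d else None))
    return findings


def summarize(findings: list) -> dict:
    """Triage view: what was hooked, what still needs a reboot, what Userinit was restored to."""
    return {
        "total": len(findings),
        "by_persistence": dict(Counter(f.persistence for f in findings)),
        "pending_reboot": [f.item for f in findings if f.pending_reboot],
        "userinit_restored": [(f.bad, f.good) for f in findings
                              if f.persistence == "winlogon-userinit" and f.bad],
    }


if __name__ == "__main__":
    for key, value in summarize(parse_mbam_log(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```

Run against the sample, the summary shows the Userinit value being restored from `winlogon32.exe` to `userinit.exe` and two items (the LSA package entry and `sprecf.dll`) flagged as "Delete on reboot", which is why a helper asks for a fresh log after restarting: until then those items are still on disk and in the registry. Feeding the full log from the post gives the same breakdown for all 40 findings.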

    KayleyBug

      Topic Starter


      Beginner

      Re: Your system is infected! (Please help if you can)
      « Reply #1 on: February 16, 2010, 09:50:52 AM »
      I managed to get to my SUPERAntiSpyware log in Safe Mode (I realised that I'd managed to get it to do a scan last night, but since re-booting after the scan, it will no longer let me open the program.)

      I also attempted to install the new version of Java in Safe Mode. It tried to install and would have been successful but unfortunately it can't fully install when the computer is in Safe Mode. (As mentioned above, Java will not open or install or do anything when my laptop is in Normal mode.)  :-\

      Here's my SAS scan log, hopefully with all 3 logs you'll now be better equipped to spot any problems. Let me know if you need any further information, of course I understand that going through the logs will take up your time, and that you also have real life to be getting on with, so I appreciate that it will be a few hours/days before I get a response.

      SUPERAntiSpyware Scan Log
      http://www.superantispyware.com

      Generated 02/16/2010 at 00:42 AM

      Application Version : 4.33.1000

      Core Rules Database Version : 4446
      Trace Rules Database Version: 1978

      Scan type       : Complete Scan
      Total Scan Time : 01:13:47

      Memory items scanned      : 529
      Memory threats detected   : 0
      Registry items scanned    : 6045
      Registry threats detected : 3
      File items scanned        : 81982
      File threats detected     : 1

      Browser Hijacker.Internet Explorer Zone Hijack
         HKU\S-1-5-21-893622875-1752805829-1147589580-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\is-software-download25.com
         HKU\S-1-5-21-893622875-1752805829-1147589580-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\is-software-download25.com#http

      Adware.Tracking Cookie
         C:\Documents and Settings\Administrator\Cookies\[email protected][2].txt

      Trojan.DNSChanger-Codec
         HKU\S-1-5-21-893622875-1752805829-1147589580-500\Software\uninstall

      evilfantasy

      • Malware Removal Specialist
      • Moderator


      • Genius
      • Calm like a bomb
      • Thanked: 489
      • Experience: Familiar
      • OS: Windows 10
      Re: Your system is infected! (Please help if you can)
      « Reply #2 on: February 17, 2010, 03:59:38 PM »
      If you already have ComboFix be sure to delete it and download a new copy.

      Download ComboFix© by sUBs from one of the below links. Be sure to save it to the Desktop.

      Link #1
      Link #2

      **Note:  It is important that it is saved directly to your Desktop

      Close any open Web browsers. (Firefox, Internet Explorer, etc) before starting ComboFix.

      Temporarily disable your antivirus and any antispyware real time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.
       
      Double click combofix.exe & follow the prompts.
      Vista users Right-Click on ComboFix.exe and select Run as administrator (you will receive a UAC prompt, please allow it)
      When finished ComboFix will produce a log for you.
      Post the ComboFix log in your next reply.

      Important: Do not mouseclick ComboFix's window while it is running. That may cause it to stall.

      Remember to re-enable your antivirus and antispyware protection when ComboFix is complete.

      If you have problems with ComboFix usage, see How to use ComboFix

      KayleyBug

        Topic Starter


        Beginner

        Re: Your system is infected! (Please help if you can)
        « Reply #3 on: February 17, 2010, 04:40:28 PM »
        Thank you so much for getting back to me.  :D
        Combofix wanted to download/install the 'Microsoft Windows recovery console' and I clicked yes but it didn't work, stating that I wasn't connected to the internet. However, I definitely was connected to the internet.  :-\
        I've done the scan, results below. Since using Combofix my desktop background is back to normal. I'm guessing the virus is still around though?
        I will leave my laptop on for now, and then set it to hibernate if I haven't heard back from you before I go to bed (in case I mess anything up before your next reply).



        ComboFix 10-02-12.01 - Kayley E R 17/02/2010  23:16:00.1.1 - x86
        Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.895.379 [GMT 0:00]
        Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
        AV: AVG Anti-Virus Free *On-access scanning disabled* (Outdated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
        FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
        FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

        WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
        .

        (((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
        .

        c:\docume~1\ADMINI~1\LOCALS~1\Temp\21303429133.nls
        c:\documents and settings\Administrator\Application Data\Microsoft\Windows\import.ocx
        c:\documents and settings\Administrator\Application Data\Microsoft\Windows\jsdb.dll
        c:\documents and settings\Administrator\Application Data\Microsoft\Windows\mfximport.exe
        c:\documents and settings\Administrator\Local Settings\Application Data\{1E6CC85C-AE83-4676-9C1C-B03438E4FBC4}
        c:\documents and settings\Administrator\Local Settings\Application Data\{1E6CC85C-AE83-4676-9C1C-B03438E4FBC4}\chrome.manifest
        c:\documents and settings\Administrator\Local Settings\Application Data\{1E6CC85C-AE83-4676-9C1C-B03438E4FBC4}\chrome\content\_cfg.js
        c:\documents and settings\Administrator\Local Settings\Application Data\{1E6CC85C-AE83-4676-9C1C-B03438E4FBC4}\chrome\content\overlay.xul
        c:\documents and settings\Administrator\Local Settings\Application Data\{1E6CC85C-AE83-4676-9C1C-B03438E4FBC4}\install.rdf
        c:\documents and settings\Administrator\Local Settings\Temp\21303429133.nls
        c:\recycler\S-1-5-21-1340307497-2614723990-4250122306-500
        c:\recycler\S-1-5-21-1708537768-602609370-725345543-500
        c:\recycler\S-1-5-21-893622875-1752805829-1147589580-1014
        c:\windows\msacm32.drv
        c:\windows\rasqervy.dll
        c:\windows\sdfinacs.dll
        c:\windows\sdfixwcs.dll
        c:\windows\system32\11478.exe
        c:\windows\system32\15724.exe
        c:\windows\system32\18467.exe
        c:\windows\system32\19169.exe
        c:\windows\system32\23281.exe
        c:\windows\system32\24464.exe
        c:\windows\system32\26500.exe
        c:\windows\system32\26962.exe
        c:\windows\system32\28145.exe
        c:\windows\system32\29358.exe
        c:\windows\system32\5705.exe
        c:\windows\system32\6334.exe
        c:\windows\system32\IS15.exe
        c:\windows\system32\warning.html
        c:\windows\TEMP\21303429133.nls
        c:\windows\ubaxaroyuyevev.dll
        c:\windows\wuasirvy.dll

        .
        (((((((((((((((((((((((((   Files Created from 2010-01-17 to 2010-02-17  )))))))))))))))))))))))))))))))
        .

        2010-02-15 23:25 . 2010-02-15 23:25   --------   d-----w-   c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
        2010-02-15 23:25 . 2010-02-15 23:25   --------   d-----w-   c:\program files\SUPERAntiSpyware
        2010-02-15 23:25 . 2010-02-15 23:25   --------   d-----w-   c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
        2010-02-15 22:38 . 2010-02-15 22:38   --------   d-----w-   c:\documents and settings\Administrator\Application Data\Malwarebytes
        2010-02-15 22:37 . 2010-01-07 16:07   38224   ----a-w-   c:\windows\system32\drivers\mbamswissarmy.sys
        2010-02-15 22:37 . 2010-02-15 22:37   --------   d-----w-   c:\documents and settings\All Users\Application Data\Malwarebytes
        2010-02-15 22:37 . 2010-01-07 16:07   19160   ----a-w-   c:\windows\system32\drivers\mbam.sys
        2010-02-15 22:37 . 2010-02-15 22:38   --------   d-----w-   c:\program files\Malwarebytes' Anti-Malware
        2010-02-15 22:23 . 2010-02-15 22:23   --------   d-----w-   c:\program files\Trend Micro
        2010-02-15 19:28 . 2010-02-15 19:28   552   ----a-w-   c:\windows\system32\d3d8caps.dat
        2010-02-15 18:13 . 2010-02-15 18:13   --------   d-----w-   c:\documents and settings\Administrator\Application Data\AVG8
        2010-02-04 11:54 . 2010-02-17 23:04   120   ----a-w-   c:\windows\Byipelozu.dat
        2010-02-04 11:54 . 2010-02-17 23:04   0   ----a-w-   c:\windows\Esuloso.bin

        .
        ((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
        .
        2010-02-17 23:25 . 2007-05-28 20:32   9517290   ----a-w-   c:\windows\Internet Logs\tvDebug.zip
        2010-02-16 16:25 . 2010-02-16 16:27   3221504   ----a-w-   c:\windows\Internet Logs\xDB3.tmp
        2010-02-16 00:16 . 2009-05-17 14:44   --------   d-----w-   c:\program files\Xvid
        2010-02-16 00:16 . 2007-12-03 15:32   --------   d-----w-   c:\program files\USB Disk Win98 Driver
        2010-02-16 00:16 . 2006-07-11 06:12   --------   d-----w-   c:\program files\Windows Media Connect
        2010-02-15 23:26 . 2010-02-15 23:26   52224   ----a-w-   c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
        2010-02-15 23:26 . 2010-02-15 23:26   117760   ----a-w-   c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
        2010-02-15 23:24 . 2010-01-17 12:44   --------   d-----w-   c:\program files\Common Files\Wise Installation Wizard
        2010-02-15 23:13 . 2008-10-05 14:53   --------   d-----w-   c:\documents and settings\All Users\Application Data\rspgjclg
        2010-02-12 11:42 . 2009-08-09 14:42   0   ----a-w-   c:\documents and settings\Administrator\Local Settings\Application Data\prvlcl.dat
        2010-02-10 14:52 . 2007-01-09 11:46   --------   d-----w-   c:\program files\Lx_cats
        2010-01-17 12:46 . 2010-01-17 12:46   4   --sh--r-   c:\documents and settings\All Users\Application Data\sysqcl1129139270.dat
        2010-01-14 11:12 . 2009-10-04 16:01   181120   ------w-   c:\windows\system32\MpSigStub.exe
        2010-01-09 19:53 . 2008-07-31 11:38   --------   d-----w-   c:\program files\Windows Live Safety Center
        2009-05-01 21:02 . 2009-05-01 21:02   1044480   ----a-w-   c:\program files\mozilla firefox\plugins\libdivx.dll
        2009-05-01 21:02 . 2009-05-01 21:02   200704   ----a-w-   c:\program files\mozilla firefox\plugins\ssldivx.dll
        .

        (((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
        .
        .
        *Note* empty entries & legit default entries are not shown
        REGEDIT4

        [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
        "MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2009-07-26 3883856]
        "Kbdgui"="c:\documents and settings\Administrator\Application Data\Adobe\Update\traykbd.dat" [2010-02-16 123392]
        "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

        [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
        "WatchDog"="c:\program files\InterVideo\DVD Check\DVDCheck.exe" [2006-03-31 184320]
        "LXCFCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\LXCFtime.dll" [2005-07-20 73728]
        "Sony Ericsson PC Suite"="c:\program files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2007-03-28 593920]
        "USB Storage Toolbox"="c:\windows\UMStor\Res.EXE" [2005-09-14 65536]
        "ACQTMOUSE"="c:\program files\Multi-Direction Opitcal Mouse\Multi-Direction Opitcal Mouse\2.0\ACQTMAPP.exe" [2006-12-27 489984]
        "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-03-28 413696]
        "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-03-30 267048]
        "AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-04-01 1932568]
        "Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-03 866584]
        "TrayServer"="c:\program files\MAGIX\Movie_Edit_Pro_15_Download_version\TrayServer.exe" [2008-11-13 90112]
        "IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
        "IMEKRMIG6.1"="c:\windows\ime\imkr6_1\IMEKRMIG.EXE" [2004-08-04 44032]
        "MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]
        "PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
        "PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]

        [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
        "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]

        c:\documents and settings\Administrator\Start Menu\Programs\Startup\
        Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]

        c:\documents and settings\All Users\Start Menu\Programs\Startup\
        Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
        AOL 9.0 Tray Icon.lnk - c:\program files\AOL 9.0a\aoltray.exe [2007-2-4 156784]
        DVD Check.lnk - c:\program files\InterVideo\DVD Check\DVDCheck.exe [2006-10-4 184320]

        [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
        "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

        [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
        2009-09-03 14:21   548352   ----a-w-   c:\program files\SUPERAntiSpyware\SASWINLO.dll

        [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
        2009-04-01 11:34   10520   ----a-w-   c:\windows\system32\avgrsstx.dll

        [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IfxWlxEN]
        2006-03-03 15:08   434176   ----a-w-   c:\windows\system32\IfxWlxEN.dll

        [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\OneCard]
        2005-07-25 18:41   40960   ----a-w-   c:\program files\HPQ\IAM\Bin\AsWlnPkg.dll

        [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
        @="Service"

        [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
        "DisableMonitoring"=dword:00000001

        [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
        "DisableMonitoring"=dword:00000001

        [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
        "EnableFirewall"= 0 (0x0)

        [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
        "%windir%\\system32\\sessmgr.exe"=
        "c:\\WINDOWS\\system32\\mqsvc.exe"=
        "c:\\WINDOWS\\SMINST\\Scheduler.exe"=
        "c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
        "c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
        "c:\\Program Files\\AOL 9.0\\waol.exe"=
        "c:\\Program Files\\AOL\\RC\\regClient.exe"=
        "c:\\Program Files\\AOL 9.0a\\waol.exe"=
        "c:\\Program Files\\Messenger\\msmsgs.exe"=
        "c:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
        "c:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
        "c:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
        "c:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=
        "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
        "c:\\Program Files\\iTunes\\iTunes.exe"=
        "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
        "c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
        "c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
        "c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
        "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

        R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [01/04/2009 11:34 325640]
        R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [01/04/2009 11:34 108552]
        R1 PersonalSecureDrive;PersonalSecureDrive;c:\windows\system32\drivers\psd.sys [29/11/2005 16:56 36768]
        R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [05/01/2010 07:56 9968]
        R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [05/01/2010 07:56 74480]
        R2 ASChannel;Local Communication Channel;c:\windows\System32\svchost.exe -k Cognizance [04/08/2004 08:00 14336]
        R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [01/04/2009 11:33 298264]
        R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [03/11/2006 18:19 13592]
        R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [21/10/2005 11:19 36352]
        S3 FirebirdServerMAGIXInstance;Firebird Server - MAGIX Instance;c:\program files\MAGIX\Common\Database\bin\fbserver.exe [16/05/2009 15:03 1527900]
        S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [05/01/2010 07:56 7408]
        S3 z520bus;Sony Ericsson 520 driver (WDM);c:\windows\system32\drivers\z520bus.sys [26/07/2005 10:13 57648]
        S3 z520mdfl;Sony Ericsson 520 USB WMC Modem Filter;c:\windows\system32\drivers\z520mdfl.sys [26/09/2007 13:34 8336]
        S3 z520mdm;Sony Ericsson 520 USB WMC Modem Drivers;c:\windows\system32\drivers\z520mdm.sys [26/09/2007 13:34 93488]
        S3 z520mgmt;Sony Ericsson 520 USB WMC Device Management Drivers;c:\windows\system32\drivers\z520mgmt.sys [26/09/2007 13:35 84928]
        S3 z520obex;Sony Ericsson 520 USB WMC OBEX Interface Drivers;c:\windows\system32\drivers\z520obex.sys [26/09/2007 13:34 82864]

        [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
        Cognizance   REG_MULTI_SZ      ASChannel
        .
        Contents of the 'Scheduled Tasks' folder

        2010-02-17 c:\windows\Tasks\MP Scheduled Scan.job
        - c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 18:20]
        .
        .
        ------- Supplementary Scan -------
        .
        uStart Page = hxxp://www.hp.com/
        uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
        uInternet Connection Wizard,ShellNext = hxxp://www.hp.com/
        uInternet Settings,ProxyServer = 127.0.0.1:8080
        uInternet Settings,ProxyOverride = local;*.local
        uSearchAssistant = hxxp://www.google.com/ie
        uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
        IE: &AOL Toolbar search - c:\program files\AOL Toolbar\toolbar.dll/SEARCH.HTML
        IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
        Trusted Zone: buy-internetsecurity10.com
        Trusted Zone: buy-is2010.com
        Trusted Zone: is-software-download.com
        Trusted Zone: is10-soft-download.com
        Trusted Zone: buy-internetsecurity10.com
        Trusted Zone: buy-is2010.com
        DPF: {F8C5C0F1-D884-43EB-A5A0-9E1C4A102FA8} - hxxps://secure.gopetslive.com/dev/GoPetsWeb.cab
        FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\dlbu8v23.default\
        FF - plugin: c:\program files\Common Files\ParallelGraphics\Cortona\npCortona.dll
        FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
        .
        - - - - ORPHANS REMOVED - - - -

        HKLM-Run-Ymigabobituyi - c:\windows\ubaxaroyuyevev.dll
        HKU-Default-RunOnce-RunNarrator - Narrator.exe
        AddRemove-Bonus Pack for Super DX-Ball Deluxe_is1 - c:\program files\Super DX-Ball Deluxe\unins001.exe
        AddRemove-CDisplay_is1 - c:\program files\CDisplay\unins000.exe
        AddRemove-Crayon Physics Deluxe_is1 - c:\program files\Crayon Physics Deluxe\unins000.exe
        AddRemove-Digital Media Converter_is1 - c:\program files\Deskshare\Digital Media Converter\unins000.exe
        AddRemove-Guitar Pro 4.0 - c:\progra~1\GUITAR~1\UNWISE.EXE
        AddRemove-Guitar Pro 5_is1 - c:\program files\Guitar Pro 5\unins000.exe
        AddRemove-HijackThis - c:\program files\Trend Micro\HijackThis\HijackThis.exe
        AddRemove-LimeWire - c:\program files\LimeWire\uninstall.exe
        AddRemove-Pocket Tanks_is1 - c:\program files\Pocket Tanks\unins000.exe
        AddRemove-SpeedFan - c:\program files\SpeedFan\uninstall.exe
        AddRemove-Super DX-Ball Deluxe_is1 - c:\program files\Super DX-Ball Deluxe\unins000.exe
        AddRemove-Super DX-Ball_is1 - c:\program files\Super DX-Ball\unins000.exe



        **************************************************************************

        catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
        Rootkit scan 2010-02-17 23:26
        Windows 5.1.2600 Service Pack 2 NTFS

        scanning hidden processes ... 

        scanning hidden autostart entries ...

        HKLM\Software\Microsoft\Windows\CurrentVersion\Run
          LXCFCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\LXCFtime.dll,[email protected]???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

        scanning hidden files ... 

        scan completed successfully
        hidden files: 0

        **************************************************************************
        .
        --------------------- DLLs Loaded Under Running Processes ---------------------

        - - - - - - - > 'winlogon.exe'(928)
        c:\program files\SUPERAntiSpyware\SASWINLO.dll
        c:\windows\system32\Ati2evxx.dll
        c:\program files\HPQ\IAM\Bin\AsWlnPkg.dll
        c:\windows\system32\IfxWlxEN.dll
        c:\program files\HPQ\IAM\Bin\ASChnl.dll
        c:\program files\HPQ\IAM\Bin\ItMsg.dll

        - - - - - - - > 'explorer.exe'(1632)
        c:\program files\HPQ\IAM\Bin\SFSShell.dll
        c:\program files\HPQ\IAM\bin\ItMsg.dll
        c:\windows\system32\msi.dll
        .
        ------------------------ Other Running Processes ------------------------
        .
        c:\windows\system32\Ati2evxx.exe
        c:\windows\system32\DllHost.exe
        c:\windows\system32\msdtc.exe
        c:\program files\Common Files\AOL\ACS\AOLAcsd.exe
        c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
        c:\program files\Bonjour\mDNSResponder.exe
        c:\windows\system32\IFXSPMGT.exe
        c:\windows\system32\IFXTCS.exe
        c:\program files\Common Files\LightScribe\LSSrvc.exe
        c:\program files\ProtectTools\Embedded Security Software\PSDsrvc.EXE
        c:\progra~1\AVG\AVG8\avgrsx.exe
        c:\progra~1\AVG\AVG8\avgnsx.exe
        c:\windows\system32\wdfmgr.exe
        c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe
        c:\windows\system32\mqsvc.exe
        c:\windows\system32\Ati2evxx.exe
        c:\program files\ProtectTools\Embedded Security Software\PSDrt.exe
        c:\program files\HPQ\IAM\bin\asghost.exe
        c:\windows\system32\mqtgsvc.exe
        c:\windows\system32\wscntfy.exe
        c:\program files\iPod\bin\iPodService.exe
        c:\program files\Common Files\Teleca Shared\Generic.exe
        c:\program files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
        .
        **************************************************************************
        .
        Completion time: 2010-02-17  23:32:55 - machine was rebooted
        ComboFix-quarantined-files.txt  2010-02-17 23:32

        Pre-Run: 20,770,365,440 bytes free
        Post-Run: 20,662,919,168 bytes free

        - - End Of File - - 9BCEE55D3BE4497A670308AA97C4A00D

        evilfantasy

        Re: Your system is infected! (Please help if you can)
        « Reply #4 on: February 17, 2010, 05:18:47 PM »
        Don't worry about the Recovery Console. You can skip that.


        1. Go to Start > Run > type Notepad.exe and click OK to open Notepad.
        It must be Notepad, not Wordpad.
        2. Copy the text in the below code box by highlighting all the text and pressing Ctrl+C

        Code:
        KillAll::

        DDS::
        Trusted Zone: buy-internetsecurity10.com
        Trusted Zone: buy-is2010.com
        Trusted Zone: is-software-download.com
        Trusted Zone: is10-soft-download.com
        Trusted Zone: buy-internetsecurity10.com
        Trusted Zone: buy-is2010.com

        Firefox::
        FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll

        File::
        c:\windows\Byipelozu.dat
        c:\windows\Esuloso.bin

        Folder::
        c:\program files\Viewpoint

        Registry::
        [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
        "Kbdgui"=


        3. Go to the Notepad window and click Edit > Paste
        4. Then click File > Save
        5. Name the file CFScript.txt - Save the file to your Desktop
        6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!



        ComboFix will begin to execute, just follow the prompts.
        After reboot (in case it asks to reboot), it will produce a log for you.
        Post that log (Combofix.txt) in your next reply.

        Note: Do not mouse-click ComboFix's window while it is running. That may cause your system to freeze.

        ----------

        Please go to Start > Run and copy/paste the following blue text, then press Enter:

        C:\QooBox\Add-Remove Programs.txt

        A text file should open. Please post the contents of that file in your next reply.

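The CFScript above is the remediation half of a triage the helper did by eye on the first log: the rogue's purchase domains added to the Trusted Zone, and a Run value ("Kbdgui") that loads a .dat file from the user's profile. The log also shows IE's proxy set to 127.0.0.1:8080, which a defender would want to catch as well. The Python below is an added example (not ComboFix's output and not the helper's script): it parses excerpts in ComboFix's log layout, flags those indicator types plus a module loaded into explorer.exe from Temp, and compares a before and after log so the reader can see what a remediation pass left behind. The extension list, the rule names and the two excerpts are the example's own constructions, assembled from lines quoted in this thread.

```python
"""Triage helper for ComboFix-style log excerpts (added example, not ComboFix code)."""
import re
from collections import namedtuple

Finding = namedtuple("Finding", "kind detail")

# Extensions a legitimate Run value almost never points at (assumed list).
DATA_EXTENSIONS = (".dat", ".bin", ".nls", ".tmp", ".txt")

RUN_KEY_RE = re.compile(r"^\[(HK[^\]]*\\Run)\]$", re.IGNORECASE)
RUN_VALUE_RE = re.compile(r'^"([^"]+)"="([^"]+)"')
TRUSTED_RE = re.compile(r"^Trusted Zone:\s*(\S+)")
PROXY_RE = re.compile(r"^uInternet Settings,ProxyServer\s*=\s*(\S+)")
PROCESS_RE = re.compile(r"^(?:- )+> '([^']+)'\((\d+)\)")


def triage(log_text):
    """Return the suspicious entries in one log as a list of Finding tuples."""
    findings = []
    seen_zones = set()
    current_key = None   # Run key whose values are being listed, if any
    current_proc = None  # process whose loaded modules are being listed, if any

    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:                      # a blank line closes either section
            current_key = current_proc = None
            continue

        m = RUN_KEY_RE.match(line)
        if m:
            current_key, current_proc = m.group(1), None
            continue
        m = PROCESS_RE.match(line)
        if m:
            current_proc, current_key = m.group(1), None
            continue

        if current_key:
            m = RUN_VALUE_RE.match(line)
            if m and m.group(2).lower().endswith(DATA_EXTENSIONS):
                findings.append(Finding("autorun_data_ext",
                                        f"{current_key} -> {m.group(1)} = {m.group(2)}"))
            continue

        if current_proc:
            # A module loaded from Temp that is not even named like a DLL or EXE.
            if "\\temp\\" in line.lower() and not line.lower().endswith((".dll", ".exe")):
                findings.append(Finding("odd_module", f"{current_proc} loads {line}"))
            continue

        m = TRUSTED_RE.match(line)
        if m:
            zone = m.group(1).lower()
            if zone not in seen_zones:    # the log lists the same zone more than once
                seen_zones.add(zone)
                findings.append(Finding("trusted_zone", zone))
            continue

        m = PROXY_RE.match(line)
        if m and m.group(1).split(":")[0] in ("127.0.0.1", "localhost"):
            findings.append(Finding("local_proxy", m.group(1)))

    return findings


def compare(before_text, after_text):
    """Return (resolved, remaining, new) findings between two logs of one machine."""
    before, after = set(triage(before_text)), set(triage(after_text))
    return sorted(before - after), sorted(before & after), sorted(after - before)


# Constructed excerpts in ComboFix's layout, built from lines quoted in this thread.
BEFORE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Kbdgui"="c:\documents and settings\Administrator\Application Data\Adobe\Update\traykbd.dat" [2010-02-16 123392]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

uInternet Settings,ProxyServer = 127.0.0.1:8080
uInternet Settings,ProxyOverride = local;*.local
Trusted Zone: buy-internetsecurity10.com
Trusted Zone: buy-is2010.com
Trusted Zone: buy-internetsecurity10.com
"""

AFTER_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Kbdgui"="c:\documents and settings\Administrator\Application Data\Adobe\Update\traykbd.dat" [2010-02-16 123392]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

uInternet Settings,ProxyServer = 127.0.0.1:8080

- - - - - - - > 'explorer.exe'(2852)
c:\windows\system32\msi.dll
c:\docume~1\ADMINI~1\LOCALS~1\Temp\21303429133.nls
"""

if __name__ == "__main__":
    for label, group in zip(("resolved", "remaining", "new"), compare(BEFORE_LOG, AFTER_LOG)):
        print(f"== {label} ==")
        for f in group:
            print(f"  [{f.kind}] {f.detail}")
```

Run stand-alone, the script reports the two Trusted Zone domains as resolved, the Run value and the localhost proxy as remaining, and the Temp .nls module as new. The sample "after" excerpt mirrors what the next reply's log still lists, which is why a second pass over a fresh log matters more than the first script.
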
        KayleyBug

          Topic Starter


          Re: Your system is infected! (Please help if you can)
          « Reply #5 on: February 17, 2010, 05:50:23 PM »
          New ComboFix log:


          ComboFix 10-02-12.01 - Kayley E R 18/02/2010   0:31.2.1 - x86
          Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.895.345 [GMT 0:00]
          Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
          Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript.txt
          AV: AVG Anti-Virus Free *On-access scanning disabled* (Outdated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
          FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
          FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

          WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

          FILE ::
          "c:\windows\Byipelozu.dat"
          "c:\windows\Esuloso.bin"
          .

          (((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
          .

          c:\program files\Viewpoint
          c:\program files\Viewpoint\Viewpoint Experience Technology\AxMetaStream.dll
          c:\program files\Viewpoint\Viewpoint Experience Technology\AxMetaStream_0305000D.dll
          c:\program files\Viewpoint\Viewpoint Experience Technology\ClassIDs.ini
          c:\program files\Viewpoint\Viewpoint Experience Technology\ComponentMgr_0305001C.dll
          c:\program files\Viewpoint\Viewpoint Experience Technology\ComponentRegistry.ini
          c:\program files\Viewpoint\Viewpoint Experience Technology\Components\AOLArt.dll
          c:\program files\Viewpoint\Viewpoint Experience Technology\Components\AOLShell.dll
          c:\program files\Viewpoint\Viewpoint Experience Technology\Components\AOLUserShell.dll
          c:\program files\Viewpoint\Viewpoint Experience Technology\Components\Cursors.dll
          c:\program files\Viewpoint\Viewpoint Experience Technology\Components\DataTracking.dll
          c:\program files\Viewpoint\Viewpoint Experience Technology\Components\GifReader.dll
          c:\program files\Viewpoint\Viewpoint Experience Technology\Components\JpegReader.dll
          c:\program files\Viewpoint\Viewpoint Experience Technology\Components\LensFlares.dll
          c:\program files\Viewpoint\Viewpoint Experience Technology\Components\Mts3Reader.dll
          c:\program files\Viewpoint\Viewpoint Experience Technology\Components\ObjectMovie.dll
          c:\program files\Viewpoint\Viewpoint Experience Technology\Components\SceneComponent.dll
          c:\program files\Viewpoint\Viewpoint Experience Technology\Components\ServiceComponent.dll
          c:\program files\Viewpoint\Viewpoint Experience Technology\Components\SreeDMMX.dll
          c:\program files\Viewpoint\Viewpoint Experience Technology\Components\SWFView.dll
          c:\program files\Viewpoint\Viewpoint Experience Technology\Components\VectorView.dll
          c:\program files\Viewpoint\Viewpoint Experience Technology\Components\VMPAudio.dll
          c:\program files\Viewpoint\Viewpoint Experience Technology\Components\VMPExtras.dll
          c:\program files\Viewpoint\Viewpoint Experience Technology\Components\VMPSpeech.dll
          c:\program files\Viewpoint\Viewpoint Experience Technology\Components\VMPVideo.dll
          c:\program files\Viewpoint\Viewpoint Experience Technology\Components\WaveletReader.dll
          c:\program files\Viewpoint\Viewpoint Experience Technology\Components\ZoomView.dll
          c:\program files\Viewpoint\Viewpoint Experience Technology\DownLoadHist.ini
          c:\program files\Viewpoint\Viewpoint Experience Technology\HostRegistry.ini
          c:\program files\Viewpoint\Viewpoint Experience Technology\MetaStreamConfig.ini
          c:\program files\Viewpoint\Viewpoint Experience Technology\MetaStreamID.ini
          c:\program files\Viewpoint\Viewpoint Experience Technology\MtsAxInstaller.exe
          c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
          c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.xpt
          c:\windows\Byipelozu.dat
          c:\windows\Esuloso.bin

          .
          (((((((((((((((((((((((((   Files Created from 2010-01-18 to 2010-02-18  )))))))))))))))))))))))))))))))
          .

          2010-02-15 23:25 . 2010-02-15 23:25   --------   d-----w-   c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
          2010-02-15 23:25 . 2010-02-15 23:25   --------   d-----w-   c:\program files\SUPERAntiSpyware
          2010-02-15 23:25 . 2010-02-15 23:25   --------   d-----w-   c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
          2010-02-15 22:38 . 2010-02-15 22:38   --------   d-----w-   c:\documents and settings\Administrator\Application Data\Malwarebytes
          2010-02-15 22:37 . 2010-01-07 16:07   38224   ----a-w-   c:\windows\system32\drivers\mbamswissarmy.sys
          2010-02-15 22:37 . 2010-02-15 22:37   --------   d-----w-   c:\documents and settings\All Users\Application Data\Malwarebytes
          2010-02-15 22:37 . 2010-01-07 16:07   19160   ----a-w-   c:\windows\system32\drivers\mbam.sys
          2010-02-15 22:37 . 2010-02-15 22:38   --------   d-----w-   c:\program files\Malwarebytes' Anti-Malware
          2010-02-15 22:23 . 2010-02-15 22:23   --------   d-----w-   c:\program files\Trend Micro
          2010-02-15 19:28 . 2010-02-15 19:28   552   ----a-w-   c:\windows\system32\d3d8caps.dat
          2010-02-15 18:13 . 2010-02-15 18:13   --------   d-----w-   c:\documents and settings\Administrator\Application Data\AVG8

          .
          ((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
          .
          2010-02-17 23:25 . 2007-05-28 20:32   9517290   ----a-w-   c:\windows\Internet Logs\tvDebug.zip
          2010-02-16 16:25 . 2010-02-16 16:27   3221504   ----a-w-   c:\windows\Internet Logs\xDB3.tmp
          2010-02-16 00:16 . 2009-05-17 14:44   --------   d-----w-   c:\program files\Xvid
          2010-02-16 00:16 . 2007-12-03 15:32   --------   d-----w-   c:\program files\USB Disk Win98 Driver
          2010-02-16 00:16 . 2006-07-11 06:12   --------   d-----w-   c:\program files\Windows Media Connect
          2010-02-15 23:26 . 2010-02-15 23:26   52224   ----a-w-   c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
          2010-02-15 23:26 . 2010-02-15 23:26   117760   ----a-w-   c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
          2010-02-15 23:24 . 2010-01-17 12:44   --------   d-----w-   c:\program files\Common Files\Wise Installation Wizard
          2010-02-15 23:13 . 2008-10-05 14:53   --------   d-----w-   c:\documents and settings\All Users\Application Data\rspgjclg
          2010-02-12 11:42 . 2009-08-09 14:42   0   ----a-w-   c:\documents and settings\Administrator\Local Settings\Application Data\prvlcl.dat
          2010-02-10 14:52 . 2007-01-09 11:46   --------   d-----w-   c:\program files\Lx_cats
          2010-01-17 12:46 . 2010-01-17 12:46   4   --sh--r-   c:\documents and settings\All Users\Application Data\sysqcl1129139270.dat
          2010-01-14 11:12 . 2009-10-04 16:01   181120   ------w-   c:\windows\system32\MpSigStub.exe
          2010-01-09 19:53 . 2008-07-31 11:38   --------   d-----w-   c:\program files\Windows Live Safety Center
          2009-05-01 21:02 . 2009-05-01 21:02   1044480   ----a-w-   c:\program files\mozilla firefox\plugins\libdivx.dll
          2009-05-01 21:02 . 2009-05-01 21:02   200704   ----a-w-   c:\program files\mozilla firefox\plugins\ssldivx.dll
          .

          (((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
          .
          .
          *Note* empty entries & legit default entries are not shown
          REGEDIT4

          [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
          "MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2009-07-26 3883856]
          "Kbdgui"="c:\documents and settings\Administrator\Application Data\Adobe\Update\traykbd.dat" [2010-02-16 123392]
          "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

          [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
          "WatchDog"="c:\program files\InterVideo\DVD Check\DVDCheck.exe" [2006-03-31 184320]
          "LXCFCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\LXCFtime.dll" [2005-07-20 73728]
          "Sony Ericsson PC Suite"="c:\program files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2007-03-28 593920]
          "USB Storage Toolbox"="c:\windows\UMStor\Res.EXE" [2005-09-14 65536]
          "ACQTMOUSE"="c:\program files\Multi-Direction Opitcal Mouse\Multi-Direction Opitcal Mouse\2.0\ACQTMAPP.exe" [2006-12-27 489984]
          "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-03-28 413696]
          "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-03-30 267048]
          "AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-04-01 1932568]
          "Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-03 866584]
          "TrayServer"="c:\program files\MAGIX\Movie_Edit_Pro_15_Download_version\TrayServer.exe" [2008-11-13 90112]
          "IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
          "IMEKRMIG6.1"="c:\windows\ime\imkr6_1\IMEKRMIG.EXE" [2004-08-04 44032]
          "MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]
          "PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
          "PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]

          [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
          "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]

          c:\documents and settings\Administrator\Start Menu\Programs\Startup\
          Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]

          c:\documents and settings\All Users\Start Menu\Programs\Startup\
          Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
          AOL 9.0 Tray Icon.lnk - c:\program files\AOL 9.0a\aoltray.exe [2007-2-4 156784]
          DVD Check.lnk - c:\program files\InterVideo\DVD Check\DVDCheck.exe [2006-10-4 184320]

          [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
          "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

          [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
          2009-09-03 14:21   548352   ----a-w-   c:\program files\SUPERAntiSpyware\SASWINLO.dll

          [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
          2009-04-01 11:34   10520   ----a-w-   c:\windows\system32\avgrsstx.dll

          [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IfxWlxEN]
          2006-03-03 15:08   434176   ----a-w-   c:\windows\system32\IfxWlxEN.dll

          [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\OneCard]
          2005-07-25 18:41   40960   ----a-w-   c:\program files\HPQ\IAM\Bin\AsWlnPkg.dll

          [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
          @="Service"

          [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
          "DisableMonitoring"=dword:00000001

          [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
          "DisableMonitoring"=dword:00000001

          [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
          "EnableFirewall"= 0 (0x0)

          [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
          "%windir%\\system32\\sessmgr.exe"=
          "c:\\WINDOWS\\system32\\mqsvc.exe"=
          "c:\\WINDOWS\\SMINST\\Scheduler.exe"=
          "c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
          "c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
          "c:\\Program Files\\AOL 9.0\\waol.exe"=
          "c:\\Program Files\\AOL\\RC\\regClient.exe"=
          "c:\\Program Files\\AOL 9.0a\\waol.exe"=
          "c:\\Program Files\\Messenger\\msmsgs.exe"=
          "c:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
          "c:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
          "c:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
          "c:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=
          "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
          "c:\\Program Files\\iTunes\\iTunes.exe"=
          "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
          "c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
          "c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
          "c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
          "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

          R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [01/04/2009 11:34 325640]
          R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [01/04/2009 11:34 108552]
          R1 PersonalSecureDrive;PersonalSecureDrive;c:\windows\system32\drivers\psd.sys [29/11/2005 16:56 36768]
          R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [05/01/2010 07:56 9968]
          R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [05/01/2010 07:56 74480]
          R2 ASChannel;Local Communication Channel;c:\windows\System32\svchost.exe -k Cognizance [04/08/2004 08:00 14336]
          R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [01/04/2009 11:33 298264]
          R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [03/11/2006 18:19 13592]
          R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [21/10/2005 11:19 36352]
          S3 FirebirdServerMAGIXInstance;Firebird Server - MAGIX Instance;c:\program files\MAGIX\Common\Database\bin\fbserver.exe [16/05/2009 15:03 1527900]
          S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [05/01/2010 07:56 7408]
          S3 z520bus;Sony Ericsson 520 driver (WDM);c:\windows\system32\drivers\z520bus.sys [26/07/2005 10:13 57648]
          S3 z520mdfl;Sony Ericsson 520 USB WMC Modem Filter;c:\windows\system32\drivers\z520mdfl.sys [26/09/2007 13:34 8336]
          S3 z520mdm;Sony Ericsson 520 USB WMC Modem Drivers;c:\windows\system32\drivers\z520mdm.sys [26/09/2007 13:34 93488]
          S3 z520mgmt;Sony Ericsson 520 USB WMC Device Management Drivers;c:\windows\system32\drivers\z520mgmt.sys [26/09/2007 13:35 84928]
          S3 z520obex;Sony Ericsson 520 USB WMC OBEX Interface Drivers;c:\windows\system32\drivers\z520obex.sys [26/09/2007 13:34 82864]

          [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
          Cognizance   REG_MULTI_SZ      ASChannel
          .
          Contents of the 'Scheduled Tasks' folder

          2010-02-18 c:\windows\Tasks\MP Scheduled Scan.job
          - c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 18:20]
          .
          .
          ------- Supplementary Scan -------
          .
          uStart Page = hxxp://www.hp.com/
          uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
          uInternet Connection Wizard,ShellNext = hxxp://www.hp.com/
          uInternet Settings,ProxyServer = 127.0.0.1:8080
          uInternet Settings,ProxyOverride = local;*.local
          uSearchAssistant = hxxp://www.google.com/ie
          uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
          IE: &AOL Toolbar search - c:\program files\AOL Toolbar\toolbar.dll/SEARCH.HTML
          IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
          DPF: {F8C5C0F1-D884-43EB-A5A0-9E1C4A102FA8} - hxxps://secure.gopetslive.com/dev/GoPetsWeb.cab
          FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\dlbu8v23.default\
          FF - plugin: c:\program files\Common Files\ParallelGraphics\Cortona\npCortona.dll
          .
          - - - - ORPHANS REMOVED - - - -

          AddRemove-ViewpointMediaPlayer - c:\program files\Viewpoint\Viewpoint Experience Technology\mtsAxInstaller.exe



          **************************************************************************

          catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
          Rootkit scan 2010-02-18 00:41
          Windows 5.1.2600 Service Pack 2 NTFS

          scanning hidden processes ... 

          scanning hidden autostart entries ...

          HKLM\Software\Microsoft\Windows\CurrentVersion\Run
            LXCFCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\LXCFtime.dll,[email protected]???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

          scanning hidden files ... 

          scan completed successfully
          hidden files: 0

          **************************************************************************
          .
          --------------------- DLLs Loaded Under Running Processes ---------------------

          - - - - - - - > 'winlogon.exe'(924)
          c:\program files\SUPERAntiSpyware\SASWINLO.dll
          c:\windows\system32\Ati2evxx.dll
          c:\program files\HPQ\IAM\Bin\AsWlnPkg.dll
          c:\windows\system32\IfxWlxEN.dll
          c:\program files\HPQ\IAM\Bin\ASChnl.dll
          c:\program files\HPQ\IAM\Bin\ItMsg.dll

          - - - - - - - > 'explorer.exe'(2852)
          c:\program files\HPQ\IAM\Bin\SFSShell.dll
          c:\program files\HPQ\IAM\bin\ItMsg.dll
          c:\windows\system32\msi.dll
          c:\docume~1\ADMINI~1\LOCALS~1\Temp\21303429133.nls
          .
          ------------------------ Other Running Processes ------------------------
          .
          c:\windows\system32\Ati2evxx.exe
          c:\windows\system32\DllHost.exe
          c:\windows\system32\Ati2evxx.exe
          c:\program files\HPQ\IAM\bin\asghost.exe
          c:\windows\system32\msdtc.exe
          c:\program files\Common Files\AOL\ACS\AOLAcsd.exe
          c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
          c:\program files\Bonjour\mDNSResponder.exe
          c:\windows\system32\IFXSPMGT.exe
          c:\windows\system32\IFXTCS.exe
          c:\program files\Common Files\LightScribe\LSSrvc.exe
          c:\program files\ProtectTools\Embedded Security Software\PSDsrvc.EXE
          c:\progra~1\AVG\AVG8\avgrsx.exe
          c:\progra~1\AVG\AVG8\avgnsx.exe
          c:\windows\system32\wdfmgr.exe
          c:\windows\system32\mqsvc.exe
          c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe
          c:\windows\system32\mqtgsvc.exe
          c:\windows\system32\wscntfy.exe
          c:\program files\ProtectTools\Embedded Security Software\PSDrt.exe
          c:\program files\iPod\bin\iPodService.exe
          c:\program files\Common Files\Teleca Shared\Generic.exe
          c:\program files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
          .
          **************************************************************************
          .
          Completion time: 2010-02-18  00:47:24 - machine was rebooted
          ComboFix-quarantined-files.txt  2010-02-18 00:47
          ComboFix2.txt  2010-02-17 23:32

          Pre-Run: 20,634,279,936 bytes free
          Post-Run: 20,573,704,192 bytes free

          - - End Of File - - C9B4B339BA1545B0EE1ED5FEA0FACD2A



          ************************************************************

          Copy and paste blue text results:



          Ad-Aware SE Personal
          Adobe Bridge 1.0
          Adobe Common File Installer
          Adobe Flash Player 10 Plugin
          Adobe Flash Player 9 ActiveX
          Adobe Help Center 1.0
          Adobe Photoshop CS2
          Adobe Reader 7.0.9
          Adobe Shockwave Player
          Adobe Stock Photos 1.0
          AOL Coach Version 1.0(Build:20040229.1 uk)
          AOL Connectivity Services
          AOL Registration
          AOL Spyware Protection
          AOL Toolbar
          AOL UK (Choose which version to remove)
          AOL You've Got Pictures Screensaver
          Apple Mobile Device Support
          Apple Software Update
          Application Installer 4.00.B6
          ATI Catalyst Control Center
          ATI Display Driver
          Atomic Cannon Demo
          Audacity 1.2.6
          AVG 8.5
          Bonjour
          CCleaner (remove only)
          Comic Life
          Compatibility Pack for the 2007 Office system
          Cortona® VRML Client
          Disc2Phone
          DivX Web Player
          Firebird SQL Server - MAGIX Edition
          HDAUDIO Soft Data Fax Modem with SmartCP
          Hotfix for Windows XP (KB896243)
          Hotfix for Windows XP (KB896256)
          Hotfix for Windows XP (KB909095)
          Hotfix for Windows XP (KB910728)
          Hotfix for Windows XP (KB912436)
          Hotfix for Windows XP (KB914440)
          Hotfix for Windows XP (KB915326)
          Hotfix for Windows XP (KB915865)
          Hotfix for Windows XP (KB918005)
          HP Backup and Recovery Manager Installer
          HP BIOS Configuration for ProtectTools 2.00 G1
          HP Credential Manager for ProtectTools
          HP Embedded Security for ProtectTools
          HP Help and Support
          HP Notebook Accessories Product Tour
          HP ProtectTools Security Manager 2.00 C3
          HP Quick Launch Buttons 6.00 G2
          HP Update
          HP User Guides 0022
          HP Wireless Assistant 2.00 F1
          HpSdpAppCoreApp
          InterVideo DVD Check
          InterVideo WinDVD
          IrfanView (remove only)
          iTunes
          Learn2 Player (Uninstall Only)
          Lexmark 730 Series
          LightScribe  1.4.84.1
          MAGIX 3D Maker (embeded)
          MAGIX Movie Edit Pro 15 Download version 8.5.0.30 (UK)
          MAGIX Screenshare 4.3.6.1987 (UK)
          MAGIX Xtreme PhotoStory on CD & DVD 8 deluxe Download version 8.0.3.2 (UK)
          Malwarebytes' Anti-Malware
          Microsoft Application Error Reporting
          Microsoft Choice Guard
          Microsoft Internationalized Domain Names Mitigation APIs
          Microsoft National Language Support Downlevel APIs
          Microsoft Office Standard Edition 2003
          Microsoft Speech SDK 5.1
          Microsoft Text-to-Speech Engine 4.0 (English)
          Microsoft Visual C++ 2005 Redistributable
          Mozilla Firefox (3.5.7)
          MSVCRT
          MSXML 4.0 SP2 (KB927978)
          Multi-Direction Opitcal Mouse 2.0
          Power Tab Editor 1.7
          QuickTime
          RealPlayer
          Safari
          Security Update for Step By Step Interactive Training (KB898458)
          Security Update for Windows Internet Explorer 7 (KB950759)
          Security Update for Windows Media Player (KB911564)
          Security Update for Windows Media Player 10 (KB917734)
          Security Update for Windows Media Player 6.4 (KB925398)
          Security Update for Windows Media Player 9 (KB911565)
          Security Update for Windows XP (KB893066)
          Security Update for Windows XP (KB893756)
          Security Update for Windows XP (KB896358)
          Security Update for Windows XP (KB896422)
          Security Update for Windows XP (KB896423)
          Security Update for Windows XP (KB896424)
          Security Update for Windows XP (KB896428)
          Security Update for Windows XP (KB899587)
          Security Update for Windows XP (KB899591)
          Security Update for Windows XP (KB900725)
          Security Update for Windows XP (KB901017)
          Security Update for Windows XP (KB901190)
          Security Update for Windows XP (KB901214)
          Security Update for Windows XP (KB902400)
          Security Update for Windows XP (KB903235)
          Security Update for Windows XP (KB904706)
          Security Update for Windows XP (KB905414)
          Security Update for Windows XP (KB905749)
          Security Update for Windows XP (KB908519)
          Security Update for Windows XP (KB911562)
          Security Update for Windows XP (KB911927)
          Security Update for Windows XP (KB912919)
          Security Update for Windows XP (KB913446)
          Security Update for Windows XP (KB913580)
          Security Update for Windows XP (KB914388)
          Security Update for Windows XP (KB914389)
          Security Update for Windows XP (KB917344)
          Security Update for Windows XP (KB917422)
          Security Update for Windows XP (KB917953)
          Security Update for Windows XP (KB918439)
          Security Update for Windows XP (KB919007)
          Security Update for Windows XP (KB920213)
          Security Update for Windows XP (KB920670)
          Security Update for Windows XP (KB920683)
          Security Update for Windows XP (KB920685)
          Security Update for Windows XP (KB921398)
          Security Update for Windows XP (KB922616)
          Security Update for Windows XP (KB922819)
          Security Update for Windows XP (KB923191)
          Security Update for Windows XP (KB923414)
          Security Update for Windows XP (KB923689)
          Security Update for Windows XP (KB923694)
          Security Update for Windows XP (KB923980)
          Security Update for Windows XP (KB924191)
          Security Update for Windows XP (KB924270)
          Security Update for Windows XP (KB924496)
          Security Update for Windows XP (KB925454)
          Security Update for Windows XP (KB926255)
          Security Update for Windows XP (KB929969)
          Segoe UI
          Sonic Audio Module
          Sonic Copy Module
          Sonic Data Module
          Sonic DLA
          Sonic Express Labeler
          Sonic MyDVD Plus
          Sonic Update Manager
          Sony Ericsson PC Suite
          SoundMAX
          Spybot - Search & Destroy 1.4
          SUPERAntiSpyware Free Edition
          Synaptics Pointing Device Driver
          Texas Instruments PCIxx21/x515/xx12 drivers.
          TIPCI
          Update for Windows XP (KB894391)
          Update for Windows XP (KB896727)
          Update for Windows XP (KB898461)
          Update for Windows XP (KB900485)
          Update for Windows XP (KB904942)
          Update for Windows XP (KB908531)
          Update for Windows XP (KB910437)
          Update for Windows XP (KB911280)
          Update for Windows XP (KB912945)
          Update for Windows XP (KB916595)
          Update for Windows XP (KB920872)
          Update for Windows XP (KB922582)
          USB Disk Win98 Driver
          VC80CRTRedist - 8.0.50727.762
          VideoLAN VLC media player 0.8.6a
          Viewpoint Media Player
          WebFldrs XP
          Windows Defender
          Windows Driver Package - Advanced Micro Devices (AmdK8) Processor  (05/27/2006 1.3.2.0)
          Windows Genuine Advantage Validation Tool (KB892130)
          Windows Installer 3.1 (KB893803)
          Windows Installer Clean Up
          Windows Internet Explorer 7
          Windows Live Call
          Windows Live Communications Platform
          Windows Live Essentials
          Windows Live Messenger
          Windows Live OneCare safety scanner
          Windows Live Sign-in Assistant
          Windows Live Upload Tool
          Windows Media Connect
          Windows Media Format Runtime
          Windows Media Player 10
          Windows XP Hotfix - KB873333
          Windows XP Hotfix - KB873339
          Windows XP Hotfix - KB883667
          Windows XP Hotfix - KB884575
          Windows XP Hotfix - KB885250
          Windows XP Hotfix - KB885295
          Windows XP Hotfix - KB885464
          Windows XP Hotfix - KB885835
          Windows XP Hotfix - KB885836
          Windows XP Hotfix - KB885855
          Windows XP Hotfix - KB885884
          Windows XP Hotfix - KB886185
          Windows XP Hotfix - KB887472
          Windows XP Hotfix - KB888113
          Windows XP Hotfix - KB888239
          Windows XP Hotfix - KB888302
          Windows XP Hotfix - KB888402
          Windows XP Hotfix - KB889673
          Windows XP Hotfix - KB890859
          Windows XP Hotfix - KB891781
          Windows XP Hotfix - KB892559
          WinRAR archiver
          WinZip
          Xvid 1.1.3 final uninstall
          ZoneAlarm

          evilfantasy

          • Malware Removal Specialist
          • Moderator


          • Genius
          • Calm like a bomb
          • Thanked: 489
          • Experience: Familiar
          • OS: Windows 10
          Re: Your system is infected! (Please help if you can)
          « Reply #6 on: February 17, 2010, 05:58:50 PM »
          Sorry I missed something. But it's a quick fix.

          Go to Start > Run and type notepad.exe then click OK

          Copy and paste the below into Notepad and save as fixme.reg to Your Desktop

          Code:
          REGEDIT4

          [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
          "Kbdgui"=-

          Locate fixme.reg on your Desktop and double-click it. Answer Yes when prompted to merge with the Registry.

          Delete the fixme.reg from the Desktop.

          ----------

          * Click START then RUN - Vista users press the Windows Key and the R keys for the Run box.
          * Now type Combofix /Uninstall in the runbox
          * Make sure there's a space between Combofix and /Uninstall
          * Then hit Enter

          * The above procedure will:
            * Delete ComboFix and its associated files and folders.
            * Reset the clock settings.
            * Hide file extensions, if required.
            * Hide System/Hidden files, if required.
            * Set a new, clean Restore Point.

          ----------

          Clean out your temporary internet files and temp files.

          Download TFC by OldTimer to your desktop.

          Double-click TFC.exe to run it.

          Note: If you are running on Vista, right-click on the file and choose Run As Administrator

          TFC will close all programs when run, so make sure you have saved all your work before you begin.

          * Click the Start button to begin the cleaning process.
          * Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two.
          * Please let TFC run uninterrupted until it is finished.

          Once TFC is finished it should restart your computer. If it does not, please manually restart the computer yourself to ensure a complete cleaning.

          ----------

          ESET Online Scan

          Scan your computer with the ESET FREE Online Virus Scan

          * Click the ESET Online Scanner button.

          * For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
          * Click on the esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop
          * Double click on the esetsmartinstaller_enu.exe icon on your desktop.
          * Place a check mark next to YES, I accept the Terms of Use.

          * Click the Start button.
          * Accept any security warnings from your browser.
          * Leave the check mark next to Remove found threats and place a check next to Scan archives.
          * Click the Start button.
          * ESET will then download updates, install, and begin scanning your computer. Please be patient as this can take some time.
          * When the scan completes, click List of found threats.
          * Next click Export to text file and save the file to your desktop using a name such as ESETScan. Include the contents of this report in your next reply.
          * Click the <<Back button then click Finish.

          In your next reply please include the ESET Online Scan Log
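An added example, not part of evilfantasy's post or of any tool mentioned in it: the fixme.reg above removes the "Kbdgui" value from the per-user Run key (`"Name"=-` in a REGEDIT4 file means "delete this value"). The script below does the same job from PowerShell and adds the two checks a practitioner wants around such a fix: it lists every autorun value together with the command line it launches (so the file behind "Kbdgui" can be located and removed too), exports a backup of the key before changing it, and verifies afterwards that the value is gone. The value name comes from the post; the backup path, the `$ValueName` parameter and the use of `reg.exe export /y` are assumptions of this example.

```powershell
# Added example (not from the original post): audit the Run keys, back up the
# per-user key, remove one named autorun value, and verify the removal.
# $ValueName "Kbdgui" is the entry named in the post; the backup path is an
# assumption of this example.
param(
    [string]$ValueName  = "Kbdgui",
    [string]$BackupPath = "$env:USERPROFILE\Desktop\Run-backup.reg"
)

$runKeys = @(
    "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run",
    "HKLM:\Software\Microsoft\Windows\CurrentVersion\Run"
)

# 1. List every autorun value with the command line behind it. The malware's
#    binary is whatever path "Kbdgui" points at; the .reg fix only removes the
#    pointer, not the file, so note the path before deleting the value.
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    $props.PSObject.Properties |
        Where-Object { $_.Name -notmatch '^PS' } |   # drop PSPath/PSDrive/... metadata
        ForEach-Object { "{0}  {1} = {2}" -f $key, $_.Name, $_.Value }
}

# 2. Back up the per-user Run key as a .reg file so the change can be reverted.
#    (reg.exe is used because it writes the REGEDIT-format file directly;
#    the /y switch suppresses the overwrite prompt.)
& reg.exe export "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" $BackupPath /y | Out-Null
"Backup written to $BackupPath"

# 3. Remove the named value from HKCU. This is exactly what
#    "Kbdgui"=- under that key does when fixme.reg is merged.
$hkcuRun = $runKeys[0]
$current = Get-ItemProperty -Path $hkcuRun -Name $ValueName -ErrorAction SilentlyContinue
if ($null -ne $current) {
    "Removing $ValueName -> $($current.$ValueName)"
    Remove-ItemProperty -Path $hkcuRun -Name $ValueName
} else {
    "$ValueName not present in $hkcuRun (nothing to remove)"
}

# 4. Verify the value is really gone before rebooting.
$after = Get-ItemProperty -Path $hkcuRun -Name $ValueName -ErrorAction SilentlyContinue
if ($null -eq $after) {
    "Verified: $ValueName is no longer in $hkcuRun"
} else {
    "WARNING: $ValueName is still present; the entry may be re-created by a running process"
}
```

Run it in an elevated PowerShell session so the HKLM key can be read. Two caveats: the laptop in this thread runs Windows XP SP2, where PowerShell is an optional install rather than a built-in, so the .reg file in the post remains the portable method; and if the value reappears after removal, a still-running component is re-writing it, which is why the post has the user merge the fix and then run the remaining tools rather than rely on the registry edit alone.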

          KayleyBug


            Re: Your system is infected! (Please help if you can)
            « Reply #7 on: February 17, 2010, 06:19:36 PM »
            I managed everything else, however when I attempted to run ESET after saving it to desktop a box appears saying:

            Can not get update. Is proxy configured?
            ESET online scanner installation consists of three steps
            1. Component download
            2. Component registration
            3. Start

            Then there's a loading bar that's empty. Below that is a box to check saying 'Use custom proxy settings' and a link saying 'configure'. The Configure asks for my Proxy address, Port, Username and Password.
            When I click the start button at the bottom right of the box, the writing saying 'Can not get update. Is proxy configured?' changes to 'Downloading components...' for a split second and then goes back to the above description.

            Should I disable AVG? Is that what's blocking it?

            evilfantasy

            Re: Your system is infected! (Please help if you can)
            « Reply #8 on: February 17, 2010, 06:25:25 PM »
            I had something similar when I tried to use the download with Firefox. Try using the Internet Explorer scan.

            KayleyBug


              Re: Your system is infected! (Please help if you can)
              « Reply #9 on: February 17, 2010, 06:32:41 PM »
              Thank you, it worked fine on Internet Explorer.
              Unfortunately, I have no scan log show for it because it says 'No Threats Found'.
              Should I check 'uninstall application on close'?

              evilfantasy

              Re: Your system is infected! (Please help if you can)
              « Reply #10 on: February 17, 2010, 06:34:19 PM »
              There is no way the scan finished that fast. Did you adjust any of the settings for the scan?

              KayleyBug


                Re: Your system is infected! (Please help if you can)
                « Reply #11 on: February 17, 2010, 06:38:22 PM »
                I didn't change any settings except to check 'scan archives', but I went back to it to do another scan and realised that 'Scan for potentially unsafe applications' is already un-checked. Should I check that? I'm also going to disable Zone Alarm and AVG.

                evilfantasy

                Re: Your system is infected! (Please help if you can)
                « Reply #12 on: February 17, 2010, 06:40:29 PM »
                Let's try another scanner. That was just way too fast.


                Scan your computer with Panda ActiveScan

                * Once you are on the Panda site click the Scan your PC now button.
                * A new window will open...click the Scan Now button.
                * If it wants to install an ActiveX component allow it.
                * It will start downloading the files it requires for the scan. (Note: It may take a couple of minutes)
                * You may get a warning from Internet Explorer that Panda is ready to install, please allow it.
                * The scan will begin. Please be patient as it can take an hour or more to complete.
                * When the scan completes, if anything malicious is detected, click the Export to: button (looks like a little Notepad).
                * Save the ActiveScan.txt to a convenient location like your desktop.
                * Note: You do not need to select any of the Disinfect options. We will remove any threats manually.

                * Post the contents of the ActiveScan report in your next reply.

                KayleyBug


                  Re: Your system is infected! (Please help if you can)
                  « Reply #13 on: February 17, 2010, 06:56:58 PM »
                  Much more luck with the Panda scan, it's running now.
                  As it's 2am here in Wales and could be after 3am once it's done, I'm going to set my laptop to hibernate after 2 hours and let it run while I go to sleep.
                  I'll post the scan results in the morning although it'll be night time for you, so I understand I'm in for another wait  :)

                  evilfantasy

                  Re: Your system is infected! (Please help if you can)
                  « Reply #14 on: February 17, 2010, 07:12:45 PM »
                  We can finish up whenever you get the time to. :)