
Author Topic: Problem With Trojan-aax5  (Read 11949 times)


PixelOz (Topic Starter)

    Problem With Trojan-aax5
    « on: August 31, 2010, 12:42:32 PM »
    I'll start with a small summary of what I have been doing to fix this PC:

    I'm cleaning the viruses from this computer, which belongs to a friend of my sister, and I have cleaned several infections completely with tools like Mbam and SuperAntispyware, which I ran twice to be sure that the infections were removed, but I still have a problem with one.

    The computer was in pretty bad shape when it was given to me. It had quite a few viruses (including a couple of downloaders, uffff!) and I couldn't even boot it at first because there was a virus that was causing the computer to restart automatically, so I entered Safe Mode and worked from there until I was able to start it in normal mode after removing most of the viruses from it. I have disabled System Restore and have not turned it on yet.

    After starting in normal mode there were still a few viruses left (one virus that infected a Windows file and was attempting to send a whole bunch of e-mails), and after some more work I was able to remove those viruses too and replace the damaged Windows file (ndis.sys) from outside Windows. I was able to stabilize it and I continued to work from there in normal mode until I removed most of the viruses and malware.

    Most good anti-virus and anti-spyware programs are giving me a zero result in their scans now, and that includes several like Mbam antimalware, SuperAntispyware, ESET NOD32 online scan, BitDefender online scan, etc. The PC was running Norton SystemWorks 2003 and I told her that she should upgrade the antivirus to a newer tool, so I removed Norton and at the moment it is running with Avast Free until further notice, and the Avast scan also came back completely negative.

    The problem that I still have is that I ran the online Spy Sweeper tool from Webroot and it is indicating to me that the PC is infected with trojan-aax5. It says that it found this key in the registry:

    HKU\S-1-5-21-2410742245-3193691662-3526516414\software\Microsoft\active setup\installed components\{28abc5c0-4fcb-11cf-aax5-81cx1c635612}\

    With some previous viruses I had to delete some keys from the registry and some files manually to remove them, and I was successful. As you can see, most antivirus software is giving me zero results, but this key that Spy Sweeper indicated doesn't appear in the registry when I look for it, and I cannot remove this virus from Spy Sweeper because the free version doesn't do that.

    This HKEY_USERS area HKU\S-1-5-21-2410742245-3193691662-3526516414 is not in the registry; what I have is something similar:

    HKU\S-1-5-21-2410742245-3193691662-3526516414-1009, but that value {28abc5c0-4fcb-11cf-aax5-81cx1c635612} is not there.

    Is there something running in memory blocking this key? How can I remove this nasty from the PC? In one place where I read about this trojan it said that it can also block Windows from reporting that there are updates available for Windows, and that it can also block Windows from reporting if the antivirus is out of date. The place said that it can also replace Windows Explorer with a copy.

    This makes me suspect even more that the PC is indeed infected with this nasty, because I used the link in Internet Explorer to go to the Windows Update page to see if there were updates pending and there were 33 pending (about 72 megabytes of download).

    This PC has been connected to the Internet for several days now and I have not seen one single Windows Update message, and the automatic feature is turned on, which is very odd.

    I would appreciate any help with this.

    This is a Hijack This log that I just did with a brand new download of the software:

    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 8:42:38 PM, on 8/30/2010
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\Program Files\Webroot\Security\Current\Framework\WRConsumerService.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\igfxtray.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\WINDOWS\RTHDCPL.EXE
    C:\WINDOWS\system32\igfxsrvc.exe
    C:\Acer\Empowering Technology\eRecovery\eRAgent.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE
    C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
    C:\Program Files\Webroot\Security\Current\Framework\WRTray.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\igfxext.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\DOCUME~1\Gladimir\LOCALS~1\Temp\RtkBtMnt.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Webroot\Security\current\plugins\antimalware\AEI.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Documents and Settings\Gladimir\Desktop\HijackThis.exe
    C:\Program Files\Alwil Software\Avast5\setup\avast.setup

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
    O2 - BHO: facemoods Helper - {64182481-4F71-486b-A045-B233BD0DA8FC} - C:\Program Files\facemoods.com\facemoods\1.3.61.8\facemoods.dll
    O2 - BHO: Windows Live Aplicación auxiliar de inicio de sesión - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.5.5126.1836\swg.dll
    O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O3 - Toolbar: facemoods Toolbar - {DB4E9724-F518-4dfd-9C7C-78B52103CAB9} - C:\Program Files\facemoods.com\facemoods\1.3.61.8\facemoodsTlbr.dll
    O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
    O4 - HKLM\..\Run: [LaunchApp] "Alaunch"
    O4 - HKLM\..\Run: [IgfxTray] "C:\WINDOWS\system32\igfxtray.exe"
    O4 - HKLM\..\Run: [HotKeysCmds] "C:\WINDOWS\system32\hkcmd.exe"
    O4 - HKLM\..\Run: [Persistence] "C:\WINDOWS\system32\igfxpers.exe"
    O4 - HKLM\..\Run: [RTHDCPL] "RTHDCPL.EXE"
    O4 - HKLM\..\Run: [Alcmtr] "ALCMTR.EXE"
    O4 - HKLM\..\Run: [AzMixerSel] "C:\Program Files\Realtek\Audio\InstallShield\AzMixerSel.exe"
    O4 - HKLM\..\Run: [SynTPEnh] "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe"
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [PHIME2002ASync] "C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] "C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" /IMEName
    O4 - HKLM\..\Run: [M3000Mnt] "Rundll32.exe" M3000Rmv.dll ,WinMainRmv /StartStillMnt
    O4 - HKLM\..\Run: [LManager] "C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE"
    O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
    O4 - HKLM\..\Run: [eRecoveryService] "C:\Acer\Empowering Technology\eRecovery\eRAgent.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
    O4 - HKLM\..\Run: [avast5] C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe /nogui
    O4 - HKLM\..\Run: [WebrootTrayApp] "C:\Program Files\Webroot\Security\Current\Framework\WRTray.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKUS\S-1-5-18\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'Default user')
    O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
    O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
    O9 - Extra button: Researcher - {9455301C-CF6B-11D3-A266-00C04F689C50} - C:\Program Files\Common Files\Microsoft Shared\Encarta Researcher\EROPROJ.DLL
    O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
    O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\AURORITA\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
    O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/...can8/oscan8.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1235102563756
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
    O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - http://download.eset.com/special/eos/OnlineScanner.cab
    O16 - DPF: {9191F686-7F0A-441D-8A98-2FE3AC1BD913} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
    O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...077/mcfscan.cab
    O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
    O20 - Winlogon Notify: !SASWinLogon - Invalid registry found
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
    O23 - Service: avast! Mail Scanner - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
    O23 - Service: avast! Web Scanner - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Google Desktop Manager 5.9.1005.12335 (GoogleDesktopManager-051210-111108) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
    O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
    O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. (www.webroot.com) - C:\Program Files\Webroot\Security\current\plugins\antimalware\AEI.exe
    O23 - Service: Webroot Client Service (WRConsumerService) - Webroot Software, Inc. - C:\Program Files\Webroot\Security\Current\Framework\WRConsumerService.exe

    --
    End of file - 10390 bytes

    Any ideas on how to remove this little sucker from my sister's friend's computer?

    PC is Acer Aspire One ZG5 notebook with Atom n270 CPU Processor running Windows XP Home with SP3.
    « Last Edit: August 31, 2010, 01:13:26 PM by PixelOz »
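The post above is looking for an Active Setup key by hand. Active Setup works like this: at logon, for every CLSID under HKLM\...\Active Setup\Installed Components that is missing from the user's own HKCU copy (or has a lower Version there), Windows runs that entry's StubPath and then writes the CLSID into HKCU, which is why malware plants entries there as a per-user persistence point. Two things in the reported path are worth checking before hunting further: a CLSID is 8-4-4-4-12 hexadecimal digits, and the reported name contains "x" characters that are not hex; and keys under HKEY_USERS are full user SIDs ending in a RID (the -1009 the poster did find), so a path ending in ...-3526516414 with no RID is not a key name Windows would create. The script below is an added example, not code from the thread or from Webroot; it assumes PowerShell 2.0 or later on the machine, run from an administrator account. It maps the HKU: drive, lists every Installed Components entry in HKLM and in every loaded user hive, checks whether each StubPath's program actually exists, and reports the reported CLSID if it is present anywhere.

```powershell
# Added example, not code from the thread: enumerate Active Setup "Installed Components"
# in HKLM and in every user hive currently loaded under HKEY_USERS, and mark the entries
# a cleanup should look at first. Assumes PowerShell 2.0 or later, run as administrator.
# $Reported is the key name Spy Sweeper printed, copied from the post above.
$Reported = '{28abc5c0-4fcb-11cf-aax5-81cx1c635612}'

# A CLSID is 8-4-4-4-12 hex digits. The 'x' characters in $Reported are not hex, so the
# string as printed cannot be a key that Windows or an installer wrote in that form.
function Test-ClsidFormat([string]$Clsid) {
    return [bool]($Clsid -match '^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$')
}

# HKU: is not a default PowerShell drive; map it once.
if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}

$Suffix = '\SOFTWARE\Microsoft\Active Setup\Installed Components'
$Roots  = @("HKLM:$Suffix")
# Loaded user hives appear under HKU as full SIDs (machine SID plus user RID, e.g. ...-1009)
# and .DEFAULT. The *_Classes keys hold per-user HKCR data and never carry Active Setup.
foreach ($Hive in Get-ChildItem HKU:\) {
    if ($Hive.PSChildName -notmatch '_Classes$') { $Roots += "HKU:\$($Hive.PSChildName)$Suffix" }
}

$Results = foreach ($Root in $Roots) {
    if (-not (Test-Path -LiteralPath $Root)) { continue }
    foreach ($Key in Get-ChildItem -LiteralPath $Root) {
        $Props  = Get-ItemProperty -LiteralPath $Key.PSPath
        $Stub   = $Props.StubPath
        $Exists = $null
        if ($Stub) {
            # The first token of StubPath is the program; it may be quoted, bare, or a
            # PATH-relative name such as rundll32.exe, so try both a literal path and PATH lookup.
            $Exe = if ($Stub -match '^"([^"]+)"') { $Matches[1] } else { ($Stub -split '\s+')[0] }
            $Exe = [Environment]::ExpandEnvironmentVariables($Exe)
            $Exists = (Test-Path -LiteralPath $Exe) -or [bool](Get-Command $Exe -ErrorAction SilentlyContinue)
        }
        New-Object PSObject -Property @{
            Hive       = $Root.Substring(0, $Root.Length - $Suffix.Length)
            Clsid      = $Key.PSChildName
            ValidClsid = Test-ClsidFormat $Key.PSChildName
            Version    = $Props.Version
            StubPath   = $Stub
            StubExists = $Exists
            IsReported = ($Key.PSChildName -ieq $Reported)
        }
    }
}

# Show the entries worth a second look: the reported name, malformed CLSIDs, and
# StubPaths whose program is missing (a dropper that was deleted but left its key).
$Results | Where-Object { $_.IsReported -or -not $_.ValidClsid -or $_.StubExists -eq $false } |
    Format-Table Hive, Clsid, ValidClsid, StubExists, StubPath -AutoSize
if (-not ($Results | Where-Object { $_.IsReported })) {
    Write-Host "Key $Reported is not present in any loaded hive (well-formed CLSID: $(Test-ClsidFormat $Reported))."
}
```

Only hives of users who are logged on (plus .DEFAULT and the service accounts) are loaded under HKU, so a key belonging to another profile on the machine will not show up until that hive is loaded. The HijackThis log above shows a second profile, AURORITA; with that user logged off, `reg load HKU\TempHive "C:\Documents and Settings\AURORITA\NTUSER.DAT"` from an administrator command prompt mounts it, the script then lists it like any other SID, and `reg unload HKU\TempHive` releases it afterwards. Nothing "running in memory" is needed to explain a key that cannot be found: a scanner that prints a detection name in place of the literal key it matched, or a key sitting in an unloaded hive, both produce exactly this symptom.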

    SuperDave (Malware Removal Specialist, Moderator)
    Re: Problem With Trojan-aax5
    « Reply #1 on: September 01, 2010, 04:45:58 PM »
    Hello and welcome to Computer Hope Forum. My name is Dave. I will be helping you out with your particular problem on your computer. I am working under the guidance of one of the specialists of this forum, so it may take a bit longer to process your logs.

    1. I will be working on your Malware issues. This may or may not solve other issues you have with your machine.
    2. The fixes are specific to your problem and should only be used for this issue on this machine.
    3. If you don't know or understand something, please don't hesitate to ask.
    4. Please DO NOT run any other tools or scans while I am helping you.
    5. It is important that you reply to this thread. Do not start a new topic.
    6. Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
    7. Absence of symptoms does not mean that everything is clear.

    You should never disable your System Restore. A bad restore point is better than none.
    Please uninstall HJT. It's running from the incorrect location.


    Download Security Check by screen317 from one of the following links and save it to your desktop.

    Link 1
    Link 2

    * Unzip SecurityCheck.zip and a folder named Security Check should appear.
    * Open the Security Check folder and double-click Security Check.bat
    * Follow the on-screen instructions inside of the black box.
    * A Notepad document should open automatically called checkup.txt
    * Post the contents of that document in your next reply.

    Note: If a security program requests permission from dig.exe to access the Internet, allow it to do so.
    ***************************************
    Download ComboFix by sUBs from one of the below links. 

    Important! You MUST save ComboFix to your desktop

    link # 1
    Link # 2

    Temporarily disable your Anti-virus and any Antispyware real time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.

    Double click on ComboFix.exe & follow the prompts.

    Vista users Right-Click on ComboFix.exe and select Run as administrator (you will receive a UAC prompt, please allow it)

    Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

    When the scan completes it will open a text window.
     
    Post the contents of that log in your next reply.

    Remember to re-enable your Anti-virus and Antispyware protection when ComboFix is complete.

      PixelOz (Topic Starter)

      Re: Problem With Trojan-aax5
      « Reply #2 on: September 02, 2010, 08:00:25 PM »
      Oh, it was a small mistake in the installation of HJT, but I corrected it. Thanks for the heads up; I'll be more careful next time.

      As for the System Restore, well, I didn't know. I had seen several people recommend disabling it while trying to get some nasties out of their PCs and then restoring it afterwards, but you said it is better just to never turn it off; if that is so, it's OK with me. Anyway, I had re-enabled it and it has created an automatic restore point as usual.

      I will create a manual restore point after I get this virus out of the PC, as I usually do, and I'll name it something like SystemRestoreAfterVirusClean with the date or something like that. I usually do that because it works for me.

      I'll be doing the recommended steps shortly and I'll post the results.

        PixelOz (Topic Starter)

        Re: Problem With Trojan-aax5
        « Reply #3 on: September 03, 2010, 12:07:09 AM »
        Here is the log of the first program. Notice that it indicates that the Acrobat Reader is out of date, and that is because when I tried to update it the installer found a registry key that was blocked; this blocked key is one of several indicated in the ComboFix log, and this prevented the installer from continuing:

        HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS

        I canceled the installation and the installer started to undo the changes, and during that process it mentioned another problem with another locked registry key that is also mentioned in the ComboFix log, as you will see later:

        HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL

        Despite this the Acrobat installer was able to undo its changes and to finish.

        Here is the first program log:

         Results of screen317's Security Check version 0.99.5 
         Windows XP Service Pack 3 
         Internet Explorer 8 
        ``````````````````````````````
        Antivirus/Firewall Check:

         Windows Firewall Enabled! 
         avast! Free Antivirus   
        ```````````````````````````````
        Anti-malware/Other Utilities Check:

         Malwarebytes' Anti-Malware   
         Eusing Free Registry Cleaner 
         Java(TM) 6 Update 21 
         Adobe Flash Player 10.0.45.2 
        Adobe Reader 9
        Out of date Adobe Reader installed!
         Mozilla Firefox (3.6.8)
        ````````````````````````````````
        Process Check: 
        objlist.exe by Laurent

         Webroot Security current plugins\antimalware\AEI.exe
         Alwil Software Avast5 AvastSvc.exe 
         ALWILS~1 Avast5 avastUI.exe 
         Trend Micro HiJackThis HiJackThis.exe 
        ````````````````````````````````
        DNS Vulnerability Check:

         GREAT! (Not vulnerable to DNS cache poisoning)

        ``````````End of Log````````````

        And here is the ComboFix log:

        ComboFix 10-09-01.04 - Gladimir 09/03/2010   1:54.1.2 - x86
        Microsoft Windows XP Home Edition  5.1.2600.3.1252.1.1033.18.1012.461 [GMT -3:00]
        Running from: c:\documents and settings\Gladimir\Desktop\ComboFix.exe
        AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
        AV: Webroot AntiVirus with Spy Sweeper *On-access scanning disabled* (Updated) {77E10C7F-2CCA-4187-9394-BDBC267AD597}
        .

        (((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
        .

        c:\documents and settings\Gladimir\g2mdlhlpx.exe
        c:\documents and settings\NetworkService\Local Settings\Application Data\Bron.tok.A12.em.bin
        c:\documents and settings\NetworkService\Local Settings\Application Data\Kosong.Bron.Tok.txt
        c:\documents and settings\NetworkService\Local Settings\Application Data\ListHost12.txt
        c:\program files\facemoods.com
        c:\program files\facemoods.com\facemoods\1.3.61.8\facemoods.crx
        c:\program files\facemoods.com\facemoods\1.3.61.8\facemoods.dll
        c:\program files\facemoods.com\facemoods\1.3.61.8\facemoods.png
        c:\program files\facemoods.com\facemoods\1.3.61.8\facemoodsEng.dll
        c:\program files\facemoods.com\facemoods\1.3.61.8\facemoodssafe.dll
        c:\program files\facemoods.com\facemoods\1.3.61.8\facemoodsTlbr.dll
        c:\program files\facemoods.com\facemoods\1.3.61.8\uninstall.exe
        c:\program files\Mozilla Firefox\extensions\[email protected]
        c:\program files\Mozilla Firefox\extensions\[email protected]\chrome.manifest
        c:\program files\Mozilla Firefox\extensions\[email protected]\components\FFHst.dll
        c:\program files\Mozilla Firefox\extensions\[email protected]\components\FFHst.xpt
        c:\program files\Mozilla Firefox\extensions\[email protected]\content\facemoods.css
        c:\program files\Mozilla Firefox\extensions\[email protected]\content\facemoods.png
        c:\program files\Mozilla Firefox\extensions\[email protected]\content\facemoods.xul
        c:\program files\Mozilla Firefox\extensions\[email protected]\content\fcmdDef.js
        c:\program files\Mozilla Firefox\extensions\[email protected]\content\images\facemoods.png
        c:\program files\Mozilla Firefox\extensions\[email protected]\content\images\fb.gif
        c:\program files\Mozilla Firefox\extensions\[email protected]\content\images\help_16.gif
        c:\program files\Mozilla Firefox\extensions\[email protected]\content\images\home.gif
        c:\program files\Mozilla Firefox\extensions\[email protected]\content\images\logo.png
        c:\program files\Mozilla Firefox\extensions\[email protected]\content\images\moodsIcon.png
        c:\program files\Mozilla Firefox\extensions\[email protected]\content\images\pref.jpg
        c:\program files\Mozilla Firefox\extensions\[email protected]\content\images\privecy_16_hot.gif
        c:\program files\Mozilla Firefox\extensions\[email protected]\content\images\stripicons.png
        c:\program files\Mozilla Firefox\extensions\[email protected]\content\images\tellafriend.gif
        c:\program files\Mozilla Firefox\extensions\[email protected]\content\images\Thumbs.db
        c:\program files\Mozilla Firefox\extensions\[email protected]\content\images\vssver.scc
        c:\program files\Mozilla Firefox\extensions\[email protected]\content\instlgc.js
        c:\program files\Mozilla Firefox\extensions\[email protected]\content\Loader.js
        c:\program files\Mozilla Firefox\extensions\[email protected]\content\mtrprt.js
        c:\program files\Mozilla Firefox\extensions\[email protected]\content\newTabLgc.js
        c:\program files\Mozilla Firefox\extensions\[email protected]\content\preferences\preferences.js
        c:\program files\Mozilla Firefox\extensions\[email protected]\content\preferences\preferences.xul
        c:\program files\Mozilla Firefox\extensions\[email protected]\content\preferences\vssver.scc
        c:\program files\Mozilla Firefox\extensions\[email protected]\content\prefman.js
        c:\program files\Mozilla Firefox\extensions\[email protected]\content\script-compiler.js
        c:\program files\Mozilla Firefox\extensions\[email protected]\content\Thumbs.db
        c:\program files\Mozilla Firefox\extensions\[email protected]\content\utils.js
        c:\program files\Mozilla Firefox\extensions\[email protected]\content\vssver.scc
        c:\program files\Mozilla Firefox\extensions\[email protected]\content\xmlhttprequester.js
        c:\program files\Mozilla Firefox\extensions\[email protected]\content\xpiInstallLgc.js
        c:\program files\Mozilla Firefox\extensions\[email protected]\defaults\preferences\instlPref.js
        c:\program files\Mozilla Firefox\extensions\[email protected]\defaults\preferences\vssver.scc
        c:\program files\Mozilla Firefox\extensions\[email protected]\install.rdf
        c:\program files\Mozilla Firefox\extensions\[email protected]\vssver.scc
        c:\windows\regedit.com
        c:\windows\system32\taskmgr.com
        c:\windows\system32\Thumbs.db

        .
        (((((((((((((((((((((((((   Files Created from 2010-08-03 to 2010-09-03  )))))))))))))))))))))))))))))))
        .

        2010-09-03 04:30 . 2009-12-19 16:26   57344   ----a-w-   c:\documents and settings\All Users\Application Data\Artweaver\1.0\Updater\Artweaver.exe
        2010-09-03 04:30 . 2009-12-19 16:26   408576   ----a-w-   c:\documents and settings\All Users\Application Data\Artweaver\1.0\Updater\Update.dll
        2010-09-03 04:28 . 2010-09-03 04:28   --------   d-----w-   c:\documents and settings\Gladimir\Application Data\Artweaver
        2010-09-03 04:28 . 2010-09-03 04:28   --------   d-----w-   c:\documents and settings\All Users\Application Data\Artweaver
        2010-09-03 04:28 . 2010-09-03 04:28   --------   d-----w-   c:\program files\Artweaver 1.0
        2010-09-03 02:48 . 2010-09-03 02:48   --------   d-----w-   c:\program files\Common Files\Java
        2010-09-03 02:03 . 2010-09-03 02:03   388096   ----a-r-   c:\documents and settings\Gladimir\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
        2010-09-03 02:02 . 2010-09-03 02:02   --------   d-----w-   c:\program files\Trend Micro
        2010-09-02 00:56 . 2010-09-02 00:56   --------   d---a-w-   c:\windows\rundll16.exe
        2010-09-02 00:56 . 2010-09-02 00:56   --------   d---a-w-   c:\windows\logo1_.exe
        2010-09-01 22:45 . 2010-09-03 03:18   --------   d-----w-   c:\documents and settings\Gladimir\Local Settings\Application Data\Adobe
        2010-09-01 20:47 . 2010-09-01 20:47   --------   d-----w-   c:\documents and settings\Gladimir\Application Data\Malwarebytes
        2010-09-01 17:42 . 2010-09-01 17:42   692224   ---ha-w-   C:\SZKGFS.dat
        2010-09-01 17:37 . 2010-09-01 17:37   --------   d-----w-   c:\documents and settings\All Users\Application Data\SITEguard
        2010-09-01 17:35 . 2010-09-01 17:35   --------   d-----w-   c:\program files\Common Files\iS3
        2010-09-01 17:35 . 2010-09-03 01:50   --------   d-----w-   c:\documents and settings\All Users\Application Data\STOPzilla!
        2010-09-01 00:43 . 2010-09-01 00:52   --------   d-----w-   c:\program files\Eusing Free Registry Cleaner
        2010-08-31 19:24 . 2010-08-31 19:26   5392374   ----a-w-   c:\windows\REGBK00.ZIP
        2010-08-31 19:15 . 2010-08-31 19:15   --------   d---a-w-   c:\windows\VDLL.DLL
        2010-08-31 19:15 . 2010-08-31 19:15   --------   d---a-w-   c:\windows\system32\runouce.exe
        2010-08-31 19:15 . 2010-08-31 19:15   --------   d---a-w-   c:\windows\RUNDL132.EXE
        2010-08-31 19:15 . 2010-08-31 19:15   --------   d---a-w-   c:\windows\logo_1.exe
        2010-08-31 19:10 . 2010-08-31 19:10   632064   ----a-w-   c:\windows\system32\msvcr80.dll
        2010-08-31 19:10 . 2010-08-31 19:10   554240   ----a-w-   c:\windows\system32\msvcp80.dll
        2010-08-31 19:10 . 2010-08-31 19:10   34048   ----a-w-   c:\windows\system32\eEmpty.exe
        2010-08-31 19:10 . 2008-04-15 03:00   135680   ----a-w-   c:\windows\system32\T.COM
        2010-08-31 19:10 . 2008-04-15 03:00   146432   ----a-w-   c:\windows\R.COM
        2010-08-31 19:10 . 2010-08-31 19:10   --------   d-----w-   c:\program files\Common Files\MicroWorld
        2010-08-31 19:09 . 2010-08-31 19:10   --------   d-----w-   c:\documents and settings\All Users\Application Data\MicroWorld
        2010-08-31 18:59 . 2010-08-31 19:05   --------   d-----w-   c:\documents and settings\Gladimir\Application Data\Download Manager
        2010-08-31 05:26 . 2010-08-31 05:32   --------   d-----w-   c:\program files\Windows Live Safety Center
        2010-08-30 23:53 . 2010-06-24 12:21   743424   -c----w-   c:\windows\system32\dllcache\iedvtool.dll
        2010-08-30 22:18 . 2010-06-17 17:49   24496   ----a-w-   c:\windows\system32\drivers\sshrmd.sys
        2010-08-30 22:18 . 2010-06-17 17:49   182056   ----a-w-   c:\windows\system32\drivers\ssidrv.sys
        2010-08-30 22:18 . 2010-06-17 17:49   45072   ----a-w-   c:\windows\system32\drivers\ssfmonm.sys
        2010-08-30 22:12 . 2010-08-16 18:20   3199328   -c--a-w-   c:\documents and settings\All Users\Application Data\{966933BB-610A-4824-8F02-D3D944597816}\WRInstall.exe
        2010-08-30 22:12 . 2010-08-30 22:12   --------   d-----w-   c:\program files\Webroot
        2010-08-30 22:11 . 2010-08-30 22:12   --------   dc-h--w-   c:\documents and settings\All Users\Application Data\{966933BB-610A-4824-8F02-D3D944597816}
        2010-08-30 22:10 . 2010-08-16 18:07   121856   -c--a-w-   c:\documents and settings\All Users\Application Data\{966933BB-610A-4824-8F02-D3D944597816}\OFFLINE\EA369C90\DE0A17F3\xmllite.dll
        2010-08-30 22:10 . 2010-08-16 18:18   385928   -c--a-w-   c:\documents and settings\All Users\Application Data\{966933BB-610A-4824-8F02-D3D944597816}\OFFLINE\54E229FA\DE0A17F3\WRInstallProgressHelper.dll
        2010-08-30 22:10 . 2010-08-16 18:18   433072   -c--a-w-   c:\documents and settings\All Users\Application Data\{966933BB-610A-4824-8F02-D3D944597816}\OFFLINE\FA6F4296\DE0A17F3\WRSvcAssist.exe
        2010-08-30 22:10 . 2010-08-16 18:17   1266336   -c--a-w-   c:\documents and settings\All Users\Application Data\{966933BB-610A-4824-8F02-D3D944597816}\OFFLINE\B2785152\DE0A17F3\WRTray.exe
        2010-08-30 22:10 . 2010-08-16 18:15   50984   -c--a-w-   c:\documents and settings\All Users\Application Data\{966933BB-610A-4824-8F02-D3D944597816}\OFFLINE\C3BEFA\DE0A17F3\WRConsumerServicePS.dll
        2010-08-30 22:10 . 2009-07-02 01:51   101888   -c--a-w-   c:\documents and settings\All Users\Application Data\{966933BB-610A-4824-8F02-D3D944597816}\OFFLINE\mIDEFunc.dll\mEXEFunc.dll
        2010-08-30 22:10 . 2010-08-16 18:13   3035616   -c--a-w-   c:\documents and settings\All Users\Application Data\{966933BB-610A-4824-8F02-D3D944597816}\OFFLINE\E3131F5C\DE0A17F3\WRConsumerService.exe
        2010-08-30 20:31 . 2010-08-30 20:31   --------   d-----w-   c:\documents and settings\All Users\Application Data\F-Secure
        2010-08-30 05:16 . 2010-09-02 18:01   --------   d-----w-   c:\documents and settings\All Users\Application Data\Webroot
        2010-08-30 05:13 . 2010-08-30 05:13   --------   d-----w-   c:\documents and settings\Gladimir\Local Settings\Application Data\PackageAware
        2010-08-30 05:00 . 2010-06-28 20:37   165456   ----a-w-   c:\windows\system32\drivers\aswSP.sys
        2010-08-30 05:00 . 2010-06-28 20:32   17744   ----a-w-   c:\windows\system32\drivers\aswFsBlk.sys
        2010-08-30 05:00 . 2010-06-28 20:33   23376   ----a-w-   c:\windows\system32\drivers\aswRdr.sys
        2010-08-30 05:00 . 2010-06-28 20:37   46672   ----a-w-   c:\windows\system32\drivers\aswTdi.sys
        2010-08-30 05:00 . 2010-06-28 20:32   100176   ----a-w-   c:\windows\system32\drivers\aswmon2.sys
        2010-08-30 05:00 . 2010-06-28 20:32   94544   ----a-w-   c:\windows\system32\drivers\aswmon.sys
        2010-08-30 05:00 . 2010-06-28 20:32   28880   ----a-w-   c:\windows\system32\drivers\aavmker4.sys
        2010-08-30 04:59 . 2010-06-28 20:57   38848   ----a-w-   c:\windows\avastSS.scr
        2010-08-30 04:59 . 2010-06-28 20:57   165032   ----a-w-   c:\windows\system32\aswBoot.exe
        2010-08-30 04:58 . 2010-08-30 04:58   --------   d-----w-   c:\program files\Alwil Software
        2010-08-30 04:58 . 2010-08-30 04:58   --------   d-----w-   c:\documents and settings\All Users\Application Data\Alwil Software
        2010-08-29 05:02 . 2010-08-29 05:02   95024   ----a-w-   c:\windows\system32\drivers\SBREDrv.sys
        2010-08-28 19:02 . 2010-08-30 23:30   --------   d-----w-   c:\documents and settings\All Users\Application Data\Lavasoft
        2010-08-28 07:28 . 2010-08-28 18:23   --------   d-----w-   c:\documents and settings\Gladimir\DoctorWeb
        2010-08-27 21:36 . 2010-08-27 21:36   --------   d-----w-   c:\documents and settings\Gladimir\Local Settings\Application Data\Mozilla
        2010-08-27 21:34 . 2010-08-27 21:34   --------   d-sh--w-   c:\documents and settings\Gladimir\PrivacIE
        2010-08-27 21:33 . 2010-08-27 21:33   --------   d-sh--w-   c:\documents and settings\Gladimir\IECompatCache
        2010-08-27 19:44 . 2010-08-27 19:44   503808   ----a-w-   c:\documents and settings\Gladimir\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-3ba235c4-n\msvcp71.dll
        2010-08-27 19:44 . 2010-08-27 19:44   499712   ----a-w-   c:\documents and settings\Gladimir\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-3ba235c4-n\jmc.dll
        2010-08-27 19:44 . 2010-08-27 19:44   61440   ----a-w-   c:\documents and settings\Gladimir\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-43c9410f-n\decora-sse.dll
        2010-08-27 19:44 . 2010-08-27 19:44   348160   ----a-w-   c:\documents and settings\Gladimir\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-3ba235c4-n\msvcr71.dll
        2010-08-27 19:44 . 2010-08-27 19:44   12800   ----a-w-   c:\documents and settings\Gladimir\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-43c9410f-n\decora-d3d.dll
        2010-08-27 19:36 . 2010-08-27 19:44   --------   d-----w-   c:\documents and settings\Gladimir\Local Settings\Application Data\Google
        2010-08-27 19:36 . 2010-08-27 19:38   65720   ----a-w-   c:\documents and settings\Gladimir\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
        2010-08-27 19:35 . 2010-08-27 19:35   --------   d-sh--w-   c:\documents and settings\Gladimir\IETldCache
        2010-08-25 05:16 . 2008-04-14 00:50   182656   ------w-   c:\windows\system32\dllcache\ndis.sys
        2010-08-25 05:15 . 2008-04-14 00:50   182656   ------w-   c:\windows\system32\drivers\ndis.sys
        2010-08-22 00:28 . 2001-08-17 20:48   12160   -c--a-w-   c:\windows\system32\dllcache\mouhid.sys
        2010-08-22 00:28 . 2001-08-17 20:48   12160   ----a-w-   c:\windows\system32\drivers\mouhid.sys
        2010-08-22 00:28 . 2008-04-15 03:00   10368   -c--a-w-   c:\windows\system32\dllcache\hidusb.sys
        2010-08-22 00:28 . 2008-04-15 03:00   10368   ----a-w-   c:\windows\system32\drivers\hidusb.sys
        2010-08-21 13:44 . 2010-08-21 13:44   --------   d-sh--w-   c:\windows\system32\config\systemprofile\IETldCache
        2010-08-21 13:43 . 2010-08-21 13:43   --------   d-sh--w-   c:\windows\system32\config\systemprofile\PrivacIE
        2010-08-21 13:36 . 2010-09-01 05:24   --------   d-----w-   c:\program files\Microsoft Silverlight
        2010-08-21 10:35 . 2010-08-21 10:35   --------   d-----w-   c:\program files\Common Files\Adobe AIR
        2010-08-19 23:27 . 2010-08-20 04:34   --------   d---a-w-   c:\documents and settings\All Users\Application Data\TEMP
        2010-08-19 19:52 . 2010-08-19 20:07   164   ----a-w-   c:\windows\install.dat
        2010-08-19 16:44 . 2010-08-20 04:49   --------   d-----w-   c:\program files\Spybot - Search & Destroy
        2010-08-19 16:44 . 2010-08-20 04:49   --------   d-----w-   c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
        2010-08-18 00:30 . 2009-06-30 16:37   28552   ----a-w-   c:\windows\system32\drivers\pavboot.sys
        2010-08-18 00:30 . 2010-08-18 00:30   --------   d-----w-   c:\program files\Panda Security
        2010-08-17 18:45 . 2010-08-17 18:45   --------   d-----w-   c:\windows\McAfee.com
        2010-08-17 13:09 . 2010-08-17 13:31   --------   d-----w-   c:\windows\BDOSCAN8
        2010-08-17 05:30 . 2010-04-29 22:39   38224   ----a-w-   c:\windows\system32\drivers\mbamswissarmy.sys
        2010-08-17 05:30 . 2010-08-17 05:30   --------   d-----w-   c:\program files\Malwarebytes' Anti-Malware
        2010-08-17 05:30 . 2010-08-17 05:30   --------   d-----w-   c:\documents and settings\All Users\Application Data\Malwarebytes
        2010-08-17 05:30 . 2010-04-29 22:39   20952   ----a-w-   c:\windows\system32\drivers\mbam.sys
        2010-08-17 00:46 . 2010-08-17 00:46   --------   d-----w-   c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
        2010-08-17 00:46 . 2010-08-17 00:47   --------   d-----w-   c:\program files\SUPERAntiSpyware
        2010-08-17 00:12 . 2010-08-17 00:12   90112   ----a-w-   c:\windows\system32\YmsgCrypt.dll
        2010-08-17 00:12 . 2010-08-17 00:12   139264   ----a-w-   c:\windows\system32\DartCertificate.dll
        2010-08-17 00:12 . 2010-08-17 00:12   147456   ----a-w-   c:\windows\system32\DartSecure2.dll
        2010-08-17 00:11 . 2010-08-17 00:12   212992   ----a-w-   c:\windows\system32\DartSock.dll
        2010-08-16 23:59 . 2010-08-16 23:59   --------   d-sh--w-   c:\documents and settings\LocalService\IETldCache
        2010-08-09 00:14 . 2010-08-12 01:34   --------   d-----w-   c:\documents and settings\NetworkService\Local Settings\Application Data\Loc.Mail.Bron.Tok
        2010-08-09 00:13 . 2010-08-09 00:13   --------   d-----w-   c:\documents and settings\NetworkService\Local Settings\Application Data\Ok-SendMail-Bron-tok
        2010-08-09 00:08 . 2008-04-15 03:00   221184   ----a-w-   c:\windows\system32\wmpns.dll

        .
        ((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
        .
        2010-09-03 04:18 . 2008-08-15 18:03   --------   d-----w-   c:\program files\Common Files\Adobe
        2010-09-03 02:47 . 2010-07-10 23:13   --------   d-----w-   c:\program files\Java
        2010-09-02 17:48 . 2010-09-02 17:48   344   ----a-w-   c:\windows\system32\drivers\kgpcpy.cfg
        2010-09-01 02:21 . 2008-08-15 18:22   --------   d-----w-   c:\documents and settings\All Users\Application Data\Microsoft Help
        2010-08-30 23:25 . 2010-03-11 04:44   --------   d-----w-   c:\program files\Common Files\Symantec Shared
        2010-08-29 02:34 . 2010-03-11 04:45   --------   d-----w-   c:\program files\Norton SystemWorks
        2010-08-29 01:53 . 2010-03-11 04:45   --------   d-----w-   c:\program files\Symantec
        2010-08-29 01:53 . 2010-03-11 04:45   --------   d-----w-   c:\documents and settings\All Users\Application Data\Symantec
        2010-08-21 10:23 . 2010-08-27 19:33   38784   ----a-w-   c:\documents and settings\Gladimir\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
        2010-08-19 22:32 . 2010-05-27 08:54   1324   ----a-w-   c:\windows\system32\d3d9caps.dat
        2010-08-19 21:37 . 2010-03-10 23:13   --------   d-----w-   c:\program files\Windows Media Connect 2
        2010-07-17 08:00 . 2010-07-10 23:14   423656   ----a-w-   c:\windows\system32\deployJava1.dll
        2010-07-06 21:13 . 2010-05-22 17:21   --------   d-----w-   c:\documents and settings\All Users\Application Data\Apple Computer
        2010-07-06 21:13 . 2010-05-22 17:19   --------   d-----w-   c:\program files\Common Files\Apple
        2010-07-05 19:46 . 2010-03-01 01:16   --------   d-----w-   c:\program files\PhotoScape
        2010-06-30 12:31 . 2008-04-15 03:00   149504   ----a-w-   c:\windows\system32\schannel.dll
        2010-06-24 12:22 . 2007-08-14 01:54   916480   ----a-w-   c:\windows\system32\wininet.dll
        2010-06-23 13:44 . 2008-04-15 03:00   1851904   ----a-w-   c:\windows\system32\win32k.sys
        2010-06-21 15:27 . 2008-04-15 03:00   354304   ----a-w-   c:\windows\system32\drivers\srv.sys
        2010-06-17 14:03 . 2008-04-15 03:00   80384   ----a-w-   c:\windows\system32\iccvid.dll
        2010-06-14 14:31 . 2008-04-15 03:00   744448   ----a-w-   c:\windows\pchealth\helpctr\binaries\helpsvc.exe
        2010-06-14 07:41 . 2008-04-15 03:00   1172480   ----a-w-   c:\windows\system32\msxml3.dll
        2010-08-27 19:44 . 2010-08-27 19:44   119808   ----a-w-   c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
        .

        (((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
        .
        .
        *Note* empty entries & legit default entries are not shown
        REGEDIT4

        [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
        "LaunchApp"="Alaunch" [X]
        "IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-28 141848]
        "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-28 166424]
        "Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-28 137752]
        "RTHDCPL"="RTHDCPL.EXE" [2008-05-16 16862720]
        "AzMixerSel"="c:\program files\Realtek\Audio\InstallShield\AzMixerSel.exe" [2006-07-17 53248]
        "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-04-25 1044480]
        "IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2008-04-15 208952]
        "LManager"="c:\progra~1\LAUNCH~1\QtZgAcer.EXE" [2008-05-14 821768]
        "eRecoveryService"="c:\acer\Empowering Technology\eRecovery\eRAgent.exe" [2008-05-22 425984]
        "avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-06-28 2837864]
        "WebrootTrayApp"="c:\program files\Webroot\Security\Current\Framework\WRTray.exe" [2010-08-16 1266336]
        "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
        "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]

        c:\documents and settings\All Users\Start Menu\Programs\Startup\
        InterVideo WinCinema Manager.lnk - c:\program files\InterVideo\Common\Bin\WinCinemaMgr.exe [2008-6-4 114688]

        [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WebrootSpySweeperService]
        @=""

        [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WRConsumerService]
        @="Service"

        [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
        "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
        "%windir%\\system32\\sessmgr.exe"=
        "c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
        "c:\\Program Files\\Messenger\\msmsgs.exe"=
        "c:\\Program Files\\Ontrack\\PowerDesk\\PDExplo.exe"=
        "c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
        "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
        "c:\\Program Files\\Ontrack\\PowerDesk\\PDWIZARD.EXE"=
        "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

        [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
        "AllowRedirect"= 1 (0x1)

        R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [8/17/2010 9:30 PM 28552]
        R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [8/30/2010 2:00 AM 165456]
        R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 3:25 PM 12872]
        R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 3:41 PM 67656]
        R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [8/30/2010 2:00 AM 17744]
        R2 SSFMONM;Spy Sweeper File System Filter Driver;c:\windows\system32\drivers\ssfmonm.sys [8/30/2010 7:18 PM 45072]
        R2 WRConsumerService;Webroot Client Service;c:\program files\Webroot\Security\Current\Framework\WRConsumerService.exe [8/16/2010 3:13 PM 3035616]
        R3 M3000Srv;Acer Crystal Eye webcam Driver;c:\windows\system32\drivers\M3000KNT.sys [5/5/2008 1:01 PM 254976]
        S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/16/2010 2:26 PM 135664]
        S3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [2/20/2009 3:30 PM 30192]
        S3 JMCR;JMCR;c:\windows\system32\drivers\jmcr.sys [2/20/2009 3:34 PM 96856]
        .
        Contents of the 'Scheduled Tasks' folder

        2010-08-26 c:\windows\Tasks\AppleSoftwareUpdate.job
        - c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 18:50]

        2010-09-02 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
        - c:\program files\Google\Update\GoogleUpdate.exe [2010-02-16 17:26]

        2010-09-03 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
        - c:\program files\Google\Update\GoogleUpdate.exe [2010-02-16 17:26]

        2010-09-03 c:\windows\Tasks\User_Feed_Synchronization-{479C7E99-7F92-404A-A968-D4AB250DDB21}.job
        - c:\windows\system32\msfeedssync.exe [2007-08-14 12:31]
        .
        .
        ------- Supplementary Scan -------
        .
        uStart Page = hxxp://www.google.com/
        uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s
        IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
        IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
        FF - ProfilePath - c:\documents and settings\Gladimir\Application Data\Mozilla\Firefox\Profiles\fedsd5fu.default\
        FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
        FF - prefs.js: keyword.URL - hxxp://start.facemoods.com/results.php?f=5&a=wbst&q=
        FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
        FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
        FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

        ---- FIREFOX POLICIES ----
        c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
        c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
        c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
        .
        - - - - ORPHANS REMOVED - - - -

        BHO-{64182481-4F71-486b-A045-B233BD0DA8FC} - c:\program files\facemoods.com\facemoods\1.3.61.8\facemoods.dll
        Toolbar-Locked - (no file)
        Toolbar-{DB4E9724-F518-4dfd-9C7C-78B52103CAB9} - c:\program files\facemoods.com\facemoods\1.3.61.8\facemoodsTlbr.dll
        ShellExecuteHooks-{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - (no file)
        AddRemove-facemoods - c:\program files\facemoods.com\facemoods\1.3.61.8\uninstall.exe



        **************************************************************************

        catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
        Rootkit scan 2010-09-03 02:19
        Windows 5.1.2600 Service Pack 3 NTFS

        scanning hidden processes ... 

        scanning hidden autostart entries ...

        scanning hidden files ... 

        scan completed successfully
        hidden files: 0

        **************************************************************************
        .
        --------------------- LOCKED REGISTRY KEYS ---------------------

        [HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
        @DACL=(02 0000)
        "Installed"="1"
        @=""

        [HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
        @DACL=(02 0000)
        "NoChange"="1"
        "Installed"="1"
        @=""

        [HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
        @DACL=(02 0000)
        "Installed"="1"
        @=""

        [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{7B849a69-220F-451E-B3FE-2CB811AF94AE}]
        @DACL=(02 0000)
        @="Internet Explorer User Accelerators"
        "DisplayName"="@c:\\WINDOWS\\system32\\iedkcs32.dll.mui,-3051"
        "DllName"="c:\\WINDOWS\\system32\\iedkcs32.dll"
        "NoGPOListChanges"=dword:00000001
        "ProcessGroupPolicy"="ProcessGroupPolicyForActivities"
        "ProcessGroupPolicyEx"="ProcessGroupPolicyForActivitiesEx"
        "RequiresSuccessfulRegistry"=dword:00000001

        [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{CF7639F3-ABA2-41DB-97F2-81E2C5DBFC5D}]
        @DACL=(02 0000)
        @="Internet Explorer Machine Accelerators"
        "DisplayName"="@c:\\WINDOWS\\system32\\iedkcs32.dll.mui,-3051"
        "DllName"="c:\\WINDOWS\\system32\\iedkcs32.dll"
        "NoGPOListChanges"=dword:00000001
        "ProcessGroupPolicy"="ProcessGroupPolicyForActivities"
        "ProcessGroupPolicyEx"="ProcessGroupPolicyForActivitiesEx"
        "RequiresSuccessfulRegistry"=dword:00000001

        [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\!SASWinLogon]
        @DACL=(02 0000)
        "DllName"="c:\\Program Files\\SUPERAntiSpyware\\SASWINLO.DLL"
        "Logon"="SABWINLOLogon"
        "Logoff"="SABWINLOLogoff"
        "Startup"="SABWINLOStartup"
        "Shutdown"="SABWINLOShutdown"
        "Asynchronous"=dword:00000000
        "Impersonate"=dword:00000000

        [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
        @DACL=(02 0000)
        @SACL=
        @=""
        "DLLName"="igfxdev.dll"
        "Asynchronous"=dword:00000001
        "Impersonate"=dword:00000001
        "Unlock"="WinlogonUnlockEvent"
        .
        --------------------- DLLs Loaded Under Running Processes ---------------------

        - - - - - - - > 'explorer.exe'(2064)
        c:\windows\system32\WININET.dll
        c:\windows\system32\ieframe.dll
        c:\windows\system32\webcheck.dll
        c:\windows\system32\WPDShServiceObj.dll
        c:\windows\system32\PortableDeviceTypes.dll
        c:\windows\system32\PortableDeviceApi.dll
        .
        ------------------------ Other Running Processes ------------------------
        .
        c:\program files\Alwil Software\Avast5\AvastSvc.exe
        c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
        c:\program files\Bonjour\mDNSResponder.exe
        c:\program files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
        c:\program files\Java\jre6\bin\jqs.exe
        c:\program files\Webroot\Security\current\plugins\antimalware\AEI.exe
        c:\windows\system32\igfxsrvc.exe
        c:\windows\RTHDCPL.EXE
        c:\docume~1\Gladimir\LOCALS~1\Temp\RtkBtMnt.exe
        c:\windows\system32\igfxext.exe
        .
        **************************************************************************
        .
        Completion time: 2010-09-03  02:28:38 - machine was rebooted
        ComboFix-quarantined-files.txt  2010-09-03 05:28

        Pre-Run: 135,969,505,280 bytes free
        Post-Run: 136,327,921,664 bytes free

        WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
        [boot loader]
        timeout=2
        default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
        [operating systems]
        c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
        UnsupportedDebug="do not select this" /debug
        multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

        - - End Of File - - 8061CF69B3ECA7C8A1DBCCE9BFB07AE5


        I don't know if this is related but I will mention it. When I was running one of the antispyware programs (I don't remember which one it was) it found a virus file that it said was a PDFexploit something.

        I removed this and further scans did not reveal this particular virus anymore. I'm mentioning this to you cause I don't know if this particular virus could have blocked those keys that prevent Acrobat Reader from updating or if this is something else altogether.

        It is not the first time that I ran across this blocked-registry-keys issue. Another computer that I handled once was very severely infected; I was able to remove all viruses but one, which was also blocking a couple of registry keys. With help from somebody on a forum similar to this one, by running a ComboFix script that he gave me, the virus was removed and the keys were freed; I was able to delete them and the virus never came back. I guess that we could have a similar problem here.

        Also I noticed that ComboFix removed all the parts of a program called Facemoods. I suspected this program, as I suspect many addons and toolbars that you add to browsers. I personally don't like any kind of toolbars in my PCs and I don't install any cause they are mostly useless and a waste of browser window space, without counting the problems that they sometimes create.

        I had looked into the program on the web and I didn't find much of a reference that indicated to me that it was a bad program, and most antivirus programs don't say it is a bad program, but if ComboFix removed it that is fine with me.

        I don't like that smiley stuff in computers and I don't recommend them at all, cause in my experience toolbars and smileys give a lot of problems, so I don't install any unless they are separate graphic files such as .gif files without any installer of any kind, cause those smiley packages with installers are usually troublesome.

        I know how bad those smileys from Smileys Central are, for example, but too many people install garbage like that and stuff like MyWebSearch in their PCs, making just a mess.

        Well anyway I put this here so if other people read this thread they learn more and become more careful with the stuff they put on their computers.

        Oh, I also want to mention that before all of this I had gone into the Control Panel and had changed the Windows Automatic Updates to notify me but download only with my permission. I do this in my computers to have the bandwidth under my control, but I always apply the updates very quickly when they are available; I'm always very responsible with this. For most other people I recommend that they leave this in automatic, especially if they don't know much about PCs.

        When I'm done working with this PC I will change it back to fully automatic cause it is better for people that do not know too much about PCs, like the owner of this mini laptop.

        After doing that it seems to have reset the Windows Update issue and I downloaded and updated Windows after the yellow shield appeared in the system tray. The computer asked for a restart and the yellow shield appeared a couple more times with additional updates, and after a couple of restarts Windows was done with all the updates, so so far it seems to be working again as it should.

        Keep in mind that this was after removing most viruses from the PC, and there were plenty. I will keep an eye on this and also on my PCs to see if further update notices from Microsoft on my XP machines are reflected in this PC too, as they should, cause I also have a PC with XP Home in my house.

        I also noticed that ComboFix detected the absence of the Recovery Console and it seems to have corrected this successfully. I will mention also that the sfc /scannow feature was not working when I started to fix this PC, cause I tested that, but after fixing many things and removing many viruses it has started to work again. I just can't use it normally as I do with other PCs cause this Acer laptop doesn't have a CD-ROM. This was all before starting these procedures from you.

        I just wanted to give you as much info as possible to try to help you with this.

        Anyway let's continue with the process. There you have the results so far.
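The "Files Created" block of the ComboFix log above follows a fixed line layout (two timestamps, a size or a run of dashes, an 8-letter attribute string, then the path). The script below is an added example for this thread, not ComboFix's own code or anything the helper asked for: it parses those lines into records and applies two location heuristics a reviewer would apply by eye (an executable created directly in the Windows root, or inside any Temp folder). The sample lines are copied from the log above except `unknown.exe`, which is a constructed entry; the heuristics are constructed for the example, and of the attribute letters only the leading `d` (directory) is interpreted.

```python
"""Parse the "Files Created" section of a ComboFix log and triage the entries.

Added example for this thread; not ComboFix's own code. Only the line layout
visible in the posted log is assumed. Of the attribute letters only the
leading "d" (directory) is interpreted; the others are not assumed here.
"""
import re
from typing import Dict, List, Optional, Tuple

LINE_RE = re.compile(
    r"^\s*(?P<first>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<second>\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+"
    r"(?P<size>\d+|-+)\s+"
    r"(?P<attrs>[-a-z]{8})\s+"
    r"(?P<path>\S.*?)\s*$"
)

# File types worth a second look when they turn up in unusual places.
EXEC_EXT = (".exe", ".dll", ".sys", ".com", ".scr", ".pif")

# Constructed sample: four lines copied from the log in this thread plus one
# made-up entry (unknown.exe in a Temp folder) to exercise the Temp heuristic.
SAMPLE_LOG = r"""
2010-08-30 22:12 . 2010-08-30 22:12   --------   d-----w-   c:\program files\Webroot
2010-08-30 05:00 . 2010-06-28 20:37   165456   ----a-w-   c:\windows\system32\drivers\aswSP.sys
2010-08-30 04:59 . 2010-06-28 20:57   38848   ----a-w-   c:\windows\avastSS.scr
2010-08-19 19:52 . 2010-08-19 20:07   164   ----a-w-   c:\windows\install.dat
2010-08-31 01:02 . 2010-08-31 01:02   24576   ----a-w-   c:\documents and settings\Gladimir\Local Settings\Temp\unknown.exe
"""


def parse_line(line: str) -> Optional[Dict]:
    """Return a record for one 'Files Created' line, or None for any other line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    size = m.group("size")
    return {
        "first": m.group("first"),        # first timestamp column, as printed
        "second": m.group("second"),      # second timestamp column, as printed
        "size": None if size.startswith("-") else int(size),
        "attrs": m.group("attrs"),
        "is_dir": m.group("attrs")[0] == "d",
        "path": m.group("path").lower(),  # case-folded: NTFS paths are case-insensitive
    }


def parse_log(text: str) -> List[Dict]:
    """Parse every matching line; headers, dots and blank lines are skipped."""
    return [rec for rec in (parse_line(line) for line in text.splitlines()) if rec]


def triage(entries: List[Dict]) -> List[Tuple[str, str]]:
    """Location heuristics (constructed for this example): an executable created
    directly in the Windows root or under any Temp folder is returned with the
    reason. A hit is a prompt to look at the file, not a verdict on it."""
    flagged = []
    for e in entries:
        if e["is_dir"] or not e["path"].endswith(EXEC_EXT):
            continue
        parent = e["path"].split("\\")[:-1]
        if parent == ["c:", "windows"]:
            flagged.append((e["path"], "executable directly in the Windows root"))
        elif "temp" in parent:
            flagged.append((e["path"], "executable inside a Temp folder"))
    return flagged


if __name__ == "__main__":
    for path, reason in triage(parse_log(SAMPLE_LOG)):
        print(f"{reason}: {path}")
```

Run against the sample, it flags `c:\windows\avastss.scr` and the constructed Temp entry while passing over the driver in `system32\drivers` and the `.dat` file. The avast screensaver is a legitimate hit, which is the point of a triage list: it narrows what a reviewer checks (publisher, hash, when it appeared relative to the incident) rather than deciding for them.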


        PixelOz

          Topic Starter


          Rookie

          Re: Problem With Trojan-aax5
          « Reply #4 on: September 03, 2010, 12:21:29 AM »
          I also want to tell you that I don't run any antivirus or antispyware software without checking its background carefully like several reviews in places like PCMagazine online and other info in many web sites and also checking them against lists of rogue antispyware programs.

          Over the years I have learned which ones are good and can be trusted overall.

          Anyway I won't run anything while we are doing this. I'm following your directions by the book.

          SuperDave

          • Malware Removal Specialist
          • Moderator


          • Genius
          • Thanked: 1020
          • Certifications: List
          • Experience: Expert
          • OS: Windows 10
          Re: Problem With Trojan-aax5
          « Reply #5 on: September 03, 2010, 03:46:00 PM »
          We will clear your Restore points when I'm satisfied that the computer is clean just in case something is hiding there. Please be very careful when in the Registry that you don't change anything.

          Registry cleaners (Eusing Free Registry Cleaner) are extremely powerful applications and their potential for harming your OS far outweighs any small potential for improving your computer's performance.

          There are a number of them available and some are more safe than others. Keep in mind that no two registry cleaners work entirely the same way. Each vendor uses different criteria as to what constitutes a "bad" entry. One cleaner may find entries on your system that will not cause a problem when removed, another may not find the same entries, and still another may want to remove entries required for a program to work. Without research into what the registry entry selected for deletion is, a registry cleaner can end up being an automated method to cause problems with the registry.

          For routine use by those not familiar with the registry, the benefits to your computer are negligible while the potential risks are great.

          Further reading: XP Fixes Myth #1: Registry Cleaners
          ***************************************
          Please go to Jotti's malware scan
          (If more than one file needs to be scanned, they must be done separately and links posted for each one)

          * Copy the file path in the below Code box:

          Code:
          c:\windows\REGBK00.ZIP
          c:\windows\system32\eEmpty.exe

          * At the upload site, click once inside the window next to Browse.
          * Press Ctrl+V on the keyboard (both at the same time) to paste the file path into the window.
          * Next click Submit file
          * Your file will possibly be entered into a queue which normally takes less than a minute to clear.
          * This will perform a scan across multiple different virus scanning engines.
          * Important: Wait for all of the scanning engines to complete.
          * Once the scan is finished, Copy and then Paste the link in the address bar into your next reply.
          **********************************
          Re-running ComboFix to remove infections:

          • Close any open browsers.
          • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
          • Open notepad and copy/paste the text in the quotebox below into it:
            Quote
            KillAll::

            File::
            c:\windows\logo1_.exe
            c:\windows\system32\runouce.exe
            c:\windows\RUNDL132.EXE
            c:\windows\logo_1.exe
            c:\windows\VDLL.DLL
            c:\windows\system32\T.COM
            c:\windows\R.COM
            Folder::
            c:\windows\system32\T.COM
            c:\windows\R.COM
            DDS::
            FF - prefs.js: keyword.URL - hxxp://start.facemoods.com/results.php?f=5&a=wbst&q=

          • Save this as CFScript.txt, in the same location as ComboFix.exe



          • Referring to the picture above, drag CFScript into ComboFix.exe
          • When finished, it shall produce a log for you at C:\ComboFix.txt
          • Please post the contents of the log in your next reply.
          ************************************

          * Download the following tool: RootRepeal - Rootkit Detector
          * Direct download link is here: RootRepeal.zip

          * Close all programs and temporarily disable your anti-virus, Firewall and any anti-malware real-time protection before performing a scan.
          * Click this link to see a list of such programs and how to disable them.

          * Extract the program file to a new folder such as C:\RootRepeal
          * Run the program RootRepeal.exe and go to the REPORT tab and click on the Scan button.
          * Select ALL of the checkboxes and then click OK and it will start scanning your system.
          * If you have multiple drives you only need to check the C: drive or the one Windows is installed on.
          * When done, click on Save Report
          * Save it to the same location where you ran it from, such as C:\RootRepeal
          * Save it as rootrepeal.txt
          * Then open that log and select all and copy/paste it back on your next reply please.
          * Close RootRepeal.

          Windows 8 and Windows 10 dual boot with two SSD's
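The CFScript in the reply above is a plain-text file whose sections are lines ending in `::` (`KillAll::`, `File::`, `Folder::`, `DDS::`) followed by that section's entries. Before handing such a script to a deletion tool it is worth confirming exactly what it will touch. The checker below is an added example for this thread, not ComboFix's code and not something the helper posted: it parses the script into sections, requires every `File::` and `Folder::` entry to be an absolute local path, and warns when the same path is listed under more than one of those sections, as `T.COM` and `R.COM` are in the script above. The sample script is copied from that reply; the section grammar is assumed from what the reply shows.

```python
"""Parse a ComboFix CFScript and sanity-check the paths it names.

Added example for this thread; not part of ComboFix. It assumes only what the
posted script shows: a section header is a line ending in "::" and the lines
beneath it, up to the next header, are that section's entries.
"""
import re
from typing import Dict, List

SECTION_RE = re.compile(r"^\s*([A-Za-z]+)::\s*$")
ABS_PATH_RE = re.compile(r"^[a-zA-Z]:\\[^\r\n]+$")   # drive letter, colon, backslash
PATH_SECTIONS = {"file", "folder"}                   # sections whose entries are paths

# Copied from the CFScript posted in the reply above (constructed test input).
SAMPLE_SCRIPT = r"""
KillAll::

File::
c:\windows\logo1_.exe
c:\windows\system32\runouce.exe
c:\windows\RUNDL132.EXE
c:\windows\logo_1.exe
c:\windows\VDLL.DLL
c:\windows\system32\T.COM
c:\windows\R.COM
Folder::
c:\windows\system32\T.COM
c:\windows\R.COM
DDS::
FF - prefs.js: keyword.URL - hxxp://start.facemoods.com/results.php?f=5&a=wbst&q=
"""


def parse_cfscript(text: str) -> Dict[str, List[str]]:
    """Return {section name (lower-cased): [entries]} in file order."""
    sections: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1).lower()
            sections.setdefault(current, [])
            continue
        if current is None:
            raise ValueError(f"entry before any section header: {line!r}")
        sections[current].append(line)
    return sections


def check_cfscript(sections: Dict[str, List[str]]) -> List[str]:
    """Warn on relative/odd paths and on paths named in more than one path section."""
    warnings: List[str] = []
    seen: Dict[str, str] = {}            # lower-cased path -> first section it appeared in
    for name, entries in sections.items():
        if name not in PATH_SECTIONS:
            continue
        for p in entries:
            if not ABS_PATH_RE.match(p):
                warnings.append(f"{name}:: entry is not an absolute local path: {p}")
            key = p.lower()              # NTFS paths are case-insensitive
            if key in seen and seen[key] != name:
                warnings.append(f"{p} listed under both {seen[key]}:: and {name}::")
            seen.setdefault(key, name)
    return warnings


if __name__ == "__main__":
    parsed = parse_cfscript(SAMPLE_SCRIPT)
    for section, entries in parsed.items():
        print(f"{section}:: ({len(entries)} entries)")
    for w in check_cfscript(parsed):
        print("WARNING:", w)
```

On the sample it reports two warnings, one each for `c:\windows\system32\T.COM` and `c:\windows\R.COM`, because both appear under `File::` and again under `Folder::`. That is not necessarily wrong (the second ComboFix log further down shows both removed), but it is exactly the kind of thing the person running the script should notice and understand before running it. The `DDS::` section is passed through untouched since its entries are not paths.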

          PixelOz

            Topic Starter


            Rookie

            Re: Problem With Trojan-aax5
            « Reply #6 on: September 04, 2010, 02:54:53 PM »
            Here are the addresses of the first two file scans:

            http://virusscan.jotti.org/en/scanresult/e6852ba9f5888fca2f933434f3accef4b4eb4b49
            http://virusscan.jotti.org/en/scanresult/b1128c2f49b2d1c2543fc22ed0c1b2aba36b7255/150ad70df8416dd28bc88abe502f9a8fea5a6d98

            Here is the new ComboFix log:

            ComboFix 10-09-03.02 - Gladimir 09/04/2010   7:35.2.2 - x86
            Microsoft Windows XP Home Edition  5.1.2600.3.1252.1.1033.18.1012.530 [GMT -3:00]
            Running from: c:\documents and settings\Gladimir\Desktop\ComboFix.exe
            Command switches used :: c:\documents and settings\Gladimir\Desktop\CFScript.txt
            AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
            AV: Webroot AntiVirus with Spy Sweeper *On-access scanning disabled* (Updated) {77E10C7F-2CCA-4187-9394-BDBC267AD597}

            FILE ::
            "c:\windows\logo_1.exe"
            "c:\windows\logo1_.exe"
            "c:\windows\R.COM"
            "c:\windows\RUNDL132.EXE"
            "c:\windows\system32\runouce.exe"
            "c:\windows\system32\T.COM"
            "c:\windows\VDLL.DLL"
            .

            (((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
            .

            c:\windows\R.COM
            c:\windows\system32\T.COM

            .
            (((((((((((((((((((((((((   Files Created from 2010-08-04 to 2010-09-04  )))))))))))))))))))))))))))))))
            .

            2010-09-03 04:28 . 2010-09-03 04:28   --------   d-----w-   c:\documents and settings\Gladimir\Application Data\Artweaver
            2010-09-03 04:28 . 2010-09-03 04:28   --------   d-----w-   c:\documents and settings\All Users\Application Data\Artweaver
            2010-09-01 20:47 . 2010-09-01 20:47   --------   d-----w-   c:\documents and settings\Gladimir\Application Data\Malwarebytes
            2010-09-01 17:37 . 2010-09-01 17:37   --------   d-----w-   c:\documents and settings\All Users\Application Data\SITEguard
            2010-09-01 17:35 . 2010-09-03 01:50   --------   d-----w-   c:\documents and settings\All Users\Application Data\STOPzilla!
            2010-08-31 19:09 . 2010-08-31 19:10   --------   d-----w-   c:\documents and settings\All Users\Application Data\MicroWorld
            2010-08-31 18:59 . 2010-08-31 19:05   --------   d-----w-   c:\documents and settings\Gladimir\Application Data\Download Manager
            2010-08-30 22:11 . 2010-08-30 22:12   --------   dc-h--w-   c:\documents and settings\All Users\Application Data\{966933BB-610A-4824-8F02-D3D944597816}
            2010-08-30 20:31 . 2010-08-30 20:31   --------   d-----w-   c:\documents and settings\All Users\Application Data\F-Secure
            2010-08-30 05:16 . 2010-09-04 08:45   --------   d-----w-   c:\documents and settings\All Users\Application Data\Webroot
            2010-08-30 04:58 . 2010-08-30 04:58   --------   d-----w-   c:\documents and settings\All Users\Application Data\Alwil Software
            2010-08-28 19:02 . 2010-08-30 23:30   --------   d-----w-   c:\documents and settings\All Users\Application Data\Lavasoft
            2010-08-27 19:33 . 2008-10-15 21:02   --------   d-----w-   c:\documents and settings\Gladimir\Application Data\InstallShield
            2010-08-27 19:33 . 2008-08-15 18:10   --------   d-----w-   c:\documents and settings\Gladimir\Application Data\SiteAdvisor
            2010-08-19 23:27 . 2010-08-20 04:34   --------   d---a-w-   c:\documents and settings\All Users\Application Data\TEMP
            2010-08-19 16:44 . 2010-08-20 04:49   --------   d-----w-   c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
            2010-08-17 05:30 . 2010-08-17 05:30   --------   d-----w-   c:\documents and settings\All Users\Application Data\Malwarebytes
            2010-08-17 00:46 . 2010-08-17 00:46   --------   d-----w-   c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com

            .
            ((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
            .
            2010-09-03 04:28 . 2010-09-03 04:28   --------   d-----w-   c:\program files\Artweaver 1.0
            2010-09-03 04:18 . 2008-08-15 18:03   --------   d-----w-   c:\program files\Common Files\Adobe
            2010-09-03 02:48 . 2010-09-03 02:48   --------   d-----w-   c:\program files\Common Files\Java
            2010-09-03 02:47 . 2010-07-10 23:13   --------   d-----w-   c:\program files\Java
            2010-09-03 02:03 . 2010-09-03 02:03   388096   ----a-r-   c:\documents and settings\Gladimir\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
            2010-09-03 02:02 . 2010-09-03 02:02   --------   d-----w-   c:\program files\Trend Micro
            2010-09-02 17:48 . 2010-09-02 17:48   344   ----a-w-   c:\windows\system32\drivers\kgpcpy.cfg
            2010-09-01 17:42 . 2010-09-01 17:42   692224   ---ha-w-   C:\SZKGFS.dat
            2010-09-01 17:35 . 2010-09-01 17:35   --------   d-----w-   c:\program files\Common Files\iS3
            2010-09-01 05:24 . 2010-08-21 13:36   --------   d-----w-   c:\program files\Microsoft Silverlight
            2010-09-01 02:21 . 2008-08-15 18:22   --------   d-----w-   c:\documents and settings\All Users\Application Data\Microsoft Help
            2010-09-01 00:52 . 2010-09-01 00:43   --------   d-----w-   c:\program files\Eusing Free Registry Cleaner
            2010-08-31 19:26 . 2010-08-31 19:24   5392374   ----a-w-   c:\windows\REGBK00.ZIP
            2010-08-31 19:10 . 2010-08-31 19:10   632064   ----a-w-   c:\windows\system32\msvcr80.dll
            2010-08-31 19:10 . 2010-08-31 19:10   554240   ----a-w-   c:\windows\system32\msvcp80.dll
            2010-08-31 19:10 . 2010-08-31 19:10   34048   ----a-w-   c:\windows\system32\eEmpty.exe
            2010-08-31 19:10 . 2010-08-31 19:10   --------   d-----w-   c:\program files\Common Files\MicroWorld
            2010-08-31 05:32 . 2010-08-31 05:26   --------   d-----w-   c:\program files\Windows Live Safety Center
            2010-08-30 23:25 . 2010-03-11 04:44   --------   d-----w-   c:\program files\Common Files\Symantec Shared
            2010-08-30 22:12 . 2010-08-30 22:12   --------   d-----w-   c:\program files\Webroot
            2010-08-30 04:58 . 2010-08-30 04:58   --------   d-----w-   c:\program files\Alwil Software
            2010-08-29 05:02 . 2010-08-29 05:02   95024   ----a-w-   c:\windows\system32\drivers\SBREDrv.sys
            2010-08-29 02:34 . 2010-03-11 04:45   --------   d-----w-   c:\program files\Norton SystemWorks
            2010-08-29 01:53 . 2010-03-11 04:45   --------   d-----w-   c:\program files\Symantec
            2010-08-29 01:53 . 2010-03-11 04:45   --------   d-----w-   c:\documents and settings\All Users\Application Data\Symantec
            2010-08-27 19:44 . 2010-08-27 19:44   503808   ----a-w-   c:\documents and settings\Gladimir\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-3ba235c4-n\msvcp71.dll
            2010-08-27 19:44 . 2010-08-27 19:44   499712   ----a-w-   c:\documents and settings\Gladimir\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-3ba235c4-n\jmc.dll
            2010-08-27 19:44 . 2010-08-27 19:44   61440   ----a-w-   c:\documents and settings\Gladimir\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-43c9410f-n\decora-sse.dll
            2010-08-27 19:44 . 2010-08-27 19:44   348160   ----a-w-   c:\documents and settings\Gladimir\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-3ba235c4-n\msvcr71.dll
            2010-08-27 19:44 . 2010-08-27 19:44   12800   ----a-w-   c:\documents and settings\Gladimir\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-43c9410f-n\decora-d3d.dll
            2010-08-27 19:38 . 2010-08-27 19:36   65720   ----a-w-   c:\documents and settings\Gladimir\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
            2010-08-21 10:35 . 2010-08-21 10:35   --------   d-----w-   c:\program files\Common Files\Adobe AIR
            2010-08-21 10:23 . 2010-08-27 19:33   38784   ----a-w-   c:\documents and settings\Gladimir\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
            2010-08-20 04:49 . 2010-08-19 16:44   --------   d-----w-   c:\program files\Spybot - Search & Destroy
            2010-08-19 22:32 . 2010-05-27 08:54   1324   ----a-w-   c:\windows\system32\d3d9caps.dat
            2010-08-19 21:37 . 2010-03-10 23:13   --------   d-----w-   c:\program files\Windows Media Connect 2
            2010-08-19 20:07 . 2010-08-19 19:52   164   ----a-w-   c:\windows\install.dat
            2010-08-18 00:30 . 2010-08-18 00:30   --------   d-----w-   c:\program files\Panda Security
            2010-08-17 05:30 . 2010-08-17 05:30   --------   d-----w-   c:\program files\Malwarebytes' Anti-Malware
            2010-08-17 00:47 . 2010-08-17 00:46   --------   d-----w-   c:\program files\SUPERAntiSpyware
            2010-08-17 00:12 . 2010-08-17 00:12   90112   ----a-w-   c:\windows\system32\YmsgCrypt.dll
            2010-08-17 00:12 . 2010-08-17 00:12   139264   ----a-w-   c:\windows\system32\DartCertificate.dll
            2010-08-17 00:12 . 2010-08-17 00:12   147456   ----a-w-   c:\windows\system32\DartSecure2.dll
            2010-08-17 00:12 . 2010-08-17 00:11   212992   ----a-w-   c:\windows\system32\DartSock.dll
            2010-08-16 18:20 . 2010-08-30 22:12   3199328   -c--a-w-   c:\documents and settings\All Users\Application Data\{966933BB-610A-4824-8F02-D3D944597816}\WRInstall.exe
            2010-08-16 18:18 . 2010-08-30 22:10   385928   -c--a-w-   c:\documents and settings\All Users\Application Data\{966933BB-610A-4824-8F02-D3D944597816}\OFFLINE\54E229FA\DE0A17F3\WRInstallProgressHelper.dll
            2010-08-16 18:18 . 2010-08-30 22:10   433072   -c--a-w-   c:\documents and settings\All Users\Application Data\{966933BB-610A-4824-8F02-D3D944597816}\OFFLINE\FA6F4296\DE0A17F3\WRSvcAssist.exe
            2010-08-16 18:17 . 2010-08-30 22:10   1266336   -c--a-w-   c:\documents and settings\All Users\Application Data\{966933BB-610A-4824-8F02-D3D944597816}\OFFLINE\B2785152\DE0A17F3\WRTray.exe
            2010-08-16 18:15 . 2010-08-30 22:10   50984   -c--a-w-   c:\documents and settings\All Users\Application Data\{966933BB-610A-4824-8F02-D3D944597816}\OFFLINE\C3BEFA\DE0A17F3\WRConsumerServicePS.dll
            2010-08-16 18:13 . 2010-08-30 22:10   3035616   -c--a-w-   c:\documents and settings\All Users\Application Data\{966933BB-610A-4824-8F02-D3D944597816}\OFFLINE\E3131F5C\DE0A17F3\WRConsumerService.exe
            2010-08-16 18:07 . 2010-08-30 22:10   121856   -c--a-w-   c:\documents and settings\All Users\Application Data\{966933BB-610A-4824-8F02-D3D944597816}\OFFLINE\EA369C90\DE0A17F3\xmllite.dll
            2010-07-17 08:00 . 2010-07-10 23:14   423656   ----a-w-   c:\windows\system32\deployJava1.dll
            2010-07-06 21:13 . 2010-05-22 17:21   --------   d-----w-   c:\documents and settings\All Users\Application Data\Apple Computer
            2010-07-06 21:13 . 2010-05-22 17:19   --------   d-----w-   c:\program files\Common Files\Apple
            2010-06-30 12:31 . 2008-04-15 03:00   149504   ----a-w-   c:\windows\system32\schannel.dll
            2010-06-28 20:57 . 2010-08-30 04:59   38848   ----a-w-   c:\windows\avastSS.scr
            2010-06-28 20:57 . 2010-08-30 04:59   165032   ----a-w-   c:\windows\system32\aswBoot.exe
            2010-06-28 20:37 . 2010-08-30 05:00   46672   ----a-w-   c:\windows\system32\drivers\aswTdi.sys
            2010-06-28 20:37 . 2010-08-30 05:00   165456   ----a-w-   c:\windows\system32\drivers\aswSP.sys
            2010-06-28 20:33 . 2010-08-30 05:00   23376   ----a-w-   c:\windows\system32\drivers\aswRdr.sys
            2010-06-28 20:32 . 2010-08-30 05:00   100176   ----a-w-   c:\windows\system32\drivers\aswmon2.sys
            2010-06-28 20:32 . 2010-08-30 05:00   94544   ----a-w-   c:\windows\system32\drivers\aswmon.sys
            2010-06-28 20:32 . 2010-08-30 05:00   17744   ----a-w-   c:\windows\system32\drivers\aswFsBlk.sys
            2010-06-28 20:32 . 2010-08-30 05:00   28880   ----a-w-   c:\windows\system32\drivers\aavmker4.sys
            2010-06-24 12:22 . 2007-08-14 01:54   916480   ----a-w-   c:\windows\system32\wininet.dll
            2010-06-23 13:44 . 2008-04-15 03:00   1851904   ----a-w-   c:\windows\system32\win32k.sys
            2010-06-21 15:27 . 2008-04-15 03:00   354304   ----a-w-   c:\windows\system32\drivers\srv.sys
            2010-06-17 17:49 . 2010-08-30 22:18   24496   ----a-w-   c:\windows\system32\drivers\sshrmd.sys
            2010-06-17 17:49 . 2010-08-30 22:18   182056   ----a-w-   c:\windows\system32\drivers\ssidrv.sys
            2010-06-17 17:49 . 2010-08-30 22:18   45072   ----a-w-   c:\windows\system32\drivers\ssfmonm.sys
            2010-06-17 14:03 . 2008-04-15 03:00   80384   ----a-w-   c:\windows\system32\iccvid.dll
            2010-06-14 14:31 . 2008-04-15 03:00   744448   ----a-w-   c:\windows\pchealth\helpctr\binaries\helpsvc.exe
            2010-06-14 07:41 . 2008-04-15 03:00   1172480   ----a-w-   c:\windows\system32\msxml3.dll
            2010-08-27 19:44 . 2010-08-27 19:44   119808   ----a-w-   c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
            .

            (((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
            .
            .
            *Note* empty entries & legit default entries are not shown
            REGEDIT4

            [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
            "LaunchApp"="Alaunch" [X]
            "IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-28 141848]
            "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-28 166424]
            "Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-28 137752]
            "RTHDCPL"="RTHDCPL.EXE" [2008-05-16 16862720]
            "AzMixerSel"="c:\program files\Realtek\Audio\InstallShield\AzMixerSel.exe" [2006-07-17 53248]
            "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-04-25 1044480]
            "IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2008-04-15 208952]
            "LManager"="c:\progra~1\LAUNCH~1\QtZgAcer.EXE" [2008-05-14 821768]
            "eRecoveryService"="c:\acer\Empowering Technology\eRecovery\eRAgent.exe" [2008-05-22 425984]
            "avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-06-28 2837864]
            "WebrootTrayApp"="c:\program files\Webroot\Security\Current\Framework\WRTray.exe" [2010-08-16 1266336]
            "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
            "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]

            c:\documents and settings\All Users\Start Menu\Programs\Startup\
            InterVideo WinCinema Manager.lnk - c:\program files\InterVideo\Common\Bin\WinCinemaMgr.exe [2008-6-4 114688]

            [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WebrootSpySweeperService]
            @=""

            [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WRConsumerService]
            @="Service"

            [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
            "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
            "%windir%\\system32\\sessmgr.exe"=
            "c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
            "c:\\Program Files\\Messenger\\msmsgs.exe"=
            "c:\\Program Files\\Ontrack\\PowerDesk\\PDExplo.exe"=
            "c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
            "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
            "c:\\Program Files\\Ontrack\\PowerDesk\\PDWIZARD.EXE"=
            "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

            [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
            "AllowRedirect"= 1 (0x1)

            R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [8/17/2010 9:30 PM 28552]
            R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [8/30/2010 2:00 AM 165456]
            R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 3:25 PM 12872]
            R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 3:41 PM 67656]
            R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [8/30/2010 2:00 AM 17744]
            R2 SSFMONM;Spy Sweeper File System Filter Driver;c:\windows\system32\drivers\ssfmonm.sys [8/30/2010 7:18 PM 45072]
            R2 WRConsumerService;Webroot Client Service;c:\program files\Webroot\Security\Current\Framework\WRConsumerService.exe [8/16/2010 3:13 PM 3035616]
            R3 M3000Srv;Acer Crystal Eye webcam Driver;c:\windows\system32\drivers\M3000KNT.sys [5/5/2008 1:01 PM 254976]
            S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/16/2010 2:26 PM 135664]
            S3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [2/20/2009 3:30 PM 30192]
            S3 JMCR;JMCR;c:\windows\system32\drivers\jmcr.sys [2/20/2009 3:34 PM 96856]
            .
            Contents of the 'Scheduled Tasks' folder

            2010-08-26 c:\windows\Tasks\AppleSoftwareUpdate.job
            - c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 18:50]

            2010-09-02 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
            - c:\program files\Google\Update\GoogleUpdate.exe [2010-02-16 17:26]

            2010-09-04 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
            - c:\program files\Google\Update\GoogleUpdate.exe [2010-02-16 17:26]

            2010-09-04 c:\windows\Tasks\User_Feed_Synchronization-{479C7E99-7F92-404A-A968-D4AB250DDB21}.job
            - c:\windows\system32\msfeedssync.exe [2007-08-14 12:31]
            .
            .
            ------- Supplementary Scan -------
            .
            uStart Page = hxxp://www.google.com/
            uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s
            IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
            IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
            FF - ProfilePath - c:\documents and settings\Gladimir\Application Data\Mozilla\Firefox\Profiles\fedsd5fu.default\
            FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
            FF - prefs.js: keyword.URL - hxxp://start.facemoods.com/results.php?f=5&a=wbst&q=
            FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
            FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
            FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

            ---- FIREFOX POLICIES ----
            c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
            c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
            c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
            .

            **************************************************************************

            catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
            Rootkit scan 2010-09-04 07:54
            Windows 5.1.2600 Service Pack 3 NTFS

            scanning hidden processes ... 

            scanning hidden autostart entries ...

            scanning hidden files ... 

            scan completed successfully
            hidden files: 0

            **************************************************************************
            .
            --------------------- LOCKED REGISTRY KEYS ---------------------

            [HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
            @DACL=(02 0000)
            "Installed"="1"
            @=""

            [HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
            @DACL=(02 0000)
            "NoChange"="1"
            "Installed"="1"
            @=""

            [HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
            @DACL=(02 0000)
            "Installed"="1"
            @=""

            [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{7B849a69-220F-451E-B3FE-2CB811AF94AE}]
            @DACL=(02 0000)
            @="Internet Explorer User Accelerators"
            "DisplayName"="@c:\\WINDOWS\\system32\\iedkcs32.dll.mui,-3051"
            "DllName"="c:\\WINDOWS\\system32\\iedkcs32.dll"
            "NoGPOListChanges"=dword:00000001
            "ProcessGroupPolicy"="ProcessGroupPolicyForActivities"
            "ProcessGroupPolicyEx"="ProcessGroupPolicyForActivitiesEx"
            "RequiresSuccessfulRegistry"=dword:00000001

            [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{CF7639F3-ABA2-41DB-97F2-81E2C5DBFC5D}]
            @DACL=(02 0000)
            @="Internet Explorer Machine Accelerators"
            "DisplayName"="@c:\\WINDOWS\\system32\\iedkcs32.dll.mui,-3051"
            "DllName"="c:\\WINDOWS\\system32\\iedkcs32.dll"
            "NoGPOListChanges"=dword:00000001
            "ProcessGroupPolicy"="ProcessGroupPolicyForActivities"
            "ProcessGroupPolicyEx"="ProcessGroupPolicyForActivitiesEx"
            "RequiresSuccessfulRegistry"=dword:00000001

            [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\!SASWinLogon]
            @DACL=(02 0000)
            "DllName"="c:\\Program Files\\SUPERAntiSpyware\\SASWINLO.DLL"
            "Logon"="SABWINLOLogon"
            "Logoff"="SABWINLOLogoff"
            "Startup"="SABWINLOStartup"
            "Shutdown"="SABWINLOShutdown"
            "Asynchronous"=dword:00000000
            "Impersonate"=dword:00000000

            [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
            @DACL=(02 0000)
            @SACL=
            @=""
            "DLLName"="igfxdev.dll"
            "Asynchronous"=dword:00000001
            "Impersonate"=dword:00000001
            "Unlock"="WinlogonUnlockEvent"
            .
            --------------------- DLLs Loaded Under Running Processes ---------------------

            - - - - - - - > 'explorer.exe'(1984)
            c:\windows\system32\WININET.dll
            c:\windows\system32\ieframe.dll
            c:\windows\system32\webcheck.dll
            c:\windows\system32\WPDShServiceObj.dll
            c:\windows\system32\PortableDeviceTypes.dll
            c:\windows\system32\PortableDeviceApi.dll
            .
            ------------------------ Other Running Processes ------------------------
            .
            c:\program files\Alwil Software\Avast5\AvastSvc.exe
            c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
            c:\program files\Bonjour\mDNSResponder.exe
            c:\program files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
            c:\program files\Java\jre6\bin\jqs.exe
            c:\program files\Webroot\Security\current\plugins\antimalware\AEI.exe
            c:\windows\RTHDCPL.EXE
            c:\windows\system32\igfxsrvc.exe
            c:\windows\system32\igfxext.exe
            c:\docume~1\Gladimir\LOCALS~1\Temp\RtkBtMnt.exe
            .
            **************************************************************************
            .
            Completion time: 2010-09-04  08:07:49 - machine was rebooted
            ComboFix-quarantined-files.txt  2010-09-04 11:07
            ComboFix2.txt  2010-09-03 05:28

            Pre-Run: 136,135,667,712 bytes free
            Post-Run: 136,135,733,248 bytes free

            - - End Of File - - 05C16ABB34E21D9070BFD6330EA3CC9A

            Here is the RootRepeal log:

            ROOTREPEAL (c) AD, 2007-2009
            ==================================================
            Scan Start Time:      2010/09/04 17:51
            Program Version:      Version 1.3.5.0
            Windows Version:      Windows XP SP3
            ==================================================

            Drivers
            -------------------
            Name: catchme.sys
            Image Path: C:\ComboFix\catchme.sys
            Address: 0xA8F7C000   Size: 31744   File Visible: No   Signed: -
            Status: -

            Name: Combo-Fix.sys
            Image Path: Combo-Fix.sys
            Address: 0xF7587000   Size: 60416   File Visible: No   Signed: -
            Status: -

            Name: dump_atapi.sys
            Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
            Address: 0xA981E000   Size: 98304   File Visible: No   Signed: -
            Status: -

            Name: dump_WMILIB.SYS
            Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
            Address: 0xF7A23000   Size: 8192   File Visible: No   Signed: -
            Status: -

            Name: Fastfat.SYS
            Image Path: C:\WINDOWS\System32\Drivers\Fastfat.SYS
            Address: 0xA7CF5000   Size: 143744   File Visible: -   Signed: -
            Status: Hidden from the Windows API!

            Name: hiber_WMILIB.SYS
            Image Path: C:\WINDOWS\System32\Drivers\hiber_WMILIB.SYS
            Address: 0xF79ED000   Size: 8192   File Visible: No   Signed: -
            Status: -

            Name: mbr.sys
            Image Path: C:\DOCUME~1\Gladimir\LOCALS~1\Temp\mbr.sys
            Address: 0xF785F000   Size: 20864   File Visible: No   Signed: -
            Status: -

            Name: Ntfs.sys
            Image Path: Ntfs.sys
            Address: 0xF726C000   Size: 574976   File Visible: -   Signed: -
            Status: Hidden from the Windows API!

            Name: PROCEXP113.SYS
            Image Path: C:\WINDOWS\system32\Drivers\PROCEXP113.SYS
            Address: 0xF7A69000   Size: 7872   File Visible: No   Signed: -
            Status: -

            Name: rootrepeal.sys
            Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
            Address: 0xA7DE9000   Size: 49152   File Visible: No   Signed: -
            Status: -

            Name: tcpip.sys
            Image Path: C:\WINDOWS\system32\DRIVERS\tcpip.sys
            Address: 0xA9A29000   Size: 361600   File Visible: -   Signed: -
            Status: Hidden from the Windows API!

            Hidden/Locked Files
            -------------------
            Path: C:\hiberfil.sys
            Status: Locked to the Windows API!

            SSDT
            -------------------
            #: 017   Function Name: NtAllocateVirtualMemory
            Status: Hooked by "<unknown>" at address 0x86bd1eb8

            #: 025   Function Name: NtClose
            Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xa987dcd2

            #: 041   Function Name: NtCreateKey
            Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xa987db8e

            #: 047   Function Name: NtCreateProcess
            Status: Hooked by "<unknown>" at address 0x86bbf290

            #: 048   Function Name: NtCreateProcessEx
            Status: Hooked by "<unknown>" at address 0x86bbf218

            #: 053   Function Name: NtCreateThread
            Status: Hooked by "<unknown>" at address 0x86b5c240

            #: 063   Function Name: NtDeleteKey
            Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xa987e142

            #: 065   Function Name: NtDeleteValueKey
            Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xa987e06c

            #: 068   Function Name: NtDuplicateObject
            Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xa987d764

            #: 119   Function Name: NtOpenKey
            Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xa987dc68

            #: 122   Function Name: NtOpenProcess
            Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xa987d6a4

            #: 128   Function Name: NtOpenThread
            Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xa987d708

            #: 177   Function Name: NtQueryValueKey
            Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xa987dd88

            #: 180   Function Name: NtQueueApcThread
            Status: Hooked by "<unknown>" at address 0x86bd1f30

            #: 186   Function Name: NtReadVirtualMemory
            Status: Hooked by "<unknown>" at address 0x86bd1dc8

            #: 192   Function Name: NtRenameKey
            Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xa987e210

            #: 204   Function Name: NtRestoreKey
            Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xa987dd48

            #: 213   Function Name: NtSetContextThread
            Status: Hooked by "<unknown>" at address 0x86bd1020

            #: 226   Function Name: NtSetInformationKey
            Status: Hooked by "<unknown>" at address 0x86ba3200

            #: 228   Function Name: NtSetInformationProcess
            Status: Hooked by "<unknown>" at address 0x86bc4250

            #: 229   Function Name: NtSetInformationThread
            Status: Hooked by "<unknown>" at address 0x86b5c150

            #: 247   Function Name: NtSetValueKey
            Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xa987dec8

            #: 253   Function Name: NtSuspendProcess
            Status: Hooked by "<unknown>" at address 0x86b5c2b8

            #: 254   Function Name: NtSuspendThread
            Status: Hooked by "<unknown>" at address 0x86bd1fa8

            #: 257   Function Name: NtTerminateProcess
            Status: Hooked by "<unknown>" at address 0x86bc42c8

            #: 258   Function Name: NtTerminateThread
            Status: Hooked by "<unknown>" at address 0x86b5c1c8

            #: 277   Function Name: NtWriteVirtualMemory
            Status: Hooked by "<unknown>" at address 0x86bd1e40

            Stealth Objects
            -------------------
            Object: Hidden Code [Driver: Tcpip, IRP_MJ_CREATE]
            Process: System   Address: 0x85c4ab70   Size: 1169

            Object: Hidden Code [Driver: Tcpip, IRP_MJ_CREATE_NAMED_PIPE]
            Process: System   Address: 0x85c4b150   Size: 2695

            Object: Hidden Code [Driver: Tcpip, IRP_MJ_CLOSE]
            Process: System   Address: 0x85c3fce0   Size: 111

            Object: Hidden Code [Driver: Tcpip, IRP_MJ_READ]
            Process: System   Address: 0x85df2448   Size: 1371

            Object: Hidden Code [Driver: Tcpip, IRP_MJ_WRITE]
            Process: System   Address: 0x86883680   Size: 2433

            Object: Hidden Code [Driver: Tcpip, IRP_MJ_QUERY_INFORMATION]
            Process: System   Address: 0x85fe54a0   Size: 2912

            Object: Hidden Code [Driver: Tcpip, IRP_MJ_SET_INFORMATION]
            Process: System   Address: 0x86883ce8   Size: 793

            Object: Hidden Code [Driver: Tcpip, IRP_MJ_QUERY_EA]
            Process: System   Address: 0x85c497d0   Size: 1459

            Object: Hidden Code [Driver: Tcpip, IRP_MJ_SET_EA]
            Process: System   Address: 0x86aa18a0   Size: 1888

            Object: Hidden Code [Driver: Tcpip, IRP_MJ_FLUSH_BUFFERS]
            Process: System   Address: 0x86aa1a60   Size: 1440

            Object: Hidden Code [Driver: Tcpip, IRP_MJ_QUERY_VOLUME_INFORMATION]
            Process: System   Address: 0x86aa5678   Size: 306

            Object: Hidden Code [Driver: Tcpip, IRP_MJ_SET_VOLUME_INFORMATION]
            Process: System   Address: 0x85c4c3a8   Size: 3161

            Object: Hidden Code [Driver: Tcpip, IRP_MJ_DIRECTORY_CONTROL]
            Process: System   Address: 0x869e4238   Size: 196

            Object: Hidden Code [Driver: Tcpip, IRP_MJ_FILE_SYSTEM_CONTROL]
            Process: System   Address: 0x8629b5b8   Size: 2632

            Object: Hidden Code [Driver: Tcpip, IRP_MJ_DEVICE_CONTROL]
            Process: System   Address: 0x86a8ece0   Size: 800

            Object: Hidden Code [Driver: Tcpip, IRP_MJ_INTERNAL_DEVICE_CONTROL]
            Process: System   Address: 0x85c40410   Size: 1789

            Object: Hidden Code [Driver: Tcpip, IRP_MJ_SHUTDOWN]
            Process: System   Address: 0x85c3a188   Size: 195

            Object: Hidden Code [Driver: Tcpip, IRP_MJ_LOCK_CONTROL]
            Process: System   Address: 0x8607f418   Size: 3049

            Object: Hidden Code [Driver: Tcpip, IRP_MJ_CLEANUP]
            Process: System   Address: 0x85c3f428   Size: 279

            Object: Hidden Code [Driver: Tcpip, IRP_MJ_CREATE_MAILSLOT]
            Process: System   Address: 0x85c478a8   Size: 382

            Object: Hidden Code [Driver: Tcpip, IRP_MJ_QUERY_SECURITY]
            Process: System   Address: 0x86aa03b8   Size: 3145

            Object: Hidden Code [Driver: Tcpip, IRP_MJ_SET_SECURITY]
            Process: System   Address: 0x86aa0340   Size: 3265

            Object: Hidden Code [Driver: Tcpip, IRP_MJ_POWER]
            Process: System   Address: 0x85c2a8c0   Size: 455

            Object: Hidden Code [Driver: Tcpip, IRP_MJ_SYSTEM_CONTROL]
            Process: System   Address: 0x85c2a848   Size: 575

            Object: Hidden Code [Driver: Tcpip, IRP_MJ_DEVICE_CHANGE]
            Process: System   Address: 0x85c2a7d0   Size: 695

            Object: Hidden Code [Driver: Tcpip, IRP_MJ_QUERY_QUOTA]
            Process: System   Address: 0x85c2a758   Size: 815

            Object: Hidden Code [Driver: Tcpip, IRP_MJ_SET_QUOTA]
            Process: System   Address: 0x85c2a6e0   Size: 935

            Object: Hidden Code [Driver: Tcpip, IRP_MJ_PNP]
            Process: System   Address: 0x85c2a668   Size: 1055

            Shadow SSDT
            -------------------
            #: 307   Function Name: NtUserAttachThreadInput
            Status: Hooked by "<unknown>" at address 0x84550d58

            #: 383   Function Name: NtUserGetAsyncKeyState
            Status: Hooked by "<unknown>" at address 0x86ae7530

            #: 414   Function Name: NtUserGetKeyboardState
            Status: Hooked by "<unknown>" at address 0x86a79e28

            #: 416   Function Name: NtUserGetKeyState
            Status: Hooked by "<unknown>" at address 0x84af1630

            #: 460   Function Name: NtUserMessageCall
            Status: Hooked by "<unknown>" at address 0x86acef10

            #: 475   Function Name: NtUserPostMessage
            Status: Hooked by "<unknown>" at address 0x84a89fa8

            #: 476   Function Name: NtUserPostThreadMessage
            Status: Hooked by "<unknown>" at address 0x85bb8678

            #: 549   Function Name: NtUserSetWindowsHookEx
            Status: Hooked by "<unknown>" at address 0x84a98830

            #: 552   Function Name: NtUserSetWinEventHook
            Status: Hooked by "<unknown>" at address 0x84a2eef0

            ==EOF==

I disabled the real-time antivirus and antispyware engine and I also disabled the firewall as you instructed, and now the Avast engine and firewall are back on after the scans.

            I did everything as you told me.

            Just in case I took a look at those registry keys that were locked and they are still locked. There is still no access to them. But other than looking at that I haven't done anything else to the PC except what you told me.

            SuperDave

            • Malware Removal Specialist
            • Moderator


            • Genius
            • Thanked: 1020
            • Certifications: List
            • Experience: Expert
            • OS: Windows 10
            Re: Problem With Trojan-aax5
            « Reply #7 on: September 04, 2010, 04:37:42 PM »
            I'd like to scan your machine with ESET OnlineScan

            •Hold down Control and click on the following link to open ESET OnlineScan in a new window.
            ESET OnlineScan
            •Click the button.
            •For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
            • Click on to download the ESET Smart Installer. Save it to your desktop.
            • Double click on the icon on your desktop.
            •Check
            •Click the button.
            •Accept any security warnings from your browser.
            •Check
            •Push the Start button.
            •ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
            •When the scan completes, push
            •Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
            •Push the button.
            •Push
            A log file will be saved here: C:\Program Files\ESET\ESET Online Scanner\log.txt

            Windows 8 and Windows 10 dual boot with two SSD's

            PixelOz


              Re: Problem With Trojan-aax5
              « Reply #8 on: September 05, 2010, 12:28:19 PM »
              I ran it and in the two screens that I was shown at the end I couldn't find any link or button to export a report. Anyway it came out at zero.

              I had already run it before this thread and it was 0 results, now I scanned the PC with it again and it gave me the same results 0, not even a bad cookie.

              SuperDave

              Re: Problem With Trojan-aax5
              « Reply #9 on: September 05, 2010, 05:40:45 PM »
              If there are no other issues, we can do some clean-up.

              * Click START then RUN - Vista users press the Windows Key and the R keys for the Run box.
              * Now type Combofix /uninstall in the runbox
              * Make sure there's a space between Combofix and /Uninstall
              * Then hit Enter

              * The above procedure will:
              * Delete the following:
              * ComboFix and its associated files and folders.
              * Reset the clock settings.
              * Hide file extensions, if required.
              * Hide System/Hidden files, if required.
              * Set a new, clean Restore Point.

              ***********************************

              Clean out your temporary internet files and temp files.

              Download TFC by OldTimer to your desktop.

              Double-click TFC.exe to run it.

              Note: If you are running on Vista, right-click on the file and choose Run As Administrator

              TFC will close all programs when run, so make sure you have saved all your work before you begin.

              * Click the Start button to begin the cleaning process.
              * Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two.
              * Please let TFC run uninterrupted until it is finished.

              Once TFC is finished it should restart your computer. If it does not, please manually restart the computer yourself to ensure a complete cleaning.

              *******************************************
              Download OTC by OldTimer and save it to your desktop.

              1. Double-click OTC to run it.
              2. Click the CleanUp! button.
              3. Select Yes when the "Begin cleanup Process?" prompt appears.
              4. If you are prompted to Reboot during the cleanup, select Yes
              5. OTC should delete itself once it finishes, if not delete it yourself.

              ******************************************************

              Looking over your log it seems you don't have any evidence of a third party firewall.

              Firewalls protect against hackers and malicious intruders. You need to download a free firewall from one of these reliable vendors.

              Remember only install ONE firewall

              1) Comodo Personal Firewall (Uncheck during installation "Install Comodo SafeSurf..", Make Comodo my default search provider" and "Make Comodo Search my homepage" and uncheck any HopSurf and/or Ask.com options if you choose this one)
              2) Online Armor
              3) Agnitum Outpost
              4) PC Tools Firewall Plus

              If you are using the built-in Windows XP firewall, it is not recommended as it does not block outgoing connections. This means that any malware on your computer is free to "phone home" for more instructions. Simply put, Windows XP contains a mediocre firewall. This firewall is NO replacement for a dedicated software solution. Remember to use only one firewall at the same time.
              ****************************************
              Use the Secunia Software Inspector to check for out of date software.

              •Click Start Now

              •Check the box next to Enable thorough system inspection.

              •Click Start

              •Allow the scan to finish and scroll down to see if any updates are needed.
              •Update anything listed.
              ----------

              Go to Microsoft Windows Update and get all critical updates.

              ----------

              I suggest using WOT - Web of Trust. WOT is a free Internet security addon for your browser. It will keep you safe from online scams, identity theft, spyware, spam, viruses and unreliable shopping sites. WOT warns you before you interact with a risky website. It's easy and it's free.

              SpywareBlaster- Secure your Internet Explorer to make it harder for ActiveX programs to run on your computer. Also stop certain cookies from being added to your computer when running Mozilla based browsers like Firefox.
              * Using SpywareBlaster to protect your computer from Spyware and Malware
              * If you don't know what ActiveX controls are, see here

              Protect yourself against spyware using the Immunize feature in Spybot - Search & Destroy. Guide: Use Spybot's Immunize Feature to prevent spyware infection in real-time. Note: To ensure you have the latest Immunizations always update Spybot - Search & Destroy before Immunizing. Spybot - Search & Destroy FAQ

              Check out Keeping Yourself Safe On The Web for tips and free tools to help keep you safe in the future.

              Also see Slow Computer? It may not be Malware for free cleaning/maintenance tools to help keep your computer running smoothly.
              Safe Surfing!

              PixelOz


                Re: Problem With Trojan-aax5
                « Reply #10 on: September 06, 2010, 06:58:15 PM »
                But what are you saying? The PC's condition has not changed. The Webroot program still indicates that it is infected with Trojan-aax5 and those keys are still locked which will prevent the update of the Acrobat Reader. ???

                SuperDave

                Re: Problem With Trojan-aax5
                « Reply #11 on: September 07, 2010, 01:07:34 PM »
                The scans show no evidence of Trojan-aax5 . It could be a false-positive in WebRoot.

                SUPERAntiSpyware

                If you already have SUPERAntiSpyware be sure to check for updates before scanning!


                Download SuperAntispyware Free Edition (SAS)
                * Double-click the icon on your desktop to run the installer.
                * When asked to Update the program definitions, click Yes
                * If you encounter any problems while downloading the updates, manually download and unzip them from here
                * Next click the Preferences button.

                •Under Start-Up Options uncheck Start SUPERAntiSpyware when Windows starts
                * Click the Scanning Control tab.
                * Under Scanner Options make sure only the following are checked:

                •Close browsers before scanning
                •Scan for tracking cookies
                •Terminate memory threats before quarantining
                Please leave the others unchecked

                •Click the Close button to leave the control center screen.

                * On the main screen click Scan your computer
                * On the left check the box for the drive you are scanning.
                * On the right choose Perform Complete Scan
                * Click Next to start the scan. Please be patient while it scans your computer.
                * After the scan is complete a summary box will appear. Click OK
                * Make sure everything in the white box has a check next to it, then click Next
                * It will quarantine what it found and if it asks if you want to reboot, click Yes

                •To retrieve the removal information please do the following:
                •After reboot, double-click the SUPERAntiSpyware icon on your desktop.
                •Click Preferences. Click the Statistics/Logs tab.

                •Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.

                •It will open in your default text editor (preferably Notepad).
                •Save the notepad file to your desktop by clicking (in notepad) File > Save As...

                * Save the log somewhere you can easily find it. (normally the desktop)
                * Click close and close again to exit the program.
                *Copy and Paste the log in your post.

                PixelOz


                  Re: Problem With Trojan-aax5
                  « Reply #12 on: September 07, 2010, 06:00:27 PM »
Well, it could be a false positive indeed, cause I ran a lot of the good anti-virus tools on this machine and they don't detect anything anymore, and the only one detecting that is Webroot. I mean I ran the Norton online scan, Panda online scan, Bitdefender online scan, Superantispyware, MBam, Eset online scan, FProt online scan, F-Secure online scan, the Avast antivirus scan and nothing, so I'm suspecting that, cause I doubt that indeed that many good tools could have missed such an infection, so what you say makes sense.

                  Anyway the other problem was those locked registry keys.

                  Those in the HKEY_LOCAL_MACHINE area (they are listed in the ComboFix log that I posted, look for them)

                  The following keys:

                  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL
                  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI
                  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS

                  I checked them in my Windows XP Home machine registry and I could access them OK but in this other machine when I double clicked in them I got the following message:

                  cannot edit : error reading the value's contents.

Well, I checked, and all the permissions that were supposed to be there for those keys were gone, I mean completely not there, so I put all the corresponding permissions back and I can access them again and they are showing the way they are supposed to.

                  I rebooted the machine to see if it was OK and the keys are still normal so I ran the Acrobat Reader updater and it updated without problems this time. So that seems to be fixed. Malware damage from some of all those viruses that were removed from this PC? Corrupted values due to disk error? I don't know (I did run a disk error check and fix a while ago already just in case). So finally I seem to have found what was wrong with those keys.

                  That seems to point even more in the direction of a false positive. I will run Superantispyware as you indicated just to be sure and I will post the results shortly but so far we seem to be going in the right direction and after that post we will proceed with the rest of the procedures that you indicated. OK?
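The stripped-ACL symptom described above ("cannot edit: error reading the value's contents") can be checked and repaired from a script rather than by clicking through regedit. This is an added example, not the poster's or the moderator's procedure: it audits the three keys quoted in the post for a readable ACL that still grants the usual identities, and offers to copy the parent key's ACL back onto any broken child. The expected-identity list and the parent-ACL-as-template approach are assumptions; run it from an elevated PowerShell prompt.

```powershell
# Added example: audit the Run\OptionalComponents keys the poster found locked and,
# on request, re-apply the parent key's ACL. Assumes the built-in Registry provider
# (Windows PowerShell 2.0 or later) and an elevated session. Key paths are the ones
# quoted in the thread; everything else here is an assumption, not the poster's steps.

$parent = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents'
$keys   = 'IMAIL', 'MAPI', 'MSFS' | ForEach-Object { Join-Path $parent $_ }

# Identities a default HKLM software key normally grants access to (constructed expectation).
$expected = 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'BUILTIN\Users'

function Test-RunKeyAcl {
    param([string]$Path)
    $result = New-Object PSObject -Property @{
        Path     = $Path
        Readable = $false
        Missing  = @()
        AceCount = 0
    }
    try {
        # When the DACL has been emptied, reading the security descriptor fails with
        # the same "cannot read" symptom regedit shows; treat that as fully broken.
        $acl = Get-Acl -Path $Path -ErrorAction Stop
        $result.Readable = $true
        $result.AceCount = $acl.Access.Count
        $present = $acl.Access | ForEach-Object { $_.IdentityReference.Value }
        $result.Missing = @($expected | Where-Object { $present -notcontains $_ })
    } catch {
        $result.Missing = $expected
    }
    return $result
}

function Repair-RunKeyAcl {
    param([string]$Path, [switch]$Apply)
    # Use the (intact) parent key's ACL as the template. Review the audit output first;
    # without -Apply this only reports what it would do.
    $template = Get-Acl -Path $parent -ErrorAction Stop
    if ($Apply) {
        Set-Acl -Path $Path -AclObject $template
        "Applied parent ACL to $Path"
    } else {
        "Would apply parent ACL ($($template.Access.Count) ACEs) to $Path (add -Apply to do it)"
    }
}

foreach ($k in $keys) {
    $r = Test-RunKeyAcl -Path $k
    if ($r.Readable -and $r.Missing.Count -eq 0) {
        "OK      $k ($($r.AceCount) ACEs)"
    } else {
        "BROKEN  $k  readable=$($r.Readable)  missing: $($r.Missing -join ', ')"
        Repair-RunKeyAcl -Path $k      # dry run; re-run with -Apply once the report looks right
    }
}
```

If Get-Acl fails even when elevated, the local Administrators group is usually still the owner of these keys and can reset the DACL, which is what Set-Acl relies on here.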


                  PixelOz


                    Re: Problem With Trojan-aax5
                    « Reply #13 on: September 07, 2010, 10:20:17 PM »
                    MBAM log after scan with specified parameters (Nothing to it just some cookies that it removed so I think that we are good):

                    SUPERAntiSpyware Scan Log
                    http://www.superantispyware.com

                    Generated 09/08/2010 at 01:30 AM

                    Application Version : 4.41.1000

                    Core Rules Database Version : 5468
                    Trace Rules Database Version: 3280

                    Scan type       : Complete Scan
                    Total Scan Time : 03:54:41

                    Memory items scanned      : 501
                    Memory threats detected   : 0
                    Registry items scanned    : 6880
                    Registry threats detected : 0
                    File items scanned        : 45207
                    File threats detected     : 30

                    Adware.Tracking Cookie
                       C:\Documents and Settings\Gladimir\Cookies\gladimir@revsci[1].txt
                       C:\Documents and Settings\Gladimir\Cookies\[email protected][1].txt
                       C:\Documents and Settings\Gladimir\Cookies\gladimir@adbrite[1].txt
                       C:\Documents and Settings\Gladimir\Cookies\gladimir@advertising[1].txt
                       C:\Documents and Settings\Gladimir\Cookies\gladimir@clickfuse[1].txt
                       C:\Documents and Settings\Gladimir\Cookies\[email protected][1].txt
                       C:\Documents and Settings\Gladimir\Cookies\gladimir@interclick[2].txt
                       C:\Documents and Settings\Gladimir\Cookies\gladimir@zedo[1].txt
                       C:\Documents and Settings\Gladimir\Cookies\gladimir@dmtracker[1].txt
                       C:\Documents and Settings\Gladimir\Cookies\[email protected][1].txt
                       C:\Documents and Settings\Gladimir\Cookies\gladimir@yadro[2].txt
                       C:\Documents and Settings\Gladimir\Cookies\gladimir@specificclick[2].txt
                       C:\Documents and Settings\Gladimir\Cookies\gladimir@pointroll[1].txt
                       C:\Documents and Settings\Gladimir\Cookies\gladimir@invitemedia[1].txt
                       C:\Documents and Settings\Gladimir\Cookies\[email protected][1].txt
                       C:\Documents and Settings\Gladimir\Cookies\[email protected][2].txt
                       C:\Documents and Settings\Gladimir\Cookies\gladimir@atdmt[1].txt
                       C:\Documents and Settings\Gladimir\Cookies\[email protected][1].txt
                       C:\Documents and Settings\Gladimir\Cookies\[email protected][1].txt
                       C:\Documents and Settings\Gladimir\Cookies\gladimir@doubleclick[1].txt
                       C:\Documents and Settings\Gladimir\Cookies\[email protected][1].txt
                       C:\Documents and Settings\Gladimir\Cookies\gladimir@liveperson[3].txt
                       C:\Documents and Settings\Gladimir\Cookies\gladimir@pro-market[2].txt
                       C:\Documents and Settings\Gladimir\Cookies\[email protected][1].txt
                       C:\Documents and Settings\Gladimir\Cookies\[email protected][1].txt
                       C:\Documents and Settings\Gladimir\Cookies\[email protected][2].txt
                       C:\Documents and Settings\Gladimir\Cookies\gladimir@hitbox[1].txt
                       C:\Documents and Settings\Gladimir\Cookies\gladimir@fastclick[1].txt
                       C:\Documents and Settings\Gladimir\Cookies\gladimir@trafficmp[1].txt
                       C:\Documents and Settings\Gladimir\Cookies\gladimir@liveperson[1].txt

                    PixelOz


                      Re: Problem With Trojan-aax5
                      « Reply #14 on: September 08, 2010, 02:07:47 AM »
                      ComboFix has been deinstalled.

                      TFC was run as instructed.

                      OTC was run as instructed.

                      Online Armor firewall was installed to compensate for lack of it in Avast free version.

                      Secunia check and more things pending.