View Full Version : Can't run Spybot, Windows Antivirus Pro 2010 present



ElliotSperling
2009-09-14, 01:40
I'm running a Dell XPS M170 notebook with Windows XP Media Center Service Pack 2. I have 1GB of memory and an 80GB hard drive with 9GB free.

I believe that I am infected with the Windows Antivirus Pro 2010 virus. Here are some of the symptoms:
- frequent pop-ups by this fake AV program, and I have not been able to get it off my computer.
- could not open my Task Manager.
- have not been able to run AV programs such as AVG and Spybot.
- search engine redirect where I cannot open results from searches; I get redirected and then my browser (Firefox 2 and IE) usually crashes.
- Logitech SetPoint recently stopped working, and does not work even if reinstalled (could be completely unrelated).

Here is what I have tried so far:
- for the Task Manager, I was able to re-enable it with this command: REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 0 /f
- I tried not only running Spybot, but running it in Safe Mode. I can occasionally get Spybot to open, but it crashes as soon as I begin the scan, and then I can no longer open it.
- I ran AVG in both normal and Safe Mode of Windows; it ran for a while in Safe Mode, but eventually crashed.
- I tried to do the "Before You Post" instructions, but the only program I could get to run was ERUNT.

Thanks in advance

ken545
2009-09-16, 03:10
Hello Elliot

Welcome to Safer Networking.

Please read Before You Post (http://forums.spybot.info/showthread.php?t=288)
That said, all advice given by anyone volunteering here is taken at your own risk.
While best efforts are made to assist in removing infections safely, unexpected stuff can happen.


Elliot, reply to this thread only by using the SUBMIT REPLY and do not start any new topics


Please download exeHelper (http://www.raktor.net/exeHelper/exeHelper.com) to your desktop.
Double-click on exeHelper.com to run the fix.
A black window should pop up, press any key to close once the fix is completed.
Post the contents of log.txt (Will be created in the directory where you ran exeHelper.com)
Note: If the window shows a message that says "Error deleting file", please re-run the program before posting a log - and post the two logs together (they will both be in the one file).





Please download RootRepeal from one of these locations and save it to your desktop:
Here (http://ad13.geekstogo.com/RootRepeal.exe)
Here (http://download.bleepingcomputer.com/rootrepeal/RootRepeal.exe)
Here (http://rootrepeal.psikotick.com/RootRepeal.exe)

Open RootRepeal from its icon on your desktop.
Click the Report tab.
Click the Scan button.
Check just these boxes:
http://forums.whatthetech.com/uploads/monthly_08_2009/post-75503-1250480183.gif
Push OK.
Check the box for your main system drive (usually C:), and press OK.
Allow RootRepeal to run a scan of your system. This may take some time.
Once the scan completes, push the Save Report button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your post.

ElliotSperling
2009-09-17, 05:25
exeHelper by Raktor - 09
Build 20090916
Run at 19:23:25 on 09/16/09
Now searching...
Checking for numerical processes...
Checking for bad processes...
Killed process svchasts.exe
Killed process b.exe
Checking for bad files...
Found file C:\WINDOWS\svchasts.exe
Deleting file C:\WINDOWS\svchasts.exe
Found file C:\WINDOWS\system32\braviax.exe
Deleting file C:\WINDOWS\system32\braviax.exe
Found file C:\WINDOWS\braviax.exe
Deleting file C:\WINDOWS\braviax.exe
Found file C:\WINDOWS\ppp3.dat
Deleting file C:\WINDOWS\ppp3.dat
Found file C:\WINDOWS\ppp4.dat
Deleting file C:\WINDOWS\ppp4.dat
Found file C:\WINDOWS\system32\cru629.dat
Deleting file C:\WINDOWS\system32\cru629.dat
Found file C:\WINDOWS\cru629.dat
Deleting file C:\WINDOWS\cru629.dat
Found file C:\WINDOWS\system32\~.exe
Deleting file C:\WINDOWS\system32\~.exe
Found file C:\WINDOWS\temp\b.exe
Deleting file C:\WINDOWS\temp\b.exe
Found file C:\WINDOWS\system32\bincd32.dat
Deleting file C:\WINDOWS\system32\bincd32.dat
Resetting filetype association for .exe
Resetting filetype association for .com
--Finished--

Thanks again, much appreciated.

ElliotSperling
2009-09-17, 05:52
And heres the rootrepeal scan:

ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time: 2009/09/16 19:50
Program Version: Version 1.3.5.0
Windows Version: Windows XP Media Center Edition SP2
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xF3E53000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF7AA7000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xB8509000 Size: 49152 File Visible: No Signed: -
Status: -

Name: win32k.sys:1
Image Path: C:\WINDOWS\win32k.sys:1
Address: 0xF7903000 Size: 20480 File Visible: No Signed: -
Status: -

Name: win32k.sys:2
Image Path: C:\WINDOWS\win32k.sys:2
Address: 0xF3EEC000 Size: 61440 File Visible: No Signed: -
Status: -

Hidden Services
-------------------
Service Name: vsfoceycwxrpfj
Image Path: C:\WINDOWS\system32\drivers\vsfocewmexmxrx.sys

==EOF==

ken545
2009-09-17, 11:19
Good morning Elliot,

ExeHelper removed the bad files that were blocking you from running other programs; it also reset the permissions for those programs. It looks like RootRepeal has picked up a rootkit infection also.



Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop.

Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
Link 3 (http://subs.geekstogo.com/ComboFix.exe)

http://i266.photobucket.com/albums/ii277/sUBs_/combofix/CF_download_FF.gif


http://i266.photobucket.com/albums/ii277/sUBs_/combofix/CF_download_rename.gif

* IMPORTANT !!! Save ComboFix.exe to your Desktop


Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
See this Link (http://www.bleepingcomputer.com/forums/topic114351.html) for programs that need to be disabled and instructions on how to disable them.
Remember to re-enable them when we're done.


Double click on ComboFix.exe & follow the prompts.


As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.


Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



http://i24.photobucket.com/albums/c30/ken545/RcAuto1.gif


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

http://i24.photobucket.com/albums/c30/ken545/whatnext.jpg

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply along with a new HijackThis log.

*If there is no internet connection when Combofix has completely finished then restart your computer to restore back the connections.

ElliotSperling
2009-09-18, 08:07
ComboFix 09-09-17.04 - Elliot 09/17/2009 21:27.1.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1023.649 [GMT -7:00]
Running from: c:\documents and settings\Elliot\Desktop\notcf.exe
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\Elliot\LOCALS~1\Temp\csrss.exe
c:\docume~1\Elliot\LOCALS~1\Temp\lsass.exe
c:\docume~1\Elliot\LOCALS~1\Temp\services.exe
c:\docume~1\Elliot\LOCALS~1\Temp\svchost.exe
c:\docume~1\Elliot\LOCALS~1\Temp\taskmgr.exe
c:\docume~1\Elliot\LOCALS~1\Temp\winlogon.exe
c:\documents and settings\All Users\Documents\araquguxuq.com
c:\documents and settings\All Users\Documents\ilaveq._dl
c:\documents and settings\All Users\Documents\joraxym.com
c:\documents and settings\All Users\Documents\pimifah.scr
c:\documents and settings\Elliot\Application Data\dalytaqa.reg
c:\documents and settings\Elliot\Application Data\onazer.exe
c:\documents and settings\Elliot\Application Data\tovariw.inf
c:\documents and settings\Elliot\Cookies\edibij.bin
c:\documents and settings\Elliot\Cookies\ixehorynu.dl
c:\documents and settings\Elliot\Cookies\otuqagex.bin
c:\documents and settings\Elliot\Cookies\ozoxa.vbs
c:\documents and settings\Elliot\Local Settings\Application Data\mepokav.pif
c:\documents and settings\Elliot\Local Settings\Application Data\qugam.ban
c:\documents and settings\Elliot\Local Settings\Application Data\sikevyz.exe
c:\documents and settings\Elliot\Local Settings\Temporary Internet Files\apobireh.com
c:\documents and settings\Elliot\Local Settings\Temporary Internet Files\asijegiwit._dl
c:\documents and settings\Elliot\My Documents\My Documents.url
c:\documents and settings\Elliot\My Documents\My Music\My Music.url
c:\documents and settings\Elliot\My Documents\My Pictures\My Pictures.url
c:\documents and settings\Elliot\My Documents\My Videos\My Video.url
c:\documents and settings\Elliot\Start Menu\Programs\Startup\Logitech . Product Registration.lnk
c:\program files\AdvancedVirusRemover
c:\program files\Common Files\uqediqane._dl
c:\program files\SafetyCenter
c:\program files\SafetyCenter\main.ico
c:\program files\SafetyCenter\new.exe
c:\program files\SafetyCenter\protector.exe
c:\program files\SafetyCenter\sound.wav
c:\program files\SafetyCenter\start.exe
c:\program files\SafetyCenter\uninstall.exe
c:\program files\Windows Police Pro
c:\program files\Windows Police Pro\msvcm80.dll
c:\program files\Windows Police Pro\msvcp80.dll
c:\program files\Windows Police Pro\msvcr80.dll
c:\windows\awyvopo.pif
c:\windows\braviax.exe
c:\windows\cru629.dat
c:\windows\Installer\11d432.msi
c:\windows\kb913800.exe
c:\windows\msa.exe
c:\windows\run.log
c:\windows\system32\_scui.cpl
c:\windows\system32\braviax.exe
c:\windows\system32\config\systemprofile\Desktop\Advanced Virus Remover.lnk
c:\windows\system32\config\systemprofile\Start Menu\Advanced Virus Remover.lnk
c:\windows\system32\config\systemprofile\Start Menu\Programs\Windows Antivirus Pro
c:\windows\system32\config\systemprofile\Start Menu\Programs\Windows Antivirus Pro\Windows Antivirus Pro.lnk
c:\windows\system32\cru629.dat
c:\windows\system32\drivers\smss.exe
c:\windows\system32\drivers\UACd.sys
c:\windows\system32\drivers\vsfocewmexmxrx.sys
c:\windows\system32\ihebykyfe.scr
c:\windows\system32\lowsec
c:\windows\system32\lowsec\local.ds
c:\windows\system32\lowsec\user.ds
c:\windows\system32\lowsec\user.ds.lll
c:\windows\system32\okypu.dl
c:\windows\system32\rohytuqyx.ban
c:\windows\system32\sonhelp.htm
c:\windows\system32\taJF83ikdmf.dll
c:\windows\system32\vsfocecxnwnbsi.dll
c:\windows\system32\vsfocehbapalco.dll
c:\windows\system32\vsfocehdvrejph.dat
c:\windows\system32\vsfoceiqrapdet.dll
c:\windows\system32\vsfocempgxumob.dat
c:\windows\system32\vsfocesdkijwbp.dat
c:\windows\system32\winhelper.dll
c:\windows\system32\wisdstr.exe
c:\windows\Tasks\At1.job
c:\windows\Tasks\At2.job
c:\windows\Tasks\At3.job
c:\windows\Tasks\At4.job
c:\windows\Tasks\At5.job
c:\windows\Tasks\At6.job
c:\windows\Tasks\At7.job
c:\windows\Temp\~6.Dll

Infected copy of c:\windows\system32\drivers\beep.sys was found and disinfected
Restored copy from - c:\i386\beep.sys

Infected copy of c:\windows\system32\eventlog.dll was found and disinfected
Restored copy from - c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\eventlog.dll
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_UACd.sys
-------\Legacy_UACd.sys
-------\Service_vsfoceycwxrpfj
-------\Legacy_vsfoceycwxrpfj
-------\Legacy_ANTIPPRO2009_100
-------\Legacy_ANTIPPRO2009_12
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}
-------\Service_AntipPro2009_100
-------\Service_AntipPro2009_12


((((((((((((((((((((((((( Files Created from 2009-08-18 to 2009-09-18 )))))))))))))))))))))))))))))))
.

2009-09-17 13:56 . 2009-09-17 13:56 2198 -c--a-w- C:\Tsx.bat
2009-09-17 02:48 . 2009-09-17 02:48 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-09-15 07:16 . 2009-09-15 07:16 -------- d-----w- c:\program files\Safer Networking
2009-09-13 21:25 . 2009-09-13 21:25 -------- d-----w- c:\program files\ERUNT
2009-09-13 20:50 . 2009-09-17 02:26 -------- d-----w- c:\program files\issb4
2009-09-13 16:36 . 2009-09-10 21:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-13 16:36 . 2009-09-13 16:36 -------- d-----w- c:\program files\notflowers
2009-09-13 16:36 . 2009-09-10 21:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-13 16:29 . 2009-09-13 16:29 -------- d-----w- c:\documents and settings\Elliot\Application Data\Malwarebytes
2009-09-13 16:29 . 2009-09-13 16:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-09-13 16:17 . 2009-09-13 16:17 -------- d--h--w- c:\windows\system32\GroupPolicy
2009-09-13 16:11 . 2009-09-13 16:11 -------- d-----w- c:\documents and settings\Elliot\Application Data\Logitech
2009-09-13 16:00 . 2009-06-17 16:55 10384 ----a-w- c:\windows\system32\drivers\LBeepKE.sys
2009-09-13 15:59 . 2009-07-20 19:25 301656 ----a-w- c:\windows\system32\BtCoreIf.dll
2009-09-13 15:59 . 2009-07-20 19:26 84496 ----a-w- c:\windows\system32\KemXML.dll
2009-09-13 15:59 . 2009-07-20 19:26 117264 ----a-w- c:\windows\system32\KemWnd.dll
2009-09-13 15:59 . 2009-07-20 19:26 145936 ----a-w- c:\windows\system32\KemUtil.dll
2009-09-13 15:59 . 2009-07-20 19:26 170512 ----a-w- c:\windows\system32\kemutb.dll
2009-09-13 15:58 . 2009-09-13 15:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Logitech
2009-09-12 03:35 . 2009-09-12 03:35 -------- d-----w- c:\documents and settings\Elliot\Application Data\AVG8
2009-09-12 01:53 . 2009-09-12 01:53 19490 ----a-w- c:\windows\exekutulo.com
2009-09-11 06:34 . 2009-09-11 06:35 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2009-09-11 04:48 . 2009-09-11 04:48 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{EF63305C-BAD7-4144-9208-D65528260864}
2009-09-11 04:48 . 2009-09-11 04:48 -------- d-----w- c:\program files\Lavasoft
2009-09-11 04:48 . 2009-09-11 04:48 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-09-10 07:07 . 2009-09-13 16:00 -------- d-----w- c:\documents and settings\All Users\Application Data\LogiShrd
2009-09-10 06:57 . 2009-09-13 16:00 -------- d-----w- c:\program files\Common Files\Logishrd
2009-09-10 05:30 . 2009-09-12 03:32 -------- d-----w- c:\program files\Issb
2009-09-10 05:24 . 2009-09-10 05:24 -------- d-----w- c:\documents and settings\Family\Local Settings\Application Data\AVG Security Toolbar
2009-09-10 05:18 . 2009-09-10 05:39 -------- d-----w- c:\program files\not sb 3
2009-09-10 05:00 . 2009-09-10 05:00 60320 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-10 02:11 . 2008-11-06 09:03 -------- dc----w- C:\SDFix
2009-09-09 04:14 . 2009-09-10 05:14 -------- d-----w- c:\program files\not sb2
2009-09-08 05:57 . 2009-09-08 05:57 -------- d-----w- c:\documents and settings\Elliot\Local Settings\Application Data\AVG Security Toolbar
2009-09-03 05:01 . 2009-09-03 05:01 -------- d-----w- c:\documents and settings\All Users\Application Data\NVIDIA
2009-08-20 20:03 . 2009-08-20 20:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Blizzard Entertainment

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-18 04:12 . 2009-05-31 21:31 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-09-18 01:24 . 2006-02-28 03:20 72455 ----a-w- c:\windows\system32\nvModes.dat
2009-09-17 02:49 . 2006-04-28 06:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-09-13 15:58 . 2006-02-28 03:31 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-09-12 01:49 . 2007-01-22 03:26 -------- d-----w- c:\program files\Common Files\Logitech
2009-09-10 07:05 . 2009-09-10 07:05 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_LHidFilt_01005.Wdf
2009-09-10 07:05 . 2009-09-10 07:05 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_LMouFilt_01005.Wdf
2009-09-10 07:04 . 2009-09-10 07:04 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_LUsbFilt_01005.Wdf
2009-09-10 07:04 . 2009-09-10 07:04 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2009-09-10 05:04 . 2006-10-31 04:57 -------- d-----w- c:\program files\Windows Media Connect 2
2009-09-09 04:11 . 2006-04-28 06:36 -------- d-----w- c:\program files\not spybot
2009-09-04 18:43 . 2006-05-16 04:17 -------- d-----w- c:\program files\IrfanView
2009-09-04 18:43 . 2009-07-27 20:47 -------- d-----w- c:\program files\iDump (Freeware)
2009-09-04 18:43 . 2006-03-09 00:22 -------- d-----w- c:\documents and settings\Elliot\Application Data\Lavasoft
2009-09-04 16:53 . 2009-05-27 05:03 -------- d-----w- c:\documents and settings\Elliot\Application Data\Azureus
2009-09-03 22:17 . 2006-04-11 17:18 -------- d-----w- c:\program files\Steam
2009-08-28 01:46 . 2006-02-28 03:32 -------- d-----w- c:\program files\Common Files\Sonic Shared
2009-08-28 01:43 . 2006-02-28 03:40 -------- d-----w- c:\program files\Roxio
2009-08-28 01:34 . 2006-02-28 03:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2009-08-28 01:34 . 2006-02-28 03:41 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-08-28 01:31 . 2006-06-16 19:10 -------- d-----w- c:\program files\IGN
2009-08-28 01:31 . 2006-02-28 03:45 -------- d-----w- c:\program files\Google
2009-08-28 01:30 . 2005-08-17 02:54 -------- d-----w- c:\program files\GemMaster
2009-08-28 01:29 . 2007-08-06 22:16 -------- d-----w- c:\program files\DivX
2009-08-28 01:25 . 2006-03-08 04:28 -------- d-----w- c:\documents and settings\Elliot\Application Data\Corel
2009-08-28 01:22 . 2008-07-29 20:43 -------- d-----w- c:\program files\AVS4YOU
2009-08-24 19:45 . 2009-05-31 21:32 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-08-24 19:45 . 2009-05-31 21:32 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-08-24 19:45 . 2008-02-24 21:20 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-08-22 03:07 . 2006-03-08 05:43 3766 --sha-w- c:\windows\system32\KGyGaAvL.sys
2009-08-22 03:07 . 2006-03-08 05:43 56 --sh--r- c:\windows\system32\5B436BD706.sys
2009-08-15 22:36 . 2009-08-15 22:36 -------- d-----w- c:\documents and settings\Family\Application Data\Apple Computer
2009-08-15 22:34 . 2006-04-21 13:35 60320 ----a-w- c:\documents and settings\Family\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-11 04:27 . 2009-01-04 23:06 -------- d-----w- c:\documents and settings\Elliot\Application Data\iPhoneRingToneMaker
2009-08-11 04:26 . 2009-03-28 07:06 -------- d-----w- c:\program files\IDoser v4
2009-08-11 04:25 . 2006-10-28 06:36 -------- d-----w- c:\program files\BitComet
2009-08-11 04:25 . 2008-07-29 20:43 -------- d-----w- c:\program files\Common Files\AVSMedia
2009-08-10 16:52 . 2009-06-12 01:43 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar
2009-08-07 02:34 . 2006-03-08 05:43 60320 ----a-w- c:\documents and settings\Elliot\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-06 06:02 . 2009-08-06 06:02 -------- d-----w- c:\program files\MSBuild
2009-08-06 06:02 . 2009-08-06 06:02 -------- d-----w- c:\program files\Reference Assemblies
2009-08-04 04:32 . 2009-08-04 04:29 -------- d-----w- c:\program files\Transcribe!
2009-08-01 03:27 . 2009-07-28 17:32 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-07-26 06:42 . 2009-06-03 07:16 -------- d-----w- c:\program files\iTunes
2009-07-26 06:42 . 2009-07-26 06:42 -------- d-----w- c:\program files\iPod
2009-07-26 06:42 . 2007-07-04 21:22 -------- d-----w- c:\program files\Common Files\Apple
2009-07-14 03:43 . 2005-08-16 10:19 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2009-06-26 15:59 . 2005-08-16 10:18 668160 ----a-w- c:\windows\system32\wininet.dll
2009-06-26 15:59 . 2005-08-16 10:18 81920 ----a-w- c:\windows\system32\ieencode.dll
2009-05-27 06:16 . 2009-05-27 06:16 604 ---ha-w- c:\program files\STLL Notifier
2003-11-18 17:37 . 2006-08-04 17:54 241664 -c--a-w- c:\program files\npmusicn.dll
2009-09-14 04:44 . 2006-03-08 04:42 67688 ----a-w- c:\program files\mozilla firefox\components\jar50.dll
2009-09-14 04:44 . 2006-03-08 04:42 54368 ----a-w- c:\program files\mozilla firefox\components\jsd3250.dll
2009-09-14 04:44 . 2009-09-08 05:56 34944 ----a-w- c:\program files\mozilla firefox\components\myspell.dll
2009-09-14 04:44 . 2009-09-08 05:56 46712 ----a-w- c:\program files\mozilla firefox\components\spellchk.dll
2009-09-14 04:44 . 2006-03-08 04:42 172136 ----a-w- c:\program files\mozilla firefox\components\xpinstal.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-07-24 1090816]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{3041d03e-fd4b-44e0-b742-2d9b88305f98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-12-10 333192]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-07-24 1090816]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-07-24 1090816]
"{3041D03E-FD4B-44E0-B742-2D9B88305F98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-12-10 333192]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2004-08-10 59392]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2005-10-07 176128]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-05-01 7561216]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2004-10-30 385024]
"DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2005-10-05 94208]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_11\bin\jusched.exe" [2006-12-15 75520]
"Adobe Photo Downloader"="c:\program files\Adobe\Adobe Photoshop Lightroom\apdproxy.exe" [2007-02-06 61440]
"HostManager"="c:\program files\Common Files\AOL\1142490376\ee\AOLSoftware.exe" [2006-05-10 50760]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-08-24 2007832]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-27 413696]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-05-14 177472]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2006-05-01 1519616]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" - c:\windows\KHALMNPR.Exe [2009-06-17 55824]
"NVHotkey"="nvHotkey.dll" - c:\windows\system32\nvhotkey.dll [2006-05-01 73728]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" - c:\windows\KHALMNPR.Exe [2009-06-17 55824]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2009-9-13 813584]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
2004-09-07 22:08 110592 ----a-w- c:\program files\Intel\Wireless\Bin\LgNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2009-07-20 19:28 72208 ----a-w- c:\program files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-24 19:45 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"midi1"=evolusbn.dll
"midi3"=evolusbn.dll
"midi6"=evolusbn.dll
"midi8"=evolusbn.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AOL\\1142490376\\ee\\aolsoftware.exe"=
"c:\\Program Files\\Common Files\\AOL\\1142490376\\ee\\aim6.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"14984:TCP"= 14984:TCP:BitComet 14984 TCP
"14984:UDP"= 14984:UDP:BitComet 14984 UDP
"59035:TCP"= 59035:TCP:Pando Media Booster
"59035:UDP"= 59035:UDP:Pando Media Booster
"59126:TCP"= 59126:TCP:Pando Media Booster
"59126:UDP"= 59126:UDP:Pando Media Booster

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [5/31/2009 2:32 PM 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [5/31/2009 2:32 PM 108552]
R2 AdobeActiveFileMonitor;Adobe Active File Monitor;c:\program files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe [10/4/2004 5:47 AM 98304]
R2 ASKService;ASKService;c:\program files\AskBarDis\bar\bin\AskService.exe [5/26/2009 10:03 PM 464264]
R2 ASKUpgrade;ASKUpgrade;c:\program files\AskBarDis\bar\bin\ASKUpgrade.exe [5/26/2009 10:03 PM 234888]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [5/31/2009 2:31 PM 297752]
R2 LBeepKE;LBeepKE;c:\windows\system32\drivers\LBeepKE.sys [9/13/2009 9:00 AM 10384]
R2 UnoInstallerService;Uno Installer;c:\program files\M-Audio Uno\UnoInst.exe [11/12/2006 9:18 PM 106496]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [8/2/2008 12:49 AM 24652]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [7/3/2009 7:49 AM 1029456]
S3 EVOLUSB;%EVOL_USB_SvcDesc%;c:\windows\system32\drivers\evolusb.sys [11/12/2006 9:18 PM 21984]
S3 LTower;LEGO USB Tower Driver;c:\windows\system32\drivers\LTower.sys [9/23/2006 10:05 PM 36981]
.
Contents of the 'Scheduled Tasks' folder

2009-09-15 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-07-03 14:49]

2009-09-17 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
uInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/dell?hl=en&client=dell-rel
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: &AIM Toolbar Search - c:\documents and settings\All Users\Application Data\AIM Toolbar\ieToolbar\resources\en-US\local\search.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office10\EXCEL.EXE/3000
DPF: {35B7E48B-9D81-4C6C-9578-5FD4F620D886}
FF - ProfilePath - c:\documents and settings\Elliot\Application Data\Mozilla\Firefox\Profiles\uk33o8mm.default\
FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrie7&query=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrab&query=
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

URLSearchHooks-HookURL - (no file)
URLSearchHooks-Rank - (no file)
BHO-{BF56A325-23F2-42AD-F4E4-00AAC39CAA53} - (no file)
HKCU-Run-ANTIVIRUS - c:\program files\WAV\wav.exe
HKCU-Run-Monopod - c:\docume~1\Elliot\LOCALS~1\Temp\a.exe
HKCU-Run-Windows System Recover! - c:\docume~1\Elliot\LOCALS~1\Temp\install.exe
HKCU-Run-Aim6 - (no file)
HKLM-Run-HPDJ Taskbar Utility - c:\windows\system32\spool\drivers\w32x86\3\hpztsb06.exe
HKLM-Run-RIS2PostReboot - (no file)
HKLM-Run-csr - csrrs.exe
HKU-Default-Run-minix32 - c:\windows\system32\minix32.exe
AddRemove-Collab - c:\program files\Image-Line\Collab\uninstall.exe
AddRemove-Dell Game Console - c:\program files\WildTangent\Apps\Dell Game Console\Uninstall.exe
AddRemove-Warning Center - c:\program files\Applications\wcu.exe
**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-17 21:42
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-2286682121-438749808-3921338359-1005\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{9046540F-A4C9-60ED-0B58-B213BBB61A06}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"iajcahhfadbbpfnine"=hex:63,61,6d,6d,6f,69,00,7c

[HKEY_USERS\S-1-5-21-2286682121-438749808-3921338359-1005\Software\SecuROM\License information*]
"datasecu"=hex:09,e9,fe,a5,39,26,83,1c,8c,8c,d2,e2,8d,a2,ee,02,b1,ed,b7,d3,43,
b1,f6,79,8a,2d,bd,64,04,f2,46,24,b4,84,4e,5f,19,ea,25,c9,37,99,89,f6,70,d4,\
"rkeysecu"=hex:cb,bd,f2,61,5a,4e,c6,95,f2,29,8b,82,ba,6b,3d,44

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"cd042efbbd7f7af1647644e76e06692b"=hex:c8,28,51,af,b0,29,a3,98,c3,16,ac,e7,28,
bc,69,3c,2e,e8,e1,00,eb,16,2b,de,f6,ed,a8,d2,7a,f9,a2,45,e2,63,26,f1,3f,c8,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"bca643cdc5c2726b20d2ecedcc62c59b"=hex:71,3b,04,66,8b,46,0d,96,9b,92,44,14,9f,
30,f1,d8,46,47,15,b0,92,4b,c7,ef,c3,c5,06,11,9d,63,43,b2,6a,9c,d6,61,af,45,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"2c81e34222e8052573023a60d06dd016"=hex:25,da,ec,7e,55,20,c9,26,28,d2,a5,c0,2b,
6a,02,e3,7a,45,05,fd,91,e8,6f,31,eb,d0,e7,ca,d1,ea,98,4c,ff,7c,85,e0,43,d4,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"2582ae41fb52324423be06337561aa48"=hex:3e,1e,9e,e0,57,5a,93,61,14,fb,94,37,e0,
73,12,fb,6b,65,49,6a,7e,99,74,f7,45,3a,66,a1,55,30,cc,9d,86,8c,21,01,be,91,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"caaeda5fd7a9ed7697d9686d4b818472"=hex:f5,1d,4d,73,a8,13,5c,05,48,a7,52,05,3e,
11,69,52,e9,02,6c,fa,fb,1d,47,57,9e,47,a0,83,55,08,0e,a9,f5,1d,4d,73,a8,13,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"a4a1bcf2cc2b8bc3716b74b2b4522f5d"=hex:df,20,58,62,78,6b,cf,c8,75,6c,bd,ff,12,
c0,f8,51,50,93,e5,ab,ec,6a,4e,ab,15,16,8b,c9,e0,0b,50,12,df,20,58,62,78,6b,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"4d370831d2c43cd13623e232fed27b7b"=hex:97,20,4e,9a,c7,f1,35,ee,ea,a9,ea,6b,20,
d9,46,06,97,20,4e,9a,c7,f1,35,ee,59,dc,cb,c0,bb,73,62,9c,fb,a7,78,e6,12,2f,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"1d68fe701cdea33e477eb204b76f993d"=hex:aa,52,c6,00,84,3c,26,64,11,1f,d2,1b,9d,
e1,b1,f5,aa,52,c6,00,84,3c,26,64,c4,6c,de,f0,01,33,a4,f6,01,3a,48,fc,e8,04,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"1fac81b91d8e3c5aa4b0a51804d844a3"=hex:51,fa,6e,91,28,9e,14,cc,79,39,d1,d5,f5,
9a,8a,00,b2,46,9a,e2,1b,fe,1b,94,72,25,96,93,a8,15,ee,36,f6,0f,4e,58,98,5b,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"f5f62a6129303efb32fbe080bb27835b"=hex:b1,cd,45,5a,a8,c4,f8,b9,4d,c9,a2,28,92,
df,41,a2,37,a4,aa,c3,a6,15,56,0a,87,90,97,6e,5b,f1,fb,cf,3d,ce,ea,26,2d,45,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"fd4e2e1a3940b94dceb5a6a021f2e3c6"=hex:e3,0e,66,d5,eb,bc,2f,6b,56,77,f5,97,df,
9d,cc,cd,f8,31,0f,a9,5f,a0,ec,fb,b9,f0,ec,a2,ea,ed,17,9c,2a,b7,cc,b5,b9,7f,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"8a8aec57dd6508a385616fbc86791ec2"=hex:fa,ea,66,7f,d4,3b,6b,70,bf,03,72,4f,8b,
2e,50,16,05,73,21,dd,54,d8,4a,c5,5d,d4,41,5b,22,cd,05,df,6c,43,2d,1e,aa,22,\

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\|"|w*]
"91A14B995DF7C0B42ABAA16065968F3A"="c:\\Program Files\\Alias\\Maya7.0\\presets\\Ashli\\"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1060)
c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
c:\program files\common files\logishrd\bluetooth\LBTServ.dll
c:\program files\Intel\Wireless\Bin\LgNotify.dll

- - - - - - - > 'explorer.exe'(2252)
c:\program files\Logitech\SetPoint\lgscroll.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Intel\Wireless\Bin\WLKEEPER.exe
c:\program files\Intel\Wireless\Bin\ZCfgSvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\progra~1\Intel\Wireless\Bin\1XConfig.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\PnkBstrA.exe
c:\windows\system32\PnkBstrB.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\windows\ehome\mcrdsvc.exe
c:\program files\Apoint\hidfind.exe
c:\program files\Apoint\ApntEx.exe
c:\windows\system32\msiexec.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\wscntfy.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Common Files\Logitech\KhalShared\KHALMNPR.exe
.
**************************************************************************
.
Completion time: 2009-09-18 21:54 - machine was rebooted
ComboFix-quarantined-files.txt 2009-09-18 04:53

Pre-Run: 9,283,866,624 bytes free
Post-Run: 10,992,242,688 bytes free

472 --- E O F --- 2009-09-18 01:25

And HijackThis:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:06:35 PM, on 9/17/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\AskBarDis\bar\bin\AskService.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\Program Files\AskBarDis\bar\bin\ASKUpgrade.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\M-Audio Uno\UnoInst.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Adobe\Adobe Photoshop Lightroom\apdproxy.exe
C:\Program Files\Common Files\AOL\1142490376\ee\AOLSoftware.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: (no name) - *{03402f96-3dc7-4285-bc50-9e81fefafe43} - (no file)
R3 - URLSearchHook: (no name) - *{54EB34EA-E6BE-4CFD-9F4F-C4A0C2EAFA22} - (no file)
R3 - URLSearchHook: (no name) - *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O3 - Toolbar: AIM Toolbar - {61539ecd-cc67-4437-a03c-9aaccbd14326} - C:\Program Files\AIM Toolbar\aimtb.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Adobe Photoshop Lightroom\apdproxy.exe"
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1142490376\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NVHotkey] rundll32.exe nvHotkey.dll,Start
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: &AIM Toolbar Search - C:\Documents and Settings\All Users\Application Data\AIM Toolbar\ieToolbar\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: AIM Toolbar - {0b83c99c-1efa-4259-858f-bcb33e007a5b} - C:\Program Files\AIM Toolbar\aimtb.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Adobe Active File Monitor (AdobeActiveFileMonitor) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ASKService - Unknown owner - C:\Program Files\AskBarDis\bar\bin\AskService.exe
O23 - Service: ASKUpgrade - Unknown owner - C:\Program Files\AskBarDis\bar\bin\ASKUpgrade.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Lavasoft Ad-Aware Service - Unknown owner - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe
O23 - Service: Maya 7.0 Documentation Server (maya70docserver) - Unknown owner - C:\Program Files\Alias\Maya7.0\docs\wrapper.exe
O23 - Service: NICCONFIGSVC - Unknown owner - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Uno Installer (UnoInstallerService) - Unknown owner - C:\Program Files\M-Audio Uno\UnoInst.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: WLANKEEPER - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 9387 bytes

Thanks

ken545
2009-09-18, 14:10
Elliot,

c:\\Program Files\\Alias\\Maya7.0 <-- Are you downloading illegal software from cracked sites?

ken545
2009-09-28, 11:45
Due to inactivity, this thread will now be closed.

If it has been four days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a new HijackThis log with a link to your previous thread. Please do not add any logs that might have been requested in the closed topic; you would be starting fresh.