AHHHHH...... I need help!!

[Win32 Services - Safe List]
Service 6to4 stopped successfully!
Service 6to4 deleted successfully!
C:\WINDOWS\system32\6to4v32.dll moved successfully.
[Driver Services - Safe List]
Service winsts stopped successfully!
Service winsts deleted successfully!
C:\WINDOWS\system32\winsts.sys moved successfully.
Service ndisdrv stopped successfully!
Service ndisdrv deleted successfully!
C:\WINDOWS\system32\ndisdrv.sys moved successfully.
[Registry - Safe List]
Registry value HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\asg984jgkfmgasi8ug98jgkfgfb deleted successfully.
Registry value HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\ygua8e7yhuiesfha876yfauy8fe deleted successfully.
Registry value HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\asg984jgkfmgasi8ug98jgkfgfb not found.
Registry value HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\ygua8e7yhuiesfha876yfauy8fe not found.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_Dlls:c:\windows\system32\yobiseha.dll deleted successfully.
File C:\WINDOWS\System32\yobiseha.dll not found.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_Dlls:fepabavi.dll deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_Dlls:vuzofafu.dll deleted successfully.
C:\WINDOWS\System32\vuzofafu.dll moved successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\UserInit:C:\WINDOWS\system32\winlogon86.exe deleted successfully.
C:\WINDOWS\system32\winlogon86.exe moved successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\\{3c80fcc8-b88d-4740-bcec-d2d122abcbe9} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3c80fcc8-b88d-4740-bcec-d2d122abcbe9}\ deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\InternetSecurity2010\IS2010.exe deleted successfully.
[Files/Folders - Created Within 30 Days]
C:\WINDOWS\System32\msaouahn.dll moved successfully.
C:\WINDOWS\System32\winupdate86.exe moved successfully.
File C:\WINDOWS\System32\winlogon86.exe not found!
C:\waxfhosk.exe moved successfully.
C:\WINDOWS\System32\cock folder moved successfully.
C:\WINDOWS\System32\nsysd.ini moved successfully.
C:\WINDOWS\System32\olsysk.dat moved successfully.
C:\WINDOWS\System32\nsysw.ini moved successfully.
C:\WINDOWS\System32\olsysw.dat moved successfully.
C:\WINDOWS\System32\nsysp.ini moved successfully.
C:\WINDOWS\System32\olsysp.dat moved successfully.
[Files/Folders - Modified Within 30 Days]
C:\WINDOWS\System32\dufubuga moved successfully.
C:\WINDOWS\System32\winhelper86.dll moved successfully.
C:\WINDOWS\System32\AVR10.exe moved successfully.
C:\WINDOWS\System32\41.exe moved successfully.
C:\WINDOWS\tasks\wushskrw.job moved successfully.
C:\WINDOWS\System32\tdlcmd.dll moved successfully.
C:\WINDOWS\System32\pufikere.dll moved successfully.
C:\WINDOWS\System32\rurirovi.dll moved successfully.
C:\uwlwfa.exe moved successfully.
File C:\WINDOWS\System32\msaouahn.dll not found!
C:\haypsixd.exe moved successfully.
C:\WINDOWS\System32\ezdr3.dll moved successfully.
File C:\waxfhosk.exe not found!
C:\WINDOWS\System32\tuwatoba.exe moved successfully.
C:\WINDOWS\System32\ragutali.dll moved successfully.
C:\WINDOWS\System32\wincode.res moved successfully.
C:\WINDOWS\System32\krnkode.res moved successfully.
C:\WINDOWS\System32\pwrcode.res moved successfully.
[Files - No Company Name]
File C:\WINDOWS\System32\pufikere.dll not found!
File C:\WINDOWS\System32\rurirovi.dll not found!
File C:\WINDOWS\tasks\wushskrw.job not found!
File C:\WINDOWS\System32\41.exe not found!
File C:\WINDOWS\System32\AVR10.exe not found!
File C:\WINDOWS\System32\winhelper86.dll not found!
File C:\uwlwfa.exe not found!
File C:\haypsixd.exe not found!
File C:\WINDOWS\System32\ezdr3.dll not found!
File C:\WINDOWS\System32\tdlcmd.dll not found!
C:\WINDOWS\System32\urhtps.dat moved successfully.
File C:\WINDOWS\System32\tuwatoba.exe not found!
File C:\WINDOWS\System32\ragutali.dll not found!
File C:\WINDOWS\System32\wincode.res not found!
File C:\WINDOWS\System32\krnkode.res not found!
File C:\WINDOWS\System32\pwrcode.res not found!
C:\WINDOWS\System32\user.cfg moved successfully.
C:\WINDOWS\System32\timinebe.dll moved successfully.
C:\WINDOWS\System32\sehameyi.dll moved successfully.
C:\WINDOWS\System32\lidanufu.dll moved successfully.
File C:\WINDOWS\System32\vuzofafu.dll not found!
C:\WINDOWS\System32\nefavega.dll moved successfully.
C:\WINDOWS\System32\hidumule.dll moved successfully.
C:\WINDOWS\System32\psisdecd.dll moved successfully.
C:\WINDOWS\DC2110a.ini moved successfully.
C:\WINDOWS\atid.ini moved successfully.
< End of fix log >
OTS by OldTimer - Version 3.1.12.0 fix logfile created on 12262009_082227
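
The OTS fix log above is, read as a whole, a list of persistence locations that were cleared (Win32 services and driver services, Run values under HKEY_USERS, AppInit_Dlls entries, the Winlogon UserInit value, a SharedTaskScheduler CLSID, a Windows Firewall AuthorizedApplications exception) plus the files that were moved or reported "not found". The script below is an added triage example, not OldTimer's tool and not code from this thread: it parses that log format, groups the successful removals by mechanism, and lists paths the log references (as registry data or as a "File ... not found" line) that it never reports as moved, which in the log above singles out yobiseha.dll. The sample input is a constructed subset modelled on the lines above, and the mechanism labels are this example's own naming.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of lines modelled on the OTS fix log posted above.
SAMPLE_LOG = r"""[Win32 Services - Safe List]
Service 6to4 deleted successfully!
C:\WINDOWS\system32\6to4v32.dll moved successfully.
[Driver Services - Safe List]
Service winsts deleted successfully!
C:\WINDOWS\system32\winsts.sys moved successfully.
[Registry - Safe List]
Registry value HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\asg984jgkfmgasi8ug98jgkfgfb deleted successfully.
Registry value HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\asg984jgkfmgasi8ug98jgkfgfb not found.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_Dlls:c:\windows\system32\yobiseha.dll deleted successfully.
File C:\WINDOWS\System32\yobiseha.dll not found.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\UserInit:C:\WINDOWS\system32\winlogon86.exe deleted successfully.
C:\WINDOWS\system32\winlogon86.exe moved successfully.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\InternetSecurity2010\IS2010.exe deleted successfully.
[Files/Folders - Created Within 30 Days]
C:\waxfhosk.exe moved successfully.
File C:\waxfhosk.exe not found!
< End of fix log >
"""

SECTION = re.compile(r"^\[(?P<name>.+)\]$")
SERVICE = re.compile(r"^Service (?P<name>\S+) (?P<action>stopped|deleted) successfully!$")
REGISTRY = re.compile(r"^Registry (?:value|key) (?P<target>.+?) (?P<status>deleted successfully|not found)\.$")
FILE_MISSING = re.compile(r"^File (?P<path>.+?) not found[.!]$")
FILE_MOVED = re.compile(r"^(?P<path>.+?) moved successfully\.$")

# Mechanism labels are this example's own naming; needles are matched case-insensitively
# against the full registry target (key path plus value name), first match wins.
MECHANISMS = (
    ("appinit_dlls", "AppInit_DLLs (DLL loaded into processes that load user32.dll)"),
    ("userinit", "Winlogon Userinit (runs at every interactive logon)"),
    ("\\currentversion\\run", "Run key autostart"),
    ("sharedtaskscheduler", "Explorer SharedTaskScheduler COM autostart"),
    ("authorizedapplications", "Windows Firewall application exception"),
)


def classify(target):
    t = target.lower()
    return next((label for needle, label in MECHANISMS if needle in t), "other registry location")


def split_value(value):
    # 'AppInit_Dlls:c:\path' -> ('AppInit_Dlls', 'c:\path'); a bare path like 'C:\x.exe' stays whole.
    head, colon, tail = value.partition(":")
    return (head, tail) if colon and len(head) > 1 and "\\" not in head else (value, "")


def parse_ots_log(text):
    """Turn OTS fix-log lines into records; unrecognised lines are kept as 'unparsed'."""
    records, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("<"):
            continue
        if m := SECTION.match(line):
            section = m.group("name")
        elif m := SERVICE.match(line):
            kind = "driver" if section and section.startswith("Driver") else "service"
            records.append({"type": kind, "name": m.group("name"), "action": m.group("action")})
        elif m := REGISTRY.match(line):
            target = m.group("target")
            key, _, value = target.partition("\\\\")  # OTS writes key\\valuename
            name, data = split_value(value)
            records.append({"type": "registry", "key": key, "name": name, "data": data,
                            "mechanism": classify(target),
                            "ok": m.group("status").startswith("deleted")})
        elif m := FILE_MISSING.match(line):
            records.append({"type": "file", "path": m.group("path"), "ok": False})
        elif m := FILE_MOVED.match(line):
            records.append({"type": "file", "path": m.group("path"), "ok": True})
        else:
            records.append({"type": "unparsed", "line": line})
    return records


def summarize(records):
    """Group successful removals by mechanism; list referenced paths never reported as moved."""
    by_mechanism, referenced = defaultdict(list), {}
    moved = {r["path"].lower() for r in records if r["type"] == "file" and r["ok"]}
    for r in records:
        if r["type"] == "registry":
            if r["ok"]:
                by_mechanism[r["mechanism"]].append(r["data"] or r["name"] or r["key"])
            if r["data"]:
                referenced[r["data"].lower()] = r["data"]
        elif r["type"] in ("service", "driver") and r["action"] == "deleted":
            by_mechanism[r["type"]].append(r["name"])
        elif r["type"] == "file" and not r["ok"]:
            referenced[r["path"].lower()] = r["path"]
    unresolved = sorted(p for k, p in referenced.items() if k not in moved)
    return {"by_mechanism": dict(by_mechanism), "unresolved_paths": unresolved}


if __name__ == "__main__":
    result = summarize(parse_ots_log(SAMPLE_LOG))
    for mechanism, items in result["by_mechanism"].items():
        print(mechanism, "->", items)
    print("referenced but never moved:", result["unresolved_paths"])
```

Run it against a full fix log by reading the file into `parse_ots_log`; anything that lands in the "unparsed" bucket is a line shape this example does not know, and anything in "unresolved_paths" is a file the tool referenced but never confirmed removing, which is where a follow-up scan should look first.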
 
Hi blackdra
Wow, did you type all that out?
Of course, who else :D:
Let's try ComboFix again.......
So please delete the old ComboFix and download the new one.

Download Combofix from any of the links below but rename it to BLACKDRA before saving it to your desktop.

Link 1
Link 2

==================================

Double click on the BLACKDRA ComboFix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt so we can continue cleaning the system.

peku006
 
Woo hoo, it ran this time.......... for about an hour............. not including download time......... Anyways, here's the log; it's very large.



ComboFix 09-12-25.05 - Eric 12/26/2009 13:25:21.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1271.985 [GMT -6:00]
Running from: c:\documents and settings\Eric\Desktop\blackdra.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\documents and settings\LocalService\Start Menu\Internet Security 2010.lnk
c:\recycler\S-1-5-21-1285431163-2949483060-138999394-1003
c:\recycler\S-1-5-21-725345543-1604221776-2147019285-1003
c:\windows\AppPatch\Custom\{deb7008b-681e-4a4a-8aae-cc833e8216ce}.sdb
c:\windows\EventSystem.log
c:\windows\IECOdecplg.dll
c:\windows\irc.txt
c:\windows\system32\AcroIEHelpe.dll
c:\windows\system32\bebutepo.exe
c:\windows\system32\certstore.dat
c:\windows\system32\config\systemprofile\Start Menu\Programs\Startup\scandisk.dll
c:\windows\system32\config\systemprofile\Start Menu\Programs\Startup\scandisk.lnk
c:\windows\system32\critical_warning.html
c:\windows\system32\duyugesa.exe
c:\windows\system32\fanesazi.exe
c:\windows\system32\fezijepa.exe
c:\windows\system32\FInstall.sys
c:\windows\system32\Iasv32.dll
c:\windows\system32\jabihoju.dll
c:\windows\system32\lufesoko.dll
c:\windows\system32\nezezaju.dll
c:\windows\system32\notepad.dll
c:\windows\system32\nsysw.dat
c:\windows\system32\nuwuzeku.exe
c:\windows\system32\schtml
c:\windows\system32\schtml\images\i1.gif
c:\windows\system32\schtml\images\i2.gif
c:\windows\system32\schtml\images\i3.gif
c:\windows\system32\schtml\images\j1.gif
c:\windows\system32\schtml\images\j2.gif
c:\windows\system32\schtml\images\j3.gif
c:\windows\system32\schtml\images\jj1.gif
c:\windows\system32\schtml\images\jj2.gif
c:\windows\system32\schtml\images\jj3.gif
c:\windows\system32\schtml\images\l1.gif
c:\windows\system32\schtml\images\l2.gif
c:\windows\system32\schtml\images\l3.gif
c:\windows\system32\schtml\images\pix.gif
c:\windows\system32\schtml\images\t1.gif
c:\windows\system32\schtml\images\t2.gif
c:\windows\system32\schtml\images\up1.gif
c:\windows\system32\schtml\images\up2.gif
c:\windows\system32\schtml\images\w1.gif
c:\windows\system32\schtml\images\w11.gif
c:\windows\system32\schtml\images\w2.gif
c:\windows\system32\schtml\images\w3.gif
c:\windows\system32\schtml\images\w3.jpg
c:\windows\system32\schtml\images\word.doc
c:\windows\system32\schtml\images\wt1.gif
c:\windows\system32\schtml\images\wt2.gif
c:\windows\system32\schtml\images\wt3.gif
c:\windows\system32\schtml\wispex.html
c:\windows\system32\skynet.dat
c:\windows\system32\tdlcmd.dll
c:\windows\system32\UAs
c:\windows\system32\UAs\acad_UAs001.dat
c:\windows\system32\UAs\AcroRd32_UAs001.dat
c:\windows\system32\UAs\AcroRd32_UAs002.dat
c:\windows\system32\UAs\actionreplaycodemanager_UAs001.dat
c:\windows\system32\UAs\aim_UAs001.dat
c:\windows\system32\UAs\Bartshel_UAs001.dat
c:\windows\system32\UAs\cmd_UAs001.dat
c:\windows\system32\UAs\cmd_UAs002.dat
c:\windows\system32\UAs\cxu61118_UAs001.dat
c:\windows\system32\UAs\Explorer_UAs001.dat
c:\windows\system32\UAs\Explorer_UAs002.dat
c:\windows\system32\UAs\Explorer_UAs003.dat
c:\windows\system32\UAs\Explorer_UAs004.dat
c:\windows\system32\UAs\Explorer_UAs005.dat
c:\windows\system32\UAs\Explorer_UAs006.dat
c:\windows\system32\UAs\f5d9_UAs001.dat
c:\windows\system32\UAs\firefox_UAs001.dat
c:\windows\system32\UAs\firefox_UAs002.dat
c:\windows\system32\UAs\firefox_UAs003.dat
c:\windows\system32\UAs\firefox_UAs004.dat
c:\windows\system32\UAs\haypsixd_UAs001.dat
c:\windows\system32\UAs\iexplore_UAs001.dat
c:\windows\system32\UAs\iexplore_UAs002.dat
c:\windows\system32\UAs\iexplore_UAs003.dat
c:\windows\system32\UAs\iexplore_UAs004.dat
c:\windows\system32\UAs\leopehgqqd78o_UAs001.dat
c:\windows\system32\UAs\leopehgqqd78o_UAs002.dat
c:\windows\system32\UAs\logonui_UAs001.dat
c:\windows\system32\UAs\lsm32_UAs001.dat
c:\windows\system32\UAs\msksur_UAs001.dat
c:\windows\system32\UAs\msnmsgr_UAs001.dat
c:\windows\system32\UAs\muiq_UAs001.dat
c:\windows\system32\UAs\nbhfy_UAs001.dat
c:\windows\system32\UAs\ndgkqs_UAs001.dat
c:\windows\system32\UAs\nmjhv_UAs001.dat
c:\windows\system32\UAs\pctbdupdate_UAs001.dat
c:\windows\system32\UAs\pureplaypoker_UAs001.dat
c:\windows\system32\UAs\siuhb_UAs001.dat
c:\windows\system32\UAs\smss_UAs001.dat
c:\windows\system32\UAs\spoolsv_UAs001.dat
c:\windows\system32\UAs\spoolsv_UAs002.dat
c:\windows\system32\UAs\spoolsv_UAs003.dat
c:\windows\system32\UAs\spybotsd162_UAs001.dat
c:\windows\system32\UAs\spyhunter-installer_UAs001.dat
c:\windows\system32\UAs\spyhunter3_UAs001.dat
c:\windows\system32\UAs\spyhunter3_UAs002.dat
c:\windows\system32\UAs\svchost_UAs001.dat
c:\windows\system32\UAs\svchost_UAs002.dat
c:\windows\system32\UAs\svchost_UAs003.dat
c:\windows\system32\UAs\svchost_UAs004.dat
c:\windows\system32\UAs\svchost_UAs005.dat
c:\windows\system32\UAs\system321lkdoiuekrewr_UAs001.dat
c:\windows\system32\UAs\system321lkdoiuekrewr_UAs002.dat
c:\windows\system32\UAs\user_UAs001.dat
c:\windows\system32\UAs\user_UAs002.dat
c:\windows\system32\UAs\viewmgr_UAs001.dat
c:\windows\system32\UAs\vvhhaul1od_UAs001.dat
c:\windows\system32\UAs\winamp_UAs001.dat
c:\windows\system32\UAs\winlogon_UAs001.dat
c:\windows\system32\UAs\winupdate86_UAs001.dat
c:\windows\system32\UAs\wmdtc_UAs001.dat
c:\windows\system32\UAs\xprp_UAs001.dat

----- BITS: Possible infected sites -----

hxxp://82.98.231.102
hxxp://77.74.48.116
Infected copy of c:\windows\system32\DRIVERS\atapi.sys was found and disinfected
Restored copy from - Kitty ate it :p
c:\windows\system32\powrprof.dll . . . is infected!!

c:\windows\system32\wininet.dll . . . is infected!!

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_BTWSRV
-------\Legacy_FASTNETSRV
-------\Legacy_TDIDIS32.SYS
-------\Service_BtwSrv
-------\Service_fastnetsrv
-------\Service_tdidis32.sys


((((((((((((((((((((((((( Files Created from 2009-11-26 to 2009-12-26 )))))))))))))))))))))))))))))))
.

2009-12-26 10:27 . 2009-12-26 10:27 -------- d-----w- C:\_OTM
2009-12-24 21:06 . 2009-12-24 21:06 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-12-24 13:49 . 2009-12-03 22:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-24 13:49 . 2009-12-03 22:13 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-24 11:54 . 2009-12-24 11:54 155648 ----a-w- C:\srwq.exe
2009-12-24 11:42 . 2009-12-24 13:11 -------- d-----w- c:\windows\system32\xmldm
2009-12-24 11:40 . 2009-12-24 11:40 -------- d-----w- C:\_OTS
2009-12-22 12:59 . 2009-12-24 20:40 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-22 12:56 . 2009-12-22 12:56 -------- d-----w- c:\documents and settings\Eric\Application Data\Malwarebytes
2009-12-22 12:56 . 2009-12-22 12:56 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-12-22 11:19 . 2009-12-22 11:19 -------- d-----w- c:\windows\system32\wbem\Repository
2009-12-21 00:48 . 2009-12-21 00:48 -------- d-----w- c:\documents and settings\Anne\Application Data\PCToolsFirewallPlus
2009-12-20 14:38 . 2009-12-20 14:38 -------- d-----w- c:\documents and settings\Janet\Application Data\PCToolsFirewallPlus
2009-12-20 14:16 . 2009-12-20 14:17 -------- d-----w- c:\documents and settings\Eric\Application Data\PCToolsFirewallPlus
2009-12-20 14:15 . 2009-11-23 19:54 88040 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2009-12-20 14:15 . 2009-11-09 17:20 207792 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2009-12-20 14:15 . 2009-10-30 17:11 233136 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2009-12-20 14:15 . 2009-12-20 14:15 -------- d-----w- c:\program files\Common Files\PC Tools
2009-12-20 14:15 . 2009-11-24 14:54 56512 ----a-w- c:\windows\system32\drivers\pctNdis.sys
2009-12-20 14:15 . 2009-11-10 23:11 70408 ----a-w- c:\windows\system32\drivers\pctNdis-PacketFilter.sys
2009-12-20 14:15 . 2009-08-14 19:44 32552 ----a-w- c:\windows\system32\drivers\pctNdis-DNS.sys
2009-12-20 14:15 . 2009-10-16 22:55 115216 ----a-w- c:\windows\system32\drivers\pctplfw.sys
2009-12-20 14:15 . 2009-12-22 11:25 -------- d-----w- c:\program files\PC Tools Firewall Plus
2009-12-15 02:28 . 2009-12-15 02:28 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
2009-12-15 02:28 . 2009-12-15 02:28 -------- d-----w- c:\documents and settings\LocalService\Application Data\AdobeUM
2009-12-14 09:02 . 2009-12-14 09:02 -------- d-----w- c:\program files\MSXML 4.0
2009-12-13 17:33 . 2009-12-13 17:33 -------- d-----w- c:\documents and settings\Janet\Application Data\.clamwin
2009-12-13 16:54 . 2009-12-13 16:54 -------- d--h--w- c:\windows\PIF
2009-12-12 18:32 . 2009-12-12 18:32 -------- d-----w- c:\documents and settings\Administrator\Application Data\Walgreens
2009-12-12 05:45 . 2009-12-12 22:51 -------- d-----w- c:\documents and settings\Administrator\Application Data\.clamwin
2009-12-12 05:42 . 2009-12-12 05:42 -------- d-----w- c:\documents and settings\Eric\Application Data\.clamwin
2009-12-12 05:41 . 2009-12-19 23:34 -------- d-----w- c:\documents and settings\All Users\.clamwin
2009-12-11 23:23 . 2009-12-11 23:23 -------- d-----w- c:\documents and settings\Anne\Local Settings\Application Data\Threat Expert
2009-12-11 21:30 . 2009-12-26 19:35 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-12-11 21:28 . 2009-12-14 03:44 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-12-11 21:28 . 2009-12-12 01:12 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-12-11 21:27 . 2009-12-11 21:27 -------- d-----w- c:\program files\Trend Micro
2009-12-10 14:49 . 2009-12-10 14:49 40952 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-12-04 22:06 . 2009-12-26 18:44 -------- d-----w- c:\documents and settings\Eric\Application Data\HPAppData
2009-12-04 18:15 . 2009-12-24 01:58 -------- d-----w- c:\documents and settings\Janet\Application Data\HPAppData
2009-12-04 15:25 . 2009-12-23 04:15 -------- d-----w- c:\documents and settings\Anne\Application Data\HPAppData
2009-12-04 15:18 . 2009-12-04 15:18 -------- d-----w- c:\documents and settings\All Users\Application Data\WEBREG
2009-12-04 15:17 . 2009-12-04 15:18 -------- d-----w- c:\documents and settings\Anne\Application Data\HP
2009-12-04 15:17 . 2008-10-28 10:27 16496 ----a-r- c:\windows\system32\drivers\HPZipr12.sys
2009-12-04 15:16 . 2008-10-28 10:27 49920 ----a-r- c:\windows\system32\drivers\HPZid412.sys
2009-12-04 15:16 . 2009-04-16 20:08 123904 ----a-w- c:\windows\system32\hpf3l70v.dll
2009-12-04 15:16 . 2009-04-16 20:08 312832 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\hpfpp70v.dll
2009-12-04 15:16 . 2009-04-15 21:53 452408 ----a-r- c:\windows\system32\hpzids01.dll
2009-12-04 15:16 . 2008-10-28 10:27 21568 ----a-r- c:\windows\system32\drivers\HPZius12.sys
2009-12-04 15:16 . 2009-02-10 20:03 712704 ----a-r- c:\windows\system32\hposwia_d02c.dll
2009-12-04 15:16 . 2009-02-10 20:03 589824 ----a-r- c:\windows\system32\hpost_d02c.dll
2009-12-04 15:16 . 2009-02-10 20:03 315392 ----a-r- c:\windows\system32\hposc_d02a.dll
2009-12-04 15:16 . 2008-10-28 10:27 372736 ----a-r- c:\windows\system32\hppldcoi.dll
2009-12-04 15:16 . 2008-10-28 10:27 309760 ----a-r- c:\windows\system32\difxapi.dll
2009-12-04 15:13 . 2009-12-04 15:13 -------- d-----w- c:\documents and settings\All Users\Application Data\HP Product Assistant
2009-12-04 15:11 . 2009-12-04 15:11 -------- d-----w- c:\program files\Common Files\HP
2009-12-04 15:11 . 2009-12-04 15:11 -------- d-----w- c:\program files\Common Files\Hewlett-Packard
2009-12-04 15:11 . 2009-12-04 15:17 -------- d-----w- c:\documents and settings\All Users\Application Data\HP
2009-12-04 15:10 . 2009-12-04 15:14 -------- d-----w- c:\program files\HP
2009-12-04 15:07 . 2009-12-04 15:18 160881 ----a-w- c:\windows\hpoins44.dat
2009-12-04 15:07 . 2009-06-11 09:30 586 ------w- c:\windows\hpomdl44.dat
2009-12-04 14:48 . 2004-08-04 04:58 15104 -c--a-w- c:\windows\system32\dllcache\usbscan.sys
2009-12-04 14:48 . 2004-08-04 04:58 15104 ----a-w- c:\windows\system32\drivers\usbscan.sys
2009-12-04 14:48 . 2004-08-04 05:01 25856 -c--a-w- c:\windows\system32\dllcache\usbprint.sys
2009-12-04 14:48 . 2004-08-04 05:01 25856 ----a-w- c:\windows\system32\drivers\usbprint.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-26 14:27 . 2009-12-26 14:27 0 ---ha-w- c:\windows\system32\BITE.tmp
2009-12-26 14:27 . 2009-12-26 14:27 0 ---ha-w- c:\windows\system32\BITC.tmp
2009-12-26 14:26 . 2009-12-26 14:26 0 ---ha-w- c:\windows\system32\BITA.tmp
2009-12-26 14:26 . 2009-12-26 14:26 0 ---ha-w- c:\windows\system32\BIT9.tmp
2009-12-26 14:26 . 2009-12-26 14:26 0 ---ha-w- c:\windows\system32\BIT6.tmp
2009-12-26 14:26 . 2009-12-26 14:26 0 ---ha-w- c:\windows\system32\BIT5.tmp
2009-12-26 14:26 . 2009-12-26 14:26 0 ---ha-w- c:\windows\system32\BIT4.tmp
2009-12-26 12:57 . 2007-10-09 14:10 -------- d-----w- c:\documents and settings\Eric\Application Data\.purple
2009-12-26 10:45 . 2009-12-26 10:45 112 ----a-w- c:\windows\system32\srvblck2.tmp
2009-12-24 10:29 . 2006-06-23 17:33 670208 ----a-w- c:\windows\system32\wininet.dll
2009-12-24 10:29 . 2004-01-01 09:06 21504 ----a-w- c:\windows\system32\powrprof.dll
2009-12-24 10:29 . 2004-01-01 09:06 27136 --sha-w- c:\windows\system32\config\systemprofile\ntload.dll
2009-12-23 10:39 . 2006-11-12 02:30 -------- d-----w- c:\program files\LimeWire
2009-12-22 05:28 . 2007-10-09 00:58 -------- d-----w- c:\documents and settings\Anne\Application Data\.purple
2009-12-21 12:45 . 2009-12-21 12:45 2157 ----a-w- c:\documents and settings\Eric\Application Data\.purple\certificates\x509\tls_peers\omega.contacts.msn.com
2009-12-17 13:35 . 2007-10-12 22:41 -------- d-----w- c:\documents and settings\Eric\Application Data\gtk-2.0
2009-12-17 11:10 . 2007-10-09 00:57 -------- d-----w- c:\program files\Pidgin
2009-12-15 05:35 . 2006-11-24 02:56 -------- d-----w- c:\program files\PokerStars.NET
2009-12-15 05:33 . 2004-01-01 10:21 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-12-10 18:12 . 2007-11-24 19:39 40952 ----a-w- c:\documents and settings\Eric\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-12-10 16:59 . 2009-12-10 16:59 57856 ----a-w- c:\documents and settings\All Users\Application Data\Adobe\sp.DLL
2009-12-10 00:05 . 2006-11-11 22:23 -------- d-----w- c:\documents and settings\Anne\Application Data\AdobeUM
2009-12-06 04:09 . 2007-10-09 01:02 -------- d-----w- c:\documents and settings\Anne\Application Data\gtk-2.0
2009-12-04 15:21 . 2007-02-12 19:00 40952 ----a-w- c:\documents and settings\Anne\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-11-30 14:39 . 2008-08-17 00:22 -------- d-----w- c:\documents and settings\Eric\Application Data\Skype
2009-11-30 14:38 . 2008-08-17 00:23 -------- d-----w- c:\documents and settings\Eric\Application Data\skypePM
2009-11-23 09:24 . 2009-11-23 09:24 2165 ----a-w- c:\documents and settings\Eric\Application Data\.purple\certificates\x509\tls_peers\rsi.hotmail.com
2009-11-16 22:23 . 2006-11-17 20:15 -------- d-----w- c:\documents and settings\Eric\Application Data\LimeWire
2009-10-21 06:00 . 2007-11-24 18:52 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-21 06:00 . 2007-11-24 18:52 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-20 14:58 . 2007-11-24 18:52 263552 ----a-w- c:\windows\system32\drivers\http.sys
2009-10-19 09:41 . 2009-10-19 08:03 58 ----a-w- c:\windows\wp4.dat
2009-10-19 09:41 . 2009-10-19 08:03 3 ----a-w- c:\windows\wp3.dat
2009-10-13 10:53 . 2006-05-14 09:13 266752 ----a-w- c:\windows\system32\oakley.dll
2009-10-12 13:54 . 2004-01-01 09:06 112128 ----a-w- c:\windows\system32\rastls.dll
2009-10-12 13:54 . 2004-01-01 09:06 69632 ----a-w- c:\windows\system32\raschap.dll
2009-10-07 12:47 . 2009-10-07 12:47 2145 ----a-w- c:\documents and settings\Eric\Application Data\.purple\certificates\x509\tls_peers\ows.messenger.msn.com
2009-10-02 12:03 . 2009-10-02 12:03 2095 ----a-w- c:\documents and settings\Eric\Application Data\.purple\certificates\x509\tls_peers\login.live.com
2009-09-30 13:08 . 2009-09-30 13:08 1089 ----a-w- c:\documents and settings\Eric\Application Data\.purple\certificates\x509\tls_peers\login.yahoo.com
2007-11-15 21:05 . 2007-12-13 22:06 89088 ----a-w- c:\program files\mozilla firefox\plugins\atl71.dll
2007-11-15 21:05 . 2007-12-13 22:06 53248 ----a-w- c:\program files\mozilla firefox\plugins\boost_filesystem-vc71-mt-1_33_1.dll
2007-11-15 21:05 . 2007-12-13 22:06 499712 ----a-w- c:\program files\mozilla firefox\plugins\msvcp71.dll
2007-11-15 21:05 . 2007-12-13 22:06 348160 ----a-w- c:\program files\mozilla firefox\plugins\msvcr71.dll
2007-11-15 21:05 . 2007-12-13 22:06 110592 ----a-w- c:\program files\mozilla firefox\plugins\v22_base.dll
2007-11-15 21:05 . 2007-12-13 22:06 114688 ----a-w- c:\program files\mozilla firefox\plugins\v22_compression.dll
2007-11-15 21:05 . 2007-12-13 22:06 106496 ----a-w- c:\program files\mozilla firefox\plugins\v22_connect.dll
2007-11-15 21:05 . 2007-12-13 22:06 229376 ----a-w- c:\program files\mozilla firefox\plugins\v22_update.dll
2007-11-15 21:05 . 2007-12-13 22:06 196608 ----a-w- c:\program files\mozilla firefox\plugins\v22_utility.dll
2007-11-15 21:05 . 2007-12-13 22:06 159744 ----a-w- c:\program files\mozilla firefox\plugins\v22_winapplib.dll
2009-09-26 11:16 . 2009-09-26 11:16 22016 --sha-w- c:\windows\system32\yosutihe.exe
.

------- Sigcheck -------

[-] 2009-12-24 . 91CE9DE762E9F01E7AA39AD89CF00971 . 994304 . . [5.1.2600.3541] . . c:\windows\$hf_mig$\KB917422\SP2GDR\kernel32.dll
[-] 2009-12-24 . 91CE9DE762E9F01E7AA39AD89CF00971 . 994304 . . [5.1.2600.3541] . . c:\windows\$hf_mig$\KB917422\SP2QFE\kernel32.dll
[-] 2009-12-24 . 91CE9DE762E9F01E7AA39AD89CF00971 . 994304 . . [5.1.2600.3541] . . c:\windows\$hf_mig$\KB935839\SP2QFE\kernel32.dll
[-] 2009-12-24 . 91CE9DE762E9F01E7AA39AD89CF00971 . 994304 . . [5.1.2600.3541] . . c:\windows\$hf_mig$\KB959426\SP2QFE\kernel32.dll
[-] 2009-12-24 . 91CE9DE762E9F01E7AA39AD89CF00971 . 994304 . . [5.1.2600.3541] . . c:\windows\$hf_mig$\KB959426\SP3GDR\kernel32.dll
[-] 2009-12-24 . 91CE9DE762E9F01E7AA39AD89CF00971 . 994304 . . [5.1.2600.3541] . . c:\windows\$hf_mig$\KB959426\SP3QFE\kernel32.dll
[-] 2009-12-24 . 91CE9DE762E9F01E7AA39AD89CF00971 . 994304 . . [5.1.2600.3541] . . c:\windows\$NtServicePackUninstall$\kernel32.dll
[-] 2009-12-24 . 91CE9DE762E9F01E7AA39AD89CF00971 . 994304 . . [5.1.2600.3541] . . c:\windows\$NtUninstallKB917422$\kernel32.dll
[-] 2009-12-24 . 91CE9DE762E9F01E7AA39AD89CF00971 . 994304 . . [5.1.2600.3541] . . c:\windows\$NtUninstallKB917422_0$\kernel32.dll
[-] 2009-12-24 . 91CE9DE762E9F01E7AA39AD89CF00971 . 994304 . . [5.1.2600.3541] . . c:\windows\$NtUninstallKB935839$\kernel32.dll
[-] 2009-12-24 . 91CE9DE762E9F01E7AA39AD89CF00971 . 994304 . . [5.1.2600.3541] . . c:\windows\$NtUninstallKB959426$\kernel32.dll
[-] 2009-12-24 . 91CE9DE762E9F01E7AA39AD89CF00971 . 994304 . . [5.1.2600.3541] . . c:\windows\ServicePackFiles\i386\kernel32.dll
[-] 2009-12-24 . 91CE9DE762E9F01E7AA39AD89CF00971 . 994304 . . [5.1.2600.3541] . . c:\windows\SoftwareDistribution\Download\16b2c96a0c41f4dfdb4d3cc228a4f819\kernel32.dll
[-] 2009-12-24 . 91CE9DE762E9F01E7AA39AD89CF00971 . 994304 . . [5.1.2600.3541] . . c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\kernel32.dll
[-] 2009-12-24 . 91CE9DE762E9F01E7AA39AD89CF00971 . 994304 . . [5.1.2600.3541] . . c:\windows\system32\kernel32.dll
[-] 2009-12-24 . 91CE9DE762E9F01E7AA39AD89CF00971 . 994304 . . [5.1.2600.3541] . . c:\windows\system32\dllcache\kernel32.dll

[-] 2009-12-24 . BAAC49924BFF74A9223C74FB1D37A461 . 21504 . . [6.00.2900.2180] . . c:\windows\$NtServicePackUninstall$\powrprof.dll
[-] 2009-12-24 . BAAC49924BFF74A9223C74FB1D37A461 . 21504 . . [6.00.2900.2180] . . c:\windows\ServicePackFiles\i386\powrprof.dll
[-] 2009-12-24 . BAAC49924BFF74A9223C74FB1D37A461 . 21504 . . [6.00.2900.2180] . . c:\windows\SoftwareDistribution\Download\16b2c96a0c41f4dfdb4d3cc228a4f819\powrprof.dll
[-] 2009-12-24 . BAAC49924BFF74A9223C74FB1D37A461 . 21504 . . [6.00.2900.2180] . . c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\powrprof.dll
[-] 2009-12-24 . BAAC49924BFF74A9223C74FB1D37A461 . 21504 . . [6.00.2900.2180] . . c:\windows\system32\powrprof.dll

[-] 2009-12-24 . C24783F6DDCB579BB4383970283C0965 . 670208 . . [6.00.2900.3627] . . c:\windows\$hf_mig$\KB939653\SP2QFE\wininet.dll
[-] 2009-12-24 . C24783F6DDCB579BB4383970283C0965 . 670208 . . [6.00.2900.3627] . . c:\windows\$hf_mig$\KB942615\SP2QFE\wininet.dll
[-] 2009-12-24 . C24783F6DDCB579BB4383970283C0965 . 670208 . . [6.00.2900.3627] . . c:\windows\$hf_mig$\KB944533\SP2QFE\wininet.dll
[-] 2009-12-24 . C24783F6DDCB579BB4383970283C0965 . 670208 . . [6.00.2900.3627] . . c:\windows\$hf_mig$\KB947864\SP2QFE\wininet.dll
[-] 2009-12-24 . C24783F6DDCB579BB4383970283C0965 . 670208 . . [6.00.2900.3627] . . c:\windows\$hf_mig$\KB950759\SP2QFE\wininet.dll
[-] 2009-12-24 . C24783F6DDCB579BB4383970283C0965 . 670208 . . [6.00.2900.3627] . . c:\windows\$hf_mig$\KB950759\SP3GDR\wininet.dll
[-] 2009-12-24 . C24783F6DDCB579BB4383970283C0965 . 670208 . . [6.00.2900.3627] . . c:\windows\$hf_mig$\KB950759\SP3QFE\wininet.dll
[-] 2009-12-24 . C24783F6DDCB579BB4383970283C0965 . 670208 . . [6.00.2900.3627] . . c:\windows\$hf_mig$\KB950759-IE7\SP2QFE\wininet.dll
[-] 2009-12-24 . C24783F6DDCB579BB4383970283C0965 . 670208 . . [6.00.2900.3627] . . c:\windows\$hf_mig$\KB953838-IE7\SP2QFE\wininet.dll
[-] 2009-12-24 . C24783F6DDCB579BB4383970283C0965 . 670208 . . [6.00.2900.3627] . . c:\windows\$hf_mig$\KB956390-IE7\SP2QFE\wininet.dll
[-] 2009-12-24 . C24783F6DDCB579BB4383970283C0965 . 670208 . . [6.00.2900.3627] . . c:\windows\$hf_mig$\KB958215-IE7\SP2QFE\wininet.dll
[-] 2009-12-24 . C24783F6DDCB579BB4383970283C0965 . 670208 . . [6.00.2900.3627] . . c:\windows\$hf_mig$\KB961260-IE7\SP2QFE\wininet.dll
[-] 2009-12-24 . C24783F6DDCB579BB4383970283C0965 . 670208 . . [6.00.2900.3627] . . c:\windows\$hf_mig$\KB963027-IE7\SP3QFE\wininet.dll
[-] 2009-12-24 . C24783F6DDCB579BB4383970283C0965 . 670208 . . [6.00.2900.3627] . . c:\windows\$hf_mig$\KB969897-IE7\SP3QFE\wininet.dll
[-] 2009-12-24 . C24783F6DDCB579BB4383970283C0965 . 670208 . . [6.00.2900.3627] . . c:\windows\$hf_mig$\KB972260\SP2QFE\wininet.dll
[-] 2009-12-24 . C24783F6DDCB579BB4383970283C0965 . 670208 . . [6.00.2900.3627] . . c:\windows\$hf_mig$\KB972260\SP3GDR\wininet.dll
[-] 2009-12-24 . C24783F6DDCB579BB4383970283C0965 . 670208 . . [6.00.2900.3627] . . c:\windows\$hf_mig$\KB972260\SP3QFE\wininet.dll
[-] 2009-12-24 . C24783F6DDCB579BB4383970283C0965 . 670208 . . [6.00.2900.3627] . . c:\windows\$hf_mig$\KB972260-IE7\SP3QFE\wininet.dll
[-] 2009-12-24 . C24783F6DDCB579BB4383970283C0965 . 670208 . . [6.00.2900.3627] . . c:\windows\$hf_mig$\KB974455\SP2QFE\wininet.dll
[-] 2009-12-24 . C24783F6DDCB579BB4383970283C0965 . 670208 . . [6.00.2900.3627] . . c:\windows\$hf_mig$\KB974455\SP3GDR\wininet.dll
[-] 2009-12-24 . C24783F6DDCB579BB4383970283C0965 . 670208 . . [6.00.2900.3627] . . c:\windows\$hf_mig$\KB974455\SP3QFE\wininet.dll
[-] 2009-12-24 . C24783F6DDCB579BB4383970283C0965 . 670208 . . [6.00.2900.3627] . . c:\windows\$hf_mig$\KB976325\SP2QFE\wininet.dll
[-] 2009-12-24 . C24783F6DDCB579BB4383970283C0965 . 670208 . . [6.00.2900.3627] . . c:\windows\$hf_mig$\KB976325\SP3GDR\wininet.dll
[-] 2009-12-24 . C24783F6DDCB579BB4383970283C0965 . 670208 . . [6.00.2900.3627] . . c:\windows\$hf_mig$\KB976325\SP3QFE\wininet.dll
[-] 2009-12-24 . C24783F6DDCB579BB4383970283C0965 . 670208 . . [6.00.2900.3627] . . c:\windows\$NtServicePackUninstall$\wininet.dll
[-] 2009-12-24 . C24783F6DDCB579BB4383970283C0965 . 670208 . . [6.00.2900.3627] . . c:\windows\$NtUninstallKB918899-IE6SP1-20060725.123917$\wininet.dll
[-] 2009-12-24 . C24783F6DDCB579BB4383970283C0965 . 670208 . . [6.00.2900.3627] . . c:\windows\$NtUninstallKB939653$\wininet.dll
[-] 2009-12-24 . C24783F6DDCB579BB4383970283C0965 . 670208 . . [6.00.2900.3627] . . c:\windows\$NtUninstallKB942615$\wininet.dll
[-] 2009-12-24 . C24783F6DDCB579BB4383970283C0965 . 670208 . . [6.00.2900.3627] . . c:\windows\$NtUninstallKB944533$\wininet.dll
[-] 2009-12-24 . C24783F6DDCB579BB4383970283C0965 . 670208 . . [6.00.2900.3627] . . c:\windows\$NtUninstallKB947864$\wininet.dll
[-] 2009-12-24 . C24783F6DDCB579BB4383970283C0965 . 670208 . . [6.00.2900.3627] . . c:\windows\$NtUninstallKB950759$\wininet.dll
[-] 2009-12-24 . C24783F6DDCB579BB4383970283C0965 . 670208 . . [6.00.2900.3627] . . c:\windows\$NtUninstallKB972260$\wininet.dll
[-] 2009-12-24 . C24783F6DDCB579BB4383970283C0965 . 670208 . . [6.00.2900.3627] . . c:\windows\$NtUninstallKB974455$\wininet.dll
[-] 2009-12-24 . C24783F6DDCB579BB4383970283C0965 . 670208 . . [6.00.2900.3627] . . c:\windows\$NtUninstallKB976325$\wininet.dll
[-] 2009-12-24 . C24783F6DDCB579BB4383970283C0965 . 670208 . . [6.00.2900.3627] . . c:\windows\ie7updates\KB953838-IE7\wininet.dll
[-] 2009-12-24 . C24783F6DDCB579BB4383970283C0965 . 670208 . . [6.00.2900.3627] . . c:\windows\ie7updates\KB958215-IE7\wininet.dll
[-] 2009-12-24 . C24783F6DDCB579BB4383970283C0965 . 670208 . . [6.00.2900.3627] . . c:\windows\ie7updates\KB961260-IE7\wininet.dll
[-] 2009-12-24 . C24783F6DDCB579BB4383970283C0965 . 670208 . . [6.00.2900.3627] . . c:\windows\ServicePackFiles\i386\wininet.dll
[-] 2009-12-24 . C24783F6DDCB579BB4383970283C0965 . 670208 . . [6.00.2900.3627] . . c:\windows\SoftwareDistribution\Download\16b2c96a0c41f4dfdb4d3cc228a4f819\wininet.dll
[-] 2009-12-24 . C24783F6DDCB579BB4383970283C0965 . 670208 . . [6.00.2900.3627] . . c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\wininet.dll
[-] 2009-12-24 . C24783F6DDCB579BB4383970283C0965 . 670208 . . [6.00.2900.3627] . . c:\windows\system32\wininet.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\sp]
@="{96AFBE69-C3B0-4b00-8578-D933D2896EE2}"
[HKEY_CLASSES_ROOT\CLSID\{96AFBE69-C3B0-4b00-8578-D933D2896EE2}]
2009-12-10 16:59 57856 ----a-w- c:\documents and settings\All Users\Application Data\Adobe\sp.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"00PCTFW"="c:\program files\PC Tools Firewall Plus\FirewallGUI.exe" [2009-11-27 2971608]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"notepad"="c:\windows\system32\config\SYSTEM~1\ntload.dll" [2009-12-24 27136]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^PalTalk.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\PalTalk.lnk
backup=c:\windows\pss\PalTalk.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Eric^Start Menu^Programs^Startup^scandisk.dll]
path=c:\documents and settings\Eric\Start Menu\Programs\Startup\scandisk.dll
backup=c:\windows\pss\scandisk.dllStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Eric^Start Menu^Programs^Startup^scandisk.lnk]
path=c:\documents and settings\Eric\Start Menu\Programs\Startup\scandisk.lnk
backup=c:\windows\pss\scandisk.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Bart Station]
2005-06-13 19:55 20480 ------w- c:\program files\PeoplePC\ISP6100\Bin\PPCOLink.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2004-08-04 06:56 15360 ------w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk]
2007-01-01 21:22 3739648 ----a-w- c:\program files\Google\Google Talk\googletalk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2007-05-08 22:24 54840 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
2004-08-04 04:32 208952 ----a-w- c:\windows\ime\imjp8_1\imjpmig.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2004-10-13 16:24 1694208 ----a-w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSPY2002]
2004-08-04 04:31 59392 ----a-w- c:\windows\system32\IME\PINTLGNT\IMSCINST.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 10:50 155648 ----a-w- c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A]
2004-08-04 04:32 455168 ----a-w- c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync]
2004-08-04 04:32 455168 ----a-w- c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2004-01-01 11:53 77824 ----a-w- c:\program files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
2003-11-01 03:42 32768 ----a-w- c:\program files\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2007-07-12 10:00 132496 ----a-w- c:\program files\Java\jre1.6.0_02\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunKistEM]
2004-03-11 23:18 135168 ----a-w- c:\program files\eMachines Bay Reader\shwiconEM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"fastnetsrv"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\MSN\\MSNCoreFiles\\msn6.exe"=
"c:\\Program Files\\Pidgin\\pidgin.exe"=
"c:\\Program Files\\aim\\aim.exe"=
"c:\\Program Files\\PurePlay\\Poker\\PurePlayPoker.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Documents and Settings\\Anne\\My Documents\\silverchild_24\\VamPChaT\\mirc.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\WINDOWS\\system32\\svchost.exe"=
"c:\\Program Files\\Spybot - Search & Destroy\\SpybotSD.exe"=
"c:\\Program Files\\PeoplePC\\ISP6100\\Bin\\PPCOLink.exe"=
"c:\\WINDOWS\\PCHealth\\HelpCtr\\Binaries\\msconfig.exe"=
"c:\\WINDOWS\\system32\\spoolsv.exe"=
"c:\\Program Files\\PC Tools Firewall Plus\\FirewallGUI.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8080:TCP"= 8080:TCP:blacksilver
"5576:TCP"= 5576:TCP:spport
"27679:TCP"= 27679:TCP:spport
"12778:TCP"= 12778:TCP:spport
"24727:TCP"= 24727:TCP:spport
"24081:TCP"= 24081:TCP:spport
"18799:TCP"= 18799:TCP:spport
"5586:TCP"= 5586:TCP:spport
"18914:TCP"= 18914:TCP:spport
"5645:TCP"= 5645:TCP:spport
"10850:TCP"= 10850:TCP:spport
"29694:TCP"= 29694:TCP:spport
"14876:TCP"= 14876:TCP:spport
"29596:TCP"= 29596:TCP:spport
"10317:TCP"= 10317:TCP:spport
"24501:TCP"= 24501:TCP:spport
"16950:TCP"= 16950:TCP:spport
"5736:TCP"= 5736:TCP:spport
"15492:TCP"= 15492:TCP:spport
"7112:TCP"= 7112:TCP:spport
"9548:TCP"= 9548:TCP:spport
"9001:TCP"= 9001:TCP:spport
"29261:TCP"= 29261:TCP:spport
"19990:TCP"= 19990:TCP:spport
"24336:TCP"= 24336:TCP:spport
"25100:TCP"= 25100:TCP:spport
"19537:TCP"= 19537:TCP:spport
"13204:TCP"= 13204:TCP:spport
"14253:TCP"= 14253:TCP:spport
"14613:TCP"= 14613:TCP:spport
"5461:TCP"= 5461:TCP:spport
"25794:TCP"= 25794:TCP:spport
"6490:TCP"= 6490:TCP:spport
"27557:TCP"= 27557:TCP:spport
"11116:TCP"= 11116:TCP:spport
"26056:TCP"= 26056:TCP:spport
"14385:TCP"= 14385:TCP:spport
"21012:TCP"= 21012:TCP:spport
"26860:TCP"= 26860:TCP:spport
"8290:TCP"= 8290:TCP:spport
"13443:TCP"= 13443:TCP:spport
"10961:TCP"= 10961:TCP:spport
"28647:TCP"= 28647:TCP:spport
"24337:TCP"= 24337:TCP:spport
"25097:TCP"= 25097:TCP:spport
"21167:TCP"= 21167:TCP:spport
"10475:TCP"= 10475:TCP:spport
"5034:TCP"= 5034:TCP:spport
"22097:TCP"= 22097:TCP:spport
"17116:TCP"= 17116:TCP:spport

R1 pctgntdi;pctgntdi;c:\windows\system32\drivers\pctgntdi.sys [12/20/2009 8:15 AM 233136]
R2 PCTAppEvent;PCTAppEvent Driver;c:\windows\system32\drivers\PCTAppEvent.sys [12/20/2009 8:15 AM 88040]
R2 SPService;SPService;c:\windows\system32\svchost.exe -k netsvc [1/1/2004 3:06 AM 14336]
R3 PCTFW-DNS;PCTools Firewall - DNS driver;c:\windows\system32\drivers\pctNdis-DNS.sys [12/20/2009 8:15 AM 32552]
R3 PCTFW-PacketFilter;PCTools Firewall - Packet filter driver;c:\windows\system32\drivers\pctNdis-PacketFilter.sys [12/20/2009 8:15 AM 70408]
R3 pctNDIS;PC Tools Driver;c:\windows\system32\drivers\pctNdis.sys [12/20/2009 8:15 AM 56512]
R3 pctplfw;pctplfw;c:\windows\system32\drivers\pctplfw.sys [12/20/2009 8:15 AM 115216]
S3 CCCP106;CIF USB Camera (2110A);c:\windows\system32\drivers\cccp106.sys [11/27/2006 4:06 PM 227200]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [12/24/2009 7:49 AM 38224]
S4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [1/15/2007 9:12 PM 24652]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
netsvc REG_MULTI_SZ SPService
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uInternet Settings,ProxyServer = localhost:8080
FF - ProfilePath - c:\documents and settings\Eric\Application Data\Mozilla\Firefox\Profiles\5f6awe7z.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.bing.com/search?FORM=IEFM1&q=
FF - prefs.js: browser.search.selectedEngine - Yu-Gi-Oh! (en)
FF - prefs.js: browser.startup.homepage - hxxp://www.deviantart.com/
FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?FORM=IEFM1&q=
FF - prefs.js: network.proxy.ftp - proxy_sever
FF - prefs.js: network.proxy.ftp_port - 8080
FF - prefs.js: network.proxy.gopher - proxy_sever
FF - prefs.js: network.proxy.gopher_port - 8080
FF - prefs.js: network.proxy.http - proxy_sever
FF - prefs.js: network.proxy.http_port - 8080
FF - prefs.js: network.proxy.socks - proxy_sever
FF - prefs.js: network.proxy.socks_port - 8080
FF - prefs.js: network.proxy.ssl - proxy_sever
FF - prefs.js: network.proxy.ssl_port - 8080
FF - prefs.js: network.proxy.type - 4
FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpClipBook.dll
FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpClipBookDB.dll
FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpNeoLogger.dll
FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpSaturn.dll
FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpSeymour.dll
FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpSmartSelect.dll
FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpSmartWebPrinting.dll
FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpSWPOperation.dll
FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpXPLogging.dll
FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpXPMTC.dll
FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpXPMTL.dll
FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpXREStub.dll
FF - plugin: c:\progra~1\Yahoo!\Common\npyaxmpb.dll
FF - plugin: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\plugins\nphpclipbook.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npOGAPlugin.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPView22.dll
FF - plugin: c:\program files\SceneCaster\Version 3.11.16\NPSceneCaster.dll
FF - plugin: c:\program files\view22\version_4\NPView22.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-MySpaceIM - c:\program files\MySpace\IM\MySpaceIM.exe
SSODL-rehirodup-{3c80fcc8-b88d-4740-bcec-d2d122abcbe9} - (no file)
MSConfigStartUp-ClamWin - i:\clamwin\bin\ClamTray.exe
MSConfigStartUp-iinjug - c:\windows\system32\msilojzb.dll
MSConfigStartUp-Internet Security 2010 - c:\program files\InternetSecurity2010\IS2010.exe
MSConfigStartUp-leopehgqqd78o - c:\windows\system32\leopehgqqd78o.exe
MSConfigStartUp-lokerususe - fepabavi.dll
MSConfigStartUp-mhjury - c:\windows\system32\msynldks.dll
MSConfigStartUp-nejepidof - c:\windows\system32\yobiseha.dll
MSConfigStartUp-notepad - c:\windows\system32\notepad.dll
MSConfigStartUp-tqammy - c:\windows\system32\msaouahn.dll
MSConfigStartUp-winupdate86 - c:\windows\system32\winupdate86.exe
AddRemove-ClamWin Free Antivirus_is1 - i:\clamwin\unins000.exe
AddRemove-pidgin-guifications - c:\program files\Pidgin\pidgin-guifications-uninst.exe
AddRemove-StreetPlugin - c:\program files\Learn2.com\StRunner\stuninst.exe
AddRemove-{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1 - i:\spybot - search & destroy\unins000.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-26 13:35
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3760)
c:\documents and settings\all users\application data\adobe\sp.dll
c:\windows\system32\wpdshext.dll
c:\windows\system32\PortableDeviceApi.dll
c:\windows\system32\Audiodev.dll
c:\windows\system32\WMVCore.DLL
c:\windows\system32\WMASF.DLL
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\CTsvcCDA.exe
c:\program files\PC Tools Firewall Plus\FWService.exe
c:\windows\wanmpsvc.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-12-26 13:42:34 - machine was rebooted
ComboFix-quarantined-files.txt 2009-12-26 19:42

Pre-Run: 98,400,841,728 bytes free
Post-Run: 98,379,812,864 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

- - End Of File - - 5779B166C4765BC243FFB04BB82CA471
 
Hi blackdra

1 - Run CFScript

Open Notepad and copy/paste the text in the box into the window:

Code:
File::
C:\windows\system32\srvblck2.tmp

FCopy::
C:\windows\ServicePackFiles\i386\powrprof.dll | c:\windows\system32\powrprof.dll
C:\windows\ServicePackFiles\i386\wininet.dll | c:\windows\system32\wininet.dll

Registry::
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"notepad"=-

  • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.

    [screenshot: CFScriptB-4.gif]

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.
CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

2 - Run Hijackthis
Click on the Do a system scan and save a logfile button. It will scan and the log should open in Notepad.

3 - Status Check
Please reply with

1. the ComboFix log (C:\ComboFix.txt)
2. a fresh HijackThis log

Thanks peku006
 
ComboFix 09-12-25.05 - Eric 12/27/2009 9:57.2.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1271.944 [GMT -6:00]
Running from: c:\documents and settings\Eric\Desktop\blackdra.exe
Command switches used :: c:\documents and settings\Eric\Desktop\cfscript.txt
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\powrprof.dll . . . is infected!!

c:\windows\system32\wininet.dll . . . is infected!!

.
--------------- FCopy ---------------

c:\windows\ServicePackFiles\i386\powrprof.dll --> c:\windows\system32\powrprof.dll
c:\windows\ServicePackFiles\i386\wininet.dll --> c:\windows\system32\wininet.dll
.
((((((((((((((((((((((((( Files Created from 2009-11-27 to 2009-12-27 )))))))))))))))))))))))))))))))
.

2009-12-27 15:57 . 2009-12-27 15:57 -------- d-----w- c:\windows\LastGood
2009-12-27 15:30 . 2008-05-02 16:41 3493888 ---ha-w- c:\documents and settings\Shawn\Application Data\U3\temp\Launchpad Removal.exe
2009-12-27 15:29 . 2004-08-04 06:56 21504 -c--a-w- c:\windows\system32\dllcache\hidserv.dll
2009-12-27 15:29 . 2004-08-04 06:56 21504 ----a-w- c:\windows\system32\hidserv.dll
2009-12-27 15:29 . 2009-12-27 15:30 -------- d-----w- c:\documents and settings\Shawn\Application Data\U3
2009-12-27 15:02 . 2009-12-27 15:03 -------- d-----w- c:\documents and settings\Shawn\Application Data\PCToolsFirewallPlus
2009-12-26 10:27 . 2009-12-26 10:27 -------- d-----w- C:\_OTM
2009-12-24 21:06 . 2009-12-24 21:06 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-12-24 13:49 . 2009-12-03 22:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-24 13:49 . 2009-12-03 22:13 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-24 11:54 . 2009-12-24 11:54 155648 ----a-w- C:\srwq.exe
2009-12-24 11:42 . 2009-12-24 13:11 -------- d-----w- c:\windows\system32\xmldm
2009-12-24 11:40 . 2009-12-24 11:40 -------- d-----w- C:\_OTS
2009-12-22 12:59 . 2009-12-24 20:40 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-22 12:56 . 2009-12-22 12:56 -------- d-----w- c:\documents and settings\Eric\Application Data\Malwarebytes
2009-12-22 12:56 . 2009-12-22 12:56 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-12-22 11:19 . 2009-12-22 11:19 -------- d-----w- c:\windows\system32\wbem\Repository
2009-12-21 12:45 . 2009-12-21 12:45 2157 ----a-w- c:\documents and settings\Eric\Application Data\.purple\certificates\x509\tls_peers\omega.contacts.msn.com
2009-12-21 00:48 . 2009-12-21 00:48 -------- d-----w- c:\documents and settings\Anne\Application Data\PCToolsFirewallPlus
2009-12-20 14:38 . 2009-12-20 14:38 -------- d-----w- c:\documents and settings\Janet\Application Data\PCToolsFirewallPlus
2009-12-20 14:16 . 2009-12-20 14:17 -------- d-----w- c:\documents and settings\Eric\Application Data\PCToolsFirewallPlus
2009-12-20 14:15 . 2009-11-23 19:54 88040 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2009-12-20 14:15 . 2009-11-09 17:20 207792 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2009-12-20 14:15 . 2009-10-30 17:11 233136 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2009-12-20 14:15 . 2009-12-20 14:15 -------- d-----w- c:\program files\Common Files\PC Tools
2009-12-20 14:15 . 2009-11-24 14:54 56512 ----a-w- c:\windows\system32\drivers\pctNdis.sys
2009-12-20 14:15 . 2009-11-10 23:11 70408 ----a-w- c:\windows\system32\drivers\pctNdis-PacketFilter.sys
2009-12-20 14:15 . 2009-08-14 19:44 32552 ----a-w- c:\windows\system32\drivers\pctNdis-DNS.sys
2009-12-20 14:15 . 2009-10-16 22:55 115216 ----a-w- c:\windows\system32\drivers\pctplfw.sys
2009-12-20 14:15 . 2009-12-22 11:25 -------- d-----w- c:\program files\PC Tools Firewall Plus
2009-12-15 02:28 . 2009-12-15 02:28 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
2009-12-15 02:28 . 2009-12-15 02:28 -------- d-----w- c:\documents and settings\LocalService\Application Data\AdobeUM
2009-12-14 09:02 . 2009-12-14 09:02 -------- d-----w- c:\program files\MSXML 4.0
2009-12-13 17:33 . 2009-12-13 17:33 -------- d-----w- c:\documents and settings\Janet\Application Data\.clamwin
2009-12-13 16:54 . 2009-12-13 16:54 -------- d--h--w- c:\windows\PIF
2009-12-12 18:32 . 2009-12-12 18:32 -------- d-----w- c:\documents and settings\Administrator\Application Data\Walgreens
2009-12-12 05:45 . 2009-12-12 22:51 -------- d-----w- c:\documents and settings\Administrator\Application Data\.clamwin
2009-12-12 05:42 . 2009-12-12 05:42 -------- d-----w- c:\documents and settings\Eric\Application Data\.clamwin
2009-12-12 05:41 . 2009-12-19 23:34 -------- d-----w- c:\documents and settings\All Users\.clamwin
2009-12-11 23:23 . 2009-12-11 23:23 -------- d-----w- c:\documents and settings\Anne\Local Settings\Application Data\Threat Expert
2009-12-11 21:30 . 2009-12-27 15:54 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-12-11 21:28 . 2009-12-14 03:44 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-12-11 21:28 . 2009-12-12 01:12 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-12-11 21:27 . 2009-12-11 21:27 -------- d-----w- c:\program files\Trend Micro
2009-12-10 16:59 . 2009-12-10 16:59 57856 ----a-w- c:\documents and settings\All Users\Application Data\Adobe\sp.DLL
2009-12-10 14:49 . 2009-12-10 14:49 40952 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-12-04 22:06 . 2009-12-27 15:54 -------- d-----w- c:\documents and settings\Eric\Application Data\HPAppData
2009-12-04 18:15 . 2009-12-24 01:58 -------- d-----w- c:\documents and settings\Janet\Application Data\HPAppData
2009-12-04 15:25 . 2009-12-23 04:15 -------- d-----w- c:\documents and settings\Anne\Application Data\HPAppData
2009-12-04 15:18 . 2009-12-04 15:18 -------- d-----w- c:\documents and settings\All Users\Application Data\WEBREG
2009-12-04 15:17 . 2009-12-04 15:18 -------- d-----w- c:\documents and settings\Anne\Application Data\HP
2009-12-04 15:17 . 2008-10-28 10:27 16496 ----a-r- c:\windows\system32\drivers\HPZipr12.sys
2009-12-04 15:16 . 2008-10-28 10:27 49920 ----a-r- c:\windows\system32\drivers\HPZid412.sys
2009-12-04 15:16 . 2009-04-16 20:08 123904 ----a-w- c:\windows\system32\hpf3l70v.dll
2009-12-04 15:16 . 2009-04-16 20:08 312832 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\hpfpp70v.dll
2009-12-04 15:16 . 2009-04-15 21:53 452408 ----a-r- c:\windows\system32\hpzids01.dll
2009-12-04 15:16 . 2008-10-28 10:27 21568 ----a-r- c:\windows\system32\drivers\HPZius12.sys
2009-12-04 15:16 . 2009-02-10 20:03 712704 ----a-r- c:\windows\system32\hposwia_d02c.dll
2009-12-04 15:16 . 2009-02-10 20:03 589824 ----a-r- c:\windows\system32\hpost_d02c.dll
2009-12-04 15:16 . 2009-02-10 20:03 315392 ----a-r- c:\windows\system32\hposc_d02a.dll
2009-12-04 15:16 . 2008-10-28 10:27 372736 ----a-r- c:\windows\system32\hppldcoi.dll
2009-12-04 15:16 . 2008-10-28 10:27 309760 ----a-r- c:\windows\system32\difxapi.dll
2009-12-04 15:13 . 2009-12-04 15:13 -------- d-----w- c:\documents and settings\All Users\Application Data\HP Product Assistant
2009-12-04 15:11 . 2009-12-04 15:11 -------- d-----w- c:\program files\Common Files\HP
2009-12-04 15:11 . 2009-12-04 15:11 -------- d-----w- c:\program files\Common Files\Hewlett-Packard
2009-12-04 15:11 . 2009-12-04 15:17 -------- d-----w- c:\documents and settings\All Users\Application Data\HP
2009-12-04 15:10 . 2009-12-04 15:14 -------- d-----w- c:\program files\HP
2009-12-04 15:07 . 2009-12-04 15:18 160881 ----a-w- c:\windows\hpoins44.dat
2009-12-04 15:07 . 2009-06-11 09:30 586 ------w- c:\windows\hpomdl44.dat
2009-12-04 14:48 . 2004-08-04 04:58 15104 -c--a-w- c:\windows\system32\dllcache\usbscan.sys
2009-12-04 14:48 . 2004-08-04 04:58 15104 ----a-w- c:\windows\system32\drivers\usbscan.sys
2009-12-04 14:48 . 2004-08-04 05:01 25856 -c--a-w- c:\windows\system32\dllcache\usbprint.sys
2009-12-04 14:48 . 2004-08-04 05:01 25856 ----a-w- c:\windows\system32\drivers\usbprint.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-27 15:11 . 2007-12-15 06:23 40952 ----a-w- c:\documents and settings\Shawn\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-12-27 06:25 . 2007-10-09 14:10 -------- d-----w- c:\documents and settings\Eric\Application Data\.purple
2009-12-26 14:27 . 2009-12-26 14:27 0 ---ha-w- c:\windows\system32\BITE.tmp
2009-12-26 14:27 . 2009-12-26 14:27 0 ---ha-w- c:\windows\system32\BITC.tmp
2009-12-26 14:26 . 2009-12-26 14:26 0 ---ha-w- c:\windows\system32\BITA.tmp
2009-12-26 14:26 . 2009-12-26 14:26 0 ---ha-w- c:\windows\system32\BIT9.tmp
2009-12-26 14:26 . 2009-12-26 14:26 0 ---ha-w- c:\windows\system32\BIT6.tmp
2009-12-26 14:26 . 2009-12-26 14:26 0 ---ha-w- c:\windows\system32\BIT5.tmp
2009-12-26 14:26 . 2009-12-26 14:26 0 ---ha-w- c:\windows\system32\BIT4.tmp
2009-12-26 10:45 . 2009-12-26 10:45 112 ----a-w- c:\windows\system32\srvblck2.tmp
2009-12-24 10:29 . 2006-06-23 17:33 670208 ----a-w- c:\windows\system32\wininet.dll
2009-12-24 10:29 . 2004-01-01 09:06 21504 ----a-w- c:\windows\system32\powrprof.dll
2009-12-24 10:29 . 2004-01-01 09:06 27136 --sha-w- c:\windows\system32\config\systemprofile\ntload.dll
2009-12-23 10:39 . 2006-11-12 02:30 -------- d-----w- c:\program files\LimeWire
2009-12-22 05:28 . 2007-10-09 00:58 -------- d-----w- c:\documents and settings\Anne\Application Data\.purple
2009-12-17 13:35 . 2007-10-12 22:41 -------- d-----w- c:\documents and settings\Eric\Application Data\gtk-2.0
2009-12-17 11:10 . 2007-10-09 00:57 -------- d-----w- c:\program files\Pidgin
2009-12-15 05:35 . 2006-11-24 02:56 -------- d-----w- c:\program files\PokerStars.NET
2009-12-15 05:33 . 2004-01-01 10:21 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-12-10 18:12 . 2007-11-24 19:39 40952 ----a-w- c:\documents and settings\Eric\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-12-10 00:05 . 2006-11-11 22:23 -------- d-----w- c:\documents and settings\Anne\Application Data\AdobeUM
2009-12-06 04:09 . 2007-10-09 01:02 -------- d-----w- c:\documents and settings\Anne\Application Data\gtk-2.0
2009-12-04 15:21 . 2007-02-12 19:00 40952 ----a-w- c:\documents and settings\Anne\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-11-30 14:39 . 2008-08-17 00:22 -------- d-----w- c:\documents and settings\Eric\Application Data\Skype
2009-11-30 14:38 . 2008-08-17 00:23 -------- d-----w- c:\documents and settings\Eric\Application Data\skypePM
2009-11-23 09:24 . 2009-11-23 09:24 2165 ----a-w- c:\documents and settings\Eric\Application Data\.purple\certificates\x509\tls_peers\rsi.hotmail.com
2009-11-16 22:23 . 2006-11-17 20:15 -------- d-----w- c:\documents and settings\Eric\Application Data\LimeWire
2009-10-21 06:00 . 2007-11-24 18:52 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-21 06:00 . 2007-11-24 18:52 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-20 14:58 . 2007-11-24 18:52 263552 ----a-w- c:\windows\system32\drivers\http.sys
2009-10-19 09:41 . 2009-10-19 08:03 58 ----a-w- c:\windows\wp4.dat
2009-10-19 09:41 . 2009-10-19 08:03 3 ----a-w- c:\windows\wp3.dat
2009-10-13 10:53 . 2006-05-14 09:13 266752 ----a-w- c:\windows\system32\oakley.dll
2009-10-12 13:54 . 2004-01-01 09:06 112128 ----a-w- c:\windows\system32\rastls.dll
2009-10-12 13:54 . 2004-01-01 09:06 69632 ----a-w- c:\windows\system32\raschap.dll
2009-10-07 12:47 . 2009-10-07 12:47 2145 ----a-w- c:\documents and settings\Eric\Application Data\.purple\certificates\x509\tls_peers\ows.messenger.msn.com
2009-10-02 12:03 . 2009-10-02 12:03 2095 ----a-w- c:\documents and settings\Eric\Application Data\.purple\certificates\x509\tls_peers\login.live.com
2009-09-30 13:08 . 2009-09-30 13:08 1089 ----a-w- c:\documents and settings\Eric\Application Data\.purple\certificates\x509\tls_peers\login.yahoo.com
2007-11-15 21:05 . 2007-12-13 22:06 89088 ----a-w- c:\program files\mozilla firefox\plugins\atl71.dll
2007-11-15 21:05 . 2007-12-13 22:06 53248 ----a-w- c:\program files\mozilla firefox\plugins\boost_filesystem-vc71-mt-1_33_1.dll
2007-11-15 21:05 . 2007-12-13 22:06 499712 ----a-w- c:\program files\mozilla firefox\plugins\msvcp71.dll
2007-11-15 21:05 . 2007-12-13 22:06 348160 ----a-w- c:\program files\mozilla firefox\plugins\msvcr71.dll
2007-11-15 21:05 . 2007-12-13 22:06 110592 ----a-w- c:\program files\mozilla firefox\plugins\v22_base.dll
2007-11-15 21:05 . 2007-12-13 22:06 114688 ----a-w- c:\program files\mozilla firefox\plugins\v22_compression.dll
2007-11-15 21:05 . 2007-12-13 22:06 106496 ----a-w- c:\program files\mozilla firefox\plugins\v22_connect.dll
2007-11-15 21:05 . 2007-12-13 22:06 229376 ----a-w- c:\program files\mozilla firefox\plugins\v22_update.dll
2007-11-15 21:05 . 2007-12-13 22:06 196608 ----a-w- c:\program files\mozilla firefox\plugins\v22_utility.dll
2007-11-15 21:05 . 2007-12-13 22:06 159744 ----a-w- c:\program files\mozilla firefox\plugins\v22_winapplib.dll
2009-09-26 11:16 . 2009-09-26 11:16 22016 --sha-w- c:\windows\system32\yosutihe.exe
.

------- Sigcheck -------

[-] 2009-12-24 . 91CE9DE762E9F01E7AA39AD89CF00971 . 994304 . . [5.1.2600.3541] . . c:\windows\$hf_mig$\KB917422\SP2GDR\kernel32.dll
[-] 2009-12-24 . 91CE9DE762E9F01E7AA39AD89CF00971 . 994304 . . [5.1.2600.3541] . . c:\windows\$hf_mig$\KB917422\SP2QFE\kernel32.dll
[-] 2009-12-24 . 91CE9DE762E9F01E7AA39AD89CF00971 . 994304 . . [5.1.2600.3541] . . c:\windows\$hf_mig$\KB935839\SP2QFE\kernel32.dll
[-] 2009-12-24 . 91CE9DE762E9F01E7AA39AD89CF00971 . 994304 . . [5.1.2600.3541] . . c:\windows\$hf_mig$\KB959426\SP2QFE\kernel32.dll
[-] 2009-12-24 . 91CE9DE762E9F01E7AA39AD89CF00971 . 994304 . . [5.1.2600.3541] . . c:\windows\$hf_mig$\KB959426\SP3GDR\kernel32.dll
[-] 2009-12-24 . 91CE9DE762E9F01E7AA39AD89CF00971 . 994304 . . [5.1.2600.3541] . . c:\windows\$hf_mig$\KB959426\SP3QFE\kernel32.dll
[-] 2009-12-24 . 91CE9DE762E9F01E7AA39AD89CF00971 . 994304 . . [5.1.2600.3541] . . c:\windows\$NtServicePackUninstall$\kernel32.dll
[-] 2009-12-24 . 91CE9DE762E9F01E7AA39AD89CF00971 . 994304 . . [5.1.2600.3541] . . c:\windows\$NtUninstallKB917422$\kernel32.dll
[-] 2009-12-24 . 91CE9DE762E9F01E7AA39AD89CF00971 . 994304 . . [5.1.2600.3541] . . c:\windows\$NtUninstallKB917422_0$\kernel32.dll
[-] 2009-12-24 . 91CE9DE762E9F01E7AA39AD89CF00971 . 994304 . . [5.1.2600.3541] . . c:\windows\$NtUninstallKB935839$\kernel32.dll
[-] 2009-12-24 . 91CE9DE762E9F01E7AA39AD89CF00971 . 994304 . . [5.1.2600.3541] . . c:\windows\$NtUninstallKB959426$\kernel32.dll
[-] 2009-12-24 . 91CE9DE762E9F01E7AA39AD89CF00971 . 994304 . . [5.1.2600.3541] . . c:\windows\ServicePackFiles\i386\kernel32.dll
[-] 2009-12-24 . 91CE9DE762E9F01E7AA39AD89CF00971 . 994304 . . [5.1.2600.3541] . . c:\windows\SoftwareDistribution\Download\16b2c96a0c41f4dfdb4d3cc228a4f819\kernel32.dll
[-] 2009-12-24 . 91CE9DE762E9F01E7AA39AD89CF00971 . 994304 . . [5.1.2600.3541] . . c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\kernel32.dll
[-] 2009-12-24 . 91CE9DE762E9F01E7AA39AD89CF00971 . 994304 . . [5.1.2600.3541] . . c:\windows\system32\kernel32.dll
[-] 2009-12-24 . 91CE9DE762E9F01E7AA39AD89CF00971 . 994304 . . [5.1.2600.3541] . . c:\windows\system32\dllcache\kernel32.dll

[-] 2009-12-24 . BAAC49924BFF74A9223C74FB1D37A461 . 21504 . . [6.00.2900.2180] . . c:\windows\$NtServicePackUninstall$\powrprof.dll
[-] 2009-12-24 . BAAC49924BFF74A9223C74FB1D37A461 . 21504 . . [6.00.2900.2180] . . c:\windows\LastGood\system32\powrprof.dll
[-] 2009-12-24 . BAAC49924BFF74A9223C74FB1D37A461 . 21504 . . [6.00.2900.2180] . . c:\windows\ServicePackFiles\i386\powrprof.dll
[-] 2009-12-24 . BAAC49924BFF74A9223C74FB1D37A461 . 21504 . . [6.00.2900.2180] . . c:\windows\SoftwareDistribution\Download\16b2c96a0c41f4dfdb4d3cc228a4f819\powrprof.dll
[-] 2009-12-24 . BAAC49924BFF74A9223C74FB1D37A461 . 21504 . . [6.00.2900.2180] . . c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\powrprof.dll
[-] 2009-12-24 . BAAC49924BFF74A9223C74FB1D37A461 . 21504 . . [6.00.2900.2180] . . c:\windows\system32\powrprof.dll

[-] 2009-12-24 . C24783F6DDCB579BB4383970283C0965 . 670208 . . [6.00.2900.3627] . . c:\windows\$hf_mig$\KB939653\SP2QFE\wininet.dll
[-] 2009-12-24 . C24783F6DDCB579BB4383970283C0965 . 670208 . . [6.00.2900.3627] . . c:\windows\$hf_mig$\KB942615\SP2QFE\wininet.dll
[-] 2009-12-24 . C24783F6DDCB579BB4383970283C0965 . 670208 . . [6.00.2900.3627] . . c:\windows\$hf_mig$\KB944533\SP2QFE\wininet.dll
[-] 2009-12-24 . C24783F6DDCB579BB4383970283C0965 . 670208 . . [6.00.2900.3627] . . c:\windows\$hf_mig$\KB947864\SP2QFE\wininet.dll
[-] 2009-12-24 . C24783F6DDCB579BB4383970283C0965 . 670208 . . [6.00.2900.3627] . . c:\windows\$hf_mig$\KB950759\SP2QFE\wininet.dll
[-] 2009-12-24 . C24783F6DDCB579BB4383970283C0965 . 670208 . . [6.00.2900.3627] . . c:\windows\$hf_mig$\KB950759\SP3GDR\wininet.dll
[-] 2009-12-24 . C24783F6DDCB579BB4383970283C0965 . 670208 . . [6.00.2900.3627] . . c:\windows\$hf_mig$\KB950759\SP3QFE\wininet.dll
[-] 2009-12-24 . C24783F6DDCB579BB4383970283C0965 . 670208 . . [6.00.2900.3627] . . c:\windows\$hf_mig$\KB950759-IE7\SP2QFE\wininet.dll
[-] 2009-12-24 . C24783F6DDCB579BB4383970283C0965 . 670208 . . [6.00.2900.3627] . . c:\windows\$hf_mig$\KB953838-IE7\SP2QFE\wininet.dll
[-] 2009-12-24 . C24783F6DDCB579BB4383970283C0965 . 670208 . . [6.00.2900.3627] . . c:\windows\$hf_mig$\KB956390-IE7\SP2QFE\wininet.dll
[-] 2009-12-24 . C24783F6DDCB579BB4383970283C0965 . 670208 . . [6.00.2900.3627] . . c:\windows\$hf_mig$\KB958215-IE7\SP2QFE\wininet.dll
[-] 2009-12-24 . C24783F6DDCB579BB4383970283C0965 . 670208 . . [6.00.2900.3627] . . c:\windows\$hf_mig$\KB961260-IE7\SP2QFE\wininet.dll
[-] 2009-12-24 . C24783F6DDCB579BB4383970283C0965 . 670208 . . [6.00.2900.3627] . . c:\windows\$hf_mig$\KB963027-IE7\SP3QFE\wininet.dll
[-] 2009-12-24 . C24783F6DDCB579BB4383970283C0965 . 670208 . . [6.00.2900.3627] . . c:\windows\$hf_mig$\KB969897-IE7\SP3QFE\wininet.dll
[-] 2009-12-24 . C24783F6DDCB579BB4383970283C0965 . 670208 . . [6.00.2900.3627] . . c:\windows\$hf_mig$\KB972260\SP2QFE\wininet.dll
[-] 2009-12-24 . C24783F6DDCB579BB4383970283C0965 . 670208 . . [6.00.2900.3627] . . c:\windows\$hf_mig$\KB972260\SP3GDR\wininet.dll
[-] 2009-12-24 . C24783F6DDCB579BB4383970283C0965 . 670208 . . [6.00.2900.3627] . . c:\windows\$hf_mig$\KB972260\SP3QFE\wininet.dll
[-] 2009-12-24 . C24783F6DDCB579BB4383970283C0965 . 670208 . . [6.00.2900.3627] . . c:\windows\$hf_mig$\KB972260-IE7\SP3QFE\wininet.dll
[-] 2009-12-24 . C24783F6DDCB579BB4383970283C0965 . 670208 . . [6.00.2900.3627] . . c:\windows\$hf_mig$\KB974455\SP2QFE\wininet.dll
[-] 2009-12-24 . C24783F6DDCB579BB4383970283C0965 . 670208 . . [6.00.2900.3627] . . c:\windows\$hf_mig$\KB974455\SP3GDR\wininet.dll
[-] 2009-12-24 . C24783F6DDCB579BB4383970283C0965 . 670208 . . [6.00.2900.3627] . . c:\windows\$hf_mig$\KB974455\SP3QFE\wininet.dll
[-] 2009-12-24 . C24783F6DDCB579BB4383970283C0965 . 670208 . . [6.00.2900.3627] . . c:\windows\$hf_mig$\KB976325\SP2QFE\wininet.dll
[-] 2009-12-24 . C24783F6DDCB579BB4383970283C0965 . 670208 . . [6.00.2900.3627] . . c:\windows\$hf_mig$\KB976325\SP3GDR\wininet.dll
[-] 2009-12-24 . C24783F6DDCB579BB4383970283C0965 . 670208 . . [6.00.2900.3627] . . c:\windows\$hf_mig$\KB976325\SP3QFE\wininet.dll
[-] 2009-12-24 . C24783F6DDCB579BB4383970283C0965 . 670208 . . [6.00.2900.3627] . . c:\windows\$NtServicePackUninstall$\wininet.dll
[-] 2009-12-24 . C24783F6DDCB579BB4383970283C0965 . 670208 . . [6.00.2900.3627] . . c:\windows\$NtUninstallKB918899-IE6SP1-20060725.123917$\wininet.dll
[-] 2009-12-24 . C24783F6DDCB579BB4383970283C0965 . 670208 . . [6.00.2900.3627] . . c:\windows\$NtUninstallKB939653$\wininet.dll
[-] 2009-12-24 . C24783F6DDCB579BB4383970283C0965 . 670208 . . [6.00.2900.3627] . . c:\windows\$NtUninstallKB942615$\wininet.dll
[-] 2009-12-24 . C24783F6DDCB579BB4383970283C0965 . 670208 . . [6.00.2900.3627] . . c:\windows\$NtUninstallKB944533$\wininet.dll
[-] 2009-12-24 . C24783F6DDCB579BB4383970283C0965 . 670208 . . [6.00.2900.3627] . . c:\windows\$NtUninstallKB947864$\wininet.dll
[-] 2009-12-24 . C24783F6DDCB579BB4383970283C0965 . 670208 . . [6.00.2900.3627] . . c:\windows\$NtUninstallKB950759$\wininet.dll
[-] 2009-12-24 . C24783F6DDCB579BB4383970283C0965 . 670208 . . [6.00.2900.3627] . . c:\windows\$NtUninstallKB972260$\wininet.dll
[-] 2009-12-24 . C24783F6DDCB579BB4383970283C0965 . 670208 . . [6.00.2900.3627] . . c:\windows\$NtUninstallKB974455$\wininet.dll
[-] 2009-12-24 . C24783F6DDCB579BB4383970283C0965 . 670208 . . [6.00.2900.3627] . . c:\windows\$NtUninstallKB976325$\wininet.dll
[-] 2009-12-24 . C24783F6DDCB579BB4383970283C0965 . 670208 . . [6.00.2900.3627] . . c:\windows\ie7updates\KB953838-IE7\wininet.dll
[-] 2009-12-24 . C24783F6DDCB579BB4383970283C0965 . 670208 . . [6.00.2900.3627] . . c:\windows\ie7updates\KB958215-IE7\wininet.dll
[-] 2009-12-24 . C24783F6DDCB579BB4383970283C0965 . 670208 . . [6.00.2900.3627] . . c:\windows\ie7updates\KB961260-IE7\wininet.dll
[-] 2009-12-24 . C24783F6DDCB579BB4383970283C0965 . 670208 . . [6.00.2900.3627] . . c:\windows\ServicePackFiles\i386\wininet.dll
[-] 2009-12-24 . C24783F6DDCB579BB4383970283C0965 . 670208 . . [6.00.2900.3627] . . c:\windows\SoftwareDistribution\Download\16b2c96a0c41f4dfdb4d3cc228a4f819\wininet.dll
[-] 2009-12-24 . C24783F6DDCB579BB4383970283C0965 . 670208 . . [6.00.2900.3627] . . c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\wininet.dll
[-] 2009-12-24 . C24783F6DDCB579BB4383970283C0965 . 670208 . . [6.00.2900.3627] . . c:\windows\system32\wininet.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\sp]
@="{96AFBE69-C3B0-4b00-8578-D933D2896EE2}"
[HKEY_CLASSES_ROOT\CLSID\{96AFBE69-C3B0-4b00-8578-D933D2896EE2}]
2009-12-10 16:59 57856 ----a-w- c:\documents and settings\All Users\Application Data\Adobe\sp.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"00PCTFW"="c:\program files\PC Tools Firewall Plus\FirewallGUI.exe" [2009-11-27 2971608]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^PalTalk.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\PalTalk.lnk
backup=c:\windows\pss\PalTalk.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Eric^Start Menu^Programs^Startup^scandisk.dll]
path=c:\documents and settings\Eric\Start Menu\Programs\Startup\scandisk.dll
backup=c:\windows\pss\scandisk.dllStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Eric^Start Menu^Programs^Startup^scandisk.lnk]
path=c:\documents and settings\Eric\Start Menu\Programs\Startup\scandisk.lnk
backup=c:\windows\pss\scandisk.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Bart Station]
2005-06-13 19:55 20480 ------w- c:\program files\PeoplePC\ISP6100\Bin\PPCOLink.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2004-08-04 06:56 15360 ------w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk]
2007-01-01 21:22 3739648 ----a-w- c:\program files\Google\Google Talk\googletalk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2007-05-08 22:24 54840 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
2004-08-04 04:32 208952 ----a-w- c:\windows\ime\imjp8_1\imjpmig.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2004-10-13 16:24 1694208 ----a-w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSPY2002]
2004-08-04 04:31 59392 ----a-w- c:\windows\system32\IME\PINTLGNT\IMSCINST.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 10:50 155648 ----a-w- c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A]
2004-08-04 04:32 455168 ----a-w- c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync]
2004-08-04 04:32 455168 ----a-w- c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2004-01-01 11:53 77824 ----a-w- c:\program files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
2003-11-01 03:42 32768 ----a-w- c:\program files\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2007-07-12 10:00 132496 ----a-w- c:\program files\Java\jre1.6.0_02\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunKistEM]
2004-03-11 23:18 135168 ----a-w- c:\program files\eMachines Bay Reader\shwiconEM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"fastnetsrv"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\MSN\\MSNCoreFiles\\msn6.exe"=
"c:\\Program Files\\Pidgin\\pidgin.exe"=
"c:\\Program Files\\aim\\aim.exe"=
"c:\\Program Files\\PurePlay\\Poker\\PurePlayPoker.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Documents and Settings\\Anne\\My Documents\\silverchild_24\\VamPChaT\\mirc.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\WINDOWS\\system32\\svchost.exe"=
"c:\\Program Files\\Spybot - Search & Destroy\\SpybotSD.exe"=
"c:\\Program Files\\PeoplePC\\ISP6100\\Bin\\PPCOLink.exe"=
"c:\\WINDOWS\\PCHealth\\HelpCtr\\Binaries\\msconfig.exe"=
"c:\\WINDOWS\\system32\\spoolsv.exe"=
"c:\\Program Files\\PC Tools Firewall Plus\\FirewallGUI.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8080:TCP"= 8080:TCP:blacksilver
"5576:TCP"= 5576:TCP:spport
"27679:TCP"= 27679:TCP:spport
"12778:TCP"= 12778:TCP:spport
"24727:TCP"= 24727:TCP:spport
"24081:TCP"= 24081:TCP:spport
"18799:TCP"= 18799:TCP:spport
"5586:TCP"= 5586:TCP:spport
"18914:TCP"= 18914:TCP:spport
"5645:TCP"= 5645:TCP:spport
"10850:TCP"= 10850:TCP:spport
"29694:TCP"= 29694:TCP:spport
"14876:TCP"= 14876:TCP:spport
"29596:TCP"= 29596:TCP:spport
"10317:TCP"= 10317:TCP:spport
"24501:TCP"= 24501:TCP:spport
"16950:TCP"= 16950:TCP:spport
"5736:TCP"= 5736:TCP:spport
"15492:TCP"= 15492:TCP:spport
"7112:TCP"= 7112:TCP:spport
"9548:TCP"= 9548:TCP:spport
"9001:TCP"= 9001:TCP:spport
"29261:TCP"= 29261:TCP:spport
"19990:TCP"= 19990:TCP:spport
"24336:TCP"= 24336:TCP:spport
"25100:TCP"= 25100:TCP:spport
"19537:TCP"= 19537:TCP:spport
"13204:TCP"= 13204:TCP:spport
"14253:TCP"= 14253:TCP:spport
"14613:TCP"= 14613:TCP:spport
"5461:TCP"= 5461:TCP:spport
"25794:TCP"= 25794:TCP:spport
"6490:TCP"= 6490:TCP:spport
"27557:TCP"= 27557:TCP:spport
"11116:TCP"= 11116:TCP:spport
"26056:TCP"= 26056:TCP:spport
"14385:TCP"= 14385:TCP:spport
"21012:TCP"= 21012:TCP:spport
"26860:TCP"= 26860:TCP:spport
"8290:TCP"= 8290:TCP:spport
"13443:TCP"= 13443:TCP:spport
"10961:TCP"= 10961:TCP:spport
"28647:TCP"= 28647:TCP:spport
"24337:TCP"= 24337:TCP:spport
"25097:TCP"= 25097:TCP:spport
"21167:TCP"= 21167:TCP:spport
"10475:TCP"= 10475:TCP:spport
"5034:TCP"= 5034:TCP:spport
"22097:TCP"= 22097:TCP:spport
"17116:TCP"= 17116:TCP:spport
"17857:TCP"= 17857:TCP:spport
"13145:TCP"= 13145:TCP:spport
"21954:TCP"= 21954:TCP:spport
"24980:TCP"= 24980:TCP:spport
"27742:TCP"= 27742:TCP:spport
"10449:TCP"= 10449:TCP:spport

R1 pctgntdi;pctgntdi;c:\windows\system32\drivers\pctgntdi.sys [12/20/2009 8:15 AM 233136]
R2 PCTAppEvent;PCTAppEvent Driver;c:\windows\system32\drivers\PCTAppEvent.sys [12/20/2009 8:15 AM 88040]
R2 SPService;SPService;c:\windows\system32\svchost.exe -k netsvc [1/1/2004 3:06 AM 14336]
R3 PCTFW-DNS;PCTools Firewall - DNS driver;c:\windows\system32\drivers\pctNdis-DNS.sys [12/20/2009 8:15 AM 32552]
R3 PCTFW-PacketFilter;PCTools Firewall - Packet filter driver;c:\windows\system32\drivers\pctNdis-PacketFilter.sys [12/20/2009 8:15 AM 70408]
R3 pctNDIS;PC Tools Driver;c:\windows\system32\drivers\pctNdis.sys [12/20/2009 8:15 AM 56512]
S3 CCCP106;CIF USB Camera (2110A);c:\windows\system32\drivers\cccp106.sys [11/27/2006 4:06 PM 227200]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [12/24/2009 7:49 AM 38224]
S3 pctplfw;pctplfw;c:\windows\system32\drivers\pctplfw.sys [12/20/2009 8:15 AM 115216]
S4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [1/15/2007 9:12 PM 24652]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - HIDSERV

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
netsvc REG_MULTI_SZ SPService
.
 
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uInternet Settings,ProxyServer = localhost:8080
FF - ProfilePath - c:\documents and settings\Eric\Application Data\Mozilla\Firefox\Profiles\5f6awe7z.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.bing.com/search?FORM=IEFM1&q=
FF - prefs.js: browser.search.selectedEngine - Yu-Gi-Oh! (en)
FF - prefs.js: browser.startup.homepage - hxxp://www.deviantart.com/
FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?FORM=IEFM1&q=
FF - prefs.js: network.proxy.ftp - proxy_sever
FF - prefs.js: network.proxy.ftp_port - 8080
FF - prefs.js: network.proxy.gopher - proxy_sever
FF - prefs.js: network.proxy.gopher_port - 8080
FF - prefs.js: network.proxy.http - proxy_sever
FF - prefs.js: network.proxy.http_port - 8080
FF - prefs.js: network.proxy.socks - proxy_sever
FF - prefs.js: network.proxy.socks_port - 8080
FF - prefs.js: network.proxy.ssl - proxy_sever
FF - prefs.js: network.proxy.ssl_port - 8080
FF - prefs.js: network.proxy.type - 4
FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpClipBook.dll
FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpClipBookDB.dll
FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpNeoLogger.dll
FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpSaturn.dll
FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpSeymour.dll
FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpSmartSelect.dll
FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpSmartWebPrinting.dll
FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpSWPOperation.dll
FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpXPLogging.dll
FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpXPMTC.dll
FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpXPMTL.dll
FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpXREStub.dll
FF - plugin: c:\progra~1\Yahoo!\Common\npyaxmpb.dll
FF - plugin: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\plugins\nphpclipbook.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npOGAPlugin.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPView22.dll
FF - plugin: c:\program files\SceneCaster\Version 3.11.16\NPSceneCaster.dll
FF - plugin: c:\program files\view22\version_4\NPView22.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-27 10:04
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(556)
c:\windows\system32\igfxsrvc.dll
c:\windows\system32\hccutils.DLL

- - - - - - - > 'explorer.exe'(2340)
c:\documents and settings\all users\application data\adobe\sp.dll
c:\windows\system32\wpdshext.dll
c:\windows\system32\PortableDeviceApi.dll
c:\windows\system32\Audiodev.dll
c:\windows\system32\WMVCore.DLL
c:\windows\system32\WMASF.DLL
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
.
Completion time: 2009-12-27 10:07:07
ComboFix-quarantined-files.txt 2009-12-27 16:07
ComboFix2.txt 2009-12-26 19:42

Pre-Run: 98,344,349,696 bytes free
Post-Run: 98,304,954,368 bytes free

- - End Of File - - 968F4B535E3B335B711FB60F891FC456
 
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:09:31 AM, on 12/27/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\PeoplePC\ISP6100\Browser\Bartshel.exe
C:\PROGRA~1\PeoplePC\ISP6100\Browser\PPShared.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = localhost:8080
O4 - HKLM\..\Run: [00PCTFW] "C:\Program Files\PC Tools Firewall Plus\FirewallGUI.exe" -s
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\aim\aim.exe
O9 - Extra button: Show or hide HP Smart Web Printing - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - c:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - c:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: PC Tools Firewall Plus (PCToolsFirewallPlus) - PC Tools - C:\Program Files\PC Tools Firewall Plus\FWService.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 2733 bytes
 
Just as a side note, Internet Explorer came back but is still not connecting to the net. Would that still be a virus interaction, or in this case something else?
 
Hi blackdra

Have you tried
Manually restoring the Internet connection


1 - Run Malwarebytes' Anti-Malware

  • Open Malwarebytes' Anti-Malware
  • Select the Update tab
  • Click Check for Updates
  • After the update has been completed, select the Scanner tab.
  • On the Scanner tab:
    • Make sure the "Perform Full Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

2 - Status Check
Please reply with

the Malwarebytes' Anti-Malware Log

Thanks peku006
 
Malwarebytes' Anti-Malware 1.42
Database version: 3289
Windows 5.1.2600 Service Pack 2
Internet Explorer 6.0.2900.2180

12/28/2009 8:40:29 AM
mbam-log-2009-12-28 (08-40-29).txt

Scan type: Full Scan (C:\|D:\|E:\|F:\|G:\|H:\|)
Objects scanned: 239491
Time elapsed: 32 minute(s), 8 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 12
Registry Values Infected: 3
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 13

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\Interface\{0b0a76e7-ade1-41f4-b157-559605721b3a} (Adware.WebDir) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{1c1ebef0-37cf-4408-b494-f6c000fd6ed7} (Spyware.Banker) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{339949fb-4a8c-4aa3-bd04-8b888d9a642a} (Spyware.Banker) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{85e06077-c824-43d0-a8dc-5efb17bc348a} (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{cf3e4737-a002-49ce-8e07-3460cb177a28} (Spyware.Banker) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\{30fcf052-3649-4543-b924-ba7ab9facc8a} (Spyware.Banker) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{050c8642-c1a9-480b-95a1-55fecb2b8c9a} (Spyware.Banker) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{050c8642-c1a9-480b-95a1-55fecb2b8c9a} (Spyware.Banker) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{8109fd3d-d891-4f80-8339-50a4913ace6f} (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\acroie.dll (Spyware.Banker) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\linkreader.acroiebho (Spyware.Banker) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\linkreader.acroiebho.1 (Spyware.Banker) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\mbt (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\mfa (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\dcomclsid (Rogue.DesktopDefender) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\WINDOWS\system32\xmldm (Stolen.Data) -> Quarantined and deleted successfully.

Files Infected:
C:\Program Files\Trend Micro\HijackThis\backups\backup-20091222-060240-256.dll (Spyware.Banker) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\AcroIEHelpe.dll.vir (Spyware.Banker) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\notepad.dll.vir (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Startup\scandisk.dll.vir (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\config\systemprofile\ntload.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\_OTS\MovedFiles\12242009_054046\C_Documents and Settings\Eric\ntload.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\_OTS\MovedFiles\12242009_054046\C_WINDOWS\System32\msilojzb.dll (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\_OTS\MovedFiles\12242009_054046\C_WINDOWS\System32\msynldks.dll (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\_OTS\MovedFiles\12262009_082227\C_WINDOWS\system32\msaouahn.dll (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\_OTS\MovedFiles\12262009_082227\C_WINDOWS\system32\ndisdrv.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\_OTS\MovedFiles\12262009_082227\C_WINDOWS\system32\winsts.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\wp3.dat (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\wp4.dat (Malware.Trace) -> Quarantined and deleted successfully.
 
Hi blackdra

1 - Clean temp files

  • Please download TFC to your desktop
  • Save any unsaved work. TFC will close all open application windows.
  • Double-click TFC.exe to run the program.
  • If prompted, click Yes to reboot.

NOTE: Save your work. TFC will automatically close any open programs; let it run uninterrupted. It shouldn't take longer than a couple of minutes, and may only take a few seconds. Only if needed will you be prompted to reboot.

2 - Eset online scanner

You can use either Internet Explorer or Mozilla FireFox for this scan.

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

  • Please go here then click on:
    EOLS1.gif
  • Select the option YES, I accept the Terms of Use then click on:
    EOLS2.gif
  • When prompted allow the Add-On/Active X to install.
  • Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
  • Now click on Advanced Settings and select the following:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Now click on:
    EOLS3.gif
  • The virus signature database... will begin to download. Be patient; this may take some time depending on the speed of your Internet connection.
  • When completed the Online Scan will begin automatically.
  • Do not touch either the Mouse or keyboard during the scan otherwise it may stall.
  • When completed select Uninstall application on close if you so wish, make sure you copy the logfile first!
  • Now click on:
    EOLS4.gif
  • Use notepad to open the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt.
  • Copy and paste that log as a reply to this topic.

3 - Run Hijackthis
Click on the Do a system scan and save a logfile button. It will scan, and the log should open in Notepad.

4 - Status Check
Please reply with

1. the Eset online scanner report
2. a fresh HijackThis log

Thanks peku006
 
Having trouble getting the download to work. I downloaded the installer for Firefox, but it's saying that it can't get the update for the online scanner. Is there any way I can manually download it from the site itself? Also, the link to restore the net connection didn't work as well.
 
Hi blackdra

Manually restoring the Internet connection
  • Click on the Start button.
  • Click on the Settings menu option.
  • Click on the Control Panel option.
  • When the Control Panel opens, double-click on the Network Connections icon. If your Control Panel is set to Category View, then double-click on Network and Internet Connections and then click on Network Connections at the bottom.
  • You will now see a list of available network connections. Locate the connection for your Wireless or Lan adapter and right-click on it.
  • You will now see a menu similar to the image below. Simply click on the Repair menu option.
repair.jpg

Repair Internet Connection

Let the repair process perform its tasks and when it has finished, your Internet connection should be working again.

Alternatively, if your network icon also appears on the Windows taskbar, then you can repair it by right-clicking on the icon and selecting Repair as shown below.
tray-repair.jpg


post back if it helped.

Thanks peku006
 
The repair option does not come up when I click on the icon on either. Can I run ClamWin instead of the online scanner, since I can't get it to run?
 
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:55:06 PM, on 12/30/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\PC Tools Firewall Plus\FWService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\PC Tools Firewall Plus\FirewallGUI.exe
C:\Program Files\PeoplePC\ISP6100\Browser\Bartshel.exe
C:\PROGRA~1\PeoplePC\ISP6100\Browser\PPShared.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
c:\program files\hp\digital imaging\smart web printing\hpswp_clipbook.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.emachines.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = peoplepc online:8080
O2 - BHO: (no name) - {C5B24B16-23F2-41AD-F4E4-00ABC39C0004} - (no file)
O4 - HKLM\..\Run: [00PCTFW] "C:\Program Files\PC Tools Firewall Plus\FirewallGUI.exe" -s
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKUS\S-1-5-21-1439159683-283072792-1928842331-1006\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Anne')
O4 - HKUS\S-1-5-21-1439159683-283072792-1928842331-1006\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (User 'Anne')
O4 - HKUS\S-1-5-21-1439159683-283072792-1928842331-1006\..\Run: [notepad] rundll32.exe C:\DOCUME~1\Anne\ntload.dll,_IWMPEvents@0 (User 'Anne')
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\aim\aim.exe
O9 - Extra button: Show or hide HP Smart Web Printing - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - c:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - c:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{9FD03FBF-A7CC-4378-81E6-472CDA2CFCE4}: NameServer = 207.69.188.167 207.69.188.166
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: PC Tools Firewall Plus (PCToolsFirewallPlus) - PC Tools - C:\Program Files\PC Tools Firewall Plus\FWService.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 3552 bytes
 
Scan Started Wed Dec 30 07:18:26 2009

-------------------------------------------------------------------------------

C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\7a6adc2be8539f3034d5247e6dfa3267_ab562468-bd0a-4927-81f6-bddba689b279: Permission denied
C:\hiberfil.sys: Permission denied
C:\pagefile.sys: Permission denied
C:\WINDOWS\SoftwareDistribution\EventCache\5CB96EDA-12AC-4F6A-A2BE-78AB721BFBC7.bin: Permission denied
C:\WINDOWS\system32\CatRoot2\tmp.edb: Permission denied
C:\WINDOWS\system32\config\default: Permission denied
C:\WINDOWS\system32\config\SAM: Permission denied
C:\WINDOWS\system32\config\SECURITY: Permission denied
C:\WINDOWS\system32\config\software: Permission denied
C:\WINDOWS\system32\config\system: Permission denied

C:\Documents and Settings\Eric\Desktop\computer fix\avenger\avenger.exe: Trojan.Agent-119128 FOUND

----------- SCAN SUMMARY -----------
Known viruses: 677872
Engine version: 0.95.3
Scanned directories: 11631
Scanned files: 91035
Infected files: 1
Data scanned: 21191.66 MB
Data read: 19776.76 MB (ratio 1.07:1)
Time: 11600.500 sec (193 m 20 s)
--------------------------------------
Completed
--------------------------------------
 
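A quick way to triage a HijackThis log like the one pasted above is to parse the O2 and O4 lines and flag the handful of patterns that deserve a manual look: a BHO whose CLSID is registered but whose DLL is gone, an autorun image living outside the usual system and program directories, and rundll32 being used to load a DLL from a user profile. The script below is an added example written for this page, not code from the thread, from HijackThis or from any of the tools mentioned; the lines it parses are copied from the posted log, the list of "trusted" directories is an assumption of the example, and a hit means "check this entry", not "this is malware".

```python
"""Triage helper for HijackThis O2/O4 lines (added example; not part of the post)."""
import os
import re
from typing import Dict, List, Tuple

# Lines copied from the HijackThis log posted above. The parser works on any
# O2/O4 lines of the same shape.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {C5B24B16-23F2-41AD-F4E4-00ABC39C0004} - (no file)
O4 - HKLM\..\Run: [00PCTFW] "C:\Program Files\PC Tools Firewall Plus\FirewallGUI.exe" -s
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKUS\S-1-5-21-1439159683-283072792-1928842331-1006\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Anne')
O4 - HKUS\S-1-5-21-1439159683-283072792-1928842331-1006\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (User 'Anne')
O4 - HKUS\S-1-5-21-1439159683-283072792-1928842331-1006\..\Run: [notepad] rundll32.exe C:\DOCUME~1\Anne\ntload.dll,_IWMPEvents@0 (User 'Anne')
"""

O4_RE = re.compile(
    r"^O4 - (?P<hive>HK\w+(?:\\S-[\d-]+)?)\\\.\.\\(?P<key>Run\w*): "
    r"\[(?P<name>[^\]]*)\] (?P<cmd>.*?)(?: \(User '(?P<user>[^']*)'\))?$"
)
O2_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]{36})\} - (?P<path>.*)$"
)
# First token of a Run value: a quoted path, or an unquoted path up to an
# executable extension (unquoted paths may contain spaces, as TeaTimer.exe does).
IMAGE_RE = re.compile(
    r'^(?P<image>"[^"]+"|.*?\.(?:exe|com|scr|bat|cmd|vbs|js))(?=\s|$)\s*(?P<args>.*)$',
    re.IGNORECASE,
)

# Assumption of this example: directories an XP-era autorun image normally lives
# in. Anything else (user profiles, temp, the root of C:) gets a second look.
TRUSTED_ROOTS = (
    r"c:\windows\system32",
    r"%systemroot%\system32",
    r"c:\program files",
    r"c:\progra~1",
)


def in_trusted_root(path: str) -> bool:
    """True if the (possibly quoted, 8.3 or %var%) path starts with a trusted root."""
    p = path.strip().strip('"').lower()
    return any(p.startswith(root) for root in TRUSTED_ROOTS)


def split_command(cmd: str) -> Tuple[str, str]:
    """Return (image, args) for a Run value, tolerating quoted and unquoted paths."""
    m = IMAGE_RE.match(cmd.strip())
    if m:
        return m.group("image").strip('"'), m.group("args").strip()
    parts = cmd.strip().split(None, 1)  # fallback: first whitespace token
    return parts[0], (parts[1] if len(parts) > 1 else "")


def triage(log_text: str) -> List[Dict[str, str]]:
    """Return one finding per O2/O4 line that deserves a closer look."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = O2_RE.match(line)
        if m:
            if m.group("path") == "(no file)":
                findings.append({"line": line, "kind": "orphaned-bho",
                                 "detail": "CLSID %s registered but no DLL on disk"
                                           % m.group("clsid")})
            continue
        m = O4_RE.match(line)
        if not m:
            continue
        image, args = split_command(m.group("cmd"))
        who = m.group("user") or m.group("hive")
        basename = os.path.basename(image.replace("\\", "/")).lower()
        if basename in ("rundll32.exe", "rundll32"):
            # rundll32 <dll>,<export>: the DLL is what actually runs at logon
            dll = args.split(",", 1)[0].strip().strip('"')
            if not in_trusted_root(dll):
                findings.append({"line": line, "kind": "rundll32-untrusted-dll",
                                 "detail": "rundll32 loads %s for %s" % (dll, who)})
        elif "\\" in image and not in_trusted_root(image):
            # bare names (no directory) resolve via PATH and are not judged here
            findings.append({"line": line, "kind": "image-untrusted-path",
                             "detail": "autorun image %s for %s" % (image, who)})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print("%-24s %s" % (f["kind"], f["detail"]))
```

Run on the sample, it reports the nameless BHO with no file behind it and the rundll32 entry pointing into the `Anne` profile; the firewall, mobsync, ctfmon and TeaTimer entries pass because their images sit under the assumed trusted roots. Extending the check to O20/O21 (Winlogon notify, ShellServiceObject) lines would follow the same pattern.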
Hi blackdra

All the logs look good, how is your computer behaving now?

Thanks peku006
 