I am fixing a friend's computer and Malwarebytes detected this:
HKLM\Software\Classes\CLSID\{BB4C402F-882A-4526-8C08-51278EA437C1}
I tried to remove it, but it keeps coming back even after a reboot. When I rescan it reappears. System Restore is off.
I also ran SUPERAntiSpyware first, and it gave me this log:
SUPERAntiSpyware Scan Log
http://www.superantispyware.com
Generated 06/21/2009 at 09:11 PM
Application Version : 4.26.1004
Core Rules Database Version : 3949
Trace Rules Database Version: 1891
Scan type : Complete Scan
Total Scan Time : 00:34:17
Memory items scanned : 514
Memory threats detected : 0
Registry items scanned : 4847
Registry threats detected : 5
File items scanned : 16943
File threats detected : 8
Unclassified.Unknown Origin
HKLM\Software\Classes\CLSID\{BB4C402F-882A-4526-8C08-51278EA437C1}
HKCR\CLSID\{BB4C402F-882A-4526-8C08-51278EA437C1}
HKCR\CLSID\{BB4C402F-882A-4526-8C08-51278EA437C1}\InprocServer32
HKCR\CLSID\{BB4C402F-882A-4526-8C08-51278EA437C1}\InprocServer32#ThreadingModel
C:\WINDOWS\SYSTEM32\E8MAIN0.DLL
HKCR\CLSID\{BB4C402F-882A-4526-8C08-51278EA437C1}
Just like with Malwarebytes, I try to remove it, but it's still there after a reboot and rescan.
If I try to delete the keys from the registry manually it doesn't allow it; it says: Cannot delete {BB4C402F-882A-4526-8C08-51278EA437C1}: Error while deleting the key.
The entry below that, InprocServer32, gives me this if I touch it: Cannot open InprocServer32: Error while opening key.
Here is a HijackThis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:35:45 PM, on 7/4/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Digital Media Reader\readericon45G.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Ulead Systems\Ulead Photo Explorer 8.0 SE\Monitor.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\StandAloneSoftware\DeskSave8-SavesIconsPositions\DeskSave.exe
C:\Program Files\BigFix\bigfix.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\sa\Desktop\HiJackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\windows\system32\BAE.dll
O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ehTray] "C:\WINDOWS\ehome\ehtray.exe"
O4 - HKLM\..\Run: [readericon] "C:\Program Files\Digital Media Reader\readericon45G.exe"
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [RTHDCPL] "RTHDCPL.EXE"
O4 - HKLM\..\Run: [Recguard] "%WINDIR%\SMINST\RECGUARD.EXE"
O4 - HKLM\..\Run: [Ulead AutoDetector] "C:\Program Files\Ulead Systems\Ulead Photo Explorer 8.0 SE\Monitor.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [UserFaultCheck] "%systemroot%\system32\dumprep" 0 -u
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DeskSave] C:\StandAloneSoftware\DeskSave8-SavesIconsPositions\DeskSave.exe
O4 - HKUS\S-1-5-18\..\Run: [Power2GoExpress] NA (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Power2GoExpress] NA (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: OpenOffice.org 3.1.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\bigfix.exe
O4 - Global Startup: Install Pending Files.LNK = C:\Program Files\SIFXINST\SIFXINST.EXE
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoft...s/as2stubie.cab
O16 - DPF: {5727FF4C-EF4E-4d96-A96C-03AD91910448} (System Requirements Lab) - http://www.srtest.co...sreqlab_ind.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/...can8/oscan8.cab
O16 - DPF: {C237A80A-4C55-4C68-BAA9-CBE4408D12B2} (F-Secure Online Scanner 4.0 Launcher) - http://download.sp.f-secure.com/ols/f-secu.../fslauncher.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ESET HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe
O23 - Service: ESET Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exe
O23 - Service: Servicio de actualización de Google (gupdate1c9f241b04d102a) (gupdate1c9f241b04d102a) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
--
End of file - 8549 bytes
Any ideas how to remove this nasty?
#1
Posted 04 July 2009 - 11:12 PM
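As an added example (not part of the thread), a small Python triage of HijackThis output: it parses the O2/O3/O4/O20/O23 lines into records, lists the entries a reviewer should look at first, and checks whether the CLSID the scanners reported is referenced by any line at all. The sample lines are copied from the log above; the review heuristics are my own and are not something HijackThis itself does.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: a handful of lines copied from the HijackThis log posted above.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\windows\system32\BAE.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\bigfix.exe
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ESET Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exe
"""

# CLSID reported by SUPERAntiSpyware and Malwarebytes in the thread.
BAD_CLSIDS = {"{BB4C402F-882A-4526-8C08-51278EA437C1}"}

# Line shapes HijackThis uses for the persistence sections handled here.
O2_O3_RE = re.compile(r"^(O[23]) - (?:BHO|Toolbar): (.*?) - (\{[^}]+\}) - (.+)$")
O4_RUN_RE = re.compile(r"^(O4) - (.*?): \[(.*?)\] (.+)$")
O4_LNK_RE = re.compile(r"^(O4) - ((?:Global )?Startup): (.+?) = (.+)$")
O20_RE = re.compile(r"^(O20) - AppInit_DLLs: (.+)$")
O23_RE = re.compile(r"^(O23) - Service: (.*?) - (.*?) - (.+)$")


@dataclass
class Entry:
    section: str
    name: str
    path: str
    clsid: Optional[str] = None
    owner: Optional[str] = None  # publisher column of O23 lines only


def parse_line(line: str) -> Optional[Entry]:
    """Turn one HJT line into an Entry; headers and process-list lines give None."""
    line = line.strip()
    if m := O2_O3_RE.match(line):
        return Entry(m.group(1), m.group(2), m.group(4), clsid=m.group(3).upper())
    if m := O4_RUN_RE.match(line):
        return Entry(m.group(1), m.group(3), m.group(4))
    if m := O4_LNK_RE.match(line):
        return Entry(m.group(1), m.group(3), m.group(4))
    if m := O20_RE.match(line):
        return Entry(m.group(1), "AppInit_DLLs", m.group(2))
    if m := O23_RE.match(line):
        return Entry(m.group(1), m.group(2), m.group(4), owner=m.group(3))
    return None


def reasons_to_review(entry: Entry, bad_clsids: set[str]) -> list[str]:
    """Heuristics, not verdicts: each string says why a human should look at the entry."""
    reasons = []
    if entry.clsid and entry.clsid in bad_clsids:
        reasons.append("CLSID is on the scanner's detection list")
    if entry.section in ("O2", "O3") and entry.path.lower().startswith("c:\\windows\\"):
        reasons.append("browser extension loaded from the Windows directory; confirm the publisher")
    if entry.section == "O20":
        reasons.append("AppInit_DLLs: injected into every process that loads user32.dll")
    if entry.section == "O23" and entry.owner == "Unknown owner":
        reasons.append("service binary carries no publisher information")
    return reasons


def triage(log_text: str, bad_clsids: set[str]):
    """Return (all entries, entries with reasons, detected CLSIDs no HJT line references)."""
    entries = [e for e in map(parse_line, log_text.splitlines()) if e is not None]
    flagged = [(e, r) for e in entries if (r := reasons_to_review(e, bad_clsids))]
    # HJT lists a CLSID only where something hooks it (BHO, toolbar, button, ...);
    # a bare HKCR\CLSID registration that nothing references never shows up.
    referenced = {e.clsid for e in entries if e.clsid}
    unreferenced = {c.upper() for c in bad_clsids} - referenced
    return entries, flagged, unreferenced


if __name__ == "__main__":
    _, flagged, unreferenced = triage(SAMPLE_LOG, BAD_CLSIDS)
    for entry, reasons in flagged:
        print(f"{entry.section} {entry.name}: {'; '.join(reasons)}")
    for clsid in unreferenced:
        print(f"{clsid} is detected by the scanner but not referenced by any HJT line")
```

Run against the full log in the post, the flagged CLSID comes back as unreferenced. That is the expected result rather than a contradiction: HijackThis only prints a CLSID where something hooks it (BHOs, toolbars, extra buttons, shell service objects), so a CLSID whose only trace is an InprocServer32 value, as in the SUPERAntiSpyware log, does not appear in its output.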
#2
Posted 04 July 2009 - 11:24 PM
In addition to the software I mentioned above that I tried to use to remove Spyware.OnlineGames, I forgot to mention that I have ESET NOD32 Smart Security installed and ran a full scan with it. I used BitDefender Online and it found other viruses that it removed, but it didn't fix that one; I tried Ad-Aware and it couldn't remove it, and neither could Spybot Search & Destroy. I removed those one by one after I used them, and I did the same with SUPERAntiSpyware, except that I saved the log that I showed you.
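"Error while deleting the key" and "Error while opening key" are what regedit reports when the key's DACL refuses the operation; malware commonly plants a deny ACE or changes the owner so that scanners and regedit both fail (a key name containing characters regedit cannot handle gives the same symptom). The script below is an added example, not something posted in the thread: it reads the ACL on the flagged CLSID key, takes ownership, replaces the DACL, records what InprocServer32 points at, and then removes the key tree. It assumes an administrator PowerShell session on the affected machine and the CLSID from the SUPERAntiSpyware log; everything else is the standard .NET registry and ACL API.

```powershell
# Added example (not from the thread). Assumes an administrator PowerShell session on the
# affected machine; the CLSID is the one the SUPERAntiSpyware log above reports.
$clsid  = '{BB4C402F-882A-4526-8C08-51278EA437C1}'
$subKey = "CLSID\$clsid"
$admins = [System.Security.Principal.NTAccount]'BUILTIN\Administrators'
$hkcr   = [Microsoft.Win32.Registry]::ClassesRoot
$sidType = [System.Security.Principal.SecurityIdentifier]   # SIDs, so an unmappable SID cannot abort the probe

# 1. Read the current owner and DACL with READ_CONTROL only. A deny ACE, or an owner that is
#    neither Administrators nor SYSTEM, is the usual reason regedit cannot delete the key.
$probe = $hkcr.OpenSubKey($subKey, [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadSubTree,
                          [System.Security.AccessControl.RegistryRights]::ReadPermissions)
if ($probe -eq $null) { throw "HKCR\$subKey does not exist" }
$acl = $probe.GetAccessControl()
"Owner: " + $acl.Owner
$acl.GetAccessRules($true, $true, $sidType) |
    Format-Table IdentityReference, AccessControlType, RegistryRights, IsInherited -AutoSize
$probe.Close()

# 2. Take ownership. Opening with WRITE_OWNER succeeds when the DACL still grants it, or when the
#    take-ownership privilege is enabled in the token (see the note after this block).
$own = $hkcr.OpenSubKey($subKey, [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree,
                        [System.Security.AccessControl.RegistryRights]::TakeOwnership)
$ownAcl = $own.GetAccessControl([System.Security.AccessControl.AccessControlSections]::Owner)
$ownAcl.SetOwner($admins)
$own.SetAccessControl($ownAcl)
$own.Close()

# 3. The owner always holds WRITE_DAC, whatever the DACL says. Drop inheritance and every explicit
#    ACE (including the deny entries), then grant Administrators full control down the subtree so
#    InprocServer32 opens as well.
$fix = $hkcr.OpenSubKey($subKey, [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree,
                        [System.Security.AccessControl.RegistryRights]::ChangePermissions)
$fixAcl = $fix.GetAccessControl([System.Security.AccessControl.AccessControlSections]::Access)
$fixAcl.SetAccessRuleProtection($true, $false)
foreach ($rule in @($fixAcl.GetAccessRules($true, $false, $sidType))) {
    $null = $fixAcl.RemoveAccessRule($rule)
}
$fixAcl.AddAccessRule((New-Object System.Security.AccessControl.RegistryAccessRule(
    $admins, 'FullControl', 'ContainerInherit', 'None', 'Allow')))
$fix.SetAccessControl($fixAcl)
$fix.Close()

# 4. Record the COM server this CLSID loads (the (Default) value of InprocServer32), so the file
#    can be dealt with separately, then delete the whole key tree.
$srv = $hkcr.OpenSubKey("$subKey\InprocServer32")
if ($srv) { "InprocServer32 -> " + $srv.GetValue(''); $srv.Close() }
$hkcr.DeleteSubKeyTree($subKey)
"Deleted HKCR\$subKey"
```

Two caveats. If step 2 fails with access denied, the DACL denies WRITE_OWNER and the take-ownership privilege in the session token is present but not enabled; taking ownership once through regedit's Permissions, Advanced, Owner dialog (which enables that privilege) and then rerunning from step 3 gets past it. And if the key comes back after a reboot even though it deleted cleanly, something that runs at startup is re-creating it (the DLL the scanner listed, C:\WINDOWS\SYSTEM32\E8MAIN0.DLL, is a separate deletion, and whether it is the server this CLSID registers is exactly what step 4 prints); a permissions fix alone will not cure that, which is what the boot-time tooling recommended later in the thread is for.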
#3
Posted 06 July 2009 - 03:00 AM
Please visit this webpage for instructions for downloading ComboFix to your DESKTOP: how-to-use-combofix
Please ensure you read this guide carefully and install the Recovery Console first.
NOTE!!: You must save and run ComboFix.exe on your DESKTOP and not from any other folder.
Also, DO NOT click the mouse or launch any other applications while this is running or it may stall the program
Additional links to download the tool:
ComboFix.exe
ComboFix.exe
ComboFix.exe
Note: The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.
Once installed, you should see a blue screen prompt that says:
The Recovery Console was successfully installed.
Please continue as follows:
- Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
- Click Yes to allow ComboFix to continue scanning for malware.
- When the tool is finished, it will produce a report for you.
- Please post the C:\ComboFix.txt along with a new HijackThis log so we may continue cleaning the system.
#5
Posted 07 July 2009 - 09:40 AM
Did the procedure as indicated and this is the log:
ComboFix 09-07-06.02 - sa 07/07/2009 4:05.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.446.167 [GMT -4.5:30]
Running from: c:\documents and settings\sa\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\Installer\37fb7.msi
.
((((((((((((((((((((((((( Files Created from 2009-06-07 to 2009-07-07 )))))))))))))))))))))))))))))))
.
2009-07-06 09:39 . 2009-07-07 04:40 -------- d--h--w- C:\$AVG8.VAULT$
2009-07-06 09:28 . 2009-07-06 08:51 2052888 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgcorex.dll
2009-07-06 09:10 . 2009-07-06 09:13 117760 ----a-w- c:\documents and settings\sa\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-07-06 09:09 . 2009-07-06 09:09 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-07-06 09:09 . 2009-07-06 09:13 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-07-06 09:09 . 2009-07-06 09:09 -------- d-----w- c:\documents and settings\sa\Application Data\SUPERAntiSpyware.com
2009-07-06 09:08 . 2009-07-06 09:08 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-07-06 08:55 . 2009-07-06 08:55 -------- d-----w- c:\documents and settings\sa\Local Settings\Application Data\AVG Security Toolbar
2009-07-06 08:51 . 2009-07-06 08:51 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-07-06 08:51 . 2009-07-06 08:51 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-07-06 08:51 . 2009-07-06 08:51 327688 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-07-06 08:51 . 2009-07-06 08:51 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-07-06 08:51 . 2009-07-06 21:50 -------- d-----w- c:\windows\system32\drivers\Avg
2009-07-06 08:51 . 2009-07-06 08:51 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar
2009-07-06 08:50 . 2009-07-06 08:50 -------- d-----w- c:\program files\AVG
2009-07-06 08:50 . 2009-07-06 08:50 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-07-05 22:29 . 2009-07-05 22:29 -------- d-----w- c:\documents and settings\sa\Local Settings\Application Data\Mozilla
2009-07-04 21:56 . 2009-07-04 22:03 -------- d-----w- c:\documents and settings\sa\Application Data\gtk-2.0
2009-07-04 20:42 . 2009-07-04 20:42 -------- d-----w- c:\documents and settings\sa\.thumbnails
2009-07-04 20:10 . 2009-07-04 22:51 -------- d-----w- c:\documents and settings\sa\.gimp-2.6
2009-07-04 20:09 . 2009-07-04 20:10 -------- d-----w- c:\documents and settings\sa\.gegl-0.0
2009-07-04 20:08 . 2009-07-04 20:08 -------- d-----w- c:\program files\GIMP-2.0
2009-07-04 16:10 . 2009-07-04 16:10 -------- d-----w- c:\documents and settings\All Users\Application Data\Magix
2009-07-04 16:10 . 2009-07-04 16:10 -------- d-----w- c:\documents and settings\sa\Application Data\MAGIX
2009-07-04 16:10 . 2009-07-04 16:10 -------- d-----w- c:\documents and settings\sa\Local Settings\Application Data\Xara
2009-07-04 16:09 . 2009-07-04 16:09 -------- d-----w- c:\program files\Xara
2009-07-04 16:09 . 2009-07-04 16:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Xara
2009-07-04 04:52 . 2009-07-04 04:52 686080 ----a-w- c:\documents and settings\sa\Application Data\OpenOffice.org\3\user\uno_packages\cache\uno_packages\A6.tmp_\sun-pdfimport.oxt\pdfimport.uno.dll
2009-07-04 04:52 . 2009-07-04 04:52 568832 ----a-w- c:\documents and settings\sa\Application Data\OpenOffice.org\3\user\uno_packages\cache\uno_packages\A6.tmp_\sun-pdfimport.oxt\msvcp90.dll
2009-07-04 04:52 . 2009-07-04 04:52 655872 ----a-w- c:\documents and settings\sa\Application Data\OpenOffice.org\3\user\uno_packages\cache\uno_packages\A6.tmp_\sun-pdfimport.oxt\msvcr90.dll
2009-07-04 04:52 . 2009-07-04 04:52 583168 ----a-w- c:\documents and settings\sa\Application Data\OpenOffice.org\3\user\uno_packages\cache\uno_packages\A6.tmp_\sun-pdfimport.oxt\xpdfimport.exe
2009-07-04 04:52 . 2009-07-04 04:52 224768 ----a-w- c:\documents and settings\sa\Application Data\OpenOffice.org\3\user\uno_packages\cache\uno_packages\A6.tmp_\sun-pdfimport.oxt\msvcm90.dll
2009-07-03 04:52 . 2009-07-03 04:52 -------- d-----w- c:\documents and settings\sa\Local Settings\Application Data\Identities
2009-07-02 21:57 . 2009-07-02 21:57 -------- d-s---w- c:\documents and settings\milli\UserData
2009-07-02 20:42 . 2009-07-02 21:07 -------- d-----w- c:\windows\system32\CatRoot_bak
2009-07-02 20:40 . 2008-06-13 13:10 272128 -c----w- c:\windows\system32\dllcache\bthport.sys
2009-07-02 20:40 . 2008-06-13 13:10 272128 ------w- c:\windows\system32\drivers\bthport.sys
2009-07-02 20:35 . 2008-05-08 12:28 202752 -c----w- c:\windows\system32\dllcache\rmcast.sys
2009-07-02 20:35 . 2008-10-24 11:10 453632 -c----w- c:\windows\system32\dllcache\mrxsmb.sys
2009-07-02 20:34 . 2008-06-11 08:58 2330624 -c----w- c:\windows\system32\dllcache\WMVCore.dll
2009-07-02 20:34 . 2008-05-01 14:30 331776 -c----w- c:\windows\system32\dllcache\msadce.dll
2009-07-02 20:34 . 2008-04-11 18:50 683520 -c----w- c:\windows\system32\dllcache\inetcomm.dll
2009-07-02 20:32 . 2008-10-03 10:15 247326 -c----w- c:\windows\system32\dllcache\strmdll.dll
2009-07-02 20:32 . 2008-10-15 16:57 332800 -c----w- c:\windows\system32\dllcache\netapi32.dll
2009-07-02 20:31 . 2008-09-04 16:42 1106944 -c----w- c:\windows\system32\dllcache\msxml3.dll
2009-07-02 20:30 . 2008-04-21 10:02 215552 -c----w- c:\windows\system32\dllcache\wordpad.exe
2009-07-02 20:27 . 2001-08-17 19:52 18688 -c--a-w- c:\windows\system32\dllcache\cdaudio.sys
2009-07-02 20:27 . 2001-08-17 19:52 18688 ----a-w- c:\windows\system32\drivers\cdaudio.sys
2009-07-02 06:37 . 2009-07-02 06:37 -------- d-----w- c:\documents and settings\Guest\Local Settings\Application Data\toaster
2009-06-28 19:52 . 2009-06-28 19:52 -------- d-----w- c:\documents and settings\sa\Local Settings\Application Data\ATI
2009-06-28 19:52 . 2009-06-28 19:52 -------- d-----w- c:\documents and settings\sa\Application Data\ATI
2009-06-28 19:52 . 2009-06-28 19:52 -------- d-----w- c:\documents and settings\All Users\Application Data\ATI
2009-06-28 19:50 . 2009-06-28 19:50 0 ----a-w- c:\windows\ativpsrm.bin
2009-06-28 19:43 . 2009-06-28 19:44 -------- d-----w- c:\program files\ATI Technologies
2009-06-28 19:42 . 2009-06-28 19:42 -------- d-----w- C:\ATI
2009-06-28 19:15 . 2009-06-28 19:24 -------- d-----w- c:\program files\SystemRequirementsLab
2009-06-28 19:15 . 2009-06-28 19:15 255488 ----a-w- c:\documents and settings\sa\Application Data\SystemRequirementsLab\SRLProxy_srl_4_0_0_4_d.dll
2009-06-28 19:15 . 2009-06-28 19:15 255488 ----a-w- c:\documents and settings\sa\Application Data\SystemRequirementsLab\SRLProxy_srl_4_0_0_4_c.dll
2009-06-28 19:15 . 2009-06-28 19:15 255488 ----a-w- c:\documents and settings\sa\Application Data\SystemRequirementsLab\SRLProxy_srl_4_0_0_4_b.dll
2009-06-28 19:15 . 2009-06-28 19:15 255488 ----a-w- c:\documents and settings\sa\Application Data\SystemRequirementsLab\SRLProxy_srl_4_0_0_4_a.dll
2009-06-28 19:15 . 2009-06-28 19:15 -------- d-----w- c:\documents and settings\sa\Application Data\SystemRequirementsLab
2009-06-28 18:55 . 2009-06-28 18:55 -------- d-----w- C:\Python26
2009-06-26 19:33 . 2009-06-26 19:33 -------- d-----w- c:\documents and settings\sa\Application Data\Corel
2009-06-26 18:40 . 2009-07-05 21:23 1 ----a-w- c:\documents and settings\sa\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2009-06-26 18:38 . 2009-06-26 18:38 -------- d-----w- c:\documents and settings\sa\Application Data\OpenOffice.org
2009-06-26 13:22 . 2009-06-26 13:22 -------- d-----w- c:\program files\JRE
2009-06-26 13:22 . 2009-06-26 13:22 -------- d-----w- c:\program files\OpenOffice.org 3
2009-06-26 08:05 . 2009-06-26 08:05 -------- d-----w- c:\documents and settings\All Users\Application Data\InstallShield
2009-06-26 08:05 . 2009-06-26 08:05 65536 ----a-r- c:\documents and settings\sa\Application Data\Microsoft\Installer\{F428D0FB-765D-40EB-BDD8-A1E7F5C597FA}\Shortcut0.C3A146F5_4B48_11D5_A819_00B0D0428C0C.exe
2009-06-26 08:05 . 2009-06-26 08:05 10134 ----a-r- c:\documents and settings\sa\Application Data\Microsoft\Installer\{F428D0FB-765D-40EB-BDD8-A1E7F5C597FA}\ARPPRODUCTICON.exe
2009-06-26 08:02 . 2009-06-26 08:02 -------- d-----w- c:\program files\Corel
2009-06-26 08:02 . 2009-06-26 08:02 -------- d-----w- c:\program files\Common Files\Corel
2009-06-26 08:02 . 2009-06-26 08:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Corel
2009-06-26 07:48 . 2009-06-26 17:52 -------- d-----w- c:\windows\SxsCaPendDel
2009-06-22 18:18 . 2009-06-22 18:18 -------- d-----w- c:\documents and settings\All Users\Application Data\Adobe Systems
2009-06-22 18:10 . 2009-06-22 18:10 -------- d-----w- c:\documents and settings\sa\Application Data\ZipGenius
2009-06-22 18:09 . 2009-06-22 18:09 -------- d-----w- c:\program files\ZipGenius 6
2009-06-22 18:08 . 2009-06-22 18:08 -------- d-----w- c:\documents and settings\sa\Local Settings\Application Data\TBlauhut
2009-06-22 18:08 . 2009-06-28 23:23 -------- d-----w- C:\StandAloneSoftware
2009-06-22 18:00 . 2009-06-26 13:20 -------- d-----w- c:\temp\TemporaryInstall
2009-06-22 16:45 . 2009-06-22 16:45 -------- d-----w- c:\program files\Common Files\Adobe Systems Shared
2009-06-22 16:42 . 2009-06-22 16:42 -------- d-----w- c:\windows\system32\Adobe
2009-06-22 16:42 . 2004-08-17 00:40 16384 ----a-w- c:\windows\system32\FileOps.exe
2009-06-22 04:30 . 2009-06-17 15:57 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-22 04:30 . 2009-06-22 04:30 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-22 04:30 . 2009-06-17 15:57 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-22 03:39 . 2009-06-22 03:39 -------- d-----w- c:\documents and settings\sa\Local Settings\Application Data\ESET
2009-06-22 02:59 . 2009-06-22 02:59 -------- d-----w- c:\documents and settings\sa\Application Data\ESET
2009-06-22 02:58 . 2009-06-22 02:58 -------- d-----w- c:\documents and settings\All Users\Application Data\ESET
2009-06-22 02:47 . 2009-06-22 02:47 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Google
2009-06-21 08:28 . 2009-06-21 08:28 -------- d-----w- c:\program files\Common Files\xing shared
2009-06-21 07:36 . 2009-06-27 01:01 -------- d-----w- c:\documents and settings\sa\Local Settings\Application Data\Adobe
2009-06-21 07:32 . 2009-06-26 12:09 -------- d-----w- c:\program files\Common Files\Adobe
2009-06-21 07:27 . 2009-06-21 07:27 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Google
2009-06-21 07:26 . 2008-11-20 19:19 9200 ------w- c:\windows\system32\drivers\cdralw2k.sys
2009-06-21 07:26 . 2008-11-20 19:19 9072 ------w- c:\windows\system32\drivers\cdr4_xp.sys
2009-06-21 07:26 . 2009-06-21 07:26 -------- d-----w- c:\windows\system32\IOSUBSYS
2009-06-21 07:23 . 2009-06-21 09:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-06-21 06:11 . 2009-06-21 22:20 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-06-20 23:39 . 2009-06-20 23:39 -------- d-----w- C:\N360_BACKUP
2009-06-20 22:37 . 2009-06-22 02:41 -------- d-----w- c:\documents and settings\All Users\Application Data\{7B6BA59A-FB0E-4499-8536-A7420338BF3B}
2009-06-20 22:16 . 2009-06-20 22:34 -------- d-----w- c:\documents and settings\sa\Application Data\GetRightToGo
2009-06-20 21:32 . 2009-06-20 21:39 -------- d-----w- c:\documents and settings\sa\DoctorWeb
2009-06-20 05:04 . 2009-07-07 08:43 25052192 --sha-w- c:\windows\system32\drivers\fidbox.dat
2009-06-20 05:04 . 2009-07-07 08:42 362528 --sha-w- c:\windows\system32\drivers\fidbox2.dat
2009-06-20 03:14 . 2009-06-20 22:37 -------- d-----w- c:\documents and settings\sa\Local Settings\Application Data\Downloaded Installations
2009-06-19 20:55 . 2009-06-19 20:55 -------- d-----w- c:\program files\MSSOAP
2009-06-19 20:54 . 2009-06-20 06:43 -------- d-----w- c:\documents and settings\sa\Application Data\Webroot
2009-06-19 20:53 . 2009-06-19 20:53 164 ----a-w- c:\windows\install.dat
2009-06-19 18:48 . 2009-06-28 12:26 -------- d-----w- c:\documents and settings\sa\.housecall6.6
2009-06-19 18:46 . 2009-06-19 18:46 -------- d-----w- c:\windows\Sun
2009-06-19 18:35 . 2009-06-19 18:35 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-06-19 18:35 . 2009-06-19 18:35 152576 ----a-w- c:\documents and settings\sa\Application Data\Sun\Java\jre1.6.0_14\lzma.dll
2009-06-19 09:02 . 2009-06-19 09:02 -------- d-----w- c:\program files\MSXML 4.0
2009-06-19 08:42 . 2009-07-05 04:44 -------- d-----w- c:\program files\Panda Security
2009-06-19 04:01 . 2009-06-19 04:01 -------- d-----w- c:\documents and settings\sa\Application Data\Malwarebytes
2009-06-19 04:01 . 2009-06-19 04:01 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-06-19 03:44 . 2009-06-19 03:44 -------- d-----w- c:\program files\CCleaner
2009-06-18 22:29 . 2009-06-18 22:29 -------- d-----w- c:\documents and settings\sa\Local Settings\Application Data\toaster
2009-06-18 22:27 . 2009-07-05 03:50 -------- d-----w- C:\Temporary
2009-06-18 22:06 . 2009-06-21 22:53 -------- d-----w- c:\windows\BDOSCAN8
2009-06-18 20:39 . 2009-06-18 20:39 -------- d-s---w- c:\documents and settings\sa\UserData
2009-06-13 04:46 . 2009-06-13 04:48 -------- d-----w- C:\DPS
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-06 08:47 . 2006-06-19 04:25 64648 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-07-06 08:44 . 2009-06-20 05:04 33932 --sha-w- c:\windows\system32\drivers\fidbox2.idx
2009-07-06 08:44 . 2009-06-20 05:04 278900 --sha-w- c:\windows\system32\drivers\fidbox.idx
2009-07-06 01:01 . 2008-12-31 04:03 -------- d-----w- c:\program files\Google
2009-07-05 01:21 . 2009-07-05 01:21 -------- d-----w- c:\program files\Broadcom
2009-07-05 01:21 . 2009-07-05 01:20 -------- d-----w- c:\program files\Wireless-N PCI Adapter
2009-07-05 01:20 . 2008-12-31 04:05 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-06-26 13:21 . 2008-12-31 04:14 -------- d-----w- c:\program files\Java
2009-06-26 08:05 . 2008-12-31 04:05 -------- d-----w- c:\program files\Common Files\InstallShield
2009-06-21 08:28 . 2008-12-31 04:32 -------- d-----w- c:\program files\Common Files\Real
2009-06-20 23:35 . 2009-06-02 03:47 -------- d-----w- c:\documents and settings\sa\Application Data\AOL
2009-06-20 22:36 . 2008-12-31 04:31 -------- d-----w- c:\program files\Pure Networks
2009-06-08 21:48 . 2009-03-21 13:22 402 ----a-w- c:\documents and settings\sa\Application Data\wklnhst.dat
2009-06-07 16:34 . 2009-02-19 03:21 -------- d-----w- c:\documents and settings\sa\Application Data\McAfee.com Personal Firewall
2009-06-04 22:08 . 2009-01-18 18:17 1024 ----a-w- c:\documents and settings\All Users\Application Data\BVRP Software\Motorola Phone Tools\faxres.cmd
2009-06-02 01:38 . 2009-06-02 01:30 -------- d-----w- c:\program files\Common Files\Knowledge Adventure
2009-06-02 01:33 . 2009-05-28 02:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Knowledge Adventure
2009-06-02 01:30 . 2009-06-02 01:30 -------- d-----w- c:\program files\JumpStart Spy Masters
2009-05-28 02:12 . 2009-05-28 02:12 -------- d-----w- c:\program files\JumpStart
2009-05-28 01:48 . 2009-05-28 01:30 -------- d-----w- c:\program files\Blaster
2009-05-28 01:07 . 2009-05-07 19:13 -------- d-----w- c:\program files\Disney Interactive
2009-05-28 00:38 . 2009-05-07 19:13 933 ----a-w- c:\windows\EReg515.dat
2009-05-28 00:37 . 2009-05-28 00:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Disney Interactive
2009-05-25 03:20 . 2009-05-25 03:18 -------- d-----w- c:\program files\InterActual
2009-05-22 22:48 . 2009-01-18 04:17 -------- d-----w- c:\program files\Avanquest update
2009-05-22 22:48 . 2009-01-18 18:23 -------- d-----w- c:\program files\Motorola Phone Tools
2009-05-22 19:02 . 2009-02-27 00:07 502 ----a-w- c:\documents and settings\milli\Application Data\wklnhst.dat
2009-05-16 22:35 . 2009-05-14 02:28 25600 ----a-w- c:\windows\system32\drivers\usbsermptxp.sys
2009-05-16 01:18 . 2009-05-14 02:28 9232 ----a-w- c:\documents and settings\milli\mqdmmdfl.sys
2009-05-16 01:18 . 2009-05-14 02:28 92064 ----a-w- c:\documents and settings\milli\mqdmmdm.sys
2009-05-16 01:18 . 2009-05-14 02:28 79328 ----a-w- c:\documents and settings\milli\mqdmserd.sys
2009-05-16 01:18 . 2009-05-14 02:28 66656 ----a-w- c:\documents and settings\milli\mqdmbus.sys
2009-05-16 01:18 . 2009-05-14 02:28 6208 ----a-w- c:\documents and settings\milli\mqdmcmnt.sys
2009-05-16 01:18 . 2009-05-14 02:28 5936 ----a-w- c:\documents and settings\milli\mqdmwhnt.sys
2009-05-16 01:18 . 2009-05-14 02:28 4048 ----a-w- c:\documents and settings\milli\mqdmcr.sys
2009-05-16 01:18 . 2009-05-14 02:28 25600 ----a-w- c:\documents and settings\milli\usbsermptxp.sys
2009-05-16 01:18 . 2009-05-14 02:28 22768 ----a-w- c:\documents and settings\milli\usbsermpt.sys
2009-05-15 23:44 . 2009-05-15 23:44 -------- d-----w- c:\documents and settings\milli\Application Data\Ulead Systems
2009-05-15 23:42 . 2009-05-15 23:40 -------- d-----w- c:\documents and settings\All Users\Application Data\Ulead Systems
2009-05-15 23:41 . 2009-05-15 23:41 -------- d-----w- c:\program files\Common Files\Ulead Systems
2009-05-15 23:41 . 2009-05-15 23:41 -------- d-----w- c:\program files\Ulead Systems
2009-05-15 22:52 . 2009-05-15 22:52 -------- d-----w- c:\documents and settings\Guest\Application Data\WildTangent
2009-05-07 15:44 . 2008-12-23 21:13 344064 ----a-w- c:\windows\system32\localspl.dll
2009-05-01 18:30 . 2009-05-01 18:30 3366912 ----a-w- c:\windows\system32\GPhotos.scr
2009-04-29 04:31 . 2006-06-17 09:23 668160 ----a-w- c:\windows\system32\wininet.dll
2009-04-29 04:31 . 2008-12-23 21:11 81920 ----a-w- c:\windows\system32\ieencode.dll
2009-04-17 09:58 . 2006-06-17 09:23 1846656 ----a-w- c:\windows\system32\win32k.sys
2009-04-15 15:11 . 2008-12-23 21:15 584192 ----a-w- c:\windows\system32\rpcrt4.dll
2009-04-15 03:12 . 2009-04-15 03:12 2134016 ----a-w- c:\windows\system32\python26.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-06-14 20:37 1004800 ----a-w- c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-06-21 39408]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-10 15360]
"DeskSave"="c:\standalonesoftware\DeskSave8-SavesIconsPositions\DeskSave.exe" [2009-06-22 82944]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-07-06 1830128]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-06 64512]
"readericon"="c:\program files\Digital Media Reader\readericon45G.exe" [2005-12-10 139264]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-12-31 169984]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]
"Ulead AutoDetector"="c:\program files\Ulead Systems\Ulead Photo Explorer 8.0 SE\Monitor.exe" [2003-02-28 45056]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-12-31 98304]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-06-19 148888]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-06-21 185896]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2005-02-16 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-02-16 81920]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2009-02-25 61440]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2006-04-25 1273856]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-07-06 1948440]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2006-04-17 16143872]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Power2GoExpress"="NA" [X]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-10 15360]
c:\documents and settings\sa\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]
OpenOffice.org 3.1.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2009-4-16 384000]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
BigFix.lnk - c:\program files\BigFix\bigfix.exe [2008-12-31 2168360]
Install Pending Files.LNK - c:\program files\SIFXINST\SIFXINST.EXE [2008-12-31 729088]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 16:35 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-07-06 08:51 11952 ----a-w- c:\windows\system32\avgrsstx.dll
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [7/6/2009 4:21 AM 327688]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [7/6/2009 4:21 AM 108552]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [7/6/2009 4:20 AM 906520]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [7/6/2009 4:20 AM 298776]
R2 WMP300NSvc;WMP300NSvc;c:\program files\Wireless-N PCI Adapter\WLService.exe [7/4/2009 8:51 PM 53307]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [5/26/2009 10:05 AM 7408]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [5/26/2009 10:05 AM 9968]
S2 gupdate1c9f241b04d102a;Servicio de actualización de Google (gupdate1c9f241b04d102a);c:\program files\Google\Update\GoogleUpdate.exe [6/21/2009 2:57 AM 133104]
--- Other Services/Drivers In Memory ---
*NewlyCreated* - AVG8EMC
*NewlyCreated* - AVG8WD
*NewlyCreated* - AVGLDX86
*NewlyCreated* - AVGMFX86
*NewlyCreated* - AVGTDIX
*NewlyCreated* - SASENUM
.
Contents of the 'Scheduled Tasks' folder
2009-07-07 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-06-21 07:22]
2009-07-07 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-06-21 07:26]
2009-07-07 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-06-21 07:26]
2008-12-31 c:\windows\Tasks\ISP signup reminder 2.job
- c:\windows\system32\OOBE\oobebaln.exe [2008-12-23 19:00]
2008-12-31 c:\windows\Tasks\ISP signup reminder 3.job
- c:\windows\system32\OOBE\oobebaln.exe [2008-12-23 19:00]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
FF - ProfilePath - c:\documents and settings\sa\Application Data\Mozilla\Firefox\Profiles\9ah900kr.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - prefs.js: keyword.URL - hxxp://us.yhs.search.yahoo.com/avg/search?fr=yhs-avg&type=yahoo_avg_hs2-tb-web_us&p=
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\xpavgtbapi.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1601.7122\npCIDetect13.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Google\Update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-07 04:13
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{BB4C402F-882A-4526-8C08-51278EA437C1}\InprocServer32]
@DACL=(02 0000)
@="c:\\WINDOWS\\system32\\e8main0.dll"
"ThreadingModel"="Apartment"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(728)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\Ati2evxx.dll
c:\windows\System32\BCMLogon.dll
.
Completion time: 2009-07-07 4:16
ComboFix-quarantined-files.txt 2009-07-07 08:46
Pre-Run: 95,774,932,992 bytes free
Post-Run: 96,026,443,776 bytes free
360 --- E O F --- 2009-07-04 20:44
By the way, that file up there indicated in the locked registry keys area (the following one):
c:\WINDOWS\system32\e8main0.dll
I can't see it from the file explorer. It's not that I can't delete it; I can't see it, even if I choose all the folder options to show hidden files and operating system files.
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [7/6/2009 4:21 AM 327688]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [7/6/2009 4:21 AM 108552]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [7/6/2009 4:20 AM 906520]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [7/6/2009 4:20 AM 298776]
R2 WMP300NSvc;WMP300NSvc;c:\program files\Wireless-N PCI Adapter\WLService.exe [7/4/2009 8:51 PM 53307]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [5/26/2009 10:05 AM 7408]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [5/26/2009 10:05 AM 9968]
S2 gupdate1c9f241b04d102a;Servicio de actualización de Google (gupdate1c9f241b04d102a);c:\program files\Google\Update\GoogleUpdate.exe [6/21/2009 2:57 AM 133104]
--- Other Services/Drivers In Memory ---
*NewlyCreated* - AVG8EMC
*NewlyCreated* - AVG8WD
*NewlyCreated* - AVGLDX86
*NewlyCreated* - AVGMFX86
*NewlyCreated* - AVGTDIX
*NewlyCreated* - SASENUM
.
Contents of the 'Scheduled Tasks' folder
2009-07-07 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-06-21 07:22]
2009-07-07 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-06-21 07:26]
2009-07-07 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-06-21 07:26]
2008-12-31 c:\windows\Tasks\ISP signup reminder 2.job
- c:\windows\system32\OOBE\oobebaln.exe [2008-12-23 19:00]
2008-12-31 c:\windows\Tasks\ISP signup reminder 3.job
- c:\windows\system32\OOBE\oobebaln.exe [2008-12-23 19:00]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
FF - ProfilePath - c:\documents and settings\sa\Application Data\Mozilla\Firefox\Profiles\9ah900kr.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - prefs.js: keyword.URL - hxxp://us.yhs.search.yahoo.com/avg/search?fr=yhs-avg&type=yahoo_avg_hs2-tb-web_us&p=
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\xpavgtbapi.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1601.7122\npCIDetect13.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Google\Update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-07 04:13
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{BB4C402F-882A-4526-8C08-51278EA437C1}\InprocServer32]
@DACL=(02 0000)
@="c:\\WINDOWS\\system32\\e8main0.dll"
"ThreadingModel"="Apartment"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(728)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\Ati2evxx.dll
c:\windows\System32\BCMLogon.dll
.
Completion time: 2009-07-07 4:16
ComboFix-quarantined-files.txt 2009-07-07 08:46
Pre-Run: 95,774,932,992 bytes free
Post-Run: 96,026,443,776 bytes free
360 --- E O F --- 2009-07-04 20:44
By the way, that file indicated up there in the locked registry keys area (the following one):
c:\WINDOWS\system32\e8main0.dll
I can't see it from the file explorer; it's not that I can't delete it, I can't see it, even if I choose all the "see hidden system files" and "operating system files" folder options.
#6
Posted 07 July 2009 - 09:56 AM
I don't know if there is a file there with such a name. In the SuperAntispyware report it also shows such an entry; if you look at the first post I did you see it there, but there doesn't seem to be a file there called that. I even tried the experiment of writing a text file with Notepad with a few letters in it with that exact name (e8main0.dll), and I put it in the system32 directory to see if Windows allowed it, and it did, and then I deleted the fake text file with no problem. So why do they report the existence of such a file?
#7
Posted 07 July 2009 - 10:03 AM
STEP 01
Download but do not yet run ComboFix
If you have a previous version of Combofix.exe, delete it and download a fresh copy.
Download it to your DESKTOP - it MUST run from the Desktop
download.bleepingcomputer.com/sUBs/ComboFix.exe
subs.geekstogo.com/ComboFix.exe
Using your mouse, Highlight and then Right-click | Copy the entire contents of the Code box below, including blank lines
KILLALL::
RegLock::
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{BB4C402F-882A-4526-8C08-51278EA437C1}]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{BB4C402F-882A-4526-8C08-51278EA437C1}\InprocServer32]
Registry::
[-HKEY_LOCAL_MACHINE\software\Classes\CLSID\{BB4C402F-882A-4526-8C08-51278EA437C1}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{BB4C402F-882A-4526-8C08-51278EA437C1}"=-
File::
C:\Windows\system32\e8main0.dll
C:\Windows\AhnRpta.exe
C:\Windows\c.exe
c:\documents and settings\sa\Local Settings\temp\*.txt
Open a new Notepad session (Do not use a Word Processor or WordPad). Click "Format" and be certain that Word Wrap is not enabled. Right-click | Paste the Code box contents from above into Notepad. Click File, Save as..., and set the location to your Desktop, and enter (including quotation marks) as the filename: "CFscript.txt" .
Using your mouse, drag the new file CFscript.txt and drop it on the Combo-Fix.exe icon as shown:

- Important: Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.
- Disconnect from the Internet.
- Disable your Antivirus software. If it has Script Blocking features, please disable these as well.
- A window may open with a series of Disclaimers. Accept the Disclaimers to start the fix.
- It may identify that Recovery Console is not installed. Please accept when asked if you wish it to be installed.
When the scan completes, Notepad will open with your results log. Do a File, Exit.
Post back the Combofix log on your next reply.
STEP 02
- Download and install CCleaner
- CCleaner
- Double-click on the downloaded file "ccsetup220_slim.exe" and install the application.
- Keep the default installation folder "C:\Program Files\CCleaner"
- Click finish when done and close ALL PROGRAMS
- Start the CCleaner program.
- Click on Registry and Uncheck Registry Integrity so that it does not run (basically the very top, uncheck it)
- Click on Options - Advanced and Uncheck "Only delete files in Windows Temp folders older than 48 hours"
- Click back to Cleaner and under SYSTEM uncheck the Memory Dumps and Windows Log Files
- Click on Run Cleaner button on the bottom right side of the program.
- Click OK to any prompts
STEP 03
Temporarily disable your current Anti-Virus and run this Online AV scanner.
PANDA ONLINE SCAN
Please go >here< to run Panda's ActiveScan
- Once you are on the Panda site, click the Scan your PC now button
- A new window will open...click the Scan Now button
- Allow the ActiveX control to be installed. It will start downloading the files it requires for the scan. Note: This may take a couple of minutes
- Run the ActiveX control, if requested. The screen will then show the scanning progress - the scan will take a while to finish. Please be patient.
- When the scan has finished, click on Export To
- Save the file as Activescan.txt to your Desktop
- Close the Activescan window then go to your Desktop
- Double-click on Activescan.txt and it will open in Notepad
- In Notepad, click Edit > Select all, then Edit > Copy
- Reply to this thread and click Ctrl+V to paste the log in your reply
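Two things in this thread lend themselves to a quick triage script: the question in post #6 (scanners report c:\WINDOWS\system32\e8main0.dll, yet no such file is visible) and the locked CLSID key that the CFScript above targets with RegLock:: and removes from ShellExecuteHooks. The PowerShell below is an added example and is not code from this thread, from ComboFix or from SUPERAntiSpyware. It assumes Windows PowerShell with .NET registry access, run from an elevated prompt so that an access-denied error means a restrictive DACL rather than ordinary user rights. It walks every CLSID under HKLM and HKCU, reports in-process COM servers whose DLL is not on disk or whose key cannot be opened, and then resolves each CLSID listed in Explorer's ShellExecuteHooks the same way; no GUIDs or paths beyond those already in the thread are assumed.

```powershell
# Added example (not from this thread, ComboFix or SUPERAntiSpyware).
# Reports CLSIDs whose InprocServer32 DLL is missing on disk or whose key
# cannot be opened ("locked"), then lists Explorer's ShellExecuteHooks.
# Assumes Windows PowerShell with .NET registry access, run elevated.

# Turn a server value as stored in the registry (possibly quoted, possibly
# using %SystemRoot%-style variables) into a plain file path.
function Resolve-ServerPath {
    param([string]$RawValue)
    if ([string]::IsNullOrEmpty($RawValue)) { return $null }
    $p = $RawValue.Trim()
    if ($p.StartsWith('"')) {
        $end = $p.IndexOf('"', 1)
        if ($end -gt 0) { $p = $p.Substring(1, $end - 1) }
    }
    return [Environment]::ExpandEnvironmentVariables($p)
}

# Common shape for every finding emitted below.
function New-ServerReport {
    param([string]$Hive, [string]$Clsid, [string]$Server, [string]$State)
    New-Object PSObject -Property @{ Hive = $Hive; Clsid = $Clsid; Server = $Server; State = $State }
}

# Open the CLSID's InprocServer32 subkey and classify what it points at.
function Test-InprocServer {
    param([Microsoft.Win32.RegistryKey]$ClsidKey)
    $parts = $ClsidKey.Name.Split('\')
    $hive  = $parts[0]
    $clsid = $parts[-1]
    try {
        $ips = $ClsidKey.OpenSubKey('InprocServer32')
    } catch [System.Security.SecurityException], [System.UnauthorizedAccessException] {
        # Subkey exists but its DACL denies us: the "Error while opening key" case.
        return New-ServerReport $hive $clsid $null 'locked'
    }
    if ($ips -eq $null) { return $null }        # not an in-process server
    $server = Resolve-ServerPath ($ips.GetValue(''))
    $ips.Close()
    if (-not $server) { return New-ServerReport $hive $clsid $null 'no-default-value' }
    if (-not (Test-Path -LiteralPath $server -PathType Leaf)) {
        # Either an orphaned registration or a file hidden from user mode; only an
        # offline or rootkit scan (like the catchme section of the log) tells which.
        return New-ServerReport $hive $clsid $server 'missing-file'
    }
    return New-ServerReport $hive $clsid $server 'ok'
}

# Enumerate every CLSID under the given hives and return only the suspect ones.
function Get-SuspectInprocServers {
    param(
        [Microsoft.Win32.RegistryKey[]]$Roots = @(
            [Microsoft.Win32.Registry]::LocalMachine,
            [Microsoft.Win32.Registry]::CurrentUser)
    )
    foreach ($root in $Roots) {
        $clsidRoot = $root.OpenSubKey('SOFTWARE\Classes\CLSID')
        if ($clsidRoot -eq $null) { continue }
        foreach ($name in $clsidRoot.GetSubKeyNames()) {
            try {
                $key = $clsidRoot.OpenSubKey($name)
            } catch [System.Security.SecurityException], [System.UnauthorizedAccessException] {
                # The CLSID key itself is locked (regedit: "Error while deleting the key").
                New-ServerReport $root.Name $name $null 'locked'
                continue
            }
            if ($key -eq $null) { continue }
            $report = Test-InprocServer $key
            $key.Close()
            if ($report -ne $null -and $report.State -ne 'ok') { $report }
        }
        $clsidRoot.Close()
    }
}

# Explorer loads every CLSID listed under ShellExecuteHooks; resolve each so the
# operator can compare the list with what the CFScript removes.
function Get-ShellExecuteHooks {
    $hooks = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey(
        'SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks')
    if ($hooks -eq $null) { return }
    foreach ($clsid in $hooks.GetValueNames()) {
        try {
            $key = [Microsoft.Win32.Registry]::ClassesRoot.OpenSubKey("CLSID\$clsid")
        } catch [System.Security.SecurityException], [System.UnauthorizedAccessException] {
            New-ServerReport 'HKEY_CLASSES_ROOT' $clsid $null 'locked'
            continue
        }
        if ($key -eq $null) {
            New-ServerReport 'HKEY_CLASSES_ROOT' $clsid $null 'no-clsid-key'
            continue
        }
        $report = Test-InprocServer $key
        $key.Close()
        if ($report -ne $null) { $report }
    }
    $hooks.Close()
}

Get-SuspectInprocServers | Format-Table Hive, Clsid, State, Server -AutoSize
Get-ShellExecuteHooks    | Format-Table Hive, Clsid, State, Server -AutoSize
```

A 'locked' result is the pattern shown in the LOCKED REGISTRY KEYS section of the log; a 'missing-file' result is the situation post #6 describes, and on its own it does not say whether the DLL was removed and the registration left behind or whether something is hiding the file from user-mode tools, which is why the thread pairs the registry view with a rootkit scan. The script only reads the registry; it changes nothing.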
#8
Posted 07 July 2009 - 08:11 PM
I followed the first step of your procedure by the book. I did notice a difference in the registry afterward: now the keys are still there, but they have nothing listed underneath. No InprocServer32 listing underneath. The keys still appear in the two places mentioned in the original SuperAntispyware log (in HKLM and HKCR), but there is nothing underneath them. I was tempted to try to delete them to see what happened, but I'd rather wait for your answer. Also, can I run SuperAntispyware to see if it's gone before proceeding with the other steps? Here is the new log:
ComboFix 09-07-07.03 - sa 07/07/2009 14:59.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.446.139 [GMT -4.5:30]
Running from: c:\documents and settings\sa\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\sa\Desktop\CFscript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FILE ::
"c:\windows\AhnRpta.exe"
"c:\windows\c.exe"
"c:\windows\system32\e8main0.dll"
.
((((((((((((((((((((((((( Files Created from 2009-06-07 to 2009-07-07 )))))))))))))))))))))))))))))))
.
2009-07-06 09:39 . 2009-07-07 04:40 -------- d--h--w- C:\$AVG8.VAULT$
2009-07-06 09:28 . 2009-07-06 08:51 2052888 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgcorex.dll
2009-07-06 09:10 . 2009-07-07 19:39 117760 ----a-w- c:\documents and settings\sa\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-07-06 09:09 . 2009-07-06 09:09 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-07-06 09:09 . 2009-07-06 09:13 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-07-06 09:09 . 2009-07-06 09:09 -------- d-----w- c:\documents and settings\sa\Application Data\SUPERAntiSpyware.com
2009-07-06 09:08 . 2009-07-06 09:08 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-07-06 08:55 . 2009-07-06 08:55 -------- d-----w- c:\documents and settings\sa\Local Settings\Application Data\AVG Security Toolbar
2009-07-06 08:51 . 2009-07-06 08:51 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-07-06 08:51 . 2009-07-06 08:51 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-07-06 08:51 . 2009-07-06 08:51 327688 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-07-06 08:51 . 2009-07-06 08:51 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-07-06 08:51 . 2009-07-07 16:35 -------- d-----w- c:\windows\system32\drivers\Avg
2009-07-06 08:51 . 2009-07-06 08:51 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar
2009-07-06 08:50 . 2009-07-06 08:50 -------- d-----w- c:\program files\AVG
2009-07-06 08:50 . 2009-07-06 08:50 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-07-05 22:29 . 2009-07-05 22:29 -------- d-----w- c:\documents and settings\sa\Local Settings\Application Data\Mozilla
2009-07-04 21:56 . 2009-07-04 22:03 -------- d-----w- c:\documents and settings\sa\Application Data\gtk-2.0
2009-07-04 20:42 . 2009-07-04 20:42 -------- d-----w- c:\documents and settings\sa\.thumbnails
2009-07-04 20:10 . 2009-07-04 22:51 -------- d-----w- c:\documents and settings\sa\.gimp-2.6
2009-07-04 20:09 . 2009-07-04 20:10 -------- d-----w- c:\documents and settings\sa\.gegl-0.0
2009-07-04 20:08 . 2009-07-04 20:08 -------- d-----w- c:\program files\GIMP-2.0
2009-07-04 16:10 . 2009-07-04 16:10 -------- d-----w- c:\documents and settings\All Users\Application Data\Magix
2009-07-04 16:10 . 2009-07-04 16:10 -------- d-----w- c:\documents and settings\sa\Application Data\MAGIX
2009-07-04 16:10 . 2009-07-04 16:10 -------- d-----w- c:\documents and settings\sa\Local Settings\Application Data\Xara
2009-07-04 16:09 . 2009-07-04 16:09 -------- d-----w- c:\program files\Xara
2009-07-04 16:09 . 2009-07-04 16:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Xara
2009-07-04 04:52 . 2009-07-04 04:52 686080 ----a-w- c:\documents and settings\sa\Application Data\OpenOffice.org\3\user\uno_packages\cache\uno_packages\A6.tmp_\sun-pdfimport.oxt\pdfimport.uno.dll
2009-07-04 04:52 . 2009-07-04 04:52 568832 ----a-w- c:\documents and settings\sa\Application Data\OpenOffice.org\3\user\uno_packages\cache\uno_packages\A6.tmp_\sun-pdfimport.oxt\msvcp90.dll
2009-07-04 04:52 . 2009-07-04 04:52 655872 ----a-w- c:\documents and settings\sa\Application Data\OpenOffice.org\3\user\uno_packages\cache\uno_packages\A6.tmp_\sun-pdfimport.oxt\msvcr90.dll
2009-07-04 04:52 . 2009-07-04 04:52 583168 ----a-w- c:\documents and settings\sa\Application Data\OpenOffice.org\3\user\uno_packages\cache\uno_packages\A6.tmp_\sun-pdfimport.oxt\xpdfimport.exe
2009-07-04 04:52 . 2009-07-04 04:52 224768 ----a-w- c:\documents and settings\sa\Application Data\OpenOffice.org\3\user\uno_packages\cache\uno_packages\A6.tmp_\sun-pdfimport.oxt\msvcm90.dll
2009-07-03 04:52 . 2009-07-03 04:52 -------- d-----w- c:\documents and settings\sa\Local Settings\Application Data\Identities
2009-07-02 21:57 . 2009-07-02 21:57 -------- d-s---w- c:\documents and settings\milli\UserData
2009-07-02 20:42 . 2009-07-02 21:07 -------- d-----w- c:\windows\system32\CatRoot_bak
2009-07-02 20:40 . 2008-06-13 13:10 272128 -c----w- c:\windows\system32\dllcache\bthport.sys
2009-07-02 20:40 . 2008-06-13 13:10 272128 ------w- c:\windows\system32\drivers\bthport.sys
2009-07-02 20:35 . 2008-05-08 12:28 202752 -c----w- c:\windows\system32\dllcache\rmcast.sys
2009-07-02 20:35 . 2008-10-24 11:10 453632 -c----w- c:\windows\system32\dllcache\mrxsmb.sys
2009-07-02 20:34 . 2008-06-11 08:58 2330624 -c----w- c:\windows\system32\dllcache\WMVCore.dll
2009-07-02 20:34 . 2008-05-01 14:30 331776 -c----w- c:\windows\system32\dllcache\msadce.dll
2009-07-02 20:34 . 2008-04-11 18:50 683520 -c----w- c:\windows\system32\dllcache\inetcomm.dll
2009-07-02 20:32 . 2008-10-03 10:15 247326 -c----w- c:\windows\system32\dllcache\strmdll.dll
2009-07-02 20:32 . 2008-10-15 16:57 332800 -c----w- c:\windows\system32\dllcache\netapi32.dll
2009-07-02 20:31 . 2008-09-04 16:42 1106944 -c----w- c:\windows\system32\dllcache\msxml3.dll
2009-07-02 20:30 . 2008-04-21 10:02 215552 -c----w- c:\windows\system32\dllcache\wordpad.exe
2009-07-02 20:27 . 2001-08-17 19:52 18688 -c--a-w- c:\windows\system32\dllcache\cdaudio.sys
2009-07-02 20:27 . 2001-08-17 19:52 18688 ----a-w- c:\windows\system32\drivers\cdaudio.sys
2009-07-02 06:37 . 2009-07-02 06:37 -------- d-----w- c:\documents and settings\Guest\Local Settings\Application Data\toaster
2009-06-28 19:52 . 2009-06-28 19:52 -------- d-----w- c:\documents and settings\sa\Local Settings\Application Data\ATI
2009-06-28 19:52 . 2009-06-28 19:52 -------- d-----w- c:\documents and settings\sa\Application Data\ATI
2009-06-28 19:52 . 2009-06-28 19:52 -------- d-----w- c:\documents and settings\All Users\Application Data\ATI
2009-06-28 19:50 . 2009-06-28 19:50 0 ----a-w- c:\windows\ativpsrm.bin
2009-06-28 19:43 . 2009-06-28 19:44 -------- d-----w- c:\program files\ATI Technologies
2009-06-28 19:42 . 2009-06-28 19:42 -------- d-----w- C:\ATI
2009-06-28 19:15 . 2009-06-28 19:24 -------- d-----w- c:\program files\SystemRequirementsLab
2009-06-28 19:15 . 2009-06-28 19:15 255488 ----a-w- c:\documents and settings\sa\Application Data\SystemRequirementsLab\SRLProxy_srl_4_0_0_4_d.dll
2009-06-28 19:15 . 2009-06-28 19:15 255488 ----a-w- c:\documents and settings\sa\Application Data\SystemRequirementsLab\SRLProxy_srl_4_0_0_4_c.dll
2009-06-28 19:15 . 2009-06-28 19:15 255488 ----a-w- c:\documents and settings\sa\Application Data\SystemRequirementsLab\SRLProxy_srl_4_0_0_4_b.dll
2009-06-28 19:15 . 2009-06-28 19:15 255488 ----a-w- c:\documents and settings\sa\Application Data\SystemRequirementsLab\SRLProxy_srl_4_0_0_4_a.dll
2009-06-28 19:15 . 2009-06-28 19:15 -------- d-----w- c:\documents and settings\sa\Application Data\SystemRequirementsLab
2009-06-28 18:55 . 2009-06-28 18:55 -------- d-----w- C:\Python26
2009-06-26 19:33 . 2009-06-26 19:33 -------- d-----w- c:\documents and settings\sa\Application Data\Corel
2009-06-26 18:40 . 2009-07-05 21:23 1 ----a-w- c:\documents and settings\sa\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2009-06-26 18:38 . 2009-06-26 18:38 -------- d-----w- c:\documents and settings\sa\Application Data\OpenOffice.org
2009-06-26 13:22 . 2009-06-26 13:22 -------- d-----w- c:\program files\JRE
2009-06-26 13:22 . 2009-06-26 13:22 -------- d-----w- c:\program files\OpenOffice.org 3
2009-06-26 08:05 . 2009-06-26 08:05 -------- d-----w- c:\documents and settings\All Users\Application Data\InstallShield
2009-06-26 08:05 . 2009-06-26 08:05 65536 ----a-r- c:\documents and settings\sa\Application Data\Microsoft\Installer\{F428D0FB-765D-40EB-BDD8-A1E7F5C597FA}\Shortcut0.C3A146F5_4B48_11D5_A819_00B0D0428C0C.exe
2009-06-26 08:05 . 2009-06-26 08:05 10134 ----a-r- c:\documents and settings\sa\Application Data\Microsoft\Installer\{F428D0FB-765D-40EB-BDD8-A1E7F5C597FA}\ARPPRODUCTICON.exe
2009-06-26 08:02 . 2009-06-26 08:02 -------- d-----w- c:\program files\Corel
2009-06-26 08:02 . 2009-06-26 08:02 -------- d-----w- c:\program files\Common Files\Corel
2009-06-26 08:02 . 2009-06-26 08:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Corel
2009-06-26 07:48 . 2009-06-26 17:52 -------- d-----w- c:\windows\SxsCaPendDel
2009-06-22 18:18 . 2009-06-22 18:18 -------- d-----w- c:\documents and settings\All Users\Application Data\Adobe Systems
2009-06-22 18:10 . 2009-06-22 18:10 -------- d-----w- c:\documents and settings\sa\Application Data\ZipGenius
2009-06-22 18:09 . 2009-06-22 18:09 -------- d-----w- c:\program files\ZipGenius 6
2009-06-22 18:08 . 2009-06-22 18:08 -------- d-----w- c:\documents and settings\sa\Local Settings\Application Data\TBlauhut
2009-06-22 18:08 . 2009-06-28 23:23 -------- d-----w- C:\StandAloneSoftware
2009-06-22 18:00 . 2009-06-26 13:20 -------- d-----w- c:\temp\TemporaryInstall
2009-06-22 16:45 . 2009-06-22 16:45 -------- d-----w- c:\program files\Common Files\Adobe Systems Shared
2009-06-22 16:42 . 2009-06-22 16:42 -------- d-----w- c:\windows\system32\Adobe
2009-06-22 16:42 . 2004-08-17 00:40 16384 ----a-w- c:\windows\system32\FileOps.exe
2009-06-22 04:30 . 2009-06-17 15:57 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-22 04:30 . 2009-06-22 04:30 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-22 04:30 . 2009-06-17 15:57 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-22 03:39 . 2009-06-22 03:39 -------- d-----w- c:\documents and settings\sa\Local Settings\Application Data\ESET
2009-06-22 02:59 . 2009-06-22 02:59 -------- d-----w- c:\documents and settings\sa\Application Data\ESET
2009-06-22 02:58 . 2009-06-22 02:58 -------- d-----w- c:\documents and settings\All Users\Application Data\ESET
2009-06-22 02:47 . 2009-06-22 02:47 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Google
2009-06-21 08:28 . 2009-06-21 08:28 -------- d-----w- c:\program files\Common Files\xing shared
2009-06-21 07:36 . 2009-06-27 01:01 -------- d-----w- c:\documents and settings\sa\Local Settings\Application Data\Adobe
2009-06-21 07:32 . 2009-06-26 12:09 -------- d-----w- c:\program files\Common Files\Adobe
2009-06-21 07:27 . 2009-06-21 07:27 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Google
2009-06-21 07:26 . 2008-11-20 19:19 9200 ------w- c:\windows\system32\drivers\cdralw2k.sys
2009-06-21 07:26 . 2008-11-20 19:19 9072 ------w- c:\windows\system32\drivers\cdr4_xp.sys
2009-06-21 07:26 . 2009-06-21 07:26 -------- d-----w- c:\windows\system32\IOSUBSYS
2009-06-21 07:23 . 2009-06-21 09:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-06-21 06:11 . 2009-06-21 22:20 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-06-20 23:39 . 2009-06-20 23:39 -------- d-----w- C:\N360_BACKUP
2009-06-20 22:37 . 2009-06-22 02:41 -------- d-----w- c:\documents and settings\All Users\Application Data\{7B6BA59A-FB0E-4499-8536-A7420338BF3B}
2009-06-20 22:16 . 2009-06-20 22:34 -------- d-----w- c:\documents and settings\sa\Application Data\GetRightToGo
2009-06-20 21:32 . 2009-06-20 21:39 -------- d-----w- c:\documents and settings\sa\DoctorWeb
2009-06-20 05:04 . 2009-07-07 19:41 369184 --sha-w- c:\windows\system32\drivers\fidbox2.dat
2009-06-20 05:04 . 2009-07-07 19:39 25145376 --sha-w- c:\windows\system32\drivers\fidbox.dat
2009-06-20 03:14 . 2009-06-20 22:37 -------- d-----w- c:\documents and settings\sa\Local Settings\Application Data\Downloaded Installations
2009-06-19 20:55 . 2009-06-19 20:55 -------- d-----w- c:\program files\MSSOAP
2009-06-19 20:54 . 2009-06-20 06:43 -------- d-----w- c:\documents and settings\sa\Application Data\Webroot
2009-06-19 20:53 . 2009-06-19 20:53 164 ----a-w- c:\windows\install.dat
2009-06-19 18:48 . 2009-06-28 12:26 -------- d-----w- c:\documents and settings\sa\.housecall6.6
2009-06-19 18:46 . 2009-06-19 18:46 -------- d-----w- c:\windows\Sun
2009-06-19 18:35 . 2009-06-19 18:35 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-06-19 18:35 . 2009-06-19 18:35 152576 ----a-w- c:\documents and settings\sa\Application Data\Sun\Java\jre1.6.0_14\lzma.dll
2009-06-19 09:02 . 2009-06-19 09:02 -------- d-----w- c:\program files\MSXML 4.0
2009-06-19 08:42 . 2009-07-05 04:44 -------- d-----w- c:\program files\Panda Security
2009-06-19 04:01 . 2009-06-19 04:01 -------- d-----w- c:\documents and settings\sa\Application Data\Malwarebytes
2009-06-19 04:01 . 2009-06-19 04:01 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-06-19 03:44 . 2009-06-19 03:44 -------- d-----w- c:\program files\CCleaner
2009-06-18 22:29 . 2009-06-18 22:29 -------- d-----w- c:\documents and settings\sa\Local Settings\Application Data\toaster
2009-06-18 22:27 . 2009-07-05 03:50 -------- d-----w- C:\Temporary
2009-06-18 22:06 . 2009-06-21 22:53 -------- d-----w- c:\windows\BDOSCAN8
2009-06-18 20:39 . 2009-06-18 20:39 -------- d-s---w- c:\documents and settings\sa\UserData
2009-06-13 04:46 . 2009-06-13 04:48 -------- d-----w- C:\DPS
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-07 19:36 . 2009-06-20 05:04 35588 --sha-w- c:\windows\system32\drivers\fidbox2.idx
2009-07-07 19:36 . 2009-06-20 05:04 337772 --sha-w- c:\windows\system32\drivers\fidbox.idx
2009-07-06 08:47 . 2006-06-19 04:25 64648 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-07-06 01:01 . 2008-12-31 04:03 -------- d-----w- c:\program files\Google
2009-07-05 01:21 . 2009-07-05 01:21 -------- d-----w- c:\program files\Broadcom
2009-07-05 01:21 . 2009-07-05 01:20 -------- d-----w- c:\program files\Wireless-N PCI Adapter
2009-07-05 01:20 . 2008-12-31 04:05 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-06-26 13:21 . 2008-12-31 04:14 -------- d-----w- c:\program files\Java
2009-06-26 08:05 . 2008-12-31 04:05 -------- d-----w- c:\program files\Common Files\InstallShield
2009-06-21 08:28 . 2008-12-31 04:32 -------- d-----w- c:\program files\Common Files\Real
2009-06-20 23:35 . 2009-06-02 03:47 -------- d-----w- c:\documents and settings\sa\Application Data\AOL
2009-06-20 22:36 . 2008-12-31 04:31 -------- d-----w- c:\program files\Pure Networks
2009-06-08 21:48 . 2009-03-21 13:22 402 ----a-w- c:\documents and settings\sa\Application Data\wklnhst.dat
2009-06-07 16:34 . 2009-02-19 03:21 -------- d-----w- c:\documents and settings\sa\Application Data\McAfee.com Personal Firewall
2009-06-04 22:08 . 2009-01-18 18:17 1024 ----a-w- c:\documents and settings\All Users\Application Data\BVRP Software\Motorola Phone Tools\faxres.cmd
2009-06-02 01:38 . 2009-06-02 01:30 -------- d-----w- c:\program files\Common Files\Knowledge Adventure
2009-06-02 01:33 . 2009-05-28 02:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Knowledge Adventure
2009-06-02 01:30 . 2009-06-02 01:30 -------- d-----w- c:\program files\JumpStart Spy Masters
2009-05-28 02:12 . 2009-05-28 02:12 -------- d-----w- c:\program files\JumpStart
2009-05-28 01:48 . 2009-05-28 01:30 -------- d-----w- c:\program files\Blaster
2009-05-28 01:07 . 2009-05-07 19:13 -------- d-----w- c:\program files\Disney Interactive
2009-05-28 00:38 . 2009-05-07 19:13 933 ----a-w- c:\windows\EReg515.dat
2009-05-28 00:37 . 2009-05-28 00:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Disney Interactive
2009-05-25 03:20 . 2009-05-25 03:18 -------- d-----w- c:\program files\InterActual
2009-05-22 22:48 . 2009-01-18 04:17 -------- d-----w- c:\program files\Avanquest update
2009-05-22 22:48 . 2009-01-18 18:23 -------- d-----w- c:\program files\Motorola Phone Tools
2009-05-22 19:02 . 2009-02-27 00:07 502 ----a-w- c:\documents and settings\milli\Application Data\wklnhst.dat
2009-05-16 22:35 . 2009-05-14 02:28 25600 ----a-w- c:\windows\system32\drivers\usbsermptxp.sys
2009-05-16 01:18 . 2009-05-14 02:28 9232 ----a-w- c:\documents and settings\milli\mqdmmdfl.sys
2009-05-16 01:18 . 2009-05-14 02:28 92064 ----a-w- c:\documents and settings\milli\mqdmmdm.sys
2009-05-16 01:18 . 2009-05-14 02:28 79328 ----a-w- c:\documents and settings\milli\mqdmserd.sys
2009-05-16 01:18 . 2009-05-14 02:28 66656 ----a-w- c:\documents and settings\milli\mqdmbus.sys
2009-05-16 01:18 . 2009-05-14 02:28 6208 ----a-w- c:\documents and settings\milli\mqdmcmnt.sys
2009-05-16 01:18 . 2009-05-14 02:28 5936 ----a-w- c:\documents and settings\milli\mqdmwhnt.sys
2009-05-16 01:18 . 2009-05-14 02:28 4048 ----a-w- c:\documents and settings\milli\mqdmcr.sys
2009-05-16 01:18 . 2009-05-14 02:28 25600 ----a-w- c:\documents and settings\milli\usbsermptxp.sys
2009-05-16 01:18 . 2009-05-14 02:28 22768 ----a-w- c:\documents and settings\milli\usbsermpt.sys
2009-05-15 23:44 . 2009-05-15 23:44 -------- d-----w- c:\documents and settings\milli\Application Data\Ulead Systems
2009-05-15 23:42 . 2009-05-15 23:40 -------- d-----w- c:\documents and settings\All Users\Application Data\Ulead Systems
2009-05-15 23:41 . 2009-05-15 23:41 -------- d-----w- c:\program files\Common Files\Ulead Systems
2009-05-15 23:41 . 2009-05-15 23:41 -------- d-----w- c:\program files\Ulead Systems
2009-05-15 22:52 . 2009-05-15 22:52 -------- d-----w- c:\documents and settings\Guest\Application Data\WildTangent
2009-05-07 15:44 . 2008-12-23 21:13 344064 ----a-w- c:\windows\system32\localspl.dll
2009-05-01 18:30 . 2009-05-01 18:30 3366912 ----a-w- c:\windows\system32\GPhotos.scr
2009-04-29 04:31 . 2006-06-17 09:23 668160 ----a-w- c:\windows\system32\wininet.dll
2009-04-29 04:31 . 2008-12-23 21:11 81920 ----a-w- c:\windows\system32\ieencode.dll
2009-04-17 09:58 . 2006-06-17 09:23 1846656 ----a-w- c:\windows\system32\win32k.sys
2009-04-15 15:11 . 2008-12-23 21:15 584192 ----a-w- c:\windows\system32\rpcrt4.dll
2009-04-15 03:12 . 2009-04-15 03:12 2134016 ----a-w- c:\windows\system32\python26.dll
.
((((((((((((((((((((((((((((( SnapShot@2009-07-07_08.43.32 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-07-07 19:38 . 2009-07-07 19:38 16384 c:\windows\temp\Perflib_Perfdata_738.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-06-14 20:37 1004800 ----a-w- c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-06-21 39408]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-10 15360]
"DeskSave"="c:\standalonesoftware\DeskSave8-SavesIconsPositions\DeskSave.exe" [2009-06-22 82944]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-07-06 1830128]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-06 64512]
"readericon"="c:\program files\Digital Media Reader\readericon45G.exe" [2005-12-10 139264]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-12-31 169984]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]
"Ulead AutoDetector"="c:\program files\Ulead Systems\Ulead Photo Explorer 8.0 SE\Monitor.exe" [2003-02-28 45056]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-12-31 98304]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-06-19 148888]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-06-21 185896]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2005-02-16 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-02-16 81920]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2009-02-25 61440]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2006-04-25 1273856]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-07-06 1948440]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2006-04-17 16143872]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Power2GoExpress"="NA" [X]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-10 15360]
c:\documents and settings\sa\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]
OpenOffice.org 3.1.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2009-4-16 384000]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
BigFix.lnk - c:\program files\BigFix\bigfix.exe [2008-12-31 2168360]
Install Pending Files.LNK - c:\program files\SIFXINST\SIFXINST.EXE [2008-12-31 729088]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 16:35 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-07-06 08:51 11952 ----a-w- c:\windows\system32\avgrsstx.dll
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [7/6/2009 4:21 AM 327688]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [7/6/2009 4:21 AM 108552]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [5/26/2009 10:05 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/26/2009 10:05 AM 72944]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [7/6/2009 4:20 AM 906520]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [7/6/2009 4:20 AM 298776]
R2 WMP300NSvc;WMP300NSvc;c:\program files\Wireless-N PCI Adapter\WLService.exe [7/4/2009 8:51 PM 53307]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [5/26/2009 10:05 AM 7408]
S2 gupdate1c9f241b04d102a;Servicio de actualización de Google (gupdate1c9f241b04d102a);c:\program files\Google\Update\GoogleUpdate.exe [6/21/2009 2:57 AM 133104]
--- Other Services/Drivers In Memory ---
*NewlyCreated* - GTNDIS5
.
Contents of the 'Scheduled Tasks' folder
2009-07-07 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-06-21 07:22]
2009-07-07 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-06-21 07:26]
2009-07-07 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-06-21 07:26]
2008-12-31 c:\windows\Tasks\ISP signup reminder 2.job
- c:\windows\system32\OOBE\oobebaln.exe [2008-12-23 19:00]
2008-12-31 c:\windows\Tasks\ISP signup reminder 3.job
- c:\windows\system32\OOBE\oobebaln.exe [2008-12-23 19:00]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
FF - ProfilePath - c:\documents and settings\sa\Application Data\Mozilla\Firefox\Profiles\9ah900kr.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - prefs.js: keyword.URL - hxxp://us.yhs.search.yahoo.com/avg/search?fr=yhs-avg&type=yahoo_avg_hs2-tb-web_us&p=
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\xpavgtbapi.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1601.7122\npCIDetect13.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Google\Update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-07 15:09
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(620)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\Ati2evxx.dll
- - - - - - - > 'explorer.exe'(2508)
c:\windows\system32\msi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\windows\system32\WLTRYSVC.EXE
c:\windows\system32\BCMWLTRY.EXE
c:\windows\ehome\ehrecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
c:\program files\Wireless-N PCI Adapter\WMP300N.exe
c:\windows\ehome\mcrdsvc.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\dllhost.exe
c:\windows\ehome\ehmsas.exe
c:\program files\Google\Google Desktop Search\GoogleDesktopIndex.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
c:\program files\OpenOffice.org 3\program\soffice.exe
c:\program files\OpenOffice.org 3\program\soffice.bin
c:\program files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
.
**************************************************************************
.
Completion time: 2009-07-07 15:18 - machine was rebooted
ComboFix-quarantined-files.txt 2009-07-07 19:48
ComboFix2.txt 2009-07-07 08:46
Pre-Run: 95,998,414,848 bytes free
Post-Run: 95,969,251,328 bytes free
383 --- E O F --- 2009-07-04 20:44
ComboFix 09-07-07.03 - sa 07/07/2009 14:59.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.446.139 [GMT -4.5:30]
Running from: c:\documents and settings\sa\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\sa\Desktop\CFscript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FILE ::
"c:\windows\AhnRpta.exe"
"c:\windows\c.exe"
"c:\windows\system32\e8main0.dll"
.
((((((((((((((((((((((((( Files Created from 2009-06-07 to 2009-07-07 )))))))))))))))))))))))))))))))
.
2009-07-06 09:39 . 2009-07-07 04:40 -------- d--h--w- C:\$AVG8.VAULT$
2009-07-06 09:28 . 2009-07-06 08:51 2052888 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgcorex.dll
2009-07-06 09:10 . 2009-07-07 19:39 117760 ----a-w- c:\documents and settings\sa\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-07-06 09:09 . 2009-07-06 09:09 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-07-06 09:09 . 2009-07-06 09:13 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-07-06 09:09 . 2009-07-06 09:09 -------- d-----w- c:\documents and settings\sa\Application Data\SUPERAntiSpyware.com
2009-07-06 09:08 . 2009-07-06 09:08 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-07-06 08:55 . 2009-07-06 08:55 -------- d-----w- c:\documents and settings\sa\Local Settings\Application Data\AVG Security Toolbar
2009-07-06 08:51 . 2009-07-06 08:51 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-07-06 08:51 . 2009-07-06 08:51 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-07-06 08:51 . 2009-07-06 08:51 327688 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-07-06 08:51 . 2009-07-06 08:51 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-07-06 08:51 . 2009-07-07 16:35 -------- d-----w- c:\windows\system32\drivers\Avg
2009-07-06 08:51 . 2009-07-06 08:51 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar
2009-07-06 08:50 . 2009-07-06 08:50 -------- d-----w- c:\program files\AVG
2009-07-06 08:50 . 2009-07-06 08:50 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-07-05 22:29 . 2009-07-05 22:29 -------- d-----w- c:\documents and settings\sa\Local Settings\Application Data\Mozilla
2009-07-04 21:56 . 2009-07-04 22:03 -------- d-----w- c:\documents and settings\sa\Application Data\gtk-2.0
2009-07-04 20:42 . 2009-07-04 20:42 -------- d-----w- c:\documents and settings\sa\.thumbnails
2009-07-04 20:10 . 2009-07-04 22:51 -------- d-----w- c:\documents and settings\sa\.gimp-2.6
2009-07-04 20:09 . 2009-07-04 20:10 -------- d-----w- c:\documents and settings\sa\.gegl-0.0
2009-07-04 20:08 . 2009-07-04 20:08 -------- d-----w- c:\program files\GIMP-2.0
2009-07-04 16:10 . 2009-07-04 16:10 -------- d-----w- c:\documents and settings\All Users\Application Data\Magix
2009-07-04 16:10 . 2009-07-04 16:10 -------- d-----w- c:\documents and settings\sa\Application Data\MAGIX
2009-07-04 16:10 . 2009-07-04 16:10 -------- d-----w- c:\documents and settings\sa\Local Settings\Application Data\Xara
2009-07-04 16:09 . 2009-07-04 16:09 -------- d-----w- c:\program files\Xara
2009-07-04 16:09 . 2009-07-04 16:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Xara
2009-07-04 04:52 . 2009-07-04 04:52 686080 ----a-w- c:\documents and settings\sa\Application Data\OpenOffice.org\3\user\uno_packages\cache\uno_packages\A6.tmp_\sun-pdfimport.oxt\pdfimport.uno.dll
2009-07-04 04:52 . 2009-07-04 04:52 568832 ----a-w- c:\documents and settings\sa\Application Data\OpenOffice.org\3\user\uno_packages\cache\uno_packages\A6.tmp_\sun-pdfimport.oxt\msvcp90.dll
2009-07-04 04:52 . 2009-07-04 04:52 655872 ----a-w- c:\documents and settings\sa\Application Data\OpenOffice.org\3\user\uno_packages\cache\uno_packages\A6.tmp_\sun-pdfimport.oxt\msvcr90.dll
2009-07-04 04:52 . 2009-07-04 04:52 583168 ----a-w- c:\documents and settings\sa\Application Data\OpenOffice.org\3\user\uno_packages\cache\uno_packages\A6.tmp_\sun-pdfimport.oxt\xpdfimport.exe
2009-07-04 04:52 . 2009-07-04 04:52 224768 ----a-w- c:\documents and settings\sa\Application Data\OpenOffice.org\3\user\uno_packages\cache\uno_packages\A6.tmp_\sun-pdfimport.oxt\msvcm90.dll
2009-07-03 04:52 . 2009-07-03 04:52 -------- d-----w- c:\documents and settings\sa\Local Settings\Application Data\Identities
2009-07-02 21:57 . 2009-07-02 21:57 -------- d-s---w- c:\documents and settings\milli\UserData
2009-07-02 20:42 . 2009-07-02 21:07 -------- d-----w- c:\windows\system32\CatRoot_bak
2009-07-02 20:40 . 2008-06-13 13:10 272128 -c----w- c:\windows\system32\dllcache\bthport.sys
2009-07-02 20:40 . 2008-06-13 13:10 272128 ------w- c:\windows\system32\drivers\bthport.sys
2009-07-02 20:35 . 2008-05-08 12:28 202752 -c----w- c:\windows\system32\dllcache\rmcast.sys
2009-07-02 20:35 . 2008-10-24 11:10 453632 -c----w- c:\windows\system32\dllcache\mrxsmb.sys
2009-07-02 20:34 . 2008-06-11 08:58 2330624 -c----w- c:\windows\system32\dllcache\WMVCore.dll
2009-07-02 20:34 . 2008-05-01 14:30 331776 -c----w- c:\windows\system32\dllcache\msadce.dll
2009-07-02 20:34 . 2008-04-11 18:50 683520 -c----w- c:\windows\system32\dllcache\inetcomm.dll
2009-07-02 20:32 . 2008-10-03 10:15 247326 -c----w- c:\windows\system32\dllcache\strmdll.dll
2009-07-02 20:32 . 2008-10-15 16:57 332800 -c----w- c:\windows\system32\dllcache\netapi32.dll
2009-07-02 20:31 . 2008-09-04 16:42 1106944 -c----w- c:\windows\system32\dllcache\msxml3.dll
2009-07-02 20:30 . 2008-04-21 10:02 215552 -c----w- c:\windows\system32\dllcache\wordpad.exe
2009-07-02 20:27 . 2001-08-17 19:52 18688 -c--a-w- c:\windows\system32\dllcache\cdaudio.sys
2009-07-02 20:27 . 2001-08-17 19:52 18688 ----a-w- c:\windows\system32\drivers\cdaudio.sys
2009-07-02 06:37 . 2009-07-02 06:37 -------- d-----w- c:\documents and settings\Guest\Local Settings\Application Data\toaster
2009-06-28 19:52 . 2009-06-28 19:52 -------- d-----w- c:\documents and settings\sa\Local Settings\Application Data\ATI
2009-06-28 19:52 . 2009-06-28 19:52 -------- d-----w- c:\documents and settings\sa\Application Data\ATI
2009-06-28 19:52 . 2009-06-28 19:52 -------- d-----w- c:\documents and settings\All Users\Application Data\ATI
2009-06-28 19:50 . 2009-06-28 19:50 0 ----a-w- c:\windows\ativpsrm.bin
2009-06-28 19:43 . 2009-06-28 19:44 -------- d-----w- c:\program files\ATI Technologies
2009-06-28 19:42 . 2009-06-28 19:42 -------- d-----w- C:\ATI
2009-06-28 19:15 . 2009-06-28 19:24 -------- d-----w- c:\program files\SystemRequirementsLab
2009-06-28 19:15 . 2009-06-28 19:15 255488 ----a-w- c:\documents and settings\sa\Application Data\SystemRequirementsLab\SRLProxy_srl_4_0_0_4_d.dll
2009-06-28 19:15 . 2009-06-28 19:15 255488 ----a-w- c:\documents and settings\sa\Application Data\SystemRequirementsLab\SRLProxy_srl_4_0_0_4_c.dll
2009-06-28 19:15 . 2009-06-28 19:15 255488 ----a-w- c:\documents and settings\sa\Application Data\SystemRequirementsLab\SRLProxy_srl_4_0_0_4_b.dll
2009-06-28 19:15 . 2009-06-28 19:15 255488 ----a-w- c:\documents and settings\sa\Application Data\SystemRequirementsLab\SRLProxy_srl_4_0_0_4_a.dll
2009-06-28 19:15 . 2009-06-28 19:15 -------- d-----w- c:\documents and settings\sa\Application Data\SystemRequirementsLab
2009-06-28 18:55 . 2009-06-28 18:55 -------- d-----w- C:\Python26
2009-06-26 19:33 . 2009-06-26 19:33 -------- d-----w- c:\documents and settings\sa\Application Data\Corel
2009-06-26 18:40 . 2009-07-05 21:23 1 ----a-w- c:\documents and settings\sa\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2009-06-26 18:38 . 2009-06-26 18:38 -------- d-----w- c:\documents and settings\sa\Application Data\OpenOffice.org
2009-06-26 13:22 . 2009-06-26 13:22 -------- d-----w- c:\program files\JRE
2009-06-26 13:22 . 2009-06-26 13:22 -------- d-----w- c:\program files\OpenOffice.org 3
2009-06-26 08:05 . 2009-06-26 08:05 -------- d-----w- c:\documents and settings\All Users\Application Data\InstallShield
2009-06-26 08:05 . 2009-06-26 08:05 65536 ----a-r- c:\documents and settings\sa\Application Data\Microsoft\Installer\{F428D0FB-765D-40EB-BDD8-A1E7F5C597FA}\Shortcut0.C3A146F5_4B48_11D5_A819_00B0D0428C0C.exe
2009-06-26 08:05 . 2009-06-26 08:05 10134 ----a-r- c:\documents and settings\sa\Application Data\Microsoft\Installer\{F428D0FB-765D-40EB-BDD8-A1E7F5C597FA}\ARPPRODUCTICON.exe
2009-06-26 08:02 . 2009-06-26 08:02 -------- d-----w- c:\program files\Corel
2009-06-26 08:02 . 2009-06-26 08:02 -------- d-----w- c:\program files\Common Files\Corel
2009-06-26 08:02 . 2009-06-26 08:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Corel
2009-06-26 07:48 . 2009-06-26 17:52 -------- d-----w- c:\windows\SxsCaPendDel
2009-06-22 18:18 . 2009-06-22 18:18 -------- d-----w- c:\documents and settings\All Users\Application Data\Adobe Systems
2009-06-22 18:10 . 2009-06-22 18:10 -------- d-----w- c:\documents and settings\sa\Application Data\ZipGenius
2009-06-22 18:09 . 2009-06-22 18:09 -------- d-----w- c:\program files\ZipGenius 6
2009-06-22 18:08 . 2009-06-22 18:08 -------- d-----w- c:\documents and settings\sa\Local Settings\Application Data\TBlauhut
2009-06-22 18:08 . 2009-06-28 23:23 -------- d-----w- C:\StandAloneSoftware
2009-06-22 18:00 . 2009-06-26 13:20 -------- d-----w- c:\temp\TemporaryInstall
2009-06-22 16:45 . 2009-06-22 16:45 -------- d-----w- c:\program files\Common Files\Adobe Systems Shared
2009-06-22 16:42 . 2009-06-22 16:42 -------- d-----w- c:\windows\system32\Adobe
2009-06-22 16:42 . 2004-08-17 00:40 16384 ----a-w- c:\windows\system32\FileOps.exe
2009-06-22 04:30 . 2009-06-17 15:57 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-22 04:30 . 2009-06-22 04:30 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-22 04:30 . 2009-06-17 15:57 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-22 03:39 . 2009-06-22 03:39 -------- d-----w- c:\documents and settings\sa\Local Settings\Application Data\ESET
2009-06-22 02:59 . 2009-06-22 02:59 -------- d-----w- c:\documents and settings\sa\Application Data\ESET
2009-06-22 02:58 . 2009-06-22 02:58 -------- d-----w- c:\documents and settings\All Users\Application Data\ESET
2009-06-22 02:47 . 2009-06-22 02:47 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Google
2009-06-21 08:28 . 2009-06-21 08:28 -------- d-----w- c:\program files\Common Files\xing shared
2009-06-21 07:36 . 2009-06-27 01:01 -------- d-----w- c:\documents and settings\sa\Local Settings\Application Data\Adobe
2009-06-21 07:32 . 2009-06-26 12:09 -------- d-----w- c:\program files\Common Files\Adobe
2009-06-21 07:27 . 2009-06-21 07:27 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Google
2009-06-21 07:26 . 2008-11-20 19:19 9200 ------w- c:\windows\system32\drivers\cdralw2k.sys
2009-06-21 07:26 . 2008-11-20 19:19 9072 ------w- c:\windows\system32\drivers\cdr4_xp.sys
2009-06-21 07:26 . 2009-06-21 07:26 -------- d-----w- c:\windows\system32\IOSUBSYS
2009-06-21 07:23 . 2009-06-21 09:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-06-21 06:11 . 2009-06-21 22:20 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-06-20 23:39 . 2009-06-20 23:39 -------- d-----w- C:\N360_BACKUP
2009-06-20 22:37 . 2009-06-22 02:41 -------- d-----w- c:\documents and settings\All Users\Application Data\{7B6BA59A-FB0E-4499-8536-A7420338BF3B}
2009-06-20 22:16 . 2009-06-20 22:34 -------- d-----w- c:\documents and settings\sa\Application Data\GetRightToGo
2009-06-20 21:32 . 2009-06-20 21:39 -------- d-----w- c:\documents and settings\sa\DoctorWeb
2009-06-20 05:04 . 2009-07-07 19:41 369184 --sha-w- c:\windows\system32\drivers\fidbox2.dat
2009-06-20 05:04 . 2009-07-07 19:39 25145376 --sha-w- c:\windows\system32\drivers\fidbox.dat
2009-06-20 03:14 . 2009-06-20 22:37 -------- d-----w- c:\documents and settings\sa\Local Settings\Application Data\Downloaded Installations
2009-06-19 20:55 . 2009-06-19 20:55 -------- d-----w- c:\program files\MSSOAP
2009-06-19 20:54 . 2009-06-20 06:43 -------- d-----w- c:\documents and settings\sa\Application Data\Webroot
2009-06-19 20:53 . 2009-06-19 20:53 164 ----a-w- c:\windows\install.dat
2009-06-19 18:48 . 2009-06-28 12:26 -------- d-----w- c:\documents and settings\sa\.housecall6.6
2009-06-19 18:46 . 2009-06-19 18:46 -------- d-----w- c:\windows\Sun
2009-06-19 18:35 . 2009-06-19 18:35 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-06-19 18:35 . 2009-06-19 18:35 152576 ----a-w- c:\documents and settings\sa\Application Data\Sun\Java\jre1.6.0_14\lzma.dll
2009-06-19 09:02 . 2009-06-19 09:02 -------- d-----w- c:\program files\MSXML 4.0
2009-06-19 08:42 . 2009-07-05 04:44 -------- d-----w- c:\program files\Panda Security
2009-06-19 04:01 . 2009-06-19 04:01 -------- d-----w- c:\documents and settings\sa\Application Data\Malwarebytes
2009-06-19 04:01 . 2009-06-19 04:01 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-06-19 03:44 . 2009-06-19 03:44 -------- d-----w- c:\program files\CCleaner
2009-06-18 22:29 . 2009-06-18 22:29 -------- d-----w- c:\documents and settings\sa\Local Settings\Application Data\toaster
2009-06-18 22:27 . 2009-07-05 03:50 -------- d-----w- C:\Temporary
2009-06-18 22:06 . 2009-06-21 22:53 -------- d-----w- c:\windows\BDOSCAN8
2009-06-18 20:39 . 2009-06-18 20:39 -------- d-s---w- c:\documents and settings\sa\UserData
2009-06-13 04:46 . 2009-06-13 04:48 -------- d-----w- C:\DPS
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-07 19:36 . 2009-06-20 05:04 35588 --sha-w- c:\windows\system32\drivers\fidbox2.idx
2009-07-07 19:36 . 2009-06-20 05:04 337772 --sha-w- c:\windows\system32\drivers\fidbox.idx
2009-07-06 08:47 . 2006-06-19 04:25 64648 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-07-06 01:01 . 2008-12-31 04:03 -------- d-----w- c:\program files\Google
2009-07-05 01:21 . 2009-07-05 01:21 -------- d-----w- c:\program files\Broadcom
2009-07-05 01:21 . 2009-07-05 01:20 -------- d-----w- c:\program files\Wireless-N PCI Adapter
2009-07-05 01:20 . 2008-12-31 04:05 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-06-26 13:21 . 2008-12-31 04:14 -------- d-----w- c:\program files\Java
2009-06-26 08:05 . 2008-12-31 04:05 -------- d-----w- c:\program files\Common Files\InstallShield
2009-06-21 08:28 . 2008-12-31 04:32 -------- d-----w- c:\program files\Common Files\Real
2009-06-20 23:35 . 2009-06-02 03:47 -------- d-----w- c:\documents and settings\sa\Application Data\AOL
2009-06-20 22:36 . 2008-12-31 04:31 -------- d-----w- c:\program files\Pure Networks
2009-06-08 21:48 . 2009-03-21 13:22 402 ----a-w- c:\documents and settings\sa\Application Data\wklnhst.dat
2009-06-07 16:34 . 2009-02-19 03:21 -------- d-----w- c:\documents and settings\sa\Application Data\McAfee.com Personal Firewall
2009-06-04 22:08 . 2009-01-18 18:17 1024 ----a-w- c:\documents and settings\All Users\Application Data\BVRP Software\Motorola Phone Tools\faxres.cmd
2009-06-02 01:38 . 2009-06-02 01:30 -------- d-----w- c:\program files\Common Files\Knowledge Adventure
2009-06-02 01:33 . 2009-05-28 02:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Knowledge Adventure
2009-06-02 01:30 . 2009-06-02 01:30 -------- d-----w- c:\program files\JumpStart Spy Masters
2009-05-28 02:12 . 2009-05-28 02:12 -------- d-----w- c:\program files\JumpStart
2009-05-28 01:48 . 2009-05-28 01:30 -------- d-----w- c:\program files\Blaster
2009-05-28 01:07 . 2009-05-07 19:13 -------- d-----w- c:\program files\Disney Interactive
2009-05-28 00:38 . 2009-05-07 19:13 933 ----a-w- c:\windows\EReg515.dat
2009-05-28 00:37 . 2009-05-28 00:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Disney Interactive
2009-05-25 03:20 . 2009-05-25 03:18 -------- d-----w- c:\program files\InterActual
2009-05-22 22:48 . 2009-01-18 04:17 -------- d-----w- c:\program files\Avanquest update
2009-05-22 22:48 . 2009-01-18 18:23 -------- d-----w- c:\program files\Motorola Phone Tools
2009-05-22 19:02 . 2009-02-27 00:07 502 ----a-w- c:\documents and settings\milli\Application Data\wklnhst.dat
2009-05-16 22:35 . 2009-05-14 02:28 25600 ----a-w- c:\windows\system32\drivers\usbsermptxp.sys
2009-05-16 01:18 . 2009-05-14 02:28 9232 ----a-w- c:\documents and settings\milli\mqdmmdfl.sys
2009-05-16 01:18 . 2009-05-14 02:28 92064 ----a-w- c:\documents and settings\milli\mqdmmdm.sys
2009-05-16 01:18 . 2009-05-14 02:28 79328 ----a-w- c:\documents and settings\milli\mqdmserd.sys
2009-05-16 01:18 . 2009-05-14 02:28 66656 ----a-w- c:\documents and settings\milli\mqdmbus.sys
2009-05-16 01:18 . 2009-05-14 02:28 6208 ----a-w- c:\documents and settings\milli\mqdmcmnt.sys
2009-05-16 01:18 . 2009-05-14 02:28 5936 ----a-w- c:\documents and settings\milli\mqdmwhnt.sys
2009-05-16 01:18 . 2009-05-14 02:28 4048 ----a-w- c:\documents and settings\milli\mqdmcr.sys
2009-05-16 01:18 . 2009-05-14 02:28 25600 ----a-w- c:\documents and settings\milli\usbsermptxp.sys
2009-05-16 01:18 . 2009-05-14 02:28 22768 ----a-w- c:\documents and settings\milli\usbsermpt.sys
2009-05-15 23:44 . 2009-05-15 23:44 -------- d-----w- c:\documents and settings\milli\Application Data\Ulead Systems
2009-05-15 23:42 . 2009-05-15 23:40 -------- d-----w- c:\documents and settings\All Users\Application Data\Ulead Systems
2009-05-15 23:41 . 2009-05-15 23:41 -------- d-----w- c:\program files\Common Files\Ulead Systems
2009-05-15 23:41 . 2009-05-15 23:41 -------- d-----w- c:\program files\Ulead Systems
2009-05-15 22:52 . 2009-05-15 22:52 -------- d-----w- c:\documents and settings\Guest\Application Data\WildTangent
2009-05-07 15:44 . 2008-12-23 21:13 344064 ----a-w- c:\windows\system32\localspl.dll
2009-05-01 18:30 . 2009-05-01 18:30 3366912 ----a-w- c:\windows\system32\GPhotos.scr
2009-04-29 04:31 . 2006-06-17 09:23 668160 ----a-w- c:\windows\system32\wininet.dll
2009-04-29 04:31 . 2008-12-23 21:11 81920 ----a-w- c:\windows\system32\ieencode.dll
2009-04-17 09:58 . 2006-06-17 09:23 1846656 ----a-w- c:\windows\system32\win32k.sys
2009-04-15 15:11 . 2008-12-23 21:15 584192 ----a-w- c:\windows\system32\rpcrt4.dll
2009-04-15 03:12 . 2009-04-15 03:12 2134016 ----a-w- c:\windows\system32\python26.dll
.
((((((((((((((((((((((((((((( SnapShot@2009-07-07_08.43.32 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-07-07 19:38 . 2009-07-07 19:38 16384 c:\windows\temp\Perflib_Perfdata_738.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-06-14 20:37 1004800 ----a-w- c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-06-21 39408]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-10 15360]
"DeskSave"="c:\standalonesoftware\DeskSave8-SavesIconsPositions\DeskSave.exe" [2009-06-22 82944]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-07-06 1830128]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-06 64512]
"readericon"="c:\program files\Digital Media Reader\readericon45G.exe" [2005-12-10 139264]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-12-31 169984]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]
"Ulead AutoDetector"="c:\program files\Ulead Systems\Ulead Photo Explorer 8.0 SE\Monitor.exe" [2003-02-28 45056]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-12-31 98304]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-06-19 148888]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-06-21 185896]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2005-02-16 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-02-16 81920]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2009-02-25 61440]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2006-04-25 1273856]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-07-06 1948440]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2006-04-17 16143872]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Power2GoExpress"="NA" [X]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-10 15360]
c:\documents and settings\sa\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]
OpenOffice.org 3.1.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2009-4-16 384000]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
BigFix.lnk - c:\program files\BigFix\bigfix.exe [2008-12-31 2168360]
Install Pending Files.LNK - c:\program files\SIFXINST\SIFXINST.EXE [2008-12-31 729088]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 16:35 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-07-06 08:51 11952 ----a-w- c:\windows\system32\avgrsstx.dll
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [7/6/2009 4:21 AM 327688]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [7/6/2009 4:21 AM 108552]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [5/26/2009 10:05 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/26/2009 10:05 AM 72944]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [7/6/2009 4:20 AM 906520]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [7/6/2009 4:20 AM 298776]
R2 WMP300NSvc;WMP300NSvc;c:\program files\Wireless-N PCI Adapter\WLService.exe [7/4/2009 8:51 PM 53307]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [5/26/2009 10:05 AM 7408]
S2 gupdate1c9f241b04d102a;Servicio de actualización de Google (gupdate1c9f241b04d102a);c:\program files\Google\Update\GoogleUpdate.exe [6/21/2009 2:57 AM 133104]
--- Other Services/Drivers In Memory ---
*NewlyCreated* - GTNDIS5
.
Contents of the 'Scheduled Tasks' folder
2009-07-07 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-06-21 07:22]
2009-07-07 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-06-21 07:26]
2009-07-07 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-06-21 07:26]
2008-12-31 c:\windows\Tasks\ISP signup reminder 2.job
- c:\windows\system32\OOBE\oobebaln.exe [2008-12-23 19:00]
2008-12-31 c:\windows\Tasks\ISP signup reminder 3.job
- c:\windows\system32\OOBE\oobebaln.exe [2008-12-23 19:00]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
FF - ProfilePath - c:\documents and settings\sa\Application Data\Mozilla\Firefox\Profiles\9ah900kr.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - prefs.js: keyword.URL - hxxp://us.yhs.search.yahoo.com/avg/search?fr=yhs-avg&type=yahoo_avg_hs2-tb-web_us&p=
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\xpavgtbapi.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1601.7122\npCIDetect13.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Google\Update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-07 15:09
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(620)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\Ati2evxx.dll
- - - - - - - > 'explorer.exe'(2508)
c:\windows\system32\msi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\windows\system32\WLTRYSVC.EXE
c:\windows\system32\BCMWLTRY.EXE
c:\windows\ehome\ehrecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
c:\program files\Wireless-N PCI Adapter\WMP300N.exe
c:\windows\ehome\mcrdsvc.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\dllhost.exe
c:\windows\ehome\ehmsas.exe
c:\program files\Google\Google Desktop Search\GoogleDesktopIndex.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
c:\program files\OpenOffice.org 3\program\soffice.exe
c:\program files\OpenOffice.org 3\program\soffice.bin
c:\program files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
.
**************************************************************************
.
Completion time: 2009-07-07 15:18 - machine was rebooted
ComboFix-quarantined-files.txt 2009-07-07 19:48
ComboFix2.txt 2009-07-07 08:46
Pre-Run: 95,998,414,848 bytes free
Post-Run: 95,969,251,328 bytes free
383 --- E O F --- 2009-07-04 20:44
#9
Posted 07 July 2009 - 10:09 PM
I completed the second step by your instructions. I already had CCleaner installed on this machine but I upgraded it and ran the process exactly as specified. I checked the registry and now I see the two keys (without anything beneath) but their names are slightly different, they are written like this:
{BB4C402F-882A-4526-8C08-5127vvv8EA437C1}
I noticed the three vvv's in the middle of their names. Is this normal?
#10
Posted 07 July 2009 - 11:52 PM
No, that is not normal. Yes, go ahead and see if you can remove those keys. You might have to check permissions and on the advanced area take back OWNERSHIP for Administrators and then set Everyone to FULL access to delete them.
Then go ahead and update and run a new SAS and MBAM scan and post back the results. The Combofix script did not seem to remove anything, so if there is still something there we'll need to run some other tools to track it down.
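The ownership-and-permissions sequence in the reply above, written out as a PowerShell script. This is an added example for this page, not something posted in the thread. It assumes an administrator account and that PowerShell 2.0 or later is installed (XP SP2 did not ship with it). The CLSID is the one from this thread; the -Remove switch, the Show-ClsidKey and Unlock-Key functions and their output format are this example's own. It grants Full Control to Administrators rather than Everyone, which is enough to delete the key, and it unlocks subkeys such as InprocServer32 first, because a subkey that cannot be opened stops the parent from being deleted (the "Error while deleting the key" seen in regedit). Without -Remove it only reports what it finds.

```powershell
# Added example (not from the thread): inspect the reported CLSID key and, with
# -Remove, force-delete it: take ownership as Administrators, grant Full
# Control, unlock subkeys, delete, then verify. Run as an administrator.
param(
    [string]$Clsid = '{BB4C402F-882A-4526-8C08-51278EA437C1}',  # CLSID from the thread
    [switch]$Remove
)
$ErrorActionPreference = 'Stop'

# HKCR\CLSID is a merged view of HKLM\Software\Classes\CLSID and
# HKCU\Software\Classes\CLSID (the per-user copy wins), so the two paths in the
# SAS log are one key. HKCU is checked as well, since a per-user copy would
# shadow a cleaned machine-wide one.
$roots = @(
    @{ Hive = [Microsoft.Win32.Registry]::LocalMachine; Sub = "Software\Classes\CLSID\$Clsid" },
    @{ Hive = [Microsoft.Win32.Registry]::CurrentUser;  Sub = "Software\Classes\CLSID\$Clsid" }
)
$Admins = New-Object System.Security.Principal.NTAccount('BUILTIN\Administrators')

function Show-ClsidKey($hive, $sub) {
    # Returns $true if the key exists (readable or not), $false if it is absent.
    try { $key = $hive.OpenSubKey($sub, $false) }
    catch { Write-Host "$($hive.Name)\$sub : present but cannot be opened ($($_.Exception.Message))"; return $true }
    if ($null -eq $key) { Write-Host "$($hive.Name)\$sub : not present"; return $false }
    Write-Host "$($hive.Name)\$sub : present"
    try {
        $acl = $key.GetAccessControl()
        Write-Host "  owner: $($acl.GetOwner([System.Security.Principal.NTAccount]))"
        foreach ($ace in $acl.GetAccessRules($true, $true, [System.Security.Principal.NTAccount])) {
            Write-Host ("  {0,-5} {1,-28} {2}" -f $ace.AccessControlType, $ace.IdentityReference, $ace.RegistryRights)
        }
    } catch { Write-Host "  ACL unreadable: $($_.Exception.Message)" }
    try {
        # InprocServer32's default value is the DLL COM will load for this CLSID.
        $srv = $key.OpenSubKey('InprocServer32', $false)
        if ($srv) {
            $dll = [string]$srv.GetValue('')
            $onDisk = ($dll -ne '') -and (Test-Path ([Environment]::ExpandEnvironmentVariables($dll)))
            Write-Host "  InprocServer32 = '$dll' (file on disk: $onDisk)"
            $srv.Close()
        } else { Write-Host "  InprocServer32: absent" }
    } catch { Write-Host "  InprocServer32: cannot open ($($_.Exception.Message))" }
    $key.Close()
    return $true
}

function Unlock-Key($hive, $sub) {
    # Step 1: take ownership. Only WRITE_OWNER access is requested, which an
    # administrator gets even when the DACL denies everything else; making a
    # group the caller belongs to the owner needs no extra privilege.
    $k = $hive.OpenSubKey($sub, [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree,
                          [System.Security.AccessControl.RegistryRights]::TakeOwnership)
    $sec = New-Object System.Security.AccessControl.RegistrySecurity
    $sec.SetOwner($Admins)
    $k.SetAccessControl($sec)   # only the owner was modified, so only the owner is written
    $k.Close()

    # Step 2: the owner may always rewrite the DACL. A fresh descriptor with one
    # Full Control ACE replaces whatever deny entries locked the key; that is
    # fine here because the key is about to be deleted anyway.
    $k = $hive.OpenSubKey($sub, [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree,
                          [System.Security.AccessControl.RegistryRights]::ChangePermissions)
    $sec = New-Object System.Security.AccessControl.RegistrySecurity
    $sec.SetAccessRule((New-Object System.Security.AccessControl.RegistryAccessRule(
        $Admins,
        [System.Security.AccessControl.RegistryRights]::FullControl,
        [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)))
    $k.SetAccessControl($sec)
    $k.Close()

    # Step 3: subkeys carry their own ACLs (InprocServer32 in this thread), so
    # unlock them too or DeleteSubKeyTree fails just as regedit did.
    $k = $hive.OpenSubKey($sub, $true)
    foreach ($name in $k.GetSubKeyNames()) { Unlock-Key $hive "$sub\$name" }
    $k.Close()
}

foreach ($r in $roots) {
    if ((Show-ClsidKey $r.Hive $r.Sub) -and $Remove) {
        Unlock-Key $r.Hive $r.Sub
        $parent = $r.Hive.OpenSubKey((Split-Path $r.Sub -Parent), $true)
        $parent.DeleteSubKeyTree((Split-Path $r.Sub -Leaf))
        $parent.Close()
        # Verify: the key must be gone now and must stay gone after a reboot,
        # otherwise something still running is recreating it.
        $gone = ($null -eq $r.Hive.OpenSubKey($r.Sub, $false))
        Write-Host "  deleted: $gone"
    }
}
```

Run it once without -Remove to see the owner, the ACEs and the DLL the key points at, then with -Remove. If the key reappears after a reboot, the ACL was only a symptom and whatever writes the key is still active, which is the situation the rest of this thread deals with.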
#11
Posted 09 July 2009 - 03:02 AM
No, you are wrong, it did work. I think that the things that the script erased were holding those keys in place; even if the keys didn't disappear in one pass, after the process those two keys lifted right away when I deleted them manually and they didn't come back. One of the keys did still behave a little badly when I clicked on it, it gave me an "error trying to open the key" or something like that, but I right-clicked it and selected delete and it went away forever. I ran SUPERAntiSpyware and Malwarebytes at full system scan and the results came back as zero:
SUPERAntiSpyware Scan Log
http://www.superantispyware.com
Generated 07/08/2009 at 07:02 PM
Application Version : 4.26.1006
Core Rules Database Version : 3979
Trace Rules Database Version: 1919
Scan type : Complete Scan
Total Scan Time : 00:51:35
Memory items scanned : 826
Memory threats detected : 0
Registry items scanned : 5529
Registry threats detected : 0
File items scanned : 19160
File threats detected : 0
_________________________________
Malwarebytes' Anti-Malware 1.38
Database version: 2397
Windows 5.1.2600 Service Pack 2
7/8/2009 10:35:04 PM
mbam-log-2009-07-08 (22-35-04).txt
Scan type: Full Scan (C:\|D:\|)
Objects scanned: 213301
Time elapsed: 1 hour(s), 54 minute(s), 6 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
Good work. Thanks for your help in removing this one. Don't worry if you see Service Pack 2 up there in one of the logs, when I finish all the maintenance I'm doing to this machine I will have all the OS and software updates in place and I will also recommend to her to buy a good anti virus program like Norton 360 or similar in quality like Nod 32. The machine has AVG at the moment but is because I was using it temporarily. I'll uninstall that one when she gets a better one and I'll install the new one. I will also perform other regular OS checks before giving the machine back to her and I will also do step 3 of your recommendations tonight just in case. Thanks again. I'll tell you later if everything goes well.
#12
Posted 09 July 2009 - 07:55 AM
Please run the following to remove any tools that might have been used during the scanning and cleaning of your system.
STEP A
Uninstall ComboFix.exe
- Click START then RUN
- Now type Combofix /u (if you renamed Combofix.exe use that name instead) in the runbox and click OK. Note the space between the X and the /U, it needs to be there.
- When shown the disclaimer, select "2"
Great, all looks good now.
I'll close your post soon so that others don't post into it, and leave you with this information and suggestions.
So how did I get infected in the first place?
At this time your system appears to be clean. Nothing else in the logs indicates that you are still infected.
Now that you appear to be clean, please follow these simple steps in order to keep your computer clean and secure:
Remove all but the most recent Restore Point on Windows XP
You should Create a New Restore Point to prevent possible reinfection from an old one.
Some of the malware you picked up could have been saved in System Restore.
Since this is a protected directory your tools cannot access to delete these files, they sometimes can reinfect your system if you accidentally use an old restore point.
Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.
The easiest and safest way to do this is:
- Go to Start > Programs > Accessories > System Tools and click "System Restore".
- If the shortcut is missing you can also click on START > RUN > and type in %SystemRoot%\system32\restore\rstrui.exe and click OK
- Choose the radio button marked "Create a Restore Point" on the first screen then click "Next".
- Give the new Restore Point a name, then click "Create".
- The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
- Then use the Disk Cleanup to remove all but the most recently created Restore Point.
- Go to Start > Run and type: Cleanmgr.exe
- Select the drive where Windows is installed and click "Ok". Disk Cleanup will scan your files for several minutes, then open.
- Click the "More Options" tab, then click the "Clean up" button under System Restore.
- Click Ok. You will be prompted with "Are you sure you want to delete all but the most recent restore point?"
- Click Yes, then click Ok.
- Click Yes again when prompted with "Are you sure you want to perform these actions?"
- Disk Cleanup will remove the files and close automatically.
- On the Disk Cleanup tab, if the System Restore: Obsolete Data Stores entry is available remove them also.
- These are files that were created before Windows was reformatted or reinstalled. They are obsolete and you can delete them.
Additional information
Microsoft KB article: How to turn off and turn on System Restore in Windows XP
Bert Kinney's site: All about Windows System Restore
Here are some free programs I recommend that could help you improve your computer's security.
Install SpyWare Blaster
Download it from here
Find here the tutorial on how to use Spyware Blaster here
Install WinPatrol
Download it from here
Here you can find information about how WinPatrol works here
Install FireTrust SiteHound
You can find information and download it from here
Install hpHosts
Download it from here
hpHosts is a community managed and maintained hosts file that allows an additional layer of protection against access to ad,
tracking and malicious websites. This prevents your computer from connecting to these untrusted sites
by redirecting them to 127.0.0.1 which is your own local computer.
hpHosts Support Forum
Update your Antivirus programs and other security products regularly to avoid new threats that could infect your system.
You can use one of these sites to check if any updates are needed for your pc.
Secunia Software Inspector
F-secure Health Check
Visit Microsoft often to get the latest updates for your computer.
http://www.update.microsoft.com
Note 1: If you are running Windows XP SP2, you should upgrade to SP3.
Note 2: Users of Norton Internet Security 2008 should uninstall the software before they install Service Pack 3.
The security suite can then be reinstalled afterwards.
The windows firewall is not sufficient to protect your system. It doesn't monitor outgoing traffic and this is a must.
I recommend Online Armor Free
A little outdated but good reading on how to prevent Malware
Keep safe online and happy surfing.
Since this issue is resolved I will close the thread to prevent others from posting into it. If you need assistance please start your own topic and someone will be happy to assist you.
The fixes and advice in this thread are for this machine only. Do not apply to your machine unless you Fully Understand how these programs work and what you're doing. Please start a thread of your own and someone will be happy to help you, just follow the Pre-Hijackthis instructions found here before posting Pre- HJT Post Instructions
Also don't forget that we offer FREE assistance with General PC questions and repair here PC Help
If you're pleased with the product Malwarebytes and the service provided you, please let your friends, family, and co-workers know. http://www.malwarebytes.org