Hi all,
I've tried everything I've read here - MalwareBytes, ComboFix, ATF-Cleaner, SuperAntiSpyware, DrWeb-CureIt, RootRepeal, Avenger, you name it... - multiple times, in safe mode, after restarts, full instructions carried out to a T, but it is still haunting me. It is a rootkit that makes my search engine links go to advertising sites, and the file is clearly identified in the logs below but cannot be removed by anything. MalwareBytes says it can delete one immediately and one on reboot, but it always comes back. I'm running XP inside VirtualBox on my MacBook, with a VPN into my work up and running (Juniper). Here are the logs from MalwareBytes, HijackThis, and Avenger (others are available if you need them, but you can see what file it is; I have seen a similar one in the last couple of days in this forum). With Avenger I tried entering a simple script to delete the file upon restart, but to no avail. Any help would be greatly appreciated.
Euchrid
Malwarebytes' Anti-Malware 1.39
Database version: 2421
Windows 5.1.2600 Service Pack 3
7/15/2009 8:55:04 PM
mbam-log-2009-07-15 (20-54-59).txt
Scan type: Full Scan (C:\|D:\|E:\|)
Objects scanned: 13749
Time elapsed: 28 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
\\?\globalroot\systemroot\system32\geyekrpjxtedtf.dll (Trojan.TDSS) -> No action taken.
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
\\?\globalroot\systemroot\system32\geyekrpjxtedtf.dll (Trojan.TDSS) -> No action taken.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:46:19 PM, on 7/15/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\VBoxService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Juniper\NetScreen-Remote\IPSecMon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Juniper\NetScreen-Remote\IreIKE.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\VBoxTray.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Everything\Everything.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Live Mesh\Bin\Servicing\0.9.4014.7\MoeMonitor.exe
C:\Program Files\Free Download Manager\fdm.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\Program Files\LClock\LClock.exe
C:\Program Files\Growl for Windows\Growl.exe
C:\Program Files\Markus Mohnen\Gmail Growl\gmailgrowl.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Juniper\NetScreen-Remote\SafeCfg.exe
C:\Program Files\MagicDisc\MagicDisc.exe
C:\Program Files\Google\Update\1.2.183.7\GoogleCrashHandler.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\FolderSize\FolderSizeSvc.exe
C:\Program Files\Hotspot Shield\bin\openvpnas.exe
C:\Program Files\Hotspot Shield\HssWPR\hsssrv.exe
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Live Mesh\GacBase\Moe.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Live Mesh\Remote Desktop\wlcrasvc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.teezcricket.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~1\Office12\GRA8E1~1.DLL
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdm2.dll
O2 - BHO: Google Gears Helper - {E0FEFE40-FBF9-42AE-BA58-794CA7E3FB53} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.29.0\gears.dll
O2 - BHO: Hotspot Shield Class - {F9E4A054-E9B1-4BC3-83A3-76A1AE736170} - C:\Program Files\Hotspot Shield\hssie\HssIE.dll
O4 - HKLM\..\Run: [VBoxTray] C:\WINDOWS\system32\VBoxTray.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [PostCopy] C:\WINDOWS\system32\BELKIN\F5D5050\PostCopy.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [Everything] "C:\Program Files\Everything\Everything.exe" -startup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [MoeMonitor.exe] "C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Live Mesh\Bin\Servicing\0.9.4014.7\MoeMonitor.exe"
O4 - HKCU\..\Run: [Free Download Manager] C:\Program Files\Free Download Manager\fdm.exe -autorun
O4 - HKCU\..\Run: [uTorrent] "C:\Program Files\uTorrent\uTorrent.exe"
O4 - HKCU\..\Run: [LClock] C:\Program Files\LClock\LClock.exe
O4 - HKCU\..\Run: [Growl] C:\Program Files\Growl for Windows\Growl.exe
O4 - HKCU\..\Run: [Gmail Growl] C:\Program Files\Markus Mohnen\Gmail Growl\gmailgrowl.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Startup: MagicDisc.lnk = C:\Program Files\MagicDisc\MagicDisc.exe
O4 - Global Startup: NetScreen-Remote.lnk = C:\Program Files\Juniper\NetScreen-Remote\SafeCfg.exe
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download video with Free Download Manager - file://C:\Program Files\Free Download Manager\dlfvideo.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.29.0\gears.dll
O9 - Extra 'Tools' menuitem: &Gears Settings - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.29.0\gears.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~1\Office12\GR99D3~1.DLL
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O20 - Winlogon Notify: wlcrdplauncher - C:\Program Files\Live Mesh\Remote Desktop\wlcrdplauncher.dll
O22 - SharedTaskScheduler: Fences - {EC654325-1273-C2A9-2B7C-45A29BCE2FBD} - C:\Program Files\Stardock\Fences\DesktopDock.dll
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Folder Size (FolderSize) - Brio - C:\Program Files\FolderSize\FolderSizeSvc.exe
O23 - Service: Google Update Service (gupdate1c9c1b183ad1450) (gupdate1c9c1b183ad1450) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Hotspot Shield Service (HotspotShieldService) - Unknown owner - C:\Program Files\Hotspot Shield\bin\openvpnas.exe
O23 - Service: Hotspot Shield Helper Service (HssSrv) - AnchorFree Inc. - C:\Program Files\Hotspot Shield\HssWPR\hsssrv.exe
O23 - Service: Hotspot Shield Tray Service (HssTrayService) - Unknown owner - C:\Program Files\Hotspot Shield\bin\HssTrayService.EXE
O23 - Service: SafeNet Monitor Service (IPSECMON) - SafeNet - C:\Program Files\Juniper\NetScreen-Remote\IPSecMon.exe
O23 - Service: SafeNet IKE Service (IreIKE) - SafeNet - C:\Program Files\Juniper\NetScreen-Remote\IreIKE.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: VirtualBox Guest Additions Service (VBoxService) - Sun Microsystems, Inc. - C:\WINDOWS\system32\VBoxService.exe
O24 - Desktop Component AutorunsDisabled: (no name) - (no file)
--
End of file - 7995 bytes
Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com
Platform: Windows XP
*******************
Script file opened successfully.
Script file read successfully.
Backups directory opened successfully at C:\Avenger
*******************
Beginning to process script file:
Rootkit scan active.
No rootkits found!
Error: could not delete file "c:\Windows\System32\geyekrpjxtedtf.dll"
Deletion of file "c:\Windows\System32\geyekrpjxtedtf.dll" failed!
Status: 0xc0000156
Completed script processing.
*******************
Finished! Terminate.
#1
Posted 16 July 2009 - 02:05 AM
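A small triage script for the Malwarebytes and HijackThis logs pasted above, added here as an example; it is not part of the thread or of either tool. The log excerpts inside it are constructed from the lines quoted above, and the choice of which HijackThis sections to surface is my own. The point it makes is the one the logs already show: Malwarebytes reports the DLL through the `\\?\globalroot\systemroot\...` namespace, which is the same directory as `%SystemRoot%`, so it is the same file Avenger later fails to delete under `c:\Windows\System32`.

```python
import re

# Constructed excerpt of the Malwarebytes log quoted in the post (raw string,
# so every backslash is literal). Real logs carry more sections; the parser
# keys on the "... Infected:" headers and ignores the rest.
MBAM_LOG = r"""
Malwarebytes' Anti-Malware 1.39
Database version: 2421
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
\\?\globalroot\systemroot\system32\geyekrpjxtedtf.dll (Trojan.TDSS) -> No action taken.
Registry Keys Infected:
(No malicious items detected)
Files Infected:
\\?\globalroot\systemroot\system32\geyekrpjxtedtf.dll (Trojan.TDSS) -> No action taken.
"""

# Constructed excerpt of the HijackThis log quoted in the post.
HJT_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.teezcricket.com/
O2 - BHO: Hotspot Shield Class - {F9E4A054-E9B1-4BC3-83A3-76A1AE736170} - C:\Program Files\Hotspot Shield\hssie\HssIE.dll
O4 - HKLM\..\Run: [VBoxTray] C:\WINDOWS\system32\VBoxTray.exe
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Hotspot Shield Service (HotspotShieldService) - Unknown owner - C:\Program Files\Hotspot Shield\bin\openvpnas.exe
O23 - Service: VirtualBox Guest Additions Service (VBoxService) - Sun Microsystems, Inc. - C:\WINDOWS\system32\VBoxService.exe
O24 - Desktop Component AutorunsDisabled: (no name) - (no file)
"""

# "<item> (<threat name>) -> <action>" is the shape of every MBAM detection line.
DETECTION_RE = re.compile(r"^(?P<item>.+?) \((?P<threat>[^()]+)\) -> (?P<action>.+)$")
# Literal prefix \\?\globalroot\systemroot\ : the NT object namespace view of %SystemRoot%.
GLOBALROOT_PREFIX = "\\\\?\\globalroot\\systemroot\\"
HJT_RE = re.compile(r"^(?P<code>[RFO]\d+) - (?P<body>.+)$")


def parse_mbam(text):
    """Return {section: [(item, threat, action), ...]} for each '... Infected:' section."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("Infected:"):          # summary lines end in a count, not a colon
            current = line[:-1]
            sections.setdefault(current, [])
            continue
        if current is None or line.startswith("(No malicious"):
            continue
        m = DETECTION_RE.match(line)
        if m:
            sections[current].append((m["item"], m["threat"], m["action"]))
    return sections


def normalize_globalroot(path):
    """Rewrite a \\?\globalroot\systemroot\ path to the %SystemRoot% form other tools log.

    Lets the MBAM hit be joined to Avenger's "c:\Windows\System32\..." failure:
    both name the same on-disk file, reached through two different namespaces.
    """
    if path.lower().startswith(GLOBALROOT_PREFIX.lower()):
        return "%SystemRoot%\\" + path[len(GLOBALROOT_PREFIX):]
    return path


def hidden_items(text):
    """Distinct (normalised path, threat) pairs that MBAM reached via globalroot."""
    found = set()
    for entries in parse_mbam(text).values():
        for item, threat, _action in entries:
            if item.lower().startswith(GLOBALROOT_PREFIX.lower()):
                found.add((normalize_globalroot(item), threat))
    return sorted(found)


def hjt_review(text):
    """HijackThis lines a responder reads first, each with the reason it was surfaced."""
    flagged = []
    for raw in text.splitlines():
        m = HJT_RE.match(raw.strip())
        if not m:
            continue
        code, body = m["code"], m["body"]
        if "(no file)" in body:
            reason = "dangling entry"
        elif code == "O23":                     # services: only those with no publisher
            reason = "service without publisher" if "Unknown owner" in body else None
        elif code in ("R0", "R1"):
            reason = "browser start/search page"
        elif code == "O2":
            reason = "browser helper object"
        elif code == "O20":
            reason = "winlogon notify DLL"
        else:
            reason = None
        if reason:
            flagged.append((code, reason, body))
    return flagged


if __name__ == "__main__":
    for path, threat in hidden_items(MBAM_LOG):
        print(f"hidden via globalroot: {path}  [{threat}]")
    for code, reason, body in hjt_review(HJT_LOG):
        print(f"{code:<4} {reason:<26} {body}")
```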
#2
Posted 16 July 2009 - 07:57 AM
Please disable your Anti-Virus and delete your current copy of Combofix and get a NEW fresh copy and run it. Then post back the log.
Please visit this webpage for instructions for downloading ComboFix to your DESKTOP : how-to-use-combofix
Please ensure you read this guide carefully and install the Recovery Console first.
NOTE!!: You must save and run ComboFix.exe on your DESKTOP and not from any other folder.
Also, DO NOT click the mouse or launch any other applications while this is running, or it may stall the program.
Additional links to download the tool:
ComboFix.exe
ComboFix.exe
ComboFix.exe
Note: The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.
Once installed, you should see a blue screen prompt that says:
The Recovery Console was successfully installed.
Please continue as follows:
- Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
- Click Yes to allow ComboFix to continue scanning for malware.
- When the tool is finished, it will produce a report for you.
- Please post the C:\ComboFix.txt along with a new HijackThis log so we may continue cleaning the system.
#3
Posted 17 July 2009 - 02:17 AM
Thanks for your assistance. Here are the two logs:
ComboFix 09-07-14.08 - Administrator 07/16/2009 21:51.4.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1540 [GMT -4:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
.
((((((((((((((((((((((((( Files Created from 2009-06-17 to 2009-07-17 )))))))))))))))))))))))))))))))
.
2009-07-16 01:20 . 2009-07-17 01:41 117760 ----a-w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-07-16 01:03 . 2009-07-16 01:03 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\SUPERAntiSpyware.com
2009-07-16 01:03 . 2009-07-16 01:03 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-07-16 01:03 . 2009-07-16 01:03 -------- d-----w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2009-07-16 01:03 . 2009-07-16 01:03 -------- d-----w- c:\docume~1\ADMINI~1\APPLIC~1\SUPERAntiSpyware.com
2009-07-16 01:03 . 2009-07-16 01:03 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-07-15 04:41 . 2009-07-15 04:41 -------- d-----w- c:\documents and settings\Administrator\DoctorWeb
2009-07-15 03:50 . 2009-07-15 03:50 -------- d-----w- c:\program files\Trend Micro
2009-07-15 02:40 . 2009-07-15 02:40 -------- d-----w- c:\windows\Sun
2009-07-15 01:26 . 2009-07-15 01:26 -------- d-----w- c:\windows\system32\wbem\snmp
2009-07-15 01:26 . 2009-07-15 01:26 -------- d-----w- c:\windows\system32\oobe
2009-07-15 01:26 . 2009-07-15 01:26 -------- d-----w- c:\windows\srchasst
2009-07-15 01:26 . 2009-07-15 01:26 -------- d-----w- c:\windows\system32\xircom
2009-07-15 01:25 . 2009-07-15 01:25 -------- d-----w- c:\program files\microsoft frontpage
2009-07-14 23:02 . 2009-07-14 23:02 0 ----a-w- c:\windows\system32\cd.dat
2009-07-14 18:14 . 2009-07-14 18:14 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Temp
2009-07-14 18:14 . 2009-07-14 18:14 -------- d-----w- c:\docume~1\ADMINI~1\LOCALS~1\APPLIC~1\Temp
2009-07-14 17:40 . 2009-07-14 17:59 -------- d--h--w- C:\$AVG8.VAULT$
2009-07-10 14:56 . 2009-07-10 14:56 195472 ----a-w- c:\windows\system32\drivers\VBoxSF.sys
2009-07-10 14:55 . 2009-07-10 14:55 1059344 ----a-w- c:\windows\system32\VBoxService.exe
2009-07-10 14:55 . 2009-07-10 14:55 588304 ----a-w- c:\windows\system32\VBoxOGLfeedbackspu.dll
2009-07-10 14:55 . 2009-07-10 14:55 1346064 ----a-w- c:\windows\system32\VBoxOGLpackspu.dll
2009-07-10 14:55 . 2009-07-10 14:55 109072 ----a-w- c:\windows\system32\VBoxOGLpassthroughspu.dll
2009-07-10 14:55 . 2009-07-10 14:55 432656 ----a-w- c:\windows\system32\VBoxOGLarrayspu.dll
2009-07-10 14:55 . 2009-07-10 14:55 305680 ----a-w- c:\windows\system32\VBoxOGL.dll
2009-07-10 14:55 . 2009-07-10 14:55 65552 ----a-w- c:\windows\system32\VBoxHook.dll
2009-07-10 14:55 . 2009-07-10 14:55 645648 ----a-w- c:\windows\system32\VBoxGINA.dll
2009-07-10 14:54 . 2009-07-10 14:54 145936 ----a-w- c:\windows\system32\VBoxOGLerrorspu.dll
2009-07-10 14:54 . 2009-07-10 14:54 203280 ----a-w- c:\windows\system32\VBoxOGLcrutil.dll
2009-07-08 15:44 . 2009-07-08 15:44 -------- d-----w- c:\program files\Markus Mohnen
2009-07-08 15:38 . 2009-07-08 15:38 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Growl
2009-07-08 15:38 . 2009-07-08 15:38 -------- d-----w- c:\docume~1\ADMINI~1\LOCALS~1\APPLIC~1\Growl
2009-07-08 15:37 . 2009-07-08 15:37 -------- d-----w- c:\program files\Growl for Windows
2009-07-08 15:02 . 2009-07-08 15:02 -------- d-----w- c:\program files\SopCast
2009-07-08 14:49 . 2009-07-08 14:50 -------- d-----w- c:\program files\TVAnts
2009-07-08 14:43 . 2009-07-08 14:43 -------- d-----w- c:\documents and settings\Administrator\LocalLow
2009-07-08 14:43 . 2009-07-08 14:43 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\TVU Networks
2009-07-08 14:43 . 2009-07-08 14:43 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\TVU Networks
2009-07-08 14:43 . 2009-07-08 14:43 -------- d-----w- c:\docume~1\ADMINI~1\LOCALS~1\APPLIC~1\TVU Networks
2009-07-07 23:48 . 2009-07-07 02:44 937984 ----a-w- c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\2epl54kr.Donny\extensions\piclens@cooliris.com\libs\PicLensHelper.exe
2009-07-07 23:48 . 2009-07-07 02:44 103424 ----a-w- c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\2epl54kr.Donny\extensions\piclens@cooliris.com\libs\pixomatic.dll
2009-07-07 23:48 . 2009-07-07 02:44 65536 ----a-w- c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\2epl54kr.Donny\extensions\piclens@cooliris.com\components\coolirisstub.dll
2009-07-07 23:48 . 2009-07-07 02:44 106496 ----a-w- c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\2epl54kr.Donny\extensions\piclens@cooliris.com\plugins\npcoolirisplugin.dll
2009-07-07 23:48 . 2009-07-07 02:44 4722688 ----a-w- c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\2epl54kr.Donny\extensions\piclens@cooliris.com\libs\cooliris19.dll
2009-07-07 23:48 . 2009-07-07 02:44 344064 ----a-w- c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\2epl54kr.Donny\extensions\piclens@cooliris.com\libs\LaunchCooliris.exe
2009-07-03 22:37 . 2009-07-03 22:39 -------- d-----w- c:\documents and settings\Administrator\Ekahau Site Survey
2009-07-03 22:35 . 2009-07-03 22:54 -------- d-----w- c:\program files\Ekahau
2009-07-01 04:08 . 2009-07-15 02:45 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Phanfare2
2009-07-01 04:08 . 2009-07-15 02:45 -------- d-----w- c:\docume~1\ADMINI~1\LOCALS~1\APPLIC~1\Phanfare2
2009-07-01 04:08 . 2009-06-29 18:23 172032 ----a-w- c:\windows\system32\Phanfare Screensaver.scr
2009-07-01 04:08 . 2009-06-29 18:22 323624 ----a-w- c:\windows\system32\wiaaut.dll
2009-07-01 04:07 . 2009-07-15 03:41 327968 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-07-01 04:02 . 2009-07-01 04:02 -------- d-----w- c:\windows\system32\XPSViewer
2009-07-01 04:00 . 2009-07-01 04:00 -------- d-----w- c:\program files\Reference Assemblies
2009-07-01 03:58 . 2006-06-29 17:07 14048 ------w- c:\windows\system32\spmsg2.dll
2009-07-01 03:57 . 2006-06-29 17:07 22752 ----a-w- c:\windows\system32\spupdsvc.exe
2009-07-01 03:03 . 2009-07-01 03:50 -------- d-----w- c:\documents and settings\Administrator\Application Data\Desktopicon
2009-07-01 03:03 . 2009-07-01 03:50 -------- d-----w- c:\docume~1\ADMINI~1\APPLIC~1\Desktopicon
2009-07-01 03:01 . 2009-07-01 03:02 -------- d-----w- c:\program files\FormatFactory
2009-06-30 23:54 . 2009-05-07 12:23 63488 ----a-w- c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\2epl54kr.Donny\extensions\{340c2bbc-ce74-4362-90b5-7c26312808ef}\platform\WINNT_x86-msvc\components\WeaveCrypto.dll
2009-06-30 21:27 . 2009-06-30 21:27 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-06-30 21:27 . 2009-06-30 21:27 -------- d-----w- c:\program files\Java
2009-06-30 21:25 . 2009-06-30 21:25 152576 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\jre1.6.0_14\lzma.dll
2009-06-30 02:25 . 2009-07-03 22:38 57164 ---ha-w- c:\windows\system32\mlfcache.dat
2009-06-28 06:36 . 2009-06-28 06:36 -------- d-----w- c:\program files\AnyBizSoft
2009-06-28 06:31 . 2009-06-28 06:31 -------- d-----w- c:\documents and settings\Administrator\Application Data\Stardock
2009-06-28 06:31 . 2009-06-28 06:31 -------- d-----w- c:\docume~1\ADMINI~1\APPLIC~1\Stardock
2009-06-28 06:31 . 2009-06-28 06:31 -------- dc-h--w- c:\docume~1\ALLUSE~1\APPLIC~1\{067CEB81-A49B-4597-9505-A5515881D672}
2009-06-28 06:31 . 2009-06-28 06:31 -------- d-----w- c:\program files\Stardock
2009-06-19 21:37 . 2008-08-21 05:45 138296 ----a-w- c:\windows\system32\drivers\IpSecDrv.sys
2009-06-19 21:37 . 2008-08-21 06:02 90164 ----a-w- c:\windows\system32\cmondll.dll
2009-06-19 21:37 . 2008-08-21 06:02 28726 ----a-w- c:\windows\system32\SnPolicy.dll
2009-06-19 21:37 . 2008-08-21 06:02 233526 ----a-w- c:\windows\system32\IreComn.dll
2009-06-19 21:37 . 2008-01-17 04:35 536634 ------w- c:\windows\system32\drivers\Crypto.sys
2009-06-19 21:37 . 2008-01-14 04:21 159804 ------w- c:\windows\system32\IreBase.dll
2009-06-19 21:37 . 2008-01-14 04:21 90166 ------w- c:\windows\system32\IreSC.dll
2009-06-19 21:37 . 2008-01-14 04:20 344122 ------w- c:\windows\system32\IreCGX.dll
2009-06-19 21:37 . 1997-09-17 16:00 207120 ------r- c:\windows\system32\Msoss.dll
2009-06-19 21:36 . 2009-06-19 21:36 -------- d-----w- c:\program files\Common Files\Deterministic Networks
2009-06-19 21:36 . 2008-06-19 09:27 125584 ----a-w- c:\windows\system32\drivers\dne2000.sys
2009-06-19 21:36 . 2008-05-24 05:22 106768 ----a-w- c:\windows\system32\dneinobj.dll
2009-06-19 21:36 . 2000-09-12 11:34 28160 ------r- c:\windows\system32\cstrain.dll
2009-06-19 21:36 . 2000-09-12 11:25 78848 ------r- c:\windows\system32\soedber.dll
2009-06-19 21:36 . 2000-09-12 11:25 46080 ------r- c:\windows\system32\soedapi.dll
2009-06-19 21:36 . 2000-09-12 11:25 16896 ------r- c:\windows\system32\ossdmem.dll
2009-06-19 21:36 . 2000-09-12 11:25 23552 ------r- c:\windows\system32\ossapi.dll
2009-06-19 21:36 . 2008-08-21 06:03 344116 ----a-w- c:\windows\system32\IreMgmt.dll
2009-06-19 21:36 . 2000-09-12 11:25 11264 ------r- c:\windows\system32\soedoid.dll
2009-06-19 21:36 . 2008-01-02 09:48 29184 ----a-w- c:\windows\system32\drivers\vap.sys
2009-06-19 21:36 . 2009-06-19 21:36 -------- d-----w- c:\program files\Juniper
2009-06-19 21:35 . 2009-06-19 21:35 -------- d-----w- c:\program files\Common Files\InstallShield
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-17 02:02 . 2009-04-20 12:13 -------- d-----w- c:\documents and settings\Administrator\Application Data\Free Download Manager
2009-07-17 02:02 . 2009-04-20 12:13 -------- d-----w- c:\docume~1\ADMINI~1\APPLIC~1\Free Download Manager
2009-07-17 02:00 . 2009-05-05 12:21 -------- d-----w- c:\documents and settings\Administrator\Application Data\uTorrent
2009-07-17 02:00 . 2009-05-05 12:21 -------- d-----w- c:\docume~1\ADMINI~1\APPLIC~1\uTorrent
2009-07-15 19:18 . 2009-04-20 13:43 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-07-15 01:03 . 2009-04-20 12:36 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-07-14 18:14 . 2009-04-20 12:13 -------- d-----w- c:\program files\Google
2009-07-13 17:36 . 2009-04-20 12:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-13 17:36 . 2009-04-20 12:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-10 14:56 . 2008-11-21 18:30 84496 ----a-w- c:\windows\system32\vbcoinst.dll
2009-07-10 14:56 . 2008-11-21 18:30 641552 ----a-w- c:\windows\system32\VBoxControl.exe
2009-07-10 14:56 . 2008-11-21 18:30 39376 ----a-w- c:\windows\system32\drivers\VBoxGuest.sys
2009-07-10 14:56 . 2008-11-21 18:30 1026576 ----a-w- c:\windows\system32\VBoxTray.exe
2009-07-10 14:56 . 2008-11-21 18:30 63632 ----a-w- c:\windows\system32\VBoxDisp.dll
2009-07-10 14:56 . 2008-11-21 18:30 57872 ----a-w- c:\windows\system32\drivers\VBoxVideo.sys
2009-07-10 14:56 . 2008-11-21 18:29 39888 ----a-w- c:\windows\system32\drivers\VBoxMouse.sys
2009-07-10 14:55 . 2008-11-21 18:28 645648 ----a-w- c:\windows\system32\VBoxMRXNP.dll
2009-07-01 04:26 . 2009-04-16 10:32 70400 ----a-w- c:\windows\system32\GDIPFONTCACHEV1.DAT
2009-07-01 04:07 . 2009-04-16 07:10 -------- d-----w- c:\program files\MSBuild
2009-06-26 04:13 . 2009-05-30 16:24 -------- d-----w- c:\program files\Digsby
2009-06-26 04:00 . 2009-04-20 12:05 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-06-26 04:00 . 2009-04-20 12:05 327688 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-06-26 04:00 . 2009-04-20 12:05 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-06-21 16:29 . 2009-04-20 12:11 -------- d-----w- c:\program files\Everything
2009-06-11 06:29 . 2009-06-11 06:29 -------- d-----w- c:\program files\Common Files\Blackbaud
2009-06-11 06:27 . 2009-06-11 06:27 -------- d-----w- c:\program files\Blackbaud
2009-06-11 05:16 . 2009-06-11 05:16 -------- d-----w- c:\program files\Common Files\Business Objects
2009-06-11 05:16 . 2009-06-11 05:16 -------- d-----w- c:\program files\Business Objects
2009-06-11 05:14 . 2009-06-11 05:14 -------- d-----w- c:\program files\MSXML 4.0
2009-06-01 14:36 . 2009-06-04 06:17 3184128 ----a-w- c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\2epl54kr.Donny\extensions\{0b457cAA-602d-484a-8fe7-c1d894a011ba}\library\SSS.dll
2009-05-30 18:27 . 2009-05-30 18:27 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Digsby
2009-05-30 16:45 . 2009-05-30 16:24 -------- d-----w- c:\documents and settings\Administrator\Application Data\Digsby
2009-05-30 16:45 . 2009-05-30 16:24 -------- d-----w- c:\docume~1\ADMINI~1\APPLIC~1\Digsby
2009-05-08 02:55 . 2009-04-20 12:05 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-05-04 19:03 . 2009-05-04 19:03 59904 ----a-w- c:\windows\system32\zlib1.dll
2009-05-04 18:53 . 2009-05-04 18:53 286720 ----a-w- c:\windows\system32\libcurl.dll
2009-05-04 18:53 . 2009-05-04 18:53 196608 ----a-w- c:\windows\system32\ssleay32.dll
2009-05-04 18:53 . 2009-05-04 18:53 1028096 ----a-w- c:\windows\system32\libeay32.dll
2009-05-04 18:53 . 2009-05-04 18:53 143360 ----a-w- c:\windows\system32\libexpatw.dll
2009-04-23 04:47 . 2009-06-04 06:17 28672 ----a-w- c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\2epl54kr.Donny\extensions\{0b457cAA-602d-484a-8fe7-c1d894a011ba}\platform\WINNT_x86-msvc\components\SSSLauncher.dll
2009-04-21 03:05 . 2009-04-21 03:05 695642 ----a-w- c:\documents and settings\Administrator\Application Data\UBitMenu\unins000.exe
2009-04-20 13:45 . 2009-04-20 13:45 768 ----a-w- c:\windows\system32\d3d8caps.dat
2009-06-24 13:26 . 2009-04-16 09:47 137208 ----a-w- c:\program files\mozilla firefox\components\brwsrcmp.dll
2008-05-05 20:14 . 2008-12-01 20:22 34048 ----a-w- c:\program files\opera\program\plugins\upd62i9x.dll
2008-05-05 20:14 . 2008-12-01 20:22 45056 ----a-w- c:\program files\opera\program\plugins\upd62int.dll
.
------- Sigcheck -------
[-] 2008-05-06 12:00 361344 ACCF5A9A1FFAA490F33DBA1C632B95E1 c:\windows\system32\drivers\tcpip.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F9E4A054-E9B1-4BC3-83A3-76A1AE736170}]
2009-05-08 04:46 218160 ----a-w- c:\program files\Hotspot Shield\hssie\HssIE.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MoeMonitor.exe"="c:\documents and settings\Administrator\Local Settings\Application Data\Microsoft\Live Mesh\Bin\Servicing\0.9.4014.7\MoeMonitor.exe" [2009-07-03 1315152]
"Free Download Manager"="c:\program files\Free Download Manager\fdm.exe" [2009-01-30 3399727]
"uTorrent"="c:\program files\uTorrent\uTorrent.exe" [2009-05-05 274224]
"LClock"="c:\program files\LClock\LClock.exe" [2004-09-19 65536]
"Growl"="c:\program files\Growl for Windows\Growl.exe" [2009-07-07 1146880]
"Gmail Growl"="c:\program files\Markus Mohnen\Gmail Growl\gmailgrowl.exe" [2009-06-04 900489]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-06-23 1830128]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VBoxTray"="c:\windows\system32\VBoxTray.exe" [2009-07-10 1026576]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-26 31016]
"PostCopy"="c:\windows\system32\BELKIN\F5D5050\PostCopy.exe" [2001-07-25 20480]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-06-26 1948440]
"Everything"="c:\program files\Everything\Everything.exe" [2009-03-13 602624]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-06-30 148888]
c:\documents and settings\Administrator\Start Menu\Programs\Startup\
MagicDisc.lnk - c:\program files\MagicDisc\MagicDisc.exe [2009-4-16 534016]
c:\docume~1\ALLUSE~1\STARTM~1\Programs\Startup\
NetScreen-Remote.lnk - c:\program files\Juniper\NetScreen-Remote\SafeCfg.exe [2009-6-19 77876]
c:\docume~1\ADMINI~1\STARTM~1\Programs\Startup\
MagicDisc.lnk - c:\program files\MagicDisc\MagicDisc.exe [2009-4-16 534016]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"= 1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"MemCheckBoxInRunDlg"= 1 (0x1)
"StartMenuFavorites"= 0 (0x0)
"Start_ShowMyComputer"= 1 (0x1)
"Start_ShowMyDocs"= 1 (0x1)
"Start_ShowMyMusic"= 0 (0x0)
"Start_ShowRun"= 1 (0x1)
"Start_ShowSearch"= 0 (0x0)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)
"MemCheckBoxInRunDlg"= 1 (0x1)
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"= 1 (0x1)
"ForceClassicControlPanel"= 1 (0x1)
"NoResolveTrack"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)
"MemCheckBoxInRunDlg"= 1 (0x1)
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\SharedTaskScheduler]
"{EC654325-1273-C2A9-2B7C-45A29BCE2FBD}"= "c:\program files\Stardock\Fences\DesktopDock.dll" [2009-02-25 517480]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 16:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wlcrdplauncher]
2009-07-03 19:41 21840 ----a-w- c:\program files\Live Mesh\Remote Desktop\wlcrdplauncher.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-06-26 04:00 11952 ----a-w- c:\windows\system32\avgrsstx.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"e:\\Program Files\\Phanfare\\Phanfare.exe"=
"c:\\Program Files\\Live Mesh\\Remote Desktop\\wlcrasvc.exe"=
"c:\\Documents and Settings\\Administrator\\Local Settings\\Application Data\\Microsoft\\Live Mesh\\GacBase\\Moe.exe"=
"c:\\Program Files\\Juniper\\NetScreen-Remote\\IreIKE.exe"=
"c:\program files\Juniper\NetScreen-Remote\ViewLog.exe"= c:\program files\Juniper\NetScreen-Remote\ViewLog.exe:127.0.0.1/255.255.255.255:Enabled:ViewLog
"c:\program files\Juniper\NetScreen-Remote\CmonApp.exe"= c:\program files\Juniper\NetScreen-Remote\CmonApp.exe:127.0.0.1/255.255.255.255:Enabled:CMonApp
"c:\program files\Juniper\NetScreen-Remote\vpn.exe"= c:\program files\Juniper\NetScreen-Remote\vpn.exe:127.0.0.1/255.255.255.255:Enabled:VPN Connection Manager
R0 VBoxGuest;VirtualBox Guest Driver;c:\windows\system32\drivers\VBoxGuest.sys [11/21/2008 2:30 PM 39376]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [4/20/2009 8:05 AM 327688]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [4/20/2009 8:05 AM 108552]
R1 IPSECDRV;SafeNet IPSec Plugin;c:\windows\system32\drivers\IpSecDrv.sys [6/19/2009 5:37 PM 138296]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [6/23/2009 11:01 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [6/23/2009 11:01 AM 72944]
R1 VBoxSF;VirtualBox Shared Folders;c:\windows\system32\drivers\VBoxSF.sys [7/10/2009 10:56 AM 195472]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [4/20/2009 8:05 AM 298776]
R2 Crypto;Crypto;c:\windows\system32\drivers\Crypto.sys [6/19/2009 5:37 PM 536634]
R2 Ekauio;Ekahau NDIS Usermode I/O Protocol;c:\windows\system32\drivers\ekauio.sys [4/7/2009 8:45 AM 12416]
R2 HssSrv;Hotspot Shield Helper Service;c:\program files\Hotspot Shield\HssWPR\hsssrv.exe [4/21/2009 9:12 PM 328752]
R2 VBoxService;VirtualBox Guest Additions Service;system32\VBoxService.exe --> system32\VBoxService.exe [?]
R2 wlcrasvc;Live Mesh Remote Desktop;c:\program files\Live Mesh\Remote Desktop\wlcrasvc.exe [4/16/2009 6:24 AM 44880]
R3 DniVap;SafeNet WAN Miniport (VA);c:\windows\system32\drivers\vap.sys [6/19/2009 5:36 PM 29184]
R3 RDPDISPM;RDPDISPM;c:\windows\system32\drivers\rdpdispm.sys [4/16/2009 6:24 AM 9024]
R3 RDPVDD;RDPVDD;c:\windows\system32\drivers\rdpvmp.sys [4/16/2009 6:24 AM 19392]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [6/23/2009 11:01 AM 7408]
R3 VBoxMouse;VirtualBox Guest Mouse Service;c:\windows\system32\drivers\VBoxMouse.sys [11/21/2008 2:29 PM 39888]
R3 VBoxVideo;VBoxVideo;c:\windows\system32\drivers\VBoxVideo.sys [11/21/2008 2:30 PM 57872]
R3 vmmouse;VMware Pointing Device;c:\windows\system32\drivers\vmmouse.sys [12/1/2008 4:09 PM 11568]
S2 gupdate1c9c1b183ad1450;Google Update Service (gupdate1c9c1b183ad1450);c:\program files\Google\Update\GoogleUpdate.exe [4/20/2009 8:14 AM 133104]
S3 HssTrayService;Hotspot Shield Tray Service;c:\program files\Hotspot Shield\bin\HssTrayService.exe [4/22/2009 5:34 PM 34352]
S3 vmxnet;VMware Ethernet Adapter Driver;c:\windows\system32\drivers\vmxnet.sys [12/1/2008 4:09 PM 29488]
S4 zlportio;zlportio;\??\g:\zlportio.sys --> g:\zlportio.sys [?]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.teezcricket.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mStart Page = hxxp://www.google.com
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: Download all with Free Download Manager - file://c:\program files\Free Download Manager\dlall.htm
IE: Download selected with Free Download Manager - file://c:\program files\Free Download Manager\dlselected.htm
IE: Download video with Free Download Manager - file://c:\program files\Free Download Manager\dlfvideo.htm
IE: Download with Free Download Manager - file://c:\program files\Free Download Manager\dllink.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\docume~1\ADMINI~1\APPLIC~1\Mozilla\Firefox\Profiles\2epl54kr.Donny\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/|http://ebiss/default.aspx|http://studywiz.biss.com.cn/|https://ibis.ibo.org/index.cfm|https://web4.ibo.org/ibnet/|http://online.ibo.org/ibis/occ/guest/home.cfm|http://docs.google.com/#not-in-folders|https://secure.members.easynews.com/global4/search.html?fly=1|http://www.abc.net.au/news/|http://www.google.com/reader/shared/10493336563511901340|http://www.newser.com/
FF - component: c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\2epl54kr.Donny\extensions\{0b457cAA-602d-484a-8fe7-c1d894a011ba}\platform\WINNT_x86-msvc\components\SSSLauncher.dll
FF - component: c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\2epl54kr.Donny\extensions\{340c2bbc-ce74-4362-90b5-7c26312808ef}\platform\WINNT_x86-msvc\components\WeaveCrypto.dll
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: c:\program files\Free Download Manager\Firefox\Extension\components\vmsfdmff.dll
FF - component: c:\program files\Google\Google Gears\Firefox\lib\ff35\gears.dll
FF - plugin: c:\program files\Google\Update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npFoxitReaderPlugin.dll
---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-16 22:02
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files:
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(1212)
geyekrpjxtedtf.dll 10000000 36864 \\?\globalroot\systemroot\system32\geyekrpjxtedtf.dll
c:\program files\SUPERAntiSpyware\SASWINLO.dll
- - - - - - - > 'explorer.exe'(3448)
geyekrpjxtedtf.dll 10000000 36864 \\?\globalroot\systemroot\system32\geyekrpjxtedtf.dll
c:\windows\system32\VBoxMRXNP.dll
c:\program files\LClock\LC.dll
c:\program files\Stardock\Fences\DesktopDock.dll
c:\program files\SUPERAntiSpyware\SASSEH.DLL
.
Completion time: 2009-07-17 22:07
ComboFix-quarantined-files.txt 2009-07-17 02:07
ComboFix2.txt 2009-07-15 06:58
Pre-Run: 1,792,401,408 bytes free
Post-Run: 1,808,146,432 bytes free
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:15:15 PM, on 7/16/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\VBoxService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Juniper\NetScreen-Remote\IPSecMon.exe
C:\Program Files\Juniper\NetScreen-Remote\IreIKE.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Google\Update\1.2.183.7\GoogleCrashHandler.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\FolderSize\FolderSizeSvc.exe
C:\Program Files\Hotspot Shield\bin\openvpnas.exe
C:\Program Files\Hotspot Shield\HssWPR\hsssrv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Live Mesh\Remote Desktop\wlcrasvc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\VBoxTray.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Everything\Everything.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Free Download Manager\fdm.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\Program Files\LClock\LClock.exe
C:\Program Files\Growl for Windows\Growl.exe
C:\Program Files\Markus Mohnen\Gmail Growl\gmailgrowl.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Juniper\NetScreen-Remote\SafeCfg.exe
C:\Program Files\MagicDisc\MagicDisc.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.teezcricket.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~1\Office12\GRA8E1~1.DLL
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdm2.dll
O2 - BHO: Google Gears Helper - {E0FEFE40-FBF9-42AE-BA58-794CA7E3FB53} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.29.0\gears.dll
O2 - BHO: Hotspot Shield Class - {F9E4A054-E9B1-4BC3-83A3-76A1AE736170} - C:\Program Files\Hotspot Shield\hssie\HssIE.dll
O4 - HKLM\..\Run: [VBoxTray] C:\WINDOWS\system32\VBoxTray.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [PostCopy] C:\WINDOWS\system32\BELKIN\F5D5050\PostCopy.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [Everything] "C:\Program Files\Everything\Everything.exe" -startup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [MoeMonitor.exe] "C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Live Mesh\Bin\Servicing\0.9.4014.7\MoeMonitor.exe"
O4 - HKCU\..\Run: [Free Download Manager] C:\Program Files\Free Download Manager\fdm.exe -autorun
O4 - HKCU\..\Run: [uTorrent] "C:\Program Files\uTorrent\uTorrent.exe"
O4 - HKCU\..\Run: [LClock] C:\Program Files\LClock\LClock.exe
O4 - HKCU\..\Run: [Growl] C:\Program Files\Growl for Windows\Growl.exe
O4 - HKCU\..\Run: [Gmail Growl] C:\Program Files\Markus Mohnen\Gmail Growl\gmailgrowl.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Startup: MagicDisc.lnk = C:\Program Files\MagicDisc\MagicDisc.exe
O4 - Global Startup: NetScreen-Remote.lnk = C:\Program Files\Juniper\NetScreen-Remote\SafeCfg.exe
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download video with Free Download Manager - file://C:\Program Files\Free Download Manager\dlfvideo.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.29.0\gears.dll
O9 - Extra 'Tools' menuitem: &Gears Settings - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.29.0\gears.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~1\Office12\GR99D3~1.DLL
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O20 - Winlogon Notify: wlcrdplauncher - C:\Program Files\Live Mesh\Remote Desktop\wlcrdplauncher.dll
O22 - SharedTaskScheduler: Fences - {EC654325-1273-C2A9-2B7C-45A29BCE2FBD} - C:\Program Files\Stardock\Fences\DesktopDock.dll
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: CiSvc - Unknown owner - C:\WINDOWS\system32\cisvc.exe (file missing)
O23 - Service: Folder Size (FolderSize) - Brio - C:\Program Files\FolderSize\FolderSizeSvc.exe
O23 - Service: Google Update Service (gupdate1c9c1b183ad1450) (gupdate1c9c1b183ad1450) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Hotspot Shield Service (HotspotShieldService) - Unknown owner - C:\Program Files\Hotspot Shield\bin\openvpnas.exe
O23 - Service: Hotspot Shield Helper Service (HssSrv) - AnchorFree Inc. - C:\Program Files\Hotspot Shield\HssWPR\hsssrv.exe
O23 - Service: Hotspot Shield Tray Service (HssTrayService) - Unknown owner - C:\Program Files\Hotspot Shield\bin\HssTrayService.EXE
O23 - Service: SafeNet Monitor Service (IPSECMON) - SafeNet - C:\Program Files\Juniper\NetScreen-Remote\IPSecMon.exe
O23 - Service: SafeNet IKE Service (IreIKE) - SafeNet - C:\Program Files\Juniper\NetScreen-Remote\IreIKE.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: VirtualBox Guest Additions Service (VBoxService) - Sun Microsystems, Inc. - C:\WINDOWS\system32\VBoxService.exe
O24 - Desktop Component AutorunsDisabled: (no name) - (no file)
--
End of file - 7739 bytes
ComboFix 09-07-14.08 - Administrator 07/16/2009 21:51.4.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1540 [GMT -4:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
.
((((((((((((((((((((((((( Files Created from 2009-06-17 to 2009-07-17 )))))))))))))))))))))))))))))))
.
2009-07-16 01:20 . 2009-07-17 01:41 117760 ----a-w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-07-16 01:03 . 2009-07-16 01:03 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\SUPERAntiSpyware.com
2009-07-16 01:03 . 2009-07-16 01:03 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-07-16 01:03 . 2009-07-16 01:03 -------- d-----w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2009-07-16 01:03 . 2009-07-16 01:03 -------- d-----w- c:\docume~1\ADMINI~1\APPLIC~1\SUPERAntiSpyware.com
2009-07-16 01:03 . 2009-07-16 01:03 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-07-15 04:41 . 2009-07-15 04:41 -------- d-----w- c:\documents and settings\Administrator\DoctorWeb
2009-07-15 03:50 . 2009-07-15 03:50 -------- d-----w- c:\program files\Trend Micro
2009-07-15 02:40 . 2009-07-15 02:40 -------- d-----w- c:\windows\Sun
2009-07-15 01:26 . 2009-07-15 01:26 -------- d-----w- c:\windows\system32\wbem\snmp
2009-07-15 01:26 . 2009-07-15 01:26 -------- d-----w- c:\windows\system32\oobe
2009-07-15 01:26 . 2009-07-15 01:26 -------- d-----w- c:\windows\srchasst
2009-07-15 01:26 . 2009-07-15 01:26 -------- d-----w- c:\windows\system32\xircom
2009-07-15 01:25 . 2009-07-15 01:25 -------- d-----w- c:\program files\microsoft frontpage
2009-07-14 23:02 . 2009-07-14 23:02 0 ----a-w- c:\windows\system32\cd.dat
2009-07-14 18:14 . 2009-07-14 18:14 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Temp
2009-07-14 18:14 . 2009-07-14 18:14 -------- d-----w- c:\docume~1\ADMINI~1\LOCALS~1\APPLIC~1\Temp
2009-07-14 17:40 . 2009-07-14 17:59 -------- d--h--w- C:\$AVG8.VAULT$
2009-07-10 14:56 . 2009-07-10 14:56 195472 ----a-w- c:\windows\system32\drivers\VBoxSF.sys
2009-07-10 14:55 . 2009-07-10 14:55 1059344 ----a-w- c:\windows\system32\VBoxService.exe
2009-07-10 14:55 . 2009-07-10 14:55 588304 ----a-w- c:\windows\system32\VBoxOGLfeedbackspu.dll
2009-07-10 14:55 . 2009-07-10 14:55 1346064 ----a-w- c:\windows\system32\VBoxOGLpackspu.dll
2009-07-10 14:55 . 2009-07-10 14:55 109072 ----a-w- c:\windows\system32\VBoxOGLpassthroughspu.dll
2009-07-10 14:55 . 2009-07-10 14:55 432656 ----a-w- c:\windows\system32\VBoxOGLarrayspu.dll
2009-07-10 14:55 . 2009-07-10 14:55 305680 ----a-w- c:\windows\system32\VBoxOGL.dll
2009-07-10 14:55 . 2009-07-10 14:55 65552 ----a-w- c:\windows\system32\VBoxHook.dll
2009-07-10 14:55 . 2009-07-10 14:55 645648 ----a-w- c:\windows\system32\VBoxGINA.dll
2009-07-10 14:54 . 2009-07-10 14:54 145936 ----a-w- c:\windows\system32\VBoxOGLerrorspu.dll
2009-07-10 14:54 . 2009-07-10 14:54 203280 ----a-w- c:\windows\system32\VBoxOGLcrutil.dll
2009-07-08 15:44 . 2009-07-08 15:44 -------- d-----w- c:\program files\Markus Mohnen
2009-07-08 15:38 . 2009-07-08 15:38 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Growl
2009-07-08 15:38 . 2009-07-08 15:38 -------- d-----w- c:\docume~1\ADMINI~1\LOCALS~1\APPLIC~1\Growl
2009-07-08 15:37 . 2009-07-08 15:37 -------- d-----w- c:\program files\Growl for Windows
2009-07-08 15:02 . 2009-07-08 15:02 -------- d-----w- c:\program files\SopCast
2009-07-08 14:49 . 2009-07-08 14:50 -------- d-----w- c:\program files\TVAnts
2009-07-08 14:43 . 2009-07-08 14:43 -------- d-----w- c:\documents and settings\Administrator\LocalLow
2009-07-08 14:43 . 2009-07-08 14:43 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\TVU Networks
2009-07-08 14:43 . 2009-07-08 14:43 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\TVU Networks
2009-07-08 14:43 . 2009-07-08 14:43 -------- d-----w- c:\docume~1\ADMINI~1\LOCALS~1\APPLIC~1\TVU Networks
2009-07-07 23:48 . 2009-07-07 02:44 937984 ----a-w- c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\2epl54kr.Donny\extensions\piclens@cooliris.com\libs\PicLensHelper.exe
2009-07-07 23:48 . 2009-07-07 02:44 103424 ----a-w- c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\2epl54kr.Donny\extensions\piclens@cooliris.com\libs\pixomatic.dll
2009-07-07 23:48 . 2009-07-07 02:44 65536 ----a-w- c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\2epl54kr.Donny\extensions\piclens@cooliris.com\components\coolirisstub.dll
2009-07-07 23:48 . 2009-07-07 02:44 106496 ----a-w- c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\2epl54kr.Donny\extensions\piclens@cooliris.com\plugins\npcoolirisplugin.dll
2009-07-07 23:48 . 2009-07-07 02:44 4722688 ----a-w- c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\2epl54kr.Donny\extensions\piclens@cooliris.com\libs\cooliris19.dll
2009-07-07 23:48 . 2009-07-07 02:44 344064 ----a-w- c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\2epl54kr.Donny\extensions\piclens@cooliris.com\libs\LaunchCooliris.exe
2009-07-03 22:37 . 2009-07-03 22:39 -------- d-----w- c:\documents and settings\Administrator\Ekahau Site Survey
2009-07-03 22:35 . 2009-07-03 22:54 -------- d-----w- c:\program files\Ekahau
2009-07-01 04:08 . 2009-07-15 02:45 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Phanfare2
2009-07-01 04:08 . 2009-07-15 02:45 -------- d-----w- c:\docume~1\ADMINI~1\LOCALS~1\APPLIC~1\Phanfare2
2009-07-01 04:08 . 2009-06-29 18:23 172032 ----a-w- c:\windows\system32\Phanfare Screensaver.scr
2009-07-01 04:08 . 2009-06-29 18:22 323624 ----a-w- c:\windows\system32\wiaaut.dll
2009-07-01 04:07 . 2009-07-15 03:41 327968 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-07-01 04:02 . 2009-07-01 04:02 -------- d-----w- c:\windows\system32\XPSViewer
2009-07-01 04:00 . 2009-07-01 04:00 -------- d-----w- c:\program files\Reference Assemblies
2009-07-01 03:58 . 2006-06-29 17:07 14048 ------w- c:\windows\system32\spmsg2.dll
2009-07-01 03:57 . 2006-06-29 17:07 22752 ----a-w- c:\windows\system32\spupdsvc.exe
2009-07-01 03:03 . 2009-07-01 03:50 -------- d-----w- c:\documents and settings\Administrator\Application Data\Desktopicon
2009-07-01 03:03 . 2009-07-01 03:50 -------- d-----w- c:\docume~1\ADMINI~1\APPLIC~1\Desktopicon
2009-07-01 03:01 . 2009-07-01 03:02 -------- d-----w- c:\program files\FormatFactory
2009-06-30 23:54 . 2009-05-07 12:23 63488 ----a-w- c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\2epl54kr.Donny\extensions\{340c2bbc-ce74-4362-90b5-7c26312808ef}\platform\WINNT_x86-msvc\components\WeaveCrypto.dll
2009-06-30 21:27 . 2009-06-30 21:27 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-06-30 21:27 . 2009-06-30 21:27 -------- d-----w- c:\program files\Java
2009-06-30 21:25 . 2009-06-30 21:25 152576 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\jre1.6.0_14\lzma.dll
2009-06-30 02:25 . 2009-07-03 22:38 57164 ---ha-w- c:\windows\system32\mlfcache.dat
2009-06-28 06:36 . 2009-06-28 06:36 -------- d-----w- c:\program files\AnyBizSoft
2009-06-28 06:31 . 2009-06-28 06:31 -------- d-----w- c:\documents and settings\Administrator\Application Data\Stardock
2009-06-28 06:31 . 2009-06-28 06:31 -------- d-----w- c:\docume~1\ADMINI~1\APPLIC~1\Stardock
2009-06-28 06:31 . 2009-06-28 06:31 -------- dc-h--w- c:\docume~1\ALLUSE~1\APPLIC~1\{067CEB81-A49B-4597-9505-A5515881D672}
2009-06-28 06:31 . 2009-06-28 06:31 -------- d-----w- c:\program files\Stardock
2009-06-19 21:37 . 2008-08-21 05:45 138296 ----a-w- c:\windows\system32\drivers\IpSecDrv.sys
2009-06-19 21:37 . 2008-08-21 06:02 90164 ----a-w- c:\windows\system32\cmondll.dll
2009-06-19 21:37 . 2008-08-21 06:02 28726 ----a-w- c:\windows\system32\SnPolicy.dll
2009-06-19 21:37 . 2008-08-21 06:02 233526 ----a-w- c:\windows\system32\IreComn.dll
2009-06-19 21:37 . 2008-01-17 04:35 536634 ------w- c:\windows\system32\drivers\Crypto.sys
2009-06-19 21:37 . 2008-01-14 04:21 159804 ------w- c:\windows\system32\IreBase.dll
2009-06-19 21:37 . 2008-01-14 04:21 90166 ------w- c:\windows\system32\IreSC.dll
2009-06-19 21:37 . 2008-01-14 04:20 344122 ------w- c:\windows\system32\IreCGX.dll
2009-06-19 21:37 . 1997-09-17 16:00 207120 ------r- c:\windows\system32\Msoss.dll
2009-06-19 21:36 . 2009-06-19 21:36 -------- d-----w- c:\program files\Common Files\Deterministic Networks
2009-06-19 21:36 . 2008-06-19 09:27 125584 ----a-w- c:\windows\system32\drivers\dne2000.sys
2009-06-19 21:36 . 2008-05-24 05:22 106768 ----a-w- c:\windows\system32\dneinobj.dll
2009-06-19 21:36 . 2000-09-12 11:34 28160 ------r- c:\windows\system32\cstrain.dll
2009-06-19 21:36 . 2000-09-12 11:25 78848 ------r- c:\windows\system32\soedber.dll
2009-06-19 21:36 . 2000-09-12 11:25 46080 ------r- c:\windows\system32\soedapi.dll
2009-06-19 21:36 . 2000-09-12 11:25 16896 ------r- c:\windows\system32\ossdmem.dll
2009-06-19 21:36 . 2000-09-12 11:25 23552 ------r- c:\windows\system32\ossapi.dll
2009-06-19 21:36 . 2008-08-21 06:03 344116 ----a-w- c:\windows\system32\IreMgmt.dll
2009-06-19 21:36 . 2000-09-12 11:25 11264 ------r- c:\windows\system32\soedoid.dll
2009-06-19 21:36 . 2008-01-02 09:48 29184 ----a-w- c:\windows\system32\drivers\vap.sys
2009-06-19 21:36 . 2009-06-19 21:36 -------- d-----w- c:\program files\Juniper
2009-06-19 21:35 . 2009-06-19 21:35 -------- d-----w- c:\program files\Common Files\InstallShield
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-17 02:02 . 2009-04-20 12:13 -------- d-----w- c:\documents and settings\Administrator\Application Data\Free Download Manager
2009-07-17 02:02 . 2009-04-20 12:13 -------- d-----w- c:\docume~1\ADMINI~1\APPLIC~1\Free Download Manager
2009-07-17 02:00 . 2009-05-05 12:21 -------- d-----w- c:\documents and settings\Administrator\Application Data\uTorrent
2009-07-17 02:00 . 2009-05-05 12:21 -------- d-----w- c:\docume~1\ADMINI~1\APPLIC~1\uTorrent
2009-07-15 19:18 . 2009-04-20 13:43 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-07-15 01:03 . 2009-04-20 12:36 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-07-14 18:14 . 2009-04-20 12:13 -------- d-----w- c:\program files\Google
2009-07-13 17:36 . 2009-04-20 12:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-13 17:36 . 2009-04-20 12:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-10 14:56 . 2008-11-21 18:30 84496 ----a-w- c:\windows\system32\vbcoinst.dll
2009-07-10 14:56 . 2008-11-21 18:30 641552 ----a-w- c:\windows\system32\VBoxControl.exe
2009-07-10 14:56 . 2008-11-21 18:30 39376 ----a-w- c:\windows\system32\drivers\VBoxGuest.sys
2009-07-10 14:56 . 2008-11-21 18:30 1026576 ----a-w- c:\windows\system32\VBoxTray.exe
2009-07-10 14:56 . 2008-11-21 18:30 63632 ----a-w- c:\windows\system32\VBoxDisp.dll
2009-07-10 14:56 . 2008-11-21 18:30 57872 ----a-w- c:\windows\system32\drivers\VBoxVideo.sys
2009-07-10 14:56 . 2008-11-21 18:29 39888 ----a-w- c:\windows\system32\drivers\VBoxMouse.sys
2009-07-10 14:55 . 2008-11-21 18:28 645648 ----a-w- c:\windows\system32\VBoxMRXNP.dll
2009-07-01 04:26 . 2009-04-16 10:32 70400 ----a-w- c:\windows\system32\GDIPFONTCACHEV1.DAT
2009-07-01 04:07 . 2009-04-16 07:10 -------- d-----w- c:\program files\MSBuild
2009-06-26 04:13 . 2009-05-30 16:24 -------- d-----w- c:\program files\Digsby
2009-06-26 04:00 . 2009-04-20 12:05 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-06-26 04:00 . 2009-04-20 12:05 327688 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-06-26 04:00 . 2009-04-20 12:05 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-06-21 16:29 . 2009-04-20 12:11 -------- d-----w- c:\program files\Everything
2009-06-11 06:29 . 2009-06-11 06:29 -------- d-----w- c:\program files\Common Files\Blackbaud
2009-06-11 06:27 . 2009-06-11 06:27 -------- d-----w- c:\program files\Blackbaud
2009-06-11 05:16 . 2009-06-11 05:16 -------- d-----w- c:\program files\Common Files\Business Objects
2009-06-11 05:16 . 2009-06-11 05:16 -------- d-----w- c:\program files\Business Objects
2009-06-11 05:14 . 2009-06-11 05:14 -------- d-----w- c:\program files\MSXML 4.0
2009-06-01 14:36 . 2009-06-04 06:17 3184128 ----a-w- c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\2epl54kr.Donny\extensions\{0b457cAA-602d-484a-8fe7-c1d894a011ba}\library\SSS.dll
2009-05-30 18:27 . 2009-05-30 18:27 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Digsby
2009-05-30 16:45 . 2009-05-30 16:24 -------- d-----w- c:\documents and settings\Administrator\Application Data\Digsby
2009-05-30 16:45 . 2009-05-30 16:24 -------- d-----w- c:\docume~1\ADMINI~1\APPLIC~1\Digsby
2009-05-08 02:55 . 2009-04-20 12:05 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-05-04 19:03 . 2009-05-04 19:03 59904 ----a-w- c:\windows\system32\zlib1.dll
2009-05-04 18:53 . 2009-05-04 18:53 286720 ----a-w- c:\windows\system32\libcurl.dll
2009-05-04 18:53 . 2009-05-04 18:53 196608 ----a-w- c:\windows\system32\ssleay32.dll
2009-05-04 18:53 . 2009-05-04 18:53 1028096 ----a-w- c:\windows\system32\libeay32.dll
2009-05-04 18:53 . 2009-05-04 18:53 143360 ----a-w- c:\windows\system32\libexpatw.dll
2009-04-23 04:47 . 2009-06-04 06:17 28672 ----a-w- c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\2epl54kr.Donny\extensions\{0b457cAA-602d-484a-8fe7-c1d894a011ba}\platform\WINNT_x86-msvc\components\SSSLauncher.dll
2009-04-21 03:05 . 2009-04-21 03:05 695642 ----a-w- c:\documents and settings\Administrator\Application Data\UBitMenu\unins000.exe
2009-04-20 13:45 . 2009-04-20 13:45 768 ----a-w- c:\windows\system32\d3d8caps.dat
2009-06-24 13:26 . 2009-04-16 09:47 137208 ----a-w- c:\program files\mozilla firefox\components\brwsrcmp.dll
2008-05-05 20:14 . 2008-12-01 20:22 34048 ----a-w- c:\program files\opera\program\plugins\upd62i9x.dll
2008-05-05 20:14 . 2008-12-01 20:22 45056 ----a-w- c:\program files\opera\program\plugins\upd62int.dll
.
------- Sigcheck -------
[-] 2008-05-06 12:00 361344 ACCF5A9A1FFAA490F33DBA1C632B95E1 c:\windows\system32\drivers\tcpip.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F9E4A054-E9B1-4BC3-83A3-76A1AE736170}]
2009-05-08 04:46 218160 ----a-w- c:\program files\Hotspot Shield\hssie\HssIE.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MoeMonitor.exe"="c:\documents and settings\Administrator\Local Settings\Application Data\Microsoft\Live Mesh\Bin\Servicing\0.9.4014.7\MoeMonitor.exe" [2009-07-03 1315152]
"Free Download Manager"="c:\program files\Free Download Manager\fdm.exe" [2009-01-30 3399727]
"uTorrent"="c:\program files\uTorrent\uTorrent.exe" [2009-05-05 274224]
"LClock"="c:\program files\LClock\LClock.exe" [2004-09-19 65536]
"Growl"="c:\program files\Growl for Windows\Growl.exe" [2009-07-07 1146880]
"Gmail Growl"="c:\program files\Markus Mohnen\Gmail Growl\gmailgrowl.exe" [2009-06-04 900489]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-06-23 1830128]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VBoxTray"="c:\windows\system32\VBoxTray.exe" [2009-07-10 1026576]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-26 31016]
"PostCopy"="c:\windows\system32\BELKIN\F5D5050\PostCopy.exe" [2001-07-25 20480]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-06-26 1948440]
"Everything"="c:\program files\Everything\Everything.exe" [2009-03-13 602624]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-06-30 148888]
c:\documents and settings\Administrator\Start Menu\Programs\Startup\
MagicDisc.lnk - c:\program files\MagicDisc\MagicDisc.exe [2009-4-16 534016]
c:\docume~1\ALLUSE~1\STARTM~1\Programs\Startup\
NetScreen-Remote.lnk - c:\program files\Juniper\NetScreen-Remote\SafeCfg.exe [2009-6-19 77876]
c:\docume~1\ADMINI~1\STARTM~1\Programs\Startup\
MagicDisc.lnk - c:\program files\MagicDisc\MagicDisc.exe [2009-4-16 534016]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"= 1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"MemCheckBoxInRunDlg"= 1 (0x1)
"StartMenuFavorites"= 0 (0x0)
"Start_ShowMyComputer"= 1 (0x1)
"Start_ShowMyDocs"= 1 (0x1)
"Start_ShowMyMusic"= 0 (0x0)
"Start_ShowRun"= 1 (0x1)
"Start_ShowSearch"= 0 (0x0)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)
"MemCheckBoxInRunDlg"= 1 (0x1)
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"= 1 (0x1)
"ForceClassicControlPanel"= 1 (0x1)
"NoResolveTrack"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)
"MemCheckBoxInRunDlg"= 1 (0x1)
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\SharedTaskScheduler]
"{EC654325-1273-C2A9-2B7C-45A29BCE2FBD}"= "c:\program files\Stardock\Fences\DesktopDock.dll" [2009-02-25 517480]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 16:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wlcrdplauncher]
2009-07-03 19:41 21840 ----a-w- c:\program files\Live Mesh\Remote Desktop\wlcrdplauncher.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-06-26 04:00 11952 ----a-w- c:\windows\system32\avgrsstx.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"e:\\Program Files\\Phanfare\\Phanfare.exe"=
"c:\\Program Files\\Live Mesh\\Remote Desktop\\wlcrasvc.exe"=
"c:\\Documents and Settings\\Administrator\\Local Settings\\Application Data\\Microsoft\\Live Mesh\\GacBase\\Moe.exe"=
"c:\\Program Files\\Juniper\\NetScreen-Remote\\IreIKE.exe"=
"c:\program files\Juniper\NetScreen-Remote\ViewLog.exe"= c:\program files\Juniper\NetScreen-Remote\ViewLog.exe:127.0.0.1/255.255.255.255:Enabled:ViewLog
"c:\program files\Juniper\NetScreen-Remote\CmonApp.exe"= c:\program files\Juniper\NetScreen-Remote\CmonApp.exe:127.0.0.1/255.255.255.255:Enabled:CMonApp
"c:\program files\Juniper\NetScreen-Remote\vpn.exe"= c:\program files\Juniper\NetScreen-Remote\vpn.exe:127.0.0.1/255.255.255.255:Enabled:VPN Connection Manager
R0 VBoxGuest;VirtualBox Guest Driver;c:\windows\system32\drivers\VBoxGuest.sys [11/21/2008 2:30 PM 39376]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [4/20/2009 8:05 AM 327688]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [4/20/2009 8:05 AM 108552]
R1 IPSECDRV;SafeNet IPSec Plugin;c:\windows\system32\drivers\IpSecDrv.sys [6/19/2009 5:37 PM 138296]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [6/23/2009 11:01 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [6/23/2009 11:01 AM 72944]
R1 VBoxSF;VirtualBox Shared Folders;c:\windows\system32\drivers\VBoxSF.sys [7/10/2009 10:56 AM 195472]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [4/20/2009 8:05 AM 298776]
R2 Crypto;Crypto;c:\windows\system32\drivers\Crypto.sys [6/19/2009 5:37 PM 536634]
R2 Ekauio;Ekahau NDIS Usermode I/O Protocol;c:\windows\system32\drivers\ekauio.sys [4/7/2009 8:45 AM 12416]
R2 HssSrv;Hotspot Shield Helper Service;c:\program files\Hotspot Shield\HssWPR\hsssrv.exe [4/21/2009 9:12 PM 328752]
R2 VBoxService;VirtualBox Guest Additions Service;system32\VBoxService.exe --> system32\VBoxService.exe [?]
R2 wlcrasvc;Live Mesh Remote Desktop;c:\program files\Live Mesh\Remote Desktop\wlcrasvc.exe [4/16/2009 6:24 AM 44880]
R3 DniVap;SafeNet WAN Miniport (VA);c:\windows\system32\drivers\vap.sys [6/19/2009 5:36 PM 29184]
R3 RDPDISPM;RDPDISPM;c:\windows\system32\drivers\rdpdispm.sys [4/16/2009 6:24 AM 9024]
R3 RDPVDD;RDPVDD;c:\windows\system32\drivers\rdpvmp.sys [4/16/2009 6:24 AM 19392]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [6/23/2009 11:01 AM 7408]
R3 VBoxMouse;VirtualBox Guest Mouse Service;c:\windows\system32\drivers\VBoxMouse.sys [11/21/2008 2:29 PM 39888]
R3 VBoxVideo;VBoxVideo;c:\windows\system32\drivers\VBoxVideo.sys [11/21/2008 2:30 PM 57872]
R3 vmmouse;VMware Pointing Device;c:\windows\system32\drivers\vmmouse.sys [12/1/2008 4:09 PM 11568]
S2 gupdate1c9c1b183ad1450;Google Update Service (gupdate1c9c1b183ad1450);c:\program files\Google\Update\GoogleUpdate.exe [4/20/2009 8:14 AM 133104]
S3 HssTrayService;Hotspot Shield Tray Service;c:\program files\Hotspot Shield\bin\HssTrayService.exe [4/22/2009 5:34 PM 34352]
S3 vmxnet;VMware Ethernet Adapter Driver;c:\windows\system32\drivers\vmxnet.sys [12/1/2008 4:09 PM 29488]
S4 zlportio;zlportio;\??\g:\zlportio.sys --> g:\zlportio.sys [?]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.teezcricket.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mStart Page = hxxp://www.google.com
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: Download all with Free Download Manager - file://c:\program files\Free Download Manager\dlall.htm
IE: Download selected with Free Download Manager - file://c:\program files\Free Download Manager\dlselected.htm
IE: Download video with Free Download Manager - file://c:\program files\Free Download Manager\dlfvideo.htm
IE: Download with Free Download Manager - file://c:\program files\Free Download Manager\dllink.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\docume~1\ADMINI~1\APPLIC~1\Mozilla\Firefox\Profiles\2epl54kr.Donny\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/|http://ebiss/default.aspx|http://studywiz.biss.com.cn/|https://ibis.ibo.org/index.cfm|https://web4.ibo.org/ibnet/|http://online.ibo.org/ibis/occ/guest/home.cfm|http://docs.google.com/#not-in-folders|https://secure.members.easynews.com/global4/search.html?fly=1|http://www.abc.net.au/news/|http://www.google.com/reader/shared/10493336563511901340|http://www.newser.com/
FF - component: c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\2epl54kr.Donny\extensions\{0b457cAA-602d-484a-8fe7-c1d894a011ba}\platform\WINNT_x86-msvc\components\SSSLauncher.dll
FF - component: c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\2epl54kr.Donny\extensions\{340c2bbc-ce74-4362-90b5-7c26312808ef}\platform\WINNT_x86-msvc\components\WeaveCrypto.dll
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: c:\program files\Free Download Manager\Firefox\Extension\components\vmsfdmff.dll
FF - component: c:\program files\Google\Google Gears\Firefox\lib\ff35\gears.dll
FF - plugin: c:\program files\Google\Update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npFoxitReaderPlugin.dll
---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-16 22:02
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files:
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(1212)
geyekrpjxtedtf.dll 10000000 36864 \\?\globalroot\systemroot\system32\geyekrpjxtedtf.dll
c:\program files\SUPERAntiSpyware\SASWINLO.dll
- - - - - - - > 'explorer.exe'(3448)
geyekrpjxtedtf.dll 10000000 36864 \\?\globalroot\systemroot\system32\geyekrpjxtedtf.dll
c:\windows\system32\VBoxMRXNP.dll
c:\program files\LClock\LC.dll
c:\program files\Stardock\Fences\DesktopDock.dll
c:\program files\SUPERAntiSpyware\SASSEH.DLL
.
Completion time: 2009-07-17 22:07
ComboFix-quarantined-files.txt 2009-07-17 02:07
ComboFix2.txt 2009-07-15 06:58
Pre-Run: 1,792,401,408 bytes free
Post-Run: 1,808,146,432 bytes free
351
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:15:15 PM, on 7/16/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\VBoxService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Juniper\NetScreen-Remote\IPSecMon.exe
C:\Program Files\Juniper\NetScreen-Remote\IreIKE.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Google\Update\1.2.183.7\GoogleCrashHandler.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\FolderSize\FolderSizeSvc.exe
C:\Program Files\Hotspot Shield\bin\openvpnas.exe
C:\Program Files\Hotspot Shield\HssWPR\hsssrv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Live Mesh\Remote Desktop\wlcrasvc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\VBoxTray.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Everything\Everything.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Free Download Manager\fdm.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\Program Files\LClock\LClock.exe
C:\Program Files\Growl for Windows\Growl.exe
C:\Program Files\Markus Mohnen\Gmail Growl\gmailgrowl.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Juniper\NetScreen-Remote\SafeCfg.exe
C:\Program Files\MagicDisc\MagicDisc.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.teezcricket.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~1\Office12\GRA8E1~1.DLL
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdm2.dll
O2 - BHO: Google Gears Helper - {E0FEFE40-FBF9-42AE-BA58-794CA7E3FB53} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.29.0\gears.dll
O2 - BHO: Hotspot Shield Class - {F9E4A054-E9B1-4BC3-83A3-76A1AE736170} - C:\Program Files\Hotspot Shield\hssie\HssIE.dll
O4 - HKLM\..\Run: [VBoxTray] C:\WINDOWS\system32\VBoxTray.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [PostCopy] C:\WINDOWS\system32\BELKIN\F5D5050\PostCopy.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [Everything] "C:\Program Files\Everything\Everything.exe" -startup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [MoeMonitor.exe] "C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Live Mesh\Bin\Servicing\0.9.4014.7\MoeMonitor.exe"
O4 - HKCU\..\Run: [Free Download Manager] C:\Program Files\Free Download Manager\fdm.exe -autorun
O4 - HKCU\..\Run: [uTorrent] "C:\Program Files\uTorrent\uTorrent.exe"
O4 - HKCU\..\Run: [LClock] C:\Program Files\LClock\LClock.exe
O4 - HKCU\..\Run: [Growl] C:\Program Files\Growl for Windows\Growl.exe
O4 - HKCU\..\Run: [Gmail Growl] C:\Program Files\Markus Mohnen\Gmail Growl\gmailgrowl.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Startup: MagicDisc.lnk = C:\Program Files\MagicDisc\MagicDisc.exe
O4 - Global Startup: NetScreen-Remote.lnk = C:\Program Files\Juniper\NetScreen-Remote\SafeCfg.exe
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download video with Free Download Manager - file://C:\Program Files\Free Download Manager\dlfvideo.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.29.0\gears.dll
O9 - Extra 'Tools' menuitem: &Gears Settings - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.29.0\gears.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~1\Office12\GR99D3~1.DLL
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O20 - Winlogon Notify: wlcrdplauncher - C:\Program Files\Live Mesh\Remote Desktop\wlcrdplauncher.dll
O22 - SharedTaskScheduler: Fences - {EC654325-1273-C2A9-2B7C-45A29BCE2FBD} - C:\Program Files\Stardock\Fences\DesktopDock.dll
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: CiSvc - Unknown owner - C:\WINDOWS\system32\cisvc.exe (file missing)
O23 - Service: Folder Size (FolderSize) - Brio - C:\Program Files\FolderSize\FolderSizeSvc.exe
O23 - Service: Google Update Service (gupdate1c9c1b183ad1450) (gupdate1c9c1b183ad1450) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Hotspot Shield Service (HotspotShieldService) - Unknown owner - C:\Program Files\Hotspot Shield\bin\openvpnas.exe
O23 - Service: Hotspot Shield Helper Service (HssSrv) - AnchorFree Inc. - C:\Program Files\Hotspot Shield\HssWPR\hsssrv.exe
O23 - Service: Hotspot Shield Tray Service (HssTrayService) - Unknown owner - C:\Program Files\Hotspot Shield\bin\HssTrayService.EXE
O23 - Service: SafeNet Monitor Service (IPSECMON) - SafeNet - C:\Program Files\Juniper\NetScreen-Remote\IPSecMon.exe
O23 - Service: SafeNet IKE Service (IreIKE) - SafeNet - C:\Program Files\Juniper\NetScreen-Remote\IreIKE.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: VirtualBox Guest Additions Service (VBoxService) - Sun Microsystems, Inc. - C:\WINDOWS\system32\VBoxService.exe
O24 - Desktop Component AutorunsDisabled: (no name) - (no file)
--
End of file - 7739 bytes
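Added example (editor's code, not part of the thread and not ComboFix's own): a small Python triage over the three things in the ComboFix log above that a responder would pull out first. The module in winlogon.exe and explorer.exe is listed under a \\?\globalroot\ path, which means the loader resolved it through the object-manager namespace rather than a normal drive path; that is how this family hides its payload from path-based scanners, and why a user-mode delete that "succeeds" is undone on reboot. The Sigcheck line marked [-] is the modified tcpip.sys, and the Security Center override and EnableFirewall values show the host's own defences were switched off. SAMPLE_LOG is an excerpt of the posted log; the function names and the WEAK_SETTINGS table are the editor's assumptions, not ComboFix output format rules.

```python
r"""Triage a ComboFix log for globalroot-loaded modules, failed Sigcheck
entries and weakened Security Center / firewall settings.

Editor's example, not part of the original post or of ComboFix.
Usage: python cf_triage.py ComboFix.txt   (no argument: runs on SAMPLE_LOG)
"""
import re
import sys

# Excerpt of the log posted above, trimmed to the lines these checks read.
SAMPLE_LOG = r"""
------- Sigcheck -------
[-] 2008-05-06 12:00 361344 ACCF5A9A1FFAA490F33DBA1C632B95E1 c:\windows\system32\drivers\tcpip.sys
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(1212)
geyekrpjxtedtf.dll 10000000 36864 \\?\globalroot\systemroot\system32\geyekrpjxtedtf.dll
c:\program files\SUPERAntiSpyware\SASWINLO.dll
- - - - - - - > 'explorer.exe'(3448)
geyekrpjxtedtf.dll 10000000 36864 \\?\globalroot\systemroot\system32\geyekrpjxtedtf.dll
c:\windows\system32\VBoxMRXNP.dll
.
"""

PROCESS_RE = re.compile(r"^(?:- )+> '(?P<name>[^']+)'\((?P<pid>\d+)\)")
GLOBALROOT_RE = re.compile(r"\\\\\?\\globalroot\\", re.IGNORECASE)
SIGCHECK_RE = re.compile(
    r"^\[-\]\s+(?P<stamp>\S+ \S+)\s+(?P<size>\d+)\s+(?P<md5>[0-9a-f]{32})\s+(?P<path>\S.*)$",
    re.IGNORECASE)
REG_KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
REG_VAL_RE = re.compile(r'^"(?P<name>[^"]+)"=\s*(?P<value>.+?)\s*$')

# (fragment of the registry key, value name) -> value ComboFix prints when the setting is weak.
# Editor's table; extend it for other policies you care about.
WEAK_SETTINGS = {
    ("security center", "AntiVirusOverride"): "dword:00000001",
    ("security center", "FirewallOverride"): "dword:00000001",
    ("firewallpolicy\\standardprofile", "EnableFirewall"): "0 (0x0)",
}


def globalroot_modules(log):
    """(process, pid, path) for each module a process loaded through the globalroot namespace."""
    hits, proc, pid = [], None, None
    for line in log.splitlines():
        head = PROCESS_RE.match(line)
        if head:
            proc, pid = head.group("name"), int(head.group("pid"))
        elif line.strip() == ".":
            proc = None                       # ComboFix closes a block with a lone dot
        elif proc and GLOBALROOT_RE.search(line):
            hits.append((proc, pid, line.split()[-1]))   # path is the last token
    return hits


def failed_sigchecks(log):
    """(path, md5, size) for every Sigcheck entry ComboFix marked [-]."""
    out = []
    for line in log.splitlines():
        m = SIGCHECK_RE.match(line)
        if m:
            out.append((m.group("path").strip(), m.group("md5").upper(), int(m.group("size"))))
    return out


def weakened_defenses(log):
    """(key, name, value) for values that mute Security Center or turn the firewall off."""
    found, key = [], None
    for line in log.splitlines():
        k = REG_KEY_RE.match(line)
        if k:
            key = k.group("key")
            continue
        v = REG_VAL_RE.match(line)
        if not (v and key):
            continue
        for (key_frag, name), weak in WEAK_SETTINGS.items():
            if key_frag in key.lower() and v.group("name") == name and v.group("value") == weak:
                found.append((key, name, weak))
    return found


def triage(log):
    return {
        "globalroot_modules": globalroot_modules(log),
        "failed_sigchecks": failed_sigchecks(log),
        "weakened_defenses": weakened_defenses(log),
    }


if __name__ == "__main__":
    text = open(sys.argv[1], encoding="latin-1").read() if len(sys.argv) > 1 else SAMPLE_LOG
    for section, items in triage(text).items():
        print(f"== {section} ({len(items)})")
        for item in items:
            print("  ", *item)
```

The Sigcheck hit only tells you the hash differs from what ComboFix expects; the replacement the helper asks for below (a tcpip.sys from an identical XP SP3 install) is the right fix, and the globalroot hits are the reason a plain file delete keeps failing.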
#4
Posted 17 July 2009 - 07:58 AM
You have an infected copy of c:\windows\system32\drivers\tcpip.sys. Do you have the Windows XP CD or access to another XP SP3 computer to get one from?
This probably will not work as there appears to be something hiding that we'll need to track down but we can try.
STEP 01
Download but do not yet run ComboFix
If you have a previous version of Combofix.exe, delete it and download a fresh copy.
Download it to your DESKTOP - it MUST run from the Desktop
download.bleepingcomputer.com/sUBs/ComboFix.exe
subs.geekstogo.com/ComboFix.exe
Using your mouse, Highlight and then Right-click | Copy the entire contents of the Code box below, including blank lines
KILLALL::

File::
c:\windows\system32\geyekrpjxtedtf.dll

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Free Download Manager"=-
"uTorrent"=-
Open a new Notepad session (Do not use a Word Processor or WordPad). Click "Format" and be certain that Word Wrap is not enabled. Right-click | Paste the Code box contents from above into Notepad. Click File, Save as..., and set the location to your Desktop, and enter (including quotation marks) as the filename: "CFscript.txt" .
Using your mouse, drag the new file CFscript.txt and drop it on the Combo-Fix.exe icon as shown:

- Important: Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.
- Disconnect from the Internet.
- Disable your Antivirus software. If it has Script Blocking features, please disable these as well.
- A window may open with a series of Disclaimers. Accept the Disclaimers to start the fix.
- It may identify that Recovery Console is not installed. Please accept when asked if you wish it to be installed.
When the scan completes Notepad will open with your results log open. Do a File, Exit.
Post back the Combofix log on your next reply.
STEP 02
- Please create a BOOTLOG
- Delete the following file if it exists. C:\Windows\ntbtlog.txt
- Restart the computer and press F8 when Windows start booting. This will bring up the startup options.
- Select "Enable Boot Logging" option and press enter.
- Windows prompts you to select a Windows Installation (even if there is only one windows installation)
- This boots windows normally and creates a boot log named ntbtlog.txt and saves it to C:\Windows
If you're already running inside Windows you can enable it the following way.
- Click on START - RUN and type in MSCONFIG go to the BOOT.INI tab and place a check mark by /BOOTLOG
- Click on OK and you will be prompted to RESTART Windows. Please do restart now.
- After Windows restarts open the file C:\Windows\ntbtlog.txt with Notepad
- From the Edit menu choose Select All then Edit, COPY and post that back on your next reply.
- NOTE: If the file is over about 150 lines or so then DELETE the C:\Windows\ntbtlog.txt file and restart the computer and post the NEW one it creates.
- NOTE: Vista users can type in the Search and it will show on the menu, then Right click and choose Run as Administrator
- The tab is called BOOT on Vista. Then choose Boot log
STEP 03
Please download the following scanning tool. GMER
- Download the randomly named EXE and copy the file to your Desktop. Remember what its name is.
- Double click on random named exe file and run it.
- It may take a minute to load and become available.
- Do not make any changes. Click on the SCAN button and DO NOT use the computer while it's scanning.
- Once the scan is done click on the SAVE button and browse to your Desktop and save the file as GMER.LOG
- Zip up the GMER.LOG file and save it as gmerlog.zip and attach it to your reply post.
- DO NOT directly post this log into a reply. You MUST attach it as a .ZIP file.
- Click OK and quit the GMER program.
How To Use Compressed (Zipped) Folders in Windows XP
Compress and uncompress files (zip files) in Vista
STEP 04
Click on START - RUN and copy/paste the contents of the code box below into the run box and hit OK
CMD /C DRIVERQUERY /FO TABLE /SI >C:\DriversSigned.txt
Click on START - RUN and copy/paste the contents of the code box below into the run box and hit OK
CMD /C driverquery.exe /FO TABLE /v>C:\DriversGeneral.txt
Then ATTACH the files C:\DriversSigned.txt and C:\DriversGeneral.txt to your next reply please.
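Added example (editor's code, not part of the post above and not part of either Windows tool): why STEP 02 and STEP 04 are asked for together. The kernel appends a "Loaded driver" line to ntbtlog.txt for each driver it starts, while driverquery reports what the service manager knows about. A .sys that appears in the boot log but in no driverquery row has no visible service behind it, which is exactly the kind of hidden driver the helper is trying to track down. The two samples are constructed to match the real formats (the driverquery table is abbreviated to a few of its columns) and are not from the poster's machine; hiddenexample.sys is a placeholder name, and the function names are the editor's.

```python
r"""Cross-check ntbtlog.txt against driverquery output for drivers the
service manager does not account for.

Editor's example, not part of the original post or of either tool.
Usage: python bootlog_xcheck.py C:\Windows\ntbtlog.txt C:\DriversGeneral.txt
(no arguments: runs on the constructed samples below)
"""
import re
import sys

# Constructed sample in the shape of ntbtlog.txt; hiddenexample.sys is a placeholder.
SAMPLE_NTBTLOG = r"""Service Pack 3 7 17 2009 12:01:22.500
Loaded driver \WINDOWS\system32\ntoskrnl.exe
Loaded driver \WINDOWS\system32\hal.dll
Loaded driver \WINDOWS\system32\KDCOM.DLL
Loaded driver \SystemRoot\System32\DRIVERS\tcpip.sys
Loaded driver \SystemRoot\System32\drivers\VBoxGuest.sys
Loaded driver \SystemRoot\System32\Drivers\avgtdix.sys
Loaded driver \SystemRoot\System32\drivers\hiddenexample.sys
Did not load driver \SystemRoot\System32\Drivers\NDProxy.SYS
"""

# Constructed sample of "driverquery /FO TABLE /v" output, columns abbreviated.
SAMPLE_DRIVERQUERY = r"""Module Name  Display Name                 Driver Type  Start Mode  State    Path
============ ============================ ============ =========== ======== =========================================
Tcpip        TCP/IP Protocol Driver       Kernel       Boot        Running  C:\WINDOWS\system32\DRIVERS\tcpip.sys
VBoxGuest    VirtualBox Guest Driver      Kernel       Boot        Running  C:\WINDOWS\system32\drivers\VBoxGuest.sys
AvgTdiX      AVG Free8 Network Redirector Kernel       System      Running  C:\WINDOWS\system32\drivers\avgtdix.sys
NDProxy      NDIS Proxy                   Kernel       Manual      Stopped  C:\WINDOWS\system32\DRIVERS\NDProxy.SYS
"""

# Basename of any .sys path; column alignment in the table does not matter to this.
SYS_RE = re.compile(r"([^\\\s]+\.sys)\b", re.IGNORECASE)


def read_windows_text(path):
    """ntbtlog.txt is UTF-16 with a BOM on newer Windows; driverquery output is ANSI."""
    data = open(path, "rb").read()
    if data.startswith(b"\xff\xfe"):
        return data.decode("utf-16")
    return data.decode("latin-1")


def boot_loaded_drivers(ntbtlog):
    """Lower-cased basenames of every .sys the kernel reports as 'Loaded driver'."""
    names = set()
    for line in ntbtlog.splitlines():
        if line.startswith("Loaded driver "):      # skips 'Did not load driver' lines
            m = SYS_RE.search(line)
            if m:
                names.add(m.group(1).lower())
    return names


def service_listed_drivers(driverquery):
    """Lower-cased basenames of every .sys path that appears in driverquery output."""
    return {m.group(1).lower() for m in SYS_RE.finditer(driverquery)}


def unlisted_boot_drivers(ntbtlog, driverquery):
    """Drivers loaded at boot that no driverquery row accounts for, sorted."""
    listed = service_listed_drivers(driverquery)
    if not listed:
        # An empty or failed driverquery run would make every boot driver look hidden.
        raise ValueError("driverquery output lists no .sys files; the query probably failed")
    return sorted(boot_loaded_drivers(ntbtlog) - listed)


if __name__ == "__main__":
    if len(sys.argv) == 3:
        bootlog, dq = (read_windows_text(p) for p in sys.argv[1:3])
    else:
        bootlog, dq = SAMPLE_NTBTLOG, SAMPLE_DRIVERQUERY
    for name in unlisted_boot_drivers(bootlog, dq):
        print("loaded at boot but not in driverquery:", name)
```

A hit is a lead, not a verdict: confirm each one by hand (is the file visible at that path, is it signed, who is the vendor) before touching it. The guard on an empty driverquery result matters because driverquery depends on WMI; if that query errors out, the file it writes is empty and every boot driver would otherwise be reported as unlisted.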
#5
Posted 17 July 2009 - 04:55 PM
Again, thanks for your help. Here's the latest set of info for you. The driversigned command didn't work - it spat back "ERROR: Provider load failure" so I didn't post the empty text file (I ran it in the cmd window, added the exe, lots of versions - still didn't work).
ComboFix 09-07-14.08 - Administrator 07/17/2009 12:08.5.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1617 [GMT -4:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Administrator\Desktop\CFscript.txt
FILE ::
"c:\windows\system32\geyekrpjxtedtf.dll"
.
((((((((((((((((((((((((( Files Created from 2009-06-17 to 2009-07-17 )))))))))))))))))))))))))))))))
.
2009-07-16 01:03 . 2009-07-16 01:03 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\SUPERAntiSpyware.com
2009-07-16 01:03 . 2009-07-16 01:03 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-07-16 01:03 . 2009-07-16 01:03 -------- d-----w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2009-07-16 01:03 . 2009-07-16 01:03 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-07-15 04:41 . 2009-07-15 04:41 -------- d-----w- c:\documents and settings\Administrator\DoctorWeb
2009-07-15 03:50 . 2009-07-15 03:50 -------- d-----w- c:\program files\Trend Micro
2009-07-15 02:40 . 2009-07-15 02:40 -------- d-----w- c:\windows\Sun
2009-07-15 01:26 . 2009-07-15 01:26 -------- d-----w- c:\windows\system32\wbem\snmp
2009-07-15 01:26 . 2009-07-15 01:26 -------- d-----w- c:\windows\system32\oobe
2009-07-15 01:26 . 2009-07-15 01:26 -------- d-----w- c:\windows\srchasst
2009-07-15 01:26 . 2009-07-15 01:26 -------- d-----w- c:\windows\system32\xircom
2009-07-15 01:25 . 2009-07-15 01:25 -------- d-----w- c:\program files\microsoft frontpage
2009-07-14 23:02 . 2009-07-14 23:02 0 ----a-w- c:\windows\system32\cd.dat
2009-07-14 18:14 . 2009-07-14 18:14 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Temp
2009-07-14 17:40 . 2009-07-14 17:59 -------- d--h--w- C:\$AVG8.VAULT$
2009-07-10 14:56 . 2009-07-10 14:56 195472 ----a-w- c:\windows\system32\drivers\VBoxSF.sys
2009-07-10 14:55 . 2009-07-10 14:55 1059344 ----a-w- c:\windows\system32\VBoxService.exe
2009-07-10 14:55 . 2009-07-10 14:55 588304 ----a-w- c:\windows\system32\VBoxOGLfeedbackspu.dll
2009-07-10 14:55 . 2009-07-10 14:55 1346064 ----a-w- c:\windows\system32\VBoxOGLpackspu.dll
2009-07-10 14:55 . 2009-07-10 14:55 109072 ----a-w- c:\windows\system32\VBoxOGLpassthroughspu.dll
2009-07-10 14:55 . 2009-07-10 14:55 432656 ----a-w- c:\windows\system32\VBoxOGLarrayspu.dll
2009-07-10 14:55 . 2009-07-10 14:55 305680 ----a-w- c:\windows\system32\VBoxOGL.dll
2009-07-10 14:55 . 2009-07-10 14:55 65552 ----a-w- c:\windows\system32\VBoxHook.dll
2009-07-10 14:55 . 2009-07-10 14:55 645648 ----a-w- c:\windows\system32\VBoxGINA.dll
2009-07-10 14:54 . 2009-07-10 14:54 145936 ----a-w- c:\windows\system32\VBoxOGLerrorspu.dll
2009-07-10 14:54 . 2009-07-10 14:54 203280 ----a-w- c:\windows\system32\VBoxOGLcrutil.dll
2009-07-08 15:44 . 2009-07-08 15:44 -------- d-----w- c:\program files\Markus Mohnen
2009-07-08 15:38 . 2009-07-08 15:38 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Growl
2009-07-08 15:37 . 2009-07-08 15:37 -------- d-----w- c:\program files\Growl for Windows
2009-07-08 15:02 . 2009-07-08 15:02 -------- d-----w- c:\program files\SopCast
2009-07-08 14:49 . 2009-07-08 14:50 -------- d-----w- c:\program files\TVAnts
2009-07-08 14:43 . 2009-07-08 14:43 -------- d-----w- c:\documents and settings\Administrator\LocalLow
2009-07-08 14:43 . 2009-07-08 14:43 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\TVU Networks
2009-07-08 14:43 . 2009-07-08 14:43 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\TVU Networks
2009-07-07 23:48 . 2009-07-07 02:44 937984 ----a-w- c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\2epl54kr.Donny\extensions\piclens@cooliris.com\libs\PicLensHelper.exe
2009-07-07 23:48 . 2009-07-07 02:44 103424 ----a-w- c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\2epl54kr.Donny\extensions\piclens@cooliris.com\libs\pixomatic.dll
2009-07-07 23:48 . 2009-07-07 02:44 65536 ----a-w- c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\2epl54kr.Donny\extensions\piclens@cooliris.com\components\coolirisstub.dll
2009-07-07 23:48 . 2009-07-07 02:44 106496 ----a-w- c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\2epl54kr.Donny\extensions\piclens@cooliris.com\plugins\npcoolirisplugin.dll
2009-07-07 23:48 . 2009-07-07 02:44 4722688 ----a-w- c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\2epl54kr.Donny\extensions\piclens@cooliris.com\libs\cooliris19.dll
2009-07-07 23:48 . 2009-07-07 02:44 344064 ----a-w- c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\2epl54kr.Donny\extensions\piclens@cooliris.com\libs\LaunchCooliris.exe
2009-07-03 22:37 . 2009-07-03 22:39 -------- d-----w- c:\documents and settings\Administrator\Ekahau Site Survey
2009-07-03 22:35 . 2009-07-03 22:54 -------- d-----w- c:\program files\Ekahau
2009-07-01 04:08 . 2009-07-15 02:45 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Phanfare2
2009-07-01 04:08 . 2009-06-29 18:23 172032 ----a-w- c:\windows\system32\Phanfare Screensaver.scr
2009-07-01 04:08 . 2009-06-29 18:22 323624 ----a-w- c:\windows\system32\wiaaut.dll
2009-07-01 04:07 . 2009-07-15 03:41 327968 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-07-01 04:02 . 2009-07-01 04:02 -------- d-----w- c:\windows\system32\XPSViewer
2009-07-01 04:00 . 2009-07-01 04:00 -------- d-----w- c:\program files\Reference Assemblies
2009-07-01 03:58 . 2006-06-29 17:07 14048 ------w- c:\windows\system32\spmsg2.dll
2009-07-01 03:57 . 2006-06-29 17:07 22752 ----a-w- c:\windows\system32\spupdsvc.exe
2009-07-01 03:03 . 2009-07-01 03:50 -------- d-----w- c:\documents and settings\Administrator\Application Data\Desktopicon
2009-07-01 03:01 . 2009-07-01 03:02 -------- d-----w- c:\program files\FormatFactory
2009-06-30 23:54 . 2009-05-07 12:23 63488 ----a-w- c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\2epl54kr.Donny\extensions\{340c2bbc-ce74-4362-90b5-7c26312808ef}\platform\WINNT_x86-msvc\components\WeaveCrypto.dll
2009-06-30 21:27 . 2009-06-30 21:27 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-06-30 21:27 . 2009-06-30 21:27 -------- d-----w- c:\program files\Java
2009-06-30 21:25 . 2009-06-30 21:25 152576 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\jre1.6.0_14\lzma.dll
2009-06-30 02:25 . 2009-07-03 22:38 57164 ---ha-w- c:\windows\system32\mlfcache.dat
2009-06-28 06:36 . 2009-06-28 06:36 -------- d-----w- c:\program files\AnyBizSoft
2009-06-28 06:31 . 2009-06-28 06:31 -------- d-----w- c:\documents and settings\Administrator\Application Data\Stardock
2009-06-28 06:31 . 2009-06-28 06:31 -------- dc-h--w- c:\docume~1\ALLUSE~1\APPLIC~1\{067CEB81-A49B-4597-9505-A5515881D672}
2009-06-28 06:31 . 2009-06-28 06:31 -------- d-----w- c:\program files\Stardock
2009-06-19 21:37 . 2008-08-21 05:45 138296 ----a-w- c:\windows\system32\drivers\IpSecDrv.sys
2009-06-19 21:37 . 2008-08-21 06:02 90164 ----a-w- c:\windows\system32\cmondll.dll
2009-06-19 21:37 . 2008-08-21 06:02 28726 ----a-w- c:\windows\system32\SnPolicy.dll
2009-06-19 21:37 . 2008-08-21 06:02 233526 ----a-w- c:\windows\system32\IreComn.dll
2009-06-19 21:37 . 2008-01-17 04:35 536634 ------w- c:\windows\system32\drivers\Crypto.sys
2009-06-19 21:37 . 2008-01-14 04:21 159804 ------w- c:\windows\system32\IreBase.dll
2009-06-19 21:37 . 2008-01-14 04:21 90166 ------w- c:\windows\system32\IreSC.dll
2009-06-19 21:37 . 2008-01-14 04:20 344122 ------w- c:\windows\system32\IreCGX.dll
2009-06-19 21:37 . 1997-09-17 16:00 207120 ------r- c:\windows\system32\Msoss.dll
2009-06-19 21:36 . 2009-06-19 21:36 -------- d-----w- c:\program files\Common Files\Deterministic Networks
2009-06-19 21:36 . 2008-06-19 09:27 125584 ----a-w- c:\windows\system32\drivers\dne2000.sys
2009-06-19 21:36 . 2008-05-24 05:22 106768 ----a-w- c:\windows\system32\dneinobj.dll
2009-06-19 21:36 . 2000-09-12 11:34 28160 ------r- c:\windows\system32\cstrain.dll
2009-06-19 21:36 . 2000-09-12 11:25 78848 ------r- c:\windows\system32\soedber.dll
2009-06-19 21:36 . 2000-09-12 11:25 46080 ------r- c:\windows\system32\soedapi.dll
2009-06-19 21:36 . 2000-09-12 11:25 16896 ------r- c:\windows\system32\ossdmem.dll
2009-06-19 21:36 . 2000-09-12 11:25 23552 ------r- c:\windows\system32\ossapi.dll
2009-06-19 21:36 . 2008-08-21 06:03 344116 ----a-w- c:\windows\system32\IreMgmt.dll
2009-06-19 21:36 . 2000-09-12 11:25 11264 ------r- c:\windows\system32\soedoid.dll
2009-06-19 21:36 . 2008-01-02 09:48 29184 ----a-w- c:\windows\system32\drivers\vap.sys
2009-06-19 21:36 . 2009-06-19 21:36 -------- d-----w- c:\program files\Juniper
2009-06-19 21:35 . 2009-06-19 21:35 -------- d-----w- c:\program files\Common Files\InstallShield
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-17 16:21 . 2009-07-16 01:20 117760 ----a-w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-07-17 16:03 . 2009-04-20 12:11 -------- d-----w- c:\program files\Everything
2009-07-17 16:03 . 2009-04-20 12:13 -------- d-----w- c:\documents and settings\Administrator\Application Data\Free Download Manager
2009-07-17 16:03 . 2009-05-05 12:21 -------- d-----w- c:\documents and settings\Administrator\Application Data\uTorrent
2009-07-15 19:18 . 2009-04-20 13:43 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-07-15 01:03 . 2009-04-20 12:36 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-07-14 18:14 . 2009-04-20 12:13 -------- d-----w- c:\program files\Google
2009-07-13 17:36 . 2009-04-20 12:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-13 17:36 . 2009-04-20 12:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-10 14:56 . 2008-11-21 18:30 84496 ----a-w- c:\windows\system32\vbcoinst.dll
2009-07-10 14:56 . 2008-11-21 18:30 641552 ----a-w- c:\windows\system32\VBoxControl.exe
2009-07-10 14:56 . 2008-11-21 18:30 39376 ----a-w- c:\windows\system32\drivers\VBoxGuest.sys
2009-07-10 14:56 . 2008-11-21 18:30 1026576 ----a-w- c:\windows\system32\VBoxTray.exe
2009-07-10 14:56 . 2008-11-21 18:30 63632 ----a-w- c:\windows\system32\VBoxDisp.dll
2009-07-10 14:56 . 2008-11-21 18:30 57872 ----a-w- c:\windows\system32\drivers\VBoxVideo.sys
2009-07-10 14:56 . 2008-11-21 18:29 39888 ----a-w- c:\windows\system32\drivers\VBoxMouse.sys
2009-07-10 14:55 . 2008-11-21 18:28 645648 ----a-w- c:\windows\system32\VBoxMRXNP.dll
2009-07-01 04:26 . 2009-04-16 10:32 70400 ----a-w- c:\windows\system32\GDIPFONTCACHEV1.DAT
2009-07-01 04:07 . 2009-04-16 07:10 -------- d-----w- c:\program files\MSBuild
2009-06-26 04:13 . 2009-05-30 16:24 -------- d-----w- c:\program files\Digsby
2009-06-26 04:00 . 2009-04-20 12:05 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-06-26 04:00 . 2009-04-20 12:05 327688 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-06-26 04:00 . 2009-04-20 12:05 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-06-11 06:29 . 2009-06-11 06:29 -------- d-----w- c:\program files\Common Files\Blackbaud
2009-06-11 06:27 . 2009-06-11 06:27 -------- d-----w- c:\program files\Blackbaud
2009-06-11 05:16 . 2009-06-11 05:16 -------- d-----w- c:\program files\Common Files\Business Objects
2009-06-11 05:16 . 2009-06-11 05:16 -------- d-----w- c:\program files\Business Objects
2009-06-11 05:14 . 2009-06-11 05:14 -------- d-----w- c:\program files\MSXML 4.0
2009-06-01 14:36 . 2009-06-04 06:17 3184128 ----a-w- c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\2epl54kr.Donny\extensions\{0b457cAA-602d-484a-8fe7-c1d894a011ba}\library\SSS.dll
2009-05-30 18:27 . 2009-05-30 18:27 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Digsby
2009-05-30 16:45 . 2009-05-30 16:24 -------- d-----w- c:\documents and settings\Administrator\Application Data\Digsby
2009-05-08 02:55 . 2009-04-20 12:05 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-05-04 19:03 . 2009-05-04 19:03 59904 ----a-w- c:\windows\system32\zlib1.dll
2009-05-04 18:53 . 2009-05-04 18:53 286720 ----a-w- c:\windows\system32\libcurl.dll
2009-05-04 18:53 . 2009-05-04 18:53 196608 ----a-w- c:\windows\system32\ssleay32.dll
2009-05-04 18:53 . 2009-05-04 18:53 1028096 ----a-w- c:\windows\system32\libeay32.dll
2009-05-04 18:53 . 2009-05-04 18:53 143360 ----a-w- c:\windows\system32\libexpatw.dll
2009-04-23 04:47 . 2009-06-04 06:17 28672 ----a-w- c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\2epl54kr.Donny\extensions\{0b457cAA-602d-484a-8fe7-c1d894a011ba}\platform\WINNT_x86-msvc\components\SSSLauncher.dll
2009-04-21 03:05 . 2009-04-21 03:05 695642 ----a-w- c:\documents and settings\Administrator\Application Data\UBitMenu\unins000.exe
2009-04-20 13:45 . 2009-04-20 13:45 768 ----a-w- c:\windows\system32\d3d8caps.dat
2009-06-24 13:26 . 2009-04-16 09:47 137208 ----a-w- c:\program files\mozilla firefox\components\brwsrcmp.dll
2008-05-05 20:14 . 2008-12-01 20:22 34048 ----a-w- c:\program files\opera\program\plugins\upd62i9x.dll
2008-05-05 20:14 . 2008-12-01 20:22 45056 ----a-w- c:\program files\opera\program\plugins\upd62int.dll
.
------- Sigcheck -------
[-] 2008-05-06 12:00 361344 ACCF5A9A1FFAA490F33DBA1C632B95E1 c:\windows\system32\drivers\tcpip.sys
.
((((((((((((((((((((((((((((( SnapShot@2009-07-17_02.02.53 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-07-17 16:21 . 2009-07-17 16:21 16384 c:\windows\temp\Perflib_Perfdata_1a0.dat
+ 2008-05-06 12:00 . 2009-07-17 15:53 66148 c:\windows\system32\perfc009.dat
- 2008-05-06 12:00 . 2009-07-17 01:44 66148 c:\windows\system32\perfc009.dat
+ 2009-07-14 17:45 . 2009-07-17 15:49 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2009-07-14 17:45 . 2009-07-17 01:40 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2009-07-14 17:45 . 2009-07-17 15:49 16384 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2009-07-14 17:45 . 2009-07-17 01:40 16384 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2009-07-14 17:45 . 2009-07-17 01:40 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2009-07-14 17:45 . 2009-07-17 15:49 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2008-05-06 12:00 . 2009-07-17 15:53 428224 c:\windows\system32\perfh009.dat
- 2008-05-06 12:00 . 2009-07-17 01:44 428224 c:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F9E4A054-E9B1-4BC3-83A3-76A1AE736170}]
2009-05-08 04:46 218160 ----a-w- c:\program files\Hotspot Shield\hssie\HssIE.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MoeMonitor.exe"="c:\documents and settings\Administrator\Local Settings\Application Data\Microsoft\Live Mesh\Bin\Servicing\0.9.4014.7\MoeMonitor.exe" [2009-07-03 1315152]
"LClock"="c:\program files\LClock\LClock.exe" [2004-09-19 65536]
"Growl"="c:\program files\Growl for Windows\Growl.exe" [2009-07-07 1146880]
"Gmail Growl"="c:\program files\Markus Mohnen\Gmail Growl\gmailgrowl.exe" [2009-06-04 900489]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-06-23 1830128]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VBoxTray"="c:\windows\system32\VBoxTray.exe" [2009-07-10 1026576]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-26 31016]
"PostCopy"="c:\windows\system32\BELKIN\F5D5050\PostCopy.exe" [2001-07-25 20480]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-06-26 1948440]
"Everything"="c:\program files\Everything\Everything.exe" [2009-03-13 602624]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-06-30 148888]
c:\documents and settings\Administrator\Start Menu\Programs\Startup\
MagicDisc.lnk - c:\program files\MagicDisc\MagicDisc.exe [2009-4-16 534016]
c:\docume~1\ALLUSE~1\STARTM~1\Programs\Startup\
NetScreen-Remote.lnk - c:\program files\Juniper\NetScreen-Remote\SafeCfg.exe [2009-6-19 77876]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"= 1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"MemCheckBoxInRunDlg"= 1 (0x1)
"StartMenuFavorites"= 0 (0x0)
"Start_ShowMyComputer"= 1 (0x1)
"Start_ShowMyDocs"= 1 (0x1)
"Start_ShowMyMusic"= 0 (0x0)
"Start_ShowRun"= 1 (0x1)
"Start_ShowSearch"= 0 (0x0)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)
"MemCheckBoxInRunDlg"= 1 (0x1)
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"= 1 (0x1)
"ForceClassicControlPanel"= 1 (0x1)
"NoResolveTrack"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)
"MemCheckBoxInRunDlg"= 1 (0x1)
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\SharedTaskScheduler]
"{EC654325-1273-C2A9-2B7C-45A29BCE2FBD}"= "c:\program files\Stardock\Fences\DesktopDock.dll" [2009-02-25 517480]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 16:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wlcrdplauncher]
2009-07-03 19:41 21840 ----a-w- c:\program files\Live Mesh\Remote Desktop\wlcrdplauncher.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-06-26 04:00 11952 ----a-w- c:\windows\system32\avgrsstx.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"e:\\Program Files\\Phanfare\\Phanfare.exe"=
"c:\\Program Files\\Live Mesh\\Remote Desktop\\wlcrasvc.exe"=
"c:\\Documents and Settings\\Administrator\\Local Settings\\Application Data\\Microsoft\\Live Mesh\\GacBase\\Moe.exe"=
"c:\\Program Files\\Juniper\\NetScreen-Remote\\IreIKE.exe"=
"c:\program files\Juniper\NetScreen-Remote\ViewLog.exe"= c:\program files\Juniper\NetScreen-Remote\ViewLog.exe:127.0.0.1/255.255.255.255:Enabled:ViewLog
"c:\program files\Juniper\NetScreen-Remote\CmonApp.exe"= c:\program files\Juniper\NetScreen-Remote\CmonApp.exe:127.0.0.1/255.255.255.255:Enabled:CMonApp
"c:\program files\Juniper\NetScreen-Remote\vpn.exe"= c:\program files\Juniper\NetScreen-Remote\vpn.exe:127.0.0.1/255.255.255.255:Enabled:VPN Connection Manager
R0 VBoxGuest;VirtualBox Guest Driver;c:\windows\system32\drivers\VBoxGuest.sys [11/21/2008 2:30 PM 39376]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [4/20/2009 8:05 AM 327688]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [4/20/2009 8:05 AM 108552]
R1 IPSECDRV;SafeNet IPSec Plugin;c:\windows\system32\drivers\IpSecDrv.sys [6/19/2009 5:37 PM 138296]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [6/23/2009 11:01 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [6/23/2009 11:01 AM 72944]
R1 VBoxSF;VirtualBox Shared Folders;c:\windows\system32\drivers\VBoxSF.sys [7/10/2009 10:56 AM 195472]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [4/20/2009 8:05 AM 298776]
R2 Crypto;Crypto;c:\windows\system32\drivers\Crypto.sys [6/19/2009 5:37 PM 536634]
R2 Ekauio;Ekahau NDIS Usermode I/O Protocol;c:\windows\system32\drivers\ekauio.sys [4/7/2009 8:45 AM 12416]
R2 HssSrv;Hotspot Shield Helper Service;c:\program files\Hotspot Shield\HssWPR\hsssrv.exe [4/21/2009 9:12 PM 328752]
R2 VBoxService;VirtualBox Guest Additions Service;system32\VBoxService.exe --> system32\VBoxService.exe [?]
R2 wlcrasvc;Live Mesh Remote Desktop;c:\program files\Live Mesh\Remote Desktop\wlcrasvc.exe [4/16/2009 6:24 AM 44880]
R3 DniVap;SafeNet WAN Miniport (VA);c:\windows\system32\drivers\vap.sys [6/19/2009 5:36 PM 29184]
R3 RDPDISPM;RDPDISPM;c:\windows\system32\drivers\rdpdispm.sys [4/16/2009 6:24 AM 9024]
R3 RDPVDD;RDPVDD;c:\windows\system32\drivers\rdpvmp.sys [4/16/2009 6:24 AM 19392]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [6/23/2009 11:01 AM 7408]
R3 VBoxMouse;VirtualBox Guest Mouse Service;c:\windows\system32\drivers\VBoxMouse.sys [11/21/2008 2:29 PM 39888]
R3 VBoxVideo;VBoxVideo;c:\windows\system32\drivers\VBoxVideo.sys [11/21/2008 2:30 PM 57872]
R3 vmmouse;VMware Pointing Device;c:\windows\system32\drivers\vmmouse.sys [12/1/2008 4:09 PM 11568]
S2 gupdate1c9c1b183ad1450;Google Update Service (gupdate1c9c1b183ad1450);c:\program files\Google\Update\GoogleUpdate.exe [4/20/2009 8:14 AM 133104]
S3 HssTrayService;Hotspot Shield Tray Service;c:\program files\Hotspot Shield\bin\HssTrayService.exe [4/22/2009 5:34 PM 34352]
S3 vmxnet;VMware Ethernet Adapter Driver;c:\windows\system32\drivers\vmxnet.sys [12/1/2008 4:09 PM 29488]
S4 zlportio;zlportio;\??\g:\zlportio.sys --> g:\zlportio.sys [?]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.teezcricket.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mStart Page = hxxp://www.google.com
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: Download all with Free Download Manager - file://c:\program files\Free Download Manager\dlall.htm
IE: Download selected with Free Download Manager - file://c:\program files\Free Download Manager\dlselected.htm
IE: Download video with Free Download Manager - file://c:\program files\Free Download Manager\dlfvideo.htm
IE: Download with Free Download Manager - file://c:\program files\Free Download Manager\dllink.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\docume~1\ADMINI~1\APPLIC~1\Mozilla\Firefox\Profiles\2epl54kr.Donny\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/|http://ebiss/default.aspx|http://studywiz.biss.com.cn/|https://ibis.ibo.org/index.cfm|https://web4.ibo.org/ibnet/|http://online.ibo.org/ibis/occ/guest/home.cfm|http://docs.google.com/#not-in-folders|https://secure.members.easynews.com/global4/search.html?fly=1|http://www.abc.net.au/news/|http://www.google.com/reader/shared/10493336563511901340|http://www.newser.com/
FF - component: c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\2epl54kr.Donny\extensions\{0b457cAA-602d-484a-8fe7-c1d894a011ba}\platform\WINNT_x86-msvc\components\SSSLauncher.dll
FF - component: c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\2epl54kr.Donny\extensions\{340c2bbc-ce74-4362-90b5-7c26312808ef}\platform\WINNT_x86-msvc\components\WeaveCrypto.dll
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: c:\program files\Free Download Manager\Firefox\Extension\components\vmsfdmff.dll
FF - component: c:\program files\Google\Google Gears\Firefox\lib\ff35\gears.dll
FF - plugin: c:\program files\Google\Update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npFoxitReaderPlugin.dll
---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-17 12:21
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files:
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(1220)
geyekrpjxtedtf.dll 10000000 32768 \\?\globalroot\systemroot\system32\geyekrpjxtedtf.dll
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\cscdll.dll
- - - - - - - > 'explorer.exe'(2356)
geyekrpjxtedtf.dll 10000000 32768 \\?\globalroot\systemroot\system32\geyekrpjxtedtf.dll
c:\program files\LClock\LC.dll
c:\program files\Stardock\Fences\DesktopDock.dll
c:\program files\SUPERAntiSpyware\SASSEH.DLL
c:\windows\system32\VBoxMRXNP.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\VBoxService.exe
c:\program files\Juniper\NetScreen-Remote\IPSecMon.exe
c:\program files\Juniper\NetScreen-Remote\IreIKE.exe
c:\program files\Google\Update\1.2.183.7\GoogleCrashHandler.exe
c:\program files\FolderSize\FolderSizeSvc.exe
c:\program files\Hotspot Shield\bin\openvpnas.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
.
**************************************************************************
.
Completion time: 2009-07-17 12:27 - machine was rebooted
ComboFix-quarantined-files.txt 2009-07-17 16:27
ComboFix2.txt 2009-07-17 02:07
ComboFix3.txt 2009-07-15 06:58
Pre-Run: 1,793,105,920 bytes free
Post-Run: 1,811,038,208 bytes free
370
Service Pack 3 7 17 2009 12:30:52.500
Loaded driver \WINDOWS\system32\ntoskrnl.exe
Loaded driver \WINDOWS\system32\hal.dll
Loaded driver \WINDOWS\system32\KDCOM.DLL
Loaded driver \WINDOWS\system32\BOOTVID.dll
Loaded driver ACPI.sys
Loaded driver \WINDOWS\system32\DRIVERS\WMILIB.SYS
Loaded driver pci.sys
Loaded driver isapnp.sys
Loaded driver compbatt.sys
Loaded driver \WINDOWS\system32\DRIVERS\BATTC.SYS
Loaded driver intelide.sys
Loaded driver \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
Loaded driver MountMgr.sys
Loaded driver ftdisk.sys
Loaded driver dmload.sys
Loaded driver dmio.sys
Loaded driver PartMgr.sys
Loaded driver VolSnap.sys
Loaded driver atapi.sys
Loaded driver disk.sys
Loaded driver \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
Loaded driver fltMgr.sys
Loaded driver sr.sys
Loaded driver PxHelp20.sys
Loaded driver KSecDD.sys
Loaded driver VBoxGuest.sys
Loaded driver Ntfs.sys
Loaded driver NDIS.sys
Loaded driver Mup.sys
Loaded driver \SystemRoot\system32\DRIVERS\rdpdispm.sys
Loaded driver \SystemRoot\system32\DRIVERS\rdpvmp.sys
Loaded driver \SystemRoot\system32\DRIVERS\i8042prt.sys
Loaded driver \SystemRoot\system32\DRIVERS\kbdclass.sys
Loaded driver \SystemRoot\system32\DRIVERS\fdc.sys
Loaded driver \SystemRoot\system32\DRIVERS\vmmouse.sys
Loaded driver \SystemRoot\system32\DRIVERS\VBoxMouse.sys
Loaded driver \SystemRoot\system32\DRIVERS\mouclass.sys
Loaded driver \SystemRoot\system32\DRIVERS\parport.sys
Loaded driver \SystemRoot\system32\DRIVERS\cdrom.sys
Loaded driver \SystemRoot\system32\DRIVERS\VBoxVideo.sys
Loaded driver \SystemRoot\system32\DRIVERS\pcntpci5.sys
Loaded driver \SystemRoot\system32\drivers\ac97intc.sys
Loaded driver \SystemRoot\system32\DRIVERS\usbohci.sys
Loaded driver \SystemRoot\system32\DRIVERS\usbehci.sys
Loaded driver \SystemRoot\system32\DRIVERS\CmBatt.sys
Loaded driver \SystemRoot\system32\DRIVERS\dne2000.sys
Loaded driver \SystemRoot\system32\DRIVERS\vap.sys
Loaded driver \SystemRoot\system32\DRIVERS\audstub.sys
Loaded driver \SystemRoot\system32\DRIVERS\rasl2tp.sys
Loaded driver \SystemRoot\system32\DRIVERS\ndistapi.sys
Loaded driver \SystemRoot\system32\DRIVERS\ndiswan.sys
Loaded driver \SystemRoot\system32\DRIVERS\raspppoe.sys
Loaded driver \SystemRoot\system32\DRIVERS\raspptp.sys
Loaded driver \SystemRoot\system32\DRIVERS\msgpc.sys
Loaded driver \SystemRoot\system32\DRIVERS\psched.sys
Loaded driver \SystemRoot\system32\DRIVERS\ptilink.sys
Loaded driver \SystemRoot\system32\DRIVERS\raspti.sys
Loaded driver \SystemRoot\system32\DRIVERS\tapvpn.sys
Loaded driver \SystemRoot\system32\DRIVERS\rdpdr.sys
Loaded driver \SystemRoot\system32\DRIVERS\termdd.sys
Loaded driver \SystemRoot\system32\DRIVERS\mcdbus.sys
Loaded driver \SystemRoot\system32\DRIVERS\swenum.sys
Loaded driver \SystemRoot\system32\DRIVERS\update.sys
Loaded driver \SystemRoot\system32\DRIVERS\mssmbios.sys
Loaded driver \SystemRoot\system32\DRIVERS\usbhub.sys
Loaded driver \SystemRoot\System32\Drivers\NDProxy.SYS
Did not load driver \SystemRoot\System32\Drivers\NDProxy.SYS
Loaded driver \SystemRoot\system32\DRIVERS\redbook.sys
Loaded driver \SystemRoot\system32\DRIVERS\flpydisk.sys
Did not load driver \SystemRoot\System32\Drivers\Sfloppy.SYS
Did not load driver \SystemRoot\System32\Drivers\Cdaudio.SYS
Loaded driver \SystemRoot\System32\Drivers\Fs_Rec.SYS
Loaded driver \SystemRoot\System32\Drivers\Null.SYS
Loaded driver \SystemRoot\System32\Drivers\Beep.SYS
Loaded driver \SystemRoot\System32\drivers\vga.sys
Loaded driver \SystemRoot\System32\Drivers\mnmdd.SYS
Loaded driver \SystemRoot\System32\DRIVERS\RDPCDD.sys
Loaded driver \systemroot\system32\drivers\geyekrnoqvdksc.sys
Loaded driver \SystemRoot\System32\Drivers\Msfs.SYS
Loaded driver \SystemRoot\System32\Drivers\Npfs.SYS
Loaded driver \SystemRoot\system32\DRIVERS\rasacd.sys
Loaded driver \SystemRoot\system32\DRIVERS\ipsec.sys
Loaded driver \??\C:\WINDOWS\system32\Drivers\IPSECDRV.sys
Loaded driver \SystemRoot\system32\DRIVERS\tcpip.sys
Loaded driver \SystemRoot\System32\Drivers\avgtdix.sys
Loaded driver \SystemRoot\system32\DRIVERS\netbt.sys
Loaded driver \SystemRoot\System32\drivers\afd.sys
Loaded driver \SystemRoot\system32\DRIVERS\netbios.sys
Loaded driver \SystemRoot\system32\drivers\VBoxSF.sys
Did not load driver \SystemRoot\System32\Drivers\PCIDump.SYS
Loaded driver \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys
Loaded driver \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
Loaded driver \SystemRoot\system32\DRIVERS\rdbss.sys
Loaded driver \SystemRoot\system32\DRIVERS\mrxsmb.sys
Did not load driver \SystemRoot\system32\DRIVERS\imapi.sys
Loaded driver \SystemRoot\System32\Drivers\Fips.SYS
Loaded driver \SystemRoot\System32\Drivers\avgmfx86.sys
Loaded driver \SystemRoot\system32\DRIVERS\ipnat.sys
Loaded driver \SystemRoot\system32\DRIVERS\wanarp.sys
Loaded driver \SystemRoot\System32\Drivers\avgldx86.sys
Loaded driver \SystemRoot\System32\Drivers\Cdfs.SYS
Loaded driver \SystemRoot\system32\DRIVERS\ekauio.sys
Loaded driver \SystemRoot\system32\DRIVERS\ndisuio.sys
Loaded driver \??\C:\WINDOWS\system32\Drivers\Crypto.sys
Did not load driver \SystemRoot\system32\DRIVERS\rdbss.sys
Did not load driver \SystemRoot\system32\DRIVERS\mrxsmb.sys
Loaded driver \SystemRoot\System32\Drivers\Fastfat.SYS
Loaded driver \SystemRoot\system32\drivers\wdmaud.sys
Loaded driver \SystemRoot\system32\drivers\sysaudio.sys
Loaded driver \SystemRoot\system32\drivers\splitter.sys
Loaded driver \SystemRoot\system32\drivers\aec.sys
Loaded driver \SystemRoot\system32\drivers\swmidi.sys
Loaded driver \SystemRoot\system32\drivers\DMusic.sys
Loaded driver \SystemRoot\system32\drivers\kmixer.sys
Loaded driver \SystemRoot\system32\drivers\drmkaud.sys
Loaded driver \SystemRoot\system32\DRIVERS\mrxdav.sys
Loaded driver \SystemRoot\System32\Drivers\ParVdm.SYS
Did not load driver \SystemRoot\System32\Drivers\Serial.SYS
Loaded driver \SystemRoot\system32\DRIVERS\srv.sys
Did not load driver \SystemRoot\system32\DRIVERS\ipnat.sys
Loaded driver \SystemRoot\System32\Drivers\HTTP.sys
Loaded driver \??\C:\Program Files\SUPERAntiSpyware\SASENUM.SYS
ComboFix 09-07-14.08 - Administrator 07/17/2009 12:08.5.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1617 [GMT -4:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Administrator\Desktop\CFscript.txt
FILE ::
"c:\windows\system32\geyekrpjxtedtf.dll"
.
((((((((((((((((((((((((( Files Created from 2009-06-17 to 2009-07-17 )))))))))))))))))))))))))))))))
.
2009-07-16 01:03 . 2009-07-16 01:03 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\SUPERAntiSpyware.com
2009-07-16 01:03 . 2009-07-16 01:03 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-07-16 01:03 . 2009-07-16 01:03 -------- d-----w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2009-07-16 01:03 . 2009-07-16 01:03 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-07-15 04:41 . 2009-07-15 04:41 -------- d-----w- c:\documents and settings\Administrator\DoctorWeb
2009-07-15 03:50 . 2009-07-15 03:50 -------- d-----w- c:\program files\Trend Micro
2009-07-15 02:40 . 2009-07-15 02:40 -------- d-----w- c:\windows\Sun
2009-07-15 01:26 . 2009-07-15 01:26 -------- d-----w- c:\windows\system32\wbem\snmp
2009-07-15 01:26 . 2009-07-15 01:26 -------- d-----w- c:\windows\system32\oobe
2009-07-15 01:26 . 2009-07-15 01:26 -------- d-----w- c:\windows\srchasst
2009-07-15 01:26 . 2009-07-15 01:26 -------- d-----w- c:\windows\system32\xircom
2009-07-15 01:25 . 2009-07-15 01:25 -------- d-----w- c:\program files\microsoft frontpage
2009-07-14 23:02 . 2009-07-14 23:02 0 ----a-w- c:\windows\system32\cd.dat
2009-07-14 18:14 . 2009-07-14 18:14 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Temp
2009-07-14 17:40 . 2009-07-14 17:59 -------- d--h--w- C:\$AVG8.VAULT$
2009-07-10 14:56 . 2009-07-10 14:56 195472 ----a-w- c:\windows\system32\drivers\VBoxSF.sys
2009-07-10 14:55 . 2009-07-10 14:55 1059344 ----a-w- c:\windows\system32\VBoxService.exe
2009-07-10 14:55 . 2009-07-10 14:55 588304 ----a-w- c:\windows\system32\VBoxOGLfeedbackspu.dll
2009-07-10 14:55 . 2009-07-10 14:55 1346064 ----a-w- c:\windows\system32\VBoxOGLpackspu.dll
2009-07-10 14:55 . 2009-07-10 14:55 109072 ----a-w- c:\windows\system32\VBoxOGLpassthroughspu.dll
2009-07-10 14:55 . 2009-07-10 14:55 432656 ----a-w- c:\windows\system32\VBoxOGLarrayspu.dll
2009-07-10 14:55 . 2009-07-10 14:55 305680 ----a-w- c:\windows\system32\VBoxOGL.dll
2009-07-10 14:55 . 2009-07-10 14:55 65552 ----a-w- c:\windows\system32\VBoxHook.dll
2009-07-10 14:55 . 2009-07-10 14:55 645648 ----a-w- c:\windows\system32\VBoxGINA.dll
2009-07-10 14:54 . 2009-07-10 14:54 145936 ----a-w- c:\windows\system32\VBoxOGLerrorspu.dll
2009-07-10 14:54 . 2009-07-10 14:54 203280 ----a-w- c:\windows\system32\VBoxOGLcrutil.dll
2009-07-08 15:44 . 2009-07-08 15:44 -------- d-----w- c:\program files\Markus Mohnen
2009-07-08 15:38 . 2009-07-08 15:38 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Growl
2009-07-08 15:37 . 2009-07-08 15:37 -------- d-----w- c:\program files\Growl for Windows
2009-07-08 15:02 . 2009-07-08 15:02 -------- d-----w- c:\program files\SopCast
2009-07-08 14:49 . 2009-07-08 14:50 -------- d-----w- c:\program files\TVAnts
2009-07-08 14:43 . 2009-07-08 14:43 -------- d-----w- c:\documents and settings\Administrator\LocalLow
2009-07-08 14:43 . 2009-07-08 14:43 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\TVU Networks
2009-07-08 14:43 . 2009-07-08 14:43 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\TVU Networks
2009-07-07 23:48 . 2009-07-07 02:44 937984 ----a-w- c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\2epl54kr.Donny\extensions\piclens@cooliris.com\libs\PicLensHelper.exe
2009-07-07 23:48 . 2009-07-07 02:44 103424 ----a-w- c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\2epl54kr.Donny\extensions\piclens@cooliris.com\libs\pixomatic.dll
2009-07-07 23:48 . 2009-07-07 02:44 65536 ----a-w- c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\2epl54kr.Donny\extensions\piclens@cooliris.com\components\coolirisstub.dll
2009-07-07 23:48 . 2009-07-07 02:44 106496 ----a-w- c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\2epl54kr.Donny\extensions\piclens@cooliris.com\plugins\npcoolirisplugin.dll
2009-07-07 23:48 . 2009-07-07 02:44 4722688 ----a-w- c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\2epl54kr.Donny\extensions\piclens@cooliris.com\libs\cooliris19.dll
2009-07-07 23:48 . 2009-07-07 02:44 344064 ----a-w- c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\2epl54kr.Donny\extensions\piclens@cooliris.com\libs\LaunchCooliris.exe
2009-07-03 22:37 . 2009-07-03 22:39 -------- d-----w- c:\documents and settings\Administrator\Ekahau Site Survey
2009-07-03 22:35 . 2009-07-03 22:54 -------- d-----w- c:\program files\Ekahau
2009-07-01 04:08 . 2009-07-15 02:45 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Phanfare2
2009-07-01 04:08 . 2009-06-29 18:23 172032 ----a-w- c:\windows\system32\Phanfare Screensaver.scr
2009-07-01 04:08 . 2009-06-29 18:22 323624 ----a-w- c:\windows\system32\wiaaut.dll
2009-07-01 04:07 . 2009-07-15 03:41 327968 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-07-01 04:02 . 2009-07-01 04:02 -------- d-----w- c:\windows\system32\XPSViewer
2009-07-01 04:00 . 2009-07-01 04:00 -------- d-----w- c:\program files\Reference Assemblies
2009-07-01 03:58 . 2006-06-29 17:07 14048 ------w- c:\windows\system32\spmsg2.dll
2009-07-01 03:57 . 2006-06-29 17:07 22752 ----a-w- c:\windows\system32\spupdsvc.exe
2009-07-01 03:03 . 2009-07-01 03:50 -------- d-----w- c:\documents and settings\Administrator\Application Data\Desktopicon
2009-07-01 03:01 . 2009-07-01 03:02 -------- d-----w- c:\program files\FormatFactory
2009-06-30 23:54 . 2009-05-07 12:23 63488 ----a-w- c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\2epl54kr.Donny\extensions\{340c2bbc-ce74-4362-90b5-7c26312808ef}\platform\WINNT_x86-msvc\components\WeaveCrypto.dll
2009-06-30 21:27 . 2009-06-30 21:27 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-06-30 21:27 . 2009-06-30 21:27 -------- d-----w- c:\program files\Java
2009-06-30 21:25 . 2009-06-30 21:25 152576 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\jre1.6.0_14\lzma.dll
2009-06-30 02:25 . 2009-07-03 22:38 57164 ---ha-w- c:\windows\system32\mlfcache.dat
2009-06-28 06:36 . 2009-06-28 06:36 -------- d-----w- c:\program files\AnyBizSoft
2009-06-28 06:31 . 2009-06-28 06:31 -------- d-----w- c:\documents and settings\Administrator\Application Data\Stardock
2009-06-28 06:31 . 2009-06-28 06:31 -------- dc-h--w- c:\docume~1\ALLUSE~1\APPLIC~1\{067CEB81-A49B-4597-9505-A5515881D672}
2009-06-28 06:31 . 2009-06-28 06:31 -------- d-----w- c:\program files\Stardock
2009-06-19 21:37 . 2008-08-21 05:45 138296 ----a-w- c:\windows\system32\drivers\IpSecDrv.sys
2009-06-19 21:37 . 2008-08-21 06:02 90164 ----a-w- c:\windows\system32\cmondll.dll
2009-06-19 21:37 . 2008-08-21 06:02 28726 ----a-w- c:\windows\system32\SnPolicy.dll
2009-06-19 21:37 . 2008-08-21 06:02 233526 ----a-w- c:\windows\system32\IreComn.dll
2009-06-19 21:37 . 2008-01-17 04:35 536634 ------w- c:\windows\system32\drivers\Crypto.sys
2009-06-19 21:37 . 2008-01-14 04:21 159804 ------w- c:\windows\system32\IreBase.dll
2009-06-19 21:37 . 2008-01-14 04:21 90166 ------w- c:\windows\system32\IreSC.dll
2009-06-19 21:37 . 2008-01-14 04:20 344122 ------w- c:\windows\system32\IreCGX.dll
2009-06-19 21:37 . 1997-09-17 16:00 207120 ------r- c:\windows\system32\Msoss.dll
2009-06-19 21:36 . 2009-06-19 21:36 -------- d-----w- c:\program files\Common Files\Deterministic Networks
2009-06-19 21:36 . 2008-06-19 09:27 125584 ----a-w- c:\windows\system32\drivers\dne2000.sys
2009-06-19 21:36 . 2008-05-24 05:22 106768 ----a-w- c:\windows\system32\dneinobj.dll
2009-06-19 21:36 . 2000-09-12 11:34 28160 ------r- c:\windows\system32\cstrain.dll
2009-06-19 21:36 . 2000-09-12 11:25 78848 ------r- c:\windows\system32\soedber.dll
2009-06-19 21:36 . 2000-09-12 11:25 46080 ------r- c:\windows\system32\soedapi.dll
2009-06-19 21:36 . 2000-09-12 11:25 16896 ------r- c:\windows\system32\ossdmem.dll
2009-06-19 21:36 . 2000-09-12 11:25 23552 ------r- c:\windows\system32\ossapi.dll
2009-06-19 21:36 . 2008-08-21 06:03 344116 ----a-w- c:\windows\system32\IreMgmt.dll
2009-06-19 21:36 . 2000-09-12 11:25 11264 ------r- c:\windows\system32\soedoid.dll
2009-06-19 21:36 . 2008-01-02 09:48 29184 ----a-w- c:\windows\system32\drivers\vap.sys
2009-06-19 21:36 . 2009-06-19 21:36 -------- d-----w- c:\program files\Juniper
2009-06-19 21:35 . 2009-06-19 21:35 -------- d-----w- c:\program files\Common Files\InstallShield
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-17 16:21 . 2009-07-16 01:20 117760 ----a-w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-07-17 16:03 . 2009-04-20 12:11 -------- d-----w- c:\program files\Everything
2009-07-17 16:03 . 2009-04-20 12:13 -------- d-----w- c:\documents and settings\Administrator\Application Data\Free Download Manager
2009-07-17 16:03 . 2009-05-05 12:21 -------- d-----w- c:\documents and settings\Administrator\Application Data\uTorrent
2009-07-15 19:18 . 2009-04-20 13:43 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-07-15 01:03 . 2009-04-20 12:36 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-07-14 18:14 . 2009-04-20 12:13 -------- d-----w- c:\program files\Google
2009-07-13 17:36 . 2009-04-20 12:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-13 17:36 . 2009-04-20 12:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-10 14:56 . 2008-11-21 18:30 84496 ----a-w- c:\windows\system32\vbcoinst.dll
2009-07-10 14:56 . 2008-11-21 18:30 641552 ----a-w- c:\windows\system32\VBoxControl.exe
2009-07-10 14:56 . 2008-11-21 18:30 39376 ----a-w- c:\windows\system32\drivers\VBoxGuest.sys
2009-07-10 14:56 . 2008-11-21 18:30 1026576 ----a-w- c:\windows\system32\VBoxTray.exe
2009-07-10 14:56 . 2008-11-21 18:30 63632 ----a-w- c:\windows\system32\VBoxDisp.dll
2009-07-10 14:56 . 2008-11-21 18:30 57872 ----a-w- c:\windows\system32\drivers\VBoxVideo.sys
2009-07-10 14:56 . 2008-11-21 18:29 39888 ----a-w- c:\windows\system32\drivers\VBoxMouse.sys
2009-07-10 14:55 . 2008-11-21 18:28 645648 ----a-w- c:\windows\system32\VBoxMRXNP.dll
2009-07-01 04:26 . 2009-04-16 10:32 70400 ----a-w- c:\windows\system32\GDIPFONTCACHEV1.DAT
2009-07-01 04:07 . 2009-04-16 07:10 -------- d-----w- c:\program files\MSBuild
2009-06-26 04:13 . 2009-05-30 16:24 -------- d-----w- c:\program files\Digsby
2009-06-26 04:00 . 2009-04-20 12:05 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-06-26 04:00 . 2009-04-20 12:05 327688 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-06-26 04:00 . 2009-04-20 12:05 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-06-11 06:29 . 2009-06-11 06:29 -------- d-----w- c:\program files\Common Files\Blackbaud
2009-06-11 06:27 . 2009-06-11 06:27 -------- d-----w- c:\program files\Blackbaud
2009-06-11 05:16 . 2009-06-11 05:16 -------- d-----w- c:\program files\Common Files\Business Objects
2009-06-11 05:16 . 2009-06-11 05:16 -------- d-----w- c:\program files\Business Objects
2009-06-11 05:14 . 2009-06-11 05:14 -------- d-----w- c:\program files\MSXML 4.0
2009-06-01 14:36 . 2009-06-04 06:17 3184128 ----a-w- c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\2epl54kr.Donny\extensions\{0b457cAA-602d-484a-8fe7-c1d894a011ba}\library\SSS.dll
2009-05-30 18:27 . 2009-05-30 18:27 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Digsby
2009-05-30 16:45 . 2009-05-30 16:24 -------- d-----w- c:\documents and settings\Administrator\Application Data\Digsby
2009-05-08 02:55 . 2009-04-20 12:05 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-05-04 19:03 . 2009-05-04 19:03 59904 ----a-w- c:\windows\system32\zlib1.dll
2009-05-04 18:53 . 2009-05-04 18:53 286720 ----a-w- c:\windows\system32\libcurl.dll
2009-05-04 18:53 . 2009-05-04 18:53 196608 ----a-w- c:\windows\system32\ssleay32.dll
2009-05-04 18:53 . 2009-05-04 18:53 1028096 ----a-w- c:\windows\system32\libeay32.dll
2009-05-04 18:53 . 2009-05-04 18:53 143360 ----a-w- c:\windows\system32\libexpatw.dll
2009-04-23 04:47 . 2009-06-04 06:17 28672 ----a-w- c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\2epl54kr.Donny\extensions\{0b457cAA-602d-484a-8fe7-c1d894a011ba}\platform\WINNT_x86-msvc\components\SSSLauncher.dll
2009-04-21 03:05 . 2009-04-21 03:05 695642 ----a-w- c:\documents and settings\Administrator\Application Data\UBitMenu\unins000.exe
2009-04-20 13:45 . 2009-04-20 13:45 768 ----a-w- c:\windows\system32\d3d8caps.dat
2009-06-24 13:26 . 2009-04-16 09:47 137208 ----a-w- c:\program files\mozilla firefox\components\brwsrcmp.dll
2008-05-05 20:14 . 2008-12-01 20:22 34048 ----a-w- c:\program files\opera\program\plugins\upd62i9x.dll
2008-05-05 20:14 . 2008-12-01 20:22 45056 ----a-w- c:\program files\opera\program\plugins\upd62int.dll
.
------- Sigcheck -------
[-] 2008-05-06 12:00 361344 ACCF5A9A1FFAA490F33DBA1C632B95E1 c:\windows\system32\drivers\tcpip.sys
.
((((((((((((((((((((((((((((( SnapShot@2009-07-17_02.02.53 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-07-17 16:21 . 2009-07-17 16:21 16384 c:\windows\temp\Perflib_Perfdata_1a0.dat
+ 2008-05-06 12:00 . 2009-07-17 15:53 66148 c:\windows\system32\perfc009.dat
- 2008-05-06 12:00 . 2009-07-17 01:44 66148 c:\windows\system32\perfc009.dat
+ 2009-07-14 17:45 . 2009-07-17 15:49 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2009-07-14 17:45 . 2009-07-17 01:40 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2009-07-14 17:45 . 2009-07-17 15:49 16384 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2009-07-14 17:45 . 2009-07-17 01:40 16384 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2009-07-14 17:45 . 2009-07-17 01:40 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2009-07-14 17:45 . 2009-07-17 15:49 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2008-05-06 12:00 . 2009-07-17 15:53 428224 c:\windows\system32\perfh009.dat
- 2008-05-06 12:00 . 2009-07-17 01:44 428224 c:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F9E4A054-E9B1-4BC3-83A3-76A1AE736170}]
2009-05-08 04:46 218160 ----a-w- c:\program files\Hotspot Shield\hssie\HssIE.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MoeMonitor.exe"="c:\documents and settings\Administrator\Local Settings\Application Data\Microsoft\Live Mesh\Bin\Servicing\0.9.4014.7\MoeMonitor.exe" [2009-07-03 1315152]
"LClock"="c:\program files\LClock\LClock.exe" [2004-09-19 65536]
"Growl"="c:\program files\Growl for Windows\Growl.exe" [2009-07-07 1146880]
"Gmail Growl"="c:\program files\Markus Mohnen\Gmail Growl\gmailgrowl.exe" [2009-06-04 900489]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-06-23 1830128]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VBoxTray"="c:\windows\system32\VBoxTray.exe" [2009-07-10 1026576]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-26 31016]
"PostCopy"="c:\windows\system32\BELKIN\F5D5050\PostCopy.exe" [2001-07-25 20480]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-06-26 1948440]
"Everything"="c:\program files\Everything\Everything.exe" [2009-03-13 602624]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-06-30 148888]
c:\documents and settings\Administrator\Start Menu\Programs\Startup\
MagicDisc.lnk - c:\program files\MagicDisc\MagicDisc.exe [2009-4-16 534016]
c:\docume~1\ALLUSE~1\STARTM~1\Programs\Startup\
NetScreen-Remote.lnk - c:\program files\Juniper\NetScreen-Remote\SafeCfg.exe [2009-6-19 77876]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"= 1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"MemCheckBoxInRunDlg"= 1 (0x1)
"StartMenuFavorites"= 0 (0x0)
"Start_ShowMyComputer"= 1 (0x1)
"Start_ShowMyDocs"= 1 (0x1)
"Start_ShowMyMusic"= 0 (0x0)
"Start_ShowRun"= 1 (0x1)
"Start_ShowSearch"= 0 (0x0)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)
"MemCheckBoxInRunDlg"= 1 (0x1)
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"= 1 (0x1)
"ForceClassicControlPanel"= 1 (0x1)
"NoResolveTrack"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)
"MemCheckBoxInRunDlg"= 1 (0x1)
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\SharedTaskScheduler]
"{EC654325-1273-C2A9-2B7C-45A29BCE2FBD}"= "c:\program files\Stardock\Fences\DesktopDock.dll" [2009-02-25 517480]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 16:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wlcrdplauncher]
2009-07-03 19:41 21840 ----a-w- c:\program files\Live Mesh\Remote Desktop\wlcrdplauncher.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-06-26 04:00 11952 ----a-w- c:\windows\system32\avgrsstx.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"e:\\Program Files\\Phanfare\\Phanfare.exe"=
"c:\\Program Files\\Live Mesh\\Remote Desktop\\wlcrasvc.exe"=
"c:\\Documents and Settings\\Administrator\\Local Settings\\Application Data\\Microsoft\\Live Mesh\\GacBase\\Moe.exe"=
"c:\\Program Files\\Juniper\\NetScreen-Remote\\IreIKE.exe"=
"c:\program files\Juniper\NetScreen-Remote\ViewLog.exe"= c:\program files\Juniper\NetScreen-Remote\ViewLog.exe:127.0.0.1/255.255.255.255:Enabled:ViewLog
"c:\program files\Juniper\NetScreen-Remote\CmonApp.exe"= c:\program files\Juniper\NetScreen-Remote\CmonApp.exe:127.0.0.1/255.255.255.255:Enabled:CMonApp
"c:\program files\Juniper\NetScreen-Remote\vpn.exe"= c:\program files\Juniper\NetScreen-Remote\vpn.exe:127.0.0.1/255.255.255.255:Enabled:VPN Connection Manager
R0 VBoxGuest;VirtualBox Guest Driver;c:\windows\system32\drivers\VBoxGuest.sys [11/21/2008 2:30 PM 39376]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [4/20/2009 8:05 AM 327688]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [4/20/2009 8:05 AM 108552]
R1 IPSECDRV;SafeNet IPSec Plugin;c:\windows\system32\drivers\IpSecDrv.sys [6/19/2009 5:37 PM 138296]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [6/23/2009 11:01 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [6/23/2009 11:01 AM 72944]
R1 VBoxSF;VirtualBox Shared Folders;c:\windows\system32\drivers\VBoxSF.sys [7/10/2009 10:56 AM 195472]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [4/20/2009 8:05 AM 298776]
R2 Crypto;Crypto;c:\windows\system32\drivers\Crypto.sys [6/19/2009 5:37 PM 536634]
R2 Ekauio;Ekahau NDIS Usermode I/O Protocol;c:\windows\system32\drivers\ekauio.sys [4/7/2009 8:45 AM 12416]
R2 HssSrv;Hotspot Shield Helper Service;c:\program files\Hotspot Shield\HssWPR\hsssrv.exe [4/21/2009 9:12 PM 328752]
R2 VBoxService;VirtualBox Guest Additions Service;system32\VBoxService.exe --> system32\VBoxService.exe [?]
R2 wlcrasvc;Live Mesh Remote Desktop;c:\program files\Live Mesh\Remote Desktop\wlcrasvc.exe [4/16/2009 6:24 AM 44880]
R3 DniVap;SafeNet WAN Miniport (VA);c:\windows\system32\drivers\vap.sys [6/19/2009 5:36 PM 29184]
R3 RDPDISPM;RDPDISPM;c:\windows\system32\drivers\rdpdispm.sys [4/16/2009 6:24 AM 9024]
R3 RDPVDD;RDPVDD;c:\windows\system32\drivers\rdpvmp.sys [4/16/2009 6:24 AM 19392]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [6/23/2009 11:01 AM 7408]
R3 VBoxMouse;VirtualBox Guest Mouse Service;c:\windows\system32\drivers\VBoxMouse.sys [11/21/2008 2:29 PM 39888]
R3 VBoxVideo;VBoxVideo;c:\windows\system32\drivers\VBoxVideo.sys [11/21/2008 2:30 PM 57872]
R3 vmmouse;VMware Pointing Device;c:\windows\system32\drivers\vmmouse.sys [12/1/2008 4:09 PM 11568]
S2 gupdate1c9c1b183ad1450;Google Update Service (gupdate1c9c1b183ad1450);c:\program files\Google\Update\GoogleUpdate.exe [4/20/2009 8:14 AM 133104]
S3 HssTrayService;Hotspot Shield Tray Service;c:\program files\Hotspot Shield\bin\HssTrayService.exe [4/22/2009 5:34 PM 34352]
S3 vmxnet;VMware Ethernet Adapter Driver;c:\windows\system32\drivers\vmxnet.sys [12/1/2008 4:09 PM 29488]
S4 zlportio;zlportio;\??\g:\zlportio.sys --> g:\zlportio.sys [?]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.teezcricket.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mStart Page = hxxp://www.google.com
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: Download all with Free Download Manager - file://c:\program files\Free Download Manager\dlall.htm
IE: Download selected with Free Download Manager - file://c:\program files\Free Download Manager\dlselected.htm
IE: Download video with Free Download Manager - file://c:\program files\Free Download Manager\dlfvideo.htm
IE: Download with Free Download Manager - file://c:\program files\Free Download Manager\dllink.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\docume~1\ADMINI~1\APPLIC~1\Mozilla\Firefox\Profiles\2epl54kr.Donny\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/|http://ebiss/default.aspx|http://studywiz.biss.com.cn/|https://ibis.ibo.org/index.cfm|https://web4.ibo.org/ibnet/|http://online.ibo.org/ibis/occ/guest/home.cfm|http://docs.google.com/#not-in-folders|https://secure.members.easynews.com/global4/search.html?fly=1|http://www.abc.net.au/news/|http://www.google.com/reader/shared/10493336563511901340|http://www.newser.com/
FF - component: c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\2epl54kr.Donny\extensions\{0b457cAA-602d-484a-8fe7-c1d894a011ba}\platform\WINNT_x86-msvc\components\SSSLauncher.dll
FF - component: c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\2epl54kr.Donny\extensions\{340c2bbc-ce74-4362-90b5-7c26312808ef}\platform\WINNT_x86-msvc\components\WeaveCrypto.dll
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: c:\program files\Free Download Manager\Firefox\Extension\components\vmsfdmff.dll
FF - component: c:\program files\Google\Google Gears\Firefox\lib\ff35\gears.dll
FF - plugin: c:\program files\Google\Update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npFoxitReaderPlugin.dll
---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-17 12:21
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files:
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(1220)
geyekrpjxtedtf.dll 10000000 32768 \\?\globalroot\systemroot\system32\geyekrpjxtedtf.dll
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\cscdll.dll
- - - - - - - > 'explorer.exe'(2356)
geyekrpjxtedtf.dll 10000000 32768 \\?\globalroot\systemroot\system32\geyekrpjxtedtf.dll
c:\program files\LClock\LC.dll
c:\program files\Stardock\Fences\DesktopDock.dll
c:\program files\SUPERAntiSpyware\SASSEH.DLL
c:\windows\system32\VBoxMRXNP.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\VBoxService.exe
c:\program files\Juniper\NetScreen-Remote\IPSecMon.exe
c:\program files\Juniper\NetScreen-Remote\IreIKE.exe
c:\program files\Google\Update\1.2.183.7\GoogleCrashHandler.exe
c:\program files\FolderSize\FolderSizeSvc.exe
c:\program files\Hotspot Shield\bin\openvpnas.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
.
**************************************************************************
.
Completion time: 2009-07-17 12:27 - machine was rebooted
ComboFix-quarantined-files.txt 2009-07-17 16:27
ComboFix2.txt 2009-07-17 02:07
ComboFix3.txt 2009-07-15 06:58
Pre-Run: 1,793,105,920 bytes free
Post-Run: 1,811,038,208 bytes free
370
Service Pack 3 7 17 2009 12:30:52.500
Loaded driver \WINDOWS\system32\ntoskrnl.exe
Loaded driver \WINDOWS\system32\hal.dll
Loaded driver \WINDOWS\system32\KDCOM.DLL
Loaded driver \WINDOWS\system32\BOOTVID.dll
Loaded driver ACPI.sys
Loaded driver \WINDOWS\system32\DRIVERS\WMILIB.SYS
Loaded driver pci.sys
Loaded driver isapnp.sys
Loaded driver compbatt.sys
Loaded driver \WINDOWS\system32\DRIVERS\BATTC.SYS
Loaded driver intelide.sys
Loaded driver \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
Loaded driver MountMgr.sys
Loaded driver ftdisk.sys
Loaded driver dmload.sys
Loaded driver dmio.sys
Loaded driver PartMgr.sys
Loaded driver VolSnap.sys
Loaded driver atapi.sys
Loaded driver disk.sys
Loaded driver \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
Loaded driver fltMgr.sys
Loaded driver sr.sys
Loaded driver PxHelp20.sys
Loaded driver KSecDD.sys
Loaded driver VBoxGuest.sys
Loaded driver Ntfs.sys
Loaded driver NDIS.sys
Loaded driver Mup.sys
Loaded driver \SystemRoot\system32\DRIVERS\rdpdispm.sys
Loaded driver \SystemRoot\system32\DRIVERS\rdpvmp.sys
Loaded driver \SystemRoot\system32\DRIVERS\i8042prt.sys
Loaded driver \SystemRoot\system32\DRIVERS\kbdclass.sys
Loaded driver \SystemRoot\system32\DRIVERS\fdc.sys
Loaded driver \SystemRoot\system32\DRIVERS\vmmouse.sys
Loaded driver \SystemRoot\system32\DRIVERS\VBoxMouse.sys
Loaded driver \SystemRoot\system32\DRIVERS\mouclass.sys
Loaded driver \SystemRoot\system32\DRIVERS\parport.sys
Loaded driver \SystemRoot\system32\DRIVERS\cdrom.sys
Loaded driver \SystemRoot\system32\DRIVERS\VBoxVideo.sys
Loaded driver \SystemRoot\system32\DRIVERS\pcntpci5.sys
Loaded driver \SystemRoot\system32\drivers\ac97intc.sys
Loaded driver \SystemRoot\system32\DRIVERS\usbohci.sys
Loaded driver \SystemRoot\system32\DRIVERS\usbehci.sys
Loaded driver \SystemRoot\system32\DRIVERS\CmBatt.sys
Loaded driver \SystemRoot\system32\DRIVERS\dne2000.sys
Loaded driver \SystemRoot\system32\DRIVERS\vap.sys
Loaded driver \SystemRoot\system32\DRIVERS\audstub.sys
Loaded driver \SystemRoot\system32\DRIVERS\rasl2tp.sys
Loaded driver \SystemRoot\system32\DRIVERS\ndistapi.sys
Loaded driver \SystemRoot\system32\DRIVERS\ndiswan.sys
Loaded driver \SystemRoot\system32\DRIVERS\raspppoe.sys
Loaded driver \SystemRoot\system32\DRIVERS\raspptp.sys
Loaded driver \SystemRoot\system32\DRIVERS\msgpc.sys
Loaded driver \SystemRoot\system32\DRIVERS\psched.sys
Loaded driver \SystemRoot\system32\DRIVERS\ptilink.sys
Loaded driver \SystemRoot\system32\DRIVERS\raspti.sys
Loaded driver \SystemRoot\system32\DRIVERS\tapvpn.sys
Loaded driver \SystemRoot\system32\DRIVERS\rdpdr.sys
Loaded driver \SystemRoot\system32\DRIVERS\termdd.sys
Loaded driver \SystemRoot\system32\DRIVERS\mcdbus.sys
Loaded driver \SystemRoot\system32\DRIVERS\swenum.sys
Loaded driver \SystemRoot\system32\DRIVERS\update.sys
Loaded driver \SystemRoot\system32\DRIVERS\mssmbios.sys
Loaded driver \SystemRoot\system32\DRIVERS\usbhub.sys
Loaded driver \SystemRoot\System32\Drivers\NDProxy.SYS
Did not load driver \SystemRoot\System32\Drivers\NDProxy.SYS
Loaded driver \SystemRoot\system32\DRIVERS\redbook.sys
Loaded driver \SystemRoot\system32\DRIVERS\flpydisk.sys
Did not load driver \SystemRoot\System32\Drivers\Sfloppy.SYS
Did not load driver \SystemRoot\System32\Drivers\Cdaudio.SYS
Loaded driver \SystemRoot\System32\Drivers\Fs_Rec.SYS
Loaded driver \SystemRoot\System32\Drivers\Null.SYS
Loaded driver \SystemRoot\System32\Drivers\Beep.SYS
Loaded driver \SystemRoot\System32\drivers\vga.sys
Loaded driver \SystemRoot\System32\Drivers\mnmdd.SYS
Loaded driver \SystemRoot\System32\DRIVERS\RDPCDD.sys
Loaded driver \systemroot\system32\drivers\geyekrnoqvdksc.sys
Loaded driver \SystemRoot\System32\Drivers\Msfs.SYS
Loaded driver \SystemRoot\System32\Drivers\Npfs.SYS
Loaded driver \SystemRoot\system32\DRIVERS\rasacd.sys
Loaded driver \SystemRoot\system32\DRIVERS\ipsec.sys
Loaded driver \??\C:\WINDOWS\system32\Drivers\IPSECDRV.sys
Loaded driver \SystemRoot\system32\DRIVERS\tcpip.sys
Loaded driver \SystemRoot\System32\Drivers\avgtdix.sys
Loaded driver \SystemRoot\system32\DRIVERS\netbt.sys
Loaded driver \SystemRoot\System32\drivers\afd.sys
Loaded driver \SystemRoot\system32\DRIVERS\netbios.sys
Loaded driver \SystemRoot\system32\drivers\VBoxSF.sys
Did not load driver \SystemRoot\System32\Drivers\PCIDump.SYS
Loaded driver \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys
Loaded driver \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
Loaded driver \SystemRoot\system32\DRIVERS\rdbss.sys
Loaded driver \SystemRoot\system32\DRIVERS\mrxsmb.sys
Did not load driver \SystemRoot\system32\DRIVERS\imapi.sys
Loaded driver \SystemRoot\System32\Drivers\Fips.SYS
Loaded driver \SystemRoot\System32\Drivers\avgmfx86.sys
Loaded driver \SystemRoot\system32\DRIVERS\ipnat.sys
Loaded driver \SystemRoot\system32\DRIVERS\wanarp.sys
Loaded driver \SystemRoot\System32\Drivers\avgldx86.sys
Loaded driver \SystemRoot\System32\Drivers\Cdfs.SYS
Loaded driver \SystemRoot\system32\DRIVERS\ekauio.sys
Loaded driver \SystemRoot\system32\DRIVERS\ndisuio.sys
Loaded driver \??\C:\WINDOWS\system32\Drivers\Crypto.sys
Did not load driver \SystemRoot\system32\DRIVERS\rdbss.sys
Did not load driver \SystemRoot\system32\DRIVERS\mrxsmb.sys
Loaded driver \SystemRoot\System32\Drivers\Fastfat.SYS
Loaded driver \SystemRoot\system32\drivers\wdmaud.sys
Loaded driver \SystemRoot\system32\drivers\sysaudio.sys
Loaded driver \SystemRoot\system32\drivers\splitter.sys
Loaded driver \SystemRoot\system32\drivers\aec.sys
Loaded driver \SystemRoot\system32\drivers\swmidi.sys
Loaded driver \SystemRoot\system32\drivers\DMusic.sys
Loaded driver \SystemRoot\system32\drivers\kmixer.sys
Loaded driver \SystemRoot\system32\drivers\drmkaud.sys
Loaded driver \SystemRoot\system32\DRIVERS\mrxdav.sys
Loaded driver \SystemRoot\System32\Drivers\ParVdm.SYS
Did not load driver \SystemRoot\System32\Drivers\Serial.SYS
Loaded driver \SystemRoot\system32\DRIVERS\srv.sys
Did not load driver \SystemRoot\system32\DRIVERS\ipnat.sys
Loaded driver \SystemRoot\System32\Drivers\HTTP.sys
Loaded driver \??\C:\Program Files\SUPERAntiSpyware\SASENUM.SYS
#6
Posted 17 July 2009 - 10:23 PM
Not going to be able to fix this unless you can get this file replaced with a known good one.
This has to be fixed so we can finish cleaning up.
You have an infected copy of c:\windows\system32\drivers\tcpip.sys. Do you have the Windows XP CD or access to another XP SP3 computer to get one from?
#7
Posted 18 July 2009 - 05:16 AM
I replaced the TCPIP.SYS file (using expand D:\I386\TCPIP.SY_ C:\WINDOWS\SYSTEM32\DRIVERS\TCPIP.SYS), ran MalwareBytes, and it seems like the problem is gone! Search engines working fine, thanks!! Could I ask, which part of the logs identified that the TCPIP.SYS file was the infected one?
Lennox
Log below (it deleted avenger.exe upon restart - funny it didn't pick it up earlier though....):
Malwarebytes' Anti-Malware 1.39
Database version: 2421
Windows 5.1.2600 Service Pack 3
7/17/2009 11:18:36 PM
mbam-log-2009-07-17 (23-18-33).txt
Scan type: Full Scan (C:\|)
Objects scanned: 130255
Time elapsed: 21 minute(s), 43 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
c:\documents and settings\administrator\Desktop\avenger.exe (Trojan.Agent) -> No action taken.
#8
Posted 19 July 2009 - 01:38 AM
Combofix said it was. Please run Combofix again and post back the log again so that I can review it to make sure we're about done.
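As an added illustration of what "Combofix said it was" points at (this is not code from anyone in the thread or from ComboFix): a small Python triage script that pulls the three tell-tale entries out of the logs posted above, namely a module mapped from a \\?\globalroot path into winlogon.exe/explorer.exe, a Sigcheck line marked [-] (the unsigned tcpip.sys), and a boot-log driver whose root token is spelled unlike every other entry. The sample text is a constructed excerpt copied from the log lines in this thread; the casing check is a heuristic, not a rule.

```python
"""Triage helpers for ComboFix / ntbtlog text like the logs in this thread (added example)."""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample: a handful of lines copied from the ComboFix and boot logs above.
SAMPLE_LOG = r"""
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(1220)
geyekrpjxtedtf.dll 10000000 32768 \\?\globalroot\systemroot\system32\geyekrpjxtedtf.dll
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\cscdll.dll
- - - - - - - > 'explorer.exe'(2356)
geyekrpjxtedtf.dll 10000000 32768 \\?\globalroot\systemroot\system32\geyekrpjxtedtf.dll
c:\windows\system32\VBoxMRXNP.dll
------- Sigcheck -------
[-] 2008-05-05 18:38 361344 ACCF5A9A1FFAA490F33DBA1C632B95E1 c:\windows\system32\drivers\tcpip.sys
Loaded driver \SystemRoot\System32\DRIVERS\RDPCDD.sys
Loaded driver \systemroot\system32\drivers\geyekrnoqvdksc.sys
Loaded driver \SystemRoot\System32\Drivers\Msfs.SYS
Loaded driver \SystemRoot\System32\Drivers\Npfs.SYS
"""

PROCESS_RE = re.compile(r"^(?:- )+> '([^']+)'\((\d+)\)")
# "<name> <base> <size> \\?\globalroot\..." as ComboFix prints loaded modules
GLOBALROOT_MODULE_RE = re.compile(
    r"^(\S+)\s+[0-9A-Fa-f]+\s+\d+\s+(\\\\\?\\globalroot\\\S+)", re.IGNORECASE)
# "[-] <date> <time> <size> <md5> <path>" is ComboFix's failed-signature marker
SIGCHECK_FAIL_RE = re.compile(
    r"^\[-\]\s+(\d{4}-\d\d-\d\d \d\d:\d\d)\s+(\d+)\s+([0-9A-Fa-f]{32})\s+(.+)$")
BOOT_DRIVER_RE = re.compile(r"^Loaded driver (.+)$")


@dataclass(frozen=True)
class Finding:
    kind: str      # which detector fired
    path: str      # file the finding is about
    context: str   # host process, hash/size, or the expected spelling


def find_globalroot_modules(lines):
    """Modules mapped via \\?\globalroot, tagged with the process they sit in."""
    findings, process = [], "?"
    for line in lines:
        m = PROCESS_RE.match(line)
        if m:
            process = f"{m.group(1)}({m.group(2)})"
            continue
        m = GLOBALROOT_MODULE_RE.match(line)
        if m:
            findings.append(Finding("globalroot-module", m.group(2), process))
    return findings


def find_sigcheck_failures(lines):
    """System files ComboFix could not verify (the [-] Sigcheck entries)."""
    findings = []
    for line in lines:
        m = SIGCHECK_FAIL_RE.match(line)
        if m:
            ctx = f"md5={m.group(3).lower()} size={m.group(2)}"
            findings.append(Finding("sigcheck-failed", m.group(4).strip(), ctx))
    return findings


def find_odd_root_drivers(lines):
    """Heuristic: take the majority spelling of each root token (e.g. 'SystemRoot')
    among 'Loaded driver' lines and report entries that spell it differently."""
    entries = []
    for line in lines:
        m = BOOT_DRIVER_RE.match(line)
        if m and m.group(1).startswith("\\"):
            path = m.group(1).strip()
            entries.append((path, path.split("\\")[1]))
    spellings = {}
    for _, root in entries:
        spellings.setdefault(root.lower(), Counter())[root] += 1
    findings = []
    for path, root in entries:
        norm = spellings[root.lower()].most_common(1)[0][0]
        if root != norm:
            findings.append(Finding("driver-root-casing", path, f"expected {norm}"))
    return findings


def triage(text):
    """Run all three detectors over raw log text and return the findings."""
    lines = text.splitlines()
    return (find_globalroot_modules(lines)
            + find_sigcheck_failures(lines)
            + find_odd_root_drivers(lines))


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind:20} {f.path}  [{f.context}]")
```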
#10
Posted 21 July 2009 - 04:42 PM
Apologies - out of range for a couple of days. Here is the latest Combofix log (upgraded to the latest Combofix) - seems like the file is still there.
ComboFix 09-07-20.05 - Administrator 07/21/2009 12:17.6.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1646 [GMT -4:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
.
((((((((((((((((((((((((( Files Created from 2009-06-21 to 2009-07-21 )))))))))))))))))))))))))))))))
.
2009-07-18 02:33 . 2009-07-18 02:33 -------- d-----w- c:\program files\Growl for Windows
2009-07-17 16:21 . 2009-07-17 16:21 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Stardock
2009-07-16 01:20 . 2009-07-21 15:07 117760 ----a-w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-07-16 01:03 . 2009-07-16 01:03 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\SUPERAntiSpyware.com
2009-07-16 01:03 . 2009-07-16 01:03 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-07-16 01:03 . 2009-07-16 01:03 -------- d-----w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2009-07-16 01:03 . 2009-07-16 01:03 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-07-15 04:41 . 2009-07-15 04:41 -------- d-----w- c:\documents and settings\Administrator\DoctorWeb
2009-07-15 03:50 . 2009-07-15 03:50 -------- d-----w- c:\program files\Trend Micro
2009-07-15 02:40 . 2009-07-15 02:40 -------- d-----w- c:\windows\Sun
2009-07-15 01:26 . 2009-07-15 01:26 -------- d-----w- c:\windows\system32\wbem\snmp
2009-07-15 01:26 . 2009-07-15 01:26 -------- d-----w- c:\windows\system32\oobe
2009-07-15 01:26 . 2009-07-15 01:26 -------- d-----w- c:\windows\srchasst
2009-07-15 01:26 . 2009-07-15 01:26 -------- d-----w- c:\windows\system32\xircom
2009-07-15 01:25 . 2009-07-15 01:25 -------- d-----w- c:\program files\microsoft frontpage
2009-07-14 23:02 . 2009-07-14 23:02 0 ----a-w- c:\windows\system32\cd.dat
2009-07-14 18:14 . 2009-07-18 03:15 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Temp
2009-07-14 17:40 . 2009-07-14 17:59 -------- d--h--w- C:\$AVG8.VAULT$
2009-07-10 14:56 . 2009-07-10 14:56 195472 ----a-w- c:\windows\system32\drivers\VBoxSF.sys
2009-07-10 14:55 . 2009-07-10 14:55 1059344 ----a-w- c:\windows\system32\VBoxService.exe
2009-07-10 14:55 . 2009-07-10 14:55 588304 ----a-w- c:\windows\system32\VBoxOGLfeedbackspu.dll
2009-07-10 14:55 . 2009-07-10 14:55 1346064 ----a-w- c:\windows\system32\VBoxOGLpackspu.dll
2009-07-10 14:55 . 2009-07-10 14:55 109072 ----a-w- c:\windows\system32\VBoxOGLpassthroughspu.dll
2009-07-10 14:55 . 2009-07-10 14:55 432656 ----a-w- c:\windows\system32\VBoxOGLarrayspu.dll
2009-07-10 14:55 . 2009-07-10 14:55 305680 ----a-w- c:\windows\system32\VBoxOGL.dll
2009-07-10 14:55 . 2009-07-10 14:55 65552 ----a-w- c:\windows\system32\VBoxHook.dll
2009-07-10 14:55 . 2009-07-10 14:55 645648 ----a-w- c:\windows\system32\VBoxGINA.dll
2009-07-10 14:54 . 2009-07-10 14:54 145936 ----a-w- c:\windows\system32\VBoxOGLerrorspu.dll
2009-07-10 14:54 . 2009-07-10 14:54 203280 ----a-w- c:\windows\system32\VBoxOGLcrutil.dll
2009-07-08 15:44 . 2009-07-08 15:44 -------- d-----w- c:\program files\Markus Mohnen
2009-07-08 15:38 . 2009-07-08 15:38 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Growl
2009-07-08 15:02 . 2009-07-08 15:02 -------- d-----w- c:\program files\SopCast
2009-07-08 14:49 . 2009-07-08 14:50 -------- d-----w- c:\program files\TVAnts
2009-07-08 14:43 . 2009-07-08 14:43 -------- d-----w- c:\documents and settings\Administrator\LocalLow
2009-07-08 14:43 . 2009-07-08 14:43 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\TVU Networks
2009-07-08 14:43 . 2009-07-08 14:43 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\TVU Networks
2009-07-07 23:48 . 2009-07-07 02:44 937984 ----a-w- c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\2epl54kr.Donny\extensions\piclens@cooliris.com\libs\PicLensHelper.exe
2009-07-07 23:48 . 2009-07-07 02:44 103424 ----a-w- c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\2epl54kr.Donny\extensions\piclens@cooliris.com\libs\pixomatic.dll
2009-07-07 23:48 . 2009-07-07 02:44 65536 ----a-w- c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\2epl54kr.Donny\extensions\piclens@cooliris.com\components\coolirisstub.dll
2009-07-07 23:48 . 2009-07-07 02:44 106496 ----a-w- c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\2epl54kr.Donny\extensions\piclens@cooliris.com\plugins\npcoolirisplugin.dll
2009-07-07 23:48 . 2009-07-07 02:44 4722688 ----a-w- c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\2epl54kr.Donny\extensions\piclens@cooliris.com\libs\cooliris19.dll
2009-07-07 23:48 . 2009-07-07 02:44 344064 ----a-w- c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\2epl54kr.Donny\extensions\piclens@cooliris.com\libs\LaunchCooliris.exe
2009-07-03 22:37 . 2009-07-03 22:39 -------- d-----w- c:\documents and settings\Administrator\Ekahau Site Survey
2009-07-03 22:35 . 2009-07-03 22:54 -------- d-----w- c:\program files\Ekahau
2009-07-01 04:08 . 2009-07-15 02:45 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Phanfare2
2009-07-01 04:08 . 2009-06-29 18:23 172032 ----a-w- c:\windows\system32\Phanfare Screensaver.scr
2009-07-01 04:08 . 2009-06-29 18:22 323624 ----a-w- c:\windows\system32\wiaaut.dll
2009-07-01 04:07 . 2009-07-15 03:41 327968 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-07-01 04:02 . 2009-07-01 04:02 -------- d-----w- c:\windows\system32\XPSViewer
2009-07-01 04:00 . 2009-07-01 04:00 -------- d-----w- c:\program files\Reference Assemblies
2009-07-01 03:58 . 2006-06-29 17:07 14048 ------w- c:\windows\system32\spmsg2.dll
2009-07-01 03:57 . 2006-06-29 17:07 22752 ----a-w- c:\windows\system32\spupdsvc.exe
2009-07-01 03:03 . 2009-07-01 03:50 -------- d-----w- c:\documents and settings\Administrator\Application Data\Desktopicon
2009-07-01 03:01 . 2009-07-01 03:02 -------- d-----w- c:\program files\FormatFactory
2009-06-30 23:54 . 2009-05-07 12:23 63488 ----a-w- c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\2epl54kr.Donny\extensions\{340c2bbc-ce74-4362-90b5-7c26312808ef}\platform\WINNT_x86-msvc\components\WeaveCrypto.dll
2009-06-30 21:27 . 2009-06-30 21:27 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-06-30 21:27 . 2009-06-30 21:27 -------- d-----w- c:\program files\Java
2009-06-30 21:25 . 2009-06-30 21:25 152576 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\jre1.6.0_14\lzma.dll
2009-06-30 02:25 . 2009-07-03 22:38 57164 ---ha-w- c:\windows\system32\mlfcache.dat
2009-06-28 06:36 . 2009-06-28 06:36 -------- d-----w- c:\program files\AnyBizSoft
2009-06-28 06:31 . 2009-06-28 06:31 -------- d-----w- c:\documents and settings\Administrator\Application Data\Stardock
2009-06-28 06:31 . 2009-06-28 06:31 -------- dc-h--w- c:\docume~1\ALLUSE~1\APPLIC~1\{067CEB81-A49B-4597-9505-A5515881D672}
2009-06-28 06:31 . 2009-06-28 06:31 -------- d-----w- c:\program files\Stardock
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-18 03:15 . 2009-04-20 12:13 -------- d-----w- c:\program files\Google
2009-07-17 16:03 . 2009-04-20 12:11 -------- d-----w- c:\program files\Everything
2009-07-17 16:03 . 2009-04-20 12:13 -------- d-----w- c:\documents and settings\Administrator\Application Data\Free Download Manager
2009-07-17 16:03 . 2009-05-05 12:21 -------- d-----w- c:\documents and settings\Administrator\Application Data\uTorrent
2009-07-15 19:18 . 2009-04-20 13:43 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-07-15 01:03 . 2009-04-20 12:36 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-07-13 17:36 . 2009-04-20 12:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-13 17:36 . 2009-04-20 12:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-10 14:56 . 2008-11-21 18:30 84496 ----a-w- c:\windows\system32\vbcoinst.dll
2009-07-10 14:56 . 2008-11-21 18:30 641552 ----a-w- c:\windows\system32\VBoxControl.exe
2009-07-10 14:56 . 2008-11-21 18:30 39376 ----a-w- c:\windows\system32\drivers\VBoxGuest.sys
2009-07-10 14:56 . 2008-11-21 18:30 1026576 ----a-w- c:\windows\system32\VBoxTray.exe
2009-07-10 14:56 . 2008-11-21 18:30 63632 ----a-w- c:\windows\system32\VBoxDisp.dll
2009-07-10 14:56 . 2008-11-21 18:30 57872 ----a-w- c:\windows\system32\drivers\VBoxVideo.sys
2009-07-10 14:56 . 2008-11-21 18:29 39888 ----a-w- c:\windows\system32\drivers\VBoxMouse.sys
2009-07-10 14:55 . 2008-11-21 18:28 645648 ----a-w- c:\windows\system32\VBoxMRXNP.dll
2009-07-01 04:26 . 2009-04-16 10:32 70400 ----a-w- c:\windows\system32\GDIPFONTCACHEV1.DAT
2009-07-01 04:07 . 2009-04-16 07:10 -------- d-----w- c:\program files\MSBuild
2009-06-26 04:13 . 2009-05-30 16:24 -------- d-----w- c:\program files\Digsby
2009-06-26 04:00 . 2009-04-20 12:05 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-06-26 04:00 . 2009-04-20 12:05 327688 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-06-26 04:00 . 2009-04-20 12:05 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-06-19 21:36 . 2009-06-19 21:36 -------- d-----w- c:\program files\Common Files\Deterministic Networks
2009-06-19 21:36 . 2009-06-19 21:36 -------- d-----w- c:\program files\Juniper
2009-06-19 21:35 . 2009-06-19 21:35 -------- d-----w- c:\program files\Common Files\InstallShield
2009-06-11 06:29 . 2009-06-11 06:29 -------- d-----w- c:\program files\Common Files\Blackbaud
2009-06-11 06:27 . 2009-06-11 06:27 -------- d-----w- c:\program files\Blackbaud
2009-06-11 05:16 . 2009-06-11 05:16 -------- d-----w- c:\program files\Common Files\Business Objects
2009-06-11 05:16 . 2009-06-11 05:16 -------- d-----w- c:\program files\Business Objects
2009-06-11 05:14 . 2009-06-11 05:14 -------- d-----w- c:\program files\MSXML 4.0
2009-06-01 14:36 . 2009-06-04 06:17 3184128 ----a-w- c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\2epl54kr.Donny\extensions\{0b457cAA-602d-484a-8fe7-c1d894a011ba}\library\SSS.dll
2009-05-30 18:27 . 2009-05-30 18:27 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Digsby
2009-05-30 16:45 . 2009-05-30 16:24 -------- d-----w- c:\documents and settings\Administrator\Application Data\Digsby
2009-05-08 02:55 . 2009-04-20 12:05 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-05-04 19:03 . 2009-05-04 19:03 59904 ----a-w- c:\windows\system32\zlib1.dll
2009-05-04 18:53 . 2009-05-04 18:53 286720 ----a-w- c:\windows\system32\libcurl.dll
2009-05-04 18:53 . 2009-05-04 18:53 196608 ----a-w- c:\windows\system32\ssleay32.dll
2009-05-04 18:53 . 2009-05-04 18:53 1028096 ----a-w- c:\windows\system32\libeay32.dll
2009-05-04 18:53 . 2009-05-04 18:53 143360 ----a-w- c:\windows\system32\libexpatw.dll
2009-04-23 04:47 . 2009-06-04 06:17 28672 ----a-w- c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\2epl54kr.Donny\extensions\{0b457cAA-602d-484a-8fe7-c1d894a011ba}\platform\WINNT_x86-msvc\components\SSSLauncher.dll
2009-06-24 13:26 . 2009-04-16 09:47 137208 ----a-w- c:\program files\mozilla firefox\components\brwsrcmp.dll
2008-05-05 20:14 . 2008-12-01 20:22 34048 ----a-w- c:\program files\opera\program\plugins\upd62i9x.dll
2008-05-05 20:14 . 2008-12-01 20:22 45056 ----a-w- c:\program files\opera\program\plugins\upd62int.dll
.
------- Sigcheck -------
[-] 2008-05-05 18:38 361344 ACCF5A9A1FFAA490F33DBA1C632B95E1 c:\windows\system32\drivers\tcpip.sys
.
((((((((((((((((((((((((((((( SnapShot@2009-07-17_02.02.53 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-07-21 16:16 . 2009-07-21 16:16 16384 c:\windows\temp\Perflib_Perfdata_3d0.dat
+ 2008-05-06 12:00 . 2009-07-21 16:20 66148 c:\windows\system32\perfc009.dat
- 2008-05-06 12:00 . 2009-07-17 01:44 66148 c:\windows\system32\perfc009.dat
+ 2009-07-14 17:45 . 2009-07-21 16:15 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2009-07-14 17:45 . 2009-07-17 01:40 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2009-07-14 17:45 . 2009-07-21 16:15 16384 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2009-07-14 17:45 . 2009-07-17 01:40 16384 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2009-07-14 17:45 . 2009-07-17 01:40 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2009-07-14 17:45 . 2009-07-21 16:15 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2009-07-18 03:15 . 2009-07-18 03:15 47104 c:\windows\Installer\2c856f.msi
+ 2009-07-18 02:33 . 2009-07-18 02:33 9662 c:\windows\Installer\{8870D0D8-4427-49BC-A0E7-ABAE34227983}\_D679D4221C9B860547047F.exe
+ 2009-07-18 02:33 . 2009-07-18 02:33 9662 c:\windows\Installer\{8870D0D8-4427-49BC-A0E7-ABAE34227983}\_C7AC1C9AA4412B85789A75.exe
+ 2009-07-18 02:33 . 2009-07-18 02:33 9662 c:\windows\Installer\{8870D0D8-4427-49BC-A0E7-ABAE34227983}\_6FEFF9B68218417F98F549.exe
+ 2008-05-06 12:00 . 2009-07-21 16:20 428224 c:\windows\system32\perfh009.dat
- 2008-05-06 12:00 . 2009-07-17 01:44 428224 c:\windows\system32\perfh009.dat
+ 2009-07-18 02:33 . 2009-07-18 02:33 424960 c:\windows\Installer\5a6a3.msi
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F9E4A054-E9B1-4BC3-83A3-76A1AE736170}]
2009-05-08 04:46 218160 ----a-w- c:\program files\Hotspot Shield\hssie\HssIE.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MoeMonitor.exe"="c:\documents and settings\Administrator\Local Settings\Application Data\Microsoft\Live Mesh\Bin\Servicing\0.9.4014.7\MoeMonitor.exe" [2009-07-03 1315152]
"LClock"="c:\program files\LClock\LClock.exe" [2004-09-19 65536]
"Growl"="c:\program files\Growl for Windows\Growl.exe" [2009-07-17 1171456]
"Gmail Growl"="c:\program files\Markus Mohnen\Gmail Growl\gmailgrowl.exe" [2009-06-04 900489]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-06-23 1830128]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VBoxTray"="c:\windows\system32\VBoxTray.exe" [2009-07-10 1026576]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-26 31016]
"PostCopy"="c:\windows\system32\BELKIN\F5D5050\PostCopy.exe" [2001-07-25 20480]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-06-26 1948440]
"Everything"="c:\program files\Everything\Everything.exe" [2009-03-13 602624]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-06-30 148888]
c:\documents and settings\Administrator\Start Menu\Programs\Startup\
MagicDisc.lnk - c:\program files\MagicDisc\MagicDisc.exe [2009-4-16 534016]
c:\docume~1\ALLUSE~1\STARTM~1\Programs\Startup\
NetScreen-Remote.lnk - c:\program files\Juniper\NetScreen-Remote\SafeCfg.exe [2009-6-19 77876]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"= 1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"MemCheckBoxInRunDlg"= 1 (0x1)
"StartMenuFavorites"= 0 (0x0)
"Start_ShowMyComputer"= 1 (0x1)
"Start_ShowMyDocs"= 1 (0x1)
"Start_ShowMyMusic"= 0 (0x0)
"Start_ShowRun"= 1 (0x1)
"Start_ShowSearch"= 0 (0x0)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)
"MemCheckBoxInRunDlg"= 1 (0x1)
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"= 1 (0x1)
"ForceClassicControlPanel"= 1 (0x1)
"NoResolveTrack"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)
"MemCheckBoxInRunDlg"= 1 (0x1)
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\SharedTaskScheduler]
"{EC654325-1273-C2A9-2B7C-45A29BCE2FBD}"= "c:\program files\Stardock\Fences\DesktopDock.dll" [2009-02-25 517480]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 16:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wlcrdplauncher]
2009-07-03 19:41 21840 ----a-w- c:\program files\Live Mesh\Remote Desktop\wlcrdplauncher.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-06-26 04:00 11952 ----a-w- c:\windows\system32\avgrsstx.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"e:\\Program Files\\Phanfare\\Phanfare.exe"=
"c:\\Program Files\\Live Mesh\\Remote Desktop\\wlcrasvc.exe"=
"c:\\Documents and Settings\\Administrator\\Local Settings\\Application Data\\Microsoft\\Live Mesh\\GacBase\\Moe.exe"=
"c:\\Program Files\\Juniper\\NetScreen-Remote\\IreIKE.exe"=
"c:\program files\Juniper\NetScreen-Remote\ViewLog.exe"= c:\program files\Juniper\NetScreen-Remote\ViewLog.exe:127.0.0.1/255.255.255.255:Enabled:ViewLog
"c:\program files\Juniper\NetScreen-Remote\CmonApp.exe"= c:\program files\Juniper\NetScreen-Remote\CmonApp.exe:127.0.0.1/255.255.255.255:Enabled:CMonApp
"c:\program files\Juniper\NetScreen-Remote\vpn.exe"= c:\program files\Juniper\NetScreen-Remote\vpn.exe:127.0.0.1/255.255.255.255:Enabled:VPN Connection Manager
R0 VBoxGuest;VirtualBox Guest Driver;c:\windows\system32\drivers\VBoxGuest.sys [11/21/2008 2:30 PM 39376]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [4/20/2009 8:05 AM 327688]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [4/20/2009 8:05 AM 108552]
R1 IPSECDRV;SafeNet IPSec Plugin;c:\windows\system32\drivers\IpSecDrv.sys [6/19/2009 5:37 PM 138296]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [6/23/2009 11:01 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [6/23/2009 11:01 AM 72944]
R1 VBoxSF;VirtualBox Shared Folders;c:\windows\system32\drivers\VBoxSF.sys [7/10/2009 10:56 AM 195472]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [4/20/2009 8:05 AM 298776]
R2 Crypto;Crypto;c:\windows\system32\drivers\Crypto.sys [6/19/2009 5:37 PM 536634]
R2 Ekauio;Ekahau NDIS Usermode I/O Protocol;c:\windows\system32\drivers\ekauio.sys [4/7/2009 8:45 AM 12416]
R2 HssSrv;Hotspot Shield Helper Service;c:\program files\Hotspot Shield\HssWPR\hsssrv.exe [4/21/2009 9:12 PM 328752]
R2 VBoxService;VirtualBox Guest Additions Service;system32\VBoxService.exe --> system32\VBoxService.exe [?]
R2 wlcrasvc;Live Mesh Remote Desktop;c:\program files\Live Mesh\Remote Desktop\wlcrasvc.exe [4/16/2009 6:24 AM 44880]
R3 DniVap;SafeNet WAN Miniport (VA);c:\windows\system32\drivers\vap.sys [6/19/2009 5:36 PM 29184]
R3 RDPDISPM;RDPDISPM;c:\windows\system32\drivers\rdpdispm.sys [4/16/2009 6:24 AM 9024]
R3 RDPVDD;RDPVDD;c:\windows\system32\drivers\rdpvmp.sys [4/16/2009 6:24 AM 19392]
R3 VBoxMouse;VirtualBox Guest Mouse Service;c:\windows\system32\drivers\VBoxMouse.sys [11/21/2008 2:29 PM 39888]
R3 VBoxVideo;VBoxVideo;c:\windows\system32\drivers\VBoxVideo.sys [11/21/2008 2:30 PM 57872]
R3 vmmouse;VMware Pointing Device;c:\windows\system32\drivers\vmmouse.sys [12/1/2008 4:09 PM 11568]
S2 gupdate1c9c1b183ad1450;Google Update Service (gupdate1c9c1b183ad1450);c:\program files\Google\Update\GoogleUpdate.exe [4/20/2009 8:14 AM 133104]
S3 HssTrayService;Hotspot Shield Tray Service;c:\program files\Hotspot Shield\bin\HssTrayService.exe [4/22/2009 5:34 PM 34352]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [6/23/2009 11:01 AM 7408]
S3 vmxnet;VMware Ethernet Adapter Driver;c:\windows\system32\drivers\vmxnet.sys [12/1/2008 4:09 PM 29488]
S4 zlportio;zlportio;\??\g:\zlportio.sys --> g:\zlportio.sys [?]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.teezcricket.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mStart Page = hxxp://www.google.com
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: Download all with Free Download Manager - file://c:\program files\Free Download Manager\dlall.htm
IE: Download selected with Free Download Manager - file://c:\program files\Free Download Manager\dlselected.htm
IE: Download video with Free Download Manager - file://c:\program files\Free Download Manager\dlfvideo.htm
IE: Download with Free Download Manager - file://c:\program files\Free Download Manager\dllink.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\docume~1\ADMINI~1\APPLIC~1\Mozilla\Firefox\Profiles\2epl54kr.Donny\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/|http://ebiss/default.aspx|http://studywiz.biss.com.cn/|https://ibis.ibo.org/index.cfm|https://web4.ibo.org/ibnet/|http://online.ibo.org/ibis/occ/guest/home.cfm|http://docs.google.com/#not-in-folders|https://secure.members.easynews.com/global4/search.html?fly=1|http://www.abc.net.au/news/|http://www.google.com/reader/shared/10493336563511901340|http://www.newser.com/
FF - component: c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\2epl54kr.Donny\extensions\{0b457cAA-602d-484a-8fe7-c1d894a011ba}\platform\WINNT_x86-msvc\components\SSSLauncher.dll
FF - component: c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\2epl54kr.Donny\extensions\{340c2bbc-ce74-4362-90b5-7c26312808ef}\platform\WINNT_x86-msvc\components\WeaveCrypto.dll
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: c:\program files\Free Download Manager\Firefox\Extension\components\vmsfdmff.dll
FF - component: c:\program files\Google\Google Gears\Firefox\lib\ff35\gears.dll
FF - plugin: c:\program files\Google\Update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npFoxitReaderPlugin.dll
---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-21 12:32
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files:
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(1220)
geyekrpjxtedtf.dll 10000000 32768 \\?\globalroot\systemroot\system32\geyekrpjxtedtf.dll
c:\program files\SUPERAntiSpyware\SASWINLO.dll
.
Completion time: 2009-07-21 12:38
ComboFix-quarantined-files.txt 2009-07-21 16:38
ComboFix2.txt 2009-07-17 16:27
ComboFix3.txt 2009-07-17 02:07
ComboFix4.txt 2009-07-15 06:58
Pre-Run: 1,785,806,848 bytes free
Post-Run: 1,788,710,912 bytes free
332
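The log above carries several indicator classes worth pulling out mechanically before anyone reads 2,000 lines by hand: a DLL in winlogon.exe whose backing file is reported through \\?\globalroot rather than a normal drive path (the Trojan.TDSS hit), services whose binary ComboFix could not stat (the "--> path [?]" form, including one on a removable g: drive), a Sigcheck entry marked [-], Security Center overrides, the Windows Firewall standard profile switched off, and an IE start page pointing at an unexpected host. The script below is an added example for this thread, not ComboFix code and not something the poster ran; it assumes the www.google.com home page as the expected one (from the mStart Page line) and the category names are its own. The sample lines are copied from the log above, with one clean service line and one clean module line as negative controls.

```python
"""Triage ComboFix-style log text for the indicator classes seen in the log above.

Added example for this thread; it is not ComboFix code and not from the poster.
"""
import re
from dataclasses import dataclass


@dataclass
class Finding:
    category: str
    process: str  # owning process for module hits, "" otherwise
    line: str
    reason: str


# Process header that precedes each module list ("- - - - - - - > 'winlogon.exe'(1220)").
PROCESS_HDR_RE = re.compile(r"^(?:- )+> '([^']+)'\((\d+)\)")
# "name base size path" under "DLLs Loaded Under Running Processes".
MODULE_RE = re.compile(r"^(\S+\.dll)\s+[0-9A-Fa-f]{8}\s+\d+\s+(.+)$")
# "R2 name;display;path [date size]" or "... --> path [?]" when the file could not be stat'ed.
SERVICE_RE = re.compile(r"^[RS]\d\s+[^;]+;[^;]*;(.+)$")
# Sigcheck entry marked [-] (hash not verified): "[-] date time size MD5 path".
SIGCHECK_FAIL_RE = re.compile(r"^\[-\]\s+\S+\s+\S+\s+\d+\s+([0-9A-Fa-f]{32})\s+(.+)$")
OVERRIDE_RE = re.compile(r'^"(AntiVirusOverride|FirewallOverride)"=dword:0*1$')
FIREWALL_OFF_RE = re.compile(r'^"EnableFirewall"=\s*0\b')
# ComboFix defangs http:// as hxxp://.
START_PAGE_RE = re.compile(r"^[um]Start Page = hxxps?://([^/\s]+)", re.IGNORECASE)

# A loader normally reports c:\windows\system32\...; a module whose backing file
# only shows up through the NT object-manager namespace is being hidden from
# the ordinary file namespace.
GLOBALROOT = r"\\?\globalroot".lower()
# Assumption: the home page the user expects (mStart Page in the log is google).
EXPECTED_START_HOSTS = {"www.google.com"}


def triage(lines):
    """Return one Finding per suspicious line, in log order."""
    findings = []
    process = ""
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        if m := PROCESS_HDR_RE.match(line):
            process = m.group(1)
        elif (m := MODULE_RE.match(line)) and GLOBALROOT in m.group(2).lower():
            findings.append(Finding("injected-module", process, line,
                                    r"backing file reported via \\?\globalroot; hidden from the normal namespace"))
        elif (m := SERVICE_RE.match(line)) and m.group(1).endswith("[?]"):
            findings.append(Finding("unresolved-service", "", line,
                                    "ComboFix could not stat the service binary; check it exists and is signed"))
        elif m := SIGCHECK_FAIL_RE.match(line):
            findings.append(Finding("sigcheck-mismatch", "", line,
                                    f"{m.group(2)} md5 {m.group(1).lower()} not verified; compare with a clean copy"))
        elif OVERRIDE_RE.match(line):
            findings.append(Finding("security-center-override", "", line,
                                    "Security Center told to ignore AV/firewall state"))
        elif FIREWALL_OFF_RE.match(line):
            findings.append(Finding("firewall-disabled", "", line,
                                    "Windows Firewall standard profile is off"))
        elif (m := START_PAGE_RE.match(line)) and m.group(1).lower() not in EXPECTED_START_HOSTS:
            findings.append(Finding("start-page-hijack", "", line,
                                    f"start page points at {m.group(1)}"))
    return findings


def summarize(findings):
    """Count findings per category; the first thing a helper looks at."""
    counts = {}
    for f in findings:
        counts[f.category] = counts.get(f.category, 0) + 1
    return counts


# Constructed sample: lines copied from the ComboFix log posted above, plus a
# clean service line and a clean module line as negative controls.
SAMPLE_LOG = r"""
R1 VBoxSF;VirtualBox Shared Folders;c:\windows\system32\drivers\VBoxSF.sys [7/10/2009 10:56 AM 195472]
R2 VBoxService;VirtualBox Guest Additions Service;system32\VBoxService.exe --> system32\VBoxService.exe [?]
S4 zlportio;zlportio;\??\g:\zlportio.sys --> g:\zlportio.sys [?]
uStart Page = hxxp://www.teezcricket.com/
mStart Page = hxxp://www.google.com
[-] 2008-05-05 18:38 361344 ACCF5A9A1FFAA490F33DBA1C632B95E1 c:\windows\system32\drivers\tcpip.sys
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
"EnableFirewall"= 0 (0x0)
- - - - - - - > 'winlogon.exe'(1220)
geyekrpjxtedtf.dll 10000000 32768 \\?\globalroot\systemroot\system32\geyekrpjxtedtf.dll
c:\program files\SUPERAntiSpyware\SASWINLO.dll
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG.splitlines()):
        owner = f"[{f.process}] " if f.process else ""
        print(f"{f.category:25} {owner}{f.line}\n{'':25} -> {f.reason}")
    print(summarize(triage(SAMPLE_LOG.splitlines())))
```

Feed it the whole ComboFix log (`triage(open("ComboFix.txt").read().splitlines())`) and read the output as a worklist, not a verdict: the `[?]` on VBoxService is a relative service path that ComboFix could not resolve, and a `[-]` on tcpip.sys only says the hash is not in ComboFix's reference set, so each hit still needs a human to confirm. The one finding that needs no debate is a module in winlogon.exe whose only path is through \\?\globalroot: that is the file the on-disk scanners keep failing to delete, and it is why a tool that reads the disk below the filter driver (or an offline scan from outside the guest) is the next step rather than another run of the same scanners.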
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-21 12:32
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files:
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(1220)
geyekrpjxtedtf.dll 10000000 32768 \\?\globalroot\systemroot\system32\geyekrpjxtedtf.dll
c:\program files\SUPERAntiSpyware\SASWINLO.dll
.
Completion time: 2009-07-21 12:38
ComboFix-quarantined-files.txt 2009-07-21 16:38
ComboFix2.txt 2009-07-17 16:27
ComboFix3.txt 2009-07-17 02:07
ComboFix4.txt 2009-07-15 06:58
Pre-Run: 1,785,806,848 bytes free
Post-Run: 1,788,710,912 bytes free
#11
Posted 22 July 2009 - 04:14 AM
Have run ComboFix again from XP Safe Mode with the script from before, restarted the machine, then ran MalwareBytes again. Seems like the file is gone, as is tcpip.sys. Missing tcpip.sys doesn't seem to be making any difference to my machine, which may be because it is running inside of VirtualBox. Here are the logs:
ComboFix 09-07-21.01 - Administrator 07/21/2009 21:55.7.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1643 [GMT -4:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Administrator\Desktop\CFscript.txt
FILE ::
"c:\windows\system32\geyekrpjxtedtf.dll"
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\system32\tcpip.sys
.
((((((((((((((((((((((((( Files Created from 2009-06-22 to 2009-07-22 )))))))))))))))))))))))))))))))
.
2009-07-18 02:33 . 2009-07-18 02:33 -------- d-----w- c:\program files\Growl for Windows
2009-07-17 16:21 . 2009-07-17 16:21 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Stardock
2009-07-16 01:20 . 2009-07-22 00:08 117760 ----a-w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-07-16 01:03 . 2009-07-16 01:03 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\SUPERAntiSpyware.com
2009-07-16 01:03 . 2009-07-16 01:03 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-07-16 01:03 . 2009-07-16 01:03 -------- d-----w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2009-07-16 01:03 . 2009-07-16 01:03 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-07-15 04:41 . 2009-07-15 04:41 -------- d-----w- c:\documents and settings\Administrator\DoctorWeb
2009-07-15 03:50 . 2009-07-15 03:50 -------- d-----w- c:\program files\Trend Micro
2009-07-15 02:40 . 2009-07-15 02:40 -------- d-----w- c:\windows\Sun
2009-07-15 01:26 . 2009-07-15 01:26 -------- d-----w- c:\windows\system32\wbem\snmp
2009-07-15 01:26 . 2009-07-15 01:26 -------- d-----w- c:\windows\system32\oobe
2009-07-15 01:26 . 2009-07-15 01:26 -------- d-----w- c:\windows\srchasst
2009-07-15 01:26 . 2009-07-15 01:26 -------- d-----w- c:\windows\system32\xircom
2009-07-15 01:25 . 2009-07-15 01:25 -------- d-----w- c:\program files\microsoft frontpage
2009-07-14 23:02 . 2009-07-14 23:02 0 ----a-w- c:\windows\system32\cd.dat
2009-07-14 18:14 . 2009-07-18 03:15 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Temp
2009-07-14 17:40 . 2009-07-21 17:55 -------- d--h--w- C:\$AVG8.VAULT$
2009-07-10 14:56 . 2009-07-10 14:56 195472 ----a-w- c:\windows\system32\drivers\VBoxSF.sys
2009-07-10 14:55 . 2009-07-10 14:55 1059344 ----a-w- c:\windows\system32\VBoxService.exe
2009-07-10 14:55 . 2009-07-10 14:55 588304 ----a-w- c:\windows\system32\VBoxOGLfeedbackspu.dll
2009-07-10 14:55 . 2009-07-10 14:55 1346064 ----a-w- c:\windows\system32\VBoxOGLpackspu.dll
2009-07-10 14:55 . 2009-07-10 14:55 109072 ----a-w- c:\windows\system32\VBoxOGLpassthroughspu.dll
2009-07-10 14:55 . 2009-07-10 14:55 432656 ----a-w- c:\windows\system32\VBoxOGLarrayspu.dll
2009-07-10 14:55 . 2009-07-10 14:55 305680 ----a-w- c:\windows\system32\VBoxOGL.dll
2009-07-10 14:55 . 2009-07-10 14:55 65552 ----a-w- c:\windows\system32\VBoxHook.dll
2009-07-10 14:55 . 2009-07-10 14:55 645648 ----a-w- c:\windows\system32\VBoxGINA.dll
2009-07-10 14:54 . 2009-07-10 14:54 145936 ----a-w- c:\windows\system32\VBoxOGLerrorspu.dll
2009-07-10 14:54 . 2009-07-10 14:54 203280 ----a-w- c:\windows\system32\VBoxOGLcrutil.dll
2009-07-08 15:44 . 2009-07-08 15:44 -------- d-----w- c:\program files\Markus Mohnen
2009-07-08 15:38 . 2009-07-08 15:38 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Growl
2009-07-08 15:02 . 2009-07-08 15:02 -------- d-----w- c:\program files\SopCast
2009-07-08 14:49 . 2009-07-08 14:50 -------- d-----w- c:\program files\TVAnts
2009-07-08 14:43 . 2009-07-08 14:43 -------- d-----w- c:\documents and settings\Administrator\LocalLow
2009-07-08 14:43 . 2009-07-08 14:43 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\TVU Networks
2009-07-08 14:43 . 2009-07-08 14:43 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\TVU Networks
2009-07-07 23:48 . 2009-07-07 02:44 937984 ----a-w- c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\2epl54kr.Donny\extensions\piclens@cooliris.com\libs\PicLensHelper.exe
2009-07-07 23:48 . 2009-07-07 02:44 103424 ----a-w- c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\2epl54kr.Donny\extensions\piclens@cooliris.com\libs\pixomatic.dll
2009-07-07 23:48 . 2009-07-07 02:44 65536 ----a-w- c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\2epl54kr.Donny\extensions\piclens@cooliris.com\components\coolirisstub.dll
2009-07-07 23:48 . 2009-07-07 02:44 106496 ----a-w- c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\2epl54kr.Donny\extensions\piclens@cooliris.com\plugins\npcoolirisplugin.dll
2009-07-07 23:48 . 2009-07-07 02:44 4722688 ----a-w- c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\2epl54kr.Donny\extensions\piclens@cooliris.com\libs\cooliris19.dll
2009-07-07 23:48 . 2009-07-07 02:44 344064 ----a-w- c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\2epl54kr.Donny\extensions\piclens@cooliris.com\libs\LaunchCooliris.exe
2009-07-03 22:37 . 2009-07-03 22:39 -------- d-----w- c:\documents and settings\Administrator\Ekahau Site Survey
2009-07-03 22:35 . 2009-07-03 22:54 -------- d-----w- c:\program files\Ekahau
2009-07-01 04:08 . 2009-07-21 23:22 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Phanfare2
2009-07-01 04:08 . 2009-06-29 18:23 172032 ----a-w- c:\windows\system32\Phanfare Screensaver.scr
2009-07-01 04:08 . 2009-06-29 18:22 323624 ----a-w- c:\windows\system32\wiaaut.dll
2009-07-01 04:07 . 2009-07-22 00:06 327968 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-07-01 04:02 . 2009-07-01 04:02 -------- d-----w- c:\windows\system32\XPSViewer
2009-07-01 04:00 . 2009-07-01 04:00 -------- d-----w- c:\program files\Reference Assemblies
2009-07-01 03:58 . 2006-06-29 17:07 14048 ------w- c:\windows\system32\spmsg2.dll
2009-07-01 03:57 . 2006-06-29 17:07 22752 ----a-w- c:\windows\system32\spupdsvc.exe
2009-07-01 03:03 . 2009-07-01 03:50 -------- d-----w- c:\documents and settings\Administrator\Application Data\Desktopicon
2009-07-01 03:01 . 2009-07-01 03:02 -------- d-----w- c:\program files\FormatFactory
2009-06-30 23:54 . 2009-05-07 12:23 63488 ----a-w- c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\2epl54kr.Donny\extensions\{340c2bbc-ce74-4362-90b5-7c26312808ef}\platform\WINNT_x86-msvc\components\WeaveCrypto.dll
2009-06-30 21:27 . 2009-06-30 21:27 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-06-30 21:27 . 2009-06-30 21:27 -------- d-----w- c:\program files\Java
2009-06-30 21:25 . 2009-06-30 21:25 152576 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\jre1.6.0_14\lzma.dll
2009-06-30 02:25 . 2009-07-03 22:38 57164 ---ha-w- c:\windows\system32\mlfcache.dat
2009-06-28 06:36 . 2009-06-28 06:36 -------- d-----w- c:\program files\AnyBizSoft
2009-06-28 06:31 . 2009-06-28 06:31 -------- d-----w- c:\documents and settings\Administrator\Application Data\Stardock
2009-06-28 06:31 . 2009-06-28 06:31 -------- dc-h--w- c:\docume~1\ALLUSE~1\APPLIC~1\{067CEB81-A49B-4597-9505-A5515881D672}
2009-06-28 06:31 . 2009-06-28 06:31 -------- d-----w- c:\program files\Stardock
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-22 00:13 . 2009-04-20 12:11 -------- d-----w- c:\program files\Everything
2009-07-21 23:22 . 2009-04-20 13:43 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-07-18 03:15 . 2009-04-20 12:13 -------- d-----w- c:\program files\Google
2009-07-17 16:03 . 2009-04-20 12:13 -------- d-----w- c:\documents and settings\Administrator\Application Data\Free Download Manager
2009-07-17 16:03 . 2009-05-05 12:21 -------- d-----w- c:\documents and settings\Administrator\Application Data\uTorrent
2009-07-15 01:03 . 2009-04-20 12:36 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-07-13 17:36 . 2009-04-20 12:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-13 17:36 . 2009-04-20 12:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-10 14:56 . 2008-11-21 18:30 84496 ----a-w- c:\windows\system32\vbcoinst.dll
2009-07-10 14:56 . 2008-11-21 18:30 641552 ----a-w- c:\windows\system32\VBoxControl.exe
2009-07-10 14:56 . 2008-11-21 18:30 39376 ----a-w- c:\windows\system32\drivers\VBoxGuest.sys
2009-07-10 14:56 . 2008-11-21 18:30 1026576 ----a-w- c:\windows\system32\VBoxTray.exe
2009-07-10 14:56 . 2008-11-21 18:30 63632 ----a-w- c:\windows\system32\VBoxDisp.dll
2009-07-10 14:56 . 2008-11-21 18:30 57872 ----a-w- c:\windows\system32\drivers\VBoxVideo.sys
2009-07-10 14:56 . 2008-11-21 18:29 39888 ----a-w- c:\windows\system32\drivers\VBoxMouse.sys
2009-07-10 14:55 . 2008-11-21 18:28 645648 ----a-w- c:\windows\system32\VBoxMRXNP.dll
2009-07-01 04:26 . 2009-04-16 10:32 70400 ----a-w- c:\windows\system32\GDIPFONTCACHEV1.DAT
2009-07-01 04:07 . 2009-04-16 07:10 -------- d-----w- c:\program files\MSBuild
2009-06-26 04:13 . 2009-05-30 16:24 -------- d-----w- c:\program files\Digsby
2009-06-26 04:00 . 2009-04-20 12:05 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-06-26 04:00 . 2009-04-20 12:05 327688 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-06-26 04:00 . 2009-04-20 12:05 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-06-19 21:36 . 2009-06-19 21:36 -------- d-----w- c:\program files\Common Files\Deterministic Networks
2009-06-19 21:36 . 2009-06-19 21:36 -------- d-----w- c:\program files\Juniper
2009-06-19 21:35 . 2009-06-19 21:35 -------- d-----w- c:\program files\Common Files\InstallShield
2009-06-11 06:29 . 2009-06-11 06:29 -------- d-----w- c:\program files\Common Files\Blackbaud
2009-06-11 06:27 . 2009-06-11 06:27 -------- d-----w- c:\program files\Blackbaud
2009-06-11 05:16 . 2009-06-11 05:16 -------- d-----w- c:\program files\Common Files\Business Objects
2009-06-11 05:16 . 2009-06-11 05:16 -------- d-----w- c:\program files\Business Objects
2009-06-11 05:14 . 2009-06-11 05:14 -------- d-----w- c:\program files\MSXML 4.0
2009-06-01 14:36 . 2009-06-04 06:17 3184128 ----a-w- c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\2epl54kr.Donny\extensions\{0b457cAA-602d-484a-8fe7-c1d894a011ba}\library\SSS.dll
2009-05-30 18:27 . 2009-05-30 18:27 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Digsby
2009-05-30 16:45 . 2009-05-30 16:24 -------- d-----w- c:\documents and settings\Administrator\Application Data\Digsby
2009-05-08 02:55 . 2009-04-20 12:05 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-05-04 19:03 . 2009-05-04 19:03 59904 ----a-w- c:\windows\system32\zlib1.dll
2009-05-04 18:53 . 2009-05-04 18:53 286720 ----a-w- c:\windows\system32\libcurl.dll
2009-05-04 18:53 . 2009-05-04 18:53 196608 ----a-w- c:\windows\system32\ssleay32.dll
2009-05-04 18:53 . 2009-05-04 18:53 1028096 ----a-w- c:\windows\system32\libeay32.dll
2009-05-04 18:53 . 2009-05-04 18:53 143360 ----a-w- c:\windows\system32\libexpatw.dll
2009-04-23 04:47 . 2009-06-04 06:17 28672 ----a-w- c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\2epl54kr.Donny\extensions\{0b457cAA-602d-484a-8fe7-c1d894a011ba}\platform\WINNT_x86-msvc\components\SSSLauncher.dll
2009-06-24 13:26 . 2009-04-16 09:47 137208 ----a-w- c:\program files\mozilla firefox\components\brwsrcmp.dll
2008-05-05 20:14 . 2008-12-01 20:22 34048 ----a-w- c:\program files\opera\program\plugins\upd62i9x.dll
2008-05-05 20:14 . 2008-12-01 20:22 45056 ----a-w- c:\program files\opera\program\plugins\upd62int.dll
.
------- Sigcheck -------
[-] 2008-05-05 18:38 361344 ACCF5A9A1FFAA490F33DBA1C632B95E1 c:\windows\system32\drivers\tcpip.sys
.
((((((((((((((((((((((((((((( SnapShot@2009-07-17_02.02.53 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-07-22 01:54 . 2009-07-22 01:54 16384 c:\windows\temp\Perflib_Perfdata_238.dat
+ 2008-05-06 12:00 . 2009-07-22 01:58 66148 c:\windows\system32\perfc009.dat
- 2008-05-06 12:00 . 2009-07-17 01:44 66148 c:\windows\system32\perfc009.dat
+ 2009-07-14 17:45 . 2009-07-22 01:53 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2009-07-14 17:45 . 2009-07-17 01:40 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2009-07-14 17:45 . 2009-07-22 01:53 16384 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2009-07-14 17:45 . 2009-07-17 01:40 16384 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2009-07-14 17:45 . 2009-07-17 01:40 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2009-07-14 17:45 . 2009-07-22 01:53 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2009-07-18 03:15 . 2009-07-18 03:15 47104 c:\windows\Installer\2c856f.msi
+ 2009-07-18 02:33 . 2009-07-18 02:33 9662 c:\windows\Installer\{8870D0D8-4427-49BC-A0E7-ABAE34227983}\_D679D4221C9B860547047F.exe
+ 2009-07-18 02:33 . 2009-07-18 02:33 9662 c:\windows\Installer\{8870D0D8-4427-49BC-A0E7-ABAE34227983}\_C7AC1C9AA4412B85789A75.exe
+ 2009-07-18 02:33 . 2009-07-18 02:33 9662 c:\windows\Installer\{8870D0D8-4427-49BC-A0E7-ABAE34227983}\_6FEFF9B68218417F98F549.exe
+ 2008-05-06 12:00 . 2009-07-22 01:58 428224 c:\windows\system32\perfh009.dat
- 2008-05-06 12:00 . 2009-07-17 01:44 428224 c:\windows\system32\perfh009.dat
+ 2009-07-18 02:33 . 2009-07-18 02:33 424960 c:\windows\Installer\5a6a3.msi
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F9E4A054-E9B1-4BC3-83A3-76A1AE736170}]
2009-05-08 04:46 218160 ----a-w- c:\program files\Hotspot Shield\hssie\HssIE.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MoeMonitor.exe"="c:\documents and settings\Administrator\Local Settings\Application Data\Microsoft\Live Mesh\Bin\Servicing\0.9.4014.7\MoeMonitor.exe" [2009-07-03 1315152]
"LClock"="c:\program files\LClock\LClock.exe" [2004-09-19 65536]
"Growl"="c:\program files\Growl for Windows\Growl.exe" [2009-07-17 1171456]
"Gmail Growl"="c:\program files\Markus Mohnen\Gmail Growl\gmailgrowl.exe" [2009-06-04 900489]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VBoxTray"="c:\windows\system32\VBoxTray.exe" [2009-07-10 1026576]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-26 31016]
"PostCopy"="c:\windows\system32\BELKIN\F5D5050\PostCopy.exe" [2001-07-25 20480]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-06-26 1948440]
"Everything"="c:\program files\Everything\Everything.exe" [2009-03-13 602624]
c:\documents and settings\Administrator\Start Menu\Programs\Startup\
MagicDisc.lnk - c:\program files\MagicDisc\MagicDisc.exe [2009-4-16 534016]
c:\docume~1\ALLUSE~1\STARTM~1\Programs\Startup\
NetScreen-Remote.lnk - c:\program files\Juniper\NetScreen-Remote\SafeCfg.exe [2009-6-19 77876]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"= 1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"MemCheckBoxInRunDlg"= 1 (0x1)
"StartMenuFavorites"= 0 (0x0)
"Start_ShowMyComputer"= 1 (0x1)
"Start_ShowMyDocs"= 1 (0x1)
"Start_ShowMyMusic"= 0 (0x0)
"Start_ShowRun"= 1 (0x1)
"Start_ShowSearch"= 0 (0x0)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)
"MemCheckBoxInRunDlg"= 1 (0x1)
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"= 1 (0x1)
"ForceClassicControlPanel"= 1 (0x1)
"NoResolveTrack"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)
"MemCheckBoxInRunDlg"= 1 (0x1)
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\SharedTaskScheduler]
"{EC654325-1273-C2A9-2B7C-45A29BCE2FBD}"= "c:\program files\Stardock\Fences\DesktopDock.dll" [2009-02-25 517480]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 16:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wlcrdplauncher]
2009-07-03 19:41 21840 ----a-w- c:\program files\Live Mesh\Remote Desktop\wlcrdplauncher.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-06-26 04:00 11952 ----a-w- c:\windows\system32\avgrsstx.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"e:\\Program Files\\Phanfare\\Phanfare.exe"=
"c:\\Program Files\\Live Mesh\\Remote Desktop\\wlcrasvc.exe"=
"c:\\Documents and Settings\\Administrator\\Local Settings\\Application Data\\Microsoft\\Live Mesh\\GacBase\\Moe.exe"=
"c:\\Program Files\\Juniper\\NetScreen-Remote\\IreIKE.exe"=
"c:\program files\Juniper\NetScreen-Remote\ViewLog.exe"= c:\program files\Juniper\NetScreen-Remote\ViewLog.exe:127.0.0.1/255.255.255.255:Enabled:ViewLog
"c:\program files\Juniper\NetScreen-Remote\CmonApp.exe"= c:\program files\Juniper\NetScreen-Remote\CmonApp.exe:127.0.0.1/255.255.255.255:Enabled:CMonApp
"c:\program files\Juniper\NetScreen-Remote\vpn.exe"= c:\program files\Juniper\NetScreen-Remote\vpn.exe:127.0.0.1/255.255.255.255:Enabled:VPN Connection Manager
R0 VBoxGuest;VirtualBox Guest Driver;c:\windows\system32\drivers\VBoxGuest.sys [11/21/2008 2:30 PM 39376]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [4/20/2009 8:05 AM 327688]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [4/20/2009 8:05 AM 108552]
R1 IPSECDRV;SafeNet IPSec Plugin;c:\windows\system32\drivers\IpSecDrv.sys [6/19/2009 5:37 PM 138296]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [6/23/2009 11:01 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [6/23/2009 11:01 AM 72944]
R1 VBoxSF;VirtualBox Shared Folders;c:\windows\system32\drivers\VBoxSF.sys [7/10/2009 10:56 AM 195472]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [4/20/2009 8:05 AM 298776]
R2 Crypto;Crypto;c:\windows\system32\drivers\Crypto.sys [6/19/2009 5:37 PM 536634]
R2 Ekauio;Ekahau NDIS Usermode I/O Protocol;c:\windows\system32\drivers\ekauio.sys [4/7/2009 8:45 AM 12416]
R2 HssSrv;Hotspot Shield Helper Service;c:\program files\Hotspot Shield\HssWPR\hsssrv.exe [4/21/2009 9:12 PM 328752]
R2 VBoxService;VirtualBox Guest Additions Service;system32\VBoxService.exe --> system32\VBoxService.exe [?]
R2 wlcrasvc;Live Mesh Remote Desktop;c:\program files\Live Mesh\Remote Desktop\wlcrasvc.exe [4/16/2009 6:24 AM 44880]
R3 DniVap;SafeNet WAN Miniport (VA);c:\windows\system32\drivers\vap.sys [6/19/2009 5:36 PM 29184]
R3 RDPDISPM;RDPDISPM;c:\windows\system32\drivers\rdpdispm.sys [4/16/2009 6:24 AM 9024]
R3 RDPVDD;RDPVDD;c:\windows\system32\drivers\rdpvmp.sys [4/16/2009 6:24 AM 19392]
R3 VBoxMouse;VirtualBox Guest Mouse Service;c:\windows\system32\drivers\VBoxMouse.sys [11/21/2008 2:29 PM 39888]
R3 VBoxVideo;VBoxVideo;c:\windows\system32\drivers\VBoxVideo.sys [11/21/2008 2:30 PM 57872]
R3 vmmouse;VMware Pointing Device;c:\windows\system32\drivers\vmmouse.sys [12/1/2008 4:09 PM 11568]
S2 gupdate1c9c1b183ad1450;Google Update Service (gupdate1c9c1b183ad1450);c:\program files\Google\Update\GoogleUpdate.exe [4/20/2009 8:14 AM 133104]
S3 HssTrayService;Hotspot Shield Tray Service;c:\program files\Hotspot Shield\bin\HssTrayService.exe [4/22/2009 5:34 PM 34352]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [6/23/2009 11:01 AM 7408]
S3 vmxnet;VMware Ethernet Adapter Driver;c:\windows\system32\drivers\vmxnet.sys [12/1/2008 4:09 PM 29488]
S4 zlportio;zlportio;\??\g:\zlportio.sys --> g:\zlportio.sys [?]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.teezcricket.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mStart Page = hxxp://www.google.com
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: Download all with Free Download Manager - file://c:\program files\Free Download Manager\dlall.htm
IE: Download selected with Free Download Manager - file://c:\program files\Free Download Manager\dlselected.htm
IE: Download video with Free Download Manager - file://c:\program files\Free Download Manager\dlfvideo.htm
IE: Download with Free Download Manager - file://c:\program files\Free Download Manager\dllink.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\docume~1\ADMINI~1\APPLIC~1\Mozilla\Firefox\Profiles\2epl54kr.Donny\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/|http://ebiss/default.aspx|http://studywiz.biss.com.cn/|https://ibis.ibo.org/index.cfm|https://web4.ibo.org/ibnet/|http://online.ibo.org/ibis/occ/guest/home.cfm|http://docs.google.com/#not-in-folders|https://secure.members.easynews.com/global4/search.html?fly=1|http://www.abc.net.au/news/|http://www.google.com/reader/shared/10493336563511901340|http://www.newser.com/
FF - component: c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\2epl54kr.Donny\extensions\{0b457cAA-602d-484a-8fe7-c1d894a011ba}\platform\WINNT_x86-msvc\components\SSSLauncher.dll
FF - component: c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\2epl54kr.Donny\extensions\{340c2bbc-ce74-4362-90b5-7c26312808ef}\platform\WINNT_x86-msvc\components\WeaveCrypto.dll
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: c:\program files\Free Download Manager\Firefox\Extension\components\vmsfdmff.dll
FF - component: c:\program files\Google\Google Gears\Firefox\lib\ff35\gears.dll
FF - plugin: c:\program files\Google\Update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npFoxitReaderPlugin.dll
---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-21 22:07
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files:
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(1220)
geyekrpjxtedtf.dll 10000000 32768 \\?\globalroot\systemroot\system32\geyekrpjxtedtf.dll
c:\program files\SUPERAntiSpyware\SASWINLO.dll
.
Completion time: 2009-07-22 22:12
ComboFix-quarantined-files.txt 2009-07-22 02:12
ComboFix2.txt 2009-07-21 16:38
ComboFix3.txt 2009-07-17 16:27
ComboFix4.txt 2009-07-17 02:07
ComboFix5.txt 2009-07-22 01:49
Pre-Run: 1,576,513,536 bytes free
Post-Run: 1,582,829,568 bytes free
Malwarebytes' Anti-Malware 1.39
Database version: 2421
Windows 5.1.2600 Service Pack 3
7/21/2009 11:58:44 PM
mbam-log-2009-07-21 (23-58-44).txt
Scan type: Full Scan (C:\|)
Objects scanned: 130464
Time elapsed: 16 minute(s), 0 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
#12
Posted 22 July 2009 - 04:22 AM
Still getting search redirections............ grrrrrrrr
#13
Posted 22 July 2009 - 08:35 AM
Yes, you're still infected. Quite late here, I'll try and provide you with some cleanup routines tomorrow.
#14
Posted 23 July 2009 - 08:54 AM
Well, first and foremost, you need to delete this file and get a GOOD CLEAN copy of it from CD or another clean XP computer:
c:\windows\system32\drivers\tcpip.sys
We are spinning our wheels and we will not be able to clean the computer properly until this file is replaced with a clean version.
STEP 01
Download but do not yet run ComboFix
If you have a previous version of Combofix.exe, delete it and download a fresh copy.
Download it to your DESKTOP - it MUST run from the Desktop
download.bleepingcomputer.com/sUBs/ComboFix.exe
subs.geekstogo.com/ComboFix.exe
Using your mouse, Highlight and then Right-click | Copy the entire contents of the Code box below, including blank lines
KILLALL::

Driver::
geyekrpjxtedtf

File::
c:\windows\system32\geyekrpjxtedtf.dll
Open a new Notepad session (Do not use a Word Processor or WordPad). Click "Format" and be certain that Word Wrap is not enabled. Right-click | Paste the Code box contents from above into Notepad. Click File, Save as..., and set the location to your Desktop, and enter (including quotation marks) as the filename: "CFscript.txt" .
Using your mouse, drag the new file CFscript.txt and drop it on the Combo-Fix.exe icon as shown:

- Important: Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.
- Disconnect from the Internet.
- Disable your Antivirus software. If it has Script Blocking features, please disable these as well.
- A window may open with a series of Disclaimers. Accept the Disclaimers to start the fix.
- It may identify that Recovery Console is not installed. Please accept when asked if you wish it to be installed.
When the scan completes, Notepad will open with your results log. Do a File, Exit.
Post back the Combofix log on your next reply.
STEP 02
Please download and run these tools which are designed to restore some standard policy settings. They are not harmful.
- VArestorepolicies.INF
- Download this INF repair file from here: VArestorepolicies.zip by MS-MVP Miekiemoes
- Unzip or open the file VArestorepolicies.zip
- Open the folder VArestorepolicies and Right-click the file inside, VArestorepolicies.INF and choose Install
- FixPolicies.exe
- Download this self-extracting ZIP archive from here: FixPolicies.exe by MS-MVP Bill Castner and save it to your desktop.
- Double-click FixPolicies.exe
- Click the "Install" button on the bottom toolbar of the box that will open
- The program will create a new Folder called FixPolicies
- Double-click to Open the new Folder, and then double-click the file within: Fix_Policies.cmd
- A black box will briefly appear and then close
- These fixes may prove temporary. Active malware may revert these changes on your next startup. You can safely run these utilities again.
#15
Posted 23 July 2009 - 03:01 PM
All done, exactly as posted. Here is the Combofix log:
ComboFix 09-07-22.07 - Administrator 07/23/2009 10:40.8.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1644 [GMT -4:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Administrator\Desktop\CFscript.txt
FILE ::
"c:\windows\system32\geyekrpjxtedtf.dll"
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\system32\tcpip.sys
.
((((((((((((((((((((((((( Files Created from 2009-06-23 to 2009-07-23 )))))))))))))))))))))))))))))))
.
2009-07-23 14:19 . 2008-05-05 18:38 361344 ----a-w- c:\windows\system32\drivers\tcpip.sys
2009-07-22 22:06 . 2008-05-05 18:38 361344 ----a-w- C:\tcpip.sys
2009-07-18 02:33 . 2009-07-18 02:33 -------- d-----w- c:\program files\Growl for Windows
2009-07-17 16:21 . 2009-07-17 16:21 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Stardock
2009-07-16 01:20 . 2009-07-22 00:08 117760 ----a-w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-07-16 01:03 . 2009-07-16 01:03 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\SUPERAntiSpyware.com
2009-07-16 01:03 . 2009-07-16 01:03 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-07-16 01:03 . 2009-07-16 01:03 -------- d-----w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2009-07-16 01:03 . 2009-07-16 01:03 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-07-15 04:41 . 2009-07-15 04:41 -------- d-----w- c:\documents and settings\Administrator\DoctorWeb
2009-07-15 03:50 . 2009-07-15 03:50 -------- d-----w- c:\program files\Trend Micro
2009-07-15 02:40 . 2009-07-15 02:40 -------- d-----w- c:\windows\Sun
2009-07-15 01:26 . 2009-07-15 01:26 -------- d-----w- c:\windows\system32\wbem\snmp
2009-07-15 01:26 . 2009-07-15 01:26 -------- d-----w- c:\windows\system32\oobe
2009-07-15 01:26 . 2009-07-15 01:26 -------- d-----w- c:\windows\srchasst
2009-07-15 01:26 . 2009-07-15 01:26 -------- d-----w- c:\windows\system32\xircom
2009-07-15 01:25 . 2009-07-15 01:25 -------- d-----w- c:\program files\microsoft frontpage
2009-07-14 23:02 . 2009-07-14 23:02 0 ----a-w- c:\windows\system32\cd.dat
2009-07-14 18:14 . 2009-07-18 03:15 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Temp
2009-07-14 17:40 . 2009-07-21 17:55 -------- d--h--w- C:\$AVG8.VAULT$
2009-07-10 14:56 . 2009-07-10 14:56 195472 ----a-w- c:\windows\system32\drivers\VBoxSF.sys
2009-07-10 14:55 . 2009-07-10 14:55 1059344 ----a-w- c:\windows\system32\VBoxService.exe
2009-07-10 14:55 . 2009-07-10 14:55 588304 ----a-w- c:\windows\system32\VBoxOGLfeedbackspu.dll
2009-07-10 14:55 . 2009-07-10 14:55 1346064 ----a-w- c:\windows\system32\VBoxOGLpackspu.dll
2009-07-10 14:55 . 2009-07-10 14:55 109072 ----a-w- c:\windows\system32\VBoxOGLpassthroughspu.dll
2009-07-10 14:55 . 2009-07-10 14:55 432656 ----a-w- c:\windows\system32\VBoxOGLarrayspu.dll
2009-07-10 14:55 . 2009-07-10 14:55 305680 ----a-w- c:\windows\system32\VBoxOGL.dll
2009-07-10 14:55 . 2009-07-10 14:55 65552 ----a-w- c:\windows\system32\VBoxHook.dll
2009-07-10 14:55 . 2009-07-10 14:55 645648 ----a-w- c:\windows\system32\VBoxGINA.dll
2009-07-10 14:54 . 2009-07-10 14:54 145936 ----a-w- c:\windows\system32\VBoxOGLerrorspu.dll
2009-07-10 14:54 . 2009-07-10 14:54 203280 ----a-w- c:\windows\system32\VBoxOGLcrutil.dll
2009-07-08 15:44 . 2009-07-08 15:44 -------- d-----w- c:\program files\Markus Mohnen
2009-07-08 15:38 . 2009-07-08 15:38 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Growl
2009-07-08 15:02 . 2009-07-08 15:02 -------- d-----w- c:\program files\SopCast
2009-07-08 14:49 . 2009-07-08 14:50 -------- d-----w- c:\program files\TVAnts
2009-07-08 14:43 . 2009-07-08 14:43 -------- d-----w- c:\documents and settings\Administrator\LocalLow
2009-07-08 14:43 . 2009-07-08 14:43 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\TVU Networks
2009-07-08 14:43 . 2009-07-08 14:43 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\TVU Networks
2009-07-07 23:48 . 2009-07-07 02:44 937984 ----a-w- c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\2epl54kr.Donny\extensions\piclens@cooliris.com\libs\PicLensHelper.exe
2009-07-07 23:48 . 2009-07-07 02:44 103424 ----a-w- c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\2epl54kr.Donny\extensions\piclens@cooliris.com\libs\pixomatic.dll
2009-07-07 23:48 . 2009-07-07 02:44 65536 ----a-w- c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\2epl54kr.Donny\extensions\piclens@cooliris.com\components\coolirisstub.dll
2009-07-07 23:48 . 2009-07-07 02:44 106496 ----a-w- c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\2epl54kr.Donny\extensions\piclens@cooliris.com\plugins\npcoolirisplugin.dll
2009-07-07 23:48 . 2009-07-07 02:44 4722688 ----a-w- c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\2epl54kr.Donny\extensions\piclens@cooliris.com\libs\cooliris19.dll
2009-07-07 23:48 . 2009-07-07 02:44 344064 ----a-w- c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\2epl54kr.Donny\extensions\piclens@cooliris.com\libs\LaunchCooliris.exe
2009-07-03 22:37 . 2009-07-03 22:39 -------- d-----w- c:\documents and settings\Administrator\Ekahau Site Survey
2009-07-03 22:35 . 2009-07-03 22:54 -------- d-----w- c:\program files\Ekahau
2009-07-01 04:08 . 2009-07-23 02:25 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Phanfare2
2009-07-01 04:08 . 2009-06-29 18:23 172032 ----a-w- c:\windows\system32\Phanfare Screensaver.scr
2009-07-01 04:08 . 2009-06-29 18:22 323624 ----a-w- c:\windows\system32\wiaaut.dll
2009-07-01 04:07 . 2009-07-23 02:22 344560 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-07-01 04:02 . 2009-07-01 04:02 -------- d-----w- c:\windows\system32\XPSViewer
2009-07-01 04:00 . 2009-07-01 04:00 -------- d-----w- c:\program files\Reference Assemblies
2009-07-01 03:58 . 2006-06-29 17:07 14048 ------w- c:\windows\system32\spmsg2.dll
2009-07-01 03:57 . 2006-06-29 17:07 22752 ----a-w- c:\windows\system32\spupdsvc.exe
2009-07-01 03:03 . 2009-07-01 03:50 -------- d-----w- c:\documents and settings\Administrator\Application Data\Desktopicon
2009-07-01 03:01 . 2009-07-01 03:02 -------- d-----w- c:\program files\FormatFactory
2009-06-30 23:54 . 2009-05-07 12:23 63488 ----a-w- c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\2epl54kr.Donny\extensions\{340c2bbc-ce74-4362-90b5-7c26312808ef}\platform\WINNT_x86-msvc\components\WeaveCrypto.dll
2009-06-30 21:27 . 2009-06-30 21:27 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-06-30 21:27 . 2009-06-30 21:27 -------- d-----w- c:\program files\Java
2009-06-30 21:25 . 2009-06-30 21:25 152576 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\jre1.6.0_14\lzma.dll
2009-06-30 02:25 . 2009-07-03 22:38 57164 ---ha-w- c:\windows\system32\mlfcache.dat
2009-06-28 06:36 . 2009-06-28 06:36 -------- d-----w- c:\program files\AnyBizSoft
2009-06-28 06:31 . 2009-06-28 06:31 -------- d-----w- c:\documents and settings\Administrator\Application Data\Stardock
2009-06-28 06:31 . 2009-06-28 06:31 -------- dc-h--w- c:\docume~1\ALLUSE~1\APPLIC~1\{067CEB81-A49B-4597-9505-A5515881D672}
2009-06-28 06:31 . 2009-06-28 06:31 -------- d-----w- c:\program files\Stardock
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-23 14:32 . 2009-04-20 12:11 -------- d-----w- c:\program files\Everything
2009-07-23 14:32 . 2009-04-20 12:13 -------- d-----w- c:\documents and settings\Administrator\Application Data\Free Download Manager
2009-07-23 02:30 . 2009-04-20 13:43 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2009-07-18 03:15 . 2009-04-20 12:13 -------- d-----w- c:\program files\Google
2009-07-17 16:03 . 2009-05-05 12:21 -------- d-----w- c:\documents and settings\Administrator\Application Data\uTorrent
2009-07-15 01:03 . 2009-04-20 12:36 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-07-13 17:36 . 2009-04-20 12:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-13 17:36 . 2009-04-20 12:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-10 14:56 . 2008-11-21 18:30 84496 ----a-w- c:\windows\system32\vbcoinst.dll
2009-07-10 14:56 . 2008-11-21 18:30 641552 ----a-w- c:\windows\system32\VBoxControl.exe
2009-07-10 14:56 . 2008-11-21 18:30 39376 ----a-w- c:\windows\system32\drivers\VBoxGuest.sys
2009-07-10 14:56 . 2008-11-21 18:30 1026576 ----a-w- c:\windows\system32\VBoxTray.exe
2009-07-10 14:56 . 2008-11-21 18:30 63632 ----a-w- c:\windows\system32\VBoxDisp.dll
2009-07-10 14:56 . 2008-11-21 18:30 57872 ----a-w- c:\windows\system32\drivers\VBoxVideo.sys
2009-07-10 14:56 . 2008-11-21 18:29 39888 ----a-w- c:\windows\system32\drivers\VBoxMouse.sys
2009-07-10 14:55 . 2008-11-21 18:28 645648 ----a-w- c:\windows\system32\VBoxMRXNP.dll
2009-07-01 04:26 . 2009-04-16 10:32 70400 ----a-w- c:\windows\system32\GDIPFONTCACHEV1.DAT
2009-07-01 04:07 . 2009-04-16 07:10 -------- d-----w- c:\program files\MSBuild
2009-06-26 04:13 . 2009-05-30 16:24 -------- d-----w- c:\program files\Digsby
2009-06-26 04:00 . 2009-04-20 12:05 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-06-26 04:00 . 2009-04-20 12:05 327688 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-06-26 04:00 . 2009-04-20 12:05 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-06-19 21:36 . 2009-06-19 21:36 -------- d-----w- c:\program files\Common Files\Deterministic Networks
2009-06-19 21:36 . 2009-06-19 21:36 -------- d-----w- c:\program files\Juniper
2009-06-19 21:35 . 2009-06-19 21:35 -------- d-----w- c:\program files\Common Files\InstallShield
2009-06-11 06:29 . 2009-06-11 06:29 -------- d-----w- c:\program files\Common Files\Blackbaud
2009-06-11 06:27 . 2009-06-11 06:27 -------- d-----w- c:\program files\Blackbaud
2009-06-11 05:16 . 2009-06-11 05:16 -------- d-----w- c:\program files\Common Files\Business Objects
2009-06-11 05:16 . 2009-06-11 05:16 -------- d-----w- c:\program files\Business Objects
2009-06-11 05:14 . 2009-06-11 05:14 -------- d-----w- c:\program files\MSXML 4.0
2009-06-01 14:36 . 2009-06-04 06:17 3184128 ----a-w- c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\2epl54kr.Donny\extensions\{0b457cAA-602d-484a-8fe7-c1d894a011ba}\library\SSS.dll
2009-05-30 18:27 . 2009-05-30 18:27 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Digsby
2009-05-30 16:45 . 2009-05-30 16:24 -------- d-----w- c:\documents and settings\Administrator\Application Data\Digsby
2009-05-08 02:55 . 2009-04-20 12:05 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-05-04 19:03 . 2009-05-04 19:03 59904 ----a-w- c:\windows\system32\zlib1.dll
2009-05-04 18:53 . 2009-05-04 18:53 286720 ----a-w- c:\windows\system32\libcurl.dll
2009-05-04 18:53 . 2009-05-04 18:53 196608 ----a-w- c:\windows\system32\ssleay32.dll
2009-05-04 18:53 . 2009-05-04 18:53 1028096 ----a-w- c:\windows\system32\libeay32.dll
2009-05-04 18:53 . 2009-05-04 18:53 143360 ----a-w- c:\windows\system32\libexpatw.dll
2009-06-24 13:26 . 2009-04-16 09:47 137208 ----a-w- c:\program files\mozilla firefox\components\brwsrcmp.dll
2008-05-05 20:14 . 2008-12-01 20:22 34048 ----a-w- c:\program files\opera\program\plugins\upd62i9x.dll
2008-05-05 20:14 . 2008-12-01 20:22 45056 ----a-w- c:\program files\opera\program\plugins\upd62int.dll
.
------- Sigcheck -------
[-] 2008-05-05 18:38 361344 ACCF5A9A1FFAA490F33DBA1C632B95E1 c:\windows\system32\drivers\tcpip.sys
.
((((((((((((((((((((((((((((( SnapShot@2009-07-17_02.02.53 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-07-23 14:38 . 2009-07-23 14:38 16384 c:\windows\temp\Perflib_Perfdata_1f0.dat
+ 2008-05-06 12:00 . 2009-07-23 14:43 66148 c:\windows\system32\perfc009.dat
- 2008-05-06 12:00 . 2009-07-17 01:44 66148 c:\windows\system32\perfc009.dat
+ 2009-07-14 17:45 . 2009-07-23 14:37 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2009-07-14 17:45 . 2009-07-17 01:40 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2009-07-14 17:45 . 2009-07-23 14:37 16384 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2009-07-14 17:45 . 2009-07-17 01:40 16384 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2009-07-14 17:45 . 2009-07-17 01:40 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2009-07-14 17:45 . 2009-07-23 14:37 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2009-07-18 03:15 . 2009-07-18 03:15 47104 c:\windows\Installer\2c856f.msi
+ 2009-07-18 02:33 . 2009-07-18 02:33 9662 c:\windows\Installer\{8870D0D8-4427-49BC-A0E7-ABAE34227983}\_D679D4221C9B860547047F.exe
+ 2009-07-18 02:33 . 2009-07-18 02:33 9662 c:\windows\Installer\{8870D0D8-4427-49BC-A0E7-ABAE34227983}\_C7AC1C9AA4412B85789A75.exe
+ 2009-07-18 02:33 . 2009-07-18 02:33 9662 c:\windows\Installer\{8870D0D8-4427-49BC-A0E7-ABAE34227983}\_6FEFF9B68218417F98F549.exe
+ 2008-05-06 12:00 . 2009-07-23 14:43 428224 c:\windows\system32\perfh009.dat
- 2008-05-06 12:00 . 2009-07-17 01:44 428224 c:\windows\system32\perfh009.dat
+ 2009-07-18 02:33 . 2009-07-18 02:33 424960 c:\windows\Installer\5a6a3.msi
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F9E4A054-E9B1-4BC3-83A3-76A1AE736170}]
2009-05-08 04:46 218160 ----a-w- c:\program files\Hotspot Shield\hssie\HssIE.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MoeMonitor.exe"="c:\documents and settings\Administrator\Local Settings\Application Data\Microsoft\Live Mesh\Bin\Servicing\0.9.4014.7\MoeMonitor.exe" [2009-07-03 1315152]
"LClock"="c:\program files\LClock\LClock.exe" [2004-09-19 65536]
"Growl"="c:\program files\Growl for Windows\Growl.exe" [2009-07-17 1171456]
"Gmail Growl"="c:\program files\Markus Mohnen\Gmail Growl\gmailgrowl.exe" [2009-06-04 900489]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VBoxTray"="c:\windows\system32\VBoxTray.exe" [2009-07-10 1026576]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-26 31016]
"PostCopy"="c:\windows\system32\BELKIN\F5D5050\PostCopy.exe" [2001-07-25 20480]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-06-26 1948440]
"Everything"="c:\program files\Everything\Everything.exe" [2009-03-13 602624]
c:\documents and settings\Administrator\Start Menu\Programs\Startup\
MagicDisc.lnk - c:\program files\MagicDisc\MagicDisc.exe [2009-4-16 534016]
c:\docume~1\ALLUSE~1\STARTM~1\Programs\Startup\
NetScreen-Remote.lnk - c:\program files\Juniper\NetScreen-Remote\SafeCfg.exe [2009-6-19 77876]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"= 1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"MemCheckBoxInRunDlg"= 1 (0x1)
"StartMenuFavorites"= 0 (0x0)
"Start_ShowMyComputer"= 1 (0x1)
"Start_ShowMyDocs"= 1 (0x1)
"Start_ShowMyMusic"= 0 (0x0)
"Start_ShowRun"= 1 (0x1)
"Start_ShowSearch"= 0 (0x0)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)
"MemCheckBoxInRunDlg"= 1 (0x1)
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"= 1 (0x1)
"ForceClassicControlPanel"= 1 (0x1)
"NoResolveTrack"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)
"MemCheckBoxInRunDlg"= 1 (0x1)
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\SharedTaskScheduler]
"{EC654325-1273-C2A9-2B7C-45A29BCE2FBD}"= "c:\program files\Stardock\Fences\DesktopDock.dll" [2009-02-25 517480]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 16:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wlcrdplauncher]
2009-07-03 19:41 21840 ----a-w- c:\program files\Live Mesh\Remote Desktop\wlcrdplauncher.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-06-26 04:00 11952 ----a-w- c:\windows\system32\avgrsstx.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"e:\\Program Files\\Phanfare\\Phanfare.exe"=
"c:\\Program Files\\Live Mesh\\Remote Desktop\\wlcrasvc.exe"=
"c:\\Documents and Settings\\Administrator\\Local Settings\\Application Data\\Microsoft\\Live Mesh\\GacBase\\Moe.exe"=
"c:\\Program Files\\Juniper\\NetScreen-Remote\\IreIKE.exe"=
"c:\program files\Juniper\NetScreen-Remote\ViewLog.exe"= c:\program files\Juniper\NetScreen-Remote\ViewLog.exe:127.0.0.1/255.255.255.255:Enabled:ViewLog
"c:\program files\Juniper\NetScreen-Remote\CmonApp.exe"= c:\program files\Juniper\NetScreen-Remote\CmonApp.exe:127.0.0.1/255.255.255.255:Enabled:CMonApp
"c:\program files\Juniper\NetScreen-Remote\vpn.exe"= c:\program files\Juniper\NetScreen-Remote\vpn.exe:127.0.0.1/255.255.255.255:Enabled:VPN Connection Manager
R0 VBoxGuest;VirtualBox Guest Driver;c:\windows\system32\drivers\VBoxGuest.sys [11/21/2008 2:30 PM 39376]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [4/20/2009 8:05 AM 327688]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [4/20/2009 8:05 AM 108552]
R1 IPSECDRV;SafeNet IPSec Plugin;c:\windows\system32\drivers\IpSecDrv.sys [6/19/2009 5:37 PM 138296]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [6/23/2009 11:01 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [6/23/2009 11:01 AM 72944]
R1 VBoxSF;VirtualBox Shared Folders;c:\windows\system32\drivers\VBoxSF.sys [7/10/2009 10:56 AM 195472]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [4/20/2009 8:05 AM 298776]
R2 Crypto;Crypto;c:\windows\system32\drivers\Crypto.sys [6/19/2009 5:37 PM 536634]
R2 Ekauio;Ekahau NDIS Usermode I/O Protocol;c:\windows\system32\drivers\ekauio.sys [4/7/2009 8:45 AM 12416]
R2 HssSrv;Hotspot Shield Helper Service;c:\program files\Hotspot Shield\HssWPR\hsssrv.exe [4/21/2009 9:12 PM 328752]
R2 VBoxService;VirtualBox Guest Additions Service;system32\VBoxService.exe --> system32\VBoxService.exe [?]
R2 wlcrasvc;Live Mesh Remote Desktop;c:\program files\Live Mesh\Remote Desktop\wlcrasvc.exe [4/16/2009 6:24 AM 44880]
R3 DniVap;SafeNet WAN Miniport (VA);c:\windows\system32\drivers\vap.sys [6/19/2009 5:36 PM 29184]
R3 RDPDISPM;RDPDISPM;c:\windows\system32\drivers\rdpdispm.sys [4/16/2009 6:24 AM 9024]
R3 RDPVDD;RDPVDD;c:\windows\system32\drivers\rdpvmp.sys [4/16/2009 6:24 AM 19392]
R3 VBoxMouse;VirtualBox Guest Mouse Service;c:\windows\system32\drivers\VBoxMouse.sys [11/21/2008 2:29 PM 39888]
R3 VBoxVideo;VBoxVideo;c:\windows\system32\drivers\VBoxVideo.sys [11/21/2008 2:30 PM 57872]
R3 vmmouse;VMware Pointing Device;c:\windows\system32\drivers\vmmouse.sys [12/1/2008 4:09 PM 11568]
S2 gupdate1c9c1b183ad1450;Google Update Service (gupdate1c9c1b183ad1450);c:\program files\Google\Update\GoogleUpdate.exe [4/20/2009 8:14 AM 133104]
S3 HssTrayService;Hotspot Shield Tray Service;c:\program files\Hotspot Shield\bin\HssTrayService.exe [4/22/2009 5:34 PM 34352]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [6/23/2009 11:01 AM 7408]
S3 vmxnet;VMware Ethernet Adapter Driver;c:\windows\system32\drivers\vmxnet.sys [12/1/2008 4:09 PM 29488]
S4 zlportio;zlportio;\??\g:\zlportio.sys --> g:\zlportio.sys [?]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.teezcricket.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mStart Page = hxxp://www.google.com
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: Download all with Free Download Manager - file://c:\program files\Free Download Manager\dlall.htm
IE: Download selected with Free Download Manager - file://c:\program files\Free Download Manager\dlselected.htm
IE: Download video with Free Download Manager - file://c:\program files\Free Download Manager\dlfvideo.htm
IE: Download with Free Download Manager - file://c:\program files\Free Download Manager\dllink.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\docume~1\ADMINI~1\APPLIC~1\Mozilla\Firefox\Profiles\2epl54kr.Donny\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/|http://ebiss/default.aspx|http://studywiz.biss.com.cn/|https://ibis.ibo.org/index.cfm|https://web4.ibo.org/ibnet/|http://online.ibo.org/ibis/occ/guest/home.cfm|http://docs.google.com/#not-in-folders|https://secure.members.easynews.com/global4/search.html?fly=1|http://www.abc.net.au/news/|http://www.google.com/reader/shared/10493336563511901340|http://www.newser.com/
FF - component: c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\2epl54kr.Donny\extensions\{0b457cAA-602d-484a-8fe7-c1d894a011ba}\platform\WINNT_x86-msvc\components\SSSLauncher.dll
FF - component: c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\2epl54kr.Donny\extensions\{340c2bbc-ce74-4362-90b5-7c26312808ef}\platform\WINNT_x86-msvc\components\WeaveCrypto.dll
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: c:\program files\Free Download Manager\Firefox\Extension\components\vmsfdmff.dll
FF - component: c:\program files\Google\Google Gears\Firefox\lib\ff35\gears.dll
FF - plugin: c:\program files\Google\Update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npFoxitReaderPlugin.dll
---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-23 10:50
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files:
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(1220)
geyekrpjxtedtf.dll 10000000 32768 \\?\globalroot\systemroot\system32\geyekrpjxtedtf.dll
c:\program files\SUPERAntiSpyware\SASWINLO.dll
.
Completion time: 2009-07-23 10:55
ComboFix-quarantined-files.txt 2009-07-23 14:55
ComboFix2.txt 2009-07-22 02:12
ComboFix3.txt 2009-07-21 16:38
ComboFix4.txt 2009-07-17 16:27
ComboFix5.txt 2009-07-23 14:33
Pre-Run: 1,567,268,864 bytes free
Post-Run: 1,571,405,824 bytes free
339
#16
Posted 24 July 2009 - 07:07 AM
Okay, well at this point, unless you can obtain the Windows XP CD or a copy of the TCPIP.SYS file from a clean system, we cannot repair your computer. All versions of it on your system must be located and deleted. Then a CLEAN copy put back in its place.
Once you have the XP CD and you need help locating and replacing these files please let me know.
#17
Posted 24 July 2009 - 03:12 PM
I've done that every time you've asked me to. Will I do it again?
#18
Posted 25 July 2009 - 06:48 AM
Maybe a miscommunication, as it did not appear that you were replacing it.
You may have the Windows File Protection kicking in and replacing files. Please try the following.
STEP 01
Reconfigure Windows XP to show hidden files:
To enable the viewing of Hidden files follow these steps:
* Close all programs so that you are at your desktop.
* Double-click on the My Computer icon.
* Select the Tools menu and click Folder Options.
* After the new window appears select the View tab.
* Put a checkmark in the checkbox labeled Display the contents of system folders.
* Under the Hidden files and folders section select the radio button labeled Show hidden files and folders.
* Remove the checkmark from the checkbox labeled Hide file extensions for known file types.
* Remove the checkmark from the checkbox labeled Hide protected operating system files.
* Press the Apply button and then the OK button and exit My Computer.
* Now your computer is configured to show all hidden files.
STEP 02
Visit these sites on what File Protection is and how to disable it temporarily and then disable it.
http://support.microsoft.com/kb/222193
http://en.wikipedia....File_Protection
http://www.pctools.c...try/detail/790/
STEP 03
AFTER File Protection is disabled run the following
Click on START - RUN and Copy/Paste this into the run line and click OK
cmd /c ATTRIB -R -A -S -H /S TCPIP.SYS
Click on START - RUN and Copy/Paste this into the run line and click OK
cmd /c DEL /S TCPIP.SYS
This should delete ALL copies of TCPIP.SYS from the system.
STEP 04
Now restart the computer and once it starts back up do a search (including hidden and system files) for TCPIP.SYS and it should NOT find any copies of it.
Then place the Windows XP CD into the CD drive and expand the TCPIP.SY_ to c:\windows\system32\drivers\tcpip.sys
Then restart the computer again.
How to expand Windows XP files from the installation disk
http://support.microsoft.com/kb/888017
STEP 05
Delete your current copy of Combofix.exe and download a NEW fresh copy and run it and post back the NEW log please.
Thanks.
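The steps above amount to: stop Windows File Protection from undoing the repair, remove every copy of tcpip.sys that WFP could restore from (the live driver in system32\drivers, the cache in system32\dllcache, ServicePackFiles\i386 and any install source copied to disk), then expand a clean copy from the CD. An in-place patch leaves the driver's size and timestamp untouched, so a directory listing does not show it; the [-] on the tcpip.sys line in ComboFix's Sigcheck section is the check that matters, and the script below mirrors it by hashing every copy found and comparing each against a reference. It is an added example, not from the thread or from any tool named in it. It roots the search at the Windows directory explicitly rather than at whatever directory the Run box happens to start in, so every copy under that tree is found. The directory tree it walks is constructed in a temporary folder so it runs offline; the 1 KiB stand-in driver, the patched bytes and the reference hash are all constructed values, and on a real system the reference would be the SHA-256 of the file expanded from TCPIP.SY_ on the CD.

```python
"""Enumerate every copy of a protected system file under a Windows tree,
hash each one and compare it against a known-good reference.

Added example, not from the thread or from any of the tools named in it.
Assumptions: the reference hash is obtained out of band (hash the file
expanded from the install CD on a clean machine); build_sample_tree()
creates a constructed stand-in for C:\\WINDOWS so the script runs offline.
"""
import hashlib
import os
import tempfile
from typing import List, Tuple

TARGET = "tcpip.sys"


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def find_copies(root: str, name: str) -> List[str]:
    """Case-insensitive recursive search rooted at `root`, never at the cwd."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            if fn.lower() == name.lower():
                hits.append(os.path.join(dirpath, fn))
    return sorted(hits)


def audit(root: str, name: str, reference_sha256: str) -> List[Tuple[str, str, bool]]:
    """Return (path, sha256, matches_reference) for every copy found under root."""
    out = []
    for p in find_copies(root, name):
        digest = sha256_file(p)
        out.append((p, digest, digest.lower() == reference_sha256.lower()))
    return out


def build_sample_tree(base: str) -> Tuple[str, bytes]:
    """Constructed stand-in for C:\\WINDOWS.

    The live driver and the dllcache copy are patched in place (same size,
    different bytes); only the ServicePackFiles copy is clean. Because WFP
    restores from dllcache first, a patched dllcache copy is exactly the case
    where WFP "repairs" the driver with the infected version."""
    clean = b"MZ" + b"\x00" * 1022          # stand-in for the real driver image
    patched = bytearray(clean)
    patched[0x200:0x210] = b"\xcc" * 16     # in-place patch, file size unchanged
    layout = {
        os.path.join("system32", "drivers", TARGET): bytes(patched),
        os.path.join("system32", "dllcache", TARGET): bytes(patched),
        os.path.join("ServicePackFiles", "i386", TARGET): clean,
    }
    for rel, data in layout.items():
        full = os.path.join(base, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(data)
    return base, clean


def run_demo() -> List[Tuple[str, str, bool]]:
    """Build the constructed tree, audit it, and return root-relative results."""
    with tempfile.TemporaryDirectory() as tmp:
        root, clean = build_sample_tree(tmp)
        reference = hashlib.sha256(clean).hexdigest()   # what the CD copy would hash to
        results = audit(root, TARGET, reference)
        for path, digest, ok in results:
            print("OK     " if ok else "PATCHED", digest[:16], os.path.relpath(path, root))
        return [(os.path.relpath(p, root), d, ok) for p, d, ok in results]


if __name__ == "__main__":
    run_demo()
```

On the guest the call is audit(r"C:\WINDOWS", "tcpip.sys", reference) with the CD copy's hash as reference, plus a second walk of the install source if it was copied to disk (commonly C:\i386); every copy that does not match is one WFP could have put back, and the search that "should NOT find any copies" after the delete step is the same find_copies() walk returning an empty list.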
#19
Posted 25 July 2009 - 05:53 PM
All done again, exactly as requested. Log:
ComboFix 09-07-24.01 - Administrator 07/25/2009 13:26.9.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1638 [GMT -4:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix-1.exe
.
((((((((((((((((((((((((( Files Created from 2009-06-25 to 2009-07-25 )))))))))))))))))))))))))))))))
.
2009-07-25 17:11 . 2008-05-05 18:38 361344 ----a-w- c:\windows\system32\drivers\tcpip.sys
2009-07-18 02:33 . 2009-07-18 02:33 -------- d-----w- c:\program files\Growl for Windows
2009-07-17 16:21 . 2009-07-17 16:21 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Stardock
2009-07-16 01:20 . 2009-07-22 00:08 117760 ----a-w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-07-16 01:03 . 2009-07-16 01:03 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\SUPERAntiSpyware.com
2009-07-16 01:03 . 2009-07-16 01:03 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-07-16 01:03 . 2009-07-16 01:03 -------- d-----w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2009-07-16 01:03 . 2009-07-16 01:03 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-07-15 04:41 . 2009-07-15 04:41 -------- d-----w- c:\documents and settings\Administrator\DoctorWeb
2009-07-15 03:50 . 2009-07-15 03:50 -------- d-----w- c:\program files\Trend Micro
2009-07-15 02:40 . 2009-07-15 02:40 -------- d-----w- c:\windows\Sun
2009-07-15 01:26 . 2009-07-15 01:26 -------- d-----w- c:\windows\system32\wbem\snmp
2009-07-15 01:26 . 2009-07-15 01:26 -------- d-----w- c:\windows\system32\oobe
2009-07-15 01:26 . 2009-07-15 01:26 -------- d-----w- c:\windows\srchasst
2009-07-15 01:26 . 2009-07-15 01:26 -------- d-----w- c:\windows\system32\xircom
2009-07-15 01:25 . 2009-07-15 01:25 -------- d-----w- c:\program files\microsoft frontpage
2009-07-14 23:02 . 2009-07-14 23:02 0 ----a-w- c:\windows\system32\cd.dat
2009-07-14 18:14 . 2009-07-18 03:15 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Temp
2009-07-14 17:40 . 2009-07-21 17:55 -------- d--h--w- C:\$AVG8.VAULT$
2009-07-10 14:56 . 2009-07-10 14:56 195472 ----a-w- c:\windows\system32\drivers\VBoxSF.sys
2009-07-10 14:55 . 2009-07-10 14:55 1059344 ----a-w- c:\windows\system32\VBoxService.exe
2009-07-10 14:55 . 2009-07-10 14:55 588304 ----a-w- c:\windows\system32\VBoxOGLfeedbackspu.dll
2009-07-10 14:55 . 2009-07-10 14:55 1346064 ----a-w- c:\windows\system32\VBoxOGLpackspu.dll
2009-07-10 14:55 . 2009-07-10 14:55 109072 ----a-w- c:\windows\system32\VBoxOGLpassthroughspu.dll
2009-07-10 14:55 . 2009-07-10 14:55 432656 ----a-w- c:\windows\system32\VBoxOGLarrayspu.dll
2009-07-10 14:55 . 2009-07-10 14:55 305680 ----a-w- c:\windows\system32\VBoxOGL.dll
2009-07-10 14:55 . 2009-07-10 14:55 65552 ----a-w- c:\windows\system32\VBoxHook.dll
2009-07-10 14:55 . 2009-07-10 14:55 645648 ----a-w- c:\windows\system32\VBoxGINA.dll
2009-07-10 14:54 . 2009-07-10 14:54 145936 ----a-w- c:\windows\system32\VBoxOGLerrorspu.dll
2009-07-10 14:54 . 2009-07-10 14:54 203280 ----a-w- c:\windows\system32\VBoxOGLcrutil.dll
2009-07-08 15:44 . 2009-07-08 15:44 -------- d-----w- c:\program files\Markus Mohnen
2009-07-08 15:38 . 2009-07-08 15:38 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Growl
2009-07-08 15:02 . 2009-07-08 15:02 -------- d-----w- c:\program files\SopCast
2009-07-08 14:49 . 2009-07-08 14:50 -------- d-----w- c:\program files\TVAnts
2009-07-08 14:43 . 2009-07-08 14:43 -------- d-----w- c:\documents and settings\Administrator\LocalLow
2009-07-08 14:43 . 2009-07-08 14:43 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\TVU Networks
2009-07-08 14:43 . 2009-07-08 14:43 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\TVU Networks
2009-07-07 23:48 . 2009-07-07 02:44 937984 ----a-w- c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\2epl54kr.Donny\extensions\piclens@cooliris.com\libs\PicLensHelper.exe
2009-07-07 23:48 . 2009-07-07 02:44 103424 ----a-w- c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\2epl54kr.Donny\extensions\piclens@cooliris.com\libs\pixomatic.dll
2009-07-07 23:48 . 2009-07-07 02:44 65536 ----a-w- c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\2epl54kr.Donny\extensions\piclens@cooliris.com\components\coolirisstub.dll
2009-07-07 23:48 . 2009-07-07 02:44 106496 ----a-w- c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\2epl54kr.Donny\extensions\piclens@cooliris.com\plugins\npcoolirisplugin.dll
2009-07-07 23:48 . 2009-07-07 02:44 4722688 ----a-w- c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\2epl54kr.Donny\extensions\piclens@cooliris.com\libs\cooliris19.dll
2009-07-07 23:48 . 2009-07-07 02:44 344064 ----a-w- c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\2epl54kr.Donny\extensions\piclens@cooliris.com\libs\LaunchCooliris.exe
2009-07-03 22:37 . 2009-07-03 22:39 -------- d-----w- c:\documents and settings\Administrator\Ekahau Site Survey
2009-07-03 22:35 . 2009-07-03 22:54 -------- d-----w- c:\program files\Ekahau
2009-07-01 04:08 . 2009-07-23 02:25 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Phanfare2
2009-07-01 04:08 . 2009-06-29 18:23 172032 ----a-w- c:\windows\system32\Phanfare Screensaver.scr
2009-07-01 04:08 . 2009-06-29 18:22 323624 ----a-w- c:\windows\system32\wiaaut.dll
2009-07-01 04:07 . 2009-07-23 02:22 344560 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-07-01 04:02 . 2009-07-01 04:02 -------- d-----w- c:\windows\system32\XPSViewer
2009-07-01 04:00 . 2009-07-01 04:00 -------- d-----w- c:\program files\Reference Assemblies
2009-07-01 03:58 . 2006-06-29 17:07 14048 ------w- c:\windows\system32\spmsg2.dll
2009-07-01 03:57 . 2006-06-29 17:07 22752 ----a-w- c:\windows\system32\spupdsvc.exe
2009-07-01 03:03 . 2009-07-01 03:50 -------- d-----w- c:\documents and settings\Administrator\Application Data\Desktopicon
2009-07-01 03:01 . 2009-07-01 03:02 -------- d-----w- c:\program files\FormatFactory
2009-06-30 23:54 . 2009-05-07 12:23 63488 ----a-w- c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\2epl54kr.Donny\extensions\{340c2bbc-ce74-4362-90b5-7c26312808ef}\platform\WINNT_x86-msvc\components\WeaveCrypto.dll
2009-06-30 21:27 . 2009-06-30 21:27 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-06-30 21:27 . 2009-06-30 21:27 -------- d-----w- c:\program files\Java
2009-06-30 21:25 . 2009-06-30 21:25 152576 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\jre1.6.0_14\lzma.dll
2009-06-30 02:25 . 2009-07-03 22:38 57164 ---ha-w- c:\windows\system32\mlfcache.dat
2009-06-28 06:36 . 2009-06-28 06:36 -------- d-----w- c:\program files\AnyBizSoft
2009-06-28 06:31 . 2009-06-28 06:31 -------- d-----w- c:\documents and settings\Administrator\Application Data\Stardock
2009-06-28 06:31 . 2009-06-28 06:31 -------- dc-h--w- c:\docume~1\ALLUSE~1\APPLIC~1\{067CEB81-A49B-4597-9505-A5515881D672}
2009-06-28 06:31 . 2009-06-28 06:31 -------- d-----w- c:\program files\Stardock
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-23 14:32 . 2009-04-20 12:11 -------- d-----w- c:\program files\Everything
2009-07-23 14:32 . 2009-04-20 12:13 -------- d-----w- c:\documents and settings\Administrator\Application Data\Free Download Manager
2009-07-23 02:30 . 2009-04-20 13:43 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2009-07-18 03:15 . 2009-04-20 12:13 -------- d-----w- c:\program files\Google
2009-07-17 16:03 . 2009-05-05 12:21 -------- d-----w- c:\documents and settings\Administrator\Application Data\uTorrent
2009-07-15 01:03 . 2009-04-20 12:36 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-07-13 17:36 . 2009-04-20 12:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-13 17:36 . 2009-04-20 12:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-10 14:56 . 2008-11-21 18:30 84496 ----a-w- c:\windows\system32\vbcoinst.dll
2009-07-10 14:56 . 2008-11-21 18:30 641552 ----a-w- c:\windows\system32\VBoxControl.exe
2009-07-10 14:56 . 2008-11-21 18:30 39376 ----a-w- c:\windows\system32\drivers\VBoxGuest.sys
2009-07-10 14:56 . 2008-11-21 18:30 1026576 ----a-w- c:\windows\system32\VBoxTray.exe
2009-07-10 14:56 . 2008-11-21 18:30 63632 ----a-w- c:\windows\system32\VBoxDisp.dll
2009-07-10 14:56 . 2008-11-21 18:30 57872 ----a-w- c:\windows\system32\drivers\VBoxVideo.sys
2009-07-10 14:56 . 2008-11-21 18:29 39888 ----a-w- c:\windows\system32\drivers\VBoxMouse.sys
2009-07-10 14:55 . 2008-11-21 18:28 645648 ----a-w- c:\windows\system32\VBoxMRXNP.dll
2009-07-01 04:26 . 2009-04-16 10:32 70400 ----a-w- c:\windows\system32\GDIPFONTCACHEV1.DAT
2009-07-01 04:07 . 2009-04-16 07:10 -------- d-----w- c:\program files\MSBuild
2009-06-26 04:13 . 2009-05-30 16:24 -------- d-----w- c:\program files\Digsby
2009-06-26 04:00 . 2009-04-20 12:05 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-06-26 04:00 . 2009-04-20 12:05 327688 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-06-26 04:00 . 2009-04-20 12:05 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-06-19 21:36 . 2009-06-19 21:36 -------- d-----w- c:\program files\Common Files\Deterministic Networks
2009-06-19 21:36 . 2009-06-19 21:36 -------- d-----w- c:\program files\Juniper
2009-06-19 21:35 . 2009-06-19 21:35 -------- d-----w- c:\program files\Common Files\InstallShield
2009-06-11 06:29 . 2009-06-11 06:29 -------- d-----w- c:\program files\Common Files\Blackbaud
2009-06-11 06:27 . 2009-06-11 06:27 -------- d-----w- c:\program files\Blackbaud
2009-06-11 05:16 . 2009-06-11 05:16 -------- d-----w- c:\program files\Common Files\Business Objects
2009-06-11 05:16 . 2009-06-11 05:16 -------- d-----w- c:\program files\Business Objects
2009-06-11 05:14 . 2009-06-11 05:14 -------- d-----w- c:\program files\MSXML 4.0
2009-06-01 14:36 . 2009-06-04 06:17 3184128 ----a-w- c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\2epl54kr.Donny\extensions\{0b457cAA-602d-484a-8fe7-c1d894a011ba}\library\SSS.dll
2009-05-30 18:27 . 2009-05-30 18:27 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Digsby
2009-05-30 16:45 . 2009-05-30 16:24 -------- d-----w- c:\documents and settings\Administrator\Application Data\Digsby
2009-05-08 02:55 . 2009-04-20 12:05 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-05-04 19:03 . 2009-05-04 19:03 59904 ----a-w- c:\windows\system32\zlib1.dll
2009-05-04 18:53 . 2009-05-04 18:53 286720 ----a-w- c:\windows\system32\libcurl.dll
2009-05-04 18:53 . 2009-05-04 18:53 196608 ----a-w- c:\windows\system32\ssleay32.dll
2009-05-04 18:53 . 2009-05-04 18:53 1028096 ----a-w- c:\windows\system32\libeay32.dll
2009-05-04 18:53 . 2009-05-04 18:53 143360 ----a-w- c:\windows\system32\libexpatw.dll
2009-06-24 13:26 . 2009-04-16 09:47 137208 ----a-w- c:\program files\mozilla firefox\components\brwsrcmp.dll
2008-05-05 20:14 . 2008-12-01 20:22 34048 ----a-w- c:\program files\opera\program\plugins\upd62i9x.dll
2008-05-05 20:14 . 2008-12-01 20:22 45056 ----a-w- c:\program files\opera\program\plugins\upd62int.dll
.
------- Sigcheck -------
[-] 2008-05-05 18:38 361344 ACCF5A9A1FFAA490F33DBA1C632B95E1 c:\windows\system32\drivers\tcpip.sys
.
((((((((((((((((((((((((((((( SnapShot@2009-07-17_02.02.53 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-07-25 17:24 . 2009-07-25 17:24 16384 c:\windows\temp\Perflib_Perfdata_1f0.dat
+ 2008-05-06 12:00 . 2009-07-25 17:29 66148 c:\windows\system32\perfc009.dat
- 2008-05-06 12:00 . 2009-07-17 01:44 66148 c:\windows\system32\perfc009.dat
+ 2009-07-14 17:45 . 2009-07-25 17:24 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2009-07-14 17:45 . 2009-07-17 01:40 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2009-07-14 17:45 . 2009-07-25 17:24 16384 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2009-07-14 17:45 . 2009-07-17 01:40 16384 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2009-07-14 17:45 . 2009-07-17 01:40 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2009-07-14 17:45 . 2009-07-25 17:24 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2009-07-18 03:15 . 2009-07-18 03:15 47104 c:\windows\Installer\2c856f.msi
+ 2009-07-18 02:33 . 2009-07-18 02:33 9662 c:\windows\Installer\{8870D0D8-4427-49BC-A0E7-ABAE34227983}\_D679D4221C9B860547047F.exe
+ 2009-07-18 02:33 . 2009-07-18 02:33 9662 c:\windows\Installer\{8870D0D8-4427-49BC-A0E7-ABAE34227983}\_C7AC1C9AA4412B85789A75.exe
+ 2009-07-18 02:33 . 2009-07-18 02:33 9662 c:\windows\Installer\{8870D0D8-4427-49BC-A0E7-ABAE34227983}\_6FEFF9B68218417F98F549.exe
+ 2008-05-06 12:00 . 2009-07-25 17:29 428224 c:\windows\system32\perfh009.dat
- 2008-05-06 12:00 . 2009-07-17 01:44 428224 c:\windows\system32\perfh009.dat
+ 2009-07-18 02:33 . 2009-07-18 02:33 424960 c:\windows\Installer\5a6a3.msi
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F9E4A054-E9B1-4BC3-83A3-76A1AE736170}]
2009-05-08 04:46 218160 ----a-w- c:\program files\Hotspot Shield\hssie\HssIE.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MoeMonitor.exe"="c:\documents and settings\Administrator\Local Settings\Application Data\Microsoft\Live Mesh\Bin\Servicing\0.9.4014.7\MoeMonitor.exe" [2009-07-03 1315152]
"LClock"="c:\program files\LClock\LClock.exe" [2004-09-19 65536]
"Growl"="c:\program files\Growl for Windows\Growl.exe" [2009-07-17 1171456]
"Gmail Growl"="c:\program files\Markus Mohnen\Gmail Growl\gmailgrowl.exe" [2009-06-04 900489]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VBoxTray"="c:\windows\system32\VBoxTray.exe" [2009-07-10 1026576]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-26 31016]
"PostCopy"="c:\windows\system32\BELKIN\F5D5050\PostCopy.exe" [2001-07-25 20480]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-06-26 1948440]
"Everything"="c:\program files\Everything\Everything.exe" [2009-03-13 602624]
c:\documents and settings\Administrator\Start Menu\Programs\Startup\
MagicDisc.lnk - c:\program files\MagicDisc\MagicDisc.exe [2009-4-16 534016]
c:\docume~1\ALLUSE~1\STARTM~1\Programs\Startup\
NetScreen-Remote.lnk - c:\program files\Juniper\NetScreen-Remote\SafeCfg.exe [2009-6-19 77876]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"= 1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"MemCheckBoxInRunDlg"= 1 (0x1)
"StartMenuFavorites"= 0 (0x0)
"Start_ShowMyComputer"= 1 (0x1)
"Start_ShowMyDocs"= 1 (0x1)
"Start_ShowMyMusic"= 0 (0x0)
"Start_ShowRun"= 1 (0x1)
"Start_ShowSearch"= 0 (0x0)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)
"MemCheckBoxInRunDlg"= 1 (0x1)
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"= 1 (0x1)
"ForceClassicControlPanel"= 1 (0x1)
"NoResolveTrack"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)
"MemCheckBoxInRunDlg"= 1 (0x1)
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\SharedTaskScheduler]
"{EC654325-1273-C2A9-2B7C-45A29BCE2FBD}"= "c:\program files\Stardock\Fences\DesktopDock.dll" [2009-02-25 517480]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 16:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wlcrdplauncher]
2009-07-03 19:41 21840 ----a-w- c:\program files\Live Mesh\Remote Desktop\wlcrdplauncher.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-06-26 04:00 11952 ----a-w- c:\windows\system32\avgrsstx.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"e:\\Program Files\\Phanfare\\Phanfare.exe"=
"c:\\Program Files\\Live Mesh\\Remote Desktop\\wlcrasvc.exe"=
"c:\\Documents and Settings\\Administrator\\Local Settings\\Application Data\\Microsoft\\Live Mesh\\GacBase\\Moe.exe"=
"c:\\Program Files\\Juniper\\NetScreen-Remote\\IreIKE.exe"=
"c:\program files\Juniper\NetScreen-Remote\ViewLog.exe"= c:\program files\Juniper\NetScreen-Remote\ViewLog.exe:127.0.0.1/255.255.255.255:Enabled:ViewLog
"c:\program files\Juniper\NetScreen-Remote\CmonApp.exe"= c:\program files\Juniper\NetScreen-Remote\CmonApp.exe:127.0.0.1/255.255.255.255:Enabled:CMonApp
"c:\program files\Juniper\NetScreen-Remote\vpn.exe"= c:\program files\Juniper\NetScreen-Remote\vpn.exe:127.0.0.1/255.255.255.255:Enabled:VPN Connection Manager
R0 VBoxGuest;VirtualBox Guest Driver;c:\windows\system32\drivers\VBoxGuest.sys [11/21/2008 2:30 PM 39376]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [4/20/2009 8:05 AM 327688]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [4/20/2009 8:05 AM 108552]
R1 IPSECDRV;SafeNet IPSec Plugin;c:\windows\system32\drivers\IpSecDrv.sys [6/19/2009 5:37 PM 138296]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [6/23/2009 11:01 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [6/23/2009 11:01 AM 72944]
R1 VBoxSF;VirtualBox Shared Folders;c:\windows\system32\drivers\VBoxSF.sys [7/10/2009 10:56 AM 195472]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [4/20/2009 8:05 AM 298776]
R2 Crypto;Crypto;c:\windows\system32\drivers\Crypto.sys [6/19/2009 5:37 PM 536634]
R2 Ekauio;Ekahau NDIS Usermode I/O Protocol;c:\windows\system32\drivers\ekauio.sys [4/7/2009 8:45 AM 12416]
R2 HssSrv;Hotspot Shield Helper Service;c:\program files\Hotspot Shield\HssWPR\hsssrv.exe [4/21/2009 9:12 PM 328752]
R2 VBoxService;VirtualBox Guest Additions Service;system32\VBoxService.exe --> system32\VBoxService.exe [?]
R2 wlcrasvc;Live Mesh Remote Desktop;c:\program files\Live Mesh\Remote Desktop\wlcrasvc.exe [4/16/2009 6:24 AM 44880]
R3 DniVap;SafeNet WAN Miniport (VA);c:\windows\system32\drivers\vap.sys [6/19/2009 5:36 PM 29184]
R3 RDPDISPM;RDPDISPM;c:\windows\system32\drivers\rdpdispm.sys [4/16/2009 6:24 AM 9024]
R3 RDPVDD;RDPVDD;c:\windows\system32\drivers\rdpvmp.sys [4/16/2009 6:24 AM 19392]
R3 VBoxMouse;VirtualBox Guest Mouse Service;c:\windows\system32\drivers\VBoxMouse.sys [11/21/2008 2:29 PM 39888]
R3 VBoxVideo;VBoxVideo;c:\windows\system32\drivers\VBoxVideo.sys [11/21/2008 2:30 PM 57872]
R3 vmmouse;VMware Pointing Device;c:\windows\system32\drivers\vmmouse.sys [12/1/2008 4:09 PM 11568]
S2 gupdate1c9c1b183ad1450;Google Update Service (gupdate1c9c1b183ad1450);c:\program files\Google\Update\GoogleUpdate.exe [4/20/2009 8:14 AM 133104]
S3 HssTrayService;Hotspot Shield Tray Service;c:\program files\Hotspot Shield\bin\HssTrayService.exe [4/22/2009 5:34 PM 34352]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [6/23/2009 11:01 AM 7408]
S3 vmxnet;VMware Ethernet Adapter Driver;c:\windows\system32\drivers\vmxnet.sys [12/1/2008 4:09 PM 29488]
S4 zlportio;zlportio;\??\g:\zlportio.sys --> g:\zlportio.sys [?]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.teezcricket.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mStart Page = hxxp://www.google.com
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: Download all with Free Download Manager - file://c:\program files\Free Download Manager\dlall.htm
IE: Download selected with Free Download Manager - file://c:\program files\Free Download Manager\dlselected.htm
IE: Download video with Free Download Manager - file://c:\program files\Free Download Manager\dlfvideo.htm
IE: Download with Free Download Manager - file://c:\program files\Free Download Manager\dllink.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\docume~1\ADMINI~1\APPLIC~1\Mozilla\Firefox\Profiles\2epl54kr.Donny\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/|http://ebiss/default.aspx|http://studywiz.biss.com.cn/|https://ibis.ibo.org/index.cfm|https://web4.ibo.org/ibnet/|http://online.ibo.org/ibis/occ/guest/home.cfm|http://docs.google.com/#not-in-folders|https://secure.members.easynews.com/global4/search.html?fly=1|http://www.abc.net.au/news/|http://www.google.com/reader/shared/10493336563511901340|http://www.newser.com/
FF - component: c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\2epl54kr.Donny\extensions\{0b457cAA-602d-484a-8fe7-c1d894a011ba}\platform\WINNT_x86-msvc\components\SSSLauncher.dll
FF - component: c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\2epl54kr.Donny\extensions\{340c2bbc-ce74-4362-90b5-7c26312808ef}\platform\WINNT_x86-msvc\components\WeaveCrypto.dll
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: c:\program files\Free Download Manager\Firefox\Extension\components\vmsfdmff.dll
FF - component: c:\program files\Google\Google Gears\Firefox\lib\ff35\gears.dll
FF - plugin: c:\program files\Google\Update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npFoxitReaderPlugin.dll
---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-25 13:36
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files:
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(1220)
geyekrpjxtedtf.dll 10000000 32768 \\?\globalroot\systemroot\system32\geyekrpjxtedtf.dll
c:\program files\SUPERAntiSpyware\SASWINLO.dll
.
Completion time: 2009-07-25 13:40
ComboFix-quarantined-files.txt 2009-07-25 17:40
ComboFix2.txt 2009-07-23 14:55
ComboFix3.txt 2009-07-22 02:12
ComboFix4.txt 2009-07-21 16:38
ComboFix5.txt 2009-07-25 17:20
Pre-Run: 1,560,051,712 bytes free
Post-Run: 1,562,075,136 bytes free
#20
Posted 29 July 2009 - 07:26 AM
I apologize for the delay but circumstances beyond my control have prevented me from responding.
Your best bet at this time is to start a NEW post and reference this current post so that someone else can assist you.
I will be out of town for the next week and probably will not have access to assist you with this.