Infected with a virus or search redirect malware.... [Solved]


#1 billpete (Member, 10 posts)
Seems as if I have caught a virus or some kind of malware on my PC. It runs pretty slow, and when I try to search something on Google it'll just be a white blank page, though you can still scroll up and down. It will also redirect me to an ad site by opening a new tab when I try to click on a link. The only way you can actually get to a website is if you put it in the actual address bar. Below is a HijackThis log that I did.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:01:43 PM, on 4/1/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Internet Explorer\Iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Media Player\WMPNetwk.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
c:\windows\system\hpsysdrv.exe
C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,C:\WINDOWS\system32\sdra64.exe,
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {C1961015-9A50-4EF4-9DD4-0EA2D3E14282} - c:\windows\system32\qbrlfys.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [system tool] C:\WINDOWS\sysguard.exe
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6.5\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6.5\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1234344587984
O20 - Winlogon Notify: smhkiyzp - C:\WINDOWS\SYSTEM32\qbrlfys.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe

--
End of file - 4572 bytes
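The log above can be triaged mechanically. The following is an added example (my own code, not part of the thread or of HijackThis) that parses the HijackThis line format and applies the checks a helper applies by eye: a second program chained onto Winlogon's UserInit value, which Winlogon runs at every logon; a browser helper object reported as (no name); an HKCU Run value pointing at an .exe dropped straight into the Windows directory; and a Winlogon Notify package, flagged harder when it loads the same DLL as the unnamed BHO. The sample lines are copied from the log in this post; the rules are heuristics chosen for this example, not HijackThis's own scoring.

```python
"""Triage a HijackThis v2.0.2 log for the persistence points that matter most.

Added example, not part of the original post or of HijackThis itself. The
rules below are this example's own heuristics; the sample lines are a subset
copied from the log posted in the thread.
"""
import re
from collections import namedtuple

Finding = namedtuple("Finding", "section reason item")

# Constructed subset of the posted HijackThis log.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,C:\WINDOWS\system32\sdra64.exe,
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {C1961015-9A50-4EF4-9DD4-0EA2D3E14282} - c:\windows\system32\qbrlfys.dll
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [system tool] C:\WINDOWS\sysguard.exe
O20 - Winlogon Notify: smhkiyzp - C:\WINDOWS\SYSTEM32\qbrlfys.dll
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
"""

ENTRY = re.compile(r"^(R\d|F\d|O\d+) - (.*)$")
RUN_ENTRY = re.compile(r"^(HK\w+)\\\.\.\\Run: \[(.*?)\] (.*)$")
# An .exe sitting directly in the Windows root (not in system32 or a subfolder).
WINDOWS_ROOT_EXE = re.compile(r"^[a-z]:\\windows\\[^\\]+\.exe$", re.I)


def executable_of(command):
    """Program path from a Run value: '"C:\\x y\\a.exe" /run' -> 'C:\\x y\\a.exe'."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.find('"', 1)]
    return command.split(" ", 1)[0]


def parse(log_text):
    """Yield (section, body) for every HijackThis entry line, skipping the rest."""
    for raw in log_text.splitlines():
        m = ENTRY.match(raw.strip())
        if m:
            yield m.group(1), m.group(2)


def triage(log_text):
    entries = list(parse(log_text))
    findings = []
    unnamed_bho_dlls = set()

    for section, body in entries:
        if section == "F2" and body.startswith("REG:system.ini: UserInit="):
            # Winlogon runs every comma-separated program in UserInit at logon;
            # only userinit.exe belongs there.
            chain = [p.strip() for p in body.split("=", 1)[1].split(",") if p.strip()]
            for prog in chain:
                if not prog.lower().endswith("\\userinit.exe"):
                    findings.append(Finding("F2", "extra program in UserInit chain", prog))
        elif section == "O2":
            parts = body.rsplit(" - ", 2)          # name, CLSID, DLL path
            if len(parts) == 3 and parts[0].endswith("(no name)"):
                unnamed_bho_dlls.add(parts[2].lower())
                findings.append(Finding("O2", "browser helper object with no name", parts[2]))
        elif section == "O4":
            m = RUN_ENTRY.match(body)
            if m and m.group(1) == "HKCU" and WINDOWS_ROOT_EXE.match(executable_of(m.group(3))):
                # Per-user autostart of an .exe dropped into C:\WINDOWS itself;
                # legitimate software installs under Program Files or system32.
                findings.append(Finding("O4", "HKCU Run value in Windows root", executable_of(m.group(3))))

    # Second pass so the O20 check can see every unnamed BHO regardless of line order.
    for section, body in entries:
        if section == "O20" and body.startswith("Winlogon Notify:"):
            _name, dll = body[len("Winlogon Notify:"):].split(" - ", 1)
            reason = "Winlogon Notify package (loads into winlogon.exe)"
            if dll.strip().lower() in unnamed_bho_dlls:
                reason += "; same DLL as the unnamed BHO"
            findings.append(Finding("O20", reason, dll.strip()))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:<4} {f.reason}: {f.item}")
```

On the posted log this reports the UserInit add-on, the nameless BHO, the HKCU "system tool" entry and the Winlogon Notify DLL, and leaves the Adobe, Java, Realtek and Apple entries alone. The Windows-root rule is deliberately narrow (HKCU only) so that OEM tools such as RTHDCPL.EXE, which is started from HKLM, are not flagged.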

#2 heir (Trusted Helper, Malware Removal, 5,427 posts)
Hello billpete !

Welcome to the site! :) My nickname is heir and I'll be helping clean up your computer. :)

Before we proceed to clean your computer from malware, let's go over some points that will help both me and you, and prevent causing damage to your computer:
  • To make sure that you receive an email when I reply to this topic, please click here and check that this topic is listed under Malware Removal and Spyware Removal.
  • Please don't be afraid to ask questions! No question is considered dumb here. It's better to be safe than sorry!
  • When posting logs, please ensure Word Wrap is turned off in Notepad (to check, open Notepad, click Format in the menu bar and make sure that Word Wrap is unchecked)
  • Please follow the steps exactly in the same order posted. If you can't perform a certain step, or you're unsure on what to do, please stop and let me know.
  • NEVER fix anything in HijackThis or other programs on your own! This can be very dangerous and cause harm to your system. If you see a certain entry or program you're unsure about, please don't hesitate to ask!
  • Make sure you reply to this thread using the Add Reply button.

Please read my posts completely before following the instructions.
It may be easier for you if you copy and paste a post to a new text document or print it for reference later.
This is required if you won't have access to the Internet.


Step 1.
ComboFix:

Download ComboFix from one of these locations:

Link 1
Link 2
Link 3


* IMPORTANT !!! Save ComboFix.exe to your Desktop


  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Step 2.
HJT:

Scan your computer with HijackThis and post the fresh HJT-log in your reply.

Step 3.
Lop S&D:

Disable resident protections (Antivirus...); you'll re-enable them after the scan

Download Lop S&D here and save it to the desktop

Double-click Lop S&D.exe
Choose the language, then choose Option 1 (Search)
Wait till the end of the scan
Post the log which is created: (%SystemDrive%\lopR.txt)

Step 4.
Things I would like to see in your reply:

  • The content of C:\ComboFix.txt from step 1.
  • The content of the fresh HJT-log from step 2.
  • The content of C:\lopR.txt from step 3.
  • The content of C:\Qoobox\Add-Remove Programs.txt


#3 billpete (Topic Starter, Member, 10 posts)
Well, it seems for some reason ComboFix will not run. When I double-click it, it'll show the hourglass, but then it will go away and nothing happens. It shows up in the Processes window of Task Manager as well, but it will not load the program itself.

Edited by billpete, 05 April 2009 - 02:49 PM.


#4 heir (Trusted Helper, Malware Removal, 5,427 posts)
When running ComboFix do it like this:

Delete ComboFix.exe from your desktop

Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop.

Link 1
Link 2
Link 3


Double click on Combo-Fix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt

If it runs proceed with the other steps, else just let me know.

Edited by heir, 05 April 2009 - 03:10 PM.


#5 billpete (Topic Starter, Member, 10 posts)
Alrighty, awesome, it worked that time. Below are the ComboFix, HijackThis, and Lop S&D logs you requested.


COMBOFIX LOG:

ComboFix 09-04-04.01 - Compaq_Owner 2009-04-05 19:38:51.14 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.958.631 [GMT -4:00]
Running from: c:\documents and settings\Compaq_Owner.COMPAQMEDIA\Desktop\Combo-Fix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
c:\windows\sysguard.exe
c:\windows\system32\drivers\UACokwmafty.sys
c:\windows\system32\iehelper.dll
c:\windows\system32\lowsec
c:\windows\system32\lowsec\local.ds
c:\windows\system32\lowsec\user.ds
c:\windows\system32\lowsec\user.ds.lll
c:\windows\system32\qbrlfys.dll
c:\windows\system32\sdra64.exe
c:\windows\system32\UACcoessqjm.dll
c:\windows\system32\UACfnsxtqmt.log
c:\windows\system32\uacinit.dll
c:\windows\system32\UACjaraeoeb.dll
c:\windows\system32\UACndcesurd.dll
c:\windows\system32\UACnkoyhaea.dll
c:\windows\system32\UACpagtkuln.log
c:\windows\system32\UACpyovlbgd.dat
c:\windows\system32\UACsvlbswmw.log
c:\windows\system32\UACuoykjgws.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_UACd.sys
-------\Legacy_DUHMUGGU
-------\Service_duhmuggu
-------\Legacy_DUHMUGGU
-------\Service_duhmuggu


((((((((((((((((((((((((( Files Created from 2009-03-05 to 2009-04-05 )))))))))))))))))))))))))))))))
.

2009-04-05 17:57 . 2009-04-05 17:57 <DIR> d-------- c:\documents and settings\Compaq_Owner.COMPAQMEDIA\Application Data\cqafderf
2009-04-05 16:46 . 2009-04-05 16:46 <DIR> d-------- C:\Lop SD
2009-04-04 16:24 . 2009-04-04 16:24 <DIR> d-------- c:\documents and settings\NetworkService\Application Data\cqafderf
2009-04-01 02:34 . 2006-05-20 02:46 <DIR> d-------- c:\documents and settings\Administrator.COMPAQMEDIA\WINDOWS
2009-04-01 02:34 . 2009-04-01 02:34 <DIR> d-------- c:\documents and settings\Administrator.COMPAQMEDIA
2009-03-11 14:12 . 2009-03-11 14:12 <DIR> d-------- c:\program files\HydraIRC
2009-03-11 14:08 . 2009-04-01 17:01 <DIR> d-------- C:\wIRC
2009-03-11 14:08 . 2009-03-11 16:36 <DIR> d-------- c:\program files\abgx360
2009-03-10 18:17 . 2009-03-10 18:18 <DIR> d-------- c:\program files\TurboFTP
2009-03-10 18:17 . 2009-03-10 18:18 <DIR> d-------- c:\documents and settings\Compaq_Owner.COMPAQMEDIA\Application Data\TurboFTP
2009-03-10 18:17 . 2009-03-10 18:17 <DIR> d-------- c:\documents and settings\All Users\Application Data\TurboFTP
2009-03-07 03:03 . 2009-03-07 03:03 742,770 --a------ c:\windows\system32\abgx360.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-05 23:25 --------- d-----w c:\documents and settings\Compaq_Owner.COMPAQMEDIA\Application Data\uTorrent
2009-04-05 03:22 --------- d-----w c:\documents and settings\Compaq_Owner.COMPAQMEDIA\Application Data\FrostWire
2009-03-29 22:24 --------- d-----w c:\program files\Windows Media Connect 2
2009-03-25 20:48 --------- d-----w c:\program files\AskBarDis
2009-03-24 01:50 --------- d-----w c:\documents and settings\Compaq_Owner.COMPAQMEDIA\Application Data\dvdcss
2009-03-16 03:02 --------- d-----w c:\documents and settings\Compaq_Owner.COMPAQMEDIA\Application Data\DivX
2009-03-14 09:24 --------- d-----w c:\program files\FrostWire
2009-03-10 22:18 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-02-26 08:33 --------- d-----w c:\program files\Windows Desktop Search
2009-02-26 06:20 --------- d-----w c:\documents and settings\Compaq_Owner.COMPAQMEDIA\Application Data\Sony
2009-02-26 06:19 --------- d-----w c:\documents and settings\Compaq_Owner.COMPAQMEDIA\Application Data\Publish Providers
2009-02-26 06:18 --------- d-----w c:\program files\Sony
2009-02-26 06:17 --------- d-----w c:\program files\Microsoft.NET
2009-02-26 06:17 --------- d-----w c:\program files\Microsoft SQL Server
2009-02-26 06:16 --------- d-----w c:\program files\MSXML 6.0
2009-02-26 06:12 --------- d-----w c:\program files\Sony Setup
2009-02-26 06:09 --------- d-----w c:\program files\Vstplugins
2009-02-26 06:09 --------- d-----w c:\documents and settings\All Users\Application Data\Sony
2009-02-26 05:21 --------- d-----w c:\documents and settings\Compaq_Owner.COMPAQMEDIA\Application Data\Sony Setup
2009-02-26 04:37 --------- d-----w c:\documents and settings\LocalService\Application Data\CyberLink
2009-02-26 04:06 --------- d-----w c:\documents and settings\All Users\Application Data\CyberLink
2009-02-26 04:05 --------- d-----w c:\documents and settings\Compaq_Owner.COMPAQMEDIA\Application Data\CyberLink
2009-02-26 04:03 --------- d--h--w c:\program files\InstallShield Installation Information
2009-02-26 04:03 --------- d-----w c:\program files\CyberLink
2009-02-26 04:01 --------- d-----w c:\documents and settings\All Users\Application Data\SmartSound Software Inc
2009-02-26 04:00 --------- d-----w c:\program files\SmartSound Software
2009-02-19 08:26 --------- d-----w c:\program files\Opera
2009-02-15 04:13 --------- d-----w c:\documents and settings\Compaq_Owner.COMPAQMEDIA\Application Data\AdobeUM
2009-02-15 04:04 --------- d-----w c:\program files\AIM
2009-02-15 00:16 --------- d-----w c:\program files\iTunes
2009-02-14 22:58 --------- d-----w c:\documents and settings\Compaq_Owner.COMPAQMEDIA\Application Data\Aim
2009-02-14 22:43 --------- d-----w c:\program files\AIM+
2009-02-14 09:04 --------- d-----w c:\documents and settings\Compaq_Owner.COMPAQMEDIA\Application Data\Malwarebytes
2009-02-14 09:04 --------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-02-14 07:42 --------- d-----w c:\program files\Trend Micro
2009-02-14 01:27 --------- d-----w c:\documents and settings\Compaq_Owner.COMPAQMEDIA\Application Data\Apple Computer
2009-02-13 06:12 --------- d-----w c:\program files\Yahoo!
2009-02-13 03:29 --------- d-----w c:\documents and settings\Compaq_Owner.COMPAQMEDIA\Application Data\.purple
2009-02-11 11:39 --------- d-----w c:\documents and settings\Compaq_Owner.COMPAQMEDIA\Application Data\Nero
2009-02-11 11:34 --------- d-----w c:\program files\Common Files\Nero
2009-02-11 11:21 --------- d-----w c:\program files\Nero
2009-02-11 11:19 --------- d-----w c:\program files\Windows Sidebar
2009-02-11 11:13 --------- d-----w c:\documents and settings\All Users\Application Data\Nero
2009-02-11 08:45 --------- d-----w c:\program files\ICQ6.5
2009-02-11 08:45 --------- d-----w c:\documents and settings\All Users\Application Data\Symantec
2009-02-11 08:40 --------- d-----w c:\program files\PowerISO
2009-02-11 08:34 --------- d-----w c:\program files\HP
2009-02-11 08:34 --------- d-----w c:\program files\Hewlett-Packard
2009-02-11 08:28 --------- d-----w c:\program files\Microsoft Works
2009-02-11 08:19 --------- d-----w c:\documents and settings\Compaq_Owner.COMPAQMEDIA\Application Data\Yahoo!
2009-02-11 08:16 --------- d-----w c:\program files\DivX
2009-02-11 08:14 --------- d-----w c:\program files\QuickTime
2009-02-11 08:12 --------- d-----w c:\program files\MagicISO
2009-02-11 08:11 --------- d-----w c:\program files\Winamp
2009-02-11 08:10 --------- d-----w c:\program files\Winamp Remote
2009-02-11 08:00 --------- d-----w c:\documents and settings\Compaq_Owner.COMPAQMEDIA\Application Data\vlc
2009-02-11 07:59 --------- d-----w c:\documents and settings\Compaq_Owner.COMPAQMEDIA\Application Data\ICQ
2009-02-11 07:31 --------- d-----w c:\documents and settings\Compaq_Owner.COMPAQMEDIA\Application Data\X-Chat 2
2009-02-11 07:26 1,965 --sha-r c:\windows\system32\drivers\103C_HP_CPC_EX321AA-ABA SR1930NX NA630_YC_0Pres_QCNH621_E63NAheREA2_48_IAltair_SASUSTeK Computer INC._V1.00_B3.03_T060519_WXH2_L409_M959_J200_7Intel_8Pentium 4_93.07_#070814_N10EC8139_Z14F12F20_G10025A61.MRK
2009-02-11 06:40 --------- d-----w c:\documents and settings\All Users\Application Data\Simply Super Software
2009-02-05 04:23 --------- d-----w c:\documents and settings\All Users\Application Data\Yahoo!
2007-12-12 01:26 32 ----a-w c:\documents and settings\All Users\Application Data\ezsid.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{3041D03E-FD4B-44E0-B742-2D9B88305F98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-09-08 279944]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2005-07-23 237568]
"HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2006-02-16 249856]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-05-20 180269]
"RTHDCPL"="RTHDCPL.EXE" [2006-03-08 c:\windows\RTHDCPL.EXE]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
--a------ 2009-02-15 00:04 67112 c:\progra~1\AIM\aim.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CloneCDTray]
--a------ 2006-09-28 15:21 57344 c:\program files\SlySoft\CloneCD\CloneCDTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ICQ]
--a------ 2008-12-17 09:36 172792 c:\program files\ICQ6.5\ICQ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Messenger (Yahoo!)]
--a------ 2009-02-04 17:57 4363504 c:\program files\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2008-04-13 20:12 1695232 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Orb]
--a------ 2008-03-31 21:54 507904 c:\program files\Winamp Remote\bin\OrbTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
--a------ 2008-11-02 04:38 167936 c:\program files\PowerISO\PWRISOVM.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2009-02-12 17:21 148888 c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2006-05-20 02:30 180269 c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"LightScribeService"=2 (0x2)
"iPod Service"=3 (0x3)
"Nero BackItUp Scheduler 4.0"=2 (0x2)
"MDM"=2 (0x2)
"JavaQuickStarterService"=2 (0x2)
"IDriverT"=3 (0x3)
"Ati HotKey Poller"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\ICQ6.5\\ICQ.exe"=
"c:\\Program Files\\Winamp Remote\\bin\\Orb.exe"=
"c:\\Program Files\\Winamp Remote\\bin\\OrbTray.exe"=
"c:\\Program Files\\Winamp Remote\\bin\\OrbStreamerClient.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\xchat\\xchat.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\FrostWire\\FrostWire.exe"=

S3 MSSQL$SONY_MEDIAMGR2;SQL Server (SONY_MEDIAMGR2);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2007-02-10 29178224]
.
Contents of the 'Scheduled Tasks' folder

2009-04-05 c:\windows\Tasks\At1.job
- c:\windows\system32\q37SRk5a.exe []

2009-04-05 c:\windows\Tasks\At10.job
- c:\windows\system32\q37SRk5a.exe []

2009-04-05 c:\windows\Tasks\At11.job
- c:\windows\system32\q37SRk5a.exe []

2009-04-05 c:\windows\Tasks\At12.job
- c:\windows\system32\q37SRk5a.exe []

2009-04-05 c:\windows\Tasks\At13.job
- c:\windows\system32\q37SRk5a.exe []

2009-04-05 c:\windows\Tasks\At14.job
- c:\windows\system32\q37SRk5a.exe []

2009-04-05 c:\windows\Tasks\At15.job
- c:\windows\system32\q37SRk5a.exe []

2009-04-05 c:\windows\Tasks\At16.job
- c:\windows\system32\q37SRk5a.exe []

2009-04-05 c:\windows\Tasks\At17.job
- c:\windows\system32\q37SRk5a.exe []

2009-04-05 c:\windows\Tasks\At18.job
- c:\windows\system32\q37SRk5a.exe []

2009-04-05 c:\windows\Tasks\At19.job
- c:\windows\system32\q37SRk5a.exe []

2009-04-05 c:\windows\Tasks\At2.job
- c:\windows\system32\q37SRk5a.exe []

2009-04-05 c:\windows\Tasks\At20.job
- c:\windows\system32\q37SRk5a.exe []

2009-04-05 c:\windows\Tasks\At21.job
- c:\windows\system32\q37SRk5a.exe []

2009-04-05 c:\windows\Tasks\At22.job
- c:\windows\system32\q37SRk5a.exe []

2009-04-05 c:\windows\Tasks\At23.job
- c:\windows\system32\q37SRk5a.exe []

2009-04-05 c:\windows\Tasks\At24.job
- c:\windows\system32\q37SRk5a.exe []

2009-04-05 c:\windows\Tasks\At25.job
- c:\windows\system32\6l0Wf2rh.exe []

2009-04-05 c:\windows\Tasks\At26.job
- c:\windows\system32\6l0Wf2rh.exe []

2009-04-05 c:\windows\Tasks\At27.job
- c:\windows\system32\6l0Wf2rh.exe []

2009-04-05 c:\windows\Tasks\At28.job
- c:\windows\system32\6l0Wf2rh.exe []

2009-04-05 c:\windows\Tasks\At29.job
- c:\windows\system32\6l0Wf2rh.exe []

2009-04-05 c:\windows\Tasks\At3.job
- c:\windows\system32\q37SRk5a.exe []

2009-04-05 c:\windows\Tasks\At30.job
- c:\windows\system32\6l0Wf2rh.exe []

2009-04-05 c:\windows\Tasks\At31.job
- c:\windows\system32\6l0Wf2rh.exe []

2009-04-05 c:\windows\Tasks\At32.job
- c:\windows\system32\6l0Wf2rh.exe []

2009-04-05 c:\windows\Tasks\At33.job
- c:\windows\system32\6l0Wf2rh.exe []

2009-04-05 c:\windows\Tasks\At34.job
- c:\windows\system32\6l0Wf2rh.exe []

2009-04-05 c:\windows\Tasks\At35.job
- c:\windows\system32\6l0Wf2rh.exe []

2009-04-05 c:\windows\Tasks\At36.job
- c:\windows\system32\6l0Wf2rh.exe []

2009-04-05 c:\windows\Tasks\At37.job
- c:\windows\system32\6l0Wf2rh.exe []

2009-04-05 c:\windows\Tasks\At38.job
- c:\windows\system32\6l0Wf2rh.exe []

2009-04-05 c:\windows\Tasks\At39.job
- c:\windows\system32\6l0Wf2rh.exe []

2009-04-05 c:\windows\Tasks\At4.job
- c:\windows\system32\q37SRk5a.exe []

2009-04-05 c:\windows\Tasks\At40.job
- c:\windows\system32\6l0Wf2rh.exe []

2009-04-05 c:\windows\Tasks\At41.job
- c:\windows\system32\6l0Wf2rh.exe []

2009-04-05 c:\windows\Tasks\At42.job
- c:\windows\system32\6l0Wf2rh.exe []

2009-04-05 c:\windows\Tasks\At43.job
- c:\windows\system32\6l0Wf2rh.exe []

2009-04-05 c:\windows\Tasks\At44.job
- c:\windows\system32\6l0Wf2rh.exe []

2009-04-05 c:\windows\Tasks\At45.job
- c:\windows\system32\6l0Wf2rh.exe []

2009-04-05 c:\windows\Tasks\At46.job
- c:\windows\system32\6l0Wf2rh.exe []

2009-04-05 c:\windows\Tasks\At47.job
- c:\windows\system32\6l0Wf2rh.exe []

2009-04-05 c:\windows\Tasks\At48.job
- c:\windows\system32\6l0Wf2rh.exe []

2009-04-05 c:\windows\Tasks\At49.job
- c:\windows\system32\qbrlfys.dll []

2009-04-05 c:\windows\Tasks\At5.job
- c:\windows\system32\q37SRk5a.exe []

2009-04-05 c:\windows\Tasks\At6.job
- c:\windows\system32\q37SRk5a.exe []

2009-04-05 c:\windows\Tasks\At7.job
- c:\windows\system32\q37SRk5a.exe []

2009-04-05 c:\windows\Tasks\At8.job
- ?:\2 []

2009-04-05 c:\windows\Tasks\At8.job
- c:\windows\system32\q37SRk5a.exe []

2009-04-05 c:\windows\Tasks\At9.job
- c:\windows\system32\q37SRk5a.exe []
.
- - - - ORPHANS REMOVED - - - -

BHO-{C1961015-9A50-4EF4-9DD4-0EA2D3E14282} - c:\windows\system32\qbrlfys.dll
HKCU-Run-system tool - c:\windows\sysguard.exe


.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Compaq_Owner.COMPAQMEDIA\Application Data\Mozilla\Firefox\Profiles\8v7fle8h.default\
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-05 19:44:43
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-983352657-3560731182-2007119311-1009\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-983352657-3560731182-2007119311-1009\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{988DF640-7566-F1B8-8014-8008F1564F95}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"jahjoafjikmbknpfbmnl"=hex:6a,61,64,70,69,68,6a,6c,68,6c,63,65,61,70,6b,6a,63,
6a,6e,6f,00,f2
"iabjanjnllamdkllcj"=hex:6a,61,64,70,69,68,6a,6c,68,6c,63,65,61,70,6b,6a,63,6a,
6e,6f,00,f2
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(760)
c:\windows\system32\Ati2evxx.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\CyberLink\Shared files\RichVideo.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe
c:\windows\system\hpsysdrv.exe
c:\program files\Java\jre1.5.0_05\bin\jusched.exe
c:\program files\Java\jre1.5.0_05\bin\jucheck.exe
c:\program files\iTunes\iTunesHelper.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-04-05 19:48:48 - machine was rebooted [Compaq_Owner]
ComboFix-quarantined-files.txt 2009-04-05 23:48:45

Pre-Run: 965,296,128 bytes free
Post-Run: 950,763,520 bytes free

337 --- E O F --- 2009-03-14 07:01:23


HIJACKTHIS LOG:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:49:33 PM, on 4/5/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\wuauclt.exe
c:\windows\system\hpsysdrv.exe
C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
C:\Program Files\Java\jre1.5.0_05\bin\jucheck.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6.5\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6.5\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1234344587984
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe

--
End of file - 4084 bytes


LOP S&D LOG:


--------------------\\ Lop S&D 4.2.5-0 XP/Vista

Microsoft Windows XP Home Edition ( v5.1.2600 ) Service Pack 3
X86-based PC ( Multiprocessor Free : Intel® Pentium® 4 CPU 3.06GHz )
BIOS : Phoenix - AwardBIOS v6.00PG
USER : Compaq_Owner ( Administrator )
BOOT : Normal boot
C:\ (Local Disk) - NTFS - Total:179 Go (Free:0 Go)
D:\ (Local Disk) - NTFS - Total:149 Go (Free:11 Go)
E:\ (Local Disk) - NTFS - Total:127 Go (Free:1 Go)
F:\ (Local Disk) - FAT32 - Total:7 Go (Free:0 Go)
G:\ (USB)
H:\ (USB)
I:\ (USB)
J:\ (USB)
K:\ (CD or DVD) - UDF - Total:4 Go (Free:0 Go)

"C:\Lop SD" ( MAJ : 19-12-2008|23:40 )
Option : [1] ( Sun 04/05/2009|19:49 )

--------------------\\ Listing folders in APPLIC~1

[01/01/2009|10:55] C:\DOCUME~1\ADMINI~1\APPLIC~1\<DIR> DivX
[12/06/2005|01:18] C:\DOCUME~1\ADMINI~1\APPLIC~1\<DIR> Identities
[05/20/2006|02:47] C:\DOCUME~1\ADMINI~1\APPLIC~1\<DIR> Intuit
[05/20/2006|03:15] C:\DOCUME~1\ADMINI~1\APPLIC~1\<DIR> Microsoft
[01/01/2009|10:54] C:\DOCUME~1\ADMINI~1\APPLIC~1\<DIR> Mozilla
[05/20/2006|02:30] C:\DOCUME~1\ADMINI~1\APPLIC~1\<DIR> Real

[12/06/2005|01:18] C:\DOCUME~1\ADMINI~1.COM\APPLIC~1\<DIR> Identities
[05/20/2006|02:47] C:\DOCUME~1\ADMINI~1.COM\APPLIC~1\<DIR> Intuit
[05/20/2006|03:15] C:\DOCUME~1\ADMINI~1.COM\APPLIC~1\<DIR> Microsoft
[05/20/2006|02:30] C:\DOCUME~1\ADMINI~1.COM\APPLIC~1\<DIR> Real
[05/20/2006|03:10] C:\DOCUME~1\ADMINI~1.COM\APPLIC~1\<DIR> Symantec

[10/06/2008|02:40] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> {3276BE95_AF08_429F_A64F_CA64CB79BCF6}
[01/01/2009|10:29] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> AcrobatInstall
[05/20/2006|02:40] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Adobe
[09/04/2007|02:11] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Adobe Systems
[12/09/2007|05:22] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> AOL
[08/14/2007|05:00] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> AOL OCP
[12/21/2007|10:06] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Apple
[12/25/2007|11:32] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Apple Computer
[08/18/2007|09:18] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> ATI
[08/14/2007|10:28] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Azureus
[01/02/2009|03:06] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Backup
[02/26/2009|12:06] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> CyberLink
[01/27/2009|05:24] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> DVD Shrink
[01/26/2009|06:58] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> FLEXnet
[08/14/2007|04:32] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Google
[05/20/2006|03:12] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Hewlett-Packard
[05/20/2006|02:32] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> InstallShield
[05/20/2006|02:47] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Intuit
[02/14/2009|05:04] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Malwarebytes
[02/26/2009|01:53] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Microsoft
[02/11/2009|07:13] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Nero
[09/11/2007|08:12] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> NewsBin
[01/04/2009|05:34] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> OrbNetworks
[05/20/2006|02:07] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> SBSI
[01/02/2009|03:20] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> sentinel
[02/11/2009|02:40] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Simply Super Software
[12/11/2007|09:25] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Skype
[12/26/2008|03:28] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> SlySoft
[02/26/2009|12:01] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> SmartSound Software Inc
[05/20/2006|02:27] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Sonic
[02/26/2009|02:09] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Sony
[02/11/2009|04:45] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Symantec
[03/10/2009|06:18] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> TEMP
[03/10/2009|06:17] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> TurboFTP
[08/14/2007|06:50] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Windows Genuine Advantage
[02/05/2009|12:23] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Yahoo!


[02/12/2009|11:29] C:\DOCUME~1\COMPAQ~1.COM\APPLIC~1\<DIR> .purple
[02/11/2009|05:54] C:\DOCUME~1\COMPAQ~1.COM\APPLIC~1\<DIR> Adobe
[02/15/2009|12:13] C:\DOCUME~1\COMPAQ~1.COM\APPLIC~1\<DIR> AdobeUM
[02/14/2009|06:58] C:\DOCUME~1\COMPAQ~1.COM\APPLIC~1\<DIR> Aim
[02/13/2009|09:27] C:\DOCUME~1\COMPAQ~1.COM\APPLIC~1\<DIR> Apple Computer
[04/05/2009|05:57] C:\DOCUME~1\COMPAQ~1.COM\APPLIC~1\<DIR> cqafderf
[02/26/2009|12:05] C:\DOCUME~1\COMPAQ~1.COM\APPLIC~1\<DIR> CyberLink
[03/15/2009|11:02] C:\DOCUME~1\COMPAQ~1.COM\APPLIC~1\<DIR> DivX
[03/23/2009|09:50] C:\DOCUME~1\COMPAQ~1.COM\APPLIC~1\<DIR> dvdcss
[04/04/2009|11:22] C:\DOCUME~1\COMPAQ~1.COM\APPLIC~1\<DIR> FrostWire
[02/15/2009|04:21] C:\DOCUME~1\COMPAQ~1.COM\APPLIC~1\<DIR> Help
[02/11/2009|03:59] C:\DOCUME~1\COMPAQ~1.COM\APPLIC~1\<DIR> ICQ
[12/06/2005|01:18] C:\DOCUME~1\COMPAQ~1.COM\APPLIC~1\<DIR> Identities
[05/20/2006|02:47] C:\DOCUME~1\COMPAQ~1.COM\APPLIC~1\<DIR> Intuit
[02/11/2009|03:51] C:\DOCUME~1\COMPAQ~1.COM\APPLIC~1\<DIR> Macromedia
[02/14/2009|05:04] C:\DOCUME~1\COMPAQ~1.COM\APPLIC~1\<DIR> Malwarebytes
[02/11/2009|03:31] C:\DOCUME~1\COMPAQ~1.COM\APPLIC~1\<DIR> Microsoft
[02/13/2009|02:21] C:\DOCUME~1\COMPAQ~1.COM\APPLIC~1\<DIR> Mozilla
[02/11/2009|07:39] C:\DOCUME~1\COMPAQ~1.COM\APPLIC~1\<DIR> Nero
[02/15/2009|04:27] C:\DOCUME~1\COMPAQ~1.COM\APPLIC~1\<DIR> Opera
[02/26/2009|02:19] C:\DOCUME~1\COMPAQ~1.COM\APPLIC~1\<DIR> Publish Providers
[02/13/2009|04:37] C:\DOCUME~1\COMPAQ~1.COM\APPLIC~1\<DIR> Real
[02/26/2009|02:20] C:\DOCUME~1\COMPAQ~1.COM\APPLIC~1\<DIR> Sony
[02/26/2009|01:21] C:\DOCUME~1\COMPAQ~1.COM\APPLIC~1\<DIR> Sony Setup
[02/11/2009|08:43] C:\DOCUME~1\COMPAQ~1.COM\APPLIC~1\<DIR> Sun
[03/10/2009|06:18] C:\DOCUME~1\COMPAQ~1.COM\APPLIC~1\<DIR> TurboFTP
[04/05/2009|07:25] C:\DOCUME~1\COMPAQ~1.COM\APPLIC~1\<DIR> uTorrent
[02/11/2009|04:00] C:\DOCUME~1\COMPAQ~1.COM\APPLIC~1\<DIR> vlc
[02/11/2009|04:10] C:\DOCUME~1\COMPAQ~1.COM\APPLIC~1\<DIR> WinRAR
[02/11/2009|03:31] C:\DOCUME~1\COMPAQ~1.COM\APPLIC~1\<DIR> X-Chat 2
[02/11/2009|04:19] C:\DOCUME~1\COMPAQ~1.COM\APPLIC~1\<DIR> Yahoo!

[12/06/2005|01:18] C:\DOCUME~1\DEFAUL~1\APPLIC~1\<DIR> Identities
[05/20/2006|02:47] C:\DOCUME~1\DEFAUL~1\APPLIC~1\<DIR> Intuit
[05/20/2006|03:15] C:\DOCUME~1\DEFAUL~1\APPLIC~1\<DIR> Microsoft
[05/20/2006|02:30] C:\DOCUME~1\DEFAUL~1\APPLIC~1\<DIR> Real
[05/20/2006|03:10] C:\DOCUME~1\DEFAUL~1\APPLIC~1\<DIR> Symantec

[02/26/2009|12:37] C:\DOCUME~1\LOCALS~1\APPLIC~1\<DIR> CyberLink
[02/26/2009|02:05] C:\DOCUME~1\LOCALS~1\APPLIC~1\<DIR> Microsoft

[04/03/2009|10:41] C:\DOCUME~1\NETWOR~1\APPLIC~1\<DIR> Adobe
[04/04/2009|04:24] C:\DOCUME~1\NETWOR~1\APPLIC~1\<DIR> cqafderf
[03/07/2009|06:01] C:\DOCUME~1\NETWOR~1\APPLIC~1\<DIR> Macromedia
[05/20/2006|01:59] C:\DOCUME~1\NETWOR~1\APPLIC~1\<DIR> Microsoft
[04/01/2009|06:40] C:\DOCUME~1\NETWOR~1\APPLIC~1\<DIR> Mozilla

--------------------\\ Scheduled Tasks located in C:\WINDOWS\Tasks

[04/05/2009 07:30 PM][--a------] C:\WINDOWS\tasks\At49.job
[04/04/2009 11:00 PM][--a------] C:\WINDOWS\tasks\At48.job
[04/04/2009 10:00 PM][--a------] C:\WINDOWS\tasks\At47.job
[04/04/2009 08:00 PM][--a------] C:\WINDOWS\tasks\At45.job
[04/04/2009 09:00 PM][--a------] C:\WINDOWS\tasks\At46.job
[04/05/2009 06:00 PM][--a------] C:\WINDOWS\tasks\At43.job
[04/05/2009 07:00 PM][--a------] C:\WINDOWS\tasks\At44.job
[04/05/2009 05:00 PM][--a------] C:\WINDOWS\tasks\At42.job
[04/05/2009 04:00 PM][--a------] C:\WINDOWS\tasks\At41.job
[04/05/2009 02:00 PM][--a------] C:\WINDOWS\tasks\At39.job
[04/05/2009 03:00 PM][--a------] C:\WINDOWS\tasks\At40.job
[04/05/2009 01:00 PM][--a------] C:\WINDOWS\tasks\At38.job
[04/05/2009 12:00 PM][--a------] C:\WINDOWS\tasks\At37.job
[04/05/2009 11:00 AM][--a------] C:\WINDOWS\tasks\At36.job
[04/05/2009 08:00 AM][--a------] C:\WINDOWS\tasks\At33.job
[04/05/2009 10:00 AM][--a------] C:\WINDOWS\tasks\At35.job
[04/05/2009 09:00 AM][--a------] C:\WINDOWS\tasks\At34.job
[04/05/2009 06:00 AM][--a------] C:\WINDOWS\tasks\At31.job
[04/05/2009 07:00 AM][--a------] C:\WINDOWS\tasks\At32.job
[04/05/2009 05:00 AM][--a------] C:\WINDOWS\tasks\At30.job
[04/05/2009 04:00 AM][--a------] C:\WINDOWS\tasks\At29.job
[04/05/2009 03:00 AM][--a------] C:\WINDOWS\tasks\At28.job
[04/05/2009 02:00 AM][--a------] C:\WINDOWS\tasks\At27.job
[04/05/2009 01:00 AM][--a------] C:\WINDOWS\tasks\At26.job
[04/05/2009 12:25 AM][--a------] C:\WINDOWS\tasks\At25.job
[04/04/2009 11:00 PM][--a------] C:\WINDOWS\tasks\At24.job
[04/04/2009 10:00 PM][--a------] C:\WINDOWS\tasks\At23.job
[04/04/2009 09:00 PM][--a------] C:\WINDOWS\tasks\At22.job
[04/05/2009 07:00 PM][--a------] C:\WINDOWS\tasks\At20.job
[04/04/2009 08:00 PM][--a------] C:\WINDOWS\tasks\At21.job
[04/05/2009 05:00 PM][--a------] C:\WINDOWS\tasks\At18.job
[04/05/2009 04:00 PM][--a------] C:\WINDOWS\tasks\At17.job
[04/05/2009 06:00 PM][--a------] C:\WINDOWS\tasks\At19.job
[04/05/2009 03:00 PM][--a------] C:\WINDOWS\tasks\At16.job
[04/05/2009 01:00 PM][--a------] C:\WINDOWS\tasks\At14.job
[04/05/2009 02:00 PM][--a------] C:\WINDOWS\tasks\At15.job
[04/05/2009 11:00 AM][--a------] C:\WINDOWS\tasks\At12.job
[04/05/2009 12:00 PM][--a------] C:\WINDOWS\tasks\At13.job
[04/05/2009 10:00 AM][--a------] C:\WINDOWS\tasks\At11.job
[04/05/2009 08:00 AM][--a------] C:\WINDOWS\tasks\At9.job
[04/05/2009 09:00 AM][--a------] C:\WINDOWS\tasks\At10.job
[04/05/2009 06:00 AM][--a------] C:\WINDOWS\tasks\At7.job
[04/05/2009 07:00 AM][--a------] C:\WINDOWS\tasks\At8.job
[04/05/2009 05:00 AM][--a------] C:\WINDOWS\tasks\At6.job
[04/05/2009 03:00 AM][--a------] C:\WINDOWS\tasks\At4.job
[04/05/2009 02:00 AM][--a------] C:\WINDOWS\tasks\At3.job
[04/05/2009 04:00 AM][--a------] C:\WINDOWS\tasks\At5.job
[04/05/2009 01:00 AM][--a------] C:\WINDOWS\tasks\At2.job
[04/05/2009 12:12 AM][--a------] C:\WINDOWS\tasks\At1.job
[04/05/2009 07:44 PM][--ah-----] C:\WINDOWS\tasks\SA.DAT
[08/04/2004 07:00 AM][-rah-----] C:\WINDOWS\tasks\desktop.ini

--------------------\\ Listing Folders in C:\Program Files

[03/11/2009|04:36] C:\Program Files\<DIR> abgx360
[05/20/2006|02:40] C:\Program Files\<DIR> Adobe
[02/15/2009|12:04] C:\Program Files\<DIR> AIM
[02/14/2009|06:43] C:\Program Files\<DIR> AIM+
[02/06/2008|04:26] C:\Program Files\<DIR> AIM6
[09/16/2007|11:41] C:\Program Files\<DIR> AltBinz
[09/26/2008|02:42] C:\Program Files\<DIR> Apple Software Update
[03/25/2009|04:48] C:\Program Files\<DIR> AskBarDis
[05/20/2006|02:22] C:\Program Files\<DIR> ATI Technologies
[12/25/2007|11:50] C:\Program Files\<DIR> AviSynth 2.5
[01/11/2009|05:04] C:\Program Files\<DIR> Bonjour
[04/05/2009|07:41] C:\Program Files\<DIR> Common Files
[05/20/2006|02:23] C:\Program Files\<DIR> CONEXANT
[02/26/2009|12:03] C:\Program Files\<DIR> CyberLink
[09/08/2007|02:37] C:\Program Files\<DIR> DIFX
[02/11/2009|04:16] C:\Program Files\<DIR> DivX
[08/31/2007|02:15] C:\Program Files\<DIR> DVD Decrypter
[03/14/2009|05:24] C:\Program Files\<DIR> FrostWire
[05/20/2006|03:00] C:\Program Files\<DIR> Google
[02/11/2009|04:34] C:\Program Files\<DIR> Hewlett-Packard
[02/11/2009|04:34] C:\Program Files\<DIR> HP
[03/11/2009|02:12] C:\Program Files\<DIR> HydraIRC
[02/11/2009|04:45] C:\Program Files\<DIR> ICQ6.5
[06/27/2008|08:28] C:\Program Files\<DIR> ImgBurn
[02/26/2009|12:03] C:\Program Files\<DIR> InstallShield Installation Information
[02/26/2009|04:29] C:\Program Files\<DIR> Internet Explorer
[10/06/2008|02:39] C:\Program Files\<DIR> iPod
[02/14/2009|08:16] C:\Program Files\<DIR> iTunes
[05/20/2006|02:10] C:\Program Files\<DIR> Java
[02/11/2009|04:12] C:\Program Files\<DIR> MagicISO
[02/11/2009|06:00] C:\Program Files\<DIR> Messenger
[12/06/2005|01:19] C:\Program Files\<DIR> microsoft frontpage
[02/26/2009|02:17] C:\Program Files\<DIR> Microsoft SQL Server
[05/20/2006|02:44] C:\Program Files\<DIR> Microsoft Visual Studio
[02/11/2009|04:28] C:\Program Files\<DIR> Microsoft Works
[02/26/2009|02:17] C:\Program Files\<DIR> Microsoft.NET
[02/11/2009|05:48] C:\Program Files\<DIR> Movie Maker
[04/05/2009|07:49] C:\Program Files\<DIR> Mozilla Firefox
[08/17/2007|11:15] C:\Program Files\<DIR> MSBuild
[12/06/2005|01:19] C:\Program Files\<DIR> MSN Gaming Zone
[02/26/2009|02:16] C:\Program Files\<DIR> MSXML 6.0
[09/23/2007|05:48] C:\Program Files\<DIR> MTV Networks
[02/11/2009|07:21] C:\Program Files\<DIR> Nero
[02/11/2009|05:48] C:\Program Files\<DIR> NetMeeting
[02/19/2009|04:26] C:\Program Files\<DIR> Opera
[02/11/2009|05:48] C:\Program Files\<DIR> Outlook Express
[02/11/2009|04:40] C:\Program Files\<DIR> PowerISO
[02/11/2009|04:14] C:\Program Files\<DIR> QuickTime
[05/20/2006|02:30] C:\Program Files\<DIR> Real
[08/17/2007|11:10] C:\Program Files\<DIR> Reference Assemblies
[12/11/2007|10:33] C:\Program Files\<DIR> Skype
[08/31/2007|12:38] C:\Program Files\<DIR> SlySoft
[02/26/2009|12:00] C:\Program Files\<DIR> SmartSound Software
[02/26/2009|02:18] C:\Program Files\<DIR> Sony
[02/26/2009|02:12] C:\Program Files\<DIR> Sony Setup
[10/31/2008|11:35] C:\Program Files\<DIR> Sun
[02/14/2009|03:42] C:\Program Files\<DIR> Trend Micro
[03/10/2009|06:18] C:\Program Files\<DIR> TurboFTP
[12/05/2005|03:33] C:\Program Files\<DIR> Uninstall Information
[08/14/2007|04:37] C:\Program Files\<DIR> uTorrent
[08/14/2007|06:06] C:\Program Files\<DIR> VideoLAN
[04/23/2008|08:07] C:\Program Files\<DIR> vso
[02/26/2009|02:09] C:\Program Files\<DIR> Vstplugins
[05/14/2008|07:06] C:\Program Files\<DIR> Wal-Mart Music Downloads Store
[02/11/2009|04:11] C:\Program Files\<DIR> Winamp
[02/11/2009|04:10] C:\Program Files\<DIR> Winamp Remote
[02/26/2009|04:33] C:\Program Files\<DIR> Windows Desktop Search
[08/24/2007|11:46] C:\Program Files\<DIR> Windows Media Components
[03/29/2009|06:24] C:\Program Files\<DIR> Windows Media Connect 2
[02/26/2009|01:47] C:\Program Files\<DIR> Windows Media Player
[02/11/2009|05:48] C:\Program Files\<DIR> Windows NT
[02/11/2009|07:19] C:\Program Files\<DIR> Windows Sidebar
[12/05/2005|03:33] C:\Program Files\<DIR> WindowsUpdate
[02/11/2009|04:09] C:\Program Files\<DIR> WinRAR
[10/31/2008|12:34] C:\Program Files\<DIR> xchat
[02/13/2009|02:19] C:\Program Files\<DIR> xerox
[02/13/2009|02:12] C:\Program Files\<DIR> Yahoo!

--------------------\\ Listing Folders in C:\Program Files\Common Files

[05/20/2006|02:40] C:\Program Files\Common Files\<DIR> Adobe
[09/04/2007|02:11] C:\Program Files\Common Files\<DIR> Adobe Systems Shared
[08/14/2007|06:12] C:\Program Files\Common Files\<DIR> Ahead
[12/09/2007|05:22] C:\Program Files\Common Files\<DIR> AOL
[09/21/2008|11:39] C:\Program Files\Common Files\<DIR> Apple
[09/08/2007|02:37] C:\Program Files\Common Files\<DIR> ComponentOne
[10/14/2008|02:20] C:\Program Files\Common Files\<DIR> GTK
[05/20/2006|02:56] C:\Program Files\Common Files\<DIR> InstallShield
[05/20/2006|02:10] C:\Program Files\Common Files\<DIR> Java
[05/20/2006|02:39] C:\Program Files\Common Files\<DIR> LightScribe
[08/16/2007|03:34] C:\Program Files\Common Files\<DIR> Macrovision Shared
[02/11/2009|04:29] C:\Program Files\Common Files\<DIR> Microsoft Shared
[08/04/2004|07:00] C:\Program Files\Common Files\<DIR> Mozilla Shared
[12/06/2005|01:19] C:\Program Files\Common Files\<DIR> MSSoap
[02/11/2009|07:34] C:\Program Files\Common Files\<DIR> Nero
[12/06/2005|01:19] C:\Program Files\Common Files\<DIR> ODBC
[05/20/2006|02:30] C:\Program Files\Common Files\<DIR> Real
[12/06/2005|01:19] C:\Program Files\Common Files\<DIR> Services
[12/11/2007|09:25] C:\Program Files\Common Files\<DIR> Skype
[12/06/2005|01:19] C:\Program Files\Common Files\<DIR> SpeechEngines
[02/11/2009|05:47] C:\Program Files\Common Files\<DIR> System
[05/20/2006|02:30] C:\Program Files\Common Files\<DIR> xing shared

--------------------\\ Process

( 36 Processes )

... OK !

--------------------\\ Searching with S_Lop

No Lop folder found !

--------------------\\ Searching for Lop Files - Folders

C:\DOCUME~1\COMPAQ~1.COM\Cookies\compaq_owner@advertising[1].txt

--------------------\\ Searching within the Registry

..... OK !

--------------------\\ Checking the Hosts file

Hosts file CLEAN


--------------------\\ Searching for hidden files with Catchme

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-05 19:51:05
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden files ...
scan completed successfully
hidden processes: 0
hidden files: 0

--------------------\\ Searching for other infections

C:\WINDOWS\Tasks\At1.job
C:\WINDOWS\Tasks\At10.job
C:\WINDOWS\Tasks\At11.job
C:\WINDOWS\Tasks\At12.job
C:\WINDOWS\Tasks\At13.job
C:\WINDOWS\Tasks\At14.job
C:\WINDOWS\Tasks\At15.job
C:\WINDOWS\Tasks\At16.job
C:\WINDOWS\Tasks\At17.job
C:\WINDOWS\Tasks\At18.job
C:\WINDOWS\Tasks\At19.job
C:\WINDOWS\Tasks\At2.job
C:\WINDOWS\Tasks\At20.job
C:\WINDOWS\Tasks\At21.job
C:\WINDOWS\Tasks\At22.job
C:\WINDOWS\Tasks\At23.job
C:\WINDOWS\Tasks\At24.job
C:\WINDOWS\Tasks\At25.job
C:\WINDOWS\Tasks\At26.job
C:\WINDOWS\Tasks\At27.job
C:\WINDOWS\Tasks\At28.job
C:\WINDOWS\Tasks\At29.job
C:\WINDOWS\Tasks\At3.job
C:\WINDOWS\Tasks\At30.job
C:\WINDOWS\Tasks\At31.job
C:\WINDOWS\Tasks\At32.job
C:\WINDOWS\Tasks\At33.job
C:\WINDOWS\Tasks\At34.job
C:\WINDOWS\Tasks\At35.job
C:\WINDOWS\Tasks\At36.job
C:\WINDOWS\Tasks\At37.job
C:\WINDOWS\Tasks\At38.job
C:\WINDOWS\Tasks\At39.job
C:\WINDOWS\Tasks\At4.job
C:\WINDOWS\Tasks\At40.job
C:\WINDOWS\Tasks\At41.job
C:\WINDOWS\Tasks\At42.job
C:\WINDOWS\Tasks\At43.job
C:\WINDOWS\Tasks\At44.job
C:\WINDOWS\Tasks\At45.job
C:\WINDOWS\Tasks\At46.job
C:\WINDOWS\Tasks\At47.job
C:\WINDOWS\Tasks\At48.job
C:\WINDOWS\Tasks\At49.job
C:\WINDOWS\Tasks\At5.job
C:\WINDOWS\Tasks\At6.job
C:\WINDOWS\Tasks\At7.job
C:\WINDOWS\Tasks\At8.job
C:\WINDOWS\Tasks\At9.job

--------------------\\ Cracks & Keygens ..

C:\DOCUME~1\COMPAQ~1.COM\Application Data\uTorrent\PowerISO_v4.3_Incl_Keygen-DIGERATI.1.torrent
C:\DOCUME~1\COMPAQ~1.COM\Application Data\uTorrent\PowerISO_v4.3_Incl_Keygen-DIGERATI.torrent
C:\DOCUME~1\COMPAQ~1.COM\My Documents\AIM FILES\DeadAIMCrack.zip
C:\DOCUME~1\COMPAQ~1.COM\My Documents\Downloads\PowerISO_v4.3_Incl_Keygen-DIGERATI
C:\DOCUME~1\COMPAQ~1.COM\My Documents\Downloads\PowerISO_v4.3_Incl_Keygen-DIGERATI\digerati.nfo
C:\DOCUME~1\COMPAQ~1.COM\My Documents\Downloads\PowerISO_v4.3_Incl_Keygen-DIGERATI\dppi4301.zip
C:\DOCUME~1\COMPAQ~1.COM\My Documents\Downloads\PowerISO_v4.3_Incl_Keygen-DIGERATI\file_id.diz
C:\DOCUME~1\COMPAQ~1.COM\My Documents\SETUPfiles\Photoshop CS2 KeyGen
C:\DOCUME~1\COMPAQ~1.COM\My Documents\SETUPfiles\Sony.Vegas.v7.0d.Incl.Keygen-SSG
C:\DOCUME~1\COMPAQ~1.COM\My Documents\SETUPfiles\Photoshop CS2 KeyGen\Photoshop.CS2.KeyGen.exe
C:\DOCUME~1\COMPAQ~1.COM\My Documents\SETUPfiles\Photoshop CS2 KeyGen\Photoshop.CS2.KeyGen.nfo
C:\DOCUME~1\COMPAQ~1.COM\My Documents\SETUPfiles\Sony.Vegas.v7.0d.Incl.Keygen-SSG\.DS_Store
C:\DOCUME~1\COMPAQ~1.COM\My Documents\SETUPfiles\Sony.Vegas.v7.0d.Incl.Keygen-SSG\dvdarchitect40a.exe
C:\DOCUME~1\COMPAQ~1.COM\My Documents\SETUPfiles\Sony.Vegas.v7.0d.Incl.Keygen-SSG\Torrent downloaded from Demonoid.com.txt
C:\DOCUME~1\COMPAQ~1.COM\My Documents\SETUPfiles\Sony.Vegas.v7.0d.Incl.Keygen-SSG\vegas70d.txt
C:\DOCUME~1\COMPAQ~1.COM\My Documents\SETUPfiles\Sony.Vegas.v7.0d.Incl.Keygen-SSG\vegas70d_enu.exe
C:\DOCUME~1\COMPAQ~1.COM\My Documents\TORRENTS\PowerISO_v4.3_Incl_Keygen-DIGERATI.torrent
C:\DOCUME~1\COMPAQ~1.COM\Recent\CracKaLakiN v3 (2).lnk
C:\DOCUME~1\COMPAQ~1.COM\Recent\CracKaLakiN v3.lnk
C:\DOCUME~1\COMPAQ~1.COM\Recent\CracKaLakiN_v3.lnk
C:\DOCUME~1\COMPAQ~1.COM\Recent\crazycracka.lnk
C:\DOCUME~1\COMPAQ~1.COM\Recent\DeadAIMCrack.lnk
C:\DOCUME~1\COMPAQ~1.COM\Recent\PowerISO_v4.3_Incl_Keygen-DIGERATI.lnk


[F:1][D:1]-> C:\DOCUME~1\COMPAQ~1.COM\LOCALS~1\Temp
[F:86][D:0]-> C:\DOCUME~1\COMPAQ~1.COM\Cookies
[F:1][D:0]-> C:\DOCUME~1\COMPAQ~1.COM\LOCALS~1\TEMPOR~1\content.IE5

1 - "C:\Lop SD\LopR_1.txt" - Sun 04/05/2009|19:51 - Option : [1]

--------------------\\ Scan completed at 19:51:50

#6
billpete

    Member

  • Topic Starter
  • Member
  • 10 posts
and here is the content of C:\Qoobox\Add-Remove Programs.txt

"Nero SoundTrax Help
µTorrent
AAC Decoder
abgx360 v1.0.0
Activation (Blu-ray Video Plug-in)
Activation (Nero 9 HD)
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 7.0.5
Advertising Center
AIM Ad Hack
AOL Instant Messenger
Apple Mobile Device Support
Apple Software Update
Ask Toolbar
ATI Control Panel
ATI Display Driver
AutoUpdate
Blu-ray Disc Authoring Plug-in
Bonjour
CloneCD
Critical Update for Windows Media Player 11 (KB959772)
CyberLink PhotoNow
CyberLink PowerDirector
Data Fax SoftModem with SmartCP
DivX Codec
DivX Converter
DivX Player
DivX Plus DirectShow Filters
DivX Version Checker
DivX Web Player
DolbyFiles
DTS Plug-in
DVD Decrypter (Remove Only)
FrostWire 4.17.2
Gracenote Plug-in
GTK+ Runtime 2.14.6 rev a (remove only)
H.264 Decoder
High Definition Audio Driver Package - KB888111
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB915800-v4)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
HP Boot Optimizer
HpSdpAppCoreApp
HydraIRC
ICQ6.5
ImagXpress
iTunes
J2SE Runtime Environment 5.0 Update 5
Java™ 6 Update 12
LightScribe 1.4.84.1
Magic ISO Maker v5.5 (build 0261)
Menu Templates - Starter Kit
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft SQL Server 2005
Microsoft SQL Server 2005 Express Edition (SONY_MEDIAMGR2)
Microsoft SQL Server Native Client
Microsoft SQL Server Setup Support Files (English)
Microsoft SQL Server VSS Writer
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
MKV Splitter
Movie Templates - Starter Kit
Mozilla Firefox (3.0.8)
MSXML 4.0 SP2 (KB954430)
MSXML 6.0 Parser
Nero 9
Nero BackItUp 4
Nero BurningROM
Nero BurnRights
Nero ControlCenter
Nero CoverDesigner
Nero CoverDesigner Help
Nero Disc Copy Gadget
Nero Disc Copy Gadget Help
Nero DiscSpeed
Nero DriveSpeed
Nero Express
Nero InfoTool
Nero Installer
Nero Live
Nero Live Help
Nero Move it
Nero PhotoSnap
Nero PhotoSnap Help
Nero Recode
Nero Recode Help
Nero Rescue Agent
Nero RescueAgent Help
Nero ShowTime
Nero StartSmart
Nero StartSmart Help
Nero Vision
Nero WaveEditor
Nero WaveEditor Help
NeroBurningROM
NeroExpress
neroxml
PowerISO
Python 2.2 pywin32 extensions (build 203)
Python 2.2.3
QuickTime
RealPlayer
Realtek High Definition Audio Driver
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB938127-v2)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958215)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960714)
Security Update for Windows XP (KB960715)
SmartSound Quicktracks Plugin
Sonic Update Manager
Sony Media Manager 2.3
Sony Vegas Pro 8.0
SoundTrax
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
VC80CRTRedist - 8.0.50727.762
VLC media player 0.9.8a
WebFldrs XP
Winamp
Winamp Remote
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 7
Windows Media Connect
Windows Media Format 11 runtime
Windows Media Player 11
Windows XP Service Pack 3
WinRAR archiver
wIRC v9.0
XChat 2 (remove only)
Yahoo! Messenger

#7
heir

    Trusted Helper

  • Malware Removal
  • 5,427 posts
Oh, no wonder that you got infected! You're unprotected.

The source of your infections is likely related to all the cracks and keygens that I found on your computer. If you are truly interested in staying clean in the future, I strongly recommend that you stay away from Cracks and Keygens. Failure to heed my warning may result in the reinfection of your computer. If you choose to continue down this path, we may not be able to help you here in the future.


Step 1.
Uninstall unwanted software:

Please go to Start > Control Panel > Add/Remove Programs and remove the following (if present):

Ask Toolbar
µTorrent
Azureus
FrostWire 4.17.2
Vuze



Optional removals
µTorrent, Azureus, FrostWire, Vuze and P2P programs in general are legal themselves, but much of the content downloaded with them is downloaded illegally. They are also a great way to infect yourself with malware.
It's up to you if you want to remove the above programs, however I recommend you do.


Ask Toolbar - Read this and make up your own mind.


Step 2.
Antivirus software:

One AV is a must-have! But never more than one, as this can and will cause conflicts and false readings. I have listed three free AVs below which are as good as any paid subscription AV, as long as you allow them to update themselves.

Anti Virus Programs

Install one of them, update the virus definitions and scan your computer.


Step 3.
CFScript:

1. Close any open browsers.

2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the codebox below into it:

Atjob::
File::
c:\windows\system32\q37SRk5a.exe
c:\windows\system32\6l0Wf2rh.exe
c:\windows\system32\qbrlfys.dll
C:\DOCUME~1\COMPAQ~1.COM\Application Data\uTorrent\PowerISO_v4.3_Incl_Keygen-DIGERATI.1.torrent
C:\DOCUME~1\COMPAQ~1.COM\Application Data\uTorrent\PowerISO_v4.3_Incl_Keygen-DIGERATI.torrent
C:\DOCUME~1\COMPAQ~1.COM\My Documents\SETUPfiles\Photoshop CS2 KeyGen
C:\DOCUME~1\COMPAQ~1.COM\My Documents\SETUPfiles\Sony.Vegas.v7.0d.Incl.Keygen-SSG
C:\DOCUME~1\COMPAQ~1.COM\My Documents\TORRENTS\PowerISO_v4.3_Incl_Keygen-DIGERATI.torrent
C:\DOCUME~1\COMPAQ~1.COM\Recent\CracKaLakiN v3 (2).lnk
C:\DOCUME~1\COMPAQ~1.COM\Recent\CracKaLakiN v3.lnk
C:\DOCUME~1\COMPAQ~1.COM\Recent\CracKaLakiN_v3.lnk
C:\DOCUME~1\COMPAQ~1.COM\Recent\crazycracka.lnk
C:\DOCUME~1\COMPAQ~1.COM\Recent\DeadAIMCrack.lnk
C:\DOCUME~1\COMPAQ~1.COM\Recent\PowerISO_v4.3_Incl_Keygen-DIGERATI.lnk
Folder::
C:\DOCUME~1\COMPAQ~1.COM\My Documents\Downloads\PowerISO_v4.3_Incl_Keygen-DIGERATI
C:\DOCUME~1\COMPAQ~1.COM\My Documents\AIM FILES
C:\DOCUME~1\COMPAQ~1.COM\My Documents\SETUPfiles\Photoshop CS2 KeyGen
C:\DOCUME~1\COMPAQ~1.COM\My Documents\SETUPfiles\Sony.Vegas.v7.0d.Incl.Keygen-SSG
Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000000
"FirewallOverride"=dword:00000000
[HKLM\SYSTEM\CurrentControlSet\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
c:\Program Files\uTorrent\uTorrent.exe=-
c:\Program Files\FrostWire\FrostWire.exe=-
Dirlook::
C:\DOCUME~1\COMPAQ~1.COM\APPLIC~1\cqafderf
C:\DOCUME~1\NETWOR~1\APPLIC~1\cqafderf

Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.


Step 4.
Things I would like to see in your reply:

  • Which P2P software were uninstalled in step 1.
  • Which antivirus software was installed in step 2.
  • The content of C:\ComboFix.txt from step 3.

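The run of At1.job through At49.job in the Lop S&D "Scheduled Tasks" listing above is the pattern the Atjob:: directive in the CFScript is aimed at: at.exe-created jobs, numbered in sequence, last written on the hour. As an added example (not the helper's, Lop S&D's or ComboFix's code), here is a small Python parser for that listing format that pulls out such a run; the sample lines are constructed in the same format, and the threshold of five numbered At jobs is an assumed heuristic, not a value from the thread.

```python
"""Flag at.exe-style scheduled tasks in a Lop S&D 'Scheduled Tasks' listing (added example)."""
import re
from datetime import datetime

# Constructed sample in the Lop S&D format shown in the log above (not copied from it):
# a run of numbered At<N>.job files plus the two files every XP box has in C:\WINDOWS\Tasks
# (SA.DAT and desktop.ini), bracketed by two section banners the parser must skip.
SAMPLE_LOG = r"""
--------------------\\ Scheduled Tasks located in C:\WINDOWS\Tasks

[04/05/2009 07:30 PM][--a------] C:\WINDOWS\tasks\At49.job
[04/04/2009 11:00 PM][--a------] C:\WINDOWS\tasks\At48.job
[04/05/2009 06:00 PM][--a------] C:\WINDOWS\tasks\At43.job
[04/05/2009 05:00 PM][--a------] C:\WINDOWS\tasks\At42.job
[04/05/2009 04:00 PM][--a------] C:\WINDOWS\tasks\At41.job
[04/05/2009 12:12 AM][--a------] C:\WINDOWS\tasks\At1.job
[04/05/2009 07:44 PM][--ah-----] C:\WINDOWS\tasks\SA.DAT
[08/04/2004 07:00 AM][-rah-----] C:\WINDOWS\tasks\desktop.ini

--------------------\\ Listing Folders in C:\Program Files
"""

# One Lop S&D task line: [MM/DD/YYYY HH:MM AM|PM][attribute flags] full path
LINE_RE = re.compile(r"^\[(\d{2}/\d{2}/\d{4} \d{2}:\d{2} [AP]M)\]\[([-a-z]+)\] (.+)$")
# at.exe names the jobs it creates At<N>.job
AT_JOB_RE = re.compile(r"^At(\d+)\.job$", re.IGNORECASE)


def parse_tasks(text):
    """Return one dict per task line: last-written time, attribute flags, path and file name."""
    tasks = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # section banners and blank lines
        stamp, attrs, path = m.groups()
        tasks.append({
            "written": datetime.strptime(stamp, "%m/%d/%Y %I:%M %p"),
            "attrs": attrs,
            "path": path,
            "name": path.rsplit("\\", 1)[-1],
        })
    return tasks


def find_at_jobs(tasks):
    """Pick out the At<N>.job entries and return them ordered by N."""
    numbered = []
    for t in tasks:
        m = AT_JOB_RE.match(t["name"])
        if m:
            numbered.append((int(m.group(1)), t))
    return [t for _, t in sorted(numbered, key=lambda pair: pair[0])]


def assess(text, threshold=5):
    """Summarise a listing. Many numbered At jobs on a home PC, most last written exactly on
    the hour, is the chain a helper would hand to ComboFix's Atjob:: directive.
    The threshold is an assumed heuristic for this example."""
    tasks = parse_tasks(text)
    at_jobs = find_at_jobs(tasks)
    on_the_hour = sum(1 for t in at_jobs if t["written"].minute == 0)
    return {
        "total_tasks": len(tasks),
        "at_jobs": [t["name"] for t in at_jobs],
        "on_the_hour": on_the_hour,
        "suspicious": len(at_jobs) >= threshold,
    }


if __name__ == "__main__":
    report = assess(SAMPLE_LOG)
    print(f"{report['total_tasks']} task files, {len(report['at_jobs'])} At<N>.job entries, "
          f"{report['on_the_hour']} written on the hour -> suspicious: {report['suspicious']}")
    for name in report["at_jobs"]:
        print("  ", name)
```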

#8
billpete

    Member

  • Topic Starter
  • Member
  • 10 posts
I removed the Ask Toolbar, but Azureus and Vuze were no longer in the Add/Remove Programs list. I also installed the avast! antivirus program. Below is the ComboFix log you requested.

COMBOFIX LOG:

ComboFix 09-04-04.01 - Compaq_Owner 2009-04-07 4:31:17.15 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.958.605 [GMT -4:00]
Running from: c:\documents and settings\Compaq_Owner.COMPAQMEDIA\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\Compaq_Owner.COMPAQMEDIA\Desktop\CFScript.txt
* Created a new restore point

FILE ::
c:\docume~1\COMPAQ~1.COM\Application Data\uTorrent\PowerISO_v4.3_Incl_Keygen-DIGERATI.1.torrent
c:\docume~1\COMPAQ~1.COM\Application Data\uTorrent\PowerISO_v4.3_Incl_Keygen-DIGERATI.torrent
c:\docume~1\COMPAQ~1.COM\My Documents\SETUPfiles\Photoshop CS2 KeyGen
c:\docume~1\COMPAQ~1.COM\My Documents\SETUPfiles\Sony.Vegas.v7.0d.Incl.Keygen-SSG
c:\docume~1\COMPAQ~1.COM\My Documents\TORRENTS\PowerISO_v4.3_Incl_Keygen-DIGERATI.torrent
c:\docume~1\COMPAQ~1.COM\Recent\CracKaLakiN v3 (2).lnk
c:\docume~1\COMPAQ~1.COM\Recent\CracKaLakiN v3.lnk
c:\docume~1\COMPAQ~1.COM\Recent\CracKaLakiN_v3.lnk
c:\docume~1\COMPAQ~1.COM\Recent\crazycracka.lnk
c:\docume~1\COMPAQ~1.COM\Recent\DeadAIMCrack.lnk
c:\docume~1\COMPAQ~1.COM\Recent\PowerISO_v4.3_Incl_Keygen-DIGERATI.lnk
c:\windows\system32\6l0Wf2rh.exe
c:\windows\system32\q37SRk5a.exe
c:\windows\system32\qbrlfys.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\COMPAQ~1.COM\Application Data\uTorrent\PowerISO_v4.3_Incl_Keygen-DIGERATI.1.torrent
c:\docume~1\COMPAQ~1.COM\Application Data\uTorrent\PowerISO_v4.3_Incl_Keygen-DIGERATI.torrent
c:\docume~1\COMPAQ~1.COM\My Documents\AIM FILES
c:\docume~1\COMPAQ~1.COM\My Documents\AIM FILES\AIM Ad Hack 4.16.exe
c:\docume~1\COMPAQ~1.COM\My Documents\AIM FILES\aimadmin.zip
c:\docume~1\COMPAQ~1.COM\My Documents\AIM FILES\AIMCheck.zip
c:\docume~1\COMPAQ~1.COM\My Documents\AIM FILES\changeit.zip
c:\docume~1\COMPAQ~1.COM\My Documents\AIM FILES\cybercrimespwl.zip
c:\docume~1\COMPAQ~1.COM\My Documents\AIM FILES\deadaim.zip
c:\docume~1\COMPAQ~1.COM\My Documents\AIM FILES\DeadAIMCrack.zip
c:\docume~1\COMPAQ~1.COM\My Documents\AIM FILES\Jon8RFC_adremover_6089.exe
c:\docume~1\COMPAQ~1.COM\My Documents\AIM FILES\PWL!\Common PWL [big]\a.txt
c:\docume~1\COMPAQ~1.COM\My Documents\AIM FILES\PWL!\Common PWL [big]\b.txt
c:\docume~1\COMPAQ~1.COM\My Documents\AIM FILES\PWL!\Common PWL [big]\c.txt
c:\docume~1\COMPAQ~1.COM\My Documents\AIM FILES\PWL!\Common PWL [big]\d.txt
c:\docume~1\COMPAQ~1.COM\My Documents\AIM FILES\PWL!\Common PWL [big]\e.txt
c:\docume~1\COMPAQ~1.COM\My Documents\AIM FILES\PWL!\Common PWL [big]\f.txt
c:\docume~1\COMPAQ~1.COM\My Documents\AIM FILES\PWL!\Common PWL [big]\g.txt
c:\docume~1\COMPAQ~1.COM\My Documents\AIM FILES\PWL!\Common PWL [big]\h.txt
c:\docume~1\COMPAQ~1.COM\My Documents\AIM FILES\PWL!\Common PWL [big]\i.txt
c:\docume~1\COMPAQ~1.COM\My Documents\AIM FILES\PWL!\Common PWL [big]\j.txt
c:\docume~1\COMPAQ~1.COM\My Documents\AIM FILES\PWL!\Common PWL [big]\k.txt
c:\docume~1\COMPAQ~1.COM\My Documents\AIM FILES\PWL!\Common PWL [big]\l.txt
c:\docume~1\COMPAQ~1.COM\My Documents\AIM FILES\PWL!\Common PWL [big]\m.txt
c:\docume~1\COMPAQ~1.COM\My Documents\AIM FILES\PWL!\Common PWL [big]\n.txt
c:\docume~1\COMPAQ~1.COM\My Documents\AIM FILES\PWL!\Common PWL [big]\o.txt
c:\docume~1\COMPAQ~1.COM\My Documents\AIM FILES\PWL!\Common PWL [big]\p.txt
c:\docume~1\COMPAQ~1.COM\My Documents\AIM FILES\PWL!\Common PWL [big]\q.txt
c:\docume~1\COMPAQ~1.COM\My Documents\AIM FILES\PWL!\Common PWL [big]\r.txt
c:\docume~1\COMPAQ~1.COM\My Documents\AIM FILES\PWL!\Common PWL [big]\s.txt
c:\docume~1\COMPAQ~1.COM\My Documents\AIM FILES\PWL!\Common PWL [big]\t.txt
c:\docume~1\COMPAQ~1.COM\My Documents\AIM FILES\PWL!\Common PWL [big]\u.txt
c:\docume~1\COMPAQ~1.COM\My Documents\AIM FILES\PWL!\Common PWL [big]\v.txt
c:\docume~1\COMPAQ~1.COM\My Documents\AIM FILES\PWL!\Common PWL [big]\w.txt
c:\docume~1\COMPAQ~1.COM\My Documents\AIM FILES\PWL!\Common PWL [big]\x.txt
c:\docume~1\COMPAQ~1.COM\My Documents\AIM FILES\PWL!\Common PWL [big]\y.txt
c:\docume~1\COMPAQ~1.COM\My Documents\AIM FILES\PWL!\Common PWL [big]\z.txt
c:\docume~1\COMPAQ~1.COM\My Documents\AIM FILES\PWL!\Common PWL [little]\pwl[1].txt
c:\docume~1\COMPAQ~1.COM\My Documents\AIM FILES\PWL!\Common PWL [little]\pwl[2].txt
c:\docume~1\COMPAQ~1.COM\My Documents\AIM FILES\PWL!\Common PWL [little]\pwl[3].txt
c:\docume~1\COMPAQ~1.COM\My Documents\AIM FILES\PWL!\HTML_VB\HTML [1].txt
c:\docume~1\COMPAQ~1.COM\My Documents\AIM FILES\PWL!\HTML_VB\VB [1].txt
c:\docume~1\COMPAQ~1.COM\My Documents\AIM FILES\PWL!\Numbers\#[1].txt
c:\docume~1\COMPAQ~1.COM\My Documents\AIM FILES\PWL!\Numbers\#[2].txt
c:\docume~1\COMPAQ~1.COM\My Documents\AIM FILES\PWL!\Numbers\#[3].txt
c:\docume~1\COMPAQ~1.COM\My Documents\AIM FILES\PWL!\Numbers\#[4].txt
c:\docume~1\COMPAQ~1.COM\My Documents\AIM FILES\PWL!\Numbers\#[5].txt
c:\docume~1\COMPAQ~1.COM\My Documents\AIM FILES\PWL!\Other List's\Other PWL [1].txt
c:\docume~1\COMPAQ~1.COM\My Documents\AIM FILES\PWL!\Other List's\Other PWL [2].txt
c:\docume~1\COMPAQ~1.COM\My Documents\AIM FILES\PWL!\Other List's\Other PWL [3].txt
c:\docume~1\COMPAQ~1.COM\My Documents\AIM FILES\PWL!\Other List's\Other PWL [4].txt
c:\docume~1\COMPAQ~1.COM\My Documents\AIM FILES\PWL!\Other List's\Other PWL [5].txt
c:\docume~1\COMPAQ~1.COM\My Documents\AIM FILES\PWL!\Random PWs\Random PW[10].txt
c:\docume~1\COMPAQ~1.COM\My Documents\AIM FILES\PWL!\Random PWs\Random PW[16].txt
c:\docume~1\COMPAQ~1.COM\My Documents\AIM FILES\PWL!\Random PWs\Random PW[4].txt
c:\docume~1\COMPAQ~1.COM\My Documents\AIM FILES\PWL!\Random PWs\Random PW[5].txt
c:\docume~1\COMPAQ~1.COM\My Documents\AIM FILES\PWL!\Random PWs\Random PW[6].txt
c:\docume~1\COMPAQ~1.COM\My Documents\AIM FILES\PWL!\Random PWs\Random PW[7].txt
c:\docume~1\COMPAQ~1.COM\My Documents\AIM FILES\PWL!\Random PWs\Random PW[8].txt
c:\docume~1\COMPAQ~1.COM\My Documents\AIM FILES\PWL!\Random PWs\Random PW[9].txt
c:\docume~1\COMPAQ~1.COM\My Documents\AIM FILES\PWL!\Screen Names\3Character [Leet].txt
c:\docume~1\COMPAQ~1.COM\My Documents\AIM FILES\PWL!\Screen Names\3Character [R_Letters].txt
c:\docume~1\COMPAQ~1.COM\My Documents\AIM FILES\PWL!\The Rest\Abbrev [AOL].txt
c:\docume~1\COMPAQ~1.COM\My Documents\AIM FILES\PWL!\The Rest\Colors [Lcase].txt
c:\docume~1\COMPAQ~1.COM\My Documents\AIM FILES\PWL!\The Rest\Colors [Ucase].txt
c:\docume~1\COMPAQ~1.COM\My Documents\AIM FILES\PWL!\The Rest\Country.txt
c:\docume~1\COMPAQ~1.COM\My Documents\AIM FILES\PWL!\The Rest\L33t.txt
c:\docume~1\COMPAQ~1.COM\My Documents\AIM FILES\PWL!\The Rest\US_States.txt
c:\docume~1\COMPAQ~1.COM\My Documents\AIM FILES\PWL1.txt
c:\docume~1\COMPAQ~1.COM\My Documents\AIM FILES\PWLS.zip
c:\docume~1\COMPAQ~1.COM\My Documents\Downloads\PowerISO_v4.3_Incl_Keygen-DIGERATI
c:\docume~1\COMPAQ~1.COM\My Documents\Downloads\PowerISO_v4.3_Incl_Keygen-DIGERATI\digerati.nfo
c:\docume~1\COMPAQ~1.COM\My Documents\Downloads\PowerISO_v4.3_Incl_Keygen-DIGERATI\dppi4301.zip
c:\docume~1\COMPAQ~1.COM\My Documents\Downloads\PowerISO_v4.3_Incl_Keygen-DIGERATI\file_id.diz
c:\docume~1\COMPAQ~1.COM\My Documents\SETUPfiles\Photoshop CS2 KeyGen
c:\docume~1\COMPAQ~1.COM\My Documents\SETUPfiles\Photoshop CS2 KeyGen\Photoshop.CS2.KeyGen.exe
c:\docume~1\COMPAQ~1.COM\My Documents\SETUPfiles\Photoshop CS2 KeyGen\Photoshop.CS2.KeyGen.nfo
c:\docume~1\COMPAQ~1.COM\My Documents\SETUPfiles\Sony.Vegas.v7.0d.Incl.Keygen-SSG
c:\docume~1\COMPAQ~1.COM\My Documents\SETUPfiles\Sony.Vegas.v7.0d.Incl.Keygen-SSG\.DS_Store
c:\docume~1\COMPAQ~1.COM\My Documents\SETUPfiles\Sony.Vegas.v7.0d.Incl.Keygen-SSG\dvdarchitect40a.exe
c:\docume~1\COMPAQ~1.COM\My Documents\SETUPfiles\Sony.Vegas.v7.0d.Incl.Keygen-SSG\Torrent downloaded from Demonoid.com.txt
c:\docume~1\COMPAQ~1.COM\My Documents\SETUPfiles\Sony.Vegas.v7.0d.Incl.Keygen-SSG\vegas70d.txt
c:\docume~1\COMPAQ~1.COM\My Documents\SETUPfiles\Sony.Vegas.v7.0d.Incl.Keygen-SSG\vegas70d_enu.exe
c:\docume~1\COMPAQ~1.COM\My Documents\TORRENTS\PowerISO_v4.3_Incl_Keygen-DIGERATI.torrent
c:\docume~1\COMPAQ~1.COM\Recent\CracKaLakiN v3 (2).lnk
c:\docume~1\COMPAQ~1.COM\Recent\CracKaLakiN v3.lnk
c:\docume~1\COMPAQ~1.COM\Recent\CracKaLakiN_v3.lnk
c:\docume~1\COMPAQ~1.COM\Recent\crazycracka.lnk
c:\docume~1\COMPAQ~1.COM\Recent\DeadAIMCrack.lnk
c:\docume~1\COMPAQ~1.COM\Recent\PowerISO_v4.3_Incl_Keygen-DIGERATI.lnk
c:\windows\Tasks\At1.job
c:\windows\Tasks\At10.job
c:\windows\Tasks\At11.job
c:\windows\Tasks\At12.job
c:\windows\Tasks\At13.job
c:\windows\Tasks\At14.job
c:\windows\Tasks\At15.job
c:\windows\Tasks\At16.job
c:\windows\Tasks\At17.job
c:\windows\Tasks\At18.job
c:\windows\Tasks\At19.job
c:\windows\Tasks\At2.job
c:\windows\Tasks\At20.job
c:\windows\Tasks\At21.job
c:\windows\Tasks\At22.job
c:\windows\Tasks\At23.job
c:\windows\Tasks\At24.job
c:\windows\Tasks\At25.job
c:\windows\Tasks\At26.job
c:\windows\Tasks\At27.job
c:\windows\Tasks\At28.job
c:\windows\Tasks\At29.job
c:\windows\Tasks\At3.job
c:\windows\Tasks\At30.job
c:\windows\Tasks\At31.job
c:\windows\Tasks\At32.job
c:\windows\Tasks\At33.job
c:\windows\Tasks\At34.job
c:\windows\Tasks\At35.job
c:\windows\Tasks\At36.job
c:\windows\Tasks\At37.job
c:\windows\Tasks\At38.job
c:\windows\Tasks\At39.job
c:\windows\Tasks\At4.job
c:\windows\Tasks\At40.job
c:\windows\Tasks\At41.job
c:\windows\Tasks\At42.job
c:\windows\Tasks\At43.job
c:\windows\Tasks\At44.job
c:\windows\Tasks\At45.job
c:\windows\Tasks\At46.job
c:\windows\Tasks\At47.job
c:\windows\Tasks\At48.job
c:\windows\Tasks\At49.job
c:\windows\Tasks\At5.job
c:\windows\Tasks\At6.job
c:\windows\Tasks\At7.job
c:\windows\Tasks\At8.job
c:\windows\Tasks\At9.job

.
((((((((((((((((((((((((( Files Created from 2009-03-07 to 2009-04-07 )))))))))))))))))))))))))))))))
.

2009-04-07 04:29 . 2009-04-07 04:29 <DIR> d-------- c:\program files\Alwil Software
2009-04-05 17:57 . 2009-04-05 17:57 <DIR> d-------- c:\documents and settings\Compaq_Owner.COMPAQMEDIA\Application Data\cqafderf
2009-04-05 16:46 . 2009-04-05 19:51 <DIR> d-------- C:\Lop SD
2009-04-04 16:24 . 2009-04-04 16:24 <DIR> d-------- c:\documents and settings\NetworkService\Application Data\cqafderf
2009-04-01 02:34 . 2006-05-20 02:46 <DIR> d-------- c:\documents and settings\Administrator.COMPAQMEDIA\WINDOWS
2009-04-01 02:34 . 2009-04-01 02:34 <DIR> d-------- c:\documents and settings\Administrator.COMPAQMEDIA
2009-03-11 14:12 . 2009-03-11 14:12 <DIR> d-------- c:\program files\HydraIRC
2009-03-11 14:08 . 2009-04-01 17:01 <DIR> d-------- C:\wIRC
2009-03-11 14:08 . 2009-03-11 16:36 <DIR> d-------- c:\program files\abgx360
2009-03-10 18:17 . 2009-03-10 18:18 <DIR> d-------- c:\program files\TurboFTP
2009-03-10 18:17 . 2009-03-10 18:18 <DIR> d-------- c:\documents and settings\Compaq_Owner.COMPAQMEDIA\Application Data\TurboFTP
2009-03-10 18:17 . 2009-03-10 18:17 <DIR> d-------- c:\documents and settings\All Users\Application Data\TurboFTP
2009-03-07 03:03 . 2009-03-07 03:03 742,770 --a------ c:\windows\system32\abgx360.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-07 08:31 --------- d-----w c:\documents and settings\Compaq_Owner.COMPAQMEDIA\Application Data\uTorrent
2009-04-06 07:42 --------- d-----w c:\documents and settings\Compaq_Owner.COMPAQMEDIA\Application Data\dvdcss
2009-04-05 03:22 --------- d-----w c:\documents and settings\Compaq_Owner.COMPAQMEDIA\Application Data\FrostWire
2009-03-29 22:24 --------- d-----w c:\program files\Windows Media Connect 2
2009-03-16 03:02 --------- d-----w c:\documents and settings\Compaq_Owner.COMPAQMEDIA\Application Data\DivX
2009-03-14 09:24 --------- d-----w c:\program files\FrostWire
2009-03-10 22:18 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-02-26 08:33 --------- d-----w c:\program files\Windows Desktop Search
2009-02-26 06:20 --------- d-----w c:\documents and settings\Compaq_Owner.COMPAQMEDIA\Application Data\Sony
2009-02-26 06:19 --------- d-----w c:\documents and settings\Compaq_Owner.COMPAQMEDIA\Application Data\Publish Providers
2009-02-26 06:18 --------- d-----w c:\program files\Sony
2009-02-26 06:17 --------- d-----w c:\program files\Microsoft.NET
2009-02-26 06:17 --------- d-----w c:\program files\Microsoft SQL Server
2009-02-26 06:16 --------- d-----w c:\program files\MSXML 6.0
2009-02-26 06:12 --------- d-----w c:\program files\Sony Setup
2009-02-26 06:09 --------- d-----w c:\program files\Vstplugins
2009-02-26 06:09 --------- d-----w c:\documents and settings\All Users\Application Data\Sony
2009-02-26 05:21 --------- d-----w c:\documents and settings\Compaq_Owner.COMPAQMEDIA\Application Data\Sony Setup
2009-02-26 04:37 --------- d-----w c:\documents and settings\LocalService\Application Data\CyberLink
2009-02-26 04:06 --------- d-----w c:\documents and settings\All Users\Application Data\CyberLink
2009-02-26 04:05 --------- d-----w c:\documents and settings\Compaq_Owner.COMPAQMEDIA\Application Data\CyberLink
2009-02-26 04:03 --------- d--h--w c:\program files\InstallShield Installation Information
2009-02-26 04:03 --------- d-----w c:\program files\CyberLink
2009-02-26 04:01 --------- d-----w c:\documents and settings\All Users\Application Data\SmartSound Software Inc
2009-02-26 04:00 --------- d-----w c:\program files\SmartSound Software
2009-02-19 08:26 --------- d-----w c:\program files\Opera
2009-02-19 05:35 937,472 ----a-w c:\windows\system32\rn.tmp
2009-02-15 04:13 --------- d-----w c:\documents and settings\Compaq_Owner.COMPAQMEDIA\Application Data\AdobeUM
2009-02-15 04:04 --------- d-----w c:\program files\AIM
2009-02-15 00:16 --------- d-----w c:\program files\iTunes
2009-02-14 22:58 --------- d-----w c:\documents and settings\Compaq_Owner.COMPAQMEDIA\Application Data\Aim
2009-02-14 22:43 --------- d-----w c:\program files\AIM+
2009-02-14 09:04 --------- d-----w c:\documents and settings\Compaq_Owner.COMPAQMEDIA\Application Data\Malwarebytes
2009-02-14 09:04 --------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-02-14 08:02 578,560 ----a-w c:\windows\system32\dllcache\user32.dll
2009-02-14 07:42 --------- d-----w c:\program files\Trend Micro
2009-02-14 01:27 --------- d-----w c:\documents and settings\Compaq_Owner.COMPAQMEDIA\Application Data\Apple Computer
2009-02-13 06:12 --------- d-----w c:\program files\Yahoo!
2009-02-13 03:29 --------- d-----w c:\documents and settings\Compaq_Owner.COMPAQMEDIA\Application Data\.purple
2009-02-12 21:21 410,984 ----a-w c:\windows\system32\deploytk.dll
2009-02-11 11:39 --------- d-----w c:\documents and settings\Compaq_Owner.COMPAQMEDIA\Application Data\Nero
2009-02-11 11:34 --------- d-----w c:\program files\Common Files\Nero
2009-02-11 11:21 --------- d-----w c:\program files\Nero
2009-02-11 11:19 --------- d-----w c:\program files\Windows Sidebar
2009-02-11 11:13 --------- d-----w c:\documents and settings\All Users\Application Data\Nero
2009-02-11 09:50 61,440 ----a-w c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\modemutil.dll
2009-02-11 09:50 45,056 ----a-w c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\uninstallUI\eHelpSetup.exe
2009-02-11 09:50 44,032 ----a-w c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\Scripts\devcon.exe
2009-02-11 09:50 40,960 ----a-w c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\ScDmi.dll
2009-02-11 09:50 341,048 ----a-w c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\HPBasicDetection3.dll
2009-02-11 09:50 32,768 ----a-w c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\uploadHSC.dll
2009-02-11 09:50 32,768 ----a-w c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\Scom.dll
2009-02-11 09:50 217,088 ----a-w c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\WebHelper.dll
2009-02-11 09:50 163,840 ----a-w c:\windows\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\modemcheck.dll
2009-02-11 08:45 --------- d-----w c:\program files\ICQ6.5
2009-02-11 08:45 --------- d-----w c:\documents and settings\All Users\Application Data\Symantec
2009-02-11 08:40 --------- d-----w c:\program files\PowerISO
2009-02-11 08:34 --------- d-----w c:\program files\HP
2009-02-11 08:34 --------- d-----w c:\program files\Hewlett-Packard
2009-02-11 08:28 --------- d-----w c:\program files\Microsoft Works
2009-02-11 08:19 --------- d-----w c:\documents and settings\Compaq_Owner.COMPAQMEDIA\Application Data\Yahoo!
2009-02-11 08:16 --------- d-----w c:\program files\DivX
2009-02-11 08:14 --------- d-----w c:\program files\QuickTime
2009-02-11 08:12 --------- d-----w c:\program files\MagicISO
2009-02-11 08:11 --------- d-----w c:\program files\Winamp
2009-02-11 08:10 --------- d-----w c:\program files\Winamp Remote
2009-02-11 08:00 --------- d-----w c:\documents and settings\Compaq_Owner.COMPAQMEDIA\Application Data\vlc
2009-02-11 07:59 --------- d-----w c:\documents and settings\Compaq_Owner.COMPAQMEDIA\Application Data\ICQ
2009-02-11 07:31 --------- d-----w c:\documents and settings\Compaq_Owner.COMPAQMEDIA\Application Data\X-Chat 2
2009-02-11 07:26 1,965 --sha-r c:\windows\system32\drivers\103C_HP_CPC_EX321AA-ABA SR1930NX NA630_YC_0Pres_QCNH621_E63NAheREA2_48_IAltair_SASUSTeK Computer INC._V1.00_B3.03_T060519_WXH2_L409_M959_J200_7Intel_8Pentium 4_93.07_#070814_N10EC8139_Z14F12F20_G10025A61.MRK
2009-02-11 06:40 --------- d-----w c:\documents and settings\All Users\Application Data\Simply Super Software
2009-02-09 11:13 1,846,784 ----a-w c:\windows\system32\win32k.sys
2009-02-09 11:13 1,846,784 ------w c:\windows\system32\dllcache\win32k.sys
2009-01-17 02:35 3,594,752 ------w c:\windows\system32\dllcache\mshtml.dll
2009-01-16 19:45 73,728 ----a-w c:\windows\system32\RtNicProp32.dll
2007-12-12 01:26 32 ----a-w c:\documents and settings\All Users\Application Data\ezsid.dat
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

---- Directory of c:\docume~1\COMPAQ~1.COM\APPLIC~1\cqafderf ----

2009-04-05 17:59 65536 --a------ c:\docume~1\COMPAQ~1.COM\APPLIC~1\cqafderf\Profiles\i2ub0fot.default\cert8.db
2009-04-05 17:59 2048 --a------ c:\docume~1\COMPAQ~1.COM\APPLIC~1\cqafderf\Profiles\i2ub0fot.default\cookies.sqlite
2009-04-05 17:58 569 --a------ c:\docume~1\COMPAQ~1.COM\APPLIC~1\cqafderf\Profiles\i2ub0fot.default\localstore.rdf
2009-04-05 17:58 131072 --a------ c:\docume~1\COMPAQ~1.COM\APPLIC~1\cqafderf\Profiles\i2ub0fot.default\places.sqlite
2009-04-05 17:58 10946 --a------ c:\docume~1\COMPAQ~1.COM\APPLIC~1\cqafderf\Profiles\i2ub0fot.default\pluginreg.dat
2009-04-05 17:58 0 --a------ c:\docume~1\COMPAQ~1.COM\APPLIC~1\cqafderf\Profiles\i2ub0fot.default\places.sqlite-journal
2009-04-05 17:57 96173 --a------ c:\docume~1\COMPAQ~1.COM\APPLIC~1\cqafderf\Profiles\i2ub0fot.default\xpti.dat
2009-04-05 17:57 4096 --a------ c:\docume~1\COMPAQ~1.COM\APPLIC~1\cqafderf\Profiles\i2ub0fot.default\formhistory.sqlite
2009-04-05 17:57 367 --a------ c:\docume~1\COMPAQ~1.COM\APPLIC~1\cqafderf\Profiles\i2ub0fot.default\prefs.js
2009-04-05 17:57 207 --a------ c:\docume~1\COMPAQ~1.COM\APPLIC~1\cqafderf\Profiles\i2ub0fot.default\compatibility.ini
2009-04-05 17:57 2048 --a------ c:\docume~1\COMPAQ~1.COM\APPLIC~1\cqafderf\Profiles\i2ub0fot.default\webappsstore.sqlite
2009-04-05 17:57 2048 --a------ c:\docume~1\COMPAQ~1.COM\APPLIC~1\cqafderf\Profiles\i2ub0fot.default\permissions.sqlite
2009-04-05 17:57 16384 --a------ c:\docume~1\COMPAQ~1.COM\APPLIC~1\cqafderf\Profiles\i2ub0fot.default\secmod.db
2009-04-05 17:57 16384 --a------ c:\docume~1\COMPAQ~1.COM\APPLIC~1\cqafderf\Profiles\i2ub0fot.default\key3.db
2009-04-05 17:57 127820 --a------ c:\docume~1\COMPAQ~1.COM\APPLIC~1\cqafderf\Profiles\i2ub0fot.default\compreg.dat
2009-04-05 17:57 111 --a------ c:\docume~1\COMPAQ~1.COM\APPLIC~1\cqafderf\profiles.ini

---- Directory of c:\docume~1\NETWOR~1\APPLIC~1\cqafderf ----

2009-04-05 00:38 2048 --a------ c:\docume~1\NETWOR~1\APPLIC~1\cqafderf\Profiles\e7ws74zh.default\cookies.sqlite
2009-04-05 00:36 2048 --a------ c:\docume~1\NETWOR~1\APPLIC~1\cqafderf\Profiles\e7ws74zh.default\webappsstore.sqlite
2009-04-05 00:36 0 --a------ c:\docume~1\NETWOR~1\APPLIC~1\cqafderf\Profiles\e7ws74zh.default\places.sqlite-journal
2009-04-05 00:33 96173 --a------ c:\docume~1\NETWOR~1\APPLIC~1\cqafderf\Profiles\e7ws74zh.default\xpti.dat
2009-04-05 00:33 367 --a------ c:\docume~1\NETWOR~1\APPLIC~1\cqafderf\Profiles\e7ws74zh.default\prefs.js
2009-04-05 00:33 207 --a------ c:\docume~1\NETWOR~1\APPLIC~1\cqafderf\Profiles\e7ws74zh.default\compatibility.ini
2009-04-05 00:33 131072 --a------ c:\docume~1\NETWOR~1\APPLIC~1\cqafderf\Profiles\e7ws74zh.default\places.sqlite
2009-04-05 00:33 127885 --a------ c:\docume~1\NETWOR~1\APPLIC~1\cqafderf\Profiles\e7ws74zh.default\compreg.dat
2009-04-04 16:25 65536 --a------ c:\docume~1\NETWOR~1\APPLIC~1\cqafderf\Profiles\e7ws74zh.default\cert8.db
2009-04-04 16:24 569 --a------ c:\docume~1\NETWOR~1\APPLIC~1\cqafderf\Profiles\e7ws74zh.default\localstore.rdf
2009-04-04 16:24 4096 --a------ c:\docume~1\NETWOR~1\APPLIC~1\cqafderf\Profiles\e7ws74zh.default\formhistory.sqlite
2009-04-04 16:24 2048 --a------ c:\docume~1\NETWOR~1\APPLIC~1\cqafderf\Profiles\e7ws74zh.default\permissions.sqlite
2009-04-04 16:24 16384 --a------ c:\docume~1\NETWOR~1\APPLIC~1\cqafderf\Profiles\e7ws74zh.default\secmod.db
2009-04-04 16:24 16384 --a------ c:\docume~1\NETWOR~1\APPLIC~1\cqafderf\Profiles\e7ws74zh.default\key3.db
2009-04-04 16:24 111 --a------ c:\docume~1\NETWOR~1\APPLIC~1\cqafderf\profiles.ini
2009-04-04 16:24 10946 --a------ c:\docume~1\NETWOR~1\APPLIC~1\cqafderf\Profiles\e7ws74zh.default\pluginreg.dat


((((((((((((((((((((((((((((( SnapShot@2009-04-05_19.48.05.67 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-02-05 20:11:35 1,256,296 ----a-w c:\windows\system32\aswBoot.exe
+ 2009-02-05 20:04:45 97,480 ----a-w c:\windows\system32\AvastSS.scr
+ 2009-02-05 20:05:11 26,944 ----a-w c:\windows\system32\drivers\aavmker4.sys
+ 2009-02-05 20:07:12 20,560 ----a-w c:\windows\system32\drivers\aswFsBlk.sys
+ 2009-02-05 20:08:19 93,296 ----a-w c:\windows\system32\drivers\aswmon.sys
+ 2009-02-05 20:08:10 94,032 ----a-w c:\windows\system32\drivers\aswmon2.sys
+ 2009-02-05 20:06:10 23,152 ----a-w c:\windows\system32\drivers\aswRdr.sys
+ 2009-02-05 20:07:23 114,768 ----a-w c:\windows\system32\drivers\aswSP.sys
+ 2009-02-05 20:06:20 51,376 ----a-w c:\windows\system32\drivers\aswTdi.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2005-07-23 237568]
"HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2006-02-16 249856]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-05-20 180269]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]
"RTHDCPL"="RTHDCPL.EXE" [2006-03-08 c:\windows\RTHDCPL.EXE]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
--a------ 2009-02-15 00:04 67112 c:\progra~1\AIM\aim.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CloneCDTray]
--a------ 2006-09-28 15:21 57344 c:\program files\SlySoft\CloneCD\CloneCDTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ICQ]
--a------ 2008-12-17 09:36 172792 c:\program files\ICQ6.5\ICQ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Messenger (Yahoo!)]
--a------ 2009-02-04 17:57 4363504 c:\program files\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2008-04-13 20:12 1695232 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Orb]
--a------ 2008-03-31 21:54 507904 c:\program files\Winamp Remote\bin\OrbTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
--a------ 2008-11-02 04:38 167936 c:\program files\PowerISO\PWRISOVM.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2009-02-12 17:21 148888 c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2006-05-20 02:30 180269 c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"LightScribeService"=2 (0x2)
"iPod Service"=3 (0x3)
"Nero BackItUp Scheduler 4.0"=2 (0x2)
"MDM"=2 (0x2)
"JavaQuickStarterService"=2 (0x2)
"IDriverT"=3 (0x3)
"Ati HotKey Poller"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\ICQ6.5\\ICQ.exe"=
"c:\\Program Files\\Winamp Remote\\bin\\Orb.exe"=
"c:\\Program Files\\Winamp Remote\\bin\\OrbTray.exe"=
"c:\\Program Files\\Winamp Remote\\bin\\OrbStreamerClient.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\xchat\\xchat.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\FrostWire\\FrostWire.exe"=

S3 MSSQL$SONY_MEDIAMGR2;SQL Server (SONY_MEDIAMGR2);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2007-02-10 29178224]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Compaq_Owner.COMPAQMEDIA\Application Data\Mozilla\Firefox\Profiles\8v7fle8h.default\
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-07 04:35:39
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-983352657-3560731182-2007119311-1009\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-983352657-3560731182-2007119311-1009\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{988DF640-7566-F1B8-8014-8008F1564F95}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"jahjoafjikmbknpfbmnl"=hex:6a,61,64,70,69,68,6a,6c,68,6c,63,65,61,70,6b,6a,63,
6a,6e,6f,00,f2
"iabjanjnllamdkllcj"=hex:6a,61,64,70,69,68,6a,6c,68,6c,63,65,61,70,6b,6a,63,6a,
6e,6f,00,f2
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(760)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2009-04-07 4:37:02
ComboFix-quarantined-files.txt 2009-04-07 08:37:00
ComboFix2.txt 2009-04-05 23:48:49

Pre-Run: 7,784,554,496 bytes free
Post-Run: 7,767,633,920 bytes free

402 --- E O F --- 2009-03-14 07:01:23
  • 0

#9
heir

    Trusted Helper

  • Malware Removal
  • 5,427 posts

I removed the ask tool bar but azureus and vuze were no longer in the add/remove programs list. I also installed the avast! antivirus program.

What about FrostWire and µTorrent then? Were they uninstalled or not?

Step 1.
Clean temp locations:

Please download ATF Cleaner by Atribune.
Caution: This program is for Windows 2000, XP and Vista only.
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browser:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

Step 2.
Scan with MBAM:

Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.


Step 3.
Scan with Kaspersky Online Scanner:

Please do an online scan with Kaspersky Online Scanner

Kaspersky Online Scanner uses Java technology to perform the scan. If you do not have the latest Java version, follow the instructions below under Upgrading Java to download and install the latest version.

  • Read through the requirements and privacy statement and click on Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure the following is checked:
    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
    • Mail databases
  • Click on My Computer under Scan.
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  • Please post this log in your next reply.

Upgrading Java:

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older versions of Java components and upgrade the application. Beware it is NOT supported for use in 9x or ME and probably will not install on those systems.

Upgrading Java:
  • Download the latest version of Java SE Runtime Environment (JRE), JRE 6 Update 13.
  • Click the "Download" button to the right.
  • Select your Platform and check the box that says: "I agree to the Java SE Runtime Environment 6 License Agreement.".
  • Click on Continue.
  • Click on the link to download Windows Offline Installation (jre-6u13-windows-i586-p.exe) and save it to your desktop. Do NOT use the Sun Download Manager.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on the download to install the newest version. (Vista users, right click on the jre-6u13-windows-i586-p.exe and select "Run as an Administrator.")

Step 4.
Things I would like to see in your reply:

  • Answer to my question at the beginning of this post.
  • The content of the report from MBAM from Step 2.
  • The content of the report from Kaspersky Online Scanner from Step 3.
  • Information on how your computer is running now.

Edited by heir, 08 April 2009 - 12:28 AM.

  • 0

#10
billpete

    Member

  • Topic Starter
  • Member
  • 10 posts
Sorry it took so long for a response; the scan took a pretty long time. Also, no, uTorrent and FrostWire were not uninstalled. The computer still runs a little slow and I still get redirected occasionally, although it's more rare now.

Below is the MBAM scan report you requested along with the Kaspersky Online Scan report.


MBAM scan report:

Malwarebytes' Anti-Malware 1.36
Database version: 1954
Windows 5.1.2600 Service Pack 3

4/10/2009 8:13:23 AM
mbam-log-2009-04-10 (08-13-23).txt

Scan type: Quick Scan
Objects scanned: 76181
Time elapsed: 4 minute(s), 2 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kkeverokowucafo (Trojan.Agent) -> Delete on reboot.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: kbukbap.dll -> Delete on reboot.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\kbukbap.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\obenumatoy.dll (Trojan.Agent) -> Delete on reboot.


Kaspersky Online Scan report:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0 REPORT
Tuesday, April 14, 2009
Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Sunday, April 12, 2009 05:23:56
Records in database: 2036368
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\
F:\
G:\
H:\
I:\
J:\
K:\

Scan statistics:
Files scanned: 146557
Threat name: 13
Infected objects: 43
Suspicious objects: 0
Duration of the scan: 42:45:09


File name / Threat name / Threats count
C:\Documents and Settings\Compaq_Owner.COMPAQMEDIA\Desktop\wIRC_9.0_.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.631 1
C:\Documents and Settings\Compaq_Owner.COMPAQMEDIA\Desktop\wIRC_9.0_.exe Infected: not-a-virus:NetTool.Win32.Scan.12 1
C:\Documents and Settings\Compaq_Owner.COMPAQMEDIA\Desktop\wIRC_9.0_.exe Infected: not-a-virus:Server-FTP.Win32.Tftpd.b 1
C:\Documents and Settings\Compaq_Owner.COMPAQMEDIA\My Documents\Incomplete\Preview-T-3545425-photo sleeperstar.mp3 Infected: Trojan-Downloader.WMA.GetCodec.c 1
C:\Documents and Settings\Compaq_Owner.COMPAQMEDIA\My Documents\Incomplete\Preview-T-4045425-photo sleeperstar (best quality).mp3 Infected: Trojan-Downloader.WMA.GetCodec.u 1
C:\Documents and Settings\Compaq_Owner.COMPAQMEDIA\My Documents\Incomplete\Preview-T-4170999-photo sleeperstar(Disk 1).mp3 Infected: Trojan-Downloader.WMA.GetCodec.v 1
C:\Documents and Settings\Compaq_Owner.COMPAQMEDIA\My Documents\Incomplete\Preview-T-4224012-photo sleeperstar HIT TOP50.mp3 Infected: Trojan-Downloader.WMA.GetCodec.v 1
C:\Documents and Settings\Compaq_Owner.COMPAQMEDIA\My Documents\Incomplete\Preview-T-4506748-photo sleeperstar-HQ.mp3 Infected: Trojan-Downloader.WMA.GetCodec.v 1
C:\Documents and Settings\Compaq_Owner.COMPAQMEDIA\My Documents\Incomplete\T-3545425-photo sleeperstar.mp3 Infected: Trojan-Downloader.WMA.GetCodec.c 1
C:\Documents and Settings\Compaq_Owner.COMPAQMEDIA\My Documents\Incomplete\T-4045425-photo sleeperstar (best quality).mp3 Infected: Trojan-Downloader.WMA.GetCodec.u 1
C:\Documents and Settings\Compaq_Owner.COMPAQMEDIA\My Documents\Incomplete\T-4170999-photo sleeperstar(Disk 1).mp3 Infected: Trojan-Downloader.WMA.GetCodec.v 1
C:\Documents and Settings\Compaq_Owner.COMPAQMEDIA\My Documents\Incomplete\T-4170999-tonight trendust(Disk 1).mp3 Infected: Trojan-Downloader.WMA.GetCodec.v 1
C:\Documents and Settings\Compaq_Owner.COMPAQMEDIA\My Documents\Incomplete\T-4188670-disconnected face to(Club RMX).mp3 Infected: Trojan-Downloader.WMA.GetCodec.v 1
C:\Documents and Settings\Compaq_Owner.COMPAQMEDIA\My Documents\Incomplete\T-4224012-photo sleeperstar HIT TOP50.mp3 Infected: Trojan-Downloader.WMA.GetCodec.v 1
C:\Documents and Settings\Compaq_Owner.COMPAQMEDIA\My Documents\Incomplete\T-4224012-tonight trendust HIT TOP50.mp3 Infected: Trojan-Downloader.WMA.GetCodec.v 1
C:\Documents and Settings\Compaq_Owner.COMPAQMEDIA\My Documents\Incomplete\T-4390841-photo sleeperstar [new album].au Infected: Trojan-Downloader.WMA.GetCodec.u 1
C:\Documents and Settings\Compaq_Owner.COMPAQMEDIA\My Documents\Incomplete\T-4506748-photo sleeperstar-HQ.mp3 Infected: Trojan-Downloader.WMA.GetCodec.v 1
C:\Documents and Settings\Compaq_Owner.COMPAQMEDIA\My Documents\SETUPfiles\vnc-4_1_2-x86_win32.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 4
C:\Documents and Settings\Compaq_Owner.COMPAQMEDIA\My Documents\SETUPfiles\vnc-E4_2_6-x86_win32.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\_sdra64_.exe.zip Infected: Trojan-Spy.Win32.Zbot.gen 1
C:\wIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.631 1
C:\wIRC\Tools\portscan.exe Infected: not-a-virus:NetTool.Win32.Scan.12 1
C:\wIRC\Tools\tftpd32.exe Infected: not-a-virus:Server-FTP.Win32.Tftpd.b 1
C:\_OTListIt\MovedFiles\02182009_121059\BACKUPS\SETUPfiles\Real VNC Enterprise 4.2.8 with Keygen.rar Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.427 1
C:\_OTListIt\MovedFiles\02182009_121059\BACKUPS\SETUPfiles\Real VNC Enterprise 4.2.8 with Keygen.rar Infected: Trojan-Downloader.Win32.Banload.myh 1
C:\_OTListIt\MovedFiles\02182009_121059\BACKUPS\SETUPfiles\WindowBlinds 4.6 Enhanced w-Keygen&Vista Theme.rar Infected: Backdoor.Win32.Rbot.pwi 1
C:\_OTListIt\MovedFiles\02182009_121059\BACKUPS\SETUPfiles\Windows_XP_Activation_Crack.zip Infected: Trojan.BAT.Small.ai 1
C:\_OTListIt\MovedFiles\02182009_121059\Documents and Settings\Compaq_Owner.COMPAQMEDIA\My Documents\SETUPfiles\Real VNC Enterprise 4.2.8 with Keygen.rar Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.427 1
C:\_OTListIt\MovedFiles\02182009_121059\Documents and Settings\Compaq_Owner.COMPAQMEDIA\My Documents\SETUPfiles\Real VNC Enterprise 4.2.8 with Keygen.rar Infected: Trojan-Downloader.Win32.Banload.myh 1
C:\_OTListIt\MovedFiles\02182009_121059\Documents and Settings\Compaq_Owner.COMPAQMEDIA\My Documents\SETUPfiles\WindowBlinds 4.6 Enhanced w-Keygen&Vista Theme.rar Infected: Backdoor.Win32.Rbot.pwi 1
C:\_OTListIt\MovedFiles\02182009_121059\Documents and Settings\Compaq_Owner.COMPAQMEDIA\My Documents\SETUPfiles\Windows_XP_Activation_Crack.zip Infected: Trojan.BAT.Small.ai 1
D:\BACKUPS\SETUPfiles\vnc-4_1_2-x86_win32.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 4
D:\BACKUPS\SETUPfiles\vnc-E4_2_6-x86_win32.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 1
F:\I386\APPS\APP20620\src\CompaqPresario_Spring06.exe Infected: not-a-virus:AdWare.Win32.WeatherBug.a 2
F:\I386\APPS\APP20620\src\HPPavillion_Spring06.exe Infected: not-a-virus:AdWare.Win32.WeatherBug.a 2

The selected area was scanned.
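The MBAM log above shows two persistence points worth understanding rather than just deleting: a value under HKLM\...\CurrentVersion\Run, and a DLL name appended to the LSA "Notification Packages" multi-string, which lsass.exe loads at boot as SYSTEM (the package is also called on every password change). The Python below is an added example, not part of this thread and not Malwarebytes' tooling: it parses MBAM detection lines in the format shown and audits a registry snapshot against a baseline. The snapshot is constructed for the example (on a live XP host you would read the two keys with reg.exe or winreg); the baseline set, the trusted-directory list and the sample Run command line are assumptions to adjust per host.

```python
import re
from typing import Dict, List, Optional, Tuple

# MBAM detection line, e.g.
#   C:\WINDOWS\kbukbap.dll (Trojan.Vundo.H) -> Delete on reboot.
#   HKLM\...\LSA\Notification Packages (Trojan.Vundo.H) -> Data: kbukbap.dll -> Delete on reboot.
MBAM_LINE = re.compile(
    r"^(?P<item>.+?) \((?P<threat>[^()]+)\)"
    r"(?: -> Data: (?P<data>.+?))? -> (?P<action>[^>]+)\.$"
)

# Default LSA notification packages on Windows XP (scecli) and hosts with RRAS (rassfm).
# ASSUMPTION: extend this with any password-filter DLL you installed on purpose.
KNOWN_NOTIFICATION_PACKAGES = {"scecli", "rassfm"}

# Where a legitimate autostart image is expected to live. Anything else
# (profile folders, %TEMP%, the bare C:\WINDOWS root) gets reviewed by hand.
TRUSTED_DIRS = ("c:\\windows\\system32\\", "c:\\program files\\")


def parse_mbam_log(text: str) -> List[Dict[str, Optional[str]]]:
    """Return one dict (item, threat, data, action) per detection line."""
    hits = []
    for line in text.splitlines():
        m = MBAM_LINE.match(line.strip())
        if m:
            hits.append(m.groupdict())
    return hits


def normalize_package(entry: str) -> str:
    """'kbukbap.dll', 'C:\\WINDOWS\\kbukbap.dll' and 'scecli' all become a bare name."""
    name = entry.strip().lower().rsplit("\\", 1)[-1]
    return name[:-4] if name.endswith(".dll") else name


def audit_notification_packages(values: List[str]) -> List[str]:
    """Entries of the REG_MULTI_SZ that are not in the baseline.

    Each name is a DLL loaded into lsass.exe before any user logs on, so an
    unexpected entry is both persistence and a SYSTEM-level password hook."""
    return [v for v in values if normalize_package(v) not in KNOWN_NOTIFICATION_PACKAGES]


def image_path(command: str) -> str:
    """First executable in a Run-value command line; for rundll32, the DLL it loads."""
    command = command.strip()
    m = re.match(r'"([^"]+)"|(\S+)', command)
    if not m:
        return command
    first = m.group(1) or m.group(2)
    if first.lower().endswith("rundll32.exe"):
        rest = command[m.end():].strip()
        dll = re.match(r'"([^"]+)"|([^,\s]+)', rest)
        if dll:
            first = dll.group(1) or dll.group(2)
    return first


def audit_run_values(values: Dict[str, str]) -> List[Tuple[str, str]]:
    """(value name, image path) for Run entries whose image is outside TRUSTED_DIRS."""
    findings = []
    for name, command in values.items():
        path = image_path(command).lower()
        if not path.startswith(TRUSTED_DIRS):
            findings.append((name, path))
    return findings


# --- constructed sample data -------------------------------------------------
# Detection lines copied from the MBAM log in this thread.
SAMPLE_MBAM = r"""
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kkeverokowucafo (Trojan.Agent) -> Delete on reboot.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: kbukbap.dll -> Delete on reboot.

Files Infected:
C:\WINDOWS\kbukbap.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\obenumatoy.dll (Trojan.Agent) -> Delete on reboot.
"""

# Registry snapshot as it might have looked before cleaning. The multi-string
# content and the Run command lines are CONSTRUCTED for the example; only the
# value name and the DLL names come from the log above.
SAMPLE_NOTIFICATION_PACKAGES = ["scecli", "kbukbap.dll"]
SAMPLE_RUN_VALUES = {
    "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe",
    "kkeverokowucafo": r"rundll32.exe C:\WINDOWS\obenumatoy.dll,a",
}


def triage() -> Dict[str, object]:
    """Run the three checks over the sample data and return the findings."""
    return {
        "mbam_hits": parse_mbam_log(SAMPLE_MBAM),
        "rogue_lsa_packages": audit_notification_packages(SAMPLE_NOTIFICATION_PACKAGES),
        "rogue_run_values": audit_run_values(SAMPLE_RUN_VALUES),
    }


if __name__ == "__main__":
    for key, value in triage().items():
        print(key, value)
```

The Run-key heuristic is deliberately coarse: anything launched from the profile, from %TEMP% or from the bare C:\WINDOWS root is listed for a human to look at, which also catches the hardware-vendor applets some OEM images start from C:\WINDOWS. The Notification Packages check is the one that should never produce a surprise on a home machine; if it does, treat the DLL as running with SYSTEM rights and in a position to see plaintext passwords.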

#11
heir

    Trusted Helper

  • Malware Removal
  • 5,427 posts
Let's remove what's found so far then and do a couple of scans again.

Step 1.
OTL-fix:

Run OTListIt2.exe
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    :OTLI
    PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
    :Files
    C:\DOCUME~1\ALLUSE~1\APPLIC~1\Azureus
    C:\Documents and Settings\Compaq_Owner.COMPAQMEDIA\My Documents\Incomplete\Preview-T-3545425-photo sleeperstar.mp3 
    C:\Documents and Settings\Compaq_Owner.COMPAQMEDIA\My Documents\Incomplete\Preview-T-4045425-photo sleeperstar (best quality).mp3
    C:\Documents and Settings\Compaq_Owner.COMPAQMEDIA\My Documents\Incomplete\Preview-T-4170999-photo sleeperstar(Disk 1).mp3
    C:\Documents and Settings\Compaq_Owner.COMPAQMEDIA\My Documents\Incomplete\Preview-T-4224012-photo sleeperstar HIT TOP50.mp3
    C:\Documents and Settings\Compaq_Owner.COMPAQMEDIA\My Documents\Incomplete\Preview-T-4506748-photo sleeperstar-HQ.mp3
    C:\Documents and Settings\Compaq_Owner.COMPAQMEDIA\My Documents\Incomplete\T-3545425-photo sleeperstar.mp3
    C:\Documents and Settings\Compaq_Owner.COMPAQMEDIA\My Documents\Incomplete\T-4045425-photo sleeperstar (best quality).mp3
    C:\Documents and Settings\Compaq_Owner.COMPAQMEDIA\My Documents\Incomplete\T-4170999-photo sleeperstar(Disk 1).mp3
    C:\Documents and Settings\Compaq_Owner.COMPAQMEDIA\My Documents\Incomplete\T-4170999-tonight trendust(Disk 1).mp3
    C:\Documents and Settings\Compaq_Owner.COMPAQMEDIA\My Documents\Incomplete\T-4188670-disconnected face to(Club RMX).mp3
    C:\Documents and Settings\Compaq_Owner.COMPAQMEDIA\My Documents\Incomplete\T-4224012-photo sleeperstar HIT TOP50.mp3
    C:\Documents and Settings\Compaq_Owner.COMPAQMEDIA\My Documents\Incomplete\T-4224012-tonight trendust HIT TOP50.mp3
    C:\Documents and Settings\Compaq_Owner.COMPAQMEDIA\My Documents\Incomplete\T-4390841-photo sleeperstar [new album].au 
    C:\Documents and Settings\Compaq_Owner.COMPAQMEDIA\My Documents\Incomplete\T-4506748-photo sleeperstar-HQ.mp3
    :Commands
    [purity]
    [emptytemp]
    [start explorer]
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot when it is done
  • Then post the OTL2 fixlog

Step 2.
Goored-scan:

Please download GooredFix from one of the locations below and save it to your Desktop
Download Mirror #1
Download Mirror #2
  • Double-click GooredFix.exe to run it.
  • Select 1. Find Goored (no fix) by typing 1 and pressing Enter.
  • A log will open, please post the contents of that log in your next reply (it can also be found on your desktop, called GooredLog.txt).
Note: Do not run Option #2 yet.

Step 3.
MBAM:

Update and scan with MBAM again and post the log

Step 4.
Things I would like to see in your reply:

  • The content of the fixlog from OTL2 in step 1.
  • The content of GooredLog.txt from step 2.
  • The content of the log from MBAM in step 3.


#12
billpete

    Member

  • Topic Starter
  • 10 posts
OTL2 fix Log:

========== OTLISTIT ==========
Process explorer.exe killed successfully!
========== FILES ==========
C:\DOCUME~1\ALLUSE~1\APPLIC~1\Azureus moved successfully.
File/Folder C:\Documents and Settings\Compaq_Owner.COMPAQMEDIA\My Documents\Incomplete\Preview-T-3545425-photo sleeperstar.mp3 not found.
File/Folder C:\Documents and Settings\Compaq_Owner.COMPAQMEDIA\My Documents\Incomplete\Preview-T-4045425-photo sleeperstar (best quality).mp3 not found.
File/Folder C:\Documents and Settings\Compaq_Owner.COMPAQMEDIA\My Documents\Incomplete\Preview-T-4170999-photo sleeperstar(Disk 1).mp3 not found.
File/Folder C:\Documents and Settings\Compaq_Owner.COMPAQMEDIA\My Documents\Incomplete\Preview-T-4224012-photo sleeperstar HIT TOP50.mp3 not found.
File/Folder C:\Documents and Settings\Compaq_Owner.COMPAQMEDIA\My Documents\Incomplete\Preview-T-4506748-photo sleeperstar-HQ.mp3 not found.
File/Folder C:\Documents and Settings\Compaq_Owner.COMPAQMEDIA\My Documents\Incomplete\T-3545425-photo sleeperstar.mp3 not found.
File/Folder C:\Documents and Settings\Compaq_Owner.COMPAQMEDIA\My Documents\Incomplete\T-4045425-photo sleeperstar (best quality).mp3 not found.
File/Folder C:\Documents and Settings\Compaq_Owner.COMPAQMEDIA\My Documents\Incomplete\T-4170999-photo sleeperstar(Disk 1).mp3 not found.
File/Folder C:\Documents and Settings\Compaq_Owner.COMPAQMEDIA\My Documents\Incomplete\T-4170999-tonight trendust(Disk 1).mp3 not found.
File/Folder C:\Documents and Settings\Compaq_Owner.COMPAQMEDIA\My Documents\Incomplete\T-4188670-disconnected face to(Club RMX).mp3 not found.
File/Folder C:\Documents and Settings\Compaq_Owner.COMPAQMEDIA\My Documents\Incomplete\T-4224012-photo sleeperstar HIT TOP50.mp3 not found.
File/Folder C:\Documents and Settings\Compaq_Owner.COMPAQMEDIA\My Documents\Incomplete\T-4224012-tonight trendust HIT TOP50.mp3 not found.
File/Folder C:\Documents and Settings\Compaq_Owner.COMPAQMEDIA\My Documents\Incomplete\T-4390841-photo sleeperstar [new album].au not found.
File/Folder C:\Documents and Settings\Compaq_Owner.COMPAQMEDIA\My Documents\Incomplete\T-4506748-photo sleeperstar-HQ.mp3 not found.
========== COMMANDS ==========
File delete failed. C:\Documents and Settings\Compaq_Owner.COMPAQMEDIA\Local Settings\temp\etilqs_hbhxMtE5k4Ty3IneFrea scheduled to be deleted on reboot.
User's Temp folder emptied.
User's Internet Explorer cache folder emptied.
File delete failed. C:\Documents and Settings\Compaq_Owner.COMPAQMEDIA\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
User's Temporary Internet Files folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temp\History\History.IE5\index.dat scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temp\Cookies\index.dat scheduled to be deleted on reboot.
Local Service Temp folder emptied.
Local Service Temporary Internet Files folder emptied.
Network Service Temp folder emptied.
File delete failed. C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Network Service Temporary Internet Files folder emptied.
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_718.dat scheduled to be deleted on reboot.
Windows Temp folder emptied.
Java cache emptied.
File delete failed. C:\Documents and Settings\Compaq_Owner.COMPAQMEDIA\Local Settings\Application Data\Mozilla\Firefox\Profiles\8v7fle8h.default\Cache\_CACHE_001_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Compaq_Owner.COMPAQMEDIA\Local Settings\Application Data\Mozilla\Firefox\Profiles\8v7fle8h.default\Cache\_CACHE_002_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Compaq_Owner.COMPAQMEDIA\Local Settings\Application Data\Mozilla\Firefox\Profiles\8v7fle8h.default\Cache\_CACHE_003_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Compaq_Owner.COMPAQMEDIA\Local Settings\Application Data\Mozilla\Firefox\Profiles\8v7fle8h.default\Cache\_CACHE_MAP_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Compaq_Owner.COMPAQMEDIA\Local Settings\Application Data\Mozilla\Firefox\Profiles\8v7fle8h.default\urlclassifier3.sqlite scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Compaq_Owner.COMPAQMEDIA\Local Settings\Application Data\Mozilla\Firefox\Profiles\8v7fle8h.default\XUL.mfl scheduled to be deleted on reboot.
FireFox cache emptied.
Opera cache emptied.
Temp folders emptied.
Explorer started successfully

OTListIt2 by OldTimer - Version 2.0.14.0 log created on 04142009_211048

Files moved on Reboot...
File C:\Documents and Settings\Compaq_Owner.COMPAQMEDIA\Local Settings\temp\etilqs_hbhxMtE5k4Ty3IneFrea not found!
File C:\WINDOWS\temp\Perflib_Perfdata_718.dat not found!
C:\Documents and Settings\Compaq_Owner.COMPAQMEDIA\Local Settings\Application Data\Mozilla\Firefox\Profiles\8v7fle8h.default\Cache\_CACHE_001_ moved successfully.
C:\Documents and Settings\Compaq_Owner.COMPAQMEDIA\Local Settings\Application Data\Mozilla\Firefox\Profiles\8v7fle8h.default\Cache\_CACHE_002_ moved successfully.
C:\Documents and Settings\Compaq_Owner.COMPAQMEDIA\Local Settings\Application Data\Mozilla\Firefox\Profiles\8v7fle8h.default\Cache\_CACHE_003_ moved successfully.
C:\Documents and Settings\Compaq_Owner.COMPAQMEDIA\Local Settings\Application Data\Mozilla\Firefox\Profiles\8v7fle8h.default\Cache\_CACHE_MAP_ moved successfully.
C:\Documents and Settings\Compaq_Owner.COMPAQMEDIA\Local Settings\Application Data\Mozilla\Firefox\Profiles\8v7fle8h.default\urlclassifier3.sqlite moved successfully.
C:\Documents and Settings\Compaq_Owner.COMPAQMEDIA\Local Settings\Application Data\Mozilla\Firefox\Profiles\8v7fle8h.default\XUL.mfl moved successfully.

Registry entries deleted on Reboot...


Goored Log:

GooredFix v1.92 by jpshortstuff
Log created at 21:14 on 14/04/2009 running Option #1 (Compaq_Owner)
Firefox version 3.0.8 (en-US)

=====Suspect Goored Entries=====

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{1CF5E21F-32FF-4E04-93FB-033881FE4E1A}"="C:\Documents and Settings\Compaq_Owner.COMPAQMEDIA\Local Settings\Application Data\{1CF5E21F-32FF-4E04-93FB-033881FE4E1A}"

=====Dumping Registry Values=====

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.8\extensions]
"Plugins"="C:\Program Files\Mozilla Firefox\plugins"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.8\extensions]
"Components"="C:\Program Files\Mozilla Firefox\components"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{1CF5E21F-32FF-4E04-93FB-033881FE4E1A}"="C:\Documents and Settings\Compaq_Owner.COMPAQMEDIA\Local Settings\Application Data\{1CF5E21F-32FF-4E04-93FB-033881FE4E1A}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"[email protected]"="C:\Program Files\Java\jre6\lib\deploy\jqs\ff"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{20a82645-c095-46ed-80e3-08825760534b}"="C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\"


MBAM Log:

Malwarebytes' Anti-Malware 1.36
Database version: 1954
Windows 5.1.2600 Service Pack 3

4/14/2009 9:20:50 PM
mbam-log-2009-04-14 (21-20-50).txt

Scan type: Quick Scan
Objects scanned: 75934
Time elapsed: 4 minute(s), 22 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
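What GooredFix flagged in the log above is the classic shape of the Google-redirect extension: a machine-wide Firefox extension registration under HKLM\SOFTWARE\Mozilla\Firefox\extensions whose install directory is a GUID-named folder inside the user's Local Settings\Application Data, a location any process running as that user can write to. The Python below is an added example, not GooredFix and not code from this thread: it parses a registry dump in the format GooredFix prints and applies that path-based heuristic, so the same check can be rerun after the fix or against another machine. The user-writable markers and the trusted roots are assumptions for an XP-era folder layout; the sample dump is the "Dumping Registry Values" section of the log above.

```python
import re
from typing import List, Tuple

KEY_LINE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_LINE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"$')

# Path fragments that mean "inside a user profile" on Windows XP.
USER_WRITABLE_MARKERS = (
    "\\documents and settings\\",
    "\\local settings\\",
    "\\application data\\",
    "\\temp\\",
)
# Roots where a legitimately installed extension directory is expected.
TRUSTED_ROOTS = ("c:\\program files\\", "c:\\windows\\")

Entry = Tuple[str, str, str]  # (registry key, value name, value data)


def parse_reg_dump(text: str) -> List[Entry]:
    """Parse '[KEY]' / '"name"="data"' blocks as printed by GooredFix."""
    entries, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        k = KEY_LINE.match(line)
        if k:
            key = k.group("key")
            continue
        v = VALUE_LINE.match(line)
        if v and key is not None:
            entries.append((key, v.group("name"), v.group("data")))
    return entries


def judge(entry: Entry) -> str:
    """Empty string if the registration looks legitimate, else the reason it does not."""
    key, _name, data = entry
    path = data.lower()
    machine_wide = key.lower().startswith("hkey_local_machine")
    # An HKLM entry is supposed to be written by an installer running as admin;
    # one that points into a per-user, user-writable folder was not.
    if machine_wide and any(marker in path for marker in USER_WRITABLE_MARKERS):
        return "HKLM registration points into a user profile"
    if not path.startswith(TRUSTED_ROOTS):
        return "extension directory outside Program Files / Windows"
    return ""


def find_suspects(text: str) -> List[Tuple[str, str, str, str]]:
    """(key, name, data, reason) for every entry judge() rejects."""
    suspects = []
    for key, name, data in parse_reg_dump(text):
        reason = judge((key, name, data))
        if reason:
            suspects.append((key, name, data, reason))
    return suspects


# Constructed sample: the 'Dumping Registry Values' section of the GooredFix
# log in this thread, reproduced as the page renders it (including the
# obscured name of the Java Quick Starter entry).
SAMPLE_DUMP = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.8\extensions]
"Plugins"="C:\Program Files\Mozilla Firefox\plugins"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.8\extensions]
"Components"="C:\Program Files\Mozilla Firefox\components"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{1CF5E21F-32FF-4E04-93FB-033881FE4E1A}"="C:\Documents and Settings\Compaq_Owner.COMPAQMEDIA\Local Settings\Application Data\{1CF5E21F-32FF-4E04-93FB-033881FE4E1A}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"[email protected]"="C:\Program Files\Java\jre6\lib\deploy\jqs\ff"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{20a82645-c095-46ed-80e3-08825760534b}"="C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\"
"""

if __name__ == "__main__":
    for _key, name, data, reason in find_suspects(SAMPLE_DUMP):
        print(f"{reason}: {name} -> {data}")
```

Note that a GUID-style extension id on its own proves nothing (the .NET Framework Assistant uses one too); the signal is the mismatch between where the value lives and where it points. If you feed this a `reg export` file instead of a GooredFix log, collapse its escaped backslashes (`\\` to `\`) first, since .reg files escape them and the parser above does not.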

#13
heir

    Trusted Helper

  • Malware Removal
  • 5,427 posts
I think we've found the root of this problem.
Let's fix it.

Please double-click GooredFix.exe on your Desktop to run it.
  • Select "2. Fix Goored" by typing 2 and pressing Enter.
  • Make sure all instances of Firefox are closed at this point.
  • Type y at the prompt and press Enter again.
  • A log will open, please post the contents of that log in your next reply (it can also be found on your desktop, called GooredLog.txt).
Note: If you receive a message saying that GooredFix needs your system to be restarted, please close all applications and reboot your system. Please also allow any registry changes that may be prompted by any of your security programs.


Please also do a Kaspersky Online Scan again and post the report in your reply.

#14
billpete

    Member

  • Topic Starter
  • 10 posts
Here is the GooredFix log you asked for, along with a new Kaspersky Online Scan log.

GooredFix Log:

GooredFix v1.92 by jpshortstuff
Log created at 04:04 on 15/04/2009 running Option #2 (Compaq_Owner)
Firefox version 3.0.8 (en-US)

=====Goored Deletions=====

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{1CF5E21F-32FF-4E04-93FB-033881FE4E1A}"="C:\Documents and Settings\Compaq_Owner.COMPAQMEDIA\Local Settings\Application Data\{1CF5E21F-32FF-4E04-93FB-033881FE4E1A}"
->Backing up value... Done.
->Deleting value... Done.

C:\Documents and Settings\Compaq_Owner.COMPAQMEDIA\Local Settings\Application Data\{1CF5E21F-32FF-4E04-93FB-033881FE4E1A}
->Backing up folder... Done.
->Emptying folder... Done.
->Deleting folder... Done.

=====Dumping Registry Values=====

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.8\extensions]
"Plugins"="C:\Program Files\Mozilla Firefox\plugins"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.8\extensions]
"Components"="C:\Program Files\Mozilla Firefox\components"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"[email protected]"="C:\Program Files\Java\jre6\lib\deploy\jqs\ff"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{20a82645-c095-46ed-80e3-08825760534b}"="C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\"


KASPERSKY ONLINE SCAN LOG:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0 REPORT
Saturday, April 18, 2009
Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Thursday, April 16, 2009 12:08:33
Records in database: 2050410
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\
F:\
G:\
H:\
I:\
J:\
K:\

Scan statistics:
Files scanned: 147532
Threat name: 7
Infected objects: 22
Suspicious objects: 0
Duration of the scan: 45:53:35


File name / Threat name / Threats count
C:\Documents and Settings\Compaq_Owner.COMPAQMEDIA\My Documents\Incomplete\T-4320425-follow me home years gone by [256k quality].mp3 Infected: Trojan-Downloader.WMA.GetCodec.u 1
C:\Documents and Settings\Compaq_Owner.COMPAQMEDIA\My Documents\Incomplete\T-4380953-follow me home years gone by 320k bitrate quality.snd Infected: Trojan-Downloader.WMA.GetCodec.u 1
C:\Documents and Settings\Compaq_Owner.COMPAQMEDIA\My Documents\SETUPfiles\vnc-4_1_2-x86_win32.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 4
C:\Documents and Settings\Compaq_Owner.COMPAQMEDIA\My Documents\SETUPfiles\vnc-E4_2_6-x86_win32.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 1
C:\wIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.631 1
C:\wIRC\Tools\tftpd32.exe Infected: not-a-virus:Server-FTP.Win32.Tftpd.b 1
C:\_OTListIt\MovedFiles\02182009_121059\BACKUPS\SETUPfiles\WindowBlinds 4.6 Enhanced w-Keygen&Vista Theme.rar Infected: Backdoor.Win32.Rbot.pwi 1
C:\_OTListIt\MovedFiles\02182009_121059\BACKUPS\SETUPfiles\Windows_XP_Activation_Crack.zip Infected: Trojan.BAT.Small.ai 1
C:\_OTListIt\MovedFiles\02182009_121059\Documents and Settings\Compaq_Owner.COMPAQMEDIA\My Documents\SETUPfiles\WindowBlinds 4.6 Enhanced w-Keygen&Vista Theme.rar Infected: Backdoor.Win32.Rbot.pwi 1
C:\_OTListIt\MovedFiles\02182009_121059\Documents and Settings\Compaq_Owner.COMPAQMEDIA\My Documents\SETUPfiles\Windows_XP_Activation_Crack.zip Infected: Trojan.BAT.Small.ai 1
D:\BACKUPS\SETUPfiles\vnc-4_1_2-x86_win32.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 4
D:\BACKUPS\SETUPfiles\vnc-E4_2_6-x86_win32.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 1
F:\I386\APPS\APP20620\src\CompaqPresario_Spring06.exe Infected: not-a-virus:AdWare.Win32.WeatherBug.a 2
F:\I386\APPS\APP20620\src\HPPavillion_Spring06.exe Infected: not-a-virus:AdWare.Win32.WeatherBug.a 2

The selected area was scanned.

Edited by billpete, 18 April 2009 - 06:46 AM.

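The two Kaspersky reports in this thread (posts #10 and #14) show why a raw "Infected objects" count overstates what is actually running. Most lines are either `not-a-virus:` riskware the owner installed on purpose (mIRC, VNC, a TFTP server), or copies already sitting in ComboFix's `C:\Qoobox\Quarantine` and OTListIt's `C:\_OTListIt\MovedFiles` backup folders, which are inert until someone restores them; the partially downloaded "mp3" files in the P2P Incomplete folder are the only live item, and a fresh one appeared between the two scans. The Python below is an added example, not part of the thread and not Kaspersky's tooling: it parses report lines in the `path Infected: threat count` format, buckets each hit, and diffs two reports so you can see what the fix removed and what turned up in between. The excerpts are taken from the two reports above; the quarantine-folder list is an assumption matching the tools used in this thread.

```python
import re
from typing import Dict, List, Set, Tuple

# One report line:  <path> Infected: <threat name> <count>
HIT_LINE = re.compile(r"^(?P<path>.+?) Infected: (?P<threat>\S+) (?P<count>\d+)$")

# Backup folders of the cleaning tools used in this thread (ComboFix, OTListIt).
# ASSUMPTION: add your own tools' quarantine paths here.
QUARANTINE_ROOTS = ("c:\\qoobox\\quarantine\\", "c:\\_otlistit\\movedfiles\\")

Hit = Tuple[str, str]  # (path, threat name)


def parse_report(text: str) -> List[Hit]:
    """One (path, threat) pair per detection line; headers and blanks are skipped."""
    hits = []
    for line in text.splitlines():
        m = HIT_LINE.match(line.strip())
        if m:
            hits.append((m.group("path"), m.group("threat")))
    return hits


def classify(hit: Hit) -> str:
    path, threat = hit
    if path.lower().startswith(QUARANTINE_ROOTS):
        return "quarantined"   # already neutralised by a cleaning tool
    if threat.startswith("not-a-virus:"):
        return "riskware"      # legitimate tool; a policy decision, not an infection
    return "active"            # live malware or a trojanised download


def summarize(text: str) -> Dict[str, List[Hit]]:
    buckets: Dict[str, List[Hit]] = {"active": [], "riskware": [], "quarantined": []}
    for hit in parse_report(text):
        buckets[classify(hit)].append(hit)
    return buckets


def diff_reports(before: str, after: str) -> Dict[str, Set[Hit]]:
    """What a cleanup removed, what it left alone, and what is new since."""
    b, a = set(parse_report(before)), set(parse_report(after))
    return {"removed": b - a, "persisting": b & a, "new": a - b}


# Constructed excerpts of the two reports posted in this thread (7 and 5 lines).
REPORT_APR14 = r"""
File name / Threat name / Threats count
C:\Documents and Settings\Compaq_Owner.COMPAQMEDIA\My Documents\Incomplete\T-3545425-photo sleeperstar.mp3 Infected: Trojan-Downloader.WMA.GetCodec.c 1
C:\Documents and Settings\Compaq_Owner.COMPAQMEDIA\My Documents\SETUPfiles\vnc-4_1_2-x86_win32.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 4
C:\Qoobox\Quarantine\C\WINDOWS\system32\_sdra64_.exe.zip Infected: Trojan-Spy.Win32.Zbot.gen 1
C:\wIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.631 1
C:\wIRC\Tools\portscan.exe Infected: not-a-virus:NetTool.Win32.Scan.12 1
C:\wIRC\Tools\tftpd32.exe Infected: not-a-virus:Server-FTP.Win32.Tftpd.b 1
C:\_OTListIt\MovedFiles\02182009_121059\BACKUPS\SETUPfiles\WindowBlinds 4.6 Enhanced w-Keygen&Vista Theme.rar Infected: Backdoor.Win32.Rbot.pwi 1
"""

REPORT_APR18 = r"""
File name / Threat name / Threats count
C:\Documents and Settings\Compaq_Owner.COMPAQMEDIA\My Documents\Incomplete\T-4320425-follow me home years gone by [256k quality].mp3 Infected: Trojan-Downloader.WMA.GetCodec.u 1
C:\Documents and Settings\Compaq_Owner.COMPAQMEDIA\My Documents\SETUPfiles\vnc-4_1_2-x86_win32.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 4
C:\wIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.631 1
C:\wIRC\Tools\tftpd32.exe Infected: not-a-virus:Server-FTP.Win32.Tftpd.b 1
C:\_OTListIt\MovedFiles\02182009_121059\BACKUPS\SETUPfiles\WindowBlinds 4.6 Enhanced w-Keygen&Vista Theme.rar Infected: Backdoor.Win32.Rbot.pwi 1
"""

if __name__ == "__main__":
    for bucket, hits in summarize(REPORT_APR18).items():
        print(f"{bucket}: {len(hits)}")
    for change, hits in diff_reports(REPORT_APR14, REPORT_APR18).items():
        print(change, sorted(hits))
```

A new `active` hit in the Incomplete folder after cleanup is the detail to act on: it means the P2P client was still downloading trojanised media while the machine was being cleaned, which is why the helper's very first question was whether uTorrent and FrostWire had been uninstalled.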

#15
heir

    Trusted Helper

  • Malware Removal
  • 5,427 posts
Run OTListIt2.exe
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    :OTLI
    PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
    :Files
    C:\Documents and Settings\Compaq_Owner.COMPAQMEDIA\My Documents\Incomplete\T-4320425-follow me home years gone by [256k quality].mp3
    C:\Documents and Settings\Compaq_Owner.COMPAQMEDIA\My Documents\Incomplete\T-4380953-follow me home years gone by 320k bitrate quality.snd
    :Commands
    [purity]
    [emptytemp]
    [start explorer]
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot when it is done
  • Then post a new OTL2 log


Are you still getting redirected?