Infection from a screen saver download [Solved]

Geeks to Go Forums > Security > Virus, Spyware, Malware Removal

Today's New Content

Infection from a screen saver download [Solved] Trojan Agent and Rootkit.Bagle

#1 rshaffer61

Group: Moderator
Posts: 32,412
Joined: 28-February 09

Posted 22 May 2009 - 03:29 PM

This is embarrassing guys. All I did was add a screensaver from what I thought was a good source and I got hit with this. Now my Avast, Super Anti Spyware and ATF will not run. Thanks in advance. Required logs below.

Malwarebytes' Anti-Malware 1.36
Database version: 2167
Windows 5.1.2600 Service Pack 3

5/22/2009 4:13:10 PM
mbam-log-2009-05-22 (16-13-10).txt

Scan type: Quick Scan
Objects scanned: 84923
Time elapsed: 11 minute(s), 23 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 4
Registry Values Infected: 3
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 9

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sk9ou0s (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sk9ou0s (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sk9ou0s (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\srosa (Rootkit.Bagle) -> Delete on reboot.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\german.exe (Rootkit.Bagle) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\drvsyskit (Rootkit.Bagle) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mule_st_key (Rootkit.Bagle) -> Delete on reboot.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Documents and Settings\Elvis\Application Data\m (Trojan.Agent) -> Delete on reboot.

Files Infected:
C:\Documents and Settings\Elvis\Application Data\m\data.oct (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Elvis\Application Data\m\list.oct (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Elvis\Application Data\m\srvlist.oct (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Elvis\Application Data\drivers\srosa2.sys (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Elvis\Application Data\drivers\winupgro.exe (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\mdelk.exe (Trojan.Spammer) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wintems.exe (Trojan.Spammer) -> Delete on reboot.
C:\Documents and Settings\Elvis\Application Data\m\flec006.exe (Trojan.Agent) -> Delete on reboot.
C:\Documents and Settings\Elvis\Application Data\drivers\wfsintwq.sys (Rootkit.Bagle) -> Quarantined and deleted successfully.

Rooter:

Microsoft Windows XP Professional (5.1.2600) Service Pack 3

C:\ [Fixed] - NTFS - (Total:78520 Mo/Free:420 Mo)
D:\ [Fixed] - NTFS - (Total:78528 Mo/Free:472 Mo)
E:\ [CD-Rom] (Total:0 Mo/Free:0 Mo)
F:\ [Fixed] - NTFS - (Total:238472 Mo/Free:1017 Mo)

Fri 05/22/2009|16:16

----------------------\\ Processes..

--Locked-- [System Process]
---------- System
---------- \SystemRoot\System32\smss.exe
---------- \??\C:\WINDOWS\system32\csrss.exe
---------- \??\C:\WINDOWS\system32\winlogon.exe
---------- C:\WINDOWS\system32\services.exe
---------- C:\WINDOWS\system32\lsass.exe
---------- C:\WINDOWS\system32\svchost.exe
---------- C:\WINDOWS\system32\svchost.exe
---------- C:\WINDOWS\System32\svchost.exe
---------- C:\WINDOWS\system32\svchost.exe
---------- C:\WINDOWS\system32\svchost.exe
---------- C:\WINDOWS\system32\LEXBCES.EXE
---------- C:\WINDOWS\system32\LEXPPS.EXE
---------- C:\WINDOWS\system32\spoolsv.exe
---------- C:\WINDOWS\Explorer.EXE
---------- C:\WINDOWS\system32\svchost.exe
---------- C:\Program Files\Common Files\Portrait Displays\Shared\DTSRVC.exe
---------- C:\Program Files\Java\jre6\bin\jqs.exe
---------- C:\WINDOWS\system32\svchost.exe
---------- C:\WINDOWS\system32\wdfmgr.exe
---------- C:\WINDOWS\system32\wbem\wmiprvse.exe
---------- C:\Program Files\Google\Quick Search Box\qsb.exe
---------- C:\Program Files\Portrait Displays\Pivot Software\wpctrl.exe
---------- C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
---------- C:\Advanced SystemCare 3\AWC.exe
---------- C:\ICQ\ICQ.exe
---------- C:\Program Files\Portrait Displays\Pivot Software\floater.exe
---------- C:\Documents and Settings\Elvis\Application Data\drivers\winupgro.exe
---------- C:\WINDOWS\system32\cmd.exe
---------- C:\Rooter$\RK.exe

----------------------\\ Search..

C:\WINDOWS\System32\ban_list.txt
C:\DOCUME~1\Elvis\APPLIC~1\drivers\srosa2.sys
C:\DOCUME~1\Elvis\APPLIC~1\drivers\wfsintwq.sys
C:\DOCUME~1\Elvis\APPLIC~1\drivers\winupgro.exe
C:\DOCUME~1\Elvis\APPLIC~1\drivers\downld\101500.exe
C:\DOCUME~1\Elvis\APPLIC~1\drivers\downld\104203.exe
C:\DOCUME~1\Elvis\APPLIC~1\drivers\downld\104718.exe
C:\DOCUME~1\Elvis\APPLIC~1\drivers\downld\105062.exe
C:\DOCUME~1\Elvis\APPLIC~1\drivers\downld\105656.exe
C:\DOCUME~1\Elvis\APPLIC~1\drivers\downld\107437.exe
C:\DOCUME~1\Elvis\APPLIC~1\drivers\downld\107859.exe
C:\DOCUME~1\Elvis\APPLIC~1\drivers\downld\108015.exe
C:\DOCUME~1\Elvis\APPLIC~1\drivers\downld\108265.exe
C:\DOCUME~1\Elvis\APPLIC~1\drivers\downld\109406.exe
C:\DOCUME~1\Elvis\APPLIC~1\drivers\downld\115062.exe
C:\DOCUME~1\Elvis\APPLIC~1\drivers\downld\115078.exe
C:\DOCUME~1\Elvis\APPLIC~1\drivers\downld\118062.exe
C:\DOCUME~1\Elvis\APPLIC~1\drivers\downld\118937.exe
C:\DOCUME~1\Elvis\APPLIC~1\drivers\downld\119343.exe
C:\DOCUME~1\Elvis\APPLIC~1\drivers\downld\119859.exe
C:\DOCUME~1\Elvis\APPLIC~1\drivers\downld\120703.exe
C:\DOCUME~1\Elvis\APPLIC~1\drivers\downld\121500.exe
C:\DOCUME~1\Elvis\APPLIC~1\drivers\downld\125781.exe
C:\DOCUME~1\Elvis\APPLIC~1\drivers\downld\126718.exe
C:\DOCUME~1\Elvis\APPLIC~1\drivers\downld\127046.exe
C:\DOCUME~1\Elvis\APPLIC~1\drivers\downld\149765.exe
C:\DOCUME~1\Elvis\APPLIC~1\drivers\downld\150312.exe
C:\DOCUME~1\Elvis\APPLIC~1\drivers\downld\167406.exe
C:\DOCUME~1\Elvis\APPLIC~1\drivers\downld\169203.exe
C:\DOCUME~1\Elvis\APPLIC~1\drivers\downld\170515.exe
C:\DOCUME~1\Elvis\APPLIC~1\drivers\downld\185812.exe
C:\DOCUME~1\Elvis\APPLIC~1\drivers\downld\188937.exe
C:\DOCUME~1\Elvis\APPLIC~1\drivers\downld\189328.exe
C:\DOCUME~1\Elvis\APPLIC~1\drivers\downld\199562.exe
C:\DOCUME~1\Elvis\APPLIC~1\drivers\downld\212437.exe
C:\DOCUME~1\Elvis\APPLIC~1\drivers\downld\213734.exe
C:\DOCUME~1\Elvis\APPLIC~1\drivers\downld\214843.exe
C:\DOCUME~1\Elvis\APPLIC~1\drivers\downld\225359.exe
C:\DOCUME~1\Elvis\APPLIC~1\drivers\downld\226437.exe
C:\DOCUME~1\Elvis\APPLIC~1\drivers\downld\226609.exe
C:\DOCUME~1\Elvis\APPLIC~1\drivers\downld\235453.exe
C:\DOCUME~1\Elvis\APPLIC~1\drivers\downld\285906.exe
C:\DOCUME~1\Elvis\APPLIC~1\drivers\downld\287515.exe
C:\DOCUME~1\Elvis\APPLIC~1\drivers\downld\288359.exe
C:\DOCUME~1\Elvis\APPLIC~1\drivers\downld\313250.exe
C:\DOCUME~1\Elvis\APPLIC~1\drivers\downld\314078.exe
C:\DOCUME~1\Elvis\APPLIC~1\drivers\downld\314562.exe
C:\DOCUME~1\Elvis\APPLIC~1\drivers\downld\330812.exe
C:\DOCUME~1\Elvis\APPLIC~1\drivers\downld\331718.exe
C:\DOCUME~1\Elvis\APPLIC~1\drivers\downld\332578.exe
C:\DOCUME~1\Elvis\APPLIC~1\drivers\downld\336359.exe
C:\DOCUME~1\Elvis\APPLIC~1\drivers\downld\338609.exe
C:\DOCUME~1\Elvis\APPLIC~1\drivers\downld\338812.exe
C:\DOCUME~1\Elvis\APPLIC~1\drivers\downld\341437.exe
C:\DOCUME~1\Elvis\APPLIC~1\drivers\downld\342656.exe
C:\DOCUME~1\Elvis\APPLIC~1\drivers\downld\343828.exe
C:\DOCUME~1\Elvis\APPLIC~1\drivers\downld\344062.exe
C:\DOCUME~1\Elvis\APPLIC~1\drivers\downld\344750.exe
C:\DOCUME~1\Elvis\APPLIC~1\drivers\downld\345656.exe
C:\DOCUME~1\Elvis\APPLIC~1\drivers\downld\347343.exe
C:\DOCUME~1\Elvis\APPLIC~1\drivers\downld\348781.exe
C:\DOCUME~1\Elvis\APPLIC~1\drivers\downld\348906.exe
C:\DOCUME~1\Elvis\APPLIC~1\drivers\downld\350625.exe
C:\DOCUME~1\Elvis\APPLIC~1\drivers\downld\351234.exe
C:\DOCUME~1\Elvis\APPLIC~1\drivers\downld\351250.exe
C:\DOCUME~1\Elvis\APPLIC~1\drivers\downld\356812.exe
C:\DOCUME~1\Elvis\APPLIC~1\drivers\downld\359500.exe
C:\DOCUME~1\Elvis\APPLIC~1\drivers\downld\360609.exe
C:\DOCUME~1\Elvis\APPLIC~1\drivers\downld\361125.exe
C:\DOCUME~1\Elvis\APPLIC~1\drivers\downld\361437.exe
C:\DOCUME~1\Elvis\APPLIC~1\drivers\downld\361781.exe
C:\DOCUME~1\Elvis\APPLIC~1\drivers\downld\362062.exe
C:\DOCUME~1\Elvis\APPLIC~1\drivers\downld\362296.exe
C:\DOCUME~1\Elvis\APPLIC~1\drivers\downld\362765.exe
C:\DOCUME~1\Elvis\APPLIC~1\drivers\downld\380750.exe
C:\DOCUME~1\Elvis\APPLIC~1\drivers\downld\540078.exe
C:\DOCUME~1\Elvis\APPLIC~1\drivers\downld\540703.exe
C:\DOCUME~1\Elvis\APPLIC~1\drivers\downld\540765.exe
C:\DOCUME~1\Elvis\APPLIC~1\drivers\downld\671421.exe
C:\DOCUME~1\Elvis\APPLIC~1\drivers\downld\673203.exe
C:\DOCUME~1\Elvis\APPLIC~1\drivers\downld\673406.exe
C:\DOCUME~1\Elvis\APPLIC~1\drivers\downld\686109.exe
C:\DOCUME~1\Elvis\APPLIC~1\drivers\downld\686937.exe
C:\DOCUME~1\Elvis\APPLIC~1\drivers\downld\687187.exe
C:\DOCUME~1\Elvis\APPLIC~1\drivers\downld\692937.exe
C:\DOCUME~1\Elvis\APPLIC~1\drivers\downld\696953.exe
C:\DOCUME~1\Elvis\APPLIC~1\drivers\downld\698734.exe
C:\DOCUME~1\Elvis\APPLIC~1\drivers\downld\699781.exe
C:\DOCUME~1\Elvis\APPLIC~1\drivers\downld\701015.exe
C:\DOCUME~1\Elvis\APPLIC~1\drivers\downld\702046.exe
C:\DOCUME~1\Elvis\APPLIC~1\drivers\downld\702109.exe
C:\DOCUME~1\Elvis\APPLIC~1\drivers\downld\88468.exe
C:\DOCUME~1\Elvis\APPLIC~1\drivers\downld\95343.exe
C:\DOCUME~1\Elvis\APPLIC~1\drivers\downld\95390.exe
C:\DOCUME~1\Elvis\APPLIC~1\drivers\downld
C:\DOCUME~1\Elvis\APPLIC~1\drivers
==> BAGLE <==

----------------------\\ ROOTKIT !!

HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_SROSA
HKLM\SYSTEM\ControlSet003\Enum\Root\LEGACY_SROSA
HKLM\SYSTEM\ControlSet003\Services\srosa
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SROSA

----------------------\\ Cracks & Keygens..

C:\DOCUME~1\Elvis\Desktop\Office Xp\2003_Windows_XP_Pro_or_Office-XP_keygen_computes_unique_cd-keys.zip

1 - "C:\Rooter$\Rooter_1.txt" - Thu 03/12/2009|12:12
2 - "C:\Rooter$\Rooter_2.txt" - Thu 03/12/2009|12:13
3 - "C:\Rooter$\Rooter_3.txt" - Thu 03/12/2009|16:36
4 - "C:\Rooter$\Rooter_4.txt" - Fri 05/22/2009|16:05
5 - "C:\Rooter$\Rooter_5.txt" - Fri 05/22/2009|16:19

----------------------\\ Scan completed at 16:19

OTListit:

ent and OTListIt logfile created on: 5/22/2009 4:20:01 PM - Run 2
OTListIt2 by OldTimer - Version 2.0.15.8 Folder = C:\Documents and Settings\Elvis\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.97 Gb Total Physical Memory | 1.49 Gb Available Physical Memory | 75.65% Memory free
3.82 Gb Paging File | 3.51 Gb Available in Paging File | 91.86% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 76.68 Gb Total Space | 60.41 Gb Free Space | 78.78% Space Free | Partition Type: NTFS
Drive D: | 76.69 Gb Total Space | 68.46 Gb Free Space | 89.27% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
Drive F: | 232.88 Gb Total Space | 140.99 Gb Free Space | 60.54% Space Free | Partition Type: NTFS
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: RONALD
Current User Name: Elvis
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Output = Minimal
File Age = 30 Days
Company Name Whitelist: On

========== Processes (SafeList) ==========

PRC - C:\WINDOWS\system32\LEXBCES.EXE (Lexmark International, Inc.)
PRC - C:\WINDOWS\system32\LEXPPS.EXE (Lexmark International, Inc.)
PRC - C:\WINDOWS\Explorer.EXE (Microsoft Corporation)
PRC - C:\Program Files\Common Files\Portrait Displays\Shared\DTSRVC.exe ()
PRC - C:\Program Files\Java\jre6\bin\jqs.exe (Sun Microsystems, Inc.)
PRC - C:\WINDOWS\system32\wdfmgr.exe (Microsoft Corporation)
PRC - C:\Program Files\Google\Quick Search Box\qsb.exe (Google Inc.)
PRC - C:\Program Files\Portrait Displays\Pivot Software\wpctrl.exe ()
PRC - C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
PRC - C:\Advanced SystemCare 3\AWC.exe (IObit)
PRC - C:\ICQ\ICQ.exe (ICQ Inc.)
PRC - C:\Program Files\Portrait Displays\Pivot Software\floater.exe ()
PRC - C:\Documents and Settings\Elvis\Application Data\drivers\winupgro.exe ()
PRC - C:\Mozilla Firefox\firefox.exe (Mozilla Corporation)
PRC - C:\WINDOWS\system32\wbem\wmiprvse.exe (Microsoft Corporation)
PRC - C:\Documents and Settings\Elvis\Desktop\OTListIt2.exe (OldTimer Tools)
PRC - C:\WINDOWS\system32\wintems.exe ()

========== Win32 Services (SafeList) ==========

SRV - (aspnet_state [On_Demand | Stopped]) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (Microsoft Corporation)
SRV - (aswUpdSv [Disabled | Stopped]) -- C:\Alwil Software\Avast4\aswUpdSv.exe (ALWIL Software)
SRV - (avast! Antivirus [Disabled | Stopped]) -- C:\Alwil Software\Avast4\ashServ.exe (ALWIL Software)
SRV - (avast! Mail Scanner [Disabled | Stopped]) -- C:\Alwil Software\Avast4\ashMaiSv.exe (ALWIL Software)
SRV - (avast! Web Scanner [Disabled | Stopped]) -- C:\Alwil Software\Avast4\ashWebSv.exe (ALWIL Software)
SRV - (clr_optimization_v2.0.50727_32 [On_Demand | Stopped]) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe (Microsoft Corporation)
SRV - (DTSRVC [Auto | Running]) -- C:\Program Files\Common Files\Portrait Displays\Shared\DTSRVC.exe ()
SRV - (FontCache3.0.0.0 [On_Demand | Stopped]) -- C:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe (Microsoft Corporation)
SRV - (gusvc [On_Demand | Stopped]) -- C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (Google)
SRV - (helpsvc [Auto | Running]) -- C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll (Microsoft Corporation)
SRV - (idsvc [Unknown | Stopped]) -- C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe (Microsoft Corporation)
SRV - (JavaQuickStarterService [Auto | Running]) -- C:\Program Files\Java\jre6\bin\jqs.exe (Sun Microsystems, Inc.)
SRV - (LexBceS [Auto | Running]) -- C:\WINDOWS\system32\LEXBCES.EXE (Lexmark International, Inc.)
SRV - (NetTcpPortSharing [Disabled | Stopped]) -- C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe (Microsoft Corporation)
SRV - (UMWdf [Auto | Running]) -- C:\WINDOWS\system32\wdfmgr.exe (Microsoft Corporation)
SRV - (WinDefend [Disabled | Stopped]) -- C:\Windows Defender\MsMpEng.exe (Microsoft Corporation)

========== Driver Services (SafeList) ==========

DRV - (aeaudio [On_Demand | Running]) -- C:\WINDOWS\system32\drivers\aeaudio.sys (Andrea Electronics Corporation)
DRV - (aslm75 [Auto | Running]) -- C:\WINDOWS\system32\drivers\aslm75.sys ()
DRV - (DCamUSBCompany [On_Demand | Running]) -- C:\WINDOWS\system32\DRIVERS\p35u.sys (Tekom Technologies, Inc.)
DRV - (FET5X86V [On_Demand | Running]) -- C:\WINDOWS\system32\DRIVERS\fetnd5bv.sys (VIA Technologies, Inc. )
DRV - (FETND5BV [On_Demand | Stopped]) -- C:\WINDOWS\system32\DRIVERS\fetnd5bv.sys (VIA Technologies, Inc. )
DRV - (FETNDIS [On_Demand | Stopped]) -- C:\WINDOWS\system32\DRIVERS\fetnd5.sys (VIA Technologies, Inc. )
DRV - (gameenum [On_Demand | Running]) -- C:\WINDOWS\system32\DRIVERS\gameenum.sys (Microsoft Corporation)
DRV - (giveio [Boot | Running]) -- C:\WINDOWS\system32\giveio.sys ()
DRV - (ms_mpu401 [On_Demand | Running]) -- C:\WINDOWS\system32\drivers\msmpu401.sys (Microsoft Corporation)
DRV - (pdiddcci [On_Demand | Running]) -- C:\WINDOWS\System32\DRIVERS\pdiddcci.sys (Portrait Displays, Inc.)
DRV - (PdiPorts [On_Demand | Running]) -- C:\WINDOWS\System32\Drivers\PdiPorts.sys (Portrait Displays, Inc.)
DRV - (Pivot [System | Running]) -- C:\WINDOWS\System32\drivers\pivot.sys (Portrait Displays, Inc.)
DRV - (pivotmou [On_Demand | Running]) -- C:\WINDOWS\system32\drivers\pivotmou.sys (Portrait Displays, Inc.)
DRV - (Ptilink [On_Demand | Running]) -- C:\WINDOWS\system32\DRIVERS\ptilink.sys (Parallel Technologies, Inc.)
DRV - (PxHelp20 [Boot | Running]) -- C:\WINDOWS\system32\DRIVERS\PxHelp20.sys (Sonic Solutions)
DRV - (SASDIFSV [System | Running]) -- C:\SUPERAntiSpyware\SASDIFSV.SYS (SUPERAdBlocker.com and SUPERAntiSpyware.com)
DRV - (SASENUM [On_Demand | Stopped]) -- C:\SUPERAntiSpyware\SASENUM.SYS (SuperAdBlocker, Inc.)
DRV - (SASKUTIL [System | Running]) -- C:\SUPERAntiSpyware\SASKUTIL.sys (SUPERAdBlocker.com and SUPERAntiSpyware.com)
DRV - (Secdrv [On_Demand | Stopped]) -- C:\WINDOWS\system32\DRIVERS\secdrv.sys (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.)
DRV - (smwdm [On_Demand | Running]) -- C:\WINDOWS\system32\drivers\smwdm.sys (Analog Devices, Inc.)
DRV - (speedfan [Boot | Running]) -- C:\WINDOWS\system32\speedfan.sys (Windows ® 2000 DDK provider)
DRV - (viaagp1 [Boot | Running]) -- C:\WINDOWS\system32\DRIVERS\viaagp1.sys (VIA Technologies, Inc.)
DRV - (viagfx [On_Demand | Running]) -- C:\WINDOWS\system32\DRIVERS\vtmini.sys (Copyright © VIA/S3 Graphics, Inc.)

========== Standard Registry (SafeList) ==========

========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = [binary data]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn...st/srchcust.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn...st/srchasst.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Page_Transitions = 1
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.tigerdirect.com/cgi-bin/Shoppin...p;q=2,%201,%201
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.defaultengine: "Ask.com"
FF - prefs.js..browser.search.defaultenginename: "Ask.com"
FF - prefs.js..browser.search.order.1: "Ask.com"
FF - prefs.js..browser.search.selectedEngine: "Ask.com"
FF - prefs.js..browser.search.useDBForOrder: true
FF - prefs.js..browser.startup.homepage: "http://www.tigerdirect.com/cgi-bin/ShoppingCart.asp?prchbcart=y&msg=0&q=1,%201,%203,%202,%202,%201,%204"
FF - prefs.js..extensions.enabledItems: anycolor.pavlos256@gmail.com:0.2.6
FF - prefs.js..extensions.enabledItems: {872A1C39-DF0B-4c8b-AD84-12BA24A3B781}:3.10.0.0
FF - prefs.js..extensions.enabledItems: {3112ca9c-de6d-4884-a869-9855de68056c}:3.1.20081127W
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}:6.0.12
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
FF - prefs.js..extensions.enabledItems: {20a82645-c095-46ed-80e3-08825760534b}:1.0
FF - prefs.js..extensions.enabledItems: personas@christopher.beard:1.0
FF - prefs.js..extensions.enabledItems: {7E7165E2-0767-448c-852F-5FA8714F2C37}:1.0.1
FF - prefs.js..extensions.enabledItems: {03B08592-E5B4-45ff-A0BE-C1D975458688}:0.6.0.5
FF - prefs.js..extensions.enabledItems: {972ce4c6-7e08-4474-a285-3208198ce6fd}:3.0.10

FF - HKLM\software\mozilla\Firefox\extensions\\jqs@sun.com: C:\PROGRAM FILES\JAVA\JRE6\LIB\DEPLOY\JQS\FF [2009/03/03 04:30:01 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\extensions\\{20a82645-c095-46ed-80e3-08825760534b}: C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V3.5\WINDOWS PRESENTATION FOUNDATION\DOTNETASSISTANTEXTENSION\ [2009/04/11 20:29:56 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\extensions\\siteranker@siteranker.com: C:\PROGRAM FILES\SITERANKER\FIREFOX\ [2009/05/02 09:11:24 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\extensions\\{872A1C39-DF0B-4c8b-AD84-12BA24A3B781}: C:\PROGRAM FILES\DOUBLED\DESKTOP SMILEY TOOLBAR\3.10.0.11120\FFTOOLBAR [2009/05/02 09:23:23 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.0.10\extensions\\Components: C:\MOZILLA FIREFOX\COMPONENTS [2009/05/13 21:54:18 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.0.10\extensions\\Plugins: C:\MOZILLA FIREFOX\PLUGINS [2009/05/13 21:54:18 | 00,000,000 | ---D | M]

[2009/03/03 00:25:50 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Elvis\Application Data\mozilla\Extensions
[2009/03/03 00:25:50 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Elvis\Application Data\mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}
[2009/05/21 22:27:31 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Elvis\Application Data\mozilla\Firefox\Profiles\0u9fdn78.default\extensions
[2009/04/07 10:01:03 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Elvis\Application Data\mozilla\Firefox\Profiles\0u9fdn78.default\extensions\{03B08592-E5B4-45ff-A0BE-C1D975458688}
[2009/03/15 01:28:07 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Elvis\Application Data\mozilla\Firefox\Profiles\0u9fdn78.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}
[2009/03/12 13:39:08 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Elvis\Application Data\mozilla\Firefox\Profiles\0u9fdn78.default\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}
[2009/03/15 11:08:44 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Elvis\Application Data\mozilla\Firefox\Profiles\0u9fdn78.default\extensions\{7E7165E2-0767-448c-852F-5FA8714F2C37}
[2009/04/07 09:38:48 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Elvis\Application Data\mozilla\Firefox\Profiles\0u9fdn78.default\extensions\anycolor.pavlos256@gmail.com
[2009/05/09 22:38:07 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Elvis\Application Data\mozilla\Firefox\Profiles\0u9fdn78.default\extensions\personas@christopher.beard

O1 HOSTS File: (5397 bytes) - C:\WINDOWS\System32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 65.75.216.6 www.winmx.com err.winmx.com
O1 - Hosts: 205.238.40.54 www.winmx.com err.winmx.com
O1 - Hosts: 65.75.216.6 cache0.winmx.com test3201.winmx.com test3206.winmx.com
O1 - Hosts: 65.75.216.7 cache1.winmx.com test3202.winmx.com test3207.winmx.com
O1 - Hosts: 82.43.229.238 cache2.winmx.com test3203.winmx.com test3208.winmx.com
O1 - Hosts: 205.238.40.1 cache3.winmx.com test3204.winmx.com
O1 - Hosts: 205.238.40.2 cache4.winmx.com test3205.winmx.com
O1 - Hosts: 65.75.216.6 c3310.z1301.winmx.com c3310.z1302.winmx.com c3310.z1303.winmx.com c3310.z1304.winmx.com c3310.z1305.winmx.com c3310.z1306.winmx.com
O1 - Hosts: 65.75.216.6 c3311.z1301.winmx.com c3311.z1302.winmx.com c3311.z1303.winmx.com c3311.z1304.winmx.com c3311.z1305.winmx.com c3311.z1306.winmx.com
O1 - Hosts: 65.75.216.6 c3312.z1301.winmx.com c3312.z1302.winmx.com c3312.z1303.winmx.com c3312.z1304.winmx.com c3312.z1305.winmx.com c3312.z1306.winmx.com
O1 - Hosts: 65.75.216.7 c3313.z1301.winmx.com c3313.z1302.winmx.com c3313.z1303.winmx.com c3313.z1304.winmx.com c3313.z1305.winmx.com c3313.z1306.winmx.com
O1 - Hosts: 65.75.216.7 c3314.z1301.winmx.com c3314.z1302.winmx.com c3314.z1303.winmx.com c3314.z1304.winmx.com c3314.z1305.winmx.com c3314.z1306.winmx.com
O1 - Hosts: 65.75.216.7 c3315.z1301.winmx.com c3315.z1302.winmx.com c3315.z1303.winmx.com c3315.z1304.winmx.com c3315.z1305.winmx.com c3315.z1306.winmx.com
O1 - Hosts: 82.43.229.238 c3316.z1301.winmx.com c3316.z1302.winmx.com c3316.z1303.winmx.com c3316.z1304.winmx.com c3316.z1305.winmx.com c3316.z1306.winmx.com
O1 - Hosts: 82.43.229.238 c3317.z1301.winmx.com c3317.z1302.winmx.com c3317.z1303.winmx.com c3317.z1304.winmx.com c3317.z1305.winmx.com c3317.z1306.winmx.com
O1 - Hosts: 205.238.40.1 c3318.z1301.winmx.com c3318.z1302.winmx.com c3318.z1303.winmx.com c3318.z1304.winmx.com c3318.z1305.winmx.com c3318.z1306.winmx.com
O1 - Hosts: 205.238.40.2 c3319.z1301.winmx.com c3319.z1302.winmx.com c3319.z1303.winmx.com c3319.z1304.winmx.com c3319.z1305.winmx.com c3319.z1306.winmx.com
O1 - Hosts: 65.75.216.6 c3520.z1301.winmx.com c3520.z1302.winmx.com c3520.z1303.winmx.com c3520.z1304.winmx.com c3520.z1305.winmx.com c3520.z1306.winmx.com
O1 - Hosts: 65.75.216.6 c3521.z1301.winmx.com c3521.z1302.winmx.com c3521.z1303.winmx.com c3521.z1304.winmx.com c3521.z1305.winmx.com c3521.z1306.winmx.com
O1 - Hosts: 65.75.216.6 c3522.z1301.winmx.com c3522.z1302.winmx.com c3522.z1303.winmx.com c3522.z1304.winmx.com c3522.z1305.winmx.com c3522.z1306.winmx.com
O1 - Hosts: 65.75.216.7 c3523.z1301.winmx.com c3523.z1302.winmx.com c3523.z1303.winmx.com c3523.z1304.winmx.com c3523.z1305.winmx.com c3523.z1306.winmx.com
O1 - Hosts: 65.75.216.7 c3524.z1301.winmx.com c3524.z1302.winmx.com c3524.z1303.winmx.com c3524.z1304.winmx.com c3524.z1305.winmx.com c3524.z1306.winmx.com
O1 - Hosts: 65.75.216.7 c3525.z1301.winmx.com c3525.z1302.winmx.com c3525.z1303.winmx.com c3525.z1304.winmx.com c3525.z1305.winmx.com c3525.z1306.winmx.com
O1 - Hosts: 82.43.229.238 c3526.z1301.winmx.com c3526.z1302.winmx.com c3526.z1303.winmx.com c3526.z1304.winmx.com c3526.z1305.winmx.com c3526.z1306.winmx.com
O1 - Hosts: 15 more lines...
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: () - {11BF46C6-B3DE-48BD-BF70-3AD85CAB80B5} - C:\Program Files\SiteRanker\SiteRank.dll (Crawler, LLC)
O2 - BHO: (Adobe PDF Link Helper) - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
O2 - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll ()
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll (Google Inc.)
O2 - BHO: (Google Dictionary Compression sdch) - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_9993303B90FE6C1D.dll (Google Inc.)
O2 - BHO: (System Search Dispatcher) - {CDBFB47B-58A8-4111-BF95-06178DCE326D} - C:\Program Files\System Search Dispatcher\1.2.0.750\ssd.dll ()
O2 - BHO: () - {DB35C569-5624-4CFC-8043-E5139F55A073} - C:\Program Files\Crawler\Shared\CShared.dll (Crawler.com)
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)
O3 - HKLM\..\Toolbar: (&Google Toolbar) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll ()
O3 - HKLM\..\Toolbar: (Desktop Smiley Toolbar) - {5617ECA9-488D-4BA2-8562-9710B9AB78D2} - C:\Program Files\DoubleD\Desktop Smiley Toolbar\3.10.0.11120\stb0.dll ()
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {00000000-0000-0000-0000-000000000000} - Reg Error: Key error. File not found
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll ()
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {5617ECA9-488D-4BA2-8562-9710B9AB78D2} - C:\Program Files\DoubleD\Desktop Smiley Toolbar\3.10.0.11120\stb0.dll ()
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe" (Adobe Systems Incorporated)
O4 - HKLM..\Run: [avast!] C:\ALWILS~1\Avast4\ashDisp.exe (ALWIL Software)
O4 - HKLM..\Run: [Google Quick Search Box] C:\Program Files\Google\Quick Search Box\qsb.exe /autorun (Google Inc.)
O4 - HKLM..\Run: [Mirabilis ICQ] C:\ICQ\ICQNet.exe ()
O4 - HKLM..\Run: [PivotSoftware] C:\Program Files\Portrait Displays\Pivot Software\wpctrl.exe ()
O4 - HKCU..\Run: [Advanced SystemCare 3] "C:\Advanced SystemCare 3\AWC.exe" /startup (IObit)
O4 - HKCU..\Run: [ALLUpdate] "C:\ALLPlayer\ALLUpdate.exe" "sleep" ()
O4 - HKCU..\Run: [drvsyskit] C:\Documents and Settings\Elvis\Application Data\drivers\winupgro.exe ()
O4 - HKCU..\Run: [german.exe] C:\WINDOWS\system32\wintems.exe ()
O4 - HKCU..\Run: [SUPERAntiSpyware] C:\SUPERAntiSpyware\SUPERAntiSpyware.exe (SUPERAntiSpyware.com)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk = C:\Microsoft Office\Office10\OSA.EXE (Microsoft Corporation)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Infodelivery present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: LinkResolveIgnoreLinkInfo = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoResolveSearch = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: LinkResolveIgnoreLinkInfo = 0
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\MICROS~1\Office10\EXCEL.EXE/3000 (Microsoft Corporation)
O9 - Extra Button: Crawler Smileys - {16FE352D-F643-4A81-BC61-2C051F3A757D} - C:\Program Files\Crawler\Smileys\CSmileyAX.dll (Crawler.com)
O9 - Extra Button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\ICQ\ICQ.exe (ICQ Inc.)
O9 - Extra 'Tools' menuitem : ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\ICQ\ICQ.exe (ICQ Inc.)
O9 - Extra Button: Crawler eCards - {82E2B317-7C9C-4F12-B920-AC37D928CD43} - C:\Program Files\Crawler\Smileys\CSmileyAX.dll (Crawler.com)
O9 - Extra 'Tools' menuitem : @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe (Microsoft Corporation)
O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O15 - HKLM\..Trusted Domains: 1 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} http://www.pcpitstop...t/PCPitStop.CAB (PCPitstop Utility)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://go.microsoft....k/?linkid=39204 (Windows Genuine Advantage Validation Tool)
O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} http://dlm.tools.akamai.com/dlmanager/vers...vex-2.2.4.8.cab (DLM Control)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://update.microsoft.com/microsoftupdat...b?1236058644531 (MUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_12)
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} http://support.f-sec...m/ols/fscax.cab (F-Secure Online Scanner 3.3)
O16 - DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_12)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_12)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab (Shockwave Flash Object)
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\mso-offdap {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL (Microsoft Corporation)
O18 - Protocol\Filter: - x-sdch - C:\Program Files\Google\Google Toolbar\Component\fastsearch_9993303B90FE6C1D.dll (Google Inc.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\Explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\!SASWinLogon: DllName - C:\SUPERAntiSpyware\SASWINLO.DLL - C:\SUPERAntiSpyware\SASWINLO.DLL (SUPERAntiSpyware.com)
O24 - Desktop Components:0 (My Current Home Page) - About:Home
O28 - HKLM ShellExecuteHooks: {091EB208-39DD-417D-A5DD-7E2C2D8FB9CB} - C:\Windows Defender\MpShHook.dll (Microsoft Corporation)
O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/03/03 00:06:27 | 00,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2009/03/14 07:55:12 | 00,000,000 | ---D | M] - C:\Autorun -- [ NTFS ]
O32 - AutoRun File - [2007/04/15 05:57:52 | 00,000,025 | -HS- | M] () - C:\autorun.inf -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck) - File not found
O34 - HKLM BootExecute: (autochk) - C:\WINDOWS\System32\autochk.exe (Microsoft Corporation)
O34 - HKLM BootExecute: (*) - * [2009/05/22 16:19:21 | 00,000,000 | ---D | M]

========== Files/Folders - Created Within 30 Days ==========

[4 C:\WINDOWS\System32\*.tmp files]
[4 C:\WINDOWS\*.tmp files]
[13 C:\DOCUME~1\Elvis\Desktop\*.tmp files]
[2009/05/22 16:19:51 | 00,067,667 | ---- | C] () -- C:\WINDOWS\System32\wintems.exe
[2009/05/22 16:19:49 | 01,084,416 | ---- | C] () -- C:\WINDOWS\System32\drivers\down\304343.exe
[2009/05/22 16:19:46 | 00,067,667 | ---- | C] () -- C:\WINDOWS\System32\mdelk.exe
[2009/05/22 16:19:41 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\drivers\down
[2009/05/22 16:18:26 | 00,501,248 | ---- | C] (OldTimer Tools) -- C:\DOCUME~1\Elvis\Desktop\OTListIt2.exe
[2009/05/22 16:02:26 | 00,267,612 | ---- | C] () -- C:\DOCUME~1\Elvis\Desktop\Rooter.exe
[2009/05/22 15:31:24 | 00,000,620 | ---- | C] () -- C:\DOCUME~1\ALLUSE~1\Desktop\SUPERAntiSpyware Free Edition.lnk
[2009/05/22 15:25:07 | 00,000,000 | -H-D | C] -- C:\Documents and Settings\Elvis\Application Data\drivers
[2009/05/22 15:08:47 | 00,117,248 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\ribbons.scr
[2009/05/22 15:08:37 | 00,117,248 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\Mystify.scr
[2009/05/22 15:08:27 | 00,773,120 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\bubbles.scr
[2009/05/22 15:08:18 | 01,263,616 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\aurora.scr
[2009/05/22 15:03:41 | 00,000,000 | ---D | C] -- C:\Program Files\Ribbons
[2009/05/22 15:03:41 | 00,000,000 | ---D | C] -- C:\Program Files\Mystify
[2009/05/22 15:03:41 | 00,000,000 | ---D | C] -- C:\Program Files\Bubbles
[2009/05/22 15:03:41 | 00,000,000 | ---D | C] -- C:\Program Files\Aurora
[2009/05/22 15:01:09 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\Ribbons
[2009/05/22 15:01:09 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\Mystify
[2009/05/22 15:01:09 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\Bubbles
[2009/05/22 15:01:09 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\Aurora
[2009/05/16 19:49:38 | 00,000,162 | -H-- | C] () -- C:\DOCUME~1\Elvis\Desktop\~$ols And Canned Speeches Exercise.doc
[2009/05/14 17:53:05 | 25,309,75744 | ---- | C] () -- C:\DOCUME~1\Elvis\Desktop\7100.0.090421-1700_x86fre_client_en-us_retail_ultimate-grc1culfrer_en_dvd.iso
[2009/05/13 13:26:26 | 00,000,000 | ---D | C] -- C:\WINDOWS\System32\Adobe
[2009/05/13 09:15:47 | 00,000,000 | ---D | C] -- C:\WINDOWS\VistaMizer
[2009/05/11 18:45:09 | 00,176,640 | ---- | C] () -- C:\DOCUME~1\Elvis\Desktop\Tools And Canned Speeches Exercise.doc
[2009/05/10 12:35:01 | 00,000,000 | ---D | C] -- C:\Advanced SystemCare 3
[2009/05/09 19:32:53 | 00,000,000 | ---D | C] -- C:\DOCUME~1\Elvis\Desktop\Office Xp
[2009/05/05 22:02:26 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Elvis\Application Data\Desktopicon
[2009/05/05 22:02:24 | 00,000,000 | ---D | C] -- C:\Unlocker
[2009/05/05 09:05:31 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Elvis\Application Data\Download Manager
[2009/05/02 09:27:28 | 00,000,000 | ---D | C] -- C:\DOCUME~1\Elvis\Desktop\Picture Inserts
[2009/05/02 09:23:34 | 00,000,000 | ---D | C] -- C:\Program Files\System Search Dispatcher
[2009/05/02 09:23:19 | 00,000,000 | ---D | C] -- C:\Program Files\DoubleD
[2009/05/02 09:22:51 | 00,000,000 | -H-D | C] -- C:\Documents and Settings\All Users\Application Data\{1CFDD724-D742-4A0A-A374-89DBFF6ECA5F}
[2009/05/02 09:22:19 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Elvis\Application Data\SiteRanker
[2009/05/02 09:11:22 | 00,000,000 | ---D | C] -- C:\Program Files\SiteRanker
[2009/05/02 09:11:14 | 00,000,000 | ---D | C] -- C:\Program Files\Crawler
[2009/04/30 00:48:02 | 00,000,000 | ---D | C] -- C:\WhatsRunning
[2009/04/28 21:52:18 | 00,000,000 | ---D | C] -- C:\SpeedFan
[2009/04/28 21:52:16 | 00,000,045 | ---- | C] () -- C:\WINDOWS\System32\initdebug.nfo
[2009/04/27 09:51:38 | 00,000,000 | ---D | C] -- C:\DOCUME~1\Elvis\Desktop\GTG Files
[2009/04/24 21:12:11 | 00,000,000 | ---D | C] -- C:\EVEREST Home Edition
[2009/03/18 07:56:01 | 00,000,039 | ---- | C] () -- C:\WINDOWS\dellstat.ini
[2009/03/06 04:32:12 | 00,010,382 | -HS- | C] () -- C:\WINDOWS\System32\KGyGaAvL.sys
[2009/03/06 04:32:12 | 00,000,056 | RHS- | C] () -- C:\WINDOWS\System32\4F3DA9204E.sys
[2009/03/05 22:49:42 | 00,000,252 | ---- | C] () -- C:\WINDOWS\lexstat.ini
[2009/03/05 22:49:07 | 00,040,960 | ---- | C] () -- C:\WINDOWS\System32\lxczvs.dll
[2009/03/05 22:48:39 | 00,000,270 | ---- | C] () -- C:\WINDOWS\System32\lxczcoin.ini
[2009/03/05 09:02:23 | 00,000,116 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2009/03/03 09:19:29 | 00,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2009/03/03 08:41:29 | 00,002,304 | ---- | C] () -- C:\WINDOWS\System32\Machnm32.sys
[2009/03/03 00:31:33 | 00,006,272 | ---- | C] () -- C:\WINDOWS\System32\drivers\ASLM75.SYS
[2009/03/03 00:29:26 | 00,003,415 | ---- | C] () -- C:\WINDOWS\Ascd_tmp.ini
[2009/03/03 00:29:24 | 00,005,824 | ---- | C] () -- C:\WINDOWS\System32\drivers\ASUSHWIO.SYS
[2008/11/26 15:28:48 | 00,000,272 | ---- | C] () -- C:\WINDOWS\System32\oeminfo.ini
[2008/11/06 11:37:32 | 03,596,288 | ---- | C] () -- C:\WINDOWS\System32\qt-dx331.dll
[2008/11/06 11:34:00 | 00,000,416 | ---- | C] () -- C:\WINDOWS\System32\dtu100.dll.manifest
[2008/11/06 11:34:00 | 00,000,416 | ---- | C] () -- C:\WINDOWS\System32\dpl100.dll.manifest
[2008/11/06 11:33:02 | 00,012,288 | ---- | C] () -- C:\WINDOWS\System32\DivXWMPExtType.dll
[2008/06/04 19:53:33 | 00,143,872 | ---- | C] () -- C:\WINDOWS\System32\swscale-0.dll
[2008/06/04 19:53:32 | 00,032,768 | ---- | C] () -- C:\WINDOWS\System32\postproc-51.dll
[2008/06/04 19:53:29 | 00,466,944 | ---- | C] () -- C:\WINDOWS\System32\JobS.dll
[2008/06/04 19:53:27 | 00,458,752 | ---- | C] () -- C:\WINDOWS\System32\avformat-51.dll
[2008/06/04 19:53:27 | 00,026,112 | ---- | C] () -- C:\WINDOWS\System32\avutil-49.dll
[2008/06/04 19:53:26 | 06,902,272 | ---- | C] () -- C:\WINDOWS\System32\avcodec-51.dll
[2004/10/26 17:39:05 | 03,375,104 | ---- | C] () -- C:\WINDOWS\System32\qt-mt331.dll
[2004/09/17 18:37:42 | 00,069,632 | ---- | C] () -- C:\WINDOWS\System32\vuins32.dll
[2004/08/04 07:00:00 | 00,000,847 | ---- | C] () -- C:\WINDOWS\win.ini
[2004/08/04 07:00:00 | 00,000,256 | ---- | C] () -- C:\WINDOWS\system.ini
[2003/09/09 16:37:16 | 00,057,344 | ---- | C] () -- C:\WINDOWS\System32\avisynth_c.dll
[2002/10/15 17:54:04 | 00,153,088 | ---- | C] () -- C:\WINDOWS\System32\unrar.dll
[2002/05/10 20:14:33 | 00,091,136 | ---- | C] () -- C:\WINDOWS\System32\mp4fil32.dll
[1996/04/03 14:33:26 | 00,005,248 | ---- | C] () -- C:\WINDOWS\System32\giveio.sys

========== Files - Modified Within 30 Days ==========

[4 C:\WINDOWS\System32\*.tmp files]
[4 C:\WINDOWS\*.tmp files]
[13 C:\DOCUME~1\Elvis\Desktop\*.tmp files]
[2009/05/22 16:19:51 | 01,084,416 | ---- | M] () -- C:\WINDOWS\System32\drivers\down\304343.exe
[2009/05/22 16:19:44 | 00,067,667 | ---- | M] () -- C:\WINDOWS\System32\wintems.exe
[2009/05/22 16:19:44 | 00,067,667 | ---- | M] () -- C:\WINDOWS\System32\mdelk.exe
[2009/05/22 16:19:27 | 00,508,956 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2009/05/22 16:19:27 | 00,432,356 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2009/05/22 16:19:27 | 00,067,312 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2009/05/22 16:18:37 | 00,501,248 | ---- | M] (OldTimer Tools) -- C:\DOCUME~1\Elvis\Desktop\OTListIt2.exe
[2009/05/22 16:15:27 | 00,013,646 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2009/05/22 16:15:13 | 00,000,062 | -HS- | M] () -- C:\Documents and Settings\Elvis\Local Settings\desktop.ini
[2009/05/22 16:15:10 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2009/05/22 16:15:07 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2009/05/22 16:02:37 | 00,267,612 | ---- | M] () -- C:\DOCUME~1\Elvis\Desktop\Rooter.exe
[2009/05/22 15:31:24 | 00,000,620 | ---- | M] () -- C:\DOCUME~1\ALLUSE~1\Desktop\SUPERAntiSpyware Free Edition.lnk
[2009/05/22 02:14:10 | 00,000,302 | -H-- | M] () -- C:\WINDOWS\tasks\MP Scheduled Scan.job
[2009/05/21 15:29:57 | 00,176,640 | ---- | M] () -- C:\DOCUME~1\Elvis\Desktop\Tools And Canned Speeches Exercise.doc
[2009/05/16 22:29:35 | 00,019,936 | ---- | M] () -- C:\Documents and Settings\Elvis\Application Data\GDIPFONTCACHEV1.DAT
[2009/05/16 19:49:38 | 00,000,162 | -H-- | M] () -- C:\DOCUME~1\Elvis\Desktop\~$ols And Canned Speeches Exercise.doc
[2009/05/15 08:54:59 | 00,001,503 | ---- | M] () -- C:\DOCUME~1\Elvis\Desktop\Paint.lnk
[2009/05/15 08:54:59 | 00,000,365 | ---- | M] () -- C:\DOCUME~1\Elvis\Desktop\Download.lnk
[2009/05/14 22:02:37 | 00,000,252 | ---- | M] () -- C:\WINDOWS\lexstat.ini
[2009/05/14 20:57:20 | 25,309,75744 | ---- | M] () -- C:\DOCUME~1\Elvis\Desktop\7100.0.090421-1700_x86fre_client_en-us_retail_ultimate-grc1culfrer_en_dvd.iso
[2009/05/14 17:44:14 | 00,001,509 | ---- | M] () -- C:\DOCUME~1\Elvis\Desktop\Windows Explorer.lnk
[2009/05/13 15:29:31 | 00,010,382 | -HS- | M] () -- C:\WINDOWS\System32\KGyGaAvL.sys
[2009/05/13 09:35:28 | 00,001,486 | ---- | M] () -- C:\DOCUME~1\Elvis\Desktop\Calculator.lnk
[2009/05/13 09:31:49 | 00,000,847 | ---- | M] () -- C:\WINDOWS\win.ini
[2009/05/13 09:31:49 | 00,000,256 | ---- | M] () -- C:\WINDOWS\system.ini
[2009/05/13 09:31:49 | 00,000,210 | -HS- | M] () -- C:\boot.ini
[2009/05/13 09:28:05 | 00,123,728 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2009/05/07 02:16:29 | 24,769,480 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\mrt.exe
[2009/04/28 21:52:18 | 00,000,045 | ---- | M] () -- C:\WINDOWS\System32\initdebug.nfo
< End of report >

#2 Rorschach112

Group: Retired Staff
Posts: 47,710
Joined: 23-March 07

Posted 22 May 2009 - 06:06 PM

First off, this is a big no no, especially from a potential staff member

C:\DOCUME~1\Elvis\Desktop\Office Xp\2003_Windows_XP_Pro_or_Office-XP_keygen_computes_unique_cd-keys.zip

Download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you don't know how to disable them then just continue on.
Double click on ComboFix.exe & follow the prompts.
As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Posted Image

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt log in your next reply.

#3 rshaffer61

Group: Moderator
Posts: 32,412
Joined: 28-February 09

Posted 22 May 2009 - 06:15 PM

It won't run. When I click on the icon I get the following
C:\Documents and Settings\Elvis\Desktop\ComboFix.exe is not a valid Win32 application

This is the same error I get when trying to run Avast, ATF or Super Anti Spyware

I aplogize for the keygen but I didn't realize it was there. Something a child must have gotten with out my knowledge.
It has been deleted and it won't be happening again.

#4 Rorschach112

Group: Retired Staff
Posts: 47,710
Joined: 23-March 07

Posted 22 May 2009 - 06:16 PM

delete it and do this

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**

If you are using Firefox, make sure that your download settings are as follows:
- Tools->Options->Main tab
- Set to "Always ask me where to Save the files".
During the download, rename Combofix to Combo-Fix as follows:
It is important you rename Combofix during the download, but not after.
Please do not rename Combofix to other names, but only to the one indicated.
Close any open browsers.
Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
-----------------------------------------------------------
- Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
- Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
  -----------------------------------------------------------
- Close any open browsers.
- WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
- Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
- If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
-----------------------------------------------------------
Double click on combo-Fix.exe & follow the prompts.
When finished, it will produce a report for you.
Please post the "C:\Combo-Fix.txt" along with a new HijackThis log for further review.

**Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall**

#5 rshaffer61

Group: Moderator
Posts: 32,412
Joined: 28-February 09

Posted 22 May 2009 - 06:57 PM

ComboFix 09-05-22.05 - Elvis 05/22/2009 19:41.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2015.1710 [GMT -5:00]
Running from: c:\documents and settings\Elvis\Desktop\Combo-Fix.exe
AV: avast! antivirus 4.8.1335 [VPS 090521-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\allplayer\ALLUpdate.exe
C:\Autorun.inf
c:\documents and settings\Elvis\Application Data\drivers\downld
c:\documents and settings\Elvis\Application Data\drivers\downld\101500.exe
c:\documents and settings\Elvis\Application Data\drivers\downld\104203.exe
c:\documents and settings\Elvis\Application Data\drivers\downld\104718.exe
c:\documents and settings\Elvis\Application Data\drivers\downld\105062.exe
c:\documents and settings\Elvis\Application Data\drivers\downld\105656.exe
c:\documents and settings\Elvis\Application Data\drivers\downld\107437.exe
c:\documents and settings\Elvis\Application Data\drivers\downld\107859.exe
c:\documents and settings\Elvis\Application Data\drivers\downld\108015.exe
c:\documents and settings\Elvis\Application Data\drivers\downld\108265.exe
c:\documents and settings\Elvis\Application Data\drivers\downld\109406.exe
c:\documents and settings\Elvis\Application Data\drivers\downld\115062.exe
c:\documents and settings\Elvis\Application Data\drivers\downld\115078.exe
c:\documents and settings\Elvis\Application Data\drivers\downld\118062.exe
c:\documents and settings\Elvis\Application Data\drivers\downld\118937.exe
c:\documents and settings\Elvis\Application Data\drivers\downld\119343.exe
c:\documents and settings\Elvis\Application Data\drivers\downld\119859.exe
c:\documents and settings\Elvis\Application Data\drivers\downld\120703.exe
c:\documents and settings\Elvis\Application Data\drivers\downld\121500.exe
c:\documents and settings\Elvis\Application Data\drivers\downld\121859.exe
c:\documents and settings\Elvis\Application Data\drivers\downld\122234.exe
c:\documents and settings\Elvis\Application Data\drivers\downld\123890.exe
c:\documents and settings\Elvis\Application Data\drivers\downld\125781.exe
c:\documents and settings\Elvis\Application Data\drivers\downld\126718.exe
c:\documents and settings\Elvis\Application Data\drivers\downld\126734.exe
c:\documents and settings\Elvis\Application Data\drivers\downld\127046.exe
c:\documents and settings\Elvis\Application Data\drivers\downld\136734.exe
c:\documents and settings\Elvis\Application Data\drivers\downld\137671.exe
c:\documents and settings\Elvis\Application Data\drivers\downld\137875.exe
c:\documents and settings\Elvis\Application Data\drivers\downld\138312.exe
c:\documents and settings\Elvis\Application Data\drivers\downld\138375.exe
c:\documents and settings\Elvis\Application Data\drivers\downld\138906.exe
c:\documents and settings\Elvis\Application Data\drivers\downld\139453.exe
c:\documents and settings\Elvis\Application Data\drivers\downld\139890.exe
c:\documents and settings\Elvis\Application Data\drivers\downld\140968.exe
c:\documents and settings\Elvis\Application Data\drivers\downld\141218.exe
c:\documents and settings\Elvis\Application Data\drivers\downld\141453.exe
c:\documents and settings\Elvis\Application Data\drivers\downld\146843.exe
c:\documents and settings\Elvis\Application Data\drivers\downld\149765.exe
c:\documents and settings\Elvis\Application Data\drivers\downld\150312.exe
c:\documents and settings\Elvis\Application Data\drivers\downld\152218.exe
c:\documents and settings\Elvis\Application Data\drivers\downld\152796.exe
c:\documents and settings\Elvis\Application Data\drivers\downld\153968.exe
c:\documents and settings\Elvis\Application Data\drivers\downld\154109.exe
c:\documents and settings\Elvis\Application Data\drivers\downld\154265.exe
c:\documents and settings\Elvis\Application Data\drivers\downld\155250.exe
c:\documents and settings\Elvis\Application Data\drivers\downld\167406.exe
c:\documents and settings\Elvis\Application Data\drivers\downld\169203.exe
c:\documents and settings\Elvis\Application Data\drivers\downld\170515.exe
c:\documents and settings\Elvis\Application Data\drivers\downld\171625.exe
c:\documents and settings\Elvis\Application Data\drivers\downld\172859.exe
c:\documents and settings\Elvis\Application Data\drivers\downld\173312.exe
c:\documents and settings\Elvis\Application Data\drivers\downld\184281.exe
c:\documents and settings\Elvis\Application Data\drivers\downld\185812.exe
c:\documents and settings\Elvis\Application Data\drivers\downld\188937.exe
c:\documents and settings\Elvis\Application Data\drivers\downld\189328.exe
c:\documents and settings\Elvis\Application Data\drivers\downld\199562.exe
c:\documents and settings\Elvis\Application Data\drivers\downld\212437.exe
c:\documents and settings\Elvis\Application Data\drivers\downld\213734.exe
c:\documents and settings\Elvis\Application Data\drivers\downld\214843.exe
c:\documents and settings\Elvis\Application Data\drivers\downld\225359.exe
c:\documents and settings\Elvis\Application Data\drivers\downld\226437.exe
c:\documents and settings\Elvis\Application Data\drivers\downld\226609.exe
c:\documents and settings\Elvis\Application Data\drivers\downld\226968.exe
c:\documents and settings\Elvis\Application Data\drivers\downld\227906.exe
c:\documents and settings\Elvis\Application Data\drivers\downld\228984.exe
c:\documents and settings\Elvis\Application Data\drivers\downld\235453.exe
c:\documents and settings\Elvis\Application Data\drivers\downld\244187.exe
c:\documents and settings\Elvis\Application Data\drivers\downld\245500.exe
c:\documents and settings\Elvis\Application Data\drivers\downld\246000.exe
c:\documents and settings\Elvis\Application Data\drivers\downld\263171.exe
c:\documents and settings\Elvis\Application Data\drivers\downld\263734.exe
c:\documents and settings\Elvis\Application Data\drivers\downld\264750.exe
c:\documents and settings\Elvis\Application Data\drivers\downld\267421.exe
c:\documents and settings\Elvis\Application Data\drivers\downld\267984.exe
c:\documents and settings\Elvis\Application Data\drivers\downld\269984.exe
c:\documents and settings\Elvis\Application Data\drivers\downld\271109.exe
c:\documents and settings\Elvis\Application Data\drivers\downld\271171.exe
c:\documents and settings\Elvis\Application Data\drivers\downld\277750.exe
c:\documents and settings\Elvis\Application Data\drivers\downld\278828.exe
c:\documents and settings\Elvis\Application Data\drivers\downld\279375.exe
c:\documents and settings\Elvis\Application Data\drivers\downld\280343.exe
c:\documents and settings\Elvis\Application Data\drivers\downld\280953.exe
c:\documents and settings\Elvis\Application Data\drivers\downld\281718.exe
c:\documents and settings\Elvis\Application Data\drivers\downld\282000.exe
c:\documents and settings\Elvis\Application Data\drivers\downld\282812.exe
c:\documents and settings\Elvis\Application Data\drivers\downld\282984.exe
c:\documents and settings\Elvis\Application Data\drivers\downld\284203.exe
c:\documents and settings\Elvis\Application Data\drivers\downld\285140.exe
c:\documents and settings\Elvis\Application Data\drivers\downld\285906.exe
c:\documents and settings\Elvis\Application Data\drivers\downld\287015.exe
c:\documents and settings\Elvis\Application Data\drivers\downld\287515.exe
c:\documents and settings\Elvis\Application Data\drivers\downld\287843.exe
c:\documents and settings\Elvis\Application Data\drivers\downld\287859.exe
c:\documents and settings\Elvis\Application Data\drivers\downld\288359.exe
c:\documents and settings\Elvis\Application Data\drivers\downld\296578.exe
c:\documents and settings\Elvis\Application Data\drivers\downld\297296.exe
c:\documents and settings\Elvis\Application Data\drivers\downld\297734.exe
c:\documents and settings\Elvis\Application Data\drivers\downld\299078.exe
c:\documents and settings\Elvis\Application Data\drivers\downld\313250.exe
c:\documents and settings\Elvis\Application Data\drivers\downld\314078.exe
c:\documents and settings\Elvis\Application Data\drivers\downld\314562.exe
c:\documents and settings\Elvis\Application Data\drivers\downld\316421.exe
c:\documents and settings\Elvis\Application Data\drivers\downld\317515.exe
c:\documents and settings\Elvis\Application Data\drivers\downld\320078.exe
c:\documents and settings\Elvis\Application Data\drivers\downld\320906.exe
c:\documents and settings\Elvis\Application Data\drivers\downld\321125.exe
c:\documents and settings\Elvis\Application Data\drivers\downld\322828.exe
c:\documents and settings\Elvis\Application Data\drivers\downld\323625.exe
c:\documents and settings\Elvis\Application Data\drivers\downld\323656.exe
c:\documents and settings\Elvis\Application Data\drivers\downld\325546.exe
c:\documents and settings\Elvis\Application Data\drivers\downld\326515.exe
c:\documents and settings\Elvis\Application Data\drivers\downld\330812.exe
c:\documents and settings\Elvis\Application Data\drivers\downld\331718.exe
c:\documents and settings\Elvis\Application Data\drivers\downld\332578.exe
c:\documents and settings\Elvis\Application Data\drivers\downld\333015.exe
c:\documents and settings\Elvis\Application Data\drivers\downld\334265.exe
c:\documents and settings\Elvis\Application Data\drivers\downld\334625.exe
c:\documents and settings\Elvis\Application Data\drivers\downld\335375.exe
c:\documents and settings\Elvis\Application Data\drivers\downld\336359.exe
c:\documents and settings\Elvis\Application Data\drivers\downld\338609.exe
c:\documents and settings\Elvis\Application Data\drivers\downld\338812.exe
c:\documents and settings\Elvis\Application Data\drivers\downld\341437.exe
c:\documents and settings\Elvis\Application Data\drivers\downld\342656.exe
c:\documents and settings\Elvis\Application Data\drivers\downld\343828.exe
c:\documents and settings\Elvis\Application Data\drivers\downld\344062.exe
c:\documents and settings\Elvis\Application Data\drivers\downld\344750.exe
c:\documents and settings\Elvis\Application Data\drivers\downld\345656.exe
c:\documents and settings\Elvis\Application Data\drivers\downld\347343.exe
c:\documents and settings\Elvis\Application Data\drivers\downld\348781.exe
c:\documents and settings\Elvis\Application Data\drivers\downld\348906.exe
c:\documents and settings\Elvis\Application Data\drivers\downld\350625.exe
c:\documents and settings\Elvis\Application Data\drivers\downld\351234.exe
c:\documents and settings\Elvis\Application Data\drivers\downld\351250.exe
c:\documents and settings\Elvis\Application Data\drivers\downld\356812.exe
c:\documents and settings\Elvis\Application Data\drivers\downld\357328.exe
c:\documents and settings\Elvis\Application Data\drivers\downld\359500.exe
c:\documents and settings\Elvis\Application Data\drivers\downld\360609.exe
c:\documents and settings\Elvis\Application Data\drivers\downld\361125.exe
c:\documents and settings\Elvis\Application Data\drivers\downld\361437.exe
c:\documents and settings\Elvis\Application Data\drivers\downld\361781.exe
c:\documents and settings\Elvis\Application Data\drivers\downld\362062.exe
c:\documents and settings\Elvis\Application Data\drivers\downld\362296.exe
c:\documents and settings\Elvis\Application Data\drivers\downld\362765.exe
c:\documents and settings\Elvis\Application Data\drivers\downld\380750.exe
c:\documents and settings\Elvis\Application Data\drivers\downld\473281.exe
c:\documents and settings\Elvis\Application Data\drivers\downld\473578.exe
c:\documents and settings\Elvis\Application Data\drivers\downld\473843.exe
c:\documents and settings\Elvis\Application Data\drivers\downld\473921.exe
c:\documents and settings\Elvis\Application Data\drivers\downld\474203.exe
c:\documents and settings\Elvis\Application Data\drivers\downld\521562.exe
c:\documents and settings\Elvis\Application Data\drivers\downld\522281.exe
c:\documents and settings\Elvis\Application Data\drivers\downld\522312.exe
c:\documents and settings\Elvis\Application Data\drivers\downld\540078.exe
c:\documents and settings\Elvis\Application Data\drivers\downld\540703.exe
c:\documents and settings\Elvis\Application Data\drivers\downld\540765.exe
c:\documents and settings\Elvis\Application Data\drivers\downld\602515.exe
c:\documents and settings\Elvis\Application Data\drivers\downld\603515.exe
c:\documents and settings\Elvis\Application Data\drivers\downld\603687.exe
c:\documents and settings\Elvis\Application Data\drivers\downld\606734.exe
c:\documents and settings\Elvis\Application Data\drivers\downld\607453.exe
c:\documents and settings\Elvis\Application Data\drivers\downld\607562.exe
c:\documents and settings\Elvis\Application Data\drivers\downld\614171.exe
c:\documents and settings\Elvis\Application Data\drivers\downld\614609.exe
c:\documents and settings\Elvis\Application Data\drivers\downld\614656.exe
c:\documents and settings\Elvis\Application Data\drivers\downld\616609.exe
c:\documents and settings\Elvis\Application Data\drivers\downld\619937.exe
c:\documents and settings\Elvis\Application Data\drivers\downld\621437.exe
c:\documents and settings\Elvis\Application Data\drivers\downld\621750.exe
c:\documents and settings\Elvis\Application Data\drivers\downld\622156.exe
c:\documents and settings\Elvis\Application Data\drivers\downld\622625.exe
c:\documents and settings\Elvis\Application Data\drivers\downld\622640.exe
c:\documents and settings\Elvis\Application Data\drivers\downld\624718.exe
c:\documents and settings\Elvis\Application Data\drivers\downld\625187.exe
c:\documents and settings\Elvis\Application Data\drivers\downld\625250.exe
c:\documents and settings\Elvis\Application Data\drivers\downld\628171.exe
c:\documents and settings\Elvis\Application Data\drivers\downld\633000.exe
c:\documents and settings\Elvis\Application Data\drivers\downld\634312.exe
c:\documents and settings\Elvis\Application Data\drivers\downld\634484.exe
c:\documents and settings\Elvis\Application Data\drivers\downld\634968.exe
c:\documents and settings\Elvis\Application Data\drivers\downld\635437.exe
c:\documents and settings\Elvis\Application Data\drivers\downld\653703.exe
c:\documents and settings\Elvis\Application Data\drivers\downld\654593.exe
c:\documents and settings\Elvis\Application Data\drivers\downld\654812.exe
c:\documents and settings\Elvis\Application Data\drivers\downld\670859.exe
c:\documents and settings\Elvis\Application Data\drivers\downld\671421.exe
c:\documents and settings\Elvis\Application Data\drivers\downld\671843.exe
c:\documents and settings\Elvis\Application Data\drivers\downld\672250.exe
c:\documents and settings\Elvis\Application Data\drivers\downld\673203.exe
c:\documents and settings\Elvis\Application Data\drivers\downld\673406.exe
c:\documents and settings\Elvis\Application Data\drivers\downld\684312.exe
c:\documents and settings\Elvis\Application Data\drivers\downld\685734.exe
c:\documents and settings\Elvis\Application Data\drivers\downld\686031.exe
c:\documents and settings\Elvis\Application Data\drivers\downld\686109.exe
c:\documents and settings\Elvis\Application Data\drivers\downld\686531.exe
c:\documents and settings\Elvis\Application Data\drivers\downld\686937.exe
c:\documents and settings\Elvis\Application Data\drivers\downld\687187.exe
c:\documents and settings\Elvis\Application Data\drivers\downld\687343.exe
c:\documents and settings\Elvis\Application Data\drivers\downld\687406.exe
c:\documents and settings\Elvis\Application Data\drivers\downld\692937.exe
c:\documents and settings\Elvis\Application Data\drivers\downld\696953.exe
c:\documents and settings\Elvis\Application Data\drivers\downld\698734.exe
c:\documents and settings\Elvis\Application Data\drivers\downld\699781.exe
c:\documents and settings\Elvis\Application Data\drivers\downld\701015.exe
c:\documents and settings\Elvis\Application Data\drivers\downld\702046.exe
c:\documents and settings\Elvis\Application Data\drivers\downld\702109.exe
c:\documents and settings\Elvis\Application Data\drivers\downld\76453.exe
c:\documents and settings\Elvis\Application Data\drivers\downld\77421.exe
c:\documents and settings\Elvis\Application Data\drivers\downld\88062.exe
c:\documents and settings\Elvis\Application Data\drivers\downld\88468.exe
c:\documents and settings\Elvis\Application Data\drivers\downld\88656.exe
c:\documents and settings\Elvis\Application Data\drivers\downld\89078.exe
c:\documents and settings\Elvis\Application Data\drivers\downld\89671.exe
c:\documents and settings\Elvis\Application Data\drivers\downld\90437.exe
c:\documents and settings\Elvis\Application Data\drivers\downld\90578.exe
c:\documents and settings\Elvis\Application Data\drivers\downld\95343.exe
c:\documents and settings\Elvis\Application Data\drivers\downld\95390.exe
c:\documents and settings\Elvis\Application Data\drivers\srosa2.sys
c:\documents and settings\Elvis\Application Data\drivers\wfsintwq.sys
c:\documents and settings\Elvis\Application Data\drivers\winupgro.exe
c:\documents and settings\Elvis\Application Data\EurekaLog
c:\documents and settings\Elvis\Application Data\m
c:\documents and settings\Elvis\Application Data\m\data.oct
c:\documents and settings\Elvis\Application Data\m\flec006.exe
c:\documents and settings\Elvis\Application Data\m\list.oct
c:\documents and settings\Elvis\Application Data\m\srvlist.oct
c:\progra~1\Crawler\Shared\CShared.dll
c:\program files\INSTALL.LOG
c:\windows\system32\avformat-51.dll
c:\windows\system32\ban_list.txt
c:\windows\system32\mdelk.exe
c:\windows\system32\wintems.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_SROSA
-------\Legacy_SROSA
-------\Legacy_SK9OU0S

((((((((((((((((((((((((( Files Created from 2009-04-23 to 2009-05-23 )))))))))))))))))))))))))))))))
.

2009-05-22 20:53 . 2009-05-22 20:53 2967799 ----a-w c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-05-22 20:25 . 2009-05-23 00:43 -------- d--h--w c:\documents and settings\Elvis\Application Data\drivers
2009-05-22 20:08 . 2006-03-01 10:21 117248 ----a-w c:\windows\system32\ribbons.scr
2009-05-22 20:08 . 2006-03-03 19:42 117248 ----a-w c:\windows\system32\Mystify.scr
2009-05-22 20:08 . 2006-03-01 09:53 773120 ----a-w c:\windows\system32\bubbles.scr
2009-05-22 20:08 . 2006-03-01 10:21 1263616 ----a-w c:\windows\system32\aurora.scr
2009-05-22 20:03 . 2006-03-03 20:52 -------- d-----w c:\program files\Mystify
2009-05-22 20:03 . 2006-03-01 10:37 -------- d-----w c:\program files\Bubbles
2009-05-22 20:03 . 2006-03-01 10:25 -------- d-----w c:\program files\Ribbons
2009-05-22 20:03 . 2006-03-01 10:25 -------- d-----w c:\program files\Aurora
2009-05-22 20:01 . 2006-03-03 20:52 -------- d-----w c:\windows\system32\Mystify
2009-05-22 20:01 . 2006-03-01 10:37 -------- d-----w c:\windows\system32\Bubbles
2009-05-22 20:01 . 2006-03-01 10:25 -------- d-----w c:\windows\system32\Ribbons
2009-05-22 20:01 . 2006-03-01 10:25 -------- d-----w c:\windows\system32\Aurora
2009-05-13 18:29 . 2009-05-13 18:29 839680 ----a-w c:\documents and settings\Elvis\Application Data\Macromedia\Authorware Web Player\NP32ASW\webplr08\webplr.exe
2009-05-13 18:29 . 2009-05-13 18:29 28672 ----a-w c:\documents and settings\Elvis\Application Data\Macromedia\Authorware Web Player\NP32ASW\webplr08\dvd.dll
2009-05-13 18:29 . 2009-05-13 18:29 148480 ----a-w c:\documents and settings\Elvis\Application Data\Macromedia\Authorware Web Player\NP32ASW\webplr08\awiml32.dll
2009-05-13 18:29 . 2009-05-13 18:29 169472 ----a-w c:\documents and settings\Elvis\Application Data\Macromedia\Authorware Web Player\NP32ASW\webplr08\js32.dll
2009-05-13 18:29 . 2009-05-13 18:29 150528 ----a-w c:\documents and settings\Elvis\Application Data\Macromedia\Authorware Web Player\NP32ASW\webplr08\vct32161.dll
2009-05-13 18:29 . 2009-05-13 18:29 135680 ----a-w c:\documents and settings\Elvis\Application Data\Macromedia\Authorware Web Player\NP32ASW\webplr08\msvcrt.dll
2009-05-13 18:26 . 2009-05-13 18:26 -------- d-----w c:\windows\system32\Adobe
2009-05-13 14:15 . 2009-05-13 14:26 -------- d-----w c:\windows\VistaMizer
2009-05-10 17:35 . 2009-05-23 00:47 -------- d-----w C:\Advanced SystemCare 3
2009-05-06 03:02 . 2009-05-06 03:02 -------- d-----w c:\documents and settings\Elvis\Application Data\Desktopicon
2009-05-06 03:02 . 2009-05-06 03:04 -------- d-----w C:\Unlocker
2009-05-05 14:05 . 2009-05-15 02:01 -------- d-----w c:\documents and settings\Elvis\Application Data\Download Manager
2009-05-03 01:33 . 2009-05-03 01:33 207872 ----a-w c:\documents and settings\Elvis\Application Data\SystemRequirementsLab\SRLProxy_srl_4.dll
2009-05-03 01:33 . 2009-05-03 01:33 207872 ----a-w c:\documents and settings\Elvis\Application Data\SystemRequirementsLab\SRLProxy_srl_3.dll
2009-05-03 01:33 . 2009-05-03 01:33 207872 ----a-w c:\documents and settings\Elvis\Application Data\SystemRequirementsLab\SRLProxy_srl_2.dll
2009-05-03 01:33 . 2009-05-03 01:33 207872 ----a-w c:\documents and settings\Elvis\Application Data\SystemRequirementsLab\SRLProxy_srl_1.dll
2009-05-02 14:23 . 2009-05-02 14:23 -------- d-----w c:\program files\System Search Dispatcher
2009-05-02 14:23 . 2009-03-20 03:31 2981419 -c--a-w c:\documents and settings\All Users\Application Data\{1CFDD724-D742-4A0A-A374-89DBFF6ECA5F}\Setup.exe
2009-05-02 14:23 . 2009-05-02 14:23 -------- d-----w c:\program files\DoubleD
2009-05-02 14:11 . 2009-05-02 14:11 -------- d-----w c:\program files\SiteRanker
2009-05-02 14:11 . 2009-05-02 14:11 -------- d-----w c:\program files\Crawler
2009-04-30 05:48 . 2009-04-30 05:54 -------- d-----w C:\WhatsRunning
2009-04-29 02:52 . 2009-05-18 20:18 -------- d-----w C:\SpeedFan
2009-04-25 02:12 . 2009-05-18 17:45 -------- d-----w C:\EVEREST Home Edition

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-13 20:29 . 2009-03-06 09:32 10382 --sha-w c:\windows\system32\KGyGaAvL.sys
2009-05-13 20:24 . 2009-03-11 00:03 -------- d-----w c:\documents and settings\Elvis\Application Data\BitZipper
2009-05-03 01:34 . 2009-04-14 07:51 -------- d-----w c:\program files\SystemRequirementsLab
2009-05-03 01:33 . 2009-04-14 07:50 -------- d-----w c:\documents and settings\Elvis\Application Data\SystemRequirementsLab
2009-05-02 14:25 . 2009-03-03 05:54 17856 ----a-w c:\documents and settings\Elvis\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-02 14:23 . 2009-05-02 14:22 -------- dc-h--w c:\documents and settings\All Users\Application Data\{1CFDD724-D742-4A0A-A374-89DBFF6ECA5F}
2009-05-02 14:22 . 2009-05-02 14:22 -------- d-----w c:\documents and settings\Elvis\Application Data\SiteRanker
2009-05-01 21:38 . 2009-04-18 14:33 -------- d-----w c:\documents and settings\All Users\Application Data\NOS
2009-05-01 21:38 . 2009-04-18 14:33 -------- d-----w c:\program files\NOS
2009-04-21 00:28 . 2009-04-21 00:27 -------- d-----w c:\program files\Debugging Tools for Windows (x86)
2009-04-18 14:45 . 2009-04-18 14:45 -------- d-----w c:\program files\Common Files\Adobe AIR
2009-04-18 14:43 . 2009-03-03 13:38 -------- d-----w c:\program files\Common Files\Adobe
2009-04-14 16:19 . 2009-03-03 23:02 -------- d-----w c:\program files\Windows Media Connect 2
2009-04-14 00:39 . 2009-03-03 10:33 4656976 ----a-w c:\documents and settings\All Users\Application Data\Microsoft\Windows Defender\Definition Updates\Backup\mpengine.dll
2009-04-12 01:28 . 2009-04-12 01:28 -------- d-----w c:\program files\MSBuild
2009-04-12 01:28 . 2009-04-12 01:28 -------- d-----w c:\program files\Reference Assemblies
2009-04-11 00:18 . 2009-04-11 00:18 -------- d-----w c:\documents and settings\Elvis\Application Data\dvdcss
2009-04-10 21:22 . 2009-04-10 21:22 -------- d-----w c:\program files\Common Files\DivX Shared
2009-04-09 16:42 . 2009-04-09 16:42 -------- d-----w c:\program files\MXpie Patch
2009-04-09 11:32 . 2009-04-09 11:32 89088 ----a-w c:\documents and settings\Elvis\Application Data\Desktopicon\eBayShortcuts.exe
2009-04-06 20:32 . 2009-03-03 09:21 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 20:32 . 2009-03-03 09:21 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-05 20:51 . 2009-04-05 20:38 -------- d-----w c:\documents and settings\Elvis\Application Data\vlc
2009-04-04 03:06 . 2009-04-04 03:06 -------- d-----w c:\documents and settings\Elvis\Application Data\Auslogics
2009-03-30 02:06 . 2009-03-30 02:06 -------- d-----w c:\program files\MSN Messenger
2009-03-20 03:31 . 2009-05-02 14:22 262424 -c--a-w c:\documents and settings\All Users\Application Data\{1CFDD724-D742-4A0A-A374-89DBFF6ECA5F}\OFFLINE\D5797E3B\3E688669\stbYahoo9.dll
2009-03-20 03:31 . 2009-05-02 14:22 250136 -c--a-w c:\documents and settings\All Users\Application Data\{1CFDD724-D742-4A0A-A374-89DBFF6ECA5F}\OFFLINE\6216A4BD\3E688669\stbYahoo8.dll
2009-03-20 03:31 . 2009-05-02 14:22 848152 -c--a-w c:\documents and settings\All Users\Application Data\{1CFDD724-D742-4A0A-A374-89DBFF6ECA5F}\OFFLINE\B75FA91E\3E688669\stbsvc.exe
2009-03-20 03:31 . 2009-05-02 14:22 196888 -c--a-w c:\documents and settings\All Users\Application Data\{1CFDD724-D742-4A0A-A374-89DBFF6ECA5F}\OFFLINE\mFileBagIDE.dll\bag\stbsh.dll
2009-03-20 03:31 . 2009-05-02 14:22 479512 -c--a-w c:\documents and settings\All Users\Application Data\{1CFDD724-D742-4A0A-A374-89DBFF6ECA5F}\OFFLINE\mFileBagIDE.dll\bag\stbpx.exe
2009-03-20 03:31 . 2009-05-02 14:22 225560 -c--a-w c:\documents and settings\All Users\Application Data\{1CFDD724-D742-4A0A-A374-89DBFF6ECA5F}\OFFLINE\628759C1\3E688669\stbOLEX.dll
2009-03-20 03:31 . 2009-05-02 14:22 200984 -c--a-w c:\documents and settings\All Users\Application Data\{1CFDD724-D742-4A0A-A374-89DBFF6ECA5F}\OFFLINE\A26F7F7\3E688669\stbOL.dll
2009-03-20 03:29 . 2009-05-02 14:22 295896 -c--a-w c:\documents and settings\All Users\Application Data\{1CFDD724-D742-4A0A-A374-89DBFF6ECA5F}\OFFLINE\mFileBagIDE.dll\bag\stbreaim.exe
2009-03-08 09:34 . 2004-08-04 12:00 1016320 ----a-w c:\windows\system32\wininet.dll
2009-03-08 09:34 . 2004-08-04 12:00 43008 ----a-w c:\windows\system32\licmgr10.dll
2009-03-08 09:33 . 2004-08-04 12:00 18944 ----a-w c:\windows\system32\corpol.dll
2009-03-08 09:33 . 2004-08-04 12:00 420352 ----a-w c:\windows\system32\vbscript.dll
2009-03-08 09:32 . 2004-08-04 12:00 107008 ----a-w c:\windows\system32\admparse.dll
2009-03-08 09:32 . 2004-08-04 12:00 71680 ----a-w c:\windows\system32\iesetup.dll
2009-03-08 09:31 . 2004-08-04 12:00 34816 ----a-w c:\windows\system32\imgutil.dll
2009-03-08 09:31 . 2004-08-04 12:00 48128 ----a-w c:\windows\system32\mshtmler.dll
2009-03-08 09:31 . 2004-08-04 12:00 94720 ----a-w c:\windows\system32\mshta.exe
2009-03-08 09:22 . 2004-08-04 12:00 156160 ----a-w c:\windows\system32\msls31.dll
2009-03-06 14:22 . 2004-08-04 12:00 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-06 09:33 . 2009-03-06 09:32 56 --sh--r c:\windows\system32\4F3DA9204E.sys
2009-03-05 20:39 . 2009-03-03 09:29 152576 ----a-w c:\documents and settings\Elvis\Application Data\Sun\Java\jre1.6.0_12\lzma.dll
2009-03-04 18:18 . 2009-03-04 18:17 3 ----a-w c:\windows\sbacknt.bin
2009-03-04 18:16 . 2009-03-04 18:16 152904 ----a-w c:\windows\system32\vghd.scr
2009-03-04 17:41 . 2009-03-04 17:41 40960 ----a-r c:\documents and settings\Elvis\Application Data\Microsoft\Installer\{9E2BAFF1-4FB9-4553-94A4-ED280DE79B23}\NewShortcut1_9E2BAFF14FB9455394A4ED280DE79B23.exe
2009-03-04 17:41 . 2009-03-04 17:41 3774 ----a-r c:\documents and settings\Elvis\Application Data\Microsoft\Installer\{9E2BAFF1-4FB9-4553-94A4-ED280DE79B23}\ARPPRODUCTICON.exe
2009-03-04 11:23 . 2009-03-10 16:18 2653086 -c--a-w c:\documents and settings\All Users\Application Data\{66E2F539-12B6-4870-A500-7689CDE75C5E}\DriverScanner_Setup.exe
2009-03-03 13:41 . 2009-03-03 13:41 62009 ----a-w c:\windows\system32\wpfb_vtdisp.dll
2009-03-03 09:30 . 2009-03-03 09:30 410984 ----a-w c:\windows\system32\deploytk.dll
2009-03-03 06:04 . 2009-03-03 05:05 86327 ----a-w c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-03-03 05:25 . 2009-03-03 05:25 0 ----a-w c:\windows\nsreg.dat
2009-03-03 05:02 . 2009-03-03 05:02 21640 ----a-w c:\windows\system32\emptyregdb.dat
.

------- Sigcheck -------

[7] 2004-08-04 12:00 577024 C72661F8552ACE7C5C85E16A3CF505C4 c:\windows\$NtServicePackUninstall$\user32.dll
[-] 2008-04-14 00:12 587264 1F796B640B01A277B463E51CF0D79E10 c:\windows\ServicePackFiles\i386\user32.dll
[-] 2008-04-14 00:12 587264 1F796B640B01A277B463E51CF0D79E10 c:\windows\system32\user32.dll
[-] 2008-04-14 00:12 587264 1F796B640B01A277B463E51CF0D79E10 c:\windows\system32\dllcache\user32.dll
[7] 2008-04-14 00:12 578560 B26B135FF1B9F60C9388B4A7D16F600B c:\windows\VistaMizer\old\user32.dll

[7] 2008-08-26 09:08 827904 77C192FE56A70D7FA0247BA0A6201C32 c:\windows\$hf_mig$\KB956390-IE7\SP2QFE\wininet.dll
[7] 2008-10-16 01:04 667136 E8FCE58A470999350F64C591557F9E42 c:\windows\$hf_mig$\KB958215\SP3QFE\wininet.dll
[7] 2008-12-20 23:56 827904 044E0A4E9FE97C0FB9AFE9C89E2A82E6 c:\windows\$hf_mig$\KB961260-IE7\SP2QFE\wininet.dll
[7] 2004-08-04 12:00 656384 C0823FC5469663BA63E7DB88F9919D70 c:\windows\$NtServicePackUninstall$\wininet.dll
[7] 2008-04-14 00:12 666112 7A4F775ABB2F1C97DEF3E73AFA2FAEDD c:\windows\$NtUninstallKB958215$\wininet.dll
[7] 2008-10-16 01:00 666112 1576318BF08D28CC61D1278114AD8D5B c:\windows\ie7\wininet.dll
[7] 2007-08-14 00:54 818688 A4A0FC92358F39538A6494C42EF99FE9 c:\windows\ie7updates\KB956390-IE7\wininet.dll
[7] 2008-08-26 07:24 826368 EF8EBA98145BFA44E80D17A3B3453300 c:\windows\ie7updates\KB961260-IE7\wininet.dll
[7] 2008-12-20 23:15 826368 A82935D32D0672E8FF4E91AE398E901C c:\windows\ie8\wininet.dll
[-] 2009-03-08 09:34 1016320 2868B8B04547CAF8B5E6024CAC3DF0FD c:\windows\ServicePackFiles\i386\wininet.dll
[7] 2008-12-20 23:15 826368 A82935D32D0672E8FF4E91AE398E901C c:\windows\SoftwareDistribution\Download\2e4e820fa4f0714d84e95e04fd4b348e\SP2GDR\wininet.dll
[7] 2008-12-20 23:56 827904 044E0A4E9FE97C0FB9AFE9C89E2A82E6 c:\windows\SoftwareDistribution\Download\2e4e820fa4f0714d84e95e04fd4b348e\SP2QFE\wininet.dll
[7] 2008-08-26 07:24 826368 EF8EBA98145BFA44E80D17A3B3453300 c:\windows\SoftwareDistribution\Download\5d9d48823dca01f9929a959c29f5edc4\SP2GDR\wininet.dll
[7] 2008-08-26 09:08 827904 77C192FE56A70D7FA0247BA0A6201C32 c:\windows\SoftwareDistribution\Download\5d9d48823dca01f9929a959c29f5edc4\SP2QFE\wininet.dll
[-] 2009-03-08 09:34 1016320 2868B8B04547CAF8B5E6024CAC3DF0FD c:\windows\system32\wininet.dll
[-] 2009-03-08 09:34 1016320 2868B8B04547CAF8B5E6024CAC3DF0FD c:\windows\system32\dllcache\wininet.dll
[7] 2009-03-08 09:34 914944 6CE32F7778061CCC5814D5E0F282D369 c:\windows\VistaMizer\old\wininet.dll

[7] 2004-08-04 12:00 502272 01C3346C241652F43AED8E2149881BFE c:\windows\$NtServicePackUninstall$\winlogon.exe
[-] 2008-04-14 00:12 547328 A55B8899D2EA2E800061BCFD456E34DC c:\windows\ServicePackFiles\i386\winlogon.exe
[-] 2008-04-14 00:12 547328 A55B8899D2EA2E800061BCFD456E34DC c:\windows\system32\winlogon.exe
[-] 2008-04-14 00:12 547328 A55B8899D2EA2E800061BCFD456E34DC c:\windows\system32\dllcache\winlogon.exe
[7] 2008-04-14 00:12 507904 ED0EF0A136DEC83DF69F04118870003E c:\windows\VistaMizer\old\winlogon.exe

[7] 2009-02-06 10:30 2066176 607352B9CB3D708C67F6039097801B5A c:\windows\$hf_mig$\KB956572\SP3QFE\ntkrnlpa.exe
[7] 2008-08-14 21:39 2066048 A25E9B86EFFB2AF33BF51E676B68BFB0 c:\windows\$hf_mig$\KB956841\SP3QFE\ntkrnlpa.exe
[7] 2004-08-04 12:00 2056832 947FB1D86D14AFCFFDB54BF837EC25D0 c:\windows\$NtServicePackUninstall$\ntkrnlpa.exe
[7] 2008-08-14 09:33 2066048 4AC58F03EB94A72809949D757FC39D80 c:\windows\$NtUninstallKB956572$\ntkrnlpa.exe
[7] 2008-04-13 18:31 2065792 109F8E3E3C82E337BB71B6BC9B895D61 c:\windows\$NtUninstallKB956841$\ntkrnlpa.exe
[7] 2009-02-08 00:02 2066048 5BA7F2141BC6DB06100D0E5A732C617A c:\windows\Driver Cache\i386\ntkrnlpa.exe
[-] 2009-02-08 00:02 2323200 1BEBEC37BB52922CB90632236FEB19D7 c:\windows\ServicePackFiles\i386\ntkrnlpa.exe
[-] 2009-02-08 00:02 2323200 1BEBEC37BB52922CB90632236FEB19D7 c:\windows\system32\ntkrnlpa.exe
[-] 2009-02-08 00:02 2323200 1BEBEC37BB52922CB90632236FEB19D7 c:\windows\system32\dllcache\ntkrnlpa.exe
[7] 2009-02-08 00:02 2066048 5BA7F2141BC6DB06100D0E5A732C617A c:\windows\VistaMizer\old\ntkrnlpa.exe

[7] 2009-02-08 00:35 2189184 EFE8EACE83EAAD5849A7A548FB75B584 c:\windows\$hf_mig$\KB956572\SP3QFE\ntoskrnl.exe
[7] 2008-08-14 22:11 2189184 31914172342BFF330063F343AC6958FE c:\windows\$hf_mig$\KB956841\SP3QFE\ntoskrnl.exe
[7] 2004-08-04 12:00 2180992 CE218BC7088681FAA06633E218596CA7 c:\windows\$NtServicePackUninstall$\ntoskrnl.exe
[7] 2008-08-14 10:11 2189184 EEAF32F8E15A24F62BECB1BD403BB5C5 c:\windows\$NtUninstallKB956572$\ntoskrnl.exe
[7] 2008-04-13 19:27 2188928 0C89243C7C3EE199B96FCC16990E0679 c:\windows\$NtUninstallKB956841$\ntoskrnl.exe
[7] 2009-02-06 11:08 2189056 7A95B10A73737EBF24139AAA63F5212B c:\windows\Driver Cache\i386\ntoskrnl.exe
[-] 2009-02-06 11:08 2446208 A653114B58805A0333B8EFD86F831EC4 c:\windows\ServicePackFiles\i386\ntoskrnl.exe
[-] 2009-02-06 11:08 2446208 A653114B58805A0333B8EFD86F831EC4 c:\windows\system32\ntoskrnl.exe
[-] 2009-02-06 11:08 2446208 A653114B58805A0333B8EFD86F831EC4 c:\windows\system32\dllcache\ntoskrnl.exe
[7] 2009-02-06 11:08 2189056 7A95B10A73737EBF24139AAA63F5212B c:\windows\VistaMizer\old\ntoskrnl.exe

[-] 2008-04-14 00:12 1551872 DCDEAA7B5698587F82C0F6CD7FB71967 c:\windows\explorer.exe
[7] 2004-08-04 12:00 1032192 A0732187050030AE399B241436565E64 c:\windows\$NtServicePackUninstall$\explorer.exe
[-] 2008-04-14 00:12 1551872 DCDEAA7B5698587F82C0F6CD7FB71967 c:\windows\ServicePackFiles\i386\explorer.exe
[-] 2008-04-14 00:12 1551872 DCDEAA7B5698587F82C0F6CD7FB71967 c:\windows\system32\dllcache\explorer.exe
[7] 2008-04-14 00:12 1033728 12896823FB95BFB3DC9B46BCAEDC9923 c:\windows\VistaMizer\old\explorer.exe

[7] 2004-08-04 12:00 15360 24232996A38C0B0CF151C2140AE29FC8 c:\windows\$NtServicePackUninstall$\ctfmon.exe
[-] 2008-04-14 00:12 25088 B5E8782D4AF1B3756F38E11E7C157BBE c:\windows\ServicePackFiles\i386\ctfmon.exe
[-] 2008-04-14 00:12 25088 B5E8782D4AF1B3756F38E11E7C157BBE c:\windows\system32\ctfmon.exe
[-] 2008-04-14 00:12 25088 B5E8782D4AF1B3756F38E11E7C157BBE c:\windows\system32\dllcache\ctfmon.exe
[7] 2008-04-14 00:12 15360 5F1D5F88303D4A4DBC8E5F97BA967CC3 c:\windows\VistaMizer\old\ctfmon.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{11BF46C6-B3DE-48BD-BF70-3AD85CAB80B5}]
2009-04-30 14:14 311808 ----a-w c:\progra~1\SITERA~1\SiteRank.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CDBFB47B-58A8-4111-BF95-06178DCE326D}]
2008-11-11 22:33 299240 ----a-w c:\program files\System Search Dispatcher\1.2.0.750\ssd.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="c:\superantispyware\SUPERAntiSpyware.exe" [2009-05-23 1830128]
"Advanced SystemCare 3"="c:\advanced systemcare 3\AWC.exe" [2009-05-01 2329936]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="c:\alwils~1\Avast4\ashDisp.exe" [2009-05-22 81000]
"Google Quick Search Box"="c:\program files\Google\Quick Search Box\qsb.exe" [2009-03-03 68592]
"Mirabilis ICQ"="c:\icq\ICQNet.exe" [2003-10-14 38984]
"PivotSoftware"="c:\program files\Portrait Displays\Pivot Software\wpctrl.exe" [2007-02-09 694008]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\microsoft office\Office10\OSA.EXE [2001-2-13 83360]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\superantispyware\SASSEH.DLL" [2009-03-03 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-03-03 13:52 356352 ----a-w c:\superantispyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VTTimer

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=

R1 SASDIFSV;SASDIFSV;c:\superantispyware\SASDIFSV.SYS [10/10/2006 1:53 PM 9968]
R1 SASKUTIL;SASKUTIL;c:\superantispyware\SASKUTIL.SYS [2/27/2007 12:39 PM 55024]
R3 DCamUSBCompany;P35U Camera Capture;c:\windows\system32\drivers\p35u.sys [3/5/2009 10:38 PM 98272]
S1 aswSP;avast! Self Protection; [x]
S2 aswFsBlk;aswFsBlk;c:\windows\system32\DRIVERS\aswFsBlk.sys --> c:\windows\system32\DRIVERS\aswFsBlk.sys [?]
S3 SASENUM;SASENUM;c:\superantispyware\SASENUM.SYS [2/16/2006 5:51 PM 4096]
S4 WinDefend;Windows Defender;c:\windows defender\MsMpEng.exe [11/3/2006 8:19 PM 13592]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-05-22 c:\windows\Tasks\MP Scheduled Scan.job
- c:\windows defender\MpCmdRun.exe [2006-11-04 01:20]
.
- - - - ORPHANS REMOVED - - - -

BHO-{DB35C569-5624-4CFC-8043-E5139F55A073} - c:\progra~1\Crawler\Shared\CShared.dll
HKCU-Run-ALLUpdate - c:\allplayer\ALLUpdate.exe
SafeBoot-procexp90.Sys
MSConfigStartUp-CTFMON - (no file)

.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.tigerdirect.com/cgi-bin/ShoppingCart.asp?prchbcart=y&msg=0&q=2,%201,%201
IE: E&xport to Microsoft Excel - c:\micros~1\Office10\EXCEL.EXE/3000
IE: {{16FE352D-F643-4A81-BC61-2C051F3A757D} - {16FE352D-F643-4A81-BC61-2C051F3A757D} - c:\progra~1\Crawler\Smileys\CSMILE~1.DLL
IE: {{82E2B317-7C9C-4F12-B920-AC37D928CD43} - {82E2B317-7C9C-4F12-B920-AC37D928CD43} - c:\progra~1\Crawler\Smileys\CSMILE~1.DLL
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\Google\Google Toolbar\Component\fastsearch_9993303B90FE6C1D.dll
FF - ProfilePath - c:\documents and settings\Elvis\Application Data\Mozilla\Firefox\Profiles\0u9fdn78.default\
FF - prefs.js: browser.search.selectedEngine - Ask.com
FF - prefs.js: browser.startup.homepage - hxxp://www.tigerdirect.com/cgi-bin/ShoppingCart.asp?prchbcart=y&msg=0&q=1,%201,%203,%202,%202,%201,%204
FF - component: c:\documents and settings\Elvis\Application Data\Mozilla\Firefox\Profiles\0u9fdn78.default\extensions\{7E7165E2-0767-448c-852F-5FA8714F2C37}\components\PlainOldFavorites.dll
FF - component: c:\program files\DoubleD\Desktop Smiley Toolbar\3.10.0.11120\FFToolbar\components\SmileyCore.dll
FF - plugin: c:\adobe\Acrobat 5.0\Reader\Browser\nppdf32.dll
FF - plugin: c:\adobe\Acrobat 5.0\Reader\browser\nppdf32.dll
FF - plugin: c:\divx\DivX Player\npDivxPlayerPlugin.dll
FF - plugin: c:\divx\DivX Web Player\npdivx32.dll
FF - plugin: c:\mozilla firefox\plugins\np32asw.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-22 19:47
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\ASUS\ASUS Probe\2.20.08]
@DACL=(02 0000)

[HKEY_LOCAL_MACHINE\System\ControlSet001\Enum\ACPI\PNP0F13\3&61aaa01&0\LogConf]
@DACL=(02 0000)
"BasicConfigVector"=hex(a):48,00,00,00,0f,00,00,00,00,00,00,00,00,00,00,00,00,
00,00,00,00,00,00,00,00,00,00,00,01,00,00,00,01,00,01,00,01,00,00,00,00,02,\
"BootConfig"=hex(8):01,00,00,00,0f,00,00,00,00,00,00,00,01,00,01,00,01,00,00,
00,02,01,01,00,0c,00,00,00,0c,00,00,00,ff,ff,ff,ff
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(652)
c:\windows\system32\SETUPAPI.dll
c:\windows\system32\sfc_os.dll
c:\superantispyware\SASWINLO.DLL
c:\windows\system32\COMRes.dll
c:\windows\system32\cscui.dll

- - - - - - - > 'lsass.exe'(708)
c:\windows\system32\SETUPAPI.dll
c:\windows\system32\psbase.dll

- - - - - - - > 'explorer.exe'(1168)
c:\windows\system32\SHDOCVW.dll
c:\windows\system32\msctfime.ime
c:\windows\system32\COMRes.dll
c:\windows\System32\cscui.dll
c:\windows\system32\msi.dll
c:\windows\system32\ieframe.dll
c:\program files\Portrait Displays\Pivot Software\winphook.dll
c:\windows\system32\SETUPAPI.dll
c:\windows\system32\NETSHELL.dll
c:\windows\system32\credui.dll
c:\windows\system32\OneX.DLL
c:\windows\system32\MSVCP60.dll
c:\windows\system32\eappprxy.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\program files\Common Files\Portrait Displays\Shared\DTSRVC.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\wdfmgr.exe
c:\program files\Portrait Displays\Pivot Software\Floater.exe
.
**************************************************************************
.
Completion time: 2009-05-23 19:54 - machine was rebooted
ComboFix-quarantined-files.txt 2009-05-23 00:54

Pre-Run: 64,705,998,848 bytes free
Post-Run: 64,812,904,448 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

551 --- E O F --- 2009-05-21 15:13

#6 rshaffer61

Group: Moderator
Posts: 32,412
Joined: 28-February 09

Posted 22 May 2009 - 06:58 PM

No HJT log in sight.

#7 rshaffer61

Group: Moderator
Posts: 32,412
Joined: 28-February 09

Posted 22 May 2009 - 07:53 PM

I downloaded HJT from the download area and here is the report.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:51:43 PM, on 5/22/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Portrait Displays\Shared\DTSRVC.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Google\Quick Search Box\qsb.exe
C:\Program Files\Portrait Displays\Pivot Software\wpctrl.exe
C:\Advanced SystemCare 3\AWC.exe
C:\Program Files\Portrait Displays\Pivot Software\floater.exe
C:\WINDOWS\explorer.exe
C:\Mozilla Firefox\firefox.exe
C:\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tigerdirect.com/cgi-bin/Shoppin...p;q=2,%201,%201
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {11BF46C6-B3DE-48BD-BF70-3AD85CAB80B5} - C:\PROGRA~1\SITERA~1\SiteRank.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_9993303B90FE6C1D.dll
O2 - BHO: System Search Dispatcher - {CDBFB47B-58A8-4111-BF95-06178DCE326D} - C:\Program Files\System Search Dispatcher\1.2.0.750\ssd.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O3 - Toolbar: Desktop Smiley Toolbar - {5617ECA9-488D-4BA2-8562-9710B9AB78D2} - C:\Program Files\DoubleD\Desktop Smiley Toolbar\3.10.0.11120\stb0.dll
O4 - HKLM\..\Run: [avast!] C:\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Google Quick Search Box] C:\Program Files\Google\Quick Search Box\qsb.exe /autorun
O4 - HKLM\..\Run: [Mirabilis ICQ] C:\ICQ\ICQNet.exe
O4 - HKLM\..\Run: [PivotSoftware] C:\Program Files\Portrait Displays\Pivot Software\wpctrl.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [Advanced SystemCare 3] "C:\Advanced SystemCare 3\AWC.exe" /startup
O4 - Global Startup: Microsoft Office.lnk = C:\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra button: Crawler Smileys - {16FE352D-F643-4A81-BC61-2C051F3A757D} - C:\PROGRA~1\Crawler\Smileys\CSMILE~1.DLL
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\ICQ\ICQ.exe
O9 - Extra button: Crawler eCards - {82E2B317-7C9C-4F12-B920-AC37D928CD43} - C:\PROGRA~1\Crawler\Smileys\CSMILE~1.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop...t/PCPitStop.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanager/vers...vex-2.2.4.8.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1236058644531
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-sec...m/ols/fscax.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_9993303B90FE6C1D.dll
O20 - Winlogon Notify: !SASWinLogon - C:\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: Portrait Displays Display Tune Service (DTSRVC) - Unknown owner - C:\Program Files\Common Files\Portrait Displays\Shared\DTSRVC.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE

--
End of file - 6393 bytes

#8 Rorschach112

Group: Retired Staff
Posts: 47,710
Joined: 23-March 07

Posted 23 May 2009 - 04:59 AM

Do you recognise these

2009-05-22 20:08 . 2006-03-01 10:21 117248 ----a-w c:\windows\system32\ribbons.scr
2009-05-22 20:08 . 2006-03-03 19:42 117248 ----a-w c:\windows\system32\Mystify.scr
2009-05-22 20:08 . 2006-03-01 09:53 773120 ----a-w c:\windows\system32\bubbles.scr
2009-05-22 20:08 . 2006-03-01 10:21 1263616 ----a-w c:\windows\system32\aurora.scr
2009-05-22 20:03 . 2006-03-03 20:52 -------- d-----w c:\program files\Mystify
2009-05-22 20:03 . 2006-03-01 10:37 -------- d-----w c:\program files\Bubbles
2009-05-22 20:03 . 2006-03-01 10:25 -------- d-----w c:\program files\Ribbons
2009-05-22 20:03 . 2006-03-01 10:25 -------- d-----w c:\program files\Aurora
2009-05-22 20:01 . 2006-03-03 20:52 -------- d-----w c:\windows\system32\Mystify
2009-05-22 20:01 . 2006-03-01 10:37 -------- d-----w c:\windows\system32\Bubbles
2009-05-22 20:01 . 2006-03-01 10:25 -------- d-----w c:\windows\system32\Ribbons
2009-05-22 20:01 . 2006-03-01 10:25 -------- d-----w c:\windows\system32\Aurora

Download RootRepeal.zip and unzip it to your Desktop.

Double click RootRepeal.exe to start the program
Click on the Report tab at the bottom of the program window
Click the Scan button
In the Select Scan dialog, check:
- Hidden Services
Click the OK button
In the next dialog, select all drives showing
Click OK to start the scan

Note: The scan can take some time. DO NOT run any other programs while the scan is running
When the scan is complete, the Save Report button will become available
Click this and save the report to your Desktop as RootRepeal.txt

If the report is not too long, post the contents of RootRepeal.txt in your next reply. If the report is very long, it will not be complete if you post it, so please attach it to your reply instead.

To attach a file, do the following:

Click Add Reply
Under the reply panel is the Attachments Panel
Browse for the attachment file you want to upload, then click the green Upload button
Once it has uploaded, click the Manage Current Attachments drop down box
Click on to insert the attachment into your post

#9 rshaffer61

Group: Moderator
Posts: 32,412
Joined: 28-February 09

Posted 23 May 2009 - 07:06 AM

[quote name='Rorschach112' date='May 23 2009, 05:59 AM' post='1542777']
Do you recognise these

2009-05-22 20:08 . 2006-03-01 10:21 117248 ----a-w c:\windows\system32\ribbons.scr
2009-05-22 20:08 . 2006-03-03 19:42 117248 ----a-w c:\windows\system32\Mystify.scr
2009-05-22 20:08 . 2006-03-01 09:53 773120 ----a-w c:\windows\system32\bubbles.scr
2009-05-22 20:08 . 2006-03-01 10:21 1263616 ----a-w c:\windows\system32\aurora.scr
2009-05-22 20:03 . 2006-03-03 20:52 -------- d-----w c:\program files\Mystify
2009-05-22 20:03 . 2006-03-01 10:37 -------- d-----w c:\program files\Bubbles
2009-05-22 20:03 . 2006-03-01 10:25 -------- d-----w c:\program files\Ribbons
2009-05-22 20:03 . 2006-03-01 10:25 -------- d-----w c:\program files\Aurora
2009-05-22 20:01 . 2006-03-03 20:52 -------- d-----w c:\windows\system32\Mystify
2009-05-22 20:01 . 2006-03-01 10:37 -------- d-----w c:\windows\system32\Bubbles
2009-05-22 20:01 . 2006-03-01 10:25 -------- d-----w c:\windows\system32\Ribbons
2009-05-22 20:01 . 2006-03-01 10:25 -------- d-----w c:\windows\system32\Aurora

These are part of another screen saver package i had found before all this happened. none of them work either. Started scan and letting it run.

#10 rshaffer61

Group: Moderator
Posts: 32,412
Joined: 28-February 09

Posted 23 May 2009 - 07:12 AM

Here's the report.

ROOTREPEAL © AD, 2007-2008
==================================================
Scan Time: 2009/05/23 08:02
Program Version: Version 1.2.3.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xB8309000 Size: 98304 File Visible: No
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF79B9000 Size: 8192 File Visible: No
Status: -

Name: giveio.sys
Image Path: giveio.sys
Address: 0xF7A4F000 Size: 1664 File Visible: No
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xB33A8000 Size: 45056 File Visible: No
Status: -

Name: speedfan.sys
Image Path: speedfan.sys
Address: 0xF798F000 Size: 5248 File Visible: No
Status: -

Hidden/Locked Files
-------------------
Path: C:\WINDOWS\system32\config\system.LOG
Status: Size mismatch (API: 1024, Raw: 16384)

Path: C:\Documents and Settings\Elvis\Local Settings\temp\etilqs_zpsvjCJ9LygY4CcFH3WB
Status: Allocation size mismatch (API: 65536, Raw: 0)

Path: C:\Documents and Settings\Elvis\Local Settings\Temporary Internet Files\Content.IE5\SXU1Z7D0\adsWrapper[1].js
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Elvis\Local Settings\Temporary Internet Files\Content.IE5\SXU1Z7D0\size=468x60;noperf=1;alias=93175900;kvwm=window;kvmn=93175900;target=_blank;aduho=300;grp=84116
921;misc=84116921[1]
Status: Visible to the Windows API, but not on disk.

Path: C:\Documents and Settings\Elvis\Local Settings\Temporary Internet Files\Content.IE5\U4PDYHNV\adsWrapper[1].js
Status: Visible to the Windows API, but not on disk.

SSDT
-------------------
#: 025 Function Name: NtClose
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xb83516b8

#: 041 Function Name: NtCreateKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xb8351574

#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xb8351a52

#: 068 Function Name: NtDuplicateObject
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xb835114c

#: 119 Function Name: NtOpenKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xb835164e

#: 122 Function Name: NtOpenProcess
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xb835108c

#: 128 Function Name: NtOpenThread
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xb83510f0

#: 177 Function Name: NtQueryValueKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xb835176e

#: 204 Function Name: NtRestoreKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xb835172e

#: 247 Function Name: NtSetValueKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xb83518ae

#11 rshaffer61

Group: Moderator
Posts: 32,412
Joined: 28-February 09

Posted 23 May 2009 - 07:26 AM

i also wanted to let you know that i uninstalled ATF, Avast and SuperAntiSpyware and then reinstalled them. Now they all work correctly with no error messages.

#12 Rorschach112

Group: Retired Staff
Posts: 47,710
Joined: 23-March 07

Posted 23 May 2009 - 08:06 AM

looking good

Please download ATF Cleaner by Atribune.

ATF-Cleaner.exe

Main

Select All

Empty Selected

If you use Firefox browser

Firefox

Select All

Empty Selected

NOTE:

If you use Opera browser

Opera

Select All

Empty Selected

NOTE:

Click Exit on the Main menu to close the program.

Please download Malwarebytes' Anti-Malware from Here

Double Click mbam-setup.exe to install the application.

Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select "Perform Quick Scan", then click Scan.
The scan may take some time to finish,so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy&Paste the entire report in your next reply.

Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.

Go to Kaspersky website and perform an online antivirus scan.

Read through the requirements and privacy statement and click on Accept button.
It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
When the downloads have finished, click on Settings.
Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
Click on My Computer under Scan.
Once the scan is complete, it will display the results. Click on View Scan Report.
You will see a list of infected items there. Click on Save Report As....
Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button. Then post it here.

#13 rshaffer61

Group: Moderator
Posts: 32,412
Joined: 28-February 09

Posted 23 May 2009 - 07:32 PM

Here are the logs you requested:

Malwarebytes' Anti-Malware 1.36
Database version: 2167
Windows 5.1.2600 Service Pack 3

5/23/2009 5:53:10 PM
mbam-log-2009-05-23 (17-53-10).txt

Scan type: Quick Scan
Objects scanned: 80967
Time elapsed: 5 minute(s), 44 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0 REPORT
Saturday, May 23, 2009
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Saturday, May 23, 2009 21:31:35
Records in database: 2228724
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\
F:\

Scan statistics:
Files scanned: 46133
Threat name: 4
Infected objects: 21
Suspicious objects: 0
Duration of the scan: 02:03:40

File name / Threat name / Threats count
C:\Documents and Settings\Elvis\DoctorWeb\Quarantine\trz8b3.tmp Infected: Trojan.Win32.Agent2.eit 1
C:\Qoobox\Quarantine\C\ALLPlayer\ALLUpdate.exe.vir Infected: Trojan-Downloader.Win32.Bagle.avt 1
C:\Qoobox\Quarantine\C\Documents and Settings\Elvis\Application Data\drivers\downld\146843.exe.vir Infected: Email-Worm.Win32.Bagle.of 1
C:\Qoobox\Quarantine\C\Documents and Settings\Elvis\Application Data\drivers\downld\184281.exe.vir Infected: Email-Worm.Win32.Bagle.of 1
C:\Qoobox\Quarantine\C\Documents and Settings\Elvis\Application Data\drivers\downld\199562.exe.vir Infected: Email-Worm.Win32.Bagle.of 1
C:\Qoobox\Quarantine\C\Documents and Settings\Elvis\Application Data\drivers\downld\235453.exe.vir Infected: Email-Worm.Win32.Bagle.of 1
C:\Qoobox\Quarantine\C\Documents and Settings\Elvis\Application Data\drivers\downld\284203.exe.vir Infected: Email-Worm.Win32.Bagle.of 1
C:\Qoobox\Quarantine\C\Documents and Settings\Elvis\Application Data\drivers\downld\299078.exe.vir Infected: Email-Worm.Win32.Bagle.of 1
C:\Qoobox\Quarantine\C\Documents and Settings\Elvis\Application Data\drivers\downld\335375.exe.vir Infected: Email-Worm.Win32.Bagle.of 1
C:\Qoobox\Quarantine\C\Documents and Settings\Elvis\Application Data\drivers\downld\361781.exe.vir Infected: Email-Worm.Win32.Bagle.of 1
C:\Qoobox\Quarantine\C\Documents and Settings\Elvis\Application Data\drivers\downld\362765.exe.vir Infected: Email-Worm.Win32.Bagle.of 1
C:\Qoobox\Quarantine\C\Documents and Settings\Elvis\Application Data\drivers\downld\616609.exe.vir Infected: Email-Worm.Win32.Bagle.of 1
C:\Qoobox\Quarantine\C\Documents and Settings\Elvis\Application Data\drivers\downld\628171.exe.vir Infected: Email-Worm.Win32.Bagle.of 1
C:\Qoobox\Quarantine\C\Documents and Settings\Elvis\Application Data\drivers\downld\692937.exe.vir Infected: Email-Worm.Win32.Bagle.of 1
C:\Qoobox\Quarantine\C\Documents and Settings\Elvis\Application Data\drivers\wfsintwq.sys.vir Infected: Trojan-Downloader.Win32.Bagle.avs 1
C:\Qoobox\Quarantine\C\Documents and Settings\Elvis\Application Data\drivers\winupgro.exe.vir Infected: Trojan-Downloader.Win32.Bagle.avt 1
C:\Qoobox\Quarantine\C\Documents and Settings\Elvis\Application Data\drivers\_wfsintwq_.sys.zip Infected: Trojan-Downloader.Win32.Bagle.avs 1
C:\Qoobox\Quarantine\C\Documents and Settings\Elvis\Application Data\m\data.oct.vir Infected: Trojan-Downloader.Win32.Bagle.avt 1
C:\Qoobox\Quarantine\C\Documents and Settings\Elvis\Application Data\m\flec006.exe.vir Infected: Email-Worm.Win32.Bagle.of 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\mdelk.exe.vir Infected: Email-Worm.Win32.Bagle.of 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\wintems.exe.vir Infected: Email-Worm.Win32.Bagle.of 1

The selected area was scanned.

#14 Rorschach112

Group: Retired Staff
Posts: 47,710
Joined: 23-March 07

Posted 24 May 2009 - 06:30 AM

post a new HJT log and tell me how its running

#15 rshaffer61

Group: Moderator
Posts: 32,412
Joined: 28-February 09

Posted 24 May 2009 - 06:40 AM

Everything seems to be working fine now. I got the three programs running again and I don't seem to be having any adverse affects at all. The only question I had on the last logs was the email infections. I have been very careful not to send any emails out and have taken myself way way down on responses on the board since this happened. Here is the new HJT log you requested.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:35:08 AM, on 5/24/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Alwil Software\Avast4\aswUpdSv.exe
C:\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Google\Quick Search Box\qsb.exe
C:\Program Files\Portrait Displays\Pivot Software\wpctrl.exe
C:\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Portrait Displays\Pivot Software\floater.exe
C:\Advanced SystemCare 3\AWC.exe
C:\ICQ\ICQ.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Portrait Displays\Shared\DTSRVC.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe
C:\Alwil Software\Avast4\ashMaiSv.exe
C:\Alwil Software\Avast4\ashWebSv.exe
C:\KeyNote\keynote.exe
C:\Microsoft Office\Office10\WINWORD.EXE
C:\WINDOWS\msagent\AgentSvr.exe
C:\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Mozilla Firefox\firefox.exe
C:\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tigerdirect.com/cgi-bin/Shoppin...p;q=2,%201,%201
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_9993303B90FE6C1D.dll
O2 - BHO: System Search Dispatcher - {CDBFB47B-58A8-4111-BF95-06178DCE326D} - C:\Program Files\System Search Dispatcher\1.2.0.750\ssd.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O3 - Toolbar: Desktop Smiley Toolbar - {5617ECA9-488D-4BA2-8562-9710B9AB78D2} - C:\Program Files\DoubleD\Desktop Smiley Toolbar\3.10.0.11120\stb0.dll
O4 - HKLM\..\Run: [Google Quick Search Box] C:\Program Files\Google\Quick Search Box\qsb.exe /autorun
O4 - HKLM\..\Run: [Mirabilis ICQ] C:\ICQ\ICQNet.exe
O4 - HKLM\..\Run: [PivotSoftware] C:\Program Files\Portrait Displays\Pivot Software\wpctrl.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [avast!] C:\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [Advanced SystemCare 3] "C:\Advanced SystemCare 3\AWC.exe" /startup
O4 - Global Startup: Microsoft Office.lnk = C:\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra button: Crawler Smileys - {16FE352D-F643-4A81-BC61-2C051F3A757D} - C:\PROGRA~1\Crawler\Smileys\CSMILE~1.DLL
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\ICQ\ICQ.exe
O9 - Extra button: Crawler eCards - {82E2B317-7C9C-4F12-B920-AC37D928CD43} - C:\PROGRA~1\Crawler\Smileys\CSMILE~1.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop...t/PCPitStop.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanager/vers...vex-2.2.4.8.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1236058644531
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-sec...m/ols/fscax.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_9993303B90FE6C1D.dll
O20 - Winlogon Notify: !SASWinLogon - C:\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Portrait Displays Display Tune Service (DTSRVC) - Unknown owner - C:\Program Files\Common Files\Portrait Displays\Shared\DTSRVC.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE

--
End of file - 7026 bytes

Back to Virus, Spyware, Malware Removal

Share this topic:

2 Pages
1
2
→

Please log in to reply

Infection from a screen saver download [Solved] - Geeks to Go Forums