Nasty Virus

jubjub449, California, New
edited August 2009 in Spyware & Virus Removal
Tried Norton, iolo, spyware doctor...

Cannot get rid of Nexplore, STOPzilla popups, missing boot.ini, webpages partially load then quit loading...


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:32:51 PM, on 7/15/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\windows\System32\smss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\Ati2evxx.exe
C:\windows\system32\svchost.exe
C:\windows\System32\svchost.exe
C:\windows\system32\spoolsv.exe
C:\Program Files\Common Files\Stardock\SDMCP.exe
C:\windows\system32\Ati2evxx.exe
C:\windows\Explorer.EXE
C:\Program Files\Common Files\stardock\TrayServer.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\WINDOWS\vVX3000.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\iolo\System Mechanic Professional\AntiVirus\ioloAV.exe
C:\windows\system32\ctfmon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Cepstral\bin\CepstralLicSrv.exe
C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
C:\windows\eHome\ehRecvr.exe
C:\windows\eHome\ehSched.exe
C:\Program Files\iolo\common\lib\ioloServiceManager.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Microsoft LifeCam\MSCamS32.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\windows\system32\svchost.exe
C:\windows\System32\TUProgSt.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\PROGRA~1\hpq\Shared\HPQTOA~1.EXE
C:\windows\System32\svchost.exe
C:\windows\system32\wuauclt.exe
C:\Documents and Settings\matthew.YOUR-727A0A4E7C.001\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\matthew.YOUR-727A0A4E7C.001\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\matthew.YOUR-727A0A4E7C.001\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\matthew.YOUR-727A0A4E7C.001\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.windowsxlive.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://toolbar.ask.com/toolbarv/askRedirect?o=13917&gct=&gc=1&q=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://toolbar.ask.com/toolbarv/askRedirect?o=13917&gct=&gc=1&q=%s
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O2 - BHO: (no name) - {6b02d315-53c4-47a7-b3c7-edc4a053586c} - C:\windows\system32\jewerari.dll (file missing)
O2 - BHO: Tunebite_WebRipPlugin Class - {AA102584-3B97-47e7-B9BC-75D54C110A7D} - C:\Program Files\RapidSolution\Tunebite\plugins\IE\TB_WebRipIePlugin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: MSN Toolbar Helper - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files\MSN\Toolbar\3.0.1203.0\msneshellx.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O3 - Toolbar: MSN Toolbar - {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - C:\Program Files\MSN\Toolbar\3.0.1203.0\msneshellx.dll
O3 - Toolbar: StylerToolBar - {D2F8F919-690B-4EA2-9FA7-A203D1E04F75} - C:\Program Files\Styler\TB\StylerTB.dll
O4 - HKLM\..\Run: [1A:Stardock TrayMonitor] "C:\Program Files\Common Files\stardock\TrayServer.exe"
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [RecGuard] C:\Windows\SMINST\RecGuard.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [LifeCam] "C:\Program Files\Microsoft LifeCam\LifeExp.exe"
O4 - HKLM\..\Run: [VX3000] C:\WINDOWS\vVX3000.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [LogonStudio] "C:\Program Files\WinCustomize\LogonStudio\logonstudio.exe" /RANDOM
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SSBkgdUpdate] C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe -Embedding -boot
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [iolo AntiVirus] "C:\Program Files\iolo\System Mechanic Professional\AntiVirus\ioloAV.exe"
O4 - HKLM\..\Run: [CPM48deb830] Rundll32.exe "c:\windows\system32\nahilifo.dll",a
O4 - HKLM\..\Run: [tikapibote] Rundll32.exe "C:\windows\system32\kuwotevi.dll",s
O4 - HKLM\..\Run: [combofix] C:\windows\system32\CF30158.exe /c C:\ComboFix\Combobatch.bat
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\matthew.YOUR-727A0A4E7C.001\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [ctfmon.exe] C:\windows\system32\ctfmon.exe
O4 - HKCU\..\Run: [WindowFX] C:\Program Files\Stardock\Object Desktop\WindowFX\\wfxload.exe
O4 - HKCU\..\Run: [ObjectBar] F:\Program Files\Object Desktop\ObjectBar\ObjectBar.exe
O4 - HKCU\..\Run: [Virtual Dimension] C:\Program Files\Virtual Dimension\VirtualDimension.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O10 - Unknown file in Winsock LSP: c:\windows\system32\iavlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\iavlsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\iolo\common\firewall\ifw_xfilter.dll
O10 - Unknown file in Winsock LSP: c:\program files\iolo\common\firewall\ifw_xfilter.dll
O10 - Unknown file in Winsock LSP: c:\program files\iolo\common\firewall\ifw_xfilter.dll
O10 - Unknown file in Winsock LSP: c:\program files\iolo\common\firewall\ifw_xfilter.dll
O10 - Unknown file in Winsock LSP: c:\program files\iolo\common\firewall\ifw_xfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\iavlsp.dll
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=presario&pf=laptop
O20 - AppInit_DLLs: C:\WINDOWS\system32\wbsys.dll,C:\windows\system32\hapoyivu.dll c:\windows\system32\nahilifo.dll
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\nahilifo.dll
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\nahilifo.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ASKUpgrade - Unknown owner - C:\Program Files\AskBarDis\bar\bin\ASKUpgrade.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\windows\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Cepstral License Server - Cepstral, LLC - C:\Program Files\Cepstral\bin\CepstralLicSrv.exe
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iolo FileInfoList Service (ioloFileInfoList) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe
O23 - Service: iolo System Service (ioloSystemService) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software - C:\windows\System32\TuneUpDefragService.exe
O23 - Service: TuneUp Program Statistics Service (TuneUp.ProgramStatisticsSvc) - TuneUp Software - C:\windows\System32\TUProgSt.exe

--
End of file - 10902 bytes
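The entries a helper looks at first in a log like this are the persistence points: Run keys that load a DLL through Rundll32, AppInit_DLLs, the ShellServiceObjectDelayLoad (O21) and SharedTaskScheduler (O22) hooks, BHOs whose DLL has already vanished, and IE start/search pages pointing somewhere other than Microsoft. The strongest signal is one DLL referenced from several of those places at once. As an added example (not code from this thread or from HijackThis), the script below does that triage over a subset of the log above. The trusted-host list and the "eight lowercase letters" filename heuristic are assumptions for the example, drawn from the names in this log, not HijackThis rules.

```python
"""Heuristic triage of a HijackThis log (added example, not part of the thread).

Flags the persistence points abused in the log above (Run keys via Rundll32,
AppInit_DLLs, SSODL, SharedTaskScheduler, orphaned BHOs, hijacked IE start and
search pages) and correlates any DLL referenced from more than one of them.
"""
import re
from collections import defaultdict

# Sample input: a subset of the HijackThis entries posted above.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.windowsxlive.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://toolbar.ask.com/toolbarv/askRedirect?o=13917&gct=&gc=1&q=%s
O2 - BHO: (no name) - {6b02d315-53c4-47a7-b3c7-edc4a053586c} - C:\windows\system32\jewerari.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [CPM48deb830] Rundll32.exe "c:\windows\system32\nahilifo.dll",a
O4 - HKLM\..\Run: [tikapibote] Rundll32.exe "C:\windows\system32\kuwotevi.dll",s
O20 - AppInit_DLLs: C:\WINDOWS\system32\wbsys.dll,C:\windows\system32\hapoyivu.dll c:\windows\system32\nahilifo.dll
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\nahilifo.dll
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\nahilifo.dll
"""

ENTRY_RE = re.compile(r"^([RFO]\d+)\s+-\s+(.*)$")
# A Windows path ending in .dll or .exe; non-greedy so a comma/space separated
# AppInit_DLLs list splits into its individual paths.
PATH_RE = re.compile(r'[a-z]:\\[^",]+?\.(?:dll|exe)', re.IGNORECASE)
# Heuristic (assumption for this example): the Vundo-family DLLs named later in
# this thread all use eight lowercase letters for the file planted in system32.
RANDOM_DLL_RE = re.compile(r"^[a-z]{8}\.dll$")
URL_HOST_RE = re.compile(r"=\s*https?://([^/\s]+)")
# Host IE's stock start/search pages point at (assumption; extend for OEM pages).
TRUSTED_HOSTS = {"go.microsoft.com"}


def parse_entry(line):
    """Return (section, body) for an 'O4 - ...' style line, else None."""
    m = ENTRY_RE.match(line.strip())
    return (m.group(1), m.group(2)) if m else None


def triage(log_text):
    """Return (findings, correlated).

    findings:   list of (section, reason, evidence) tuples, in log order
    correlated: {dll_basename: [sections]} for DLLs seen in two or more sections
    """
    findings = []
    refs = defaultdict(set)  # dll basename (lowercase) -> sections referencing it
    for raw in log_text.splitlines():
        entry = parse_entry(raw)
        if entry is None:
            continue
        section, body = entry
        for path in PATH_RE.findall(body):
            base = path.rsplit("\\", 1)[-1].lower()
            refs[base].add(section)
            if RANDOM_DLL_RE.match(base) and "system32" in path.lower():
                findings.append((section, "random 8-letter DLL in system32", path))
        if section in ("R0", "R1"):
            m = URL_HOST_RE.search(body)
            if m and m.group(1).lower() not in TRUSTED_HOSTS:
                findings.append((section, "IE start/search page hijacked", m.group(1)))
        elif section == "O2" and "(file missing)" in body:
            findings.append((section, "BHO registered but DLL missing", body))
        elif section == "O4" and re.search(r"\brundll32(\.exe)?\b", body, re.IGNORECASE):
            findings.append((section, "Run entry loads a DLL via Rundll32", body))
        elif section == "O20" and body.startswith("AppInit_DLLs:") and body.split(":", 1)[1].strip():
            findings.append((section, "AppInit_DLLs populated (loaded into every user32 process)", body))
    correlated = {b: sorted(s) for b, s in refs.items() if len(s) >= 2}
    return findings, correlated


def report(findings, correlated):
    """Render the triage as text lines, one per finding plus one per correlated DLL."""
    lines = [f"[{sec}] {why}: {what}" for sec, why, what in findings]
    for base, secs in correlated.items():
        lines.append(f"CORRELATED {base} referenced from {', '.join(secs)}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(*triage(SAMPLE_LOG))))
```

On the sample above the single correlated hit is nahilifo.dll, referenced from O4, O20, O21 and O22, which is exactly the file the later MBAM log names as Trojan.Vundo.H. Everything else is a heuristic: a legitimate eight-letter DLL would trip the name check, and the O10 LSP entries (iolo's own filter here) are deliberately left alone because "unknown file" in that section only means HijackThis has no entry for it.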

Comments

  • edited July 2009
    Hey there, welcome. :)

    Please download Malwarebytes' Anti-Malware by clicking the link below:
    http://www.besttechie.net/tools/mbam-setup.exe

    Double Click mbam-setup.exe to install the application.

    * Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    * If an update is found, it will download and install the latest version.
    * Once the program has loaded, select "Perform Quick Scan", then click Scan.
    * The scan may take some time to finish, so please be patient.
    * When the scan is complete, click OK, then Show Results to view the results.
    * Make sure that everything is checked, and click Remove Selected.
    * When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
    * The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    * You'll be required to post the contents of this log later.

    Please Note:
    If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.



    Next let's have you download ComboFix.exe. Please visit this webpage for downloading and instructions for running the tool:

    Go here: A guide and tutorial on using ComboFix

    Please ensure you read this guide carefully and install the Recovery Console first. This applies to XP Pro and XP Home users only. If you have SP3 installed you will need to use the download meant for SP2.

    The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

    Once installed, you should get a prompt that says:

    The Recovery Console was successfully installed.

    Please continue as follows:

    (1) Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    (2) Click Yes to allow ComboFix to continue scanning for malware.

    When the tool is finished, it will produce a report for you.


    Please include the MBAM log, C:\ComboFix.txt as well as a new HijackThis log for further review, so that we may continue cleansing the system.


    Caution: Never run and remove files with Combofix unless supervised by a qualified security analyst who is experienced in the use of Combofix. Misuse can cause serious computer problems.
  • jubjub449, California, New
    edited July 2009
    chiaz wrote:
    Please ensure you read this guide carefully and install the Recovery Console first. This applies to XP Pro and XP Home users only. If you have SP3 installed you will need to use the download meant for SP2.

    Does the guide apply to XP MCE?
  • edited July 2009
    Read the ComboFix guide I linked to - it says if you are using Windows XP Media Center, then you should select the Windows XP Pro Service Pack 2 download.
  • jubjub449, California, New
    edited July 2009
    chiaz wrote:
    Read the ComboFix guide I linked to - it says if you are using Windows XP Media Center, then you should select the Windows XP Pro Service Pack 2 download.

    Thanks, in advance ;) but sadly, even when dragging the file to it, Combofix has an error that says "boot partition cannot be enumerated correctly" followed by a "continue scanning for malware?" Prompt.
  • jubjub449, California, New
    edited July 2009
    Sorry but this is all i have to give for now.

    Malwarebytes' Anti-Malware 1.39
    Database version: 2452
    Windows 5.1.2600 Service Pack 2

    7/18/2009 5:03:42 PM
    mbam-log-2009-07-18 (17-03-42).txt

    Scan type: Full Scan (C:\|F:\|)
    Objects scanned: 505650
    Time elapsed: 6 hour(s), 15 minute(s), 48 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 1
    Registry Keys Infected: 3
    Registry Values Infected: 3
    Registry Data Items Infected: 5
    Folders Infected: 2
    Files Infected: 14

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    c:\WINDOWS\system32\nahilifo.dll (Trojan.Vundo.H) -> Delete on reboot.

    Registry Keys Infected:
    HKEY_CLASSES_ROOT\CLSID\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Typelib\{40196867-19f8-7157-c097-ecaff653c9ad} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\advantage (Adware.Vomba) -> Quarantined and deleted successfully.

    Registry Values Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cpm48deb830 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\ssodl (Trojan.Vundo.H) -> Quarantined and deleted successfully.

    Registry Data Items Infected:
    HKEY_CLASSES_ROOT\scrfile\shell\open\command\(default) (Broken.OpenCommand) -> Bad: (NOTEPAD.EXE %1) Good: ("%1" /S) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\regfile\shell\open\command\(default) (Broken.OpenCommand) -> Bad: (NOTEPAD.EXE %1) Good: (regedit.exe "%1") -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: c:\windows\system32\nahilifo.dll -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: system32\nahilifo.dll -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

    Folders Infected:
    C:\Program Files\Advantage (Adware.Advantage) -> Quarantined and deleted successfully.
    C:\Documents and Settings\matthew.YOUR-727A0A4E7C.001\Application Data\advantage (Adware.Vomba) -> Quarantined and deleted successfully.

    Files Infected:
    c:\WINDOWS\system32\nahilifo.dll (Trojan.Vundo.H) -> Delete on reboot.
    c:\documents and settings\matthew.your-727a0a4e7c.001\application data\advantage\AdVantage.exe (Adware.Agent) -> Quarantined and deleted successfully.
    c:\Qoobox\quarantine\C\WINDOWS\system32\msncache.dll.vir (Backdoor.Bot) -> Quarantined and deleted successfully.
    c:\system volume information\_restore{bfaa719b-281f-45b6-9e39-9d4bb578c2a4}\RP73\A0035133.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    c:\system volume information\_restore{bfaa719b-281f-45b6-9e39-9d4bb578c2a4}\RP73\A0035135.exe (Trojan.Mailfinder) -> Quarantined and deleted successfully.
    c:\system volume information\_restore{bfaa719b-281f-45b6-9e39-9d4bb578c2a4}\RP73\A0035136.exe (Adware.Agent) -> Quarantined and deleted successfully.
    c:\system volume information\_restore{bfaa719b-281f-45b6-9e39-9d4bb578c2a4}\RP73\A0035137.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    c:\system volume information\_restore{bfaa719b-281f-45b6-9e39-9d4bb578c2a4}\RP73\A0035294.exe (Adware.Agent) -> Quarantined and deleted successfully.
    f:\all old stuff\matthew v\local settings\Temp\exploreexploresetup.exe (Trojan.DNSChanger) -> Quarantined and deleted successfully.
    c:\documents and settings\matthew.your-727a0a4e7c.001\application data\advantage\about_AdVantage.mht (Adware.Vomba) -> Quarantined and deleted successfully.
    c:\documents and settings\matthew.your-727a0a4e7c.001\application data\advantage\advantage.cfg (Adware.Vomba) -> Quarantined and deleted successfully.
    c:\documents and settings\matthew.your-727a0a4e7c.001\application data\advantage\advantage.mht (Adware.Vomba) -> Quarantined and deleted successfully.
    c:\WINDOWS\explorer.vbk (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.
    C:\Documents and Settings\matthew.YOUR-727A0A4E7C.001\Desktop\explorer.exe (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.
  • edited July 2009
    jubjub449 wrote:
    Thanks, in advance but sadly, even when dragging the file to it, Combofix has an error that says "boot partition cannot be enumerated correctly" followed by a "continue scanning for malware?" Prompt.

    Can you follow through with the "continue scanning for malware"?
  • jubjub449, California, New
    edited July 2009
    chiaz wrote:
    Can you follow through with the "continue scanning for malware"?

    I did, but I can't find the log.
  • jubjub449, California, New
    edited July 2009
    Where does combofix store the log? The program restarted windows without opening a log. :scratch:
    I found a folder in C:\ called qoobox. It seems to be related to Combofix.
  • edited July 2009
    Yes, but don't touch that qoobox folder first. That will hold the quarantine for any stuff deleted.

    The log will be at:
    C:\ComboFix.txt
  • jubjub449, California, New
    edited July 2009
    chiaz wrote:
    The log will be at:
    C:\ComboFix.txt

    Um... There is no ComboFix.txt file.
  • edited July 2009
    Try running ComboFix once more....if the situation remains similar then just post a new HijackThis log and we'll take it from there.
  • jubjub449, California, New
    edited July 2009
    Okay... ComboFix made a log this time.

    ComboFix 09-07-19.01 - matthew 07/19/2009 10:46.1.1 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.894.375 [GMT -7:00]
    Running from: c:\documents and settings\matthew.YOUR-727A0A4E7C.001\Desktop\ComboFix.exe
    AV: Norton AntiVirus *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
    AV: Spyware Doctor with AntiVirus *On-access scanning disabled* (Updated) {D3C23B96-C9DC-477F-8EF1-69AF17A6EFF6}
    FW: iolo Personal Firewall® *enabled* {38254411-9AEC-4967-913E-F892C2A4DF89}

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    ---- Previous Run
    .
    c:\windows\system32\Drivers\awuIcin.sys
    c:\windows\system32\mfc45.dll

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    \Service_rbro


    ((((((((((((((((((((((((( Files Created from 2009-06-19 to 2009-07-19 )))))))))))))))))))))))))))))))
    .

    2009-07-19 17:39 . 2005-01-19 02:15 28672 ----a-w- c:\windows\system32\regclass.dll
    2009-07-19 17:39 . 2009-07-19 17:39 d-----w- c:\program files\FirefoxPreloader
    2009-07-19 17:32 . 2009-07-19 17:43
    d---a-w- c:\documents and settings\All Users\Application Data\TEMP
    2009-07-19 17:30 . 2009-07-19 17:30 130936 ----a-w- c:\windows\system32\drivers\PCTCore.sys
    2009-07-18 09:28 . 2009-07-18 09:28 d-----w- c:\documents and settings\matthew.YOUR-727A0A4E7C.001\Local Settings\Application Data\Temp
    2009-07-18 06:04 . 2009-02-27 10:57 36400 ----a-r- c:\windows\system32\drivers\SymIM.sys
    2009-07-18 05:15 . 2009-07-18 05:16 d-----w- c:\program files\Windows Defender
    2009-07-18 02:17 . 2009-05-29 22:54 940896 ----a-w- c:\windows\system32\Incinerator.dll
    2009-07-18 02:17 . 2007-10-02 19:41 39424 ----a-w- c:\windows\system32\xpacket.sys
    2009-07-18 02:17 . 2008-04-17 17:45 9341 ----a-w- c:\windows\system32\drivers\filedisk.sys
    2009-07-18 02:17 . 2009-02-17 18:26 8192 ----a-w- c:\windows\system32\smrgdf.exe
    2009-07-18 02:17 . 2009-02-17 18:31 28672 ----a-w- c:\windows\system32\iolobtdfg.exe
    2009-07-18 02:16 . 2009-07-18 05:03 d-----w- c:\program files\iolo
    2009-07-17 22:11 . 2009-07-17 22:11 d-----w- c:\documents and settings\matthew.YOUR-727A0A4E7C.001\Application Data\Malwarebytes
    2009-07-17 22:10 . 2009-07-13 20:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2009-07-17 21:49 . 2009-07-12 08:15 533880 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090715.003\Scxpx86.dll
    2009-07-17 21:49 . 2009-07-12 08:15 276344 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090715.003\IDSXpx86.sys
    2009-07-17 21:49 . 2009-07-12 08:15 451960 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090715.003\IDSxpx86.dll
    2009-07-17 21:49 . 2009-07-12 08:15 293424 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090715.003\IDSvix86.sys
    2009-07-17 21:49 . 2009-07-12 08:15 397360 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090715.003\IDSviA64.sys
    2009-07-17 05:20 . 2009-07-17 05:29 d-----w- c:\program files\YouTube Clip Extractor
    2009-07-17 05:08 . 2009-07-17 05:08 d-----w- c:\documents and settings\matthew.YOUR-727A0A4E7C.001\Application Data\Moyea
    2009-07-17 05:08 . 2009-07-17 05:08 d-----w- c:\program files\Moyea
    2009-07-16 19:03 . 2009-07-12 08:15 533880 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090712.001\Scxpx86.dll
    2009-07-16 19:03 . 2009-07-12 08:15 276344 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090712.001\IDSXpx86.sys
    2009-07-16 19:03 . 2009-07-12 08:15 451960 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090712.001\IDSxpx86.dll
    2009-07-16 19:03 . 2009-07-12 08:15 293424 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090712.001\IDSvix86.sys
    2009-07-16 19:03 . 2009-07-12 08:15 397360 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090712.001\IDSviA64.sys
    2009-07-16 18:46 . 2009-07-18 03:01 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
    2009-07-16 18:46 . 2009-07-18 03:01 124464 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
    2009-07-16 18:46 . 2009-07-18 03:01 d-----w- c:\program files\Symantec
    2009-07-16 18:45 . 2009-07-12 08:15 293424 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\BinHub\IDSvix86.sys
    2009-07-16 18:45 . 2009-07-12 08:15 276344 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\BinHub\IDSXpx86.sys
    2009-07-16 18:45 . 2009-07-12 08:15 397360 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\BinHub\IDSviA64.sys
    2009-07-16 18:45 . 2009-07-16 18:45 1294680 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\SyKnAppS\SyKnAppS.dll
    2009-07-16 18:45 . 2009-07-12 08:15 533880 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\BinHub\Scxpx86.dll
    2009-07-16 18:45 . 2009-07-16 18:45 136840 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\SyKnAppS\patch25.dll
    2009-07-16 18:45 . 2009-07-12 08:15 451960 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\BinHub\IDSxpx86.dll
    2009-07-16 18:44 . 2009-07-16 18:44 791920 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\CLT\cltLMSx.dll
    2009-07-16 18:44 . 2009-07-18 16:56 d-----w- c:\windows\system32\drivers\NAV
    2009-07-16 18:44 . 2009-07-16 18:44 d-----w- c:\program files\Norton AntiVirus
    2009-07-16 18:44 . 2009-07-16 18:44 d-----w- c:\program files\Windows Sidebar
    2009-07-16 18:34 . 2009-07-13 20:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
    2009-07-16 04:21 . 2009-07-16 04:21 d-sh--w- c:\documents and settings\matthew.YOUR-727A0A4E7C.001\PrivacIE
    2009-07-16 02:06 . 2009-07-16 02:38 d-----w- c:\program files\Nova Development
    2009-07-15 20:33 . 2009-07-15 20:34 d-----w- c:\program files\DiscWizard for Windows
    2009-07-14 23:09 . 2009-07-14 23:09 d-----w- c:\program files\Trend Micro
    2009-07-14 22:56 . 2009-06-02 10:12 102912 ------w- c:\windows\system32\dllcache\iecompat.dll
    2009-07-14 01:06 . 2009-07-14 01:06 d-----w- c:\documents and settings\matthew.YOUR-727A0A4E7C.001\Application Data\NetMedia Providers
    2009-07-13 03:17 . 2009-07-13 03:17 40960 ----a-r- c:\documents and settings\matthew.YOUR-727A0A4E7C.001\Application Data\Microsoft\Installer\{0AB76F69-E761-4CFA-B9B0-A1906B4E9E4B}\WinDlg.exe_0AB76F69E7614CFAB9B0A1906B4E9E4B_3.exe
    2009-07-13 03:17 . 2009-07-13 03:17 8854 ----a-r- c:\documents and settings\matthew.YOUR-727A0A4E7C.001\Application Data\Microsoft\Installer\{0AB76F69-E761-4CFA-B9B0-A1906B4E9E4B}\Uninstall_WD_Diagnos_0AB76F69E7614CFAB9B0A1906B4E9E4B.exe
    2009-07-13 03:17 . 2009-07-13 03:17 10134 ----a-r- c:\documents and settings\matthew.YOUR-727A0A4E7C.001\Application Data\Microsoft\Installer\{0AB76F69-E761-4CFA-B9B0-A1906B4E9E4B}\ARPPRODUCTICON.exe
    2009-07-10 14:52 . 2000-10-20 08:05 25088 ----a-w- c:\windows\system32\msxml3a.dll
    2009-07-10 14:38 . 2009-07-10 14:38 d-----w- c:\program files\Virtual Dimension
    2009-07-09 18:09 . 2009-01-09 02:28 278528 ----a-w- c:\documents and settings\matthew.YOUR-727A0A4E7C.001\Application Data\TuneUp Software\TuneUp Utilities\StartUp Manager\Disabled objects\ViClock.exe
    2009-07-09 17:38 . 2009-07-16 03:38 664 ----a-w- c:\windows\system32\d3d9caps.dat
    2009-07-09 17:32 . 2009-07-11 06:39 2374144 ----a-w- c:\windows\system32\TUKernel.exe
    2009-07-09 16:00 . 2009-07-09 16:04 dc----w- C:\i386
    2009-07-09 14:56 . 2009-07-09 16:16 dc----w- c:\windows\Super Turbo Tango Patcher
    2009-07-09 13:54 . 2009-03-08 11:32 594432 ----a-w- c:\windows\system32\dllcache\msfeeds.dll
    2009-07-09 13:54 . 2009-03-08 11:32 1985024 ----a-w- c:\windows\system32\dllcache\iertutil.dll
    2009-07-09 13:54 . 2009-03-08 11:31 55296 ----a-w- c:\windows\system32\dllcache\msfeedsbs.dll
    2009-07-09 13:54 . 2009-04-28 09:05 13824 ------w- c:\windows\system32\dllcache\ieudinit.exe
    2009-07-09 13:54 . 2009-03-08 11:31 59904 ----a-w- c:\windows\system32\dllcache\icardie.dll
    2009-07-09 13:54 . 2009-03-08 11:11 445952 ----a-w- c:\windows\system32\dllcache\ieapfltr.dll
    2009-07-09 13:54 . 2009-02-07 04:07 3698584 ----a-w- c:\windows\system32\dllcache\ieapfltr.dat
    2009-07-09 13:54 . 2009-04-30 21:22 11152896 ----a-w- c:\windows\system32\dllcache\ieframe.dll
    2009-07-07 06:11 . 2009-07-09 01:58 d-----w- c:\documents and settings\matthew.YOUR-727A0A4E7C.001\Application Data\Publish Providers
    2009-07-07 06:10 . 2009-07-07 06:10 d-----w- c:\documents and settings\matthew.YOUR-727A0A4E7C.001\Local Settings\Application Data\Sony
    2009-07-07 06:10 . 2009-07-07 06:10 d-----w- c:\documents and settings\matthew.YOUR-727A0A4E7C.001\Application Data\Sony
    2009-07-07 05:58 . 2009-07-07 05:58 d-----w- c:\program files\Sony Setup
    2009-07-07 04:56 . 2009-07-07 04:56 d-----w- c:\documents and settings\matthew.YOUR-727A0A4E7C.001\Application Data\Ulead Systems
    2009-07-07 04:46 . 2009-07-07 04:46 d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
    2009-07-05 07:50 . 2008-04-02 04:40 209040 ----a-w- c:\windows\system32\IVIresizeW7.dll
    2009-07-05 07:50 . 2008-04-02 04:40 192656 ----a-w- c:\windows\system32\IVIresizePX.dll
    2009-07-05 07:50 . 2008-04-02 04:40 196752 ----a-w- c:\windows\system32\IVIresizeP6.dll
    2009-07-05 07:50 . 2008-04-02 04:40 196752 ----a-w- c:\windows\system32\IVIresizeM6.dll
    2009-07-05 07:50 . 2008-04-02 04:40 204944 ----a-w- c:\windows\system32\IVIresizeA6.dll
    2009-07-05 07:50 . 2008-04-02 04:40 24720 ----a-w- c:\windows\system32\IVIresize.dll
    2009-07-05 07:45 . 2009-07-05 07:47 d-----w- c:\program files\Corel
    2009-07-05 07:45 . 2009-07-05 07:45 d-----w- c:\documents and settings\matthew.YOUR-727A0A4E7C.001\Application Data\InstallShield
    2009-07-05 06:14 . 2009-07-10 14:54 d-----w- c:\documents and settings\matthew.YOUR-727A0A4E7C.001\Local Settings\Application Data\Stardock
    2009-07-04 23:15 . 2009-07-07 04:55 d-----w- c:\documents and settings\matthew.YOUR-727A0A4E7C.001\Local Settings\Application Data\MixenSoft_WBINC
    2009-07-04 23:07 . 2005-05-18 18:43 81920 ----a-w- c:\windows\system32\CloseApp.exe
    2009-07-04 22:08 . 2009-07-04 22:08 d-----w- c:\program files\Tweak Manager
    2009-07-04 22:02 . 2009-07-04 22:02 1011 ----a-w- c:\windows\system32\unins000.dat
    2009-07-04 22:02 . 2009-07-04 22:02 702233 ----a-w- c:\windows\system32\unins000.exe
    2009-07-04 22:02 . 2003-06-25 23:05 266360 ----a-w- c:\windows\system32\TweakUI.exe
    2009-07-04 21:49 . 2009-07-04 21:49 d-----w- c:\program files\AVI GIF Converter
    2009-07-04 18:07 . 2008-06-13 13:10 272128 ------w- c:\windows\system32\drivers\bthport.sys
    2009-07-04 18:07 . 2008-06-13 13:10 272128 ------w- c:\windows\system32\dllcache\bthport.sys
    2009-07-04 07:28 . 2009-07-04 22:41 d-----w- c:\program files\Liberty BASIC v4.03
    2009-07-04 07:25 . 2009-07-04 07:25 dc----w- C:\thinBasic
    2009-07-04 06:12 . 2008-07-11 00:28 50200 ----a-w- c:\windows\system32\perf-SQLAgent$SQLEXPRESS-sqlagtctr10.0.1600.22.dll
    2009-07-04 06:11 . 2008-07-11 00:28 79896 ----a-w- c:\windows\system32\perf-MSSQL$SQLEXPRESS-sqlctr10.0.1600.22.dll
    2009-07-04 06:10 . 2009-07-04 06:10 d-----w- c:\windows\system32\RsFx
    2009-07-04 05:55 . 2009-07-04 05:55 d-----w- c:\program files\Microsoft Synchronization Services
    2009-07-04 05:52 . 2009-07-04 05:52 d-----w- c:\documents and settings\matthew.YOUR-727A0A4E7C.001\Local Settings\Application Data\Microsoft Help
    2009-07-04 04:11 . 2009-07-04 07:27 d-----w- c:\program files\Liberty BASIC v4.0
    2009-07-03 23:47 . 2009-07-03 23:47 d-----w- c:\documents and settings\matthew.YOUR-727A0A4E7C.001\Application Data\Nuance
    2009-07-03 23:39 . 2009-07-03 23:39 d-----w- c:\program files\Common Files\Scansoft Shared
    2009-07-03 02:40 . 2009-07-03 02:40 d-----w- c:\documents and settings\matthew.YOUR-727A0A4E7C.001\Local Settings\Application Data\Xenocode
    2009-07-03 02:40 . 2009-07-03 02:40 d-----w- c:\program files\Common Files\DeskShare Shared
    2009-07-03 02:40 . 2009-07-03 02:40 d-----w- c:\program files\Deskshare
    2009-07-03 02:38 . 2009-07-03 02:38 d-----w- c:\program files\ATTNaturalVoices
    2009-07-03 02:31 . 2009-07-03 02:37 d-----w- c:\documents and settings\matthew.YOUR-727A0A4E7C.001\Application Data\GetRightToGo
    2009-07-03 01:16 . 2009-07-03 01:16 d-----w- c:\documents and settings\matthew.YOUR-727A0A4E7C.001\Local Settings\Application Data\RapidSolution
    2009-07-03 00:01 . 2009-07-03 00:56 d-----w- c:\documents and settings\matthew.YOUR-727A0A4E7C.001\Application Data\Tunebite
    2009-07-02 23:57 . 2009-07-02 23:57 2723264 ----a-w- c:\documents and settings\matthew.YOUR-727A0A4E7C.001\Application Data\RapidSolution Software AG\Tunebite\install\vcredist_x86.exe
    2009-07-02 23:57 . 2009-07-02 23:57 d-----w- c:\documents and settings\matthew.YOUR-727A0A4E7C.001\Application Data\RapidSolution Software AG
    2009-07-02 16:40 . 2009-07-05 06:23 d-----w- c:\program files\AveDesk
    2009-07-02 16:35 . 2000-05-17 16:52 187392 ----a-w- c:\windows\system32\JPGUtils.dll
    2009-07-02 06:03 . 2009-07-02 06:03 d-----w- c:\program files\Common Files\DVDVideoSoft
    2009-07-02 06:03 . 2009-07-02 06:03 d-----w- c:\program files\DVDVideoSoft
    2009-07-02 05:24 . 2009-07-02 05:24 65536 ----a-w- c:\windows\IFinst27.exe
    2009-07-02 04:05 . 2009-07-02 04:05 d-----w- c:\program files\ViOrb
    2009-07-02 03:50 . 2009-07-02 03:51 d-----w- c:\documents and settings\matthew.YOUR-727A0A4E7C.001\Application Data\ViStart
    2009-07-02 03:45 . 2009-07-09 16:16 d-----w- c:\program files\ViStart
    2009-07-02 03:45 . 2009-07-05 01:10 d-----w- c:\program files\Vista Rainbar
    2009-07-02 03:45 . 2009-07-02 03:45 d-----w- c:\program files\LClock
    2009-07-02 03:45 . 2009-07-02 03:45 d-----w- c:\program files\Vista Drive Icon
    2009-07-02 03:45 . 2007-04-15 08:32 7333376 ----a-w- c:\windows\system32\vistaui.exe
    2009-07-02 03:45 . 2006-12-11 08:15 907776 ----a-w- c:\windows\system32\logon.scr
    2009-07-02 03:40 . 2009-07-02 03:40 d-----w- c:\documents and settings\matthew.YOUR-727A0A4E7C.001\Application Data\Styler
    2009-07-02 03:38 . 2009-07-07 04:44 d-----w- c:\windows\system32\VIRepair

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-07-19 17:31 . 2007-10-26 18:41 d-----w- c:\documents and settings\All Users\Application Data\TuneUp Software
    2009-07-19 17:31 . 2006-06-19 08:47 d-----w- c:\documents and settings\All Users\Application Data\Symantec
    2009-07-19 17:29 . 2009-06-14 03:56 d-----w- c:\program files\Spyware Doctor
    2009-07-19 17:17 . 2009-05-09 16:23 d-----w- c:\documents and settings\All Users\Application Data\MAGIX
    2009-07-19 17:15 . 2009-07-19 04:13 d-----w- c:\documents and settings\All Users\Application Data\iolo
    2009-07-19 06:10 . 2009-06-14 04:13 d-----w- c:\program files\Common Files\PC Tools
    2009-07-19 06:08 . 2009-07-19 06:08 d-----w- c:\documents and settings\matthew.YOUR-727A0A4E7C.001\Application Data\PC Tools
    2009-07-18 07:02 . 2009-03-02 01:54 d-----w- c:\documents and settings\LocalService\Application Data\VMware
    2009-07-18 07:02 . 2007-03-03 00:19 d-----w- c:\documents and settings\LocalService\Application Data\Symantec
    2009-07-18 03:01 . 2009-07-16 18:46 805 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
    2009-07-18 03:01 . 2009-07-16 18:46 7386 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
    2009-07-17 22:11 . 2009-06-13 20:16 d-----w- c:\program files\Malwarebytes' Anti-Malware
    2009-07-17 21:46 . 2006-06-19 08:47 d-----w- c:\program files\Common Files\Symantec Shared
    2009-07-16 19:43 . 2009-06-16 08:18 248840 ----a-w- c:\documents and settings\matthew.YOUR-727A0A4E7C.001\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2009-07-16 18:44 . 2008-12-28 00:53 d-----w- c:\documents and settings\All Users\Application Data\Norton
    2009-07-16 18:43 . 2009-05-23 14:54 d-----w- c:\program files\NortonInstaller
    2009-07-15 20:33 . 2006-06-19 08:04
    d--h--w- c:\program files\InstallShield Installation Information
    2009-07-15 08:00 . 2009-07-19 17:15 87888 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20090719.004\NAVENG.SYS
    2009-07-15 08:00 . 2009-07-19 17:15 875728 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20090719.004\NAVEX15.SYS
    2009-07-15 08:00 . 2009-07-19 17:15 177520 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20090719.004\NAVENG32.DLL
    2009-07-15 08:00 . 2009-07-19 17:15 1181040 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20090719.004\NAVEX32A.DLL
    2009-07-15 08:00 . 2009-07-19 17:15 371248 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20090719.004\EECTRL.SYS
    2009-07-15 08:00 . 2009-07-19 17:15 101936 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20090719.004\ERASER.SYS
    2009-07-15 08:00 . 2009-07-19 17:15 259368 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20090719.004\ECMSVR32.DLL
    2009-07-15 08:00 . 2009-07-19 17:15 2414128 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20090719.004\CCERASER.DLL
    2009-07-10 15:41 . 2004-08-10 15:00 4193280 ----a-w- c:\windows\system32\logonuiX.exe
    2009-07-10 14:53 . 2008-07-31 22:10 d-----w- c:\program files\Object Desktop
    2009-07-07 06:00 . 2008-08-29 19:45 d-----w- c:\program files\Sony
    2009-07-07 04:41 . 2009-07-07 04:41 8 ----a-w- c:\program files\fkjudx.txt
    2009-07-05 06:23 . 2008-09-13 04:12 d-----w- c:\program files\SearchSpy
    2009-07-05 06:23 . 2009-06-09 19:12 d-----w- c:\program files\Setup NetZero
    2009-07-05 06:23 . 2006-06-19 08:23 d-----w- c:\program files\RGB
    2009-07-05 01:53 . 2009-07-04 01:36 1595 ----a-w- c:\documents and settings\matthew.YOUR-727A0A4E7C.001\Application Data\SAS7_000.DAT
    2009-07-04 18:12 . 2008-10-27 20:36 d-----w- c:\program files\Common Files\Stardock
    2009-07-04 18:12 . 2009-05-17 03:03 d-----w- c:\program files\Stardock
    2009-07-04 06:10 . 2008-08-31 20:09 d-----w- c:\program files\Microsoft SQL Server
    2009-07-04 06:08 . 2007-10-06 20:18 d-----w- c:\program files\Microsoft.NET
    2009-07-04 05:32 . 2008-10-26 16:31 d-----w- c:\program files\PC-Doctor for Windows
    2009-07-04 05:27 . 2008-10-27 20:40 d-----w- c:\program files\Articulate
    2009-07-03 01:11 . 2008-07-20 23:39 d-----w- c:\program files\PixiePack Codec Pack
    2009-07-02 03:45 . 2007-10-24 20:56 d-----w- c:\program files\Styler
    2009-07-02 03:36 . 2007-12-26 20:04 d-----w- c:\program files\WinFlip
    2009-07-02 02:12 . 2008-10-21 02:41 d-----w- c:\program files\Microsoft Silverlight
    2009-06-30 21:07 . 2009-06-19 07:58 d-----w- c:\documents and settings\matthew.YOUR-727A0A4E7C.001\Application Data\U3
    2009-06-28 21:35 . 2008-10-27 20:35 d-----w- c:\program files\coolpro2
    2009-06-26 00:39 . 2009-04-07 19:13 d-----w- c:\program files\TuneUp Utilities 2009
    2009-06-25 18:42 . 2009-06-25 18:39 d-----w- c:\program files\K-Lite Codec Pack
    2009-06-25 16:48 . 2008-12-12 04:00 d-----w- c:\program files\K-Meleon
    2009-06-25 16:48 . 2009-03-04 16:07 d-----w- c:\program files\WinImage
    2009-06-24 22:59 . 2008-06-08 01:15 d-----w- c:\program files\iTunes
    2009-06-24 22:55 . 2008-08-16 22:09 d-----w- c:\program files\QuickTime
    2009-06-24 04:11 . 2007-07-21 21:12 10177 ----a-w- c:\windows\mozver.dat
    2009-06-20 23:17 . 2008-10-27 20:38 d-----w- c:\program files\Common Files\Adobe
    2009-06-20 16:32 . 2009-01-19 19:34 d-----w- c:\program files\Real Alternative
    2009-06-20 06:49 . 2008-09-22 02:58 d-----w- c:\program files\Paint.NET
    2009-06-20 05:20 . 2009-05-31 02:34 d-----w- c:\program files\Microsoft LifeCam
    2009-06-19 18:02 . 2009-06-19 18:02 40960 ----a-r- c:\documents and settings\matthew.YOUR-727A0A4E7C.001\Application Data\Microsoft\Installer\{AE98861E-5D55-4787-9E18-6A054783D124}\NewShortcut1.exe
    2009-06-19 18:02 . 2009-06-19 18:02 40960 ----a-r- c:\documents and settings\matthew.YOUR-727A0A4E7C.001\Application Data\Microsoft\Installer\{AE98861E-5D55-4787-9E18-6A054783D124}\alch3d.exe
    2009-06-19 05:41 . 2009-06-19 04:59 d-----w- c:\documents and settings\matthew.YOUR-727A0A4E7C.001\Application Data\vlc
    2009-06-19 05:02 . 2009-06-19 05:00 d-----w- c:\documents and settings\matthew.YOUR-727A0A4E7C.001\Application Data\dvdcss
    2009-06-19 04:51 . 2009-06-19 04:51 d-----w- c:\program files\VideoLAN
    2009-06-18 03:25 . 2009-06-18 03:25 d-----w- c:\documents and settings\matthew.YOUR-727A0A4E7C.001\Application Data\Netscape
    2009-06-16 19:42 . 2009-06-16 19:42 d-----w- c:\documents and settings\matthew.YOUR-727A0A4E7C.001\Application Data\Media Player Classic
    2009-06-16 19:23 . 2009-06-16 08:18 150 ----a-w- c:\documents and settings\matthew.YOUR-727A0A4E7C.001\Local Settings\Application Data\fusioncache.dat
    2009-06-16 08:19 . 2009-06-16 08:18 d-----w- c:\documents and settings\matthew.YOUR-727A0A4E7C.001\Application Data\K-Meleon
    2009-06-16 08:08 . 2006-06-19 08:04 d-----w- c:\program files\HPQ
    2009-06-16 07:08 . 2006-06-19 08:55 d-----w- c:\program files\Quickensetup
    2009-06-16 07:08 . 2006-06-19 08:55 d-----w- c:\program files\Quicken
    2009-06-16 07:05 . 2006-06-19 08:54 d-----w- c:\program files\music_now
    2009-06-16 07:05 . 2006-06-19 08:29 d-----w- c:\program files\MSN Encarta Plus
    2009-06-16 07:05 . 2006-06-19 08:29 d-----w- c:\program files\Microsoft Works
    2009-06-16 07:04 . 2006-06-19 08:35 d-----w- c:\program files\Microsoft Office Trial Wizard
    2009-06-16 07:03 . 2006-06-19 08:46 d-----w- c:\program files\HP Rhapsody
    2009-06-16 07:00 . 2006-06-19 08:52 d-----w- c:\program files\Google
    2009-06-16 07:00 . 2006-06-19 08:20 d-----w- c:\program files\GemMaster
    2009-06-16 07:00 . 2006-06-19 08:20 d-----w- c:\program files\ESPNMotion
    2009-06-16 07:00 . 2006-06-19 08:20 d-----w- c:\program files\EnglishOtto
    2009-06-16 07:00 . 2006-06-19 08:20 d-----w- c:\program files\DIGStream
    2009-06-16 06:59 . 2006-06-19 08:36 d-----w- c:\program files\Common Files\SureThing Shared
    2009-06-16 06:59 . 2006-06-19 08:16 d-----w- c:\program files\Common Files\Sonic Shared
    2009-06-16 06:59 . 2006-06-19 08:55 d-----w- c:\program files\Common Files\Palo Alto Software
    2009-06-16 06:58 . 2006-06-19 08:58 d-----w- c:\program files\Common Files\LightScribe
    2009-06-16 06:48 . 2009-06-16 08:16 d-----w- c:\windows\system32\config\systemprofile\Application Data\Symantec
    2009-06-14 04:11 . 2008-10-27 04:31 d-----w- c:\program files\Spyware Doctor(2)
    2009-06-10 18:44 . 2009-06-10 17:58 d-----w- c:\program files\Face-OP 2.0
    2009-06-10 17:58 . 2009-06-10 17:58 72192 ----a-w- c:\windows\cadkasdeinst01e.exe
    2009-06-10 02:35 . 2009-06-10 02:35 d-----w- c:\program files\DVD Decrypter
    2009-06-09 19:24 . 2009-06-09 19:24 d-----w- c:\program files\Common Files\Fellowes
    2009-06-09 19:17 . 2009-06-09 19:17 d-----w- c:\program files\Pinnacle
    2009-06-09 19:17 . 2009-06-09 19:17 2423 ----a-w- c:\windows\NewRecorder.reg
    2009-06-09 19:17 . 2009-06-09 19:17 1866853 ----a-w- c:\windows\Recorder.reg
    2009-05-31 05:26 . 2009-05-31 05:09 d-----w- c:\program files\Nero
    2009-05-31 05:26 . 2009-05-31 05:25 d-----w- c:\program files\Common Files\Ahead
    2009-05-31 04:18 . 2009-05-24 19:25 d-----w- c:\program files\Virtual CD v9
    2009-05-31 03:00 . 2009-05-31 03:00 d-----w- c:\program files\Summitsoft
    2009-05-30 16:41 . 2009-05-27 14:33 d-----w- c:\program files\Alex Text Editor
    2009-05-30 16:41 . 2008-10-27 20:40 d-----w- c:\program files\AIM
    2009-05-29 21:37 . 2009-06-25 18:39 205824 ----a-w- c:\windows\system32\xvidvfw.dll
    2009-05-29 21:31 . 2009-06-25 18:39 881664 ----a-w- c:\windows\system32\xvidcore.dll
    2009-05-27 22:23 . 2009-05-27 22:23 d-----w- c:\program files\DeskSpace
    2009-06-25 00:11 . 2009-06-25 00:11 227696 ----a-w- c:\program files\mozilla firefox\components\AdVComponent.dll
    2009-07-04 22:09 . 2009-06-24 21:17 137208 ----a-w- c:\program files\mozilla firefox\components\brwsrcmp.dll
    2008-08-26 20:49 . 2008-08-26 20:49 133120 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
    2009-04-12 01:18 . 2009-04-12 01:18 48640 --sha-w- c:\windows\system32\fugodalo.dll.tmp
    2009-04-12 01:18 . 2009-04-12 01:18 48640 --sha-w- c:\windows\system32\laberozo.dll.tmp
    2009-04-12 01:18 . 2009-04-12 01:18 48640 --sha-w- c:\windows\system32\mirikiri.dll.tmp
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
    2009-04-02 19:47 333192 ----a-w- c:\program files\AskBarDis\bar\bin\askBar.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{3041d03e-fd4b-44e0-b742-2d9b88305f98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2009-04-02 333192]

    [HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
    [HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
    "{3041D03E-FD4B-44E0-B742-2D9B88305F98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2009-04-02 333192]

    [HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
    [HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Google Update"="c:\documents and settings\matthew.YOUR-727A0A4E7C.001\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-06-16 133104]
    "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-10 15360]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "1A:Stardock TrayMonitor"="c:\program files\Common Files\stardock\TrayServer.exe" [2003-02-14 81920]
    "ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-06 64512]
    "ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-09-28 344064]
    "QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2005-12-12 94208]
    "eabconfg.cpl"="c:\program files\HPQ\Quick Launch Buttons\EabServr.exe" [2005-12-22 405504]
    "RecGuard"="c:\windows\SMINST\RecGuard.exe" [2005-10-11 1187840]
    "hpWirelessAssistant"="c:\program files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2005-12-14 507904]
    "LifeCam"="c:\program files\Microsoft LifeCam\LifeExp.exe" [2007-05-17 279912]
    "VX3000"="c:\windows\vVX3000.exe" [2007-04-10 709992]
    "LogonStudio"="c:\program files\WinCustomize\LogonStudio\logonstudio.exe" [2002-09-04 987187]
    "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-06-19 729178]
    "SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-09-29 155648]
    "ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2005-02-16 221184]
    "ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-02-16 81920]
    "Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-04 866584]
    "DrvIcon"="c:\program files\Vista Drive Icon\DrvIcon.exe" [2008-04-14 49152]
    "iolo Personal Firewall"="c:\program files\iolo\System Mechanic Professional\Personal Firewall\ioloFW.exe" [2009-05-13 1322848]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Firefox Preloader.lnk - c:\program files\FirefoxPreloader\FirefoxPreloader.exe [2009-7-19 98304]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
    "UIHost"="c:\windows\system32\logonuiX.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\MCPClient]
    2005-01-31 23:13 49152 ----a-w- c:\program files\Common Files\Stardock\MCPStub.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WBSrv]
    2009-07-02 02:09 210168 ----a-w- c:\program files\Stardock\Object Desktop\WindowBlinds\WbSrv.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=c:\windows\system32\wbsys.dll

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
    @=""

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
    @=""

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys]
    @="FSFilter Activity Monitor"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
    @="Service"

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^reico.bat]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\reico.bat
    backup=c:\windows\pss\reico.batCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^matthew.YOUR-727A0A4E7C.001^Start Menu^Programs^Startup^ViClock.exe]
    path=c:\documents and settings\matthew.YOUR-727A0A4E7C.001\Start Menu\Programs\Startup\ViClock.exe
    backup=c:\windows\pss\ViClock.exeStartup

    [HKLM\~\startupfolder\C:^Documents and Settings^matthew.YOUR-727A0A4E7C.001^Start Menu^Programs^Startup^WinFlip.lnk]
    path=c:\documents and settings\matthew.YOUR-727A0A4E7C.001\Start Menu\Programs\Startup\WinFlip.lnk
    backup=c:\windows\pss\WinFlip.lnkStartup

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
    "AdVantage"=c:\documents and settings\matthew.YOUR-727A0A4E7C.001\Application Data\advantage\AdVantage.exe
    "SeaMonkey Quick Launch"="c:\program files\mozilla.org\SeaMonkey\SeaMonkey.exe" -turbo
    "Style Change Application"=c:\program files\Styler\Styler.exe
    "DAEMON Tools"="c:\program files\DAEMON Tools\daemon.exe" -lang 1033 -noicon

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
    "DNS7reminder"="f:\program files\Nuance\NaturallySpeaking9\Program\ereg.exe" -r "f:\program files\Nuance\NaturallySpeaking9\Program\ereg.ini"
    "UVS12 Preload"=c:\program files\Corel\Corel VideoStudio 12\uvPL.exe
    "DrvIcon"=c:\program files\Vista Drive Icon\DrvIcon.exe
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe"
    "tikapibote"=Rundll32.exe "c:\windows\system32\kuwotevi.dll",s

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"=
    "c:\\Program Files\\Microsoft LifeCam\\LifeExp.exe"=
    "c:\\Program Files\\BitLord\\BitLord.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\Program Files\\Vuze\\Azureus.exe"=
    "c:\\Program Files\\uTorrent\\uTorrent.exe"=
    "c:\\Program Files\\iolo\\System Mechanic Professional\\Personal Firewall\\ioloFW.exe"=

    R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NAV\1005000.086\SymEFA.sys [7/17/2009 8:01 PM 310320]
    R0 XPacket;iolo Personal Firewall Driver;c:\windows\system32\xpacket.sys [7/17/2009 7:17 PM 39424]
    R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\NAV\1005000.086\BHDrvx86.sys [7/17/2009 8:01 PM 258608]
    R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\NAV\1005000.086\cchpx86.sys [7/17/2009 7:46 PM 482352]
    R1 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090715.003\IDSXpx86.sys [7/17/2009 2:49 PM 276344]
    R2 Cepstral License Server;Cepstral License Server;c:\program files\Cepstral\bin\CepstralLicSrv.exe [3/15/2007 1:54 PM 57344]
    R2 ioloFileInfoList;iolo FileInfoList Service;c:\program files\iolo\Common\Lib\ioloServiceManager.exe [7/17/2009 7:17 PM 600944]
    R2 ioloSystemService;iolo System Service;c:\program files\iolo\Common\Lib\ioloServiceManager.exe [7/17/2009 7:17 PM 600944]
    R2 Norton AntiVirus;Norton AntiVirus;c:\program files\Norton AntiVirus\Engine\16.5.0.134\ccSvcHst.exe [7/17/2009 7:47 PM 115560]
    R2 TuneUp.ProgramStatisticsSvc;TuneUp Program Statistics Service;c:\windows\system32\TUProgSt.exe [6/25/2009 5:39 PM 604416]
    R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
    R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [7/17/2009 2:50 PM 101936]
    R3 HSFHWATI;HSFHWATI;c:\windows\system32\drivers\HSFHWATI.sys [8/22/2005 2:06 AM 231424]
    S2 ASKUpgrade;ASKUpgrade;c:\program files\AskBarDis\bar\bin\ASKUpgrade.exe [7/1/2009 6:27 PM 234888]
    S3 PL-40R;CASIO USB MIDI;c:\windows\system32\drivers\pl40rwdm.sys [6/27/2009 6:19 PM 18048]
    S3 SaiH0109;SaiH0109;c:\windows\system32\drivers\SaiH0109.sys [5/1/2007 3:45 PM 132232]
    S3 SaiU0109;SaiU0109;c:\windows\system32\drivers\SaiU0109.sys [5/1/2007 3:45 PM 28416]
    S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [6/13/2009 8:56 PM 348752]
    S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\Microsoft SQL Server\100\Shared\sqladhlp.exe [7/10/2008 5:28 PM 47128]
    S4 RsFx0102;RsFx0102 Driver;c:\windows\system32\drivers\RsFx0102.sys [7/10/2008 2:49 AM 242712]
    S4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE [7/10/2008 5:28 PM 369688]

    --- Other Services/Drivers In Memory ---

    *Deregistered* - mchInjDrv

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
    UxTuneUp

    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
    "c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP

    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{B2C3BB6B-E005-4246-B8E5-DF0A4D073CDC}]
    c:\program files\PixiePack Codec Pack\InstallerHelper.exe
    .
    Contents of the 'Scheduled Tasks' folder

    2009-07-19 c:\windows\Tasks\1-Click Maintenance.job
    - c:\program files\TuneUp Utilities 2009\OneClickStarter.exe [2009-04-27 22:37]

    2009-07-15 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]

    2009-07-19 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2726749675-3212046506-605393055-1005.job
    - c:\documents and settings\Monkey!\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-02-01 22:14]

    2009-07-15 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2941088980-1624525114-3817678198-1005Core.job
    - c:\documents and settings\matthew.YOUR-727A0A4E7C.001\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-06-16 21:21]

    2009-07-19 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2941088980-1624525114-3817678198-1005UA.job
    - c:\documents and settings\matthew.YOUR-727A0A4E7C.001\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-06-16 21:21]

    2009-06-27 c:\windows\Tasks\Maintenance en 1 clic.job
    - c:\program files\TuneUp Utilities 2007\SystemOptimizer.exe [2006-12-20 00:53]

    2009-07-19 c:\windows\Tasks\MP Scheduled Scan.job
    - c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 02:20]
    .
    - - - - ORPHANS REMOVED - - - -

    BHO-{6b02d315-53c4-47a7-b3c7-edc4a053586c} - (no file)
    WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)
    HKLM-Run-CPM48deb830 - c:\windows\system32\nahilifo.dll


    .
    Supplementary Scan
    .
    uStart Page = hxxp://www.msn.com
    uInternet Settings,ProxyOverride = *.local
    uSearchURL,(Default) = hxxp://toolbar.ask.com/toolbarv/askRedirect?o=13917&gct=&gc=1&q=%s
    IE: &Google Search - c:\program files\Google\GoogleToolbar1.dll/cmsearch.html
    IE: &Translate English Word - c:\program files\Google\GoogleToolbar1.dll/cmwordtrans.html
    IE: Backward Links - c:\program files\Google\GoogleToolbar1.dll/cmbacklinks.html
    IE: Cached Snapshot of Page - c:\program files\Google\GoogleToolbar1.dll/cmcache.html
    IE: Similar Pages - c:\program files\Google\GoogleToolbar1.dll/cmsimilar.html
    IE: Translate Page into English - c:\program files\Google\GoogleToolbar1.dll/cmtrans.html
    IE: {{8b745d49-2dad-4338-b090-8f9b1e02a7f8} - c:\program files\YouTube Clip Extractor\ClipExtractor.exe
    LSP: c:\program files\iolo\Common\Firewall\iFW_Xfilter.dll
    FF - ProfilePath - c:\documents and settings\matthew.YOUR-727A0A4E7C.001\Application Data\Mozilla\Firefox\Profiles\cc109t13.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2326092&SearchSource=3&q={searchTerms}
    FF - prefs.js: browser.search.selectedEngine - Google
    FF - prefs.js: browser.startup.homepage - hxxp://heliumboy.webs.com/
    FF - prefs.js: keyword.URL - hxxp://search.freecause.com/search?fr=freecause&ourmark=3&type=60655&p=
    FF - prefs.js: network.proxy.type - 2
    FF - component: c:\documents and settings\matthew.YOUR-727A0A4E7C.001\Application Data\Mozilla\Firefox\Profiles\cc109t13.default\extensions\{0141db0d-d129-4511-9916-af110cfffe75}\components\Engine.dll
    FF - component: c:\documents and settings\matthew.YOUR-727A0A4E7C.001\Application Data\Mozilla\Firefox\Profiles\cc109t13.default\extensions\{f4c71234-2827-4f35-b638-bc059dc6df82}\components\FFExternalAlert.dll
    FF - component: c:\program files\Mozilla Firefox\components\AdVComponent.dll
    FF - plugin: c:\documents and settings\matthew.YOUR-727A0A4E7C.001\Local Settings\Application Data\Google\Update\1.2.183.7\npGoogleOneClick8.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npgcplug.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npracplug.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll

    ---- FIREFOX POLICIES ----
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.cache_size", 51200);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.ogg.enabled", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.wave.enabled", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.dpi", -1);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("geo.enabled", true);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
    c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");
    .
    .
    File Associations
    .
    JSEFile=NOTEPAD.EXE %1
    VBEFile=NOTEPAD.EXE %1
    VBSFile=NOTEPAD.EXE %1
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-07-19 11:10
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    [HKEY_LOCAL_MACHINE\System\ControlSet003\Services\Norton AntiVirus]
    "ImagePath"="\"c:\program files\Norton AntiVirus\Engine\16.5.0.134\ccSvcHst.exe\" /s \"Norton AntiVirus\" /m \"c:\program files\Norton AntiVirus\Engine\16.5.0.134\diMaster.dll\" /prefetch:1"
    .
    LOCKED REGISTRY KEYS

    [HKEY_USERS\S-1-5-21-2941088980-1624525114-3817678198-1005\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID]
    @Denied: (Full) (LocalSystem)
    @SACL=
    .
    DLLs Loaded Under Running Processes

    - - - - - - - > 'winlogon.exe'(1776)
    c:\windows\system32\Ati2evxx.dll
    c:\program files\Common Files\Stardock\mcpstub.dll
    c:\windows\system32\cscui.dll
    c:\program files\Stardock\Object Desktop\WindowBlinds\wbsrv.dll

    - - - - - - - > 'explorer.exe'(4660)
    c:\windows\system32\WININET.dll
    c:\progra~1\WINDOW~1\wmpband.dll
    c:\progra~1\COMMON~1\Stardock\MCPCore.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\SETUPAPI.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\program files\Stardock\Object Desktop\IconPackager\iprepair.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    c:\windows\system32\NETSHELL.dll
    c:\windows\system32\credui.dll
    c:\windows\system32\msi.dll
    .
    Completion time: 2009-07-19 11:29
    ComboFix-quarantined-files.txt 2009-07-19 18:29

    Pre-Run: 4,618,547,200 bytes free
    Post-Run: 4,636,860,416 bytes free

    Current=3 Default=3 Failed=2 LastKnownGood=4 Sets=1,2,3,4
    520 --- E O F --- 2009-07-14 22:57
  • jubjub449 (California, New)
    edited July 2009
    HJT seems to be having trouble, and it has an error:

    Error Details:

    An unexpected error has occurred at procedure: modRegistry_IniGetString(sFile=system.ini, sSection=boot, sValue=Shell)
    Error#5 - Invalid procedure call or argument

    Windows version: Windows NT 5.01.2600
    MSIE version: 8.0.6001.18702
    HijackThis version: 2.0.2


    It managed to post a log, though.


    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 11:42:27 AM, on 7/19/2009
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\windows\System32\smss.exe
    C:\windows\system32\winlogon.exe
    C:\windows\system32\services.exe
    C:\windows\system32\lsass.exe
    C:\windows\system32\Ati2evxx.exe
    C:\windows\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\windows\System32\svchost.exe
    C:\windows\system32\spoolsv.exe
    C:\Program Files\Common Files\Stardock\SDMCP.exe
    C:\windows\system32\Ati2evxx.exe
    C:\Program Files\Common Files\stardock\TrayServer.exe
    C:\WINDOWS\ehome\ehtray.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Program Files\HP\QuickPlay\QPService.exe
    C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
    C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Cepstral\bin\CepstralLicSrv.exe
    C:\windows\eHome\ehRecvr.exe
    C:\Program Files\Vista Drive Icon\DrvIcon.exe
    C:\windows\eHome\ehSched.exe
    C:\Program Files\iolo\common\lib\ioloServiceManager.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\windows\system32\ctfmon.exe
    C:\Program Files\Microsoft LifeCam\MSCamS32.exe
    C:\Program Files\Norton AntiVirus\Engine\16.5.0.134\ccSvcHst.exe
    c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
    C:\windows\system32\svchost.exe
    C:\windows\System32\TUProgSt.exe
    C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
    C:\Program Files\Norton AntiVirus\Engine\16.5.0.134\ccSvcHst.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\PROGRA~1\hpq\Shared\HPQTOA~1.EXE
    C:\windows\System32\svchost.exe
    C:\WINDOWS\eHome\ehmsas.exe
    C:\windows\system32\wscntfy.exe
    C:\windows\system32\wuauclt.exe
    C:\windows\explorer.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    C:\Documents and Settings\matthew.YOUR-727A0A4E7C.001\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\Documents and Settings\matthew.YOUR-727A0A4E7C.001\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
    C:\Documents and Settings\matthew.YOUR-727A0A4E7C.001\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://toolbar.ask.com/toolbarv/askRedirect?o=13917&gct=&gc=1&q=
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://toolbar.ask.com/toolbarv/askRedirect?o=13917&gct=&gc=1&q=%s
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
    O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton AntiVirus\Engine\16.5.0.134\IPSBHO.DLL
    O2 - BHO: Tunebite_WebRipPlugin Class - {AA102584-3B97-47e7-B9BC-75D54C110A7D} - C:\Program Files\RapidSolution\Tunebite\plugins\IE\TB_WebRipIePlugin.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: MSN Toolbar Helper - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files\MSN\Toolbar\3.0.1203.0\msneshellx.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
    O3 - Toolbar: MSN Toolbar - {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - C:\Program Files\MSN\Toolbar\3.0.1203.0\msneshellx.dll
    O3 - Toolbar: StylerToolBar - {D2F8F919-690B-4EA2-9FA7-A203D1E04F75} - C:\Program Files\Styler\TB\StylerTB.dll
    O4 - HKLM\..\Run: [1A:Stardock TrayMonitor] "C:\Program Files\Common Files\stardock\TrayServer.exe"
    O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
    O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
    O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
    O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
    O4 - HKLM\..\Run: [RecGuard] C:\Windows\SMINST\RecGuard.exe
    O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
    O4 - HKLM\..\Run: [LifeCam] "C:\Program Files\Microsoft LifeCam\LifeExp.exe"
    O4 - HKLM\..\Run: [VX3000] C:\WINDOWS\vVX3000.exe
    O4 - HKLM\..\Run: [LogonStudio] "C:\Program Files\WinCustomize\LogonStudio\logonstudio.exe" /RANDOM
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [SSBkgdUpdate] C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe -Embedding -boot
    O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
    O4 - HKLM\..\Run: [DrvIcon] C:\Program Files\Vista Drive Icon\DrvIcon.exe
    O4 - HKLM\..\Run: [iolo Personal Firewall] "C:\Program Files\iolo\System Mechanic Professional\Personal Firewall\ioloFW.exe"
    O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\matthew.YOUR-727A0A4E7C.001\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
    O4 - HKCU\..\Run: [ctfmon.exe] C:\windows\system32\ctfmon.exe
    O4 - Global Startup: Firefox Preloader.lnk = C:\Program Files\FirefoxPreloader\FirefoxPreloader.exe
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
    O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: Download with YouTube Clip Extractor - {8b745d49-2dad-4338-b090-8f9b1e02a7f8} - C:\Program Files\YouTube Clip Extractor\ClipExtractor.exe
    O10 - Unknown file in Winsock LSP: c:\program files\iolo\common\firewall\ifw_xfilter.dll
    O10 - Unknown file in Winsock LSP: c:\program files\iolo\common\firewall\ifw_xfilter.dll
    O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=presario&pf=laptop
    O20 - AppInit_DLLs: C:\WINDOWS\system32\wbsys.dll
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: ASKUpgrade - Unknown owner - C:\Program Files\AskBarDis\bar\bin\ASKUpgrade.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\windows\system32\Ati2evxx.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Cepstral License Server - Cepstral, LLC - C:\Program Files\Cepstral\bin\CepstralLicSrv.exe
    O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: iolo FileInfoList Service (ioloFileInfoList) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe
    O23 - Service: iolo System Service (ioloSystemService) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    O23 - Service: Norton AntiVirus - Symantec Corporation - C:\Program Files\Norton AntiVirus\Engine\16.5.0.134\ccSvcHst.exe
    O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
    O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
    O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software - C:\windows\System32\TuneUpDefragService.exe
    O23 - Service: TuneUp Program Statistics Service (TuneUp.ProgramStatisticsSvc) - TuneUp Software - C:\windows\System32\TUProgSt.exe

    --
    End of file - 10065 bytes
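As an added example (not part of this thread and not code from HijackThis), a small Python triage pass over lines in the shape of the log above: it keys on the markers HJT itself prints (`Unknown owner`, `Unknown file in Winsock LSP`, a populated `AppInit_DLLs`) and on R0/R1 URLs whose host is not the stock go.microsoft.com one. The sample lines are a constructed subset of the log, and the expected-host set is an assumption, so the result is a reading list for a helper, not a verdict.

```python
import re
from typing import List, NamedTuple
from urllib.parse import urlparse

# Constructed sample in the shape of the HijackThis log posted above
# (a subset of its R1/O2/O4/O10/O20/O23 lines, copied verbatim).
SAMPLE_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://toolbar.ask.com/toolbarv/askRedirect?o=13917&gct=&gc=1&q=
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton AntiVirus\Engine\16.5.0.134\IPSBHO.DLL
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O10 - Unknown file in Winsock LSP: c:\program files\iolo\common\firewall\ifw_xfilter.dll
O20 - AppInit_DLLs: C:\WINDOWS\system32\wbsys.dll
O23 - Service: ASKUpgrade - Unknown owner - C:\Program Files\AskBarDis\bar\bin\ASKUpgrade.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
"""

# Assumption: the stock IE start/search URLs in this log all point at
# go.microsoft.com; any other host in an R0/R1 line gets a second look.
EXPECTED_IE_HOSTS = {"go.microsoft.com"}

# HJT entry lines: section code (R0, O2, O23, ...), " - ", then the body.
ENTRY_RE = re.compile(r"^(?P<code>[RFO]\d+) - (?P<body>.+)$")


class Finding(NamedTuple):
    code: str
    reason: str
    detail: str


def triage_hjt(log_text: str) -> List[Finding]:
    """Walk an HJT log and return the entries a helper would inspect first."""
    findings = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue  # header, running-process list, blank line
        code, body = m.group("code"), m.group("body")
        if code in ("R0", "R1") and " = " in body:
            _key, url = body.rsplit(" = ", 1)
            host = urlparse(url).hostname or ""
            if host not in EXPECTED_IE_HOSTS:
                findings.append(Finding(code, "IE start/search URL points off the default host", url))
        elif code == "O10" and body.startswith("Unknown file in Winsock LSP"):
            # An LSP sits in the Winsock chain and sees every socket call.
            findings.append(Finding(code, "unrecognised Winsock LSP", body.split(": ", 1)[1]))
        elif code == "O20" and body.startswith("AppInit_DLLs:"):
            dlls = body.split(":", 1)[1].strip()
            if dlls:  # loaded into every process that links user32.dll
                findings.append(Finding(code, "AppInit_DLLs is populated", dlls))
        elif code == "O23" and " - Unknown owner - " in body:
            _name, path = body[len("Service: "):].split(" - Unknown owner - ", 1)
            findings.append(Finding(code, "service with no publisher", path))
    return findings


if __name__ == "__main__":
    for f in triage_hjt(SAMPLE_LOG):
        print(f"{f.code:4} {f.reason}: {f.detail}")
```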
  • edited July 2009
    Please copy this page to *Notepad* and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions. It's IMPORTANT to carry out the instructions in the sequence listed below.


    First,
    Go to http://virusscan.jotti.org, click on Browse, and upload the following files for analysis. You will only be able to have one file scanned at a time.

    c:\windows\system32\smrgdf.exe
    c:\windows\system32\iolobtdfg.exe
    c:\windows\system32\JPGUtils.dll
    c:\windows\IFinst27.exe
    c:\program files\fkjudx.txt
    c:\documents and settings\All Users\Start Menu\Programs\Startup\reico.bat


    Then click Submit. Allow the files to be scanned individually, and then please Copy/Paste the results here for me to see.

    If Jotti is busy, please go to http://www.virustotal.com.


    ===============================================================


    Next,
    1. Close any open browsers.
    2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

    Open *notepad* and copy/paste the text in the quotebox below into it:
    KILLALL::
    
    File::
    c:\windows\system32\fugodalo.dll.tmp
    c:\windows\system32\laberozo.dll.tmp
    c:\windows\system32\mirikiri.dll.tmp
    c:\windows\system32\kuwotevi.dll
    
    Registry::
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
    "tikapibote"=-
    
    Dirlook::
    c:\program files\SearchSpy
    c:\program files\coolpro2
    

    Save this as CFScript.txt, in the same location as ComboFix.exe which is on the Desktop.


    CFScript.gif

    Referring to the picture above, drag CFScript.txt into ComboFix.exe


    When finished, it shall produce a log for you at C:\ComboFix.txt

    Please copy and paste the ComboFix.txt in your next reply please.


    *Note:
    Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall. Altering this script in any way could damage your computer.*
  • jubjub449 (California, New)
    edited July 2009
    The first four files came up clean, but I can't seem to find reico.bat, which rebuilds the icon cache as far as I know.

    ComboFix again restarted the computer before it created a log file.

    At this point, should I run ComboFix.exe again?

    Thanks for all your help so far. The virus seems to have disappeared.
  • edited July 2009
    jubjub449 wrote:
    ComboFix again restarted the computer before it created a log file.
    Can I see this logfile please?
  • jubjub449 (California, New)
    edited July 2009
    chiaz wrote:
    Can I see this logfile please?
    I didn't seem to mention that it was like last time I ran ComboFix, when it wasn't able to create a log.
  • edited July 2009
    OK, let's have you run ComboFix again. Post the new log in your reply.
  • jubjub449 (California, New)
    edited July 2009
    chiaz wrote:
    OK, let's have you run ComboFix again. Post the new log in your reply.

    Dragging CFScript over it again?
  • edited July 2009
    Just double-click on the ComboFix.exe. :)
  • edited August 2009
    Whilst we appreciate that you may be busy, it has been 5 days or more since we heard from you. This topic is now closed.

    Infections can change and fresh instructions will now need to be given. If you wish to reopen your topic, please send a Private Message (PM) to Trogan with a link to your thread.

    If you are not the user who started this thread, you must start your own Thread instead :)