MalwareRemoval.com
Am I still infected?

Post by BillyC » June 29th, 2009, 8:32 am

Hello Everybody,

I have finally got rid of a persistent Trojan infection. My machine had slowed to a virtual crawl, my home page was changed, and I could not access some security tools in normal mode. I used Spybot, Ad-Aware, AVG, Malwarebytes Anti-Malware, SUPERAntiSpyware and Spyware Doctor. I used all of these tools in both safe mode and normal mode. My PC is working much better now, but I feel I have a bit more to do to clean it completely; could you please help?

My HJT log, taken in safe mode, is below.

Thank You
BillyC

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:19:15, on 29/06/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16850)
Boot mode: Safe mode

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\WINDOWS\System32\wbem\unsecapp.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.ie/
R3 - URLSearchHook: (no name) - {E312764E-7706-43F1-8DAB-FCDD2B1E416D} - (no file)
O2 - BHO: SnagIt Toolbar Loader - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 8\SnagItBHO.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll
O3 - Toolbar: ZoneAlarm Spy Blocker Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O4 - HKLM\..\Run: [vsc32cnf.exe] C:\Program Files\Roland\VSC32\vsc32cnf.exe
O4 - HKLM\..\Run: [vscvol.exe] C:\Program Files\Roland\VSC32\vscvol.exe
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [ThreatFire] C:\Program Files\ThreatFire\TFTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Belkin Wireless USB Utility.lnk = C:\Program Files\Belkin\USB F5D7050\Wireless Utility\Belkinwcui.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\Microsoft Office\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\Microsoft Office\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\vmware\vmware player\vsocklib.dll
O10 - Unknown file in Winsock LSP: c:\program files\vmware\vmware player\vsocklib.dll
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/house ... hcImpl.cab
O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - http://dlm.tools.akamai.com/dlmanager/v ... .2.4.1.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} - https://secure.logmein.com/activex/ractrl.cab?lmi=100
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: ASKService - Unknown owner - C:\Program Files\AskBarDis\bar\bin\AskService.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: ComodoBackupService - COMODO - C:\Program Files\Comodo\BackUp\CmdBkSvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Roxio\Roxio MyDVD DE\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: ThreatFire - PC Tools - C:\Program Files\ThreatFire\TFService.exe
O23 - Service: VMware Agent Service (ufad-ws60) - VMware, Inc. - C:\Program Files\VMware\VMware Player\vmware-ufad.exe
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files\VMware\VMware Player\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\system32\vmnetdhcp.exe
O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\system32\vmnat.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 8041 bytes
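The HJT log above is the kind of thing the helpers here read by eye. As an added example (not a MalwareRemoval.com tool and not code from this thread), the Python script below applies a few of those checks mechanically to the HJT line format: orphaned "(no file)" references, Winsock LSP entries, services with no readable company name, Run entries pointing into user-writable locations, and one DLL registered under several display names, which is exactly what askBar.dll does above (once as "AskBar BHO", once as "ZoneAlarm Spy Blocker Toolbar"). PUP_MARKERS and the [updater] O4 line in the sample are constructed for illustration; the other sample lines are copied from the posted log. None of the flags is a verdict: the O10 entries above belong to VMware's vsocklib.dll, and "Unknown owner" only means HJT could not read a company name out of the binary.

```python
"""Triage a HijackThis (HJT) log for entries worth a second look.

Added example for this thread, not a MalwareRemoval.com tool. HJT prints one
entry per line as "<section> - <body>", e.g. "O2 - BHO: <name> - {CLSID} -
<dll>" or "O4 - HKLM\\..\\Run: [<value>] <command>". The checks below are a
few of the ones a helper applies by eye. PUP_MARKERS and the [updater] O4
line in SAMPLE_LOG are constructed for illustration; the other sample lines
are copied from the log posted above.
"""
import re
from collections import defaultdict

LINE_RE = re.compile(r"^(?P<code>[RFO]\d+) - (?P<body>.*)$")
# O4 bodies look like "HKLM\..\Run: [value] command" with an optional
# trailing "(User 'name')"; capture just the command.
RUN_CMD_RE = re.compile(r"\]\s*(.+?)(?:\s+\(User '[^']*'\))?$")

# Path fragments of bundled toolbars (assumed, illustrative list).
PUP_MARKERS = ("askbardis",)
# Locations an HKLM/HKCU Run entry should not normally point into.
USER_WRITABLE = ("\\temp\\", "\\local settings\\", "\\application data\\")

SAMPLE_LOG = r"""
R3 - URLSearchHook: (no name) - {E312764E-7706-43F1-8DAB-FCDD2B1E416D} - (no file)
O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: ZoneAlarm Spy Blocker Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [updater] C:\Documents and Settings\user\Local Settings\Temp\svchost.exe
O10 - Unknown file in Winsock LSP: c:\program files\vmware\vmware player\vsocklib.dll
O23 - Service: ASKService - Unknown owner - C:\Program Files\AskBarDis\bar\bin\AskService.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
"""


def parse(log_text):
    """Yield (section code, body) for each HJT entry line; skip the rest."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group("code"), m.group("body")


def entry_path(code, body):
    """Lower-cased file path an entry points at ('' if none is present)."""
    if code == "O4":
        m = RUN_CMD_RE.search(body)
        return m.group(1).strip().strip('"').lower() if m else ""
    return body.rsplit(" - ", 1)[-1].strip().lower() if " - " in body else ""


def triage(log_text):
    """Return [(code, reason, entry)] for entries that need a human decision."""
    findings = []
    names_by_dll = defaultdict(set)  # O2/O3: dll path -> display names
    for code, body in parse(log_text):
        path = entry_path(code, body)
        if "(no file)" in body.lower():
            findings.append((code, "orphaned entry, file missing", body))
        if code == "O10":
            findings.append((code, "Winsock LSP entry, confirm vendor", body))
        if code == "O23" and "- unknown owner -" in body.lower():
            findings.append((code, "service with no readable company name", body))
        if code == "O4" and any(k in path for k in USER_WRITABLE):
            findings.append((code, "Run entry in user-writable location", body))
        if code in ("O2", "O3"):
            if any(k in path for k in PUP_MARKERS):
                findings.append((code, "bundled toolbar component", body))
            display = body.split(" - ")[0].split(": ", 1)[-1]
            names_by_dll[path].add(display)
    # The same DLL registered as both a BHO and a toolbar under different
    # names is how bundled toolbars usually show up in an HJT log.
    for dll, names in names_by_dll.items():
        if len(names) > 1:
            findings.append(("O2/O3", "one DLL under several names: " + ", ".join(sorted(names)), dll))
    return findings


if __name__ == "__main__":
    for code, reason, entry in triage(SAMPLE_LOG):
        print(f"{code:5} {reason}: {entry}")
```

Run it as-is to see the seven flags the sample raises; to use it on a real log, read the file into `triage()` instead of `SAMPLE_LOG`. The fixes a helper prescribes still depend on judgement, which is why the script only reports and never edits anything.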

Re: Am I still infected?

Post by MWR 3 day Mod » July 2nd, 2009, 3:11 pm

Hi,

We are sorry to see your topic is over three days old and no one has yet been able to respond and offer help.

If you still require assistance, please post a link to your topic in our Waiting for help with malware removal? forum, and our staff will make an effort to assist you as promptly as possible. Only post a LINK to this topic, DO NOT post your DDS log!

Please do not reply to this topic.

If you haven't posted within two days in the "Waiting for help with malware removal?" forum, we will assume you have been able to get assistance in other ways and this topic will be closed.

Re: Am I still infected?

Post by jmw3 » July 3rd, 2009, 3:04 am

Hello & Welcome to Malware Removal

Please Subscribe to this Thread to get immediate notification of replies as soon as they are posted. To do this, ensure Notify me when a reply is posted is ticked on the POST A REPLY page.

In the meantime please note the following:
  • Any recommendations made are for your computer problems only and should NOT be used on any other computer.
  • Please DO NOT run any scans/tools or other fixes unless I ask you to. This is very important for several reasons. Here are just two of them:
    1. The tools that we use are very powerful and can cause >>irreparable damage<< to your computer if not used correctly.
    2. Commercial scanners, for the most part, cannot completely remove some of the more "resistant" infections. This makes it much more difficult to get rid of them completely.
  • If you get stuck or are unsure of something please ask for a further explanation, do not guess.
  • It will require more than one round to properly clean your system. Continue to respond to this thread until I give you the All Clean! even if symptoms seemingly abate.
Please note that the forum is very busy and if I don't hear from you within five days this thread will be closed.
If for any reason you cannot complete instructions within that time, that's fine, just put a post here so that I know you're still here. We get a lot of people who simply leave & if there is no contact for that amount of time I will have to assume you have abandoned your topic.

Please run the following in Normal Mode if possible.

DDS
Download DDS.scr by sUBs from one of the following links & save it to your desktop.
Link 1
Link 2
  • Double-click on dds.scr and a command window will appear. This is normal.
  • Shortly after, two logs will appear: DDS.txt & Attach.txt
  • A window will open instructing you to save & post the logs
  • Save the logs to a convenient place such as your desktop
  • Copy the contents of both logs & post in your next reply
Gmer
Download GMER Rootkit Scanner from here.
  • Double click the .exe file. If asked to allow gmer.sys driver to load, please consent
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO

  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • Sections
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish
  • Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post
  • Save it where you can easily find it, such as your desktop, and post it in reply
**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries

Note: Do not run any programs while Gmer is running.

To post in next reply:
Contents of DDS log
Contents of Attach.txt
Contents of Gmer log

Re: Am I still infected?

Post by BillyC » July 3rd, 2009, 6:00 am

Hi JMW3

Thank you for helping me. I have pasted the logs you requested below.



DDS (Ver_09-06-26.01) - NTFSx86
Run by Billy Corcoran at 10:44:49.96 on 03/07/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_14
Microsoft Windows XP Professional 5.1.2600.3.1252.353.1033.18.2047.1376 [GMT 1:00]

AV: Spyware Doctor with AntiVirus *On-access scanning disabled* (Updated) {D3C23B96-C9DC-477F-8EF1-69AF17A6EFF6}
AV: AVG Internet Security *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\System32\svchost.exe -k NetworkService
C:\WINDOWS\System32\svchost.exe -k LocalService
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe -k LocalService
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Comodo\BackUp\CmdBkSvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\ThreatFire\TFService.exe
C:\Program Files\Roland\VSC32\vsc32cnf.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Roland\VSC32\vscvol.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\ThreatFire\TFTray.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Belkin\USB F5D7050\Wireless Utility\Belkinwcui.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\WINDOWS\system32\vmnat.exe
C:\WINDOWS\system32\vmnetdhcp.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\VMware\VMware Player\vmware-authd.exe
C:\WINDOWS\System32\wbem\unsecapp.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Billy Corcoran\Desktop\CleanUp\dds.pif
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = www.google.ie/
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: SpywareGuardDLBLOCK.CBrowserHelper: {4a368e80-174f-4872-96b5-0b27ddd11db2} - c:\program files\spywareguard\dlprotect.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [vsc32cnf.exe] c:\program files\roland\vsc32\vsc32cnf.exe
mRun: [vscvol.exe] c:\program files\roland\vsc32\vscvol.exe
mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe
mRun: [LogMeIn GUI] "c:\program files\logmein\x86\LogMeInSystray.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [ThreatFire] c:\program files\threatfire\TFTray.exe
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\billyc~1\startm~1\programs\startup\spywareguard.lnk - c:\program files\spywareguard\sgmain.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\belkin~1.lnk - c:\program files\belkin\usb f5d7050\wireless utility\Belkinwcui.exe
IE: E&xport to Microsoft Excel - c:\progra~1\microsoft office\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\microsoft office\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
LSP: c:\program files\vmware\vmware player\vsocklib.dll
DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} - hxxp://housecall65.trendmicro.com/house ... hcImpl.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shoc ... tor/sw.cab
DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/v ... .2.4.1.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/fl ... rashim.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} - hxxps://secure.logmein.com/activex/ractrl.cab?lmi=100
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: LMIinit - LMIinit.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
SEH: SpywareGuard.Handler: {81559c35-8464-49f7-bb0e-07a383bef910} - c:\program files\spywareguard\spywareguard.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\billyc~1\applic~1\mozilla\firefox\profiles\e22nb6s4.default\
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - component: c:\program files\mozilla firefox\extensions\search@searchsettings.com\components\SearchSettingsFF.dll
FF - plugin: c:\documents and settings\billy corcoran\local settings\application data\google\update\1.2.145.5\npGoogleOneClick8.dll
FF - plugin: f:\divx\divx player\npDivxPlayerPlugin.dll
FF - plugin: f:\divx\divx web player\npdivx32.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\mozilla firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\mozilla firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");

============= SERVICES / DRIVERS ===============

R0 hotcore3;hc3ServiceName;c:\windows\system32\drivers\hotcore3.sys [2009-6-25 40464]
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-3-15 64160]
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009-6-25 130936]
R0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys [2009-6-22 51984]
R0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys [2009-6-22 46864]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-6-20 335752]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-6-20 27784]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-6-20 108552]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-5-26 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-5-26 72944]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2009-6-25 353672]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-6-20 298776]
R2 ComodoBackupService;ComodoBackupService;c:\program files\comodo\backup\CmdBkSvc.exe [2008-11-27 1023488]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-3-9 1029456]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2009-4-10 47640]
R2 RVIEGVST;VSC VST Engine;c:\program files\roland\virtual sound canvas vst\RVIEg01VST.sys [2008-8-13 188276]
R2 ThreatFire;ThreatFire;c:\program files\threatfire\tfservice.exe service --> c:\program files\threatfire\TFService.exe service [?]
R2 vmci;VMware vmci;c:\windows\system32\drivers\vmci.sys [2009-3-26 54960]
R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
R3 TfNetMon;TfNetMon;c:\windows\system32\drivers\TfNetMon.sys [2009-6-22 33552]
R3 vsc32;Virtual Sound Canvas 3.2;c:\windows\system32\drivers\vsc.sys [2008-8-13 951284]
S2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\logmein\x86\rainfo.sys [2008-7-24 12856]
S3 MEMSWEEP2;MEMSWEEP2;c:\windows\system32\77.tmp [2009-6-25 5760]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-5-26 7408]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2009-6-25 348752]
S3 sdCoreService;PC Tools Security Service;c:\program files\spyware doctor\pctsSvc.exe [2009-6-25 1095560]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]

=============== Created Last 30 ================

2009-07-03 10:42 <DIR> --d-h--- c:\windows\PIF
2009-06-30 13:40 <DIR> --d----- c:\documents and settings\billy corcoran\Tracing
2009-06-30 13:34 <DIR> --d----- c:\program files\Microsoft
2009-06-30 13:33 <DIR> --d----- c:\program files\Windows Live SkyDrive
2009-06-30 13:22 <DIR> --d----- c:\program files\common files\Windows Live
2009-06-30 13:01 <DIR> --d----- c:\program files\filehippo.com
2009-06-28 22:16 <DIR> --d----- c:\program files\Trend Micro
2009-06-27 23:27 18,942 a------- c:\windows\system32\AAWService_2009_06_27_23_27_17.dmp
2009-06-25 17:10 40,464 a------- c:\windows\system32\drivers\hotcore3.sys
2009-06-25 17:09 <DIR> --d----- c:\program files\Paragon Software
2009-06-25 16:20 4,212 a---h--- c:\windows\system32\zllictbl.dat
2009-06-25 16:20 1,221,512 a------- c:\windows\system32\zpeng25.dll
2009-06-25 16:19 <DIR> --d----- c:\windows\system32\ZoneLabs
2009-06-25 16:19 <DIR> --d----- c:\program files\Zone Labs
2009-06-25 16:19 350,192 a------- c:\windows\system32\vsconfig.xml
2009-06-25 16:17 <DIR> --d----- c:\windows\Internet Logs
2009-06-25 15:47 159,600 a------- c:\windows\system32\drivers\pctgntdi.sys
2009-06-25 15:47 130,936 a------- c:\windows\system32\drivers\PCTCore.sys
2009-06-25 15:47 73,840 a------- c:\windows\system32\drivers\PCTAppEvent.sys
2009-06-25 15:47 64,392 a------- c:\windows\system32\drivers\pctplsg.sys
2009-06-25 15:47 <DIR> --d----- c:\program files\common files\PC Tools
2009-06-25 15:47 <DIR> --d----- c:\program files\Spyware Doctor
2009-06-25 15:47 <DIR> --d----- c:\docume~1\billyc~1\applic~1\PC Tools
2009-06-25 14:15 5,760 -------- c:\windows\system32\77.tmp
2009-06-25 13:48 <DIR> --d----- c:\docume~1\billyc~1\applic~1\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
2009-06-25 10:46 664 a------- c:\windows\system32\d3d9caps.dat
2009-06-24 22:07 <DIR> --d----- c:\program files\Windows Installer Clean Up
2009-06-24 20:43 <DIR> --d----- c:\program files\SpywareGuard
2009-06-24 20:24 <DIR> --d----- C:\MBtools.exe
2009-06-22 07:16 51,984 a------- c:\windows\system32\drivers\TfFsMon.sys
2009-06-22 07:16 46,864 a------- c:\windows\system32\drivers\TfSysMon.sys
2009-06-22 07:16 33,552 a------- c:\windows\system32\drivers\TfNetMon.sys
2009-06-22 07:16 <DIR> --d----- c:\program files\ThreatFire
2009-06-22 07:16 <DIR> --d----- c:\docume~1\alluse~1\applic~1\PC Tools
2009-06-21 10:49 5,760 -------- c:\windows\system32\8F.tmp
2009-06-20 19:49 2,862 a------- c:\windows\system32\tmp.reg
2009-06-20 18:22 <DIR> --d----- c:\program files\SpywareBlaster
2009-06-20 14:30 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-06-20 14:30 108,552 a------- c:\windows\system32\drivers\avgtdix.sys
2009-06-20 14:30 335,752 a------- c:\windows\system32\drivers\avgldx86.sys
2009-06-20 14:30 <DIR> --d----- c:\windows\system32\drivers\Avg
2009-06-19 21:19 <DIR> --d----- c:\docume~1\alluse~1\applic~1\IObit
2009-06-19 13:42 <DIR> --d----- c:\program files\Enigma Software Group
2009-06-14 09:44 <DIR> --d----- c:\docume~1\billyc~1\applic~1\TrueCrypt
2009-06-14 09:42 217,664 a------- c:\windows\system32\drivers\truecrypt.sys
2009-06-14 09:42 <DIR> --d----- c:\program files\TrueCrypt
2009-06-10 13:25 <DIR> --d----- c:\program files\EZBackitup

==================== Find3M ====================

2009-06-24 23:05 410,984 a------- c:\windows\system32\deploytk.dll
2009-06-17 11:27 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-17 11:27 19,096 ac------ c:\windows\system32\drivers\mbam.sys
2009-06-02 11:17 75,776 a------- c:\windows\system32\WS2Fix.exe
2009-05-27 00:33 15,688 ac------ c:\windows\system32\lsdelete.exe
2009-05-13 16:12 286,720 a------- c:\windows\iun506.exe
2009-05-13 01:36 21,504 a------- c:\windows\jestertb.dll
2009-05-07 16:32 345,600 a------- c:\windows\system32\localspl.dll
2009-04-29 05:56 827,392 a------- c:\windows\system32\wininet.dll
2009-04-29 05:55 78,336 ac------ c:\windows\system32\ieencode.dll
2009-04-17 13:26 1,847,168 a------- c:\windows\system32\win32k.sys
2009-04-15 15:51 585,216 a------- c:\windows\system32\rpcrt4.dll

============= FINISH: 10:46:12.78 ===============




UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-06-26.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 02/07/2008 19:36:59
System Uptime: 07/03/2009 10:22:01 (2832 hours ago)

Motherboard: First International Computer, Inc. | | AM39L
Processor: AMD Athlon(tm) XP 2400+ | Socket A | 1998/133mhz

==== Disk Partitions =========================

A: is Removable
C: is FIXED (NTFS) - 37 GiB total, 23.793 GiB free.
D: is CDROM ()
E: is CDROM ()
F: is FIXED (NTFS) - 234 GiB total, 168.621 GiB free.
G: is Removable
H: is Removable

==== Disabled Device Manager Items =============

Class GUID: {4D36E96D-E325-11CE-BFC1-08002BE10318}
Description: MSP3880-W 56K PCI Modem
Device ID: PCI\VEN_127A&DEV_2014&SUBSYS_4055122D&REV_01\3&61AAA01&0&48
Manufacturer: Conexant
Name: MSP3880-W 56K PCI Modem
PNP Device ID: PCI\VEN_127A&DEV_2014&SUBSYS_4055122D&REV_01\3&61AAA01&0&48
Service: Modem

==== System Restore Points ===================

RP558: 20/06/2009 11:35:40 - Revo Uninstaller's restore point - Spyware Doctor 6.0
RP559: 20/06/2009 13:57:59 - Revo Uninstaller's restore point - AVG 8.5
RP560: 20/06/2009 13:59:10 - Removed AVG 8.5
RP561: 20/06/2009 14:01:23 - Installed AVG 8.5
RP562: 20/06/2009 14:29:49 - Installed AVG Free 8.5
RP563: 21/06/2009 16:51:27 - System Checkpoint
RP564: 21/06/2009 17:14:08 - Advanced SystemCare RestorePoint
RP565: 24/06/2009 16:32:23 - System Checkpoint
RP566: 24/06/2009 18:07:05 - Revo Uninstaller's restore point - Skype™ Beta 4.1
RP567: 24/06/2009 18:07:40 - Removed Skype™ Beta 4.1
RP568: 24/06/2009 18:12:40 - Revo Uninstaller's restore point - Skype web features
RP569: 24/06/2009 18:13:04 - Removed Skype web features
RP570: 24/06/2009 19:27:46 - Revo Uninstaller's restore point - IObit Security 360 Beta 1.1
RP571: 24/06/2009 20:12:05 - Revo Uninstaller's restore point - Java(TM) 6 Update 6
RP572: 24/06/2009 20:14:45 - Revo Uninstaller's restore point - Java(TM) 6 Update 14
RP573: 24/06/2009 22:06:36 - Removed Windows Installer Clean Up
RP574: 24/06/2009 22:07:48 - Installed Windows Installer Clean Up
RP575: 24/06/2009 23:04:45 - Installed Java(TM) 6 Update 14
RP576: 25/06/2009 16:39:53 - Revo Uninstaller's restore point - Bonjour
RP577: 25/06/2009 16:40:58 - Removed Bonjour
RP578: 25/06/2009 16:42:37 - Revo Uninstaller's restore point - Apple Mobile Device Support
RP579: 25/06/2009 16:43:46 - Removed Apple Mobile Device Support
RP580: 25/06/2009 16:46:37 - Revo Uninstaller's restore point - Apple Software Update
RP581: 25/06/2009 16:46:59 - Removed Apple Software Update
RP582: 25/06/2009 17:09:30 - Installed Paragon Drive Backup™ 9 Personal Special Edition.
RP583: 26/06/2009 14:42:49 - Software Distribution Service 3.0
RP584: 27/06/2009 16:11:37 - System Checkpoint
RP585: 28/06/2009 16:59:26 - System Checkpoint
RP586: 29/06/2009 16:19:40 - Revo Uninstaller's restore point - SnagIt 8
RP587: 29/06/2009 16:22:19 - Revo Uninstaller's restore point - SnagIt 8
RP588: 29/06/2009 16:25:49 - SnagIt
RP589: 29/06/2009 16:28:56 - Revo Uninstaller's restore point - SnagIt 8
RP590: 29/06/2009 16:33:50 - Revo Uninstaller's restore point - ZoneAlarm Spy Blocker Toolbar
RP591: 30/06/2009 13:19:59 - TrueCrypt installation
RP592: 01/07/2009 07:05:43 - Configured AVG 8.5
RP593: 01/07/2009 07:22:29 - Avg8 Update
RP594: 01/07/2009 07:24:34 - Avg8 Update
RP595: 01/07/2009 07:25:53 - Avg8 Update
RP596: 01/07/2009 07:28:20 - Software Distribution Service 3.0
RP597: 02/07/2009 11:28:49 - System Checkpoint
RP598: 02/07/2009 20:27:07 - Revo Uninstaller's restore point - True Sword 5
RP599: 02/07/2009 20:29:19 - Revo Uninstaller's restore point - SpyHunter
RP600: 02/07/2009 20:30:58 - Revo Uninstaller's restore point - Yuuguu

==== Installed Programs ======================

AAC Decoder
Acrobat.com
Ad-Aware
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Photoshop 7.0
Adobe Reader 9.1.2
Adobe Shockwave Player 11.5
Advanced SystemCare 3
ArcSoft PhotoStudio 5.5
AutoUpdate
AVG 8.5
Belkin Wireless USB Utility
CamStudio
CamStudio Lossless Codec v1.4
Canon MP Navigator 2.0
Canon MP170
Canon Utilities Easy-PhotoPrint
CCleaner (remove only)
Choice Guard
Comodo BackUp
Critical Update for Windows Media Player 11 (KB959772)
Defraggler (remove only)
DivX Codec
DivX Converter
DivX Player
DivX Plus DirectShow Filters
DivX Version Checker
DivX Web Player
DriveImage XML (Private Edition)
EZBack-it-up 2.0.1
filehippo.com Update Checker
FixedLength
FlexiMusic Kids Composer
FlexiMusic Wave Editor
Free Mp3 Wma Converter V 1.81
H.264 Decoder
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB915800-v4)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
HyperCam 2
IsoBuster 2.5
Java(TM) 6 Update 14
LogMeIn
Looper
Malwarebytes' Anti-Malware
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Application Error Reporting
Microsoft Base Smart Card Cryptographic Service Provider Package
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Professional Edition 2003
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Web Embedding Fonts Tool (III)
Microsoft Windows XP Video Decoder Checkup Utility
MKV Splitter
Mozilla Firefox (3.5)
mp3-2-wav converter 1.14
MSP3880-W 56K PCI Modem
MSVCRT
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
NVIDIA Windows 2000/XP Display Drivers
OE-Mail Recovery 1.7
OmniPage SE
Packet Tracer 5.1
Paragon Drive Backup™ 9 Personal Special Edition
PIXresizer 1.0.8
Prism Video Converter
QuickTime
RealPlayer
Realtek AC'97 Audio
Revo Uninstaller 1.83
Rhythm'n'Chords 2 Lite CW
Roxio Creator Audio
Roxio Creator Copy
Roxio Creator Data
Roxio Creator DE
Roxio Creator Tools
Roxio Drag-to-Disc
Roxio Express Labeler
Roxio MyDVD DE
Roxio Update Manager
Search Settings 1.2.1
Security Update for Windows Internet Explorer 7 (KB938127-v2)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB970238)
Segoe UI
SlicyDrummer Lite
SONAR 2
SONAR 2.2
Sonic Activation Module
Sonic Timeworks Sonar 2 Plug-ins
Sophos Anti-Rootkit 1.3.1
Spelling Dictionaries Support For Adobe Reader 9
Spybot - Search & Destroy
Spyware Doctor 6.0
SpywareBlaster 4.2
SpywareGuard v2.2
Style Enhancer Micro 2.0
SUPERAntiSpyware Free Edition
Switch Sound File Converter
ThreatFire
TrueCrypt
TweakNow RegCleaner
Update for Windows XP (KB942763)
Update for Windows XP (KB943729)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB961503)
Update for Windows XP (KB967715)
VC 9.0 Runtime
VC80CRTRedist - 8.0.50727.762
VeloMaster Lite CW
VIA Rhine-Family Fast-Ethernet Adapter
Virtual Sound Canvas 3.2
Virtual Sound Canvas DXi
Virtual Sound Canvas VST
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
VMware Player
WAV to MP3 Encoder
WebFldrs XP
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Installer Clean Up
Windows Internet Explorer 7
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Live Upload Tool
Windows Media Format 11 runtime
Windows Media Format SDK Hotfix - KB891122
Windows Media Player 11
Windows XP Service Pack 3
WinRAR archiver
WinZip 12.1
XP Codec Pack
ZoneAlarm

==== Event Viewer Messages From Past Week ========

29/06/2009 11:10:24, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service MDM with arguments "" in order to run the server: {0C0A3666-30C9-11D0-8F20-00805F2CD064}
29/06/2009 11:09:04, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
29/06/2009 11:07:56, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD AmdPPM AvgLdx86 AvgMfx86 AvgTdiX Fips IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss SASDIFSV SASKUTIL Tcpip truecrypt UimBus Uim_IM vsdatant WS2IFSL
29/06/2009 11:07:56, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
29/06/2009 11:07:29, error: Service Control Manager [7001] - The TrueVector Internet Monitor service depends on the vsdatant service which failed to start because of the following error: A device attached to the system is not functioning.
29/06/2009 11:07:29, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD Networking Support Environment service which failed to start because of the following error: A device attached to the system is not functioning.
29/06/2009 11:07:29, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
29/06/2009 11:07:29, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
29/06/2009 11:07:29, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
29/06/2009 10:12:52, error: Service Control Manager [7000] - The Application Layer Gateway Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
29/06/2009 10:12:46, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Application Layer Gateway Service service to connect.
29/06/2009 10:11:50, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Roxio Hard Drive Watcher 9 service to connect.
29/06/2009 10:11:50, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the PC Tools Security Service service to connect.
29/06/2009 10:11:50, error: Service Control Manager [7000] - The PC Tools Security Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
27/06/2009 23:04:10, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the VMware Authorization Service service to connect.
27/06/2009 23:04:10, error: Service Control Manager [7000] - The VMware Authorization Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
26/06/2009 14:43:30, error: Windows Update Agent [20] - Installation Failure: Windows failed to install the following update with error 0x80070643: Internet Explorer 8 for Windows XP.
01/07/2009 22:46:08, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AmdPPM AvgLdx86 AvgMfx86 Fips SASDIFSV SASKUTIL truecrypt UimBus Uim_IM
01/07/2009 22:24:19, error: Service Control Manager [7034] - The PC Tools Security Service service terminated unexpectedly. It has done this 1 time(s).

==== End Of File ===========================


GMER 1.0.15.14972 - http://www.gmer.net
Rootkit scan 2009-07-03 10:56:25
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwConnectPort [0xB5C5FFC0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateFile [0xB5C5CC80]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateKey [0xF745D514]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreatePort [0xB5C60580]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateProcess [0xB5C74900]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateProcessEx [0xB5C74B10]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateSection [0xB5C78B10]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateWaitablePort [0xB5C60670]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwDeleteFile [0xB5C5D210]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwDeleteKey [0xF745DD00]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwDeleteValueKey [0xF745DFB8]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwDuplicateObject [0xB5C74280]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwLoadKey [0xB5C77F10]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwLoadKey2 [0xB5C77F90]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwOpenFile [0xB5C5D070]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwOpenKey [0xF745C3FA]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwOpenProcess [0xB5C76180]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwOpenThread [0xB5C75F40]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwRenameKey [0xF745E422]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwReplaceKey [0xB5C78150]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwRequestWaitReplyPort [0xB5C5FBE0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwRestoreKey [0xB5C78540]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwSecureConnectPort [0xB5C60190]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwSetInformationFile [0xB5C5D440]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwSetValueKey [0xF745D7D8]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwSystemDebugControl [0xB5C75200]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwTerminateProcess [0xB5C75080]

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs TfFsMon.sys (ThreatFire Filesystem Monitor/PC Tools)

Device \Driver\Tcpip \Device\Ip vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)

AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 VMkbd.sys (VMware keyboard filter driver (32-bit)/VMware, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 VMkbd.sys (VMware keyboard filter driver (32-bit)/VMware, Inc.)

Device \Driver\Tcpip \Device\Tcp vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)

AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp TfNetMon.sys (ThreatFire Network Monitor/PC Tools)
AttachedDevice \Driver\Tcpip \Device\Tcp Lbd.sys (Boot Driver/Lavasoft AB)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 hotcore3.sys (A part of Paragon System Utilities/Paragon Software Group)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 hotcore3.sys (A part of Paragon System Utilities/Paragon Software Group)

Device \Driver\Tcpip \Device\Udp vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)

AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Udp TfNetMon.sys (ThreatFire Network Monitor/PC Tools)
AttachedDevice \Driver\Tcpip \Device\Udp Lbd.sys (Boot Driver/Lavasoft AB)

Device \Driver\usbhub \Device\00000089 hcmon.sys (VMware USB monitor/VMware, Inc.)
Device \Driver\Tcpip \Device\RawIp vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)

AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp TfNetMon.sys (ThreatFire Network Monitor/PC Tools)
AttachedDevice \Driver\Tcpip \Device\RawIp Lbd.sys (Boot Driver/Lavasoft AB)

Device \Driver\usbuhci \Device\USBFDO-0 hcmon.sys (VMware USB monitor/VMware, Inc.)
Device \Driver\usbuhci \Device\USBFDO-1 hcmon.sys (VMware USB monitor/VMware, Inc.)
Device \Driver\usbuhci \Device\USBFDO-2 hcmon.sys (VMware USB monitor/VMware, Inc.)
Device \Driver\Tcpip \Device\IPMULTICAST vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
Device \Driver\usbehci \Device\USBFDO-3 hcmon.sys (VMware USB monitor/VMware, Inc.)
Device \Driver\usbhub \Device\0000008a hcmon.sys (VMware USB monitor/VMware, Inc.)
Device \Driver\usbhub \Device\0000008b hcmon.sys (VMware USB monitor/VMware, Inc.)
Device \Driver\usbhub \Device\0000008c hcmon.sys (VMware USB monitor/VMware, Inc.)
Device \Driver\usbhub \Device\0000008d hcmon.sys (VMware USB monitor/VMware, Inc.)

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device \FileSystem\Cdfs \Cdfs DLAIFS_M.SYS (Drive Letter Access Component/Roxio)

---- EOF - GMER 1.0.15 ----
BillyC
Regular Member
 
Posts: 17
Joined: June 29th, 2009, 5:39 am
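As an added example, not part of this thread nor of the GMER or DDS tools, the script below reads the two log formats posted above. It groups the GMER SSDT hooks by the driver that owns them and flags any hook whose module carries no recognised vendor string, and it diffs the two Service Control Manager 7026 events so that the drivers which failed only in the 29/06 11:07 boot are separated from the ones that fail on every boot. The GMER and event lines embedded in it are copied from the logs above except for the `unknown.sys` hook, which is a constructed, hypothetical line used to show what a flagged entry looks like; the vendor allow-list is likewise an assumption for illustration.

```python
# Added example (not part of the forum post, GMER or DDS): triage helpers
# for the two log formats posted above. The GMER and DDS sample lines are
# copied from the log, except the "unknown.sys" hook, which is constructed
# and hypothetical; the vendor allow-list is an assumption for illustration.
import re
from collections import defaultdict

# GMER prints one line per hooked SSDT entry. When the hooking module has a
# version resource, its description and vendor appear in parentheses; a
# module without that metadata is printed with no parenthesised part.
SSDT_RE = re.compile(
    r"^SSDT\s+(?P<path>\S+)"
    r"(?:\s+\((?P<desc>[^)]*)\))?"
    r"\s+(?P<func>Zw\w+)\s+\[(?P<addr>0x[0-9A-Fa-f]+)\]"
)

# Vendors whose kernel hooks are expected on this machine (assumption,
# derived from the security products in the installed-programs list).
KNOWN_VENDORS = {"Check Point Software Technologies LTD", "PC Tools"}

SAMPLE_GMER = r"""
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateProcess [0xB5C74900]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwTerminateProcess [0xB5C75080]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateKey [0xF745D514]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwSetValueKey [0xF745D7D8]
SSDT \SystemRoot\System32\drivers\unknown.sys ZwQueryDirectoryFile [0xB5A00000]
"""


def basename(path):
    """Last component of a Windows path, whatever prefix GMER printed."""
    return path.replace("\\", "/").rsplit("/", 1)[-1]


def triage_ssdt(lines, known_vendors=KNOWN_VENDORS):
    """Group SSDT hooks by owning driver and flag hooks from unknown vendors.

    Returns (hooks_by_driver, suspicious); suspicious is a list of
    (driver, hooked_function, handler_address) tuples.
    """
    by_driver = defaultdict(list)
    suspicious = []
    for line in lines:
        m = SSDT_RE.match(line.strip())
        if not m:
            continue
        driver = basename(m["path"])
        vendor = (m["desc"] or "").rsplit("/", 1)[-1]   # text after last "/"
        by_driver[driver].append(m["func"])
        if vendor not in known_vendors:
            suspicious.append((driver, m["func"], m["addr"]))
    return dict(by_driver), suspicious


# DDS event lines: "DD/MM/YYYY HH:MM:SS, level: Source [EventID] - message"
EVENT_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}), (?P<level>\w+): "
    r"(?P<source>.+?) \[(?P<id>\d+)\] - (?P<msg>.*)$"
)

SAMPLE_EVENTS = """
29/06/2009 11:07:56, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD AmdPPM AvgLdx86 AvgMfx86 AvgTdiX Fips IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss SASDIFSV SASKUTIL Tcpip truecrypt UimBus Uim_IM vsdatant WS2IFSL
29/06/2009 11:07:29, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
01/07/2009 22:46:08, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AmdPPM AvgLdx86 AvgMfx86 Fips SASDIFSV SASKUTIL truecrypt UimBus Uim_IM
"""


def failed_boot_drivers(lines):
    """Map each SCM event 7026 timestamp to the set of drivers it lists."""
    boots = {}
    for line in lines:
        m = EVENT_RE.match(line.strip())
        if not m or m["id"] != "7026":
            continue
        _, _, names = m["msg"].partition("failed to load:")
        boots[m["ts"]] = set(names.split())
    return boots


def split_failures(boots):
    """Separate drivers that fail on every recorded boot from those that
    failed only on some boots (usually boot-mode dependent, e.g. the
    network stack in Safe Mode without networking)."""
    if not boots:
        return {}, []
    always = set.intersection(*boots.values())
    varying = {ts: sorted(names - always) for ts, names in boots.items()}
    return varying, sorted(always)


if __name__ == "__main__":
    hooks, flagged = triage_ssdt(SAMPLE_GMER.splitlines())
    for drv, funcs in hooks.items():
        print(f"{drv}: {len(funcs)} hook(s)")
    print("needs a look:", flagged)
    varying, always = split_failures(failed_boot_drivers(SAMPLE_EVENTS.splitlines()))
    print("fail on every boot:", always)
    for ts, names in varying.items():
        print(f"failed only in boot {ts}: {names}")
```

Run against the full GMER section above, every SSDT hook resolves to vsdatant.sys (Check Point's TrueVector driver, i.e. ZoneAlarm) or PCTCore.sys (PC Tools, i.e. Spyware Doctor), which is the footprint of installed security products, not of an unattributed module. On the event side, the eleven drivers unique to the 29/06 11:07 boot are the networking stack (AFD, Tcpip, NetBT, NetBIOS, IPSec, RasAcd, WS2IFSL, MRxSmb, Rdbss) plus the two network filter drivers AvgTdiX and vsdatant, exactly what a boot into Safe Mode without networking leaves unloaded; the nine that fail in both boots are the ones worth asking about.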

Re: Am i still infected?

Unread postby jmw3 » July 3rd, 2009, 10:40 am

Hi
You have quite a few security programs there. Make sure you only have one Anti-virus & one Anti-spyware program running with real time protection. Anti-virus programs take up an enormous amount of your computer's resources when they are actively scanning your computer. Having multiple Anti-virus programs & Anti-spyware running at the same time can cause your computer to run very slow, become unstable and even, in rare cases, crash.

ComboFix
Download ComboFix from one of these locations (DO NOT download ComboFix from anywhere else but one of the provided links):
Link 1
Link 2
Link 3

**IMPORTANT !!! Save ComboFix.exe to your Desktop**

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
    A guide to do this can be found here
  • Double click on ComboFix.exe & follow the prompts
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console
Image
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
Image

  • Click on Yes, to continue scanning for malware.
  • When finished, it shall produce a log for you. Please include the contents of C:\ComboFix.txt in your next reply
A word of warning: Neither I nor sUBs are responsible for any damage you may cause to your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


To post in next reply:
ComboFix log
New HijackThis log
Update on how the computer is running
jmw3
MRU Emeritus
 
Posts: 4621
Joined: February 12th, 2008, 2:36 am
Location: Port Hedland, Western Australia

Re: Am i still infected?

Unread postby BillyC » July 3rd, 2009, 2:14 pm

Hi JMW3

I like to use different tools for scanning only, especially if I am having malware problems. I have noticed that SpywareGuard and Adwatch are running together in the background, perhaps I should use AdAware for scan only?

My PC has been going OK since I deleted the Trojans that my tools found in the last week or so.
I was getting quite a lot of system freezes, and the odd blue screen in the past. The main reason I submitted a log was in case a rootkit problem had moved into the kernel, in which case I would have no choice but to reformat and reinstall.

When I ran ComboFix, it loaded the console OK, did its scan and saved the log, but then all of my desktop icons and taskbar disappeared and then I was presented with a blue screen.
These are the stop messages it threw up: 0x0000008e (0xC0000005, 0xF7448CF9, 0xB3061B14, 0x00000000)

Should I be worried?

These are the 2 requested logs:

ComboFix 09-07-02.02 - Billy Corcoran 03/07/2009 18:29:44.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.353.1033.18.2047.1476 [GMT 1:00]
Running from: C:\Documents and Settings\Billy Corcoran\Desktop\CleanUp\ComboFix.exe
AV: AVG Internet Security *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: Spyware Doctor with AntiVirus *On-access scanning disabled* (Updated) {D3C23B96-C9DC-477F-8EF1-69AF17A6EFF6}
FW: ZoneAlarm Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Billy Corcoran\Application Data\Microsoft\Internet Explorer\Quick Launch\SUPERAntiSpyware Free Edition.lnk
C:\WINDOWS\Installer\11b7bca.msi
C:\WINDOWS\Installer\14cb40.msi
C:\WINDOWS\Installer\3b027.msi
C:\WINDOWS\Installer\491d5e.msi
C:\WINDOWS\Installer\c14031.msi
C:\WINDOWS\jestertb.dll
C:\WINDOWS\system32\404Fix.exe
C:\WINDOWS\system32\Agent.OMZ.Fix.exe
C:\WINDOWS\system32\dumphive.exe
C:\WINDOWS\system32\IEDFix.C.exe
C:\WINDOWS\system32\IEDFix.exe
C:\WINDOWS\system32\o4Patch.exe
C:\WINDOWS\system32\Process.exe
C:\WINDOWS\system32\SrchSTS.exe
C:\WINDOWS\system32\tmp.reg
C:\WINDOWS\system32\VCCLSID.exe
C:\WINDOWS\system32\WS2Fix.exe

.
((((((((((((((((((((((((( Files Created from 2009-06-03 to 2009-07-03 )))))))))))))))))))))))))))))))
.

2009-07-03 09:42:28 . 2009-07-03 09:42:28 0 d--h--w- C:\WINDOWS\PIF
2009-06-30 12:40:45 . 2009-06-30 12:40:47 0 d-----w- C:\Documents and Settings\Billy Corcoran\Tracing
2009-06-30 12:34:08 . 2009-06-30 12:34:08 0 d-----w- C:\Program Files\Microsoft
2009-06-30 12:33:43 . 2009-06-30 12:33:43 0 d-----w- C:\Program Files\Windows Live SkyDrive
2009-06-30 12:33:08 . 2009-06-30 12:34:02 0 d-----w- C:\Program Files\Windows Live
2009-06-30 12:22:36 . 2009-06-30 12:22:36 0 d-----w- C:\Program Files\Common Files\Windows Live
2009-06-30 12:01:34 . 2009-06-30 12:01:34 0 d-----w- C:\Program Files\filehippo.com
2009-06-28 21:16:35 . 2009-06-28 21:16:35 0 d-----w- C:\Program Files\Trend Micro
2009-06-25 16:10:44 . 2008-06-28 01:42:44 40464 ----a-w- C:\WINDOWS\system32\drivers\hotcore3.sys
2009-06-25 16:09:38 . 2009-06-25 16:09:38 0 d-----w- C:\Program Files\Paragon Software
2009-06-25 15:20:51 . 2009-06-25 15:20:51 4212 ---ha-w- C:\WINDOWS\system32\zllictbl.dat
2009-06-25 15:20:19 . 2009-02-15 23:10:12 69000 ----a-w- C:\WINDOWS\system32\zlcomm.dll
2009-06-25 15:20:19 . 2009-02-15 23:10:12 103816 ----a-w- C:\WINDOWS\system32\zlcommdb.dll
2009-06-25 15:20:00 . 2009-02-15 23:10:14 1221512 ----a-w- C:\WINDOWS\system32\zpeng25.dll
2009-06-25 15:19:57 . 2009-06-25 15:20:49 0 d-----w- C:\WINDOWS\system32\ZoneLabs
2009-06-25 15:19:57 . 2009-06-25 15:19:57 0 d-----w- C:\Program Files\Zone Labs
2009-06-25 15:17:27 . 2009-07-03 17:08:31 0 d-----w- C:\WINDOWS\Internet Logs
2009-06-25 14:47:53 . 2008-12-11 07:38:22 159600 ----a-w- C:\WINDOWS\system32\drivers\pctgntdi.sys
2009-06-25 14:47:38 . 2009-06-25 15:06:40 130936 ----a-w- C:\WINDOWS\system32\drivers\PCTCore.sys
2009-06-25 14:47:38 . 2008-12-18 11:16:56 73840 ----a-w- C:\WINDOWS\system32\drivers\PCTAppEvent.sys
2009-06-25 14:47:24 . 2009-06-25 14:57:17 0 d-----w- C:\Program Files\Common Files\PC Tools
2009-06-25 14:47:24 . 2008-12-10 11:36:04 64392 ----a-w- C:\WINDOWS\system32\drivers\pctplsg.sys
2009-06-25 14:47:14 . 2009-07-02 16:52:19 0 d-----w- C:\Program Files\Spyware Doctor
2009-06-25 14:47:14 . 2009-06-25 14:47:14 0 d-----w- C:\Documents and Settings\Billy Corcoran\Application Data\PC Tools
2009-06-25 12:48:00 . 2009-06-25 12:48:00 0 d-----w- C:\Documents and Settings\Billy Corcoran\Application Data\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
2009-06-25 09:46:56 . 2009-06-25 09:46:56 664 ----a-w- C:\WINDOWS\system32\d3d9caps.dat
2009-06-24 22:04:54 . 2009-06-24 22:04:54 0 d-----w- C:\Program Files\Java
2009-06-24 21:07:52 . 2009-06-24 21:07:52 3584 ----a-r- C:\Documents and Settings\Billy Corcoran\Application Data\Microsoft\Installer\{121634B0-2F4B-11D3-ADA3-00C04F52DD52}\Icon386ED4E3.exe
2009-06-24 21:07:50 . 2009-06-24 21:07:51 0 d-----w- C:\Program Files\Windows Installer Clean Up
2009-06-24 20:32:44 . 2009-06-24 20:32:44 152576 ----a-w- C:\Documents and Settings\Billy Corcoran\Application Data\Sun\Java\jre1.6.0_14\lzma.dll
2009-06-24 19:43:23 . 2009-06-29 15:14:24 0 d-----w- C:\Program Files\SpywareGuard
2009-06-24 19:24:29 . 2009-06-24 19:25:08 0 d-----w- C:\MBtools.exe
2009-06-22 06:16:57 . 2009-06-19 20:37:29 46864 ----a-w- C:\WINDOWS\system32\drivers\TfSysMon.sys
2009-06-22 06:16:57 . 2009-06-19 20:37:28 33552 ----a-w- C:\WINDOWS\system32\drivers\TfNetMon.sys
2009-06-22 06:16:57 . 2009-06-19 20:37:27 51984 ----a-w- C:\WINDOWS\system32\drivers\TfFsMon.sys
2009-06-22 06:16:56 . 2009-06-25 14:47:14 0 d-----w- C:\Documents and Settings\All Users\Application Data\PC Tools
2009-06-22 06:16:56 . 2009-06-24 21:36:11 0 d-----w- C:\Program Files\ThreatFire
2009-06-20 17:22:24 . 2009-06-24 20:10:33 0 d-----w- C:\Program Files\SpywareBlaster
2009-06-20 13:30:58 . 2009-06-20 13:30:58 11952 ----a-w- C:\WINDOWS\system32\avgrsstx.dll
2009-06-20 13:30:57 . 2009-06-20 13:30:57 108552 ----a-w- C:\WINDOWS\system32\drivers\avgtdix.sys
2009-06-20 13:30:50 . 2009-07-01 06:25:41 335752 ----a-w- C:\WINDOWS\system32\drivers\avgldx86.sys
2009-06-20 13:30:49 . 2009-06-20 13:30:49 27784 ----a-w- C:\WINDOWS\system32\drivers\avgmfx86.sys
2009-06-20 13:30:21 . 2009-07-02 19:32:54 0 d-----w- C:\WINDOWS\system32\drivers\Avg
2009-06-19 20:19:26 . 2009-06-19 20:19:26 0 d-----w- C:\Documents and Settings\All Users\Application Data\IObit
2009-06-19 12:42:09 . 2009-07-02 19:30:25 0 d-----w- C:\Program Files\Enigma Software Group
2009-06-14 08:44:30 . 2009-06-14 08:50:06 0 d-----w- C:\Documents and Settings\Billy Corcoran\Application Data\TrueCrypt
2009-06-14 08:42:59 . 2009-06-30 12:20:31 217664 ----a-w- C:\WINDOWS\system32\drivers\truecrypt.sys
2009-06-14 08:42:45 . 2009-06-14 08:42:59 0 d-----w- C:\Program Files\TrueCrypt
2009-06-10 12:25:46 . 2009-06-10 12:25:49 0 d-----w- C:\Program Files\EZBackitup

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-03 16:49:09 . 2009-02-05 19:18:19 0 d-----w- C:\Documents and Settings\LocalService\Application Data\VMware
2009-07-03 16:48:40 . 2009-02-05 19:15:19 0 d-----w- C:\Documents and Settings\All Users\Application Data\VMware
2009-07-03 16:48:39 . 2008-10-12 18:45:53 0 d---a-w- C:\Documents and Settings\All Users\Application Data\TEMP
2009-07-02 23:03:41 . 2009-04-10 11:55:51 0 d-----w- C:\Program Files\LogMeIn
2009-07-01 21:59:43 . 2009-06-02 14:42:01 117760 ----a-w- C:\Documents and Settings\Billy Corcoran\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-07-01 06:03:46 . 2008-07-03 07:59:48 0 d-----w- C:\Documents and Settings\All Users\Application Data\avg8
2009-06-30 16:59:13 . 2009-06-19 13:30:36 314712 ----a-w- C:\Documents and Settings\All Users\Application Data\Lavasoft\Ad-Aware\update\threatwork.exe
2009-06-30 16:59:12 . 2009-06-19 13:30:33 25440 ----a-w- C:\Documents and Settings\All Users\Application Data\Lavasoft\Ad-Aware\update\savapibridge.dll
2009-06-30 16:59:11 . 2009-06-19 13:30:33 169312 ----a-w- C:\Documents and Settings\All Users\Application Data\Lavasoft\Ad-Aware\update\lavamessage.dll
2009-06-30 16:59:10 . 2009-06-19 13:30:31 348496 ----a-w- C:\Documents and Settings\All Users\Application Data\Lavasoft\Ad-Aware\update\lavalicense.dll
2009-06-30 16:59:08 . 2009-06-19 13:30:30 298336 ----a-w- C:\Documents and Settings\All Users\Application Data\Lavasoft\Ad-Aware\update\UpdateManager.dll
2009-06-30 16:59:07 . 2009-05-26 23:33:49 84832 ----a-w- C:\Documents and Settings\All Users\Application Data\Lavasoft\Ad-Aware\update\ShellExt.dll
2009-06-30 16:59:06 . 2009-06-19 13:30:28 1630560 ----a-w- C:\Documents and Settings\All Users\Application Data\Lavasoft\Ad-Aware\update\Resources.dll
2009-06-30 16:59:01 . 2009-05-26 23:33:29 246128 ----a-w- C:\Documents and Settings\All Users\Application Data\Lavasoft\Ad-Aware\update\RPAPI.dll
2009-06-30 16:59:00 . 2009-06-19 13:30:23 85352 ----a-w- C:\Documents and Settings\All Users\Application Data\Lavasoft\Ad-Aware\update\Drivers\32\AAWDriverTool.exe
2009-06-30 16:59:00 . 2009-05-26 23:33:28 40288 ----a-w- C:\Documents and Settings\All Users\Application Data\Lavasoft\Ad-Aware\update\PrivacyClean.dll
2009-06-30 16:58:58 . 2009-06-19 13:30:22 664424 ----a-w- C:\Documents and Settings\All Users\Application Data\Lavasoft\Ad-Aware\update\CEAPI.dll
2009-06-30 16:58:56 . 2009-06-19 13:30:19 563064 ----a-w- C:\Documents and Settings\All Users\Application Data\Lavasoft\Ad-Aware\update\Ad-AwareCommand.exe
2009-06-30 16:58:54 . 2009-06-19 13:30:17 566632 ----a-w- C:\Documents and Settings\All Users\Application Data\Lavasoft\Ad-Aware\update\Ad-AwareAdmin.exe
2009-06-30 16:58:51 . 2009-06-19 13:30:15 2352968 ----a-w- C:\Documents and Settings\All Users\Application Data\Lavasoft\Ad-Aware\update\Ad-Aware.exe
2009-06-30 16:58:47 . 2009-06-19 13:30:11 629072 ----a-w- C:\Documents and Settings\All Users\Application Data\Lavasoft\Ad-Aware\update\AAWWSC.exe
2009-06-30 16:58:44 . 2009-06-19 13:30:09 520024 ----a-w- C:\Documents and Settings\All Users\Application Data\Lavasoft\Ad-Aware\update\AAWTray.exe
2009-06-30 16:58:42 . 2009-06-19 13:30:07 1029456 ----a-w- C:\Documents and Settings\All Users\Application Data\Lavasoft\Ad-Aware\update\AAWService.exe
2009-06-30 12:37:26 . 2008-07-02 21:42:59 81192 -c--a-w- C:\Documents and Settings\Billy Corcoran\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-06-29 15:33:17 . 2009-05-19 16:49:48 0 d-----w- C:\Program Files\TechSmith
2009-06-29 15:33:16 . 2009-05-19 16:49:49 0 d-----w- C:\Documents and Settings\All Users\Application Data\TechSmith
2009-06-26 02:36:32 . 2008-07-03 08:17:44 0 d-----w- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2009-06-25 12:05:19 . 2008-10-19 22:13:32 0 d-----w- C:\Program Files\SUPERAntiSpyware
2009-06-24 22:05:17 . 2009-06-02 14:56:06 410984 ----a-w- C:\WINDOWS\system32\deploytk.dll
2009-06-24 21:07:08 . 2008-07-03 10:42:58 0 d-----w- C:\Program Files\MSECACHE
2009-06-24 18:41:57 . 2009-03-04 21:06:59 0 d-----w- C:\Program Files\HyCam2
2009-06-24 17:07:56 . 2009-05-25 14:21:42 0 d-----r- C:\Program Files\Skype
2009-06-24 17:07:54 . 2008-07-03 23:25:11 0 d-----w- C:\Documents and Settings\All Users\Application Data\Skype
2009-06-20 13:29:56 . 2008-07-03 07:59:49 0 d-----w- C:\Program Files\AVG
2009-06-20 10:29:55 . 2009-05-18 19:21:46 0 d-----w- C:\Program Files\NCH Swift Sound
2009-06-19 20:19:23 . 2008-10-12 17:25:34 0 d-----w- C:\Program Files\IObit
2009-06-19 16:25:11 . 2008-10-29 00:37:12 0 d-----w- C:\Program Files\Malwarebytes' Anti-Malware
2009-06-17 10:27:56 . 2008-10-29 00:37:13 38160 ----a-w- C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2009-06-17 10:27:44 . 2008-10-29 00:37:13 19096 -c--a-w- C:\WINDOWS\system32\drivers\mbam.sys
2009-06-02 15:20:59 . 2008-07-03 23:31:36 0 d-----w- C:\Documents and Settings\Billy Corcoran\Application Data\skypePM
2009-06-02 15:05:59 . 2009-06-02 15:05:59 0 d-----w- C:\Program Files\Common Files\Adobe AIR
2009-06-02 14:41:15 . 2009-04-30 23:38:13 0 d-----w- C:\Documents and Settings\Billy Corcoran\Application Data\SUPERAntiSpyware.com
2009-06-02 14:39:46 . 2008-07-03 08:11:04 0 d-----w- C:\Program Files\Common Files\Wise Installation Wizard
2009-06-02 14:31:46 . 2009-06-02 14:31:46 0 d-----w- C:\Program Files\Common Files\xing shared
2009-06-02 14:31:27 . 2008-07-03 08:31:52 0 d-----w- C:\Program Files\Common Files\Real
2009-06-02 14:17:00 . 2009-06-02 14:16:05 0 d-----w- C:\Program Files\QuickTime
2009-06-02 14:16:00 . 2008-09-21 23:01:29 0 d-----w- C:\Documents and Settings\All Users\Application Data\Apple Computer
2009-06-02 06:49:28 . 2009-02-05 20:25:30 0 d-----w- C:\Documents and Settings\Billy Corcoran\Application Data\VMware
2009-05-31 19:19:21 . 2009-05-30 11:09:33 0 d-----w- C:\Program Files\VMware
2009-05-28 17:35:13 . 2008-10-29 00:49:09 3371383 -c--a-w- C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-05-27 22:05:39 . 2009-05-27 22:05:39 390664 ----a-w- C:\Documents and Settings\Billy Corcoran\Application Data\Real\RealPlayer\Update\RealPlayer11.exe
2009-05-26 23:33:53 . 2009-05-26 23:33:53 15688 ----a-w- C:\Documents and Settings\All Users\Application Data\Lavasoft\Ad-Aware\update\lsdelete.exe
2009-05-26 23:33:53 . 2009-03-15 17:03:54 15688 -c--a-w- C:\WINDOWS\system32\lsdelete.exe
2009-05-25 13:35:54 . 2009-05-25 13:35:54 0 d-----w- C:\Program Files\MSBuild
2009-05-25 13:35:32 . 2009-05-25 13:35:32 0 d-----w- C:\Program Files\Reference Assemblies
2009-05-22 13:51:37 . 2009-03-02 00:29:31 0 d-----w- C:\Documents and Settings\All Users\Application Data\WinZip
2009-05-19 16:49:20 . 2009-01-24 17:06:04 0 d-----w- C:\Program Files\BlueVoda Website Builder
2009-05-19 15:31:14 . 2008-07-03 07:42:55 0 d-----w- C:\Program Files\Common Files\Adobe
2009-05-18 19:28:01 . 2009-05-18 19:28:01 0 d-----w- C:\Documents and Settings\All Users\Application Data\NCH Swift Sound
2009-05-18 19:21:46 . 2009-05-18 19:21:46 0 d-----w- C:\Documents and Settings\Billy Corcoran\Application Data\NCH Swift Sound
2009-05-16 16:15:12 . 2009-02-15 17:05:27 0 d-----w- C:\Program Files\HLPSTR
2009-05-16 15:27:50 . 2009-05-16 15:26:06 0 d-----w- C:\Program Files\NCH Software
2009-05-16 15:26:46 . 2009-05-16 15:26:46 0 d-----w- C:\Documents and Settings\All Users\Application Data\NCH Software
2009-05-16 15:22:16 . 2009-05-16 15:22:16 0 d-----w- C:\Documents and Settings\Billy Corcoran\Application Data\Search Settings
2009-05-16 15:14:06 . 2009-05-16 15:14:06 0 d-----w- C:\Program Files\Search Settings
2009-05-16 15:12:31 . 2009-05-16 15:12:26 0 d-----w- C:\Program Files\Free Audio Pack
2009-05-16 15:07:10 . 2009-05-16 15:07:10 0 d-----w- C:\Program Files\Flv2Mp3
2009-05-14 00:37:44 . 2009-05-14 00:37:30 0 d-----w- C:\Program Files\WAV to MP3 Encoder
2009-05-13 15:32:41 . 2009-02-23 23:22:42 0 d-----w- C:\Program Files\FlexiMusic Wave Editor
2009-05-13 15:12:35 . 2009-05-13 15:12:35 0 d-----w- C:\Program Files\Mp3 File Editor
2009-05-13 15:12:16 . 2009-05-13 15:12:35 286720 ----a-w- C:\WINDOWS\iun506.exe
2009-05-10 20:39:48 . 2009-05-10 14:30:16 0 d-----w- C:\Documents and Settings\Billy Corcoran\Application Data\Download Manager
2009-05-07 15:32:35 . 2003-03-31 12:00:00 345600 ----a-w- C:\WINDOWS\system32\localspl.dll
2009-04-29 04:56:02 . 2006-06-23 10:33:58 827392 ----a-w- C:\WINDOWS\system32\wininet.dll
2009-04-29 04:55:56 . 2009-05-25 13:24:38 78336 -c--a-w- C:\WINDOWS\system32\ieencode.dll
2009-04-23 17:43:25 . 2009-04-23 17:43:25 64160 -c--a-w- C:\Documents and Settings\All Users\Application Data\Lavasoft\Ad-Aware\update\Drivers\32\lbd.sys
2009-04-23 17:43:25 . 2009-03-15 16:24:12 64160 -c--a-w- C:\WINDOWS\system32\drivers\Lbd.sys
2009-04-17 23:16:18 . 2009-04-17 23:16:13 6144 -c--a-w- C:\Documents and Settings\Administrator.BILLY-68792BBDT\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10001.dll
2009-04-17 23:16:18 . 2009-04-17 23:16:13 22528 -c--a-w- C:\Documents and Settings\Administrator.BILLY-68792BBDT\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10000.dll
2009-04-17 12:26:40 . 2003-03-31 12:00:00 1847168 ----a-w- C:\WINDOWS\system32\win32k.sys
2009-04-15 14:51:25 . 2004-03-06 02:16:11 585216 ----a-w- C:\WINDOWS\system32\rpcrt4.dll
2009-04-11 15:01:03 . 2009-04-11 15:01:03 388000 -c--a-w- C:\WINDOWS\system32\drivers\timntr.sys
2009-04-11 15:01:03 . 2009-04-11 15:01:03 32288 -c--a-w- C:\WINDOWS\system32\drivers\tifsfilt.sys
2009-04-11 15:00:53 . 2009-04-11 15:00:53 99776 -c--a-w- C:\WINDOWS\system32\drivers\snapman.sys
2009-02-24 19:34:32 . 2009-02-24 19:34:32 1044480 -c--a-w- C:\Program Files\mozilla firefox\plugins\libdivx.dll
2009-02-24 19:34:32 . 2009-02-24 19:34:32 200704 -c--a-w- C:\Program Files\mozilla firefox\plugins\ssldivx.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-14 04:42:18 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"vsc32cnf.exe"="C:\Program Files\Roland\VSC32\vsc32cnf.exe" [2000-02-07 02:02:44 36864]
"vscvol.exe"="C:\Program Files\Roland\VSC32\vscvol.exe" [2000-02-08 22:19:48 36864]
"Ad-Watch"="C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-06-30 16:58:44 520024]
"LogMeIn GUI"="C:\Program Files\LogMeIn\x86\LogMeInSystray.exe" [2008-07-24 17:46:10 63048]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2003-07-28 14:19:00 4841472]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2009-06-20 13:30:11 1948440]
"ThreatFire"="C:\Program Files\ThreatFire\TFTray.exe" [2009-06-19 20:37:21 259344]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2009-02-15 23:10:22 981384]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2008-04-14 04:42:18 15360]

C:\Documents and Settings\Billy Corcoran\Start Menu\Programs\Startup\
SpywareGuard.lnk - C:\Program Files\SpywareGuard\sgmain.exe [2003-8-29 360448]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Belkin Wireless USB Utility.lnk - C:\Program Files\Belkin\USB F5D7050\Wireless Utility\Belkinwcui.exe [2005-10-28 1404928]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 09:13:36 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 11:05:34 356352 ----a-w- C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-06-20 13:30:58 11952 ----a-w- C:\WINDOWS\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2008-10-16 19:35:38 87352 ----a-w- C:\WINDOWS\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"MIDI2"=vscapi.dll
"WAVE3"=vscapi.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=
backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\WINDOWS\\system32\\dpvsetup.exe"=
"C:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Packet Tracer 5.1\\bin\\PacketTracer5.exe"=
"C:\\Program Files\\VMware\\VMware Player\\vmware-authd.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgdiag.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgdiagex.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"5900:TCP"= 5900:TCP:vnc5900
"5800:TCP"= 5800:TCP:vnc5800

R0 hotcore3;hc3ServiceName;C:\WINDOWS\system32\drivers\hotcore3.sys [25/06/2009 17:10:44 40464]
R0 Lbd;Lbd;C:\WINDOWS\system32\drivers\Lbd.sys [15/03/2009 17:24:12 64160]
R0 PCTCore;PCTools KDS;C:\WINDOWS\system32\drivers\PCTCore.sys [25/06/2009 15:47:38 130936]
R0 TfFsMon;TfFsMon;C:\WINDOWS\system32\drivers\TfFsMon.sys [22/06/2009 07:16:57 51984]
R0 TfSysMon;TfSysMon;C:\WINDOWS\system32\drivers\TfSysMon.sys [22/06/2009 07:16:57 46864]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;C:\WINDOWS\system32\drivers\avgldx86.sys [20/06/2009 14:30:50 335752]
R1 AvgTdiX;AVG Free8 Network Redirector;C:\WINDOWS\system32\drivers\avgtdix.sys [20/06/2009 14:30:57 108552]
R1 SASDIFSV;SASDIFSV;C:\Program Files\SUPERAntiSpyware\sasdifsv.sys [26/05/2009 10:05:54 9968]
R1 SASKUTIL;SASKUTIL;C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS [26/05/2009 10:05:52 72944]
R2 avg8wd;AVG Free8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [20/06/2009 14:29:59 298776]
R2 ComodoBackupService;ComodoBackupService;C:\Program Files\Comodo\BackUp\CmdBkSvc.exe [27/11/2008 18:13:56 1023488]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe [09/03/2009 20:06:55 1029456]
R2 LMIInfo;LogMeIn Kernel Information Provider;C:\Program Files\LogMeIn\x86\rainfo.sys [24/07/2008 18:46:12 12856]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;C:\WINDOWS\system32\drivers\LMIRfsDriver.sys [10/04/2009 12:56:34 47640]
R2 RVIEGVST;VSC VST Engine;C:\Program Files\Roland\Virtual Sound Canvas VST\RVIEg01VST.sys [13/08/2008 23:25:19 188276]
R2 ThreatFire;ThreatFire;C:\Program Files\ThreatFire\TFService.exe service --> C:\Program Files\ThreatFire\TFService.exe service [?]
R2 vmci;VMware vmci;C:\WINDOWS\system32\drivers\vmci.sys [26/03/2009 22:58:38 54960]
R3 TfNetMon;TfNetMon;C:\WINDOWS\system32\drivers\TfNetMon.sys [22/06/2009 07:16:57 33552]
R3 vsc32;Virtual Sound Canvas 3.2;C:\WINDOWS\system32\drivers\vsc.sys [13/08/2008 23:23:11 951284]
S3 MEMSWEEP2;MEMSWEEP2;C:\WINDOWS\system32\77.tmp [25/06/2009 14:15:36 5760]
S3 SASENUM;SASENUM;C:\Program Files\SUPERAntiSpyware\SASENUM.SYS [26/05/2009 10:05:56 7408]
S3 sdAuxService;PC Tools Auxiliary Service;C:\Program Files\Spyware Doctor\pctsAuxs.exe [25/06/2009 15:47:16 348752]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]

--- Other Services/Drivers In Memory ---

*Deregistered* - mchInjDrv
.
Contents of the 'Scheduled Tasks' folder

2009-06-29 C:\WINDOWS\Tasks\Ad-Aware Update (Weekly).job
- C:\Program Files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 19:06:56 . 2009-06-30 16:58:54]
.
.
------- Supplementary Scan -------
.
uStart Page = www.google.ie/
IE: E&xport to Microsoft Excel - C:\PROGRA~1\Microsoft Office\OFFICE11\EXCEL.EXE/3000
LSP: C:\Program Files\VMware\VMware Player\vsocklib.dll
FF - ProfilePath - C:\Documents and Settings\Billy Corcoran\Application Data\Mozilla\Firefox\Profiles\e22nb6s4.default\
FF - component: C:\Program Files\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: C:\Program Files\Mozilla Firefox\extensions\search@searchsettings.com\components\SearchSettingsFF.dll
FF - plugin: C:\Documents and Settings\Billy Corcoran\Local Settings\Application Data\Google\Update\1.2.145.5\npGoogleOneClick8.dll
FF - plugin: F:\DivX\DivX Player\npDivxPlayerPlugin.dll
FF - plugin: F:\DivX\DivX Web Player\npdivx32.dll
FF - HiddenExtension: Java Console: No Registry Reference - C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
C:\Program Files\Mozilla Firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
C:\Program Files\Mozilla Firefox\greprefs\all.js - pref("media.cache_size", 51200);
C:\Program Files\Mozilla Firefox\greprefs\all.js - pref("media.ogg.enabled", true);
C:\Program Files\Mozilla Firefox\greprefs\all.js - pref("media.wave.enabled", true);
C:\Program Files\Mozilla Firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
C:\Program Files\Mozilla Firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
C:\Program Files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
C:\Program Files\Mozilla Firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
C:\Program Files\Mozilla Firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
C:\Program Files\Mozilla Firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
C:\Program Files\Mozilla Firefox\greprefs\all.js - pref("layout.css.dpi", -1);
C:\Program Files\Mozilla Firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
C:\Program Files\Mozilla Firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
C:\Program Files\Mozilla Firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
C:\Program Files\Mozilla Firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
C:\Program Files\Mozilla Firefox\greprefs\all.js - pref("geo.enabled", true);
C:\Program Files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
C:\Program Files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
C:\Program Files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
C:\Program Files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
C:\Program Files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
C:\Program Files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
C:\Program Files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
C:\Program Files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
C:\Program Files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
C:\Program Files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
C:\Program Files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
C:\Program Files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
C:\Program Files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
C:\Program Files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
C:\Program Files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
C:\Program Files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
C:\Program Files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
C:\Program Files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
C:\Program Files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
C:\Program Files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
C:\Program Files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
C:\Program Files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
C:\Program Files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
C:\Program Files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
C:\Program Files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
C:\Program Files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
C:\Program Files\Mozilla Firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
C:\Program Files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
C:\Program Files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
C:\Program Files\Mozilla Firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");
.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:15:38, on 03/07/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16850)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Comodo\BackUp\CmdBkSvc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\ThreatFire\TFService.exe
C:\WINDOWS\system32\vmnat.exe
C:\WINDOWS\system32\vmnetdhcp.exe
C:\Program Files\VMware\VMware Player\vmware-authd.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Roland\VSC32\vsc32cnf.exe
C:\Program Files\Roland\VSC32\vscvol.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\ThreatFire\TFTray.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Belkin\USB F5D7050\Wireless Utility\Belkinwcui.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.ie/
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [vsc32cnf.exe] C:\Program Files\Roland\VSC32\vsc32cnf.exe
O4 - HKLM\..\Run: [vscvol.exe] C:\Program Files\Roland\VSC32\vscvol.exe
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [ThreatFire] C:\Program Files\ThreatFire\TFTray.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Belkin Wireless USB Utility.lnk = C:\Program Files\Belkin\USB F5D7050\Wireless Utility\Belkinwcui.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\Microsoft Office\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\Microsoft Office\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\vmware\vmware player\vsocklib.dll
O10 - Unknown file in Winsock LSP: c:\program files\vmware\vmware player\vsocklib.dll
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/house ... hcImpl.cab
O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - http://dlm.tools.akamai.com/dlmanager/v ... .2.4.1.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} - https://secure.logmein.com/activex/ractrl.cab?lmi=100
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: ComodoBackupService - COMODO - C:\Program Files\Comodo\BackUp\CmdBkSvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Roxio\Roxio MyDVD DE\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: ThreatFire - PC Tools - C:\Program Files\ThreatFire\TFService.exe
O23 - Service: VMware Agent Service (ufad-ws60) - VMware, Inc. - C:\Program Files\VMware\VMware Player\vmware-ufad.exe
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files\VMware\VMware Player\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\system32\vmnetdhcp.exe
O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\system32\vmnat.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 8409 bytes
BillyC
Regular Member
 
Posts: 17
Joined: June 29th, 2009, 5:39 am

Re: Am i still infected?

Unread postby jmw3 » July 3rd, 2009, 8:28 pm

Hi

BillyC wrote:
I have noticed that SpywareGuard, Ad-Watch are running together in the background, perhaps I should use AdAware for scan only?

Good idea... though personally I wouldn't use AdAware at all as it is outdated & no longer as effective as it once was.

The ComboFix log you posted is not complete. Can you post it again please. It can be found at C:\ComboFix.txt

Thanks
jmw3
MRU Emeritus
Posts: 4621
Joined: February 12th, 2008, 2:36 am
Location: Port Hedland, Western Australia

Re: Am i still infected?

Unread postby BillyC » July 4th, 2009, 5:41 am

Hi

ComboFix 09-07-02.02 - Billy Corcoran 03/07/2009 18:29:44.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.353.1033.18.2047.1476 [GMT 1:00]
Running from: C:\Documents and Settings\Billy Corcoran\Desktop\CleanUp\ComboFix.exe
AV: AVG Internet Security *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: Spyware Doctor with AntiVirus *On-access scanning disabled* (Updated) {D3C23B96-C9DC-477F-8EF1-69AF17A6EFF6}
FW: ZoneAlarm Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Billy Corcoran\Application Data\Microsoft\Internet Explorer\Quick Launch\SUPERAntiSpyware Free Edition.lnk
C:\WINDOWS\Installer\11b7bca.msi
C:\WINDOWS\Installer\14cb40.msi
C:\WINDOWS\Installer\3b027.msi
C:\WINDOWS\Installer\491d5e.msi
C:\WINDOWS\Installer\c14031.msi
C:\WINDOWS\jestertb.dll
C:\WINDOWS\system32\404Fix.exe
C:\WINDOWS\system32\Agent.OMZ.Fix.exe
C:\WINDOWS\system32\dumphive.exe
C:\WINDOWS\system32\IEDFix.C.exe
C:\WINDOWS\system32\IEDFix.exe
C:\WINDOWS\system32\o4Patch.exe
C:\WINDOWS\system32\Process.exe
C:\WINDOWS\system32\SrchSTS.exe
C:\WINDOWS\system32\tmp.reg
C:\WINDOWS\system32\VCCLSID.exe
C:\WINDOWS\system32\WS2Fix.exe

.
((((((((((((((((((((((((( Files Created from 2009-06-03 to 2009-07-03 )))))))))))))))))))))))))))))))
.

2009-07-03 09:42:28 . 2009-07-03 09:42:28 0 d--h--w- C:\WINDOWS\PIF
2009-06-30 12:40:45 . 2009-06-30 12:40:47 0 d-----w- C:\Documents and Settings\Billy Corcoran\Tracing
2009-06-30 12:34:08 . 2009-06-30 12:34:08 0 d-----w- C:\Program Files\Microsoft
2009-06-30 12:33:43 . 2009-06-30 12:33:43 0 d-----w- C:\Program Files\Windows Live SkyDrive
2009-06-30 12:33:08 . 2009-06-30 12:34:02 0 d-----w- C:\Program Files\Windows Live
2009-06-30 12:22:36 . 2009-06-30 12:22:36 0 d-----w- C:\Program Files\Common Files\Windows Live
2009-06-30 12:01:34 . 2009-06-30 12:01:34 0 d-----w- C:\Program Files\filehippo.com
2009-06-28 21:16:35 . 2009-06-28 21:16:35 0 d-----w- C:\Program Files\Trend Micro
2009-06-25 16:10:44 . 2008-06-28 01:42:44 40464 ----a-w- C:\WINDOWS\system32\drivers\hotcore3.sys
2009-06-25 16:09:38 . 2009-06-25 16:09:38 0 d-----w- C:\Program Files\Paragon Software
2009-06-25 15:20:51 . 2009-06-25 15:20:51 4212 ---ha-w- C:\WINDOWS\system32\zllictbl.dat
2009-06-25 15:20:19 . 2009-02-15 23:10:12 69000 ----a-w- C:\WINDOWS\system32\zlcomm.dll
2009-06-25 15:20:19 . 2009-02-15 23:10:12 103816 ----a-w- C:\WINDOWS\system32\zlcommdb.dll
2009-06-25 15:20:00 . 2009-02-15 23:10:14 1221512 ----a-w- C:\WINDOWS\system32\zpeng25.dll
2009-06-25 15:19:57 . 2009-06-25 15:20:49 0 d-----w- C:\WINDOWS\system32\ZoneLabs
2009-06-25 15:19:57 . 2009-06-25 15:19:57 0 d-----w- C:\Program Files\Zone Labs
2009-06-25 15:17:27 . 2009-07-03 17:08:31 0 d-----w- C:\WINDOWS\Internet Logs
2009-06-25 14:47:53 . 2008-12-11 07:38:22 159600 ----a-w- C:\WINDOWS\system32\drivers\pctgntdi.sys
2009-06-25 14:47:38 . 2009-06-25 15:06:40 130936 ----a-w- C:\WINDOWS\system32\drivers\PCTCore.sys
2009-06-25 14:47:38 . 2008-12-18 11:16:56 73840 ----a-w- C:\WINDOWS\system32\drivers\PCTAppEvent.sys
2009-06-25 14:47:24 . 2009-06-25 14:57:17 0 d-----w- C:\Program Files\Common Files\PC Tools
2009-06-25 14:47:24 . 2008-12-10 11:36:04 64392 ----a-w- C:\WINDOWS\system32\drivers\pctplsg.sys
2009-06-25 14:47:14 . 2009-07-02 16:52:19 0 d-----w- C:\Program Files\Spyware Doctor
2009-06-25 14:47:14 . 2009-06-25 14:47:14 0 d-----w- C:\Documents and Settings\Billy Corcoran\Application Data\PC Tools
2009-06-25 12:48:00 . 2009-06-25 12:48:00 0 d-----w- C:\Documents and Settings\Billy Corcoran\Application Data\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
2009-06-25 09:46:56 . 2009-06-25 09:46:56 664 ----a-w- C:\WINDOWS\system32\d3d9caps.dat
2009-06-24 22:04:54 . 2009-06-24 22:04:54 0 d-----w- C:\Program Files\Java
2009-06-24 21:07:52 . 2009-06-24 21:07:52 3584 ----a-r- C:\Documents and Settings\Billy Corcoran\Application Data\Microsoft\Installer\{121634B0-2F4B-11D3-ADA3-00C04F52DD52}\Icon386ED4E3.exe
2009-06-24 21:07:50 . 2009-06-24 21:07:51 0 d-----w- C:\Program Files\Windows Installer Clean Up
2009-06-24 20:32:44 . 2009-06-24 20:32:44 152576 ----a-w- C:\Documents and Settings\Billy Corcoran\Application Data\Sun\Java\jre1.6.0_14\lzma.dll
2009-06-24 19:43:23 . 2009-06-29 15:14:24 0 d-----w- C:\Program Files\SpywareGuard
2009-06-24 19:24:29 . 2009-06-24 19:25:08 0 d-----w- C:\MBtools.exe
2009-06-22 06:16:57 . 2009-06-19 20:37:29 46864 ----a-w- C:\WINDOWS\system32\drivers\TfSysMon.sys
2009-06-22 06:16:57 . 2009-06-19 20:37:28 33552 ----a-w- C:\WINDOWS\system32\drivers\TfNetMon.sys
2009-06-22 06:16:57 . 2009-06-19 20:37:27 51984 ----a-w- C:\WINDOWS\system32\drivers\TfFsMon.sys
2009-06-22 06:16:56 . 2009-06-25 14:47:14 0 d-----w- C:\Documents and Settings\All Users\Application Data\PC Tools
2009-06-22 06:16:56 . 2009-06-24 21:36:11 0 d-----w- C:\Program Files\ThreatFire
2009-06-20 17:22:24 . 2009-06-24 20:10:33 0 d-----w- C:\Program Files\SpywareBlaster
2009-06-20 13:30:58 . 2009-06-20 13:30:58 11952 ----a-w- C:\WINDOWS\system32\avgrsstx.dll
2009-06-20 13:30:57 . 2009-06-20 13:30:57 108552 ----a-w- C:\WINDOWS\system32\drivers\avgtdix.sys
2009-06-20 13:30:50 . 2009-07-01 06:25:41 335752 ----a-w- C:\WINDOWS\system32\drivers\avgldx86.sys
2009-06-20 13:30:49 . 2009-06-20 13:30:49 27784 ----a-w- C:\WINDOWS\system32\drivers\avgmfx86.sys
2009-06-20 13:30:21 . 2009-07-02 19:32:54 0 d-----w- C:\WINDOWS\system32\drivers\Avg
2009-06-19 20:19:26 . 2009-06-19 20:19:26 0 d-----w- C:\Documents and Settings\All Users\Application Data\IObit
2009-06-19 12:42:09 . 2009-07-02 19:30:25 0 d-----w- C:\Program Files\Enigma Software Group
2009-06-14 08:44:30 . 2009-06-14 08:50:06 0 d-----w- C:\Documents and Settings\Billy Corcoran\Application Data\TrueCrypt
2009-06-14 08:42:59 . 2009-06-30 12:20:31 217664 ----a-w- C:\WINDOWS\system32\drivers\truecrypt.sys
2009-06-14 08:42:45 . 2009-06-14 08:42:59 0 d-----w- C:\Program Files\TrueCrypt
2009-06-10 12:25:46 . 2009-06-10 12:25:49 0 d-----w- C:\Program Files\EZBackitup

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-03 16:49:09 . 2009-02-05 19:18:19 0 d-----w- C:\Documents and Settings\LocalService\Application Data\VMware
2009-07-03 16:48:40 . 2009-02-05 19:15:19 0 d-----w- C:\Documents and Settings\All Users\Application Data\VMware
2009-07-03 16:48:39 . 2008-10-12 18:45:53 0 d---a-w- C:\Documents and Settings\All Users\Application Data\TEMP
2009-07-02 23:03:41 . 2009-04-10 11:55:51 0 d-----w- C:\Program Files\LogMeIn
2009-07-01 21:59:43 . 2009-06-02 14:42:01 117760 ----a-w- C:\Documents and Settings\Billy Corcoran\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-07-01 06:03:46 . 2008-07-03 07:59:48 0 d-----w- C:\Documents and Settings\All Users\Application Data\avg8
2009-06-30 16:59:13 . 2009-06-19 13:30:36 314712 ----a-w- C:\Documents and Settings\All Users\Application Data\Lavasoft\Ad-Aware\update\threatwork.exe
2009-06-30 16:59:12 . 2009-06-19 13:30:33 25440 ----a-w- C:\Documents and Settings\All Users\Application Data\Lavasoft\Ad-Aware\update\savapibridge.dll
2009-06-30 16:59:11 . 2009-06-19 13:30:33 169312 ----a-w- C:\Documents and Settings\All Users\Application Data\Lavasoft\Ad-Aware\update\lavamessage.dll
2009-06-30 16:59:10 . 2009-06-19 13:30:31 348496 ----a-w- C:\Documents and Settings\All Users\Application Data\Lavasoft\Ad-Aware\update\lavalicense.dll
2009-06-30 16:59:08 . 2009-06-19 13:30:30 298336 ----a-w- C:\Documents and Settings\All Users\Application Data\Lavasoft\Ad-Aware\update\UpdateManager.dll
2009-06-30 16:59:07 . 2009-05-26 23:33:49 84832 ----a-w- C:\Documents and Settings\All Users\Application Data\Lavasoft\Ad-Aware\update\ShellExt.dll
2009-06-30 16:59:06 . 2009-06-19 13:30:28 1630560 ----a-w- C:\Documents and Settings\All Users\Application Data\Lavasoft\Ad-Aware\update\Resources.dll
2009-06-30 16:59:01 . 2009-05-26 23:33:29 246128 ----a-w- C:\Documents and Settings\All Users\Application Data\Lavasoft\Ad-Aware\update\RPAPI.dll
2009-06-30 16:59:00 . 2009-06-19 13:30:23 85352 ----a-w- C:\Documents and Settings\All Users\Application Data\Lavasoft\Ad-Aware\update\Drivers\32\AAWDriverTool.exe
2009-06-30 16:59:00 . 2009-05-26 23:33:28 40288 ----a-w- C:\Documents and Settings\All Users\Application Data\Lavasoft\Ad-Aware\update\PrivacyClean.dll
2009-06-30 16:58:58 . 2009-06-19 13:30:22 664424 ----a-w- C:\Documents and Settings\All Users\Application Data\Lavasoft\Ad-Aware\update\CEAPI.dll
2009-06-30 16:58:56 . 2009-06-19 13:30:19 563064 ----a-w- C:\Documents and Settings\All Users\Application Data\Lavasoft\Ad-Aware\update\Ad-AwareCommand.exe
2009-06-30 16:58:54 . 2009-06-19 13:30:17 566632 ----a-w- C:\Documents and Settings\All Users\Application Data\Lavasoft\Ad-Aware\update\Ad-AwareAdmin.exe
2009-06-30 16:58:51 . 2009-06-19 13:30:15 2352968 ----a-w- C:\Documents and Settings\All Users\Application Data\Lavasoft\Ad-Aware\update\Ad-Aware.exe
2009-06-30 16:58:47 . 2009-06-19 13:30:11 629072 ----a-w- C:\Documents and Settings\All Users\Application Data\Lavasoft\Ad-Aware\update\AAWWSC.exe
2009-06-30 16:58:44 . 2009-06-19 13:30:09 520024 ----a-w- C:\Documents and Settings\All Users\Application Data\Lavasoft\Ad-Aware\update\AAWTray.exe
2009-06-30 16:58:42 . 2009-06-19 13:30:07 1029456 ----a-w- C:\Documents and Settings\All Users\Application Data\Lavasoft\Ad-Aware\update\AAWService.exe
2009-06-30 12:37:26 . 2008-07-02 21:42:59 81192 -c--a-w- C:\Documents and Settings\Billy Corcoran\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-06-29 15:33:17 . 2009-05-19 16:49:48 0 d-----w- C:\Program Files\TechSmith
2009-06-29 15:33:16 . 2009-05-19 16:49:49 0 d-----w- C:\Documents and Settings\All Users\Application Data\TechSmith
2009-06-26 02:36:32 . 2008-07-03 08:17:44 0 d-----w- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2009-06-25 12:05:19 . 2008-10-19 22:13:32 0 d-----w- C:\Program Files\SUPERAntiSpyware
2009-06-24 22:05:17 . 2009-06-02 14:56:06 410984 ----a-w- C:\WINDOWS\system32\deploytk.dll
2009-06-24 21:07:08 . 2008-07-03 10:42:58 0 d-----w- C:\Program Files\MSECACHE
2009-06-24 18:41:57 . 2009-03-04 21:06:59 0 d-----w- C:\Program Files\HyCam2
2009-06-24 17:07:56 . 2009-05-25 14:21:42 0 d-----r- C:\Program Files\Skype
2009-06-24 17:07:54 . 2008-07-03 23:25:11 0 d-----w- C:\Documents and Settings\All Users\Application Data\Skype
2009-06-20 13:29:56 . 2008-07-03 07:59:49 0 d-----w- C:\Program Files\AVG
2009-06-20 10:29:55 . 2009-05-18 19:21:46 0 d-----w- C:\Program Files\NCH Swift Sound
2009-06-19 20:19:23 . 2008-10-12 17:25:34 0 d-----w- C:\Program Files\IObit
2009-06-19 16:25:11 . 2008-10-29 00:37:12 0 d-----w- C:\Program Files\Malwarebytes' Anti-Malware
2009-06-17 10:27:56 . 2008-10-29 00:37:13 38160 ----a-w- C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2009-06-17 10:27:44 . 2008-10-29 00:37:13 19096 -c--a-w- C:\WINDOWS\system32\drivers\mbam.sys
2009-06-02 15:20:59 . 2008-07-03 23:31:36 0 d-----w- C:\Documents and Settings\Billy Corcoran\Application Data\skypePM
2009-06-02 15:05:59 . 2009-06-02 15:05:59 0 d-----w- C:\Program Files\Common Files\Adobe AIR
2009-06-02 14:41:15 . 2009-04-30 23:38:13 0 d-----w- C:\Documents and Settings\Billy Corcoran\Application Data\SUPERAntiSpyware.com
2009-06-02 14:39:46 . 2008-07-03 08:11:04 0 d-----w- C:\Program Files\Common Files\Wise Installation Wizard
2009-06-02 14:31:46 . 2009-06-02 14:31:46 0 d-----w- C:\Program Files\Common Files\xing shared
2009-06-02 14:31:27 . 2008-07-03 08:31:52 0 d-----w- C:\Program Files\Common Files\Real
2009-06-02 14:17:00 . 2009-06-02 14:16:05 0 d-----w- C:\Program Files\QuickTime
2009-06-02 14:16:00 . 2008-09-21 23:01:29 0 d-----w- C:\Documents and Settings\All Users\Application Data\Apple Computer
2009-06-02 06:49:28 . 2009-02-05 20:25:30 0 d-----w- C:\Documents and Settings\Billy Corcoran\Application Data\VMware
2009-05-31 19:19:21 . 2009-05-30 11:09:33 0 d-----w- C:\Program Files\VMware
2009-05-28 17:35:13 . 2008-10-29 00:49:09 3371383 -c--a-w- C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-05-27 22:05:39 . 2009-05-27 22:05:39 390664 ----a-w- C:\Documents and Settings\Billy Corcoran\Application Data\Real\RealPlayer\Update\RealPlayer11.exe
2009-05-26 23:33:53 . 2009-05-26 23:33:53 15688 ----a-w- C:\Documents and Settings\All Users\Application Data\Lavasoft\Ad-Aware\update\lsdelete.exe
2009-05-26 23:33:53 . 2009-03-15 17:03:54 15688 -c--a-w- C:\WINDOWS\system32\lsdelete.exe
2009-05-25 13:35:54 . 2009-05-25 13:35:54 0 d-----w- C:\Program Files\MSBuild
2009-05-25 13:35:32 . 2009-05-25 13:35:32 0 d-----w- C:\Program Files\Reference Assemblies
2009-05-22 13:51:37 . 2009-03-02 00:29:31 0 d-----w- C:\Documents and Settings\All Users\Application Data\WinZip
2009-05-19 16:49:20 . 2009-01-24 17:06:04 0 d-----w- C:\Program Files\BlueVoda Website Builder
2009-05-19 15:31:14 . 2008-07-03 07:42:55 0 d-----w- C:\Program Files\Common Files\Adobe
2009-05-18 19:28:01 . 2009-05-18 19:28:01 0 d-----w- C:\Documents and Settings\All Users\Application Data\NCH Swift Sound
2009-05-18 19:21:46 . 2009-05-18 19:21:46 0 d-----w- C:\Documents and Settings\Billy Corcoran\Application Data\NCH Swift Sound
2009-05-16 16:15:12 . 2009-02-15 17:05:27 0 d-----w- C:\Program Files\HLPSTR
2009-05-16 15:27:50 . 2009-05-16 15:26:06 0 d-----w- C:\Program Files\NCH Software
2009-05-16 15:26:46 . 2009-05-16 15:26:46 0 d-----w- C:\Documents and Settings\All Users\Application Data\NCH Software
2009-05-16 15:22:16 . 2009-05-16 15:22:16 0 d-----w- C:\Documents and Settings\Billy Corcoran\Application Data\Search Settings
2009-05-16 15:14:06 . 2009-05-16 15:14:06 0 d-----w- C:\Program Files\Search Settings
2009-05-16 15:12:31 . 2009-05-16 15:12:26 0 d-----w- C:\Program Files\Free Audio Pack
2009-05-16 15:07:10 . 2009-05-16 15:07:10 0 d-----w- C:\Program Files\Flv2Mp3
2009-05-14 00:37:44 . 2009-05-14 00:37:30 0 d-----w- C:\Program Files\WAV to MP3 Encoder
2009-05-13 15:32:41 . 2009-02-23 23:22:42 0 d-----w- C:\Program Files\FlexiMusic Wave Editor
2009-05-13 15:12:35 . 2009-05-13 15:12:35 0 d-----w- C:\Program Files\Mp3 File Editor
2009-05-13 15:12:16 . 2009-05-13 15:12:35 286720 ----a-w- C:\WINDOWS\iun506.exe
2009-05-10 20:39:48 . 2009-05-10 14:30:16 0 d-----w- C:\Documents and Settings\Billy Corcoran\Application Data\Download Manager
2009-05-07 15:32:35 . 2003-03-31 12:00:00 345600 ----a-w- C:\WINDOWS\system32\localspl.dll
2009-04-29 04:56:02 . 2006-06-23 10:33:58 827392 ----a-w- C:\WINDOWS\system32\wininet.dll
2009-04-29 04:55:56 . 2009-05-25 13:24:38 78336 -c--a-w- C:\WINDOWS\system32\ieencode.dll
2009-04-23 17:43:25 . 2009-04-23 17:43:25 64160 -c--a-w- C:\Documents and Settings\All Users\Application Data\Lavasoft\Ad-Aware\update\Drivers\32\lbd.sys
2009-04-23 17:43:25 . 2009-03-15 16:24:12 64160 -c--a-w- C:\WINDOWS\system32\drivers\Lbd.sys
2009-04-17 23:16:18 . 2009-04-17 23:16:13 6144 -c--a-w- C:\Documents and Settings\Administrator.BILLY-68792BBDT\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10001.dll
2009-04-17 23:16:18 . 2009-04-17 23:16:13 22528 -c--a-w- C:\Documents and Settings\Administrator.BILLY-68792BBDT\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10000.dll
2009-04-17 12:26:40 . 2003-03-31 12:00:00 1847168 ----a-w- C:\WINDOWS\system32\win32k.sys
2009-04-15 14:51:25 . 2004-03-06 02:16:11 585216 ----a-w- C:\WINDOWS\system32\rpcrt4.dll
2009-04-11 15:01:03 . 2009-04-11 15:01:03 388000 -c--a-w- C:\WINDOWS\system32\drivers\timntr.sys
2009-04-11 15:01:03 . 2009-04-11 15:01:03 32288 -c--a-w- C:\WINDOWS\system32\drivers\tifsfilt.sys
2009-04-11 15:00:53 . 2009-04-11 15:00:53 99776 -c--a-w- C:\WINDOWS\system32\drivers\snapman.sys
2009-02-24 19:34:32 . 2009-02-24 19:34:32 1044480 -c--a-w- C:\Program Files\mozilla firefox\plugins\libdivx.dll
2009-02-24 19:34:32 . 2009-02-24 19:34:32 200704 -c--a-w- C:\Program Files\mozilla firefox\plugins\ssldivx.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-14 04:42:18 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"vsc32cnf.exe"="C:\Program Files\Roland\VSC32\vsc32cnf.exe" [2000-02-07 02:02:44 36864]
"vscvol.exe"="C:\Program Files\Roland\VSC32\vscvol.exe" [2000-02-08 22:19:48 36864]
"Ad-Watch"="C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-06-30 16:58:44 520024]
"LogMeIn GUI"="C:\Program Files\LogMeIn\x86\LogMeInSystray.exe" [2008-07-24 17:46:10 63048]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2003-07-28 14:19:00 4841472]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2009-06-20 13:30:11 1948440]
"ThreatFire"="C:\Program Files\ThreatFire\TFTray.exe" [2009-06-19 20:37:21 259344]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2009-02-15 23:10:22 981384]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2008-04-14 04:42:18 15360]

C:\Documents and Settings\Billy Corcoran\Start Menu\Programs\Startup\
SpywareGuard.lnk - C:\Program Files\SpywareGuard\sgmain.exe [2003-8-29 360448]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Belkin Wireless USB Utility.lnk - C:\Program Files\Belkin\USB F5D7050\Wireless Utility\Belkinwcui.exe [2005-10-28 1404928]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 09:13:36 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 11:05:34 356352 ----a-w- C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-06-20 13:30:58 11952 ----a-w- C:\WINDOWS\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2008-10-16 19:35:38 87352 ----a-w- C:\WINDOWS\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"MIDI2"=vscapi.dll
"WAVE3"=vscapi.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=
backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\WINDOWS\\system32\\dpvsetup.exe"=
"C:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Packet Tracer 5.1\\bin\\PacketTracer5.exe"=
"C:\\Program Files\\VMware\\VMware Player\\vmware-authd.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgdiag.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgdiagex.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"5900:TCP"= 5900:TCP:vnc5900
"5800:TCP"= 5800:TCP:vnc5800

R0 hotcore3;hc3ServiceName;C:\WINDOWS\system32\drivers\hotcore3.sys [25/06/2009 17:10:44 40464]
R0 Lbd;Lbd;C:\WINDOWS\system32\drivers\Lbd.sys [15/03/2009 17:24:12 64160]
R0 PCTCore;PCTools KDS;C:\WINDOWS\system32\drivers\PCTCore.sys [25/06/2009 15:47:38 130936]
R0 TfFsMon;TfFsMon;C:\WINDOWS\system32\drivers\TfFsMon.sys [22/06/2009 07:16:57 51984]
R0 TfSysMon;TfSysMon;C:\WINDOWS\system32\drivers\TfSysMon.sys [22/06/2009 07:16:57 46864]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;C:\WINDOWS\system32\drivers\avgldx86.sys [20/06/2009 14:30:50 335752]
R1 AvgTdiX;AVG Free8 Network Redirector;C:\WINDOWS\system32\drivers\avgtdix.sys [20/06/2009 14:30:57 108552]
R1 SASDIFSV;SASDIFSV;C:\Program Files\SUPERAntiSpyware\sasdifsv.sys [26/05/2009 10:05:54 9968]
R1 SASKUTIL;SASKUTIL;C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS [26/05/2009 10:05:52 72944]
R2 avg8wd;AVG Free8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [20/06/2009 14:29:59 298776]
R2 ComodoBackupService;ComodoBackupService;C:\Program Files\Comodo\BackUp\CmdBkSvc.exe [27/11/2008 18:13:56 1023488]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe [09/03/2009 20:06:55 1029456]
R2 LMIInfo;LogMeIn Kernel Information Provider;C:\Program Files\LogMeIn\x86\rainfo.sys [24/07/2008 18:46:12 12856]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;C:\WINDOWS\system32\drivers\LMIRfsDriver.sys [10/04/2009 12:56:34 47640]
R2 RVIEGVST;VSC VST Engine;C:\Program Files\Roland\Virtual Sound Canvas VST\RVIEg01VST.sys [13/08/2008 23:25:19 188276]
R2 ThreatFire;ThreatFire;C:\Program Files\ThreatFire\TFService.exe service --> C:\Program Files\ThreatFire\TFService.exe service [?]
R2 vmci;VMware vmci;C:\WINDOWS\system32\drivers\vmci.sys [26/03/2009 22:58:38 54960]
R3 TfNetMon;TfNetMon;C:\WINDOWS\system32\drivers\TfNetMon.sys [22/06/2009 07:16:57 33552]
R3 vsc32;Virtual Sound Canvas 3.2;C:\WINDOWS\system32\drivers\vsc.sys [13/08/2008 23:23:11 951284]
S3 MEMSWEEP2;MEMSWEEP2;C:\WINDOWS\system32\77.tmp [25/06/2009 14:15:36 5760]
S3 SASENUM;SASENUM;C:\Program Files\SUPERAntiSpyware\SASENUM.SYS [26/05/2009 10:05:56 7408]
S3 sdAuxService;PC Tools Auxiliary Service;C:\Program Files\Spyware Doctor\pctsAuxs.exe [25/06/2009 15:47:16 348752]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]

--- Other Services/Drivers In Memory ---

*Deregistered* - mchInjDrv
.
Contents of the 'Scheduled Tasks' folder

2009-06-29 C:\WINDOWS\Tasks\Ad-Aware Update (Weekly).job
- C:\Program Files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 19:06:56 . 2009-06-30 16:58:54]
.
.
------- Supplementary Scan -------
.
uStart Page = www.google.ie/
IE: E&xport to Microsoft Excel - C:\PROGRA~1\Microsoft Office\OFFICE11\EXCEL.EXE/3000
LSP: C:\Program Files\VMware\VMware Player\vsocklib.dll
FF - ProfilePath - C:\Documents and Settings\Billy Corcoran\Application Data\Mozilla\Firefox\Profiles\e22nb6s4.default\
FF - component: C:\Program Files\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: C:\Program Files\Mozilla Firefox\extensions\search@searchsettings.com\components\SearchSettingsFF.dll
FF - plugin: C:\Documents and Settings\Billy Corcoran\Local Settings\Application Data\Google\Update\1.2.145.5\npGoogleOneClick8.dll
FF - plugin: F:\DivX\DivX Player\npDivxPlayerPlugin.dll
FF - plugin: F:\DivX\DivX Web Player\npdivx32.dll
FF - HiddenExtension: Java Console: No Registry Reference - C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
C:\Program Files\Mozilla Firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
C:\Program Files\Mozilla Firefox\greprefs\all.js - pref("media.cache_size", 51200);
C:\Program Files\Mozilla Firefox\greprefs\all.js - pref("media.ogg.enabled", true);
C:\Program Files\Mozilla Firefox\greprefs\all.js - pref("media.wave.enabled", true);
C:\Program Files\Mozilla Firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
C:\Program Files\Mozilla Firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
C:\Program Files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
C:\Program Files\Mozilla Firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
C:\Program Files\Mozilla Firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
C:\Program Files\Mozilla Firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
C:\Program Files\Mozilla Firefox\greprefs\all.js - pref("layout.css.dpi", -1);
C:\Program Files\Mozilla Firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
C:\Program Files\Mozilla Firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
C:\Program Files\Mozilla Firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
C:\Program Files\Mozilla Firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
C:\Program Files\Mozilla Firefox\greprefs\all.js - pref("geo.enabled", true);
C:\Program Files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
C:\Program Files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
C:\Program Files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
C:\Program Files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
C:\Program Files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
C:\Program Files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
C:\Program Files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
C:\Program Files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
C:\Program Files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
C:\Program Files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
C:\Program Files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
C:\Program Files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
C:\Program Files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
C:\Program Files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
C:\Program Files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
C:\Program Files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
C:\Program Files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
C:\Program Files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
C:\Program Files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
C:\Program Files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
C:\Program Files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
C:\Program Files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
C:\Program Files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
C:\Program Files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
C:\Program Files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
C:\Program Files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
C:\Program Files\Mozilla Firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
C:\Program Files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
C:\Program Files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
C:\Program Files\Mozilla Firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");
.
BillyC
Regular Member
 
Posts: 17
Joined: June 29th, 2009, 5:39 am

Re: Am i still infected?

Unread postby jmw3 » July 4th, 2009, 6:49 am

Hi
I'm afraid that log is still not complete. If it is too large for one post you may have to split it over a couple of replies.
Thanks
jmw3
MRU Emeritus
 
Posts: 4621
Joined: February 12th, 2008, 2:36 am
Location: Port Hedland, Western Australia

Re: Am i still infected?

Unread postby BillyC » July 4th, 2009, 9:33 am

Hi

I have double checked the ComboFix folder on C: and the log is the same as the one I sent to you. Just after ComboFix put up the dialogue box to say that the scan was complete, my desktop icons disappeared (and taskbar), then I got the dreaded blue screen. Something obviously happened and my OS didn't like it. I sent you the error codes in the post before last. Perhaps ComboFix didn't finish the scan properly? Do you know why my PC reacted in this way?

Billy
BillyC
Regular Member
 
Posts: 17
Joined: June 29th, 2009, 5:39 am

Re: Am i still infected?

Unread postby BillyC » July 4th, 2009, 11:06 am

Should I run ComboFix again?
BillyC
Regular Member
 
Posts: 17
Joined: June 29th, 2009, 5:39 am

Re: Am i still infected?

Unread postby jmw3 » July 4th, 2009, 7:32 pm

Hello BillyC
Apologies for the late reply. Was seeking some advice from the makers of ComboFix.
Possible cause of the BSOD is the multiple Anti-virus & Anti-spyware programs conflicting with ComboFix:

AV: AVG Internet Security *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: Spyware Doctor with AntiVirus *On-access scanning disabled* (Updated) {D3C23B96-C9DC-477F-8EF1-69AF17A6EFF6}

Uninstall one of them, disable the other then run ComboFix again & post the log.

Thanks
jmw3
MRU Emeritus
 
Posts: 4621
Joined: February 12th, 2008, 2:36 am
Location: Port Hedland, Western Australia

Re: Am i still infected?

Unread postby BillyC » July 5th, 2009, 9:14 am

Hi JMW3,

No problem, I'm sure you have too much to do as it is.

I have run ComboFix again and got the complete log this time. Strangely enough, ComboFix reports that AVG is active, even though I have completely uninstalled the program!!
Also I notice that ComboFix has removed my SuperAntiSpyware shortcut, but didn't touch the program. It has also removed parts of the SmitFraudFix program... False positives??

Anyway here's the long awaited log :-)

ComboFix 09-07-04.05 - Billy Corcoran 05/07/2009 13:28.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.353.1033.18.2047.1549 [GMT 1:00]
Running from: c:\documents and settings\Billy Corcoran\Desktop\CleanUp\ComboFix.exe
AV: AVG Internet Security *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: Spyware Doctor with AntiVirus *On-access scanning disabled* (Updated) {D3C23B96-C9DC-477F-8EF1-69AF17A6EFF6}
FW: ZoneAlarm Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
c:\documents and settings\Billy Corcoran\Application Data\Microsoft\Internet Explorer\Quick Launch\SUPERAntiSpyware Free Edition.lnk
c:\windows\Installer\11b7bca.msi
c:\windows\Installer\14cb40.msi
c:\windows\Installer\3b027.msi
c:\windows\Installer\491d5e.msi
c:\windows\Installer\c14031.msi
c:\windows\jestertb.dll
c:\windows\system32\404Fix.exe
c:\windows\system32\Agent.OMZ.Fix.exe
c:\windows\system32\dumphive.exe
c:\windows\system32\IEDFix.C.exe
c:\windows\system32\IEDFix.exe
c:\windows\system32\o4Patch.exe
c:\windows\system32\Process.exe
c:\windows\system32\SrchSTS.exe
c:\windows\system32\tmp.reg
c:\windows\system32\VCCLSID.exe
c:\windows\system32\WS2Fix.exe

.
((((((((((((((((((((((((( Files Created from 2009-06-05 to 2009-07-05 )))))))))))))))))))))))))))))))
.

2009-07-04 16:39 . 2009-07-05 12:12 -------- d-----w- c:\program files\Cobian Backup 9
2009-07-03 09:42 . 2009-07-03 09:42 -------- d--h--w- c:\windows\PIF
2009-06-30 12:40 . 2009-06-30 12:40 -------- d-----w- c:\documents and settings\Billy Corcoran\Tracing
2009-06-30 12:34 . 2009-06-30 12:34 -------- d-----w- c:\program files\Microsoft
2009-06-30 12:33 . 2009-06-30 12:33 -------- d-----w- c:\program files\Windows Live SkyDrive
2009-06-30 12:33 . 2009-06-30 12:34 -------- d-----w- c:\program files\Windows Live
2009-06-30 12:22 . 2009-06-30 12:22 -------- d-----w- c:\program files\Common Files\Windows Live
2009-06-30 12:01 . 2009-06-30 12:01 -------- d-----w- c:\program files\filehippo.com
2009-06-28 21:16 . 2009-06-28 21:16 -------- d-----w- c:\program files\Trend Micro
2009-06-25 16:10 . 2008-06-28 01:42 40464 ----a-w- c:\windows\system32\drivers\hotcore3.sys
2009-06-25 16:09 . 2009-06-25 16:09 -------- d-----w- c:\program files\Paragon Software
2009-06-25 15:20 . 2009-06-25 15:20 4212 ---ha-w- c:\windows\system32\zllictbl.dat
2009-06-25 15:20 . 2009-02-15 23:10 69000 ----a-w- c:\windows\system32\zlcomm.dll
2009-06-25 15:20 . 2009-02-15 23:10 103816 ----a-w- c:\windows\system32\zlcommdb.dll
2009-06-25 15:20 . 2009-02-15 23:10 1221512 ----a-w- c:\windows\system32\zpeng25.dll
2009-06-25 15:19 . 2009-06-25 15:20 -------- d-----w- c:\windows\system32\ZoneLabs
2009-06-25 15:19 . 2009-06-25 15:19 -------- d-----w- c:\program files\Zone Labs
2009-06-25 15:17 . 2009-07-05 12:21 -------- d-----w- c:\windows\Internet Logs
2009-06-25 14:47 . 2008-12-11 07:38 159600 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2009-06-25 14:47 . 2009-06-25 15:06 130936 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2009-06-25 14:47 . 2008-12-18 11:16 73840 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2009-06-25 14:47 . 2009-06-25 14:57 -------- d-----w- c:\program files\Common Files\PC Tools
2009-06-25 14:47 . 2008-12-10 11:36 64392 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2009-06-25 14:47 . 2009-07-02 16:52 -------- d-----w- c:\program files\Spyware Doctor
2009-06-25 14:47 . 2009-06-25 14:47 -------- d-----w- c:\documents and settings\Billy Corcoran\Application Data\PC Tools
2009-06-25 12:48 . 2009-06-25 12:48 -------- d-----w- c:\documents and settings\Billy Corcoran\Application Data\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
2009-06-25 09:46 . 2009-06-25 09:46 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-06-24 22:04 . 2009-06-24 22:04 -------- d-----w- c:\program files\Java
2009-06-24 21:07 . 2009-06-24 21:07 3584 ----a-r- c:\documents and settings\Billy Corcoran\Application Data\Microsoft\Installer\{121634B0-2F4B-11D3-ADA3-00C04F52DD52}\Icon386ED4E3.exe
2009-06-24 21:07 . 2009-06-24 21:07 -------- d-----w- c:\program files\Windows Installer Clean Up
2009-06-24 20:32 . 2009-06-24 20:32 152576 ----a-w- c:\documents and settings\Billy Corcoran\Application Data\Sun\Java\jre1.6.0_14\lzma.dll
2009-06-24 19:43 . 2009-06-29 15:14 -------- d-----w- c:\program files\SpywareGuard
2009-06-24 19:24 . 2009-06-24 19:25 -------- d-----w- C:\MBtools.exe
2009-06-22 06:16 . 2009-06-19 20:37 46864 ----a-w- c:\windows\system32\drivers\TfSysMon.sys
2009-06-22 06:16 . 2009-06-19 20:37 33552 ----a-w- c:\windows\system32\drivers\TfNetMon.sys
2009-06-22 06:16 . 2009-06-19 20:37 51984 ----a-w- c:\windows\system32\drivers\TfFsMon.sys
2009-06-22 06:16 . 2009-06-25 14:47 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2009-06-22 06:16 . 2009-06-24 21:36 -------- d-----w- c:\program files\ThreatFire
2009-06-20 17:22 . 2009-06-24 20:10 -------- d-----w- c:\program files\SpywareBlaster
2009-06-20 13:30 . 2009-06-20 13:30 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-06-20 13:30 . 2009-06-20 13:30 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-06-20 13:30 . 2009-07-01 06:25 335752 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-06-20 13:30 . 2009-06-20 13:30 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-06-20 13:30 . 2009-07-05 11:52 -------- d-----w- c:\windows\system32\drivers\Avg
2009-06-19 20:19 . 2009-06-19 20:19 -------- d-----w- c:\documents and settings\All Users\Application Data\IObit
2009-06-19 12:42 . 2009-07-02 19:30 -------- d-----w- c:\program files\Enigma Software Group
2009-06-14 08:44 . 2009-06-14 08:50 -------- d-----w- c:\documents and settings\Billy Corcoran\Application Data\TrueCrypt
2009-06-14 08:42 . 2009-06-30 12:20 217664 ----a-w- c:\windows\system32\drivers\truecrypt.sys
2009-06-14 08:42 . 2009-06-14 08:42 -------- d-----w- c:\program files\TrueCrypt
2009-06-10 12:25 . 2009-06-10 12:25 -------- d-----w- c:\program files\EZBackitup

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-05 12:22 . 2009-02-05 19:18 -------- d-----w- c:\documents and settings\LocalService\Application Data\VMware
2009-07-05 12:22 . 2008-10-12 18:45 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-07-05 12:22 . 2009-02-05 19:15 -------- d-----w- c:\documents and settings\All Users\Application Data\VMware
2009-07-05 11:56 . 2008-07-03 07:59 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-07-05 11:47 . 2009-04-10 11:55 -------- d-----w- c:\program files\LogMeIn
2009-07-05 11:46 . 2009-07-05 11:46 600950 ----a-w- c:\windows\Internet Logs\tvDebug.Zip
2009-07-04 19:30 . 2009-07-05 11:46 1556480 ----a-w- c:\windows\Internet Logs\xDB2.tmp
2009-07-04 13:24 . 2008-07-03 08:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-07-04 03:00 . 2009-07-04 03:01 1547776 ----a-w- c:\windows\Internet Logs\xDB1.tmp
2009-07-01 21:59 . 2009-06-02 14:42 117760 ----a-w- c:\documents and settings\Billy Corcoran\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-06-30 16:59 . 2009-06-19 13:30 314712 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\threatwork.exe
2009-06-30 16:59 . 2009-06-19 13:30 25440 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\savapibridge.dll
2009-06-30 16:59 . 2009-06-19 13:30 169312 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\lavamessage.dll
2009-06-30 16:59 . 2009-06-19 13:30 348496 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\lavalicense.dll
2009-06-30 16:59 . 2009-06-19 13:30 298336 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\UpdateManager.dll
2009-06-30 16:59 . 2009-05-26 23:33 84832 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\ShellExt.dll
2009-06-30 16:59 . 2009-06-19 13:30 1630560 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\Resources.dll
2009-06-30 16:59 . 2009-05-26 23:33 246128 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\RPAPI.dll
2009-06-30 16:59 . 2009-06-19 13:30 85352 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\Drivers\32\AAWDriverTool.exe
2009-06-30 16:59 . 2009-05-26 23:33 40288 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\PrivacyClean.dll
2009-06-30 16:58 . 2009-06-19 13:30 664424 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\CEAPI.dll
2009-06-30 16:58 . 2009-06-19 13:30 563064 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\Ad-AwareCommand.exe
2009-06-30 16:58 . 2009-06-19 13:30 566632 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\Ad-AwareAdmin.exe
2009-06-30 16:58 . 2009-06-19 13:30 2352968 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\Ad-Aware.exe
2009-06-30 16:58 . 2009-06-19 13:30 629072 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\AAWWSC.exe
2009-06-30 16:58 . 2009-06-19 13:30 520024 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\AAWTray.exe
2009-06-30 16:58 . 2009-06-19 13:30 1029456 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\AAWService.exe
2009-06-30 12:37 . 2008-07-02 21:42 81192 -c--a-w- c:\documents and settings\Billy Corcoran\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-06-29 15:33 . 2009-05-19 16:49 -------- d-----w- c:\program files\TechSmith
2009-06-29 15:33 . 2009-05-19 16:49 -------- d-----w- c:\documents and settings\All Users\Application Data\TechSmith
2009-06-25 12:05 . 2008-10-19 22:13 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-06-24 22:05 . 2009-06-02 14:56 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-06-24 21:07 . 2008-07-03 10:42 -------- d-----w- c:\program files\MSECACHE
2009-06-24 18:41 . 2009-03-04 21:06 -------- d-----w- c:\program files\HyCam2
2009-06-24 17:07 . 2009-05-25 14:21 -------- d-----r- c:\program files\Skype
2009-06-24 17:07 . 2008-07-03 23:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2009-06-20 13:29 . 2008-07-03 07:59 -------- d-----w- c:\program files\AVG
2009-06-20 10:29 . 2009-05-18 19:21 -------- d-----w- c:\program files\NCH Swift Sound
2009-06-19 20:19 . 2008-10-12 17:25 -------- d-----w- c:\program files\IObit
2009-06-19 16:25 . 2008-10-29 00:37 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-17 10:27 . 2008-10-29 00:37 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-17 10:27 . 2008-10-29 00:37 19096 -c--a-w- c:\windows\system32\drivers\mbam.sys
2009-06-02 15:20 . 2008-07-03 23:31 -------- d-----w- c:\documents and settings\Billy Corcoran\Application Data\skypePM
2009-06-02 15:05 . 2009-06-02 15:05 -------- d-----w- c:\program files\Common Files\Adobe AIR
2009-06-02 14:41 . 2009-04-30 23:38 -------- d-----w- c:\documents and settings\Billy Corcoran\Application Data\SUPERAntiSpyware.com
2009-06-02 14:39 . 2008-07-03 08:11 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-06-02 14:31 . 2009-06-02 14:31 -------- d-----w- c:\program files\Common Files\xing shared
2009-06-02 14:31 . 2008-07-03 08:31 -------- d-----w- c:\program files\Common Files\Real
2009-06-02 14:17 . 2009-06-02 14:16 -------- d-----w- c:\program files\QuickTime
2009-06-02 14:16 . 2008-09-21 23:01 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2009-06-02 06:49 . 2009-02-05 20:25 -------- d-----w- c:\documents and settings\Billy Corcoran\Application Data\VMware
2009-05-31 19:19 . 2009-05-30 11:09 -------- d-----w- c:\program files\VMware
2009-05-28 17:35 . 2008-10-29 00:49 3371383 -c--a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-05-27 22:05 . 2009-05-27 22:05 390664 ----a-w- c:\documents and settings\Billy Corcoran\Application Data\Real\RealPlayer\Update\RealPlayer11.exe
2009-05-26 23:33 . 2009-05-26 23:33 15688 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\lsdelete.exe
2009-05-26 23:33 . 2009-03-15 17:03 15688 -c--a-w- c:\windows\system32\lsdelete.exe
2009-05-25 13:35 . 2009-05-25 13:35 -------- d-----w- c:\program files\MSBuild
2009-05-25 13:35 . 2009-05-25 13:35 -------- d-----w- c:\program files\Reference Assemblies
2009-05-22 13:51 . 2009-03-02 00:29 -------- d-----w- c:\documents and settings\All Users\Application Data\WinZip
2009-05-19 16:49 . 2009-01-24 17:06 -------- d-----w- c:\program files\BlueVoda Website Builder
2009-05-19 15:31 . 2008-07-03 07:42 -------- d-----w- c:\program files\Common Files\Adobe
2009-05-18 19:28 . 2009-05-18 19:28 -------- d-----w- c:\documents and settings\All Users\Application Data\NCH Swift Sound
2009-05-18 19:21 . 2009-05-18 19:21 -------- d-----w- c:\documents and settings\Billy Corcoran\Application Data\NCH Swift Sound
2009-05-16 16:15 . 2009-02-15 17:05 -------- d-----w- c:\program files\HLPSTR
2009-05-16 15:27 . 2009-05-16 15:26 -------- d-----w- c:\program files\NCH Software
2009-05-16 15:26 . 2009-05-16 15:26 -------- d-----w- c:\documents and settings\All Users\Application Data\NCH Software
2009-05-16 15:22 . 2009-05-16 15:22 -------- d-----w- c:\documents and settings\Billy Corcoran\Application Data\Search Settings
2009-05-16 15:14 . 2009-05-16 15:14 -------- d-----w- c:\program files\Search Settings
2009-05-16 15:12 . 2009-05-16 15:12 -------- d-----w- c:\program files\Free Audio Pack
2009-05-16 15:07 . 2009-05-16 15:07 -------- d-----w- c:\program files\Flv2Mp3
2009-05-14 00:37 . 2009-05-14 00:37 -------- d-----w- c:\program files\WAV to MP3 Encoder
2009-05-13 15:32 . 2009-02-23 23:22 -------- d-----w- c:\program files\FlexiMusic Wave Editor
2009-05-13 15:12 . 2009-05-13 15:12 -------- d-----w- c:\program files\Mp3 File Editor
2009-05-13 15:12 . 2009-05-13 15:12 286720 ----a-w- c:\windows\iun506.exe
2009-05-10 20:39 . 2009-05-10 14:30 -------- d-----w- c:\documents and settings\Billy Corcoran\Application Data\Download Manager
2009-05-07 15:32 . 2003-03-31 12:00 345600 ----a-w- c:\windows\system32\localspl.dll
2009-04-29 04:56 . 2006-06-23 10:33 827392 ----a-w- c:\windows\system32\wininet.dll
2009-04-29 04:55 . 2009-05-25 13:24 78336 -c--a-w- c:\windows\system32\ieencode.dll
2009-04-23 17:43 . 2009-04-23 17:43 64160 -c--a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\Drivers\32\lbd.sys
2009-04-23 17:43 . 2009-03-15 16:24 64160 -c--a-w- c:\windows\system32\drivers\Lbd.sys
2009-04-17 23:16 . 2009-04-17 23:16 6144 -c--a-w- c:\documents and settings\Administrator.BILLY-68792BBDT\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10001.dll
2009-04-17 23:16 . 2009-04-17 23:16 22528 -c--a-w- c:\documents and settings\Administrator.BILLY-68792BBDT\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10000.dll
2009-04-17 12:26 . 2003-03-31 12:00 1847168 ----a-w- c:\windows\system32\win32k.sys
2009-04-15 14:51 . 2004-03-06 02:16 585216 ----a-w- c:\windows\system32\rpcrt4.dll
2009-04-11 15:01 . 2009-04-11 15:01 388000 -c--a-w- c:\windows\system32\drivers\timntr.sys
2009-04-11 15:01 . 2009-04-11 15:01 32288 -c--a-w- c:\windows\system32\drivers\tifsfilt.sys
2009-04-11 15:00 . 2009-04-11 15:00 99776 -c--a-w- c:\windows\system32\drivers\snapman.sys
2009-02-24 19:34 . 2009-02-24 19:34 1044480 -c--a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-02-24 19:34 . 2009-02-24 19:34 200704 -c--a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-07-03_17.34.59 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-07-05 12:22 . 2009-07-05 12:22 16384 c:\windows\Temp\Perflib_Perfdata_8b0.dat
+ 2009-07-05 12:22 . 2009-07-05 12:22 16384 c:\windows\Temp\Perflib_Perfdata_590.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"vsc32cnf.exe"="c:\program files\Roland\VSC32\vsc32cnf.exe" [2000-02-07 36864]
"vscvol.exe"="c:\program files\Roland\VSC32\vscvol.exe" [2000-02-08 36864]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-06-30 520024]
"LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2008-07-24 63048]
"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2003-07-28 4841472]
"ThreatFire"="c:\program files\ThreatFire\TFTray.exe" [2009-06-19 259344]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2009-02-15 981384]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\Billy Corcoran\Start Menu\Programs\Startup\
SpywareGuard.lnk - c:\program files\SpywareGuard\sgmain.exe [2003-8-29 360448]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Belkin Wireless USB Utility.lnk - c:\program files\Belkin\USB F5D7050\Wireless Utility\Belkinwcui.exe [2005-10-28 1404928]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 11:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-06-20 13:30 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2008-10-16 19:35 87352 ----a-w- c:\windows\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"MIDI2"=vscapi.dll
"WAVE3"=vscapi.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=
backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Packet Tracer 5.1\\bin\\PacketTracer5.exe"=
"c:\\Program Files\\VMware\\VMware Player\\vmware-authd.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"5900:TCP"= 5900:TCP:vnc5900
"5800:TCP"= 5800:TCP:vnc5800

R0 hotcore3;hc3ServiceName;c:\windows\system32\drivers\hotcore3.sys [25/06/2009 17:10 40464]
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [15/03/2009 17:24 64160]
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [25/06/2009 15:47 130936]
R0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys [22/06/2009 07:16 51984]
R0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys [22/06/2009 07:16 46864]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [20/06/2009 14:30 335752]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [20/06/2009 14:30 108552]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [26/05/2009 10:05 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [26/05/2009 10:05 72944]
R2 ComodoBackupService;ComodoBackupService;c:\program files\Comodo\BackUp\CmdBkSvc.exe [27/11/2008 18:13 1023488]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [24/07/2008 18:46 12856]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [10/04/2009 12:56 47640]
R2 RVIEGVST;VSC VST Engine;c:\program files\Roland\Virtual Sound Canvas VST\RVIEg01VST.sys [13/08/2008 23:25 188276]
R2 ThreatFire;ThreatFire;c:\program files\ThreatFire\TFService.exe service --> c:\program files\ThreatFire\TFService.exe service [?]
R2 vmci;VMware vmci;c:\windows\system32\drivers\vmci.sys [26/03/2009 22:58 54960]
R3 TfNetMon;TfNetMon;c:\windows\system32\drivers\TfNetMon.sys [22/06/2009 07:16 33552]
R3 vsc32;Virtual Sound Canvas 3.2;c:\windows\system32\drivers\vsc.sys [13/08/2008 23:23 951284]
S2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [20/06/2009 14:29 298776]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [09/03/2009 20:06 1029456]
S3 MEMSWEEP2;MEMSWEEP2;c:\windows\system32\77.tmp [25/06/2009 14:15 5760]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [26/05/2009 10:05 7408]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [25/06/2009 15:47 348752]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]

--- Other Services/Drivers In Memory ---

*Deregistered* - mchInjDrv
.
Contents of the 'Scheduled Tasks' folder

2009-06-29 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 16:58]
.
.
------- Supplementary Scan -------
.
uStart Page = www.google.ie/
IE: E&xport to Microsoft Excel - c:\progra~1\Microsoft Office\OFFICE11\EXCEL.EXE/3000
LSP: c:\program files\VMware\VMware Player\vsocklib.dll
FF - ProfilePath - c:\documents and settings\Billy Corcoran\Application Data\Mozilla\Firefox\Profiles\e22nb6s4.default\
FF - component: c:\program files\Mozilla Firefox\extensions\search@searchsettings.com\components\SearchSettingsFF.dll
FF - plugin: c:\documents and settings\Billy Corcoran\Local Settings\Application Data\Google\Update\1.2.145.5\npGoogleOneClick8.dll
FF - plugin: f:\divx\DivX Player\npDivxPlayerPlugin.dll
FF - plugin: f:\divx\DivX Web Player\npdivx32.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-05 13:33
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\77.tmp"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1016)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\LMIinit.dll
c:\program files\ThreatFire\TFWAH.dll
c:\program files\ThreatFire\TFNI.dll
c:\program files\ThreatFire\TFMon.dll
c:\program files\ThreatFire\TFRK.dll
c:\windows\system32\ac3filter.acm
c:\windows\system32\sirenacm.dll

- - - - - - - > 'lsass.exe'(1072)
c:\program files\ThreatFire\TFWAH.dll

- - - - - - - > 'explorer.exe'(1700)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\windows\system32\LMIRfsClientNP.dll
.
Completion time: 2009-07-05 13:40
ComboFix-quarantined-files.txt 2009-07-05 12:38

Pre-Run: 27,786,387,456 bytes free
Post-Run: 27,771,359,232 bytes free

365 --- E O F --- 2009-07-01 06:29
BillyC
Regular Member
 
Posts: 17
Joined: June 29th, 2009, 5:39 am

Re: Am i still infected?

Unread postby jmw3 » July 5th, 2009, 10:56 am

Hello BillyC

Hi
Strangely enough ComboFix reports that AVG is active, even though I have completely uninstalled the program!!
Looks as though it is still registered in the WMI. We'll get rid of it.

I see you have Advanced SystemCare 3. Some interesting reading here regarding this program:
http://www.brighthub.com/computing/smb- ... 30034.aspx
http://www.vistax64.com/software/224431 ... e-3-a.html
Personally I wouldn't have it near any of my computers. Use it with caution.

Fix HiJackThis Entries
  • Open HiJackThis
  • Click on Do a system scan only
  • Place a checkmark next to these lines (if still present):
R3 - URLSearchHook: (no name) - {E312764E-7706-43F1-8DAB-FCDD2B1E416D} - (no file)
O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O3 - Toolbar: ZoneAlarm Spy Blocker Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present <----- Fix if you did not set yourself
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present <----- Fix if you did not set yourself


  • Close all windows except Hijackthis and click Fix Checked
  • Click Yes when prompted
  • Close HijackThis.
CFScript
Close any open browsers.
Open notepad and copy/paste the text in the code box below into it:

Code:
SecCenter::
AV: AVG Internet Security *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
Driver::
ASKService
Folder::
C:\Program Files\AskBarDis
Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000000

Save this as CFScript.txt, in the same location as ComboFix.exe

Image

Referring to the picture above, drag CFScript into ComboFix.exe
When finished, it shall produce a log for you at "C:\ComboFix.txt"
Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall
A word of warning: Neither I nor sUBs are responsible for any damage you may cause to your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


TFC (Temp File Cleaner)
Download TFC (Temp File Cleaner) by Old Timer Here & save it to your desktop.
  • Save any unsaved work. TFC Cleaner will close all open application windows
  • Double-click TFC.exe to run the program, your desktop will temporarily disappear
  • If prompted, click Yes to reboot
Note: Save your work. TFC will automatically close any open programs, let it run uninterrupted. It shouldn't take any longer than a couple of minutes & may only take a few seconds. Only if needed will you be prompted to reboot.

Kaspersky Online Scan
Do an online scan with >Kaspersky Online Scanner<
  • Read through the requirements and privacy statement and click on Accept button
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run
  • When the downloads have finished, click on Settings
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
      Spyware, Adware, Dialers, and other potentially dangerous programs
      Archives
      Mail databases
  • Click on My Computer under Scan
  • Once the scan is complete, it will display the results. Click on View Scan Report
  • You will see a list of infected items there. Click on Save Report As...
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button
  • Please post this log in your next reply
To post in next reply:
ComboFix log
Kaspersky Scan log
New HijackThis log
jmw3
MRU Emeritus
 
Posts: 4621
Joined: February 12th, 2008, 2:36 am
Location: Port Hedland, Western Australia
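A small triage script for ComboFix-style log excerpts like the one posted above, added here as an example; it is not ComboFix, HijackThis or forum code, and the section and line patterns it recognises are assumptions drawn from the log as posted. It flags the same kinds of entries a helper reads for: a service whose image is a .tmp file, a service whose file is missing or could not be verified, globally open remote-access ports, and the Security Center "DisableMonitoring" value that the CFScript above resets. A finding is a prompt to look at the entry, not a verdict (the MEMSWEEP2 driver, for instance, is flagged only because of its path). The sample log is constructed from lines in the shape of the posted one.

```python
"""Triage helper for ComboFix-style log excerpts.

Added example: not part of ComboFix, HijackThis or the forum's procedure.
It recognises only the line shapes visible in the posted log (service
lines, registry keys and values, firewall policy keys) and turns a few of
them into review prompts. A finding is a reason to look closer, not a
malware verdict.
"""
import re
from dataclasses import dataclass
from typing import List

# Constructed sample in the shape of the posted log (values copied from it).
SAMPLE_LOG = r"""
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"5900:TCP"= 5900:TCP:vnc5900
"5800:TCP"= 5800:TCP:vnc5800

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [15/03/2009 17:24 64160]
R2 ThreatFire;ThreatFire;c:\program files\ThreatFire\TFService.exe service --> c:\program files\ThreatFire\TFService.exe service [?]
S3 MEMSWEEP2;MEMSWEEP2;c:\windows\system32\77.tmp [25/06/2009 14:15 5760]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')
# "R0 name;display;path [date time size]" as ComboFix prints services/drivers.
SERVICE_RE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.*)$")

# Inbound ports a helper should ask about when a home PC opens them globally.
REMOTE_ACCESS_PORTS = {3389: "RDP", 5900: "VNC", 5800: "VNC web client"}


@dataclass
class Finding:
    severity: str  # "review" (ask the user) or "info" (explainable, note it)
    line: str      # the log line that triggered the finding
    reason: str


def reg_int(value: str) -> int:
    """Parse the two numeric shapes the log uses: 'dword:00000001' and '0 (0x0)'."""
    v = value.strip()
    if v.lower().startswith("dword:"):
        return int(v[len("dword:"):], 16)
    return int(v.split()[0])


def check_service(line: str, name: str, rest: str) -> List[Finding]:
    out = []
    rest = rest.strip()
    if rest == "[x]":
        return [Finding("review", line, f"service {name}: registered but its file is missing")]
    if rest.endswith("[?]"):
        out.append(Finding("review", line, f"service {name}: ComboFix could not verify the binary"))
    # Binary path = text before the " [date size]" tail, before any "-->" rewrite.
    path = rest.split(" [", 1)[0].split(" --> ")[0].strip()
    ext = path.rsplit(".", 1)[-1].lower() if "." in path else ""
    if ext == "tmp" or "\\temp\\" in path.lower():
        out.append(Finding("review", line,
                           f"service {name}: loads from a temporary-looking file ({path})"))
    return out


def check_value(line: str, key: str, name: str, value: str) -> List[Finding]:
    k = key.lower()
    if k.endswith("firewallpolicy\\standardprofile") and name == "EnableFirewall":
        if reg_int(value) == 0:
            return [Finding("info", line, "Windows Firewall is off for the standard profile "
                            "(expected when a third-party firewall such as ZoneAlarm is installed)")]
    elif k.endswith("globallyopenports\\list"):
        m = re.match(r"^(\d+):(tcp|udp)$", name, re.I)
        if m and int(m.group(1)) in REMOTE_ACCESS_PORTS:
            port = int(m.group(1))
            return [Finding("review", line,
                            f"inbound {m.group(2).upper()} port {port} ({REMOTE_ACCESS_PORTS[port]}) is open to all")]
    elif "security center\\monitoring\\" in k and name == "DisableMonitoring":
        if reg_int(value) != 0:
            product = key.rsplit("\\", 1)[-1]
            return [Finding("review", line, f"Security Center monitoring disabled for {product}")]
    return []


def triage(log_text: str) -> List[Finding]:
    """Walk the log once, tracking the current registry key, and collect findings."""
    findings: List[Finding] = []
    current_key = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := KEY_RE.match(line):
            current_key = m.group(1)
            continue
        if m := SERVICE_RE.match(line):
            findings.extend(check_service(line, m.group(2), m.group(4)))
            continue
        if m := VALUE_RE.match(line):
            findings.extend(check_value(line, current_key, m.group(1), m.group(2)))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity}] {f.reason}\n    {f.line}")
```

To run it over a real log, read the saved ComboFix.txt into a string and pass it to `triage()` in place of `SAMPLE_LOG`; the "info" entry for the Windows Firewall is printed so the helper can confirm a third-party firewall accounts for it, while "review" entries are the ones to ask about before deciding on a fix.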

Re: Am i still infected?

Unread postby BillyC » July 5th, 2009, 9:03 pm

Hello Jmw3
I am having a problem when I drag the CFScript.exe onto ComboFix. I have attached a screenshot of the error and it pretty much explains the problem.
No problems with the Kaspersky scan and the new HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 01:22:49, on 06/07/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16850)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Comodo\BackUp\CmdBkSvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\ThreatFire\TFService.exe
C:\WINDOWS\system32\vmnat.exe
C:\WINDOWS\system32\vmnetdhcp.exe
C:\Program Files\VMware\VMware Player\vmware-authd.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Roland\VSC32\vsc32cnf.exe
C:\Program Files\Roland\VSC32\vscvol.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\ThreatFire\TFTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Belkin\USB F5D7050\Wireless Utility\Belkinwcui.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.ie/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [vsc32cnf.exe] C:\Program Files\Roland\VSC32\vsc32cnf.exe
O4 - HKLM\..\Run: [vscvol.exe] C:\Program Files\Roland\VSC32\vscvol.exe
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ThreatFire] C:\Program Files\ThreatFire\TFTray.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Belkin Wireless USB Utility.lnk = C:\Program Files\Belkin\USB F5D7050\Wireless Utility\Belkinwcui.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\Microsoft Office\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\Microsoft Office\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\vmware\vmware player\vsocklib.dll
O10 - Unknown file in Winsock LSP: c:\program files\vmware\vmware player\vsocklib.dll
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/house ... hcImpl.cab
O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - http://dlm.tools.akamai.com/dlmanager/v ... .2.4.1.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} - https://secure.logmein.com/activex/ractrl.cab?lmi=100
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: ComodoBackupService - COMODO - C:\Program Files\Comodo\BackUp\CmdBkSvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Roxio\Roxio MyDVD DE\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: ThreatFire - PC Tools - C:\Program Files\ThreatFire\TFService.exe
O23 - Service: VMware Agent Service (ufad-ws60) - VMware, Inc. - C:\Program Files\VMware\VMware Player\vmware-ufad.exe
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files\VMware\VMware Player\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\system32\vmnetdhcp.exe
O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\system32\vmnat.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 7793 bytes


--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0 REPORT
Monday, July 6, 2009
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Sunday, July 05, 2009 19:44:48
Records in database: 2429988
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\
H:\

Scan statistics:
Files scanned: 183667
Threat name: 4
Infected objects: 5
Suspicious objects: 0
Duration of the scan: 04:56:08


File name / Threat name / Threats count
C:\MBtools.exe\MGtools.exe Infected: Trojan-Dropper.Win32.Agent.auzs 1
F:\All Mp3\MP3\limewire songs\02 Track 2 (searchers-love).wma Infected: Trojan-Downloader.WMA.Wimad.k 1
F:\My Documents\computer stuff\Home File Server\tightvnc-1.3.10-setup.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.1370 1
F:\My Documents\My Music\My Music\MP3 Drive\BOBBY DARIN\beyond the sea karaoke MTV.mp3 Infected: Trojan-Downloader.WMA.GetCodec.f 1
F:\My Documents\My Music\My Music\MP3 Drive\limewire songs\02 Track 2 (searchers-love).wma Infected: Trojan-Downloader.WMA.Wimad.k 1

The selected area was scanned.
BillyC
Regular Member
 
Posts: 17
Joined: June 29th, 2009, 5:39 am