
Vundo virus, malware cannot assassinate files.

Post by eah » June 13th, 2009, 12:44 pm

I tried the help of another antivirus software "tech help". All that got me was insulted. They kept saying I wasn't doing what they said because files remained on my HijackThis log. Now one of the sign-ons is not usable, and for the others I have to use Task Manager to get any icons or Start button. I need to get rid of this virus and fix the user settings on my computer.

Here is my HijackThis log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:21:23 PM, on 6/13/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40ST7.EXE
C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40RP7.EXE
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\explorer.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIEGA.EXE
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
O1 - Hosts: 63.119.44.200 http://www.powerearnings.com
O2 - BHO: (no name) - {44346018-577A-4052-AE22-E8F3DD307155} - c:\windows\system32\rkfmxnr.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [1803] C:\rsbqbni.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [EPSON Stylus NX400 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIEGA.EXE /FU "C:\WINDOWS\TEMP\E_S62.tmp" /EF "HKCU"
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O8 - Extra context menu item: Add to AMV Converter... - C:\Program Files\MP3 Player Utilities 4.15\AMVConverter\grab.html
O8 - Extra context menu item: Add to Media Manager... - C:\Program Files\MP3 Player Utilities 4.15\MediaManager\grab.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.symantec.com/techsup ... SupCtl.cab
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/ms ... b56986.cab
O16 - DPF: {215b8138-a3cf-44c5-803f-8226143cfc0a} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/house ... hcImpl.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/Shar ... vSniff.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/a-U ... E_UNO1.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/Shar ... /cabsa.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... Client.cab
O16 - DPF: {9B17FE0E-51F2-4692-8B32-8EFB805FC0E7} (HPObjectInstaller Class) - http://h30155.www3.hp.com/ediags/gs/ins ... utions.cab
O16 - DPF: {BB47CA33-8B4D-11D0-9511-00C04FD9152D} (ExteriorSurround Object) - http://autos.msn.com/components/ocx/ext ... utside.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b56907.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsup ... mAData.cab
O20 - Winlogon Notify: flyctwyp - C:\WINDOWS\SYSTEM32\rkfmxnr.dll
O23 - Service: ArcSoft Connect Daemon (ACDaemon) - ArcSoft Inc. - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: EPSON V5 Service4(01) (epson_eb_rpcv4_01) - SEIKO EPSON CORPORATION - C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40ST7.EXE
O23 - Service: EPSON V3 Service4(01) (epson_pm_rpcv4_01) - SEIKO EPSON CORPORATION - C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40RP7.EXE
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: mbamservice - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Automatic Updates (wuauserv) - Unknown owner - C:\WINDOWS\

--
End of file - 9785 bytes

Re: Vundo virus, malware cannot assassinate files.

Post by Rodav » June 16th, 2009, 3:39 pm

Hello! and welcome to the Malware Removal forums.
I would be glad to take a look at your log and help you with solving any malware problems. HijackThis logs can take a while to research, so please be patient while I work on your log and I will post back here with any recommendations.

  • I will be working on your malware issues; this may or may not solve other issues you have with your machine.
  • The fixes are specific to your problem and should only be used for this issue on this machine.
  • Please continue to review my answers until I tell you your machine appears to be clear. Absence of symptoms does not mean that everything is clear.
  • It's often worth reading through these instructions and printing them for ease of reference.
  • If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry.
  • Please reply to this thread. Do not start a new topic.


Step 1:
We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix


* Ensure you have disabled all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

Please include the C:\ComboFix.txt along with a new HijackThis log in your next reply for further review.

Re: Vundo virus, malware cannot assassinate files.

Post by eah » June 16th, 2009, 6:16 pm

ComboFix log
ComboFix 09-06-16.01 - EARL 06/16/2009 17:38.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.312 [GMT -4:00]
Running from: c:\documents and settings\EARL\Desktop\ComboFix.exe
AV: Norton Internet Security *On-access scanning disabled* (Outdated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security *disabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\EARL\Application Data\ioauwegt
c:\documents and settings\EARL\Local Settings\Application Data\ioauwegt
c:\documents and settings\NetworkService\Application Data\ioauwegt
c:\documents and settings\NetworkService\Local Settings\Application Data\ioauwegt
c:\windows\Adventure Inlay.scr
c:\windows\Tasks\At1.job
c:\documents and settings\EARL\Application Data\ioauwegt\profiles.ini
c:\documents and settings\EARL\Application Data\ioauwegt\Profiles\xxpb9mfw.default\cert8.db
c:\documents and settings\EARL\Application Data\ioauwegt\Profiles\xxpb9mfw.default\compatibility.ini
c:\documents and settings\EARL\Application Data\ioauwegt\Profiles\xxpb9mfw.default\compreg.dat
c:\documents and settings\EARL\Application Data\ioauwegt\Profiles\xxpb9mfw.default\cookies.sqlite
c:\documents and settings\EARL\Application Data\ioauwegt\Profiles\xxpb9mfw.default\formhistory.sqlite
c:\documents and settings\EARL\Application Data\ioauwegt\Profiles\xxpb9mfw.default\key3.db
c:\documents and settings\EARL\Application Data\ioauwegt\Profiles\xxpb9mfw.default\localstore.rdf
c:\documents and settings\EARL\Application Data\ioauwegt\Profiles\xxpb9mfw.default\permissions.sqlite
c:\documents and settings\EARL\Application Data\ioauwegt\Profiles\xxpb9mfw.default\places.sqlite
c:\documents and settings\EARL\Application Data\ioauwegt\Profiles\xxpb9mfw.default\places.sqlite-journal
c:\documents and settings\EARL\Application Data\ioauwegt\Profiles\xxpb9mfw.default\pluginreg.dat
c:\documents and settings\EARL\Application Data\ioauwegt\Profiles\xxpb9mfw.default\prefs.js
c:\documents and settings\EARL\Application Data\ioauwegt\Profiles\xxpb9mfw.default\secmod.db
c:\documents and settings\EARL\Application Data\ioauwegt\Profiles\xxpb9mfw.default\webappsstore.sqlite
c:\documents and settings\EARL\Application Data\ioauwegt\Profiles\xxpb9mfw.default\xpti.dat
c:\documents and settings\EARL\Local Settings\Application Data\ioauwegt\Profiles\xxpb9mfw.default\urlclassifier3.sqlite
c:\documents and settings\EARL\Local Settings\Application Data\ioauwegt\Profiles\xxpb9mfw.default\XPC.mfl
c:\documents and settings\NetworkService\Application Data\ioauwegt\profiles.ini
c:\documents and settings\NetworkService\Application Data\ioauwegt\Profiles\baixewl8.default\cert8.db
c:\documents and settings\NetworkService\Application Data\ioauwegt\Profiles\baixewl8.default\compatibility.ini
c:\documents and settings\NetworkService\Application Data\ioauwegt\Profiles\baixewl8.default\compreg.dat
c:\documents and settings\NetworkService\Application Data\ioauwegt\Profiles\baixewl8.default\cookies.sqlite
c:\documents and settings\NetworkService\Application Data\ioauwegt\Profiles\baixewl8.default\formhistory.sqlite
c:\documents and settings\NetworkService\Application Data\ioauwegt\Profiles\baixewl8.default\key3.db
c:\documents and settings\NetworkService\Application Data\ioauwegt\Profiles\baixewl8.default\localstore.rdf
c:\documents and settings\NetworkService\Application Data\ioauwegt\Profiles\baixewl8.default\permissions.sqlite
c:\documents and settings\NetworkService\Application Data\ioauwegt\Profiles\baixewl8.default\places.sqlite
c:\documents and settings\NetworkService\Application Data\ioauwegt\Profiles\baixewl8.default\places.sqlite-journal
c:\documents and settings\NetworkService\Application Data\ioauwegt\Profiles\baixewl8.default\pluginreg.dat
c:\documents and settings\NetworkService\Application Data\ioauwegt\Profiles\baixewl8.default\prefs.js
c:\documents and settings\NetworkService\Application Data\ioauwegt\Profiles\baixewl8.default\secmod.db
c:\documents and settings\NetworkService\Application Data\ioauwegt\Profiles\baixewl8.default\webappsstore.sqlite
c:\documents and settings\NetworkService\Application Data\ioauwegt\Profiles\baixewl8.default\xpti.dat
c:\documents and settings\NetworkService\Local Settings\Application Data\ioauwegt\Profiles\baixewl8.default\urlclassifier3.sqlite
c:\documents and settings\NetworkService\Local Settings\Application Data\ioauwegt\Profiles\baixewl8.default\XPC.mfl
C:\rsbqbni.exe
c:\windows\9g234sdfdfgjf23
c:\windows\asetizoyiziyemam.dll
c:\windows\egaqunuhogajimon.dll
c:\windows\idowotehokofata.dll
c:\windows\Install.txt
c:\windows\omenorix.dll
c:\windows\Readme.txt
c:\windows\system32\drivers\cvcpvdol.sys . . . . failed to delete
c:\windows\system32\drivers\xspbibhn.sys . . . . failed to delete
c:\windows\system32\Install.txt
c:\windows\system32\nfr.assembly
c:\windows\system32\rkfmxnr.dll . . . . failed to delete
c:\windows\system32\uhukkqi.dll . . . . failed to delete
c:\windows\system32\uniq.tll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_6to4
-------\Legacy_CVCPVDOL
-------\Legacy_dhcpsrv
-------\Legacy_msncache
-------\Legacy_ntalme
-------\Legacy_sopidkc
-------\Service_cvcpvdol


((((((((((((((((((((((((( Files Created from 2009-05-16 to 2009-06-16 )))))))))))))))))))))))))))))))
.

2009-06-16 03:18 . 2009-06-16 03:18 390664 ----a-w- c:\documents and settings\EARL\Application Data\Real\RealPlayer\Update\realplayer11gold.exe
2009-06-14 20:09 . 2009-06-14 20:09 -------- d-sh--w- c:\documents and settings\ERICA\PrivacIE
2009-06-14 20:08 . 2009-06-14 20:08 -------- d-sh--w- c:\documents and settings\ERICA\IETldCache
2009-06-14 18:41 . 2009-06-14 18:44 -------- dc-h--w- c:\windows\ie8
2009-06-14 15:00 . 2009-06-14 15:00 -------- d-sh--w- c:\documents and settings\EARL\IECompatCache
2009-06-14 14:58 . 2009-06-14 14:58 -------- d-sh--w- c:\documents and settings\EARL\PrivacIE
2009-06-14 14:58 . 2009-06-14 14:58 -------- d-sh--w- c:\documents and settings\EARL\IETldCache
2009-06-14 14:41 . 2009-06-14 14:41 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-06-14 14:40 . 2009-06-14 14:40 -------- d-sh--w- c:\documents and settings\LISA\PrivacIE
2009-06-14 14:40 . 2009-06-14 14:40 -------- d-sh--w- c:\documents and settings\LISA\IECompatCache
2009-06-14 14:36 . 2009-06-14 14:36 -------- d-sh--w- c:\documents and settings\LISA\IETldCache
2009-06-14 06:37 . 2009-06-14 06:37 -------- d-----w- c:\documents and settings\LISA\Local Settings\Application Data\Mozilla
2009-06-14 02:45 . 2009-06-14 02:47 -------- d-----w- c:\program files\Windows Live Safety Center
2009-06-14 02:02 . 2009-06-14 02:02 -------- d-----w- C:\VundoFix Backups
2009-06-14 01:34 . 2009-06-14 01:35 -------- d-----w- c:\documents and settings\All Users\Application Data\PCPitstop
2009-06-14 01:34 . 2009-06-14 01:36 -------- d-----w- c:\program files\PCPitstop
2009-06-13 18:42 . 2009-06-13 18:42 0 ----a-w- c:\windows\nsreg.dat
2009-06-13 18:42 . 2009-06-13 18:42 -------- d-----w- c:\documents and settings\EARL\Local Settings\Application Data\Mozilla
2009-06-04 20:36 . 2009-06-04 22:03 -------- d-----w- c:\documents and settings\ERICA\Local Settings\Application Data\king.com
2009-06-03 02:52 . 2009-06-03 02:52 -------- d-----w- c:\windows\system32\wbem\Repository
2009-06-02 02:39 . 2009-06-02 02:39 -------- d-----w- c:\documents and settings\All Users\Application Data\PopCap
2009-06-01 23:12 . 2009-06-03 02:52 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-06-01 23:12 . 2009-06-01 23:12 -------- d-----w- c:\documents and settings\EARL\Application Data\SUPERAntiSpyware.com
2009-06-01 22:20 . 2009-06-03 02:52 -------- d-----w- c:\program files\Windows Defender
2009-05-31 14:38 . 2009-05-31 14:38 -------- d-----w- c:\documents and settings\ERICA\Application Data\Malwarebytes
2009-05-31 02:15 . 2009-05-31 02:15 -------- d-----w- c:\documents and settings\EARL\Application Data\Malwarebytes
2009-05-30 19:35 . 2009-05-30 19:35 -------- d-----w- c:\windows\system32\Internet Explorer
2009-05-30 15:38 . 2009-05-30 15:38 -------- d-----w- c:\documents and settings\LISA\Application Data\Malwarebytes
2009-05-30 15:37 . 2009-05-26 17:20 40160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-30 15:37 . 2009-05-30 15:37 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-05-30 15:37 . 2009-05-30 15:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-05-30 15:37 . 2009-05-26 17:19 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-05-30 13:25 . 2009-05-30 13:25 -------- d-----w- c:\program files\MSBuild
2009-05-30 05:41 . 2009-05-30 05:41 155648 ----a-w- c:\documents and settings\All Users\Application Data\MGS\cache\b\bonuspaigowpoker.7a255497429caa23df774f47d3465136.dll
2009-05-30 05:39 . 2009-05-30 05:39 385024 ----a-w- c:\documents and settings\All Users\Application Data\MGS\cache\b\bonusblackjack.dab6343a296b066bd5fe18d7c7d9940f.dll
2009-05-30 05:36 . 2009-05-30 05:36 483600 ----a-w- c:\documents and settings\All Users\Application Data\MGS\cache\h\hilowbonus_tggg.10cdcb3e64c301c60db4d11d2d7781a4.dll
2009-05-30 05:36 . 2009-05-30 05:36 446736 ----a-w- c:\documents and settings\All Users\Application Data\MGS\cache\h\hilowbonus.ecf70c1bd892c000f22ce30d5b0ba784.dll
2009-05-30 05:24 . 2009-05-30 05:24 421888 ----a-w- c:\documents and settings\All Users\Application Data\MGS\cache\l\lua51host.4f93c8cce0c64b200821a73dd29068f6.dll
2009-05-30 05:24 . 2009-05-30 05:24 594192 ----a-w- c:\documents and settings\All Users\Application Data\MGS\cache\s\snakesandladdersbonus.1b7d7437b87cc53b7a00c4efd2db679d.dll
2009-05-30 05:23 . 2009-05-30 05:23 61440 ----a-w- c:\documents and settings\All Users\Application Data\MGS\cache\t\tikimaskbonusgame.0dc1c149f619ef0a72aacd3abdeb0dfb.dll
2009-05-30 05:23 . 2009-05-30 05:23 57344 ----a-w- c:\documents and settings\All Users\Application Data\MGS\cache\v\volcanobonusgame.1f5cd5f4b800bd1a6e740e08a3119e10.dll
2009-05-30 05:23 . 2009-05-30 05:23 213089 ----a-w- c:\documents and settings\All Users\Application Data\MGS\cache\b\bigkahuna.769fd4a48b95c8614a738f1cad88bcd5.dll
2009-05-30 05:17 . 2009-05-30 05:17 430352 ----a-w- c:\documents and settings\All Users\Application Data\MGS\cache\s\simplepickxofyskillbonus.8d56aeea91f0d0bbdf41c578fbf38496.dll
2009-05-30 05:11 . 2009-05-30 05:11 376832 ----a-w- c:\documents and settings\All Users\Application Data\MGS\cache\a\atlanticcityblackjack.9baef784fe666fb9d90dc331d0239eed.dll
2009-05-30 05:04 . 2009-05-30 05:04 561424 ----a-w- c:\documents and settings\All Users\Application Data\MGS\cache\s\simplepickuntilbonus_tggg.ca9a61a09a35dc0843cc68f532694746.dll
2009-05-30 05:04 . 2009-05-30 05:04 495888 ----a-w- c:\documents and settings\All Users\Application Data\MGS\cache\s\simplepickuntilbonus.aa7eb4e3b4774e5cad0d4f8562ca860d.dll
2009-05-30 05:04 . 2009-05-30 05:04 233744 ----a-w- c:\documents and settings\All Users\Application Data\MGS\cache\s\simplepickuntilbonus_temp.b6b7e588aedb05fa062fb8447406bca9.dll
2009-05-30 05:03 . 2009-05-30 05:03 114688 ----a-w- c:\documents and settings\All Users\Application Data\MGS\cache\l\levelupvideopokergambleplugin.d65fe35ffb2e6dc1b9ea46def3db39dc.dll
2009-05-30 05:03 . 2009-05-30 05:03 290941 ----a-w- c:\documents and settings\All Users\Application Data\MGS\cache\l\levelupvideopokerxxx.0d52d2ac00db83d9b97c99592ee3aa21.dll
2009-05-30 05:03 . 2009-05-30 05:03 139264 ----a-w- c:\documents and settings\All Users\Application Data\MGS\cache\l\levelupvideopokerplugin.d3ee60c36507413ca9ab67247eac5288.dll
2009-05-30 05:02 . 2009-05-30 05:02 237840 ----a-w- c:\documents and settings\All Users\Application Data\MGS\cache\p\powerpokersuite1_nl.cebfe8812d984716506c6d9d096a5f48.dll
2009-05-30 05:01 . 2009-05-30 05:01 217360 ----a-w- c:\documents and settings\All Users\Application Data\MGS\cache\v\videopokersuite1.03dd648f567bef124a1d270ad208752a.dll
2009-05-30 05:00 . 2009-05-30 05:00 200704 ----a-w- c:\documents and settings\All Users\Application Data\MGS\cache\3\3cardpoker.8e73a522a397f174eb628d05f72f1f40.dll
2009-05-30 04:59 . 2009-05-30 04:59 32834 ----a-w- c:\documents and settings\All Users\Application Data\MGS\cache\_\_crt_baccarat.a090413d6195a12421945ded5707d93f.dll
2009-05-30 04:57 . 2009-05-30 04:57 368912 ----a-w- c:\documents and settings\All Users\Application Data\MGS\cache\r\reelstrikexxx.f6ecb9684e1be3d30a84d6ce47725e8a.dll
2009-05-30 04:57 . 2009-05-30 04:57 307472 ----a-w- c:\documents and settings\All Users\Application Data\MGS\cache\r\reelstrikeslot.263bf62c0114cead1f4829bc52d84b9f.dll
2009-05-30 04:57 . 2009-05-30 04:57 151824 ----a-w- c:\documents and settings\All Users\Application Data\MGS\cache\r\reelstrikebonus.352846d26cf4c594dafc9b9ea0b478be.dll
2009-05-30 04:55 . 2009-05-30 04:55 110864 ----a-w- c:\documents and settings\All Users\Application Data\MGS\cache\t\type_3reelnormal1_2.6d58a1bcaf1d9165fa0b77fa9598b623.dll
2009-05-30 04:55 . 2009-05-30 04:55 114960 ----a-w- c:\documents and settings\All Users\Application Data\MGS\cache\t\type_5reelnormal3_4_5.07db0a5618a0565d7bde7a2766c54711.dll
2009-05-30 04:54 . 2009-05-30 04:54 204905 ----a-w- c:\documents and settings\All Users\Application Data\MGS\cache\t\thunderstruck.0cc1be68d215832fa06fc779c0b3e069.dll
2009-05-30 04:53 . 2009-05-30 04:53 114688 ----a-w- c:\documents and settings\All Users\Application Data\MGS\cache\e\euroroulette.fa2b524975a5d8bbc30203d094e2b084.dll
2009-05-30 04:51 . 2009-05-30 04:51 376832 ----a-w- c:\documents and settings\All Users\Application Data\MGS\cache\e\europeanblackjack.cb403a5bad6b43e2910d2e09c35c47ed.dll
2009-05-30 04:51 . 2009-05-30 04:51 45056 ----a-w- c:\documents and settings\All Users\Application Data\MGS\cache\e\euroblackjackstrategy.9c188ef9cd6c03e5b4bd398d23041cd2.dll
2009-05-30 04:51 . 2009-05-30 04:51 229483 ----a-w- c:\documents and settings\All Users\Application Data\MGS\cache\e\euroblackjack.6c6f541acc24f3244c0a64fa851edca8.dll
2009-05-30 04:49 . 2009-05-30 04:49 311398 ----a-w- c:\documents and settings\All Users\Application Data\MGS\cache\m\mpvblackjacktourxxx.e4ccb563efd75763602af7373fbd8cec.dll
2009-05-30 04:49 . 2009-05-30 04:49 303204 ----a-w- c:\documents and settings\All Users\Application Data\MGS\cache\m\mpvblackjackplugin.49e5f42fbdf0e1e2df5232e5ea419897.dll
2009-05-30 04:48 . 2009-05-30 04:48 327784 ----a-w- c:\documents and settings\All Users\Application Data\MGS\cache\m\mpvtabletournamentlobby.fea1be7b63b308e9fdb6e8d4bd356052.dll
2009-05-30 04:43 . 2009-05-30 04:43 213264 ----a-w- c:\documents and settings\All Users\Application Data\MGS\cache\c\choosebonus.df815bbfb8ae7a29a353f0ae65e4af17.dll
2009-05-30 04:43 . 2009-05-30 04:43 323856 ----a-w- c:\documents and settings\All Users\Application Data\MGS\cache\h\hitmancontractbonus.339a969d902930975b3194643e289fc9.dll
2009-05-30 04:40 . 2009-05-30 04:40 266512 ----a-w- c:\documents and settings\All Users\Application Data\MGS\cache\t\transition_tggg.399218aff849d2e187d4554dd62a73b6.dll
2009-05-30 04:40 . 2009-05-30 04:40 262416 ----a-w- c:\documents and settings\All Users\Application Data\MGS\cache\t\transition_temp.c6aaf42b66fa6688c8ea18a671984287.dll
2009-05-30 04:40 . 2009-05-30 04:40 254224 ----a-w- c:\documents and settings\All Users\Application Data\MGS\cache\t\transition.26c3e2ce55c7cca8b63e5e8d7b4627e4.dll
2009-05-30 04:39 . 2009-05-30 04:39 524560 ----a-w- c:\documents and settings\All Users\Application Data\MGS\cache\s\simplepickxofybonus_tggg.f8ba0ccac248b6026b2705996790640a.dll
2009-05-30 04:39 . 2009-05-30 04:39 1904753 ----a-w- c:\documents and settings\All Users\Application Data\MGS\cache\a\advancedslots1_tggg.6e62948f458013fa99694cc031068e8a.dll
2009-05-30 04:39 . 2009-05-30 04:39 823568 ----a-w- c:\documents and settings\All Users\Application Data\MGS\cache\a\advancedslots1_temp2.198f2a88c7f89c1d0b1ded39e546e22b.dll
2009-05-30 04:39 . 2009-05-30 04:39 1249399 ----a-w- c:\documents and settings\All Users\Application Data\MGS\cache\a\advancedslots1xxx_tggg.a33335318f7b89139ecd4652b6e8c4b9.dll
2009-05-30 04:39 . 2009-05-30 04:39 307472 ----a-w- c:\documents and settings\All Users\Application Data\MGS\cache\g\gamble2_tggg.436ea9e59e2a2b9a2106e598920cba26.dll
2009-05-30 04:35 . 2009-05-30 04:35 413696 ----a-w- c:\documents and settings\All Users\Application Data\MGS\cache\m\menucore.9037a298ee3e59ea5a655d88569c2b77.dll
2009-05-29 20:44 . 2009-05-30 16:05 -------- d-----w- c:\windows\dhcp
2009-05-28 23:34 . 2009-05-28 23:34 552 ----a-w- c:\windows\system32\d3d8caps.dat
2009-05-27 20:49 . 2009-05-27 20:49 -------- d-----w- c:\program files\Trend Micro
2009-05-27 18:10 . 2009-06-03 02:37 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-05-27 18:10 . 2008-12-11 12:38 159600 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2009-05-27 18:10 . 2009-04-03 15:18 130936 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2009-05-27 18:10 . 2008-12-18 16:16 73840 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2009-05-27 18:09 . 2009-05-27 18:11 -------- d-----w- c:\program files\Common Files\PC Tools
2009-05-27 18:09 . 2008-12-10 15:36 64392 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2009-05-27 18:09 . 2009-05-27 18:11 -------- d-----w- c:\program files\Spyware Doctor
2009-05-27 18:09 . 2009-05-27 18:09 -------- d-----w- c:\documents and settings\ERICA\Application Data\PC Tools
2009-05-27 18:09 . 2009-05-27 18:09 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-16 21:45 . 2001-08-18 11:00 104448 ----a-w- c:\windows\system32\uhukkqi.dll
2009-06-16 21:45 . 2001-08-18 11:00 23424 ----a-w- c:\windows\system32\drivers\xspbibhn.sys
2009-06-16 00:43 . 2009-04-16 02:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-06-14 15:02 . 2008-07-08 22:21 33061 ----a-w- c:\windows\king-uninstall.exe
2009-06-02 00:31 . 2002-11-12 21:45 92024 ----a-w- c:\documents and settings\ERICA\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-31 22:28 . 2002-11-10 23:26 92024 ----a-w- c:\documents and settings\EARL\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-30 17:42 . 2003-07-03 01:27 92024 ----a-w- c:\documents and settings\LISA\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-30 13:30 . 2007-04-04 15:43 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-05-30 13:25 . 2002-10-05 01:10 -------- d-----w- c:\program files\Microsoft Works
2009-05-30 04:13 . 2004-03-18 00:07 -------- d-----w- c:\documents and settings\LISA\Application Data\MSN6
2009-05-27 10:26 . 2002-10-05 02:36 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-05-27 00:32 . 2004-02-13 00:16 -------- d-----w- c:\documents and settings\ERICA\Application Data\Lycos
2009-05-26 23:31 . 2004-02-13 20:50 -------- d-----w- c:\documents and settings\EARL\Application Data\Lycos
2009-05-16 04:50 . 2009-05-16 04:50 -------- d-----w- c:\program files\Common Files\xing shared
2009-05-16 04:50 . 2002-10-05 02:41 -------- d-----w- c:\program files\Common Files\Real
2009-04-16 04:01 . 2009-04-13 04:51 0 ----a-w- c:\windows\Wnewowa.bin
2009-04-14 22:33 . 2009-04-14 22:33 0 ----a-w- c:\windows\Wnewowa.binWnewowa.bin
2007-11-22 18:55 . 2007-11-22 18:55 436360 ----a-w- c:\program files\msgr8us.exe
2005-08-11 23:53 . 2005-08-11 23:53 1058352 ----a-w- c:\program files\tr1advinst.zip
1999-03-17 20:40 . 2004-09-24 02:17 48704 ----a-w- c:\program files\Same.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-09-26 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2003-10-06 5058560]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-02-16 282624]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2009-05-26 414480]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-05-16 198160]

c:\documents and settings\LISA\Start Menu\Programs\Startup\
Office Startup.lnk - c:\program files\Microsoft Office\Office\OSA.EXE [1996-11-17 51984]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Works Calendar Reminders.lnk - c:\program files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe [2001-8-7 24633]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\globallyopenports\list]
"41435:TCP"= 41435:TCP:@xpsp2res.dll,-22009

R0 PCTCore;PCTools KDS;c:\windows\SYSTEM32\DRIVERS\PCTCore.sys [5/27/2009 2:10 PM 130936]
R2 mbamservice;mbamservice;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [5/30/2009 11:37 AM 194832]
R3 mbamprotector;mbamprotector;c:\windows\SYSTEM32\DRIVERS\mbam.sys [5/30/2009 11:37 AM 19096]
S1 e422fce6;e422fce6;c:\windows\system32\drivers\e422fce6.sys --> c:\windows\system32\drivers\e422fce6.sys [?]
S2 fmiyrae;fmiyrae;c:\windows\System32\svchost.exe -k netsvcs [8/18/2001 7:00 AM 14336]
S2 spupdsvc;Windows Service Pack Installer update service;c:\windows\SYSTEM32\spupdsvc.exe [10/22/2004 7:42 AM 26144]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [5/27/2009 2:09 PM 348752]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - CVCPVDOL
*Deregistered* - cvcpvdol

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
fpqojinc
fmiyrae

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-06-16 c:\windows\Tasks\Ad-aware 6.job
- c:\progra~1\Lavasoft\AD-AWA~1\Ad-aware.exe [2004-03-18 03:00]

2009-06-16 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-09-16 02:33]

2009-06-16 c:\windows\Tasks\Malwarebytes' Scheduled Scan for EARL.job
- c:\program files\Malwarebytes' Anti-Malware\mbam.exe [2009-05-30 17:20]

2009-06-16 c:\windows\Tasks\Malwarebytes' Scheduled Update for EARL.job
- c:\program files\Malwarebytes' Anti-Malware\mbam.exe [2009-05-30 17:20]

2009-06-12 c:\windows\Tasks\System Restore.job
- c:\windows\SYSTEM32\Restore\rstrui.exe [2004-01-01 00:12]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Microsoft Works Update Detection - c:\program files\Microsoft Works\WkDetect.exe
HKLM-Run-1803 - C:\rsbqbni.exe


.
------- Supplementary Scan -------
.
IE: Add to AMV Converter... - c:\program files\MP3 Player Utilities 4.15\AMVConverter\grab.html
IE: Add to Media Manager... - c:\program files\MP3 Player Utilities 4.15\MediaManager\grab.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath -
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-16 17:54
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3468)
c:\windows\system32\ieframe.dll
c:\windows\system32\OneX.DLL
c:\windows\system32\eappprxy.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe
c:\program files\Common Files\Symantec Shared\CCPROXY.EXE
c:\program files\Common Files\Symantec Shared\CCSETMGR.EXE
c:\windows\SYSTEM32\CTSVCCDA.EXE
c:\documents and settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40ST7.EXE
c:\documents and settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40RP7.EXE
c:\program files\Norton Internet Security\Norton AntiVirus\NAVAPSVC.EXE
c:\windows\SYSTEM32\nvsvc32.exe
c:\program files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
c:\windows\SYSTEM32\wdfmgr.exe
c:\windows\SYSTEM32\MsPMSPSv.exe
c:\windows\SYSTEM32\devldr32.exe
c:\windows\SYSTEM32\CF13173.exe
.
**************************************************************************
.
Completion time: 2009-06-16 18:02 - machine was rebooted
ComboFix-quarantined-files.txt 2009-06-16 22:02

Pre-Run: 57,025,171,456 bytes free
Post-Run: 58,044,420,096 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

313 --- E O F --- 2009-05-29 17:48

HijackThis log
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:14:07 PM, on 6/16/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40ST7.EXE
C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40RP7.EXE
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Symantec\LiveUpdate\AUpdate.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O8 - Extra context menu item: Add to AMV Converter... - C:\Program Files\MP3 Player Utilities 4.15\AMVConverter\grab.html
O8 - Extra context menu item: Add to Media Manager... - C:\Program Files\MP3 Player Utilities 4.15\MediaManager\grab.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.symantec.com/techsup ... SupCtl.cab
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/ms ... b56986.cab
O16 - DPF: {215b8138-a3cf-44c5-803f-8226143cfc0a} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/house ... hcImpl.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/Shar ... vSniff.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/a-U ... E_UNO1.cab
O16 - DPF: {5ed80217-570b-4da9-bf44-be107c0ec166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resour ... se1140.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/Shar ... /cabsa.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... Client.cab
O16 - DPF: {9B17FE0E-51F2-4692-8B32-8EFB805FC0E7} (HPObjectInstaller Class) - http://h30155.www3.hp.com/ediags/gs/ins ... utions.cab
O16 - DPF: {BB47CA33-8B4D-11D0-9511-00C04FD9152D} (ExteriorSurround Object) - http://autos.msn.com/components/ocx/ext ... utside.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b56907.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsup ... mAData.cab
O16 - DPF: {ffb3a759-98b1-446f-bda9-909c6eb18cc7} (PCPitstop Exam) - http://utilities.pcpitstop.com/Optimize3/pcpitstop2.dll
O23 - Service: ArcSoft Connect Daemon (ACDaemon) - ArcSoft Inc. - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: EPSON V5 Service4(01) (epson_eb_rpcv4_01) - SEIKO EPSON CORPORATION - C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40ST7.EXE
O23 - Service: EPSON V3 Service4(01) (epson_pm_rpcv4_01) - SEIKO EPSON CORPORATION - C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40RP7.EXE
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: mbamservice - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 9353 bytes
eah
Active Member
 
Posts: 5
Joined: June 13th, 2009, 12:21 pm

Re: Vundo virus, malware can not assasinate files.

Unread postby Rodav » June 17th, 2009, 9:46 am

Step 1:
1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

File::
c:\windows\system32\drivers\cvcpvdol.sys
c:\windows\system32\drivers\xspbibhn.sys
c:\windows\system32\rkfmxnr.dll
c:\windows\system32\uhukkqi.dll
c:\windows\system32\drivers\e422fce6.sys
Folder::
C:\VundoFix Backups
Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000000
Driver::
e422fce6
fmiyrae
CVCPVDOL
fpqojinc
NetSvc::
fpqojinc
fmiyrae
FileLook::
c:\program files\Same.exe


Save this as "CFScript.txt", and as Type: All Files (*.*) in the same location as ComboFix.exe


Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.


Step 2:
Download RootRepeal.zip and unzip it to your Desktop.

  • Double click RootRepeal.exe to start the program
  • Click on the Report tab at the bottom of the program window
  • Click the Scan button
  • In the Select Scan dialog, check:
    • Drivers
    • Files
    • Processes
    • SSDT
    • Stealth Objects
    • Hidden Services
  • Click the OK button
  • In the next dialog, select all drives showing
  • Click OK to start the scan

    The scan can take some time. DO NOT run any other programs while the scan is running
  • When the scan is complete, the Save Report button will become available
  • Click this and save the report to your Desktop as RootRepeal.txt
  • Go to File, then Exit to close the program


Step 3:
Run HijackThis, do a system scan and post the following:
  • The ComboFix report
  • The RootRepeal log
  • The new HijackThis log
Rodav
MRU Master Emeritus
 
Posts: 1481
Joined: April 19th, 2007, 6:44 am
Location: Here, there and yonder.
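Step 1 above hands ComboFix a CFScript and then asks for the log it produces, so the helper can confirm each requested removal actually happened. The Python below is an added example (not part of this thread and not ComboFix's own code): it parses the CFScript directives and the log's "Other Deletions" and "Drivers/Services" sections and reports which File::/Folder:: paths and Driver::/NetSvc:: names the log confirms. The CFScript and log excerpts are constructed from the posts above and abbreviated.

```python
"""Reconcile a ComboFix CFScript against the ComboFix log it produced."""
import re
from typing import Dict, List

# Constructed from the reply above: the CFScript dragged onto ComboFix.exe.
CFSCRIPT = r"""File::
c:\windows\system32\drivers\cvcpvdol.sys
c:\windows\system32\drivers\xspbibhn.sys
c:\windows\system32\rkfmxnr.dll
c:\windows\system32\uhukkqi.dll
c:\windows\system32\drivers\e422fce6.sys
Folder::
C:\VundoFix Backups
Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000000
Driver::
e422fce6
fmiyrae
CVCPVDOL
fpqojinc
NetSvc::
fpqojinc
fmiyrae
"""

# Constructed from the follow-up ComboFix log above, cut down to the two
# sections this check reads ("." and blank lines are ComboFix filler).
COMBOFIX_LOG = r"""ComboFix 09-06-16.05 - EARL 06/17/2009 17:17.2 - NTFSx86
(((((((((((((((((( Other Deletions ))))))))))))))))))
.

C:\VundoFix Backups
c:\windows\system32\drivers\cvcpvdol.sys
c:\windows\system32\drivers\xspbibhn.sys
c:\windows\system32\rkfmxnr.dll
c:\windows\system32\uhukkqi.dll

(((((((((((((((((( Drivers/Services ))))))))))))))))))
.
-------\Legacy_CVCPVDOL
-------\Legacy_FMIYRAE
-------\Legacy_FPQOJINC
-------\Service_e422fce6
-------\Service_fmiyrae
"""

DIRECTIVE_RE = re.compile(r"^(\w+)::$")  # File::, Folder::, Driver::, ...
SECTION_RE = re.compile(r"^\({3,}\s*(.*?)\s*\){3,}$")  # (((( Section ))))
DRIVER_RE = re.compile(r"^-+\\(?:Legacy|Service)_(\S+)$")  # -------\Legacy_NAME


def parse_cfscript(text: str) -> Dict[str, List[str]]:
    """Group CFScript lines under their Xxx:: directive, preserving order."""
    script: Dict[str, List[str]] = {}
    current = None
    for line in (ln.strip() for ln in text.splitlines()):
        m = DIRECTIVE_RE.match(line)
        if m:
            current = m.group(1)
            script.setdefault(current, [])
        elif line and current is not None:
            script[current].append(line)
    return script


def parse_combofix_log(text: str) -> Dict[str, List[str]]:
    """Split a ComboFix log into its (((( Section )))) blocks, dropping filler."""
    sections: Dict[str, List[str]] = {"Header": []}
    current = "Header"
    for line in (ln.strip() for ln in text.splitlines()):
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
        elif line and line != ".":
            sections[current].append(line)
    return sections


def reconcile(cfscript: str, log: str) -> Dict[str, List[str]]:
    """Report which File::/Folder:: paths and Driver::/NetSvc:: names the log confirms.

    Paths are matched case-insensitively against "Other Deletions", names against
    the Legacy_/Service_ keys under "Drivers/Services". A path that never existed
    (only its service entry did) lands in not_deleted, which is expected.
    """
    script = parse_cfscript(cfscript)
    sections = parse_combofix_log(log)
    deleted = {p.lower() for p in sections.get("Other Deletions", [])}
    removed = {m.group(1).lower() for m in
               map(DRIVER_RE.match, sections.get("Drivers/Services", [])) if m}
    result = {"deleted": [], "not_deleted": [], "removed": [], "not_removed": []}
    for path in script.get("File", []) + script.get("Folder", []):
        result["deleted" if path.lower() in deleted else "not_deleted"].append(path)
    # dict.fromkeys de-duplicates a name listed under both Driver:: and NetSvc::
    for name in dict.fromkeys(script.get("Driver", []) + script.get("NetSvc", [])):
        result["removed" if name.lower() in removed else "not_removed"].append(name)
    return result
```

With the excerpts above, e422fce6.sys is the one path reported as not deleted: the earlier log listed its service with the file already missing, so only its service entry shows up under "Drivers/Services".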

Re: Vundo virus, malware can not assasinate files.

Unread postby eah » June 17th, 2009, 7:58 pm

Could not do step 2 (RootRepeal), so I did not do step 3 because I assume they are in the necessary order. I received the following message when RootRepeal was trying to initialize: "Windows - Virtual Memory Minimum Too Low", then my computer freezes.

This is the ComboFix log from step one.

ComboFix 09-06-16.05 - EARL 06/17/2009 17:17.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.256 [GMT -4:00]
Running from: c:\documents and settings\EARL\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\EARL\Desktop\CFScript.txt
AV: Norton Internet Security *On-access scanning disabled* (Outdated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security *disabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

FILE ::
"c:\windows\system32\drivers\cvcpvdol.sys"
"c:\windows\system32\drivers\e422fce6.sys"
"c:\windows\system32\drivers\xspbibhn.sys"
"c:\windows\system32\rkfmxnr.dll"
"c:\windows\system32\uhukkqi.dll"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\VundoFix Backups
c:\windows\system32\drivers\cvcpvdol.sys
c:\windows\system32\drivers\xspbibhn.sys
c:\windows\system32\rkfmxnr.dll
c:\windows\system32\uhukkqi.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_CVCPVDOL
-------\Legacy_FMIYRAE
-------\Legacy_FPQOJINC
-------\Service_e422fce6
-------\Service_fmiyrae


((((((((((((((((((((((((( Files Created from 2009-05-17 to 2009-06-17 )))))))))))))))))))))))))))))))
.

2009-06-17 04:21 . 2009-06-17 04:21 -------- d-----w- c:\windows\ie8updates
2009-06-16 22:03 . 2009-04-30 21:22 12800 ------w- c:\windows\system32\dllcache\xpshims.dll
2009-06-16 22:03 . 2009-04-30 21:22 246272 ------w- c:\windows\system32\dllcache\ieproxy.dll
2009-06-16 03:18 . 2009-06-16 03:18 390664 ----a-w- c:\documents and settings\EARL\Application Data\Real\RealPlayer\Update\realplayer11gold.exe
2009-06-14 20:09 . 2009-06-14 20:09 -------- d-sh--w- c:\documents and settings\ERICA\PrivacIE
2009-06-14 20:08 . 2009-06-14 20:08 -------- d-sh--w- c:\documents and settings\ERICA\IETldCache
2009-06-14 18:41 . 2009-06-14 18:44 -------- dc-h--w- c:\windows\ie8
2009-06-14 15:00 . 2009-06-14 15:00 -------- d-sh--w- c:\documents and settings\EARL\IECompatCache
2009-06-14 14:58 . 2009-06-14 14:58 -------- d-sh--w- c:\documents and settings\EARL\PrivacIE
2009-06-14 14:58 . 2009-06-14 14:58 -------- d-sh--w- c:\documents and settings\EARL\IETldCache
2009-06-14 14:41 . 2009-06-14 14:41 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-06-14 14:40 . 2009-06-14 14:40 -------- d-sh--w- c:\documents and settings\LISA\PrivacIE
2009-06-14 14:40 . 2009-06-14 14:40 -------- d-sh--w- c:\documents and settings\LISA\IECompatCache
2009-06-14 14:36 . 2009-06-14 14:36 -------- d-sh--w- c:\documents and settings\LISA\IETldCache
2009-06-14 06:37 . 2009-06-14 06:37 -------- d-----w- c:\documents and settings\LISA\Local Settings\Application Data\Mozilla
2009-06-14 02:45 . 2009-06-14 02:47 -------- d-----w- c:\program files\Windows Live Safety Center
2009-06-14 01:34 . 2009-06-14 01:35 -------- d-----w- c:\documents and settings\All Users\Application Data\PCPitstop
2009-06-14 01:34 . 2009-06-14 01:36 -------- d-----w- c:\program files\PCPitstop
2009-06-13 18:42 . 2009-06-13 18:42 0 ----a-w- c:\windows\nsreg.dat
2009-06-13 18:42 . 2009-06-13 18:42 -------- d-----w- c:\documents and settings\EARL\Local Settings\Application Data\Mozilla
2009-06-04 20:36 . 2009-06-04 22:03 -------- d-----w- c:\documents and settings\ERICA\Local Settings\Application Data\king.com
2009-06-03 02:52 . 2009-06-03 02:52 -------- d-----w- c:\windows\system32\wbem\Repository
2009-06-02 02:39 . 2009-06-02 02:39 -------- d-----w- c:\documents and settings\All Users\Application Data\PopCap
2009-06-01 23:12 . 2009-06-03 02:52 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-06-01 23:12 . 2009-06-01 23:12 -------- d-----w- c:\documents and settings\EARL\Application Data\SUPERAntiSpyware.com
2009-06-01 22:20 . 2009-06-03 02:52 -------- d-----w- c:\program files\Windows Defender
2009-05-31 14:38 . 2009-05-31 14:38 -------- d-----w- c:\documents and settings\ERICA\Application Data\Malwarebytes
2009-05-31 02:15 . 2009-05-31 02:15 -------- d-----w- c:\documents and settings\EARL\Application Data\Malwarebytes
2009-05-30 19:35 . 2009-05-30 19:35 -------- d-----w- c:\windows\system32\Internet Explorer
2009-05-30 15:38 . 2009-05-30 15:38 -------- d-----w- c:\documents and settings\LISA\Application Data\Malwarebytes
2009-05-30 15:37 . 2009-05-26 17:20 40160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-30 15:37 . 2009-05-30 15:37 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-05-30 15:37 . 2009-05-30 15:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-05-30 15:37 . 2009-05-26 17:19 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-05-30 13:25 . 2009-05-30 13:25 -------- d-----w- c:\program files\MSBuild
2009-05-30 05:41 . 2009-05-30 05:41 155648 ----a-w- c:\documents and settings\All Users\Application Data\MGS\cache\b\bonuspaigowpoker.7a255497429caa23df774f47d3465136.dll
2009-05-30 05:39 . 2009-05-30 05:39 385024 ----a-w- c:\documents and settings\All Users\Application Data\MGS\cache\b\bonusblackjack.dab6343a296b066bd5fe18d7c7d9940f.dll
2009-05-30 05:36 . 2009-05-30 05:36 483600 ----a-w- c:\documents and settings\All Users\Application Data\MGS\cache\h\hilowbonus_tggg.10cdcb3e64c301c60db4d11d2d7781a4.dll
2009-05-30 05:36 . 2009-05-30 05:36 446736 ----a-w- c:\documents and settings\All Users\Application Data\MGS\cache\h\hilowbonus.ecf70c1bd892c000f22ce30d5b0ba784.dll
2009-05-30 05:24 . 2009-05-30 05:24 421888 ----a-w- c:\documents and settings\All Users\Application Data\MGS\cache\l\lua51host.4f93c8cce0c64b200821a73dd29068f6.dll
2009-05-30 05:24 . 2009-05-30 05:24 594192 ----a-w- c:\documents and settings\All Users\Application Data\MGS\cache\s\snakesandladdersbonus.1b7d7437b87cc53b7a00c4efd2db679d.dll
2009-05-30 05:23 . 2009-05-30 05:23 61440 ----a-w- c:\documents and settings\All Users\Application Data\MGS\cache\t\tikimaskbonusgame.0dc1c149f619ef0a72aacd3abdeb0dfb.dll
2009-05-30 05:23 . 2009-05-30 05:23 57344 ----a-w- c:\documents and settings\All Users\Application Data\MGS\cache\v\volcanobonusgame.1f5cd5f4b800bd1a6e740e08a3119e10.dll
2009-05-30 05:23 . 2009-05-30 05:23 213089 ----a-w- c:\documents and settings\All Users\Application Data\MGS\cache\b\bigkahuna.769fd4a48b95c8614a738f1cad88bcd5.dll
2009-05-30 05:17 . 2009-05-30 05:17 430352 ----a-w- c:\documents and settings\All Users\Application Data\MGS\cache\s\simplepickxofyskillbonus.8d56aeea91f0d0bbdf41c578fbf38496.dll
2009-05-30 05:11 . 2009-05-30 05:11 376832 ----a-w- c:\documents and settings\All Users\Application Data\MGS\cache\a\atlanticcityblackjack.9baef784fe666fb9d90dc331d0239eed.dll
2009-05-30 05:04 . 2009-05-30 05:04 561424 ----a-w- c:\documents and settings\All Users\Application Data\MGS\cache\s\simplepickuntilbonus_tggg.ca9a61a09a35dc0843cc68f532694746.dll
2009-05-30 05:04 . 2009-05-30 05:04 495888 ----a-w- c:\documents and settings\All Users\Application Data\MGS\cache\s\simplepickuntilbonus.aa7eb4e3b4774e5cad0d4f8562ca860d.dll
2009-05-30 05:04 . 2009-05-30 05:04 233744 ----a-w- c:\documents and settings\All Users\Application Data\MGS\cache\s\simplepickuntilbonus_temp.b6b7e588aedb05fa062fb8447406bca9.dll
2009-05-30 05:03 . 2009-05-30 05:03 114688 ----a-w- c:\documents and settings\All Users\Application Data\MGS\cache\l\levelupvideopokergambleplugin.d65fe35ffb2e6dc1b9ea46def3db39dc.dll
2009-05-30 05:03 . 2009-05-30 05:03 290941 ----a-w- c:\documents and settings\All Users\Application Data\MGS\cache\l\levelupvideopokerxxx.0d52d2ac00db83d9b97c99592ee3aa21.dll
2009-05-30 05:03 . 2009-05-30 05:03 139264 ----a-w- c:\documents and settings\All Users\Application Data\MGS\cache\l\levelupvideopokerplugin.d3ee60c36507413ca9ab67247eac5288.dll
2009-05-30 05:02 . 2009-05-30 05:02 237840 ----a-w- c:\documents and settings\All Users\Application Data\MGS\cache\p\powerpokersuite1_nl.cebfe8812d984716506c6d9d096a5f48.dll
2009-05-30 05:01 . 2009-05-30 05:01 217360 ----a-w- c:\documents and settings\All Users\Application Data\MGS\cache\v\videopokersuite1.03dd648f567bef124a1d270ad208752a.dll
2009-05-30 05:00 . 2009-05-30 05:00 200704 ----a-w- c:\documents and settings\All Users\Application Data\MGS\cache\3\3cardpoker.8e73a522a397f174eb628d05f72f1f40.dll
2009-05-30 04:59 . 2009-05-30 04:59 32834 ----a-w- c:\documents and settings\All Users\Application Data\MGS\cache\_\_crt_baccarat.a090413d6195a12421945ded5707d93f.dll
2009-05-30 04:57 . 2009-05-30 04:57 368912 ----a-w- c:\documents and settings\All Users\Application Data\MGS\cache\r\reelstrikexxx.f6ecb9684e1be3d30a84d6ce47725e8a.dll
2009-05-30 04:57 . 2009-05-30 04:57 307472 ----a-w- c:\documents and settings\All Users\Application Data\MGS\cache\r\reelstrikeslot.263bf62c0114cead1f4829bc52d84b9f.dll
2009-05-30 04:57 . 2009-05-30 04:57 151824 ----a-w- c:\documents and settings\All Users\Application Data\MGS\cache\r\reelstrikebonus.352846d26cf4c594dafc9b9ea0b478be.dll
2009-05-30 04:55 . 2009-05-30 04:55 110864 ----a-w- c:\documents and settings\All Users\Application Data\MGS\cache\t\type_3reelnormal1_2.6d58a1bcaf1d9165fa0b77fa9598b623.dll
2009-05-30 04:55 . 2009-05-30 04:55 114960 ----a-w- c:\documents and settings\All Users\Application Data\MGS\cache\t\type_5reelnormal3_4_5.07db0a5618a0565d7bde7a2766c54711.dll
2009-05-30 04:54 . 2009-05-30 04:54 204905 ----a-w- c:\documents and settings\All Users\Application Data\MGS\cache\t\thunderstruck.0cc1be68d215832fa06fc779c0b3e069.dll
2009-05-30 04:53 . 2009-05-30 04:53 114688 ----a-w- c:\documents and settings\All Users\Application Data\MGS\cache\e\euroroulette.fa2b524975a5d8bbc30203d094e2b084.dll
2009-05-30 04:51 . 2009-05-30 04:51 376832 ----a-w- c:\documents and settings\All Users\Application Data\MGS\cache\e\europeanblackjack.cb403a5bad6b43e2910d2e09c35c47ed.dll
2009-05-30 04:51 . 2009-05-30 04:51 45056 ----a-w- c:\documents and settings\All Users\Application Data\MGS\cache\e\euroblackjackstrategy.9c188ef9cd6c03e5b4bd398d23041cd2.dll
2009-05-30 04:51 . 2009-05-30 04:51 229483 ----a-w- c:\documents and settings\All Users\Application Data\MGS\cache\e\euroblackjack.6c6f541acc24f3244c0a64fa851edca8.dll
2009-05-30 04:49 . 2009-05-30 04:49 311398 ----a-w- c:\documents and settings\All Users\Application Data\MGS\cache\m\mpvblackjacktourxxx.e4ccb563efd75763602af7373fbd8cec.dll
2009-05-30 04:49 . 2009-05-30 04:49 303204 ----a-w- c:\documents and settings\All Users\Application Data\MGS\cache\m\mpvblackjackplugin.49e5f42fbdf0e1e2df5232e5ea419897.dll
2009-05-30 04:48 . 2009-05-30 04:48 327784 ----a-w- c:\documents and settings\All Users\Application Data\MGS\cache\m\mpvtabletournamentlobby.fea1be7b63b308e9fdb6e8d4bd356052.dll
2009-05-30 04:43 . 2009-05-30 04:43 213264 ----a-w- c:\documents and settings\All Users\Application Data\MGS\cache\c\choosebonus.df815bbfb8ae7a29a353f0ae65e4af17.dll
2009-05-30 04:43 . 2009-05-30 04:43 323856 ----a-w- c:\documents and settings\All Users\Application Data\MGS\cache\h\hitmancontractbonus.339a969d902930975b3194643e289fc9.dll
2009-05-30 04:40 . 2009-05-30 04:40 266512 ----a-w- c:\documents and settings\All Users\Application Data\MGS\cache\t\transition_tggg.399218aff849d2e187d4554dd62a73b6.dll
2009-05-30 04:40 . 2009-05-30 04:40 262416 ----a-w- c:\documents and settings\All Users\Application Data\MGS\cache\t\transition_temp.c6aaf42b66fa6688c8ea18a671984287.dll
2009-05-30 04:40 . 2009-05-30 04:40 254224 ----a-w- c:\documents and settings\All Users\Application Data\MGS\cache\t\transition.26c3e2ce55c7cca8b63e5e8d7b4627e4.dll
2009-05-30 04:39 . 2009-05-30 04:39 524560 ----a-w- c:\documents and settings\All Users\Application Data\MGS\cache\s\simplepickxofybonus_tggg.f8ba0ccac248b6026b2705996790640a.dll
2009-05-30 04:39 . 2009-05-30 04:39 1904753 ----a-w- c:\documents and settings\All Users\Application Data\MGS\cache\a\advancedslots1_tggg.6e62948f458013fa99694cc031068e8a.dll
2009-05-30 04:39 . 2009-05-30 04:39 823568 ----a-w- c:\documents and settings\All Users\Application Data\MGS\cache\a\advancedslots1_temp2.198f2a88c7f89c1d0b1ded39e546e22b.dll
2009-05-30 04:39 . 2009-05-30 04:39 1249399 ----a-w- c:\documents and settings\All Users\Application Data\MGS\cache\a\advancedslots1xxx_tggg.a33335318f7b89139ecd4652b6e8c4b9.dll
2009-05-30 04:39 . 2009-05-30 04:39 307472 ----a-w- c:\documents and settings\All Users\Application Data\MGS\cache\g\gamble2_tggg.436ea9e59e2a2b9a2106e598920cba26.dll
2009-05-30 04:35 . 2009-05-30 04:35 413696 ----a-w- c:\documents and settings\All Users\Application Data\MGS\cache\m\menucore.9037a298ee3e59ea5a655d88569c2b77.dll
2009-05-29 20:44 . 2009-05-30 16:05 -------- d-----w- c:\windows\dhcp
2009-05-28 23:34 . 2009-05-28 23:34 552 ----a-w- c:\windows\system32\d3d8caps.dat
2009-05-27 20:49 . 2009-05-27 20:49 -------- d-----w- c:\program files\Trend Micro
2009-05-27 18:10 . 2009-06-17 21:09 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-05-27 18:10 . 2008-12-11 12:38 159600 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2009-05-27 18:10 . 2009-04-03 15:18 130936 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2009-05-27 18:10 . 2008-12-18 16:16 73840 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2009-05-27 18:09 . 2009-05-27 18:11 -------- d-----w- c:\program files\Common Files\PC Tools
2009-05-27 18:09 . 2008-12-10 15:36 64392 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2009-05-27 18:09 . 2009-05-27 18:11 -------- d-----w- c:\program files\Spyware Doctor
2009-05-27 18:09 . 2009-05-27 18:09 -------- d-----w- c:\documents and settings\ERICA\Application Data\PC Tools
2009-05-27 18:09 . 2009-05-27 18:09 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-17 04:22 . 2007-04-04 15:43 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-06-17 01:44 . 2009-04-16 02:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-06-14 15:02 . 2008-07-08 22:21 33061 ----a-w- c:\windows\king-uninstall.exe
2009-06-02 00:31 . 2002-11-12 21:45 92024 ----a-w- c:\documents and settings\ERICA\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-31 22:28 . 2002-11-10 23:26 92024 ----a-w- c:\documents and settings\EARL\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-30 17:42 . 2003-07-03 01:27 92024 ----a-w- c:\documents and settings\LISA\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-30 13:25 . 2002-10-05 01:10 -------- d-----w- c:\program files\Microsoft Works
2009-05-30 04:13 . 2004-03-18 00:07 -------- d-----w- c:\documents and settings\LISA\Application Data\MSN6
2009-05-27 10:26 . 2002-10-05 02:36 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-05-27 00:32 . 2004-02-13 00:16 -------- d-----w- c:\documents and settings\ERICA\Application Data\Lycos
2009-05-26 23:31 . 2004-02-13 20:50 -------- d-----w- c:\documents and settings\EARL\Application Data\Lycos
2009-05-16 04:50 . 2009-05-16 04:50 -------- d-----w- c:\program files\Common Files\xing shared
2009-05-16 04:50 . 2002-10-05 02:41 -------- d-----w- c:\program files\Common Files\Real
2009-05-13 05:15 . 2004-08-24 00:32 915456 ----a-w- c:\windows\system32\wininet.dll
2009-05-07 15:32 . 2001-08-18 11:00 345600 ----a-w- c:\windows\system32\localspl.dll
2009-04-17 12:26 . 2002-02-20 23:46 1847168 ----a-w- c:\windows\system32\win32k.sys
2009-04-16 04:01 . 2009-04-13 04:51 0 ----a-w- c:\windows\Wnewowa.bin
2009-04-15 14:51 . 2004-04-15 17:45 585216 ----a-w- c:\windows\system32\rpcrt4.dll
2009-04-14 22:33 . 2009-04-14 22:33 0 ----a-w- c:\windows\Wnewowa.binWnewowa.bin
2007-11-22 18:55 . 2007-11-22 18:55 436360 ----a-w- c:\program files\msgr8us.exe
2005-08-11 23:53 . 2005-08-11 23:53 1058352 ----a-w- c:\program files\tr1advinst.zip
1999-03-17 20:40 . 2004-09-24 02:17 48704 ----a-w- c:\program files\Same.exe
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

--- c:\program files\Same.exe ---
Company: ------
File Description: ------
File Version: ------
Product Name: ------
Copyright: ------
Original Filename: ------
File size: 48704
Created time: 2004-09-24 02:17
Modified time: 1999-03-17 20:40
MD5: A645F15916F104199B8D75F7B803ADE9
SHA1: 7C4081B375444B5AC21CC7ADD06BA7B73D4C4393


((((((((((((((((((((((((((((( SnapShot@2009-06-16_21.54.44 )))))))))))))))))))))))))))))))))))))))))
.
+ 2001-08-18 11:00 . 2009-04-30 21:22 25600 c:\windows\SYSTEM32\jsproxy.dll
- 2001-08-18 11:00 . 2009-03-08 08:33 25600 c:\windows\SYSTEM32\jsproxy.dll
- 2006-05-10 05:22 . 2009-03-08 08:33 25600 c:\windows\SYSTEM32\DLLCACHE\jsproxy.dll
+ 2006-05-10 05:22 . 2009-04-30 21:22 25600 c:\windows\SYSTEM32\DLLCACHE\jsproxy.dll
+ 2007-04-04 15:52 . 2009-06-17 04:22 35088 c:\windows\Installer\{90120000-0011-0000-0000-0000000FF1CE}\oisicon.exe
- 2007-04-04 15:52 . 2009-05-30 13:30 35088 c:\windows\Installer\{90120000-0011-0000-0000-0000000FF1CE}\oisicon.exe
+ 2007-04-04 15:52 . 2009-06-17 04:22 18704 c:\windows\Installer\{90120000-0011-0000-0000-0000000FF1CE}\mspicons.exe
- 2007-04-04 15:52 . 2009-05-30 13:30 18704 c:\windows\Installer\{90120000-0011-0000-0000-0000000FF1CE}\mspicons.exe
- 2007-04-04 15:52 . 2009-05-30 13:30 20240 c:\windows\Installer\{90120000-0011-0000-0000-0000000FF1CE}\cagicon.exe
+ 2007-04-04 15:52 . 2009-06-17 04:22 20240 c:\windows\Installer\{90120000-0011-0000-0000-0000000FF1CE}\cagicon.exe
+ 2006-10-27 01:13 . 2006-10-27 01:13 72472 c:\windows\Installer\$PatchCache$\Managed\00002109110000000000000000F01FEC\12.0.4518\XL12CNVP.DLL
+ 2006-10-27 00:55 . 2006-10-27 00:55 55056 c:\windows\Installer\$PatchCache$\Managed\00002109110000000000000000F01FEC\12.0.4518\SCANOST.EXE
+ 2006-10-27 00:55 . 2006-10-27 00:55 76576 c:\windows\Installer\$PatchCache$\Managed\00002109110000000000000000F01FEC\12.0.4518\RM.DLL
+ 2006-10-27 00:55 . 2006-10-27 00:55 39208 c:\windows\Installer\$PatchCache$\Managed\00002109110000000000000000F01FEC\12.0.4518\RECALL.DLL
+ 2006-10-27 00:55 . 2006-10-27 00:55 53048 c:\windows\Installer\$PatchCache$\Managed\00002109110000000000000000F01FEC\12.0.4518\OUTLVBA.DLL
+ 2006-10-27 00:55 . 2006-10-27 00:55 21312 c:\windows\Installer\$PatchCache$\Managed\00002109110000000000000000F01FEC\12.0.4518\MLSHEXT.DLL
+ 2006-10-27 00:55 . 2006-10-27 00:55 35160 c:\windows\Installer\$PatchCache$\Managed\00002109110000000000000000F01FEC\12.0.4518\DUMPSTER.DLL
+ 2009-06-17 04:21 . 2009-03-08 08:33 12288 c:\windows\ie8updates\KB969897-IE8\xpshims.dll
+ 2009-06-17 04:21 . 2009-03-08 08:33 25600 c:\windows\ie8updates\KB969897-IE8\jsproxy.dll
+ 2004-01-01 15:27 . 2009-04-30 21:22 385536 c:\windows\SYSTEM32\iedkcs32.dll
+ 2004-01-01 15:27 . 2009-04-30 11:21 173056 c:\windows\SYSTEM32\ie4uinit.exe
- 2004-01-01 15:27 . 2009-03-08 08:32 173056 c:\windows\SYSTEM32\ie4uinit.exe
- 2002-10-05 02:26 . 2009-05-30 13:36 319544 c:\windows\SYSTEM32\FNTCACHE.DAT
+ 2002-10-05 02:26 . 2009-06-17 15:29 319544 c:\windows\SYSTEM32\FNTCACHE.DAT
+ 2006-05-10 05:23 . 2009-05-13 05:15 915456 c:\windows\SYSTEM32\DLLCACHE\wininet.dll
+ 2009-04-15 14:51 . 2009-04-15 14:51 585216 c:\windows\SYSTEM32\DLLCACHE\rpcrt4.dll
+ 2009-05-07 15:32 . 2009-05-07 15:32 345600 c:\windows\SYSTEM32\DLLCACHE\localspl.dll
+ 2006-11-07 08:27 . 2009-04-30 21:22 385536 c:\windows\SYSTEM32\DLLCACHE\iedkcs32.dll
- 2006-11-07 08:26 . 2009-03-08 08:32 173056 c:\windows\SYSTEM32\DLLCACHE\ie4uinit.exe
+ 2006-11-07 08:26 . 2009-04-30 11:21 173056 c:\windows\SYSTEM32\DLLCACHE\ie4uinit.exe
+ 2009-06-14 14:41 . 2009-06-17 15:34 245760 c:\windows\SYSTEM32\CONFIG\systemprofile\IETldCache\index.dat
- 2009-06-14 14:41 . 2009-06-14 14:40 245760 c:\windows\SYSTEM32\CONFIG\systemprofile\IETldCache\index.dat
+ 2007-04-04 15:52 . 2009-06-17 04:22 888080 c:\windows\Installer\{90120000-0011-0000-0000-0000000FF1CE}\wordicon.exe
- 2007-04-04 15:52 . 2009-05-30 13:30 888080 c:\windows\Installer\{90120000-0011-0000-0000-0000000FF1CE}\wordicon.exe
- 2007-04-04 15:52 . 2009-05-30 13:30 272648 c:\windows\Installer\{90120000-0011-0000-0000-0000000FF1CE}\pubs.exe
+ 2007-04-04 15:52 . 2009-06-17 04:22 272648 c:\windows\Installer\{90120000-0011-0000-0000-0000000FF1CE}\pubs.exe
+ 2007-04-04 15:52 . 2009-06-17 04:22 922384 c:\windows\Installer\{90120000-0011-0000-0000-0000000FF1CE}\pptico.exe
- 2007-04-04 15:52 . 2009-05-30 13:30 922384 c:\windows\Installer\{90120000-0011-0000-0000-0000000FF1CE}\pptico.exe
- 2007-04-04 15:52 . 2009-05-30 13:30 845584 c:\windows\Installer\{90120000-0011-0000-0000-0000000FF1CE}\outicon.exe
+ 2007-04-04 15:52 . 2009-06-17 04:22 845584 c:\windows\Installer\{90120000-0011-0000-0000-0000000FF1CE}\outicon.exe
+ 2007-04-04 15:52 . 2009-06-17 04:22 217864 c:\windows\Installer\{90120000-0011-0000-0000-0000000FF1CE}\misc.exe
- 2007-04-04 15:52 . 2009-05-30 13:30 217864 c:\windows\Installer\{90120000-0011-0000-0000-0000000FF1CE}\misc.exe
- 2007-04-04 15:52 . 2009-05-30 13:30 159504 c:\windows\Installer\{90120000-0011-0000-0000-0000000FF1CE}\inficon.exe
+ 2007-04-04 15:52 . 2009-06-17 04:22 159504 c:\windows\Installer\{90120000-0011-0000-0000-0000000FF1CE}\inficon.exe
+ 2006-10-27 19:16 . 2006-10-27 19:16 408880 c:\windows\Installer\$PatchCache$\Managed\00002109110000000000000000F01FEC\12.0.4518\RTFHTML.DLL
+ 2006-10-27 19:16 . 2006-10-27 19:16 138512 c:\windows\Installer\$PatchCache$\Managed\00002109110000000000000000F01FEC\12.0.4518\OUTLCTL.DLL
+ 2006-10-27 00:55 . 2006-10-27 00:55 254776 c:\windows\Installer\$PatchCache$\Managed\00002109110000000000000000F01FEC\12.0.4518\OLKFSTUB.DLL
+ 2006-10-27 00:55 . 2006-10-27 00:55 154960 c:\windows\Installer\$PatchCache$\Managed\00002109110000000000000000F01FEC\12.0.4518\ENVELOPE.DLL
+ 2006-10-27 00:55 . 2006-10-27 00:55 116544 c:\windows\Installer\$PatchCache$\Managed\00002109110000000000000000F01FEC\12.0.4518\EMABLT32.DLL
+ 2009-06-17 04:21 . 2009-03-08 08:34 914944 c:\windows\ie8updates\KB969897-IE8\wininet.dll
+ 2009-06-17 04:21 . 2008-07-09 07:38 382840 c:\windows\ie8updates\KB969897-IE8\spuninst\updspapi.dll
+ 2009-06-17 04:21 . 2007-11-30 12:39 231288 c:\windows\ie8updates\KB969897-IE8\spuninst\spuninst.exe
+ 2009-06-17 04:21 . 2009-03-08 08:33 246784 c:\windows\ie8updates\KB969897-IE8\ieproxy.dll
+ 2009-06-17 04:21 . 2009-03-08 18:09 391536 c:\windows\ie8updates\KB969897-IE8\iedkcs32.dll
+ 2009-06-17 04:21 . 2009-03-08 08:32 173056 c:\windows\ie8updates\KB969897-IE8\ie4uinit.exe
+ 2004-09-23 21:08 . 2009-04-30 21:22 1207808 c:\windows\SYSTEM32\urlmon.dll
+ 2004-09-29 04:57 . 2009-05-13 05:15 5936128 c:\windows\SYSTEM32\mshtml.dll
+ 2006-10-17 16:57 . 2009-04-30 21:22 1985024 c:\windows\SYSTEM32\iertutil.dll
- 2006-10-17 16:57 . 2009-03-08 08:32 1985024 c:\windows\SYSTEM32\iertutil.dll
+ 2008-10-16 02:55 . 2009-04-17 12:26 1847168 c:\windows\SYSTEM32\DLLCACHE\win32k.sys
+ 2006-05-10 05:23 . 2009-04-30 21:22 1207808 c:\windows\SYSTEM32\DLLCACHE\urlmon.dll
+ 2006-05-19 15:08 . 2009-05-13 05:15 5936128 c:\windows\SYSTEM32\DLLCACHE\mshtml.dll
+ 2007-05-10 16:30 . 2009-04-30 21:22 1985024 c:\windows\SYSTEM32\DLLCACHE\iertutil.dll
- 2007-05-10 16:30 . 2009-03-08 08:32 1985024 c:\windows\SYSTEM32\DLLCACHE\iertutil.dll
- 2007-04-04 15:52 . 2009-05-30 13:30 1172240 c:\windows\Installer\{90120000-0011-0000-0000-0000000FF1CE}\xlicons.exe
+ 2007-04-04 15:52 . 2009-06-17 04:22 1172240 c:\windows\Installer\{90120000-0011-0000-0000-0000000FF1CE}\xlicons.exe
+ 2007-04-04 15:52 . 2009-06-17 04:22 1165584 c:\windows\Installer\{90120000-0011-0000-0000-0000000FF1CE}\accicons.exe
- 2007-04-04 15:52 . 2009-05-30 13:30 1165584 c:\windows\Installer\{90120000-0011-0000-0000-0000000FF1CE}\accicons.exe
+ 2009-06-17 04:21 . 2009-03-08 08:34 1206784 c:\windows\ie8updates\KB969897-IE8\urlmon.dll
+ 2009-06-17 04:21 . 2009-03-08 08:41 5937152 c:\windows\ie8updates\KB969897-IE8\mshtml.dll
+ 2009-06-17 04:21 . 2009-03-08 08:32 1985024 c:\windows\ie8updates\KB969897-IE8\iertutil.dll
+ 2006-11-08 02:03 . 2009-04-30 21:22 11064832 c:\windows\SYSTEM32\ieframe.dll
+ 2007-05-10 16:30 . 2009-04-30 21:22 11064832 c:\windows\SYSTEM32\DLLCACHE\ieframe.dll
+ 2009-06-17 04:21 . 2009-03-08 08:39 11063808 c:\windows\ie8updates\KB969897-IE8\ieframe.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-09-26 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2003-10-06 5058560]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-02-16 282624]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2009-05-26 414480]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-05-16 198160]

c:\documents and settings\LISA\Start Menu\Programs\Startup\
Office Startup.lnk - c:\program files\Microsoft Office\Office\OSA.EXE [1996-11-17 51984]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Works Calendar Reminders.lnk - c:\program files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe [2001-8-7 24633]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\globallyopenports\list]
"41435:TCP"= 41435:TCP:@xpsp2res.dll,-22009

R0 PCTCore;PCTools KDS;c:\windows\SYSTEM32\DRIVERS\PCTCore.sys [5/27/2009 2:10 PM 130936]
R2 mbamservice;mbamservice;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [5/30/2009 11:37 AM 194832]
R3 mbamprotector;mbamprotector;c:\windows\SYSTEM32\DRIVERS\mbam.sys [5/30/2009 11:37 AM 19096]
S2 spupdsvc;Windows Service Pack Installer update service;c:\windows\SYSTEM32\spupdsvc.exe [10/22/2004 7:42 AM 26144]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [5/27/2009 2:09 PM 348752]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-06-17 c:\windows\Tasks\Ad-aware 6.job
- c:\progra~1\Lavasoft\AD-AWA~1\Ad-aware.exe [2004-03-18 03:00]

2009-06-17 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-09-16 02:33]

2009-06-17 c:\windows\Tasks\Malwarebytes' Scheduled Scan for EARL.job
- c:\program files\Malwarebytes' Anti-Malware\mbam.exe [2009-05-30 17:20]

2009-06-17 c:\windows\Tasks\Malwarebytes' Scheduled Update for EARL.job
- c:\program files\Malwarebytes' Anti-Malware\mbam.exe [2009-05-30 17:20]

2009-06-12 c:\windows\Tasks\System Restore.job
- c:\windows\SYSTEM32\Restore\rstrui.exe [2004-01-01 00:12]
.
.
------- Supplementary Scan -------
.
IE: Add to AMV Converter... - c:\program files\MP3 Player Utilities 4.15\AMVConverter\grab.html
IE: Add to Media Manager... - c:\program files\MP3 Player Utilities 4.15\MediaManager\grab.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath -
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-17 17:29
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(4000)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe
c:\program files\Common Files\Symantec Shared\CCPROXY.EXE
c:\program files\Common Files\Symantec Shared\CCSETMGR.EXE
c:\windows\SYSTEM32\CTSVCCDA.EXE
c:\documents and settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40ST7.EXE
c:\documents and settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40RP7.EXE
c:\program files\Norton Internet Security\Norton AntiVirus\NAVAPSVC.EXE
c:\windows\SYSTEM32\nvsvc32.exe
c:\program files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
c:\windows\SYSTEM32\wdfmgr.exe
c:\windows\SYSTEM32\MsPMSPSv.exe
c:\windows\SYSTEM32\devldr32.exe
c:\windows\SYSTEM32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-06-17 17:36 - machine was rebooted
ComboFix-quarantined-files.txt 2009-06-17 21:36
ComboFix2.txt 2009-06-16 22:02

Pre-Run: 57,519,648,768 bytes free
Post-Run: 57,646,034,944 bytes free

345 --- E O F --- 2009-06-17 04:22
eah
Active Member
 
Posts: 5
Joined: June 13th, 2009, 12:21 pm

Re: Vundo virus, malware cannot assassinate files.

Post by Rodav » June 18th, 2009, 2:10 pm

Step 1 was the most important and it looks like it worked. You had a nasty infection which protected the vundo files, so they couldn't be deleted too easily. Step 2 was to see if there were any rootkits involved also, if your computer seems to be running better it may not be necessary. There is a bit more work to do but we shouldn't be too long.

Step 1:
Please visit Virustotal

Copy/paste this file and path into the white box at the top:
c:\program files\Same.exe

Press Submit - this will submit the file for testing.
Please wait for all the scanners to finish, then copy and paste the results in your next response. Also let me know if you know anything about that file.


Step 2:
Note: You can use either Internet Explorer or Mozilla Firefox for this scan. You will, however, need to disable your currently installed anti-virus; how to do so can be read here.

Vista users: You will need to right-click on either the IE or FF icon in the Start Menu or Quick Launch Bar on the Taskbar and select Run as Administrator from the context menu.

  • Please go here then click on: Image
    Note: If using Mozilla Firefox you will need to download esetsmartinstaller_enu.exe when prompted, then double-click on it to install.
    All of the below instructions are compatible with either Internet Explorer or Mozilla Firefox.
  • Select the option YES, I accept the Terms of Use then click on: Image
  • When prompted allow the Add-On/Active X to install.
  • Make sure that the option Remove found threats is NOT checked, and the option Scan archives is checked.
  • Now click on Advanced Settings and select the following:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Now click on: Image
  • The virus signature database... will begin to download. Be patient; this may take some time depending on the speed of your Internet connection.
  • When completed the Online Scan will begin automatically.
  • Do not touch either the Mouse or keyboard during the scan otherwise it may stall.
  • When completed, select Uninstall application on close if you so wish; make sure you copy the logfile first!
  • Now click on: Image
  • Use notepad to open the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt.
  • Copy and paste that log as a reply to this topic.
Note: Do not forget to re-enable your Anti-Virus application after running the above scan!


Step 3:
Run HijackThis, do a system scan and post the following:
  • The virustotal results
  • The online eset scan results
  • The new HijackThis log
Also let me know how your computer is running.
Rodav
MRU Master Emeritus
 
Posts: 1481
Joined: April 19th, 2007, 6:44 am
Location: Here, there and yonder.
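
Step 1 above uploads c:\program files\Same.exe to VirusTotal. A check worth doing before uploading, and again when the report comes back, is to hash the file yourself and compare against what ComboFix already printed for it in the 'Look' section (48704 bytes, MD5 A645F159..., SHA1 7C4081B3...). If they agree, the VirusTotal verdict is about the same bytes you have on disk. If VirusTotal already holds that hash it hands back its existing report rather than scanning again, which is why the report eah receives in the next post is dated 2009.05.28, three weeks before it was requested. The script below is an added example in Python, not code from this forum, from ComboFix or from VirusTotal. It needs only the standard library; Same.exe itself is not available here, so the offline run hashes a constructed byte string whose digests are published test vectors.

```python
"""Hash a file and check it against the digests ComboFix reported for it.
Added example, not code from the forum post, ComboFix or VirusTotal. The
reference values are the ones ComboFix printed for Same.exe (in Program
Files) in the thread; the file itself is not available here, so the offline
path hashes constructed byte strings with well-known digests."""
import hashlib
import sys

# Copied from the 'Look' section of the posted ComboFix log (uppercase hex
# is how ComboFix prints it; VirusTotal prints the same values in lowercase).
COMBOFIX_REPORT = {
    "size": 48704,
    "md5": "A645F15916F104199B8D75F7B803ADE9",
    "sha1": "7C4081B375444B5AC21CC7ADD06BA7B73D4C4393",
}

# Constructed stand-in for the missing file: 'abc' has published test-vector
# digests for MD5, SHA-1 and SHA-256.
SAMPLE_BYTES = b"abc"


def digests(data: bytes) -> dict:
    """Size plus MD5, SHA-1 and SHA-256 of the bytes, lowercase hex."""
    return {
        "size": len(data),
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def file_digests(path: str) -> dict:
    """digests() streamed from disk, so the file need not fit in memory."""
    hashes = {"md5": hashlib.md5(), "sha1": hashlib.sha1(),
              "sha256": hashlib.sha256()}
    size = 0
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            size += len(chunk)
            for h in hashes.values():
                h.update(chunk)
    result = {name: h.hexdigest() for name, h in hashes.items()}
    result["size"] = size
    return result


def mismatches(actual: dict, report: dict) -> list:
    """Names of report fields that disagree with the computed digests, in
    report order. Hex is compared case-insensitively; fields missing from
    the report (ComboFix prints no SHA-256) are simply not compared."""
    bad = []
    for key, expected in report.items():
        got = actual.get(key)
        if isinstance(expected, str):
            same = isinstance(got, str) and got.lower() == expected.lower()
        else:
            same = got == expected
        if not same:
            bad.append(key)
    return bad


if __name__ == "__main__":
    # With a path argument, hash that file; without one, use the constructed
    # sample, which of course does not match the Same.exe report.
    actual = file_digests(sys.argv[1]) if len(sys.argv) > 1 else digests(SAMPLE_BYTES)
    bad = mismatches(actual, COMBOFIX_REPORT)
    print("sha256:", actual["sha256"])
    print("matches ComboFix report" if not bad else f"differs from report in: {bad}")
```

Run it with the path of the file as its only argument on the infected machine; an empty mismatch list means the VirusTotal report (which lists the same MD5 and SHA1 in lowercase) describes exactly the file ComboFix saw. Keep the SHA-256 as well: it is what later tooling and VirusTotal's own "Additional information" block key on.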

Re: Vundo virus, malware cannot assassinate files.

Post by eah » June 18th, 2009, 7:55 pm

The computer seems to work fine, with a few glitches: scrolling is ragged, and I still cannot use the internet on my login. I just figured once it is clean I can create a new user and delete my old one.

Same.exe is a very, very, very old version of a match-the-colored-blocks type game.

By the way before I forget I want to thank you for all your help.

Here are my logs.

Virustotal
File a645f1594016f104be19009b8d75f700b803ade9.EXE received on 2009.05.28 19:32:09 (UTC)
Current status: finished

Result: 1/40 (2.50%)
Antivirus Version Last Update Result
a-squared 4.0.0.101 2009.05.28 -
AhnLab-V3 5.0.0.2 2009.05.28 -
AntiVir 7.9.0.180 2009.05.28 -
Antiy-AVL 2.0.3.1 2009.05.27 -
Authentium 5.1.2.4 2009.05.28 -
Avast 4.8.1335.0 2009.05.27 -
AVG 8.5.0.339 2009.05.28 -
BitDefender 7.2 2009.05.28 -
CAT-QuickHeal 10.00 2009.05.28 -
ClamAV 0.94.1 2009.05.28 -
Comodo 1203 2009.05.28 -
DrWeb 5.0.0.12182 2009.05.28 -
eSafe 7.0.17.0 2009.05.27 Win32.Banker
eTrust-Vet 31.6.6526 2009.05.28 -
F-Prot 4.4.4.56 2009.05.28 -
F-Secure 8.0.14470.0 2009.05.28 -
Fortinet 3.117.0.0 2009.05.28 -
GData 19 2009.05.28 -
Ikarus T3.1.1.57.0 2009.05.28 -
K7AntiVirus 7.10.748 2009.05.28 -
Kaspersky 7.0.0.125 2009.05.28 -
McAfee 5629 2009.05.28 -
McAfee+Artemis 5629 2009.05.28 -
McAfee-GW-Edition 6.7.6 2009.05.28 -
Microsoft 1.4701 2009.05.28 -
NOD32 4113 2009.05.28 -
Norman 2009.05.28 -
nProtect 2009.1.8.0 2009.05.28 -
Panda 10.0.0.14 2009.05.28 -
PCTools 4.4.2.0 2009.05.21 -
Prevx 3.0 2009.05.28 -
Rising 21.31.21.00 2009.05.27 -
Sophos 4.42.0 2009.05.28 -
Sunbelt 3.2.1858.2 2009.05.28 -
Symantec 1.4.4.12 2009.05.28 -
TheHacker 6.3.4.3.333 2009.05.28 -
TrendMicro 8.950.0.1092 2009.05.28 -
VBA32 3.12.10.6 2009.05.27 -
ViRobot 2009.5.28.1759 2009.05.28 -
VirusBuster 4.6.5.0 2009.05.28 -
Additional information
File size: 48704 bytes
MD5 : a645f15916f104199b8d75f7b803ade9
SHA1 : 7c4081b375444b5ac21cc7add06ba7b73d4c4393
SHA256: 2f8942102b3280d9c6fec4a9eac338a42865fecddfc748c29663dd4accfff755
TrID : File type identification
76.1% (.EXE) DOS Executable Borland C++ (13007/5/3)
11.7% (.EXE) Generic Win/DOS Executable (2002/3)
11.7% (.EXE) DOS Executable Generic (2000/1)
0.2% (.CPT) Corel Photo Paint (41/41)
0.1% (.VXD) VXD Driver (31/22)
ssdeep: 768:GK8uze5rTTiTNnLs+R/l9IO9dTl3yd2aFrh7vtmaSoLK:NgTGNPDtCrxcELK
PEiD : -
CWSandbox: http://research.sunbelt-software.com/pa ... f7b803ade9
RDS : NSRL Reference Data Set
-


ATTENTION: VirusTotal is a free service offered by Hispasec Sistemas. There are no guarantees about the availability and continuity of this service. Although the detection rate afforded by the use of multiple antivirus engines is far superior to that offered by just one product, these results DO NOT guarantee the harmlessness of a file. Currently, there is not any solution that offers a 100% effectiveness rate for detecting viruses and malware.


ESET log

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=6
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.5863
# api_version=3.0.2
# EOSSerial=d9ffd409f04c9941aff55d0cefb5e85f
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2009-06-18 11:48:10
# local_time=2009-06-18 07:48:10 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=3586 41 100 90 533084436250000
# scanned=100103
# found=6
# cleaned=0
# scan_time=3687
C:\Documents and Settings\LISA\Local Settings\Application Data\Identities\{B81840D4-1844-4D89-A307-5402BFC1B327}\Microsoft\Outlook Express\Hotmail - Inbox.dbx Win32/Netsky.Q worm 00000000000000000000000000000000
C:\Downloads\AlohaTriPeaksSetup-dm[1].exe Win32/Adware.Trymedia application 00000000000000000000000000000000
C:\MicroGaming\Casino\AllSlots\install.exe Win32/PrimeCasino application 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\DRIVERS\_cvcpvdol_.sys.zip Win32/BHO.EXT trojan 00000000000000000000000000000000
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP22\A0019465.sys a variant of Win32/Rustock.NIH trojan 00000000000000000000000000000000
C:\WINDOWS\wt\wtupdates\wtwebdriver\files\3.3.1.001\npwthost.dll probably a variant of Win32/Agent trojan 00000000000000000000000000000000


Hijackthis log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:53:23 PM, on 6/18/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40ST7.EXE
C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40RP7.EXE
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\SYSTEM32\notepad.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\SYSTEM32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.15642\swg.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O8 - Extra context menu item: Add to AMV Converter... - C:\Program Files\MP3 Player Utilities 4.15\AMVConverter\grab.html
O8 - Extra context menu item: Add to Media Manager... - C:\Program Files\MP3 Player Utilities 4.15\MediaManager\grab.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.symantec.com/techsup ... SupCtl.cab
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/ms ... b56986.cab
O16 - DPF: {215b8138-a3cf-44c5-803f-8226143cfc0a} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/house ... hcImpl.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/Shar ... vSniff.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/a-U ... E_UNO1.cab
O16 - DPF: {5ed80217-570b-4da9-bf44-be107c0ec166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resour ... se1140.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/Shar ... /cabsa.cab
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... Client.cab
O16 - DPF: {9B17FE0E-51F2-4692-8B32-8EFB805FC0E7} (HPObjectInstaller Class) - http://h30155.www3.hp.com/ediags/gs/ins ... utions.cab
O16 - DPF: {BB47CA33-8B4D-11D0-9511-00C04FD9152D} (ExteriorSurround Object) - http://autos.msn.com/components/ocx/ext ... utside.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b56907.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsup ... mAData.cab
O16 - DPF: {ffb3a759-98b1-446f-bda9-909c6eb18cc7} (PCPitstop Exam) - http://utilities.pcpitstop.com/Optimize3/pcpitstop2.dll
O23 - Service: ArcSoft Connect Daemon (ACDaemon) - ArcSoft Inc. - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: EPSON V5 Service4(01) (epson_eb_rpcv4_01) - SEIKO EPSON CORPORATION - C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40ST7.EXE
O23 - Service: EPSON V3 Service4(01) (epson_pm_rpcv4_01) - SEIKO EPSON CORPORATION - C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40RP7.EXE
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: mbamservice - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 9750 bytes
eah
Active Member
 
Posts: 5
Joined: June 13th, 2009, 12:21 pm

Re: Vundo virus, malware can not assasinate files.

Unread postby Rodav » June 19th, 2009, 8:20 pm

Unfortunately, when a computer was as heavily infected as yours, there can be some damage left over even after all the malware has been removed. Sometimes the easiest option is to reformat and perform a clean install of the operating system. If you're still having some glitches after we are done, you could ask at a dedicated tech forum like http://forums.pcpitstop.com/, who may be able to help you quicker with those types of issues than I would.

On a happier note, it looks like malware is no longer an issue, just a little cleaning up left.

There is an infected email in your Outlook Express inbox; unfortunately I have no way of identifying it directly, so you may want to delete any unwanted emails.


Step 1:
The following will implement some cleanup procedures as well as reset System Restore points:

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /u

You may also want to delete any other tools or logs produced during the earlier steps.


==============================================

Your logs are now clean. :D :D
If you still feel you are having any issues please let me know now, otherwise read through the following:


Please take the time to tell us what you would like to be done about the people who are behind all the problems you have had. We can only get something done about this if the people that we help, like you, are prepared to complain. We have a dedicated forum for collecting these complaints, Malware Complaints. You need to be registered to post, as unfortunately we were hit with too many spam postings to allow guest posting to continue; just find your country room and register your complaint.

Below are some steps to follow in order to dramatically lower the chances of reinfection.
You may have already implemented some of the steps below; however, you can follow any steps that you have not already implemented.
  • Download and install an antivirus program, and make sure that you keep it updated
    New viruses come out every minute, so it is essential that you have the latest signatures for your antivirus program to provide you with the best possible protection from malicious software
    Two good antivirus programs free for non-commercial home use are Avast and Antivir
    Two good paid for antivirus programs are NOD32 and Kaspersky
    Note: You should only have one antivirus installed at a time. Having more than one antivirus program installed at once is likely to cause conflicts and may well decrease your overall protection level. It may also impair the performance of your PC.
  • Make sure you install all the security updates for Windows, Internet explorer & Microsoft Office
    Whenever a security problem in its software is found, Microsoft will usually create a patch for it, so that after the patch is installed, attackers can't use the vulnerability to install malicious software on your PC. Keeping up with these patches will help to prevent malicious software being installed on your PC.
    Go here to check for & install updates to Microsoft applications.
    Note: The update process uses ActiveX, so you will need to use Internet Explorer for it, and allow the ActiveX control that it wants to install.
  • Keep your non-Microsoft applications updated as well
    Microsoft isn't the only company whose products can contain security vulnerabilities. To check for other vulnerable programs running on your PC that are in need of an update, you can use the Secunia Software Inspector. I suggest that you run it at least once a month.
  • Make Internet Explorer more secure
    Click Start > Run
    Type Inetcpl.cpl & click OK
    Click on the Security tab
    Click Reset all zones to default level
    Make sure the Internet Zone is selected & Click Custom level
    In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls") to "Prompt", and "Initialize and Script ActiveX controls not marked as safe" to "Disable".
    Next Click OK, then Apply button and then OK to exit the Internet Properties page.
  • Install a Hosts File
    I recommend MVPS Hosts File
    Every version of Windows includes a hosts file. A hosts file is a bit like a phone book: it points to the actual numeric address (i.e. the IP address) from the human-friendly name of a website. This feature can be used to block malicious websites.
    On some PCs, having a custom HOSTS file installed can cause a significant slowdown. Following these instructions should resolve the issue:
    • Click Start > Run
    • Type services.msc & click OK
    • In the list, find the service called DNS Client & double click on it.
    • On the dropdown box, change the setting from automatic to manual.
    • Click OK & then close the Services window
    For a more detailed explanation of the HOSTS file, click here
  • Download and install the free version of WinPatrol. This program protects your computer in a variety of ways and will work well with your existing security software. Have a look at this tutorial to help you get started with the program. If you want to help the developer of the program and get more information about the programs that you see in WinPatrol, please check out WinPatrol Plus. It does not need a new download.
  • The last and most important thing I can tell you is UPDATE, UPDATE, UPDATE.
    If you don't update your security programs (Antivirus, Antispyware, even Windows) then you are at risk.
    Malware changes on a day to day basis. You should update every week at the very least.

Miekiemoes, an expert in malware removal, has a fantastic article on how to prevent malware with further tips; it's well worth a read. http://users.telenet.be/bluepatchy/miek ... ntion.html

Please reply to this topic one more time so I know you have read through it or with any questions you may have.
Rodav
MRU Master Emeritus
 
Posts: 1481
Joined: April 19th, 2007, 6:44 am
Location: Here, there and yonder.
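
The HOSTS file step in the post above is worth seeing in action. The following is an added example, not code from the post, from the MVPS project or from HijackThis: it parses HOSTS-file text in the layout Windows uses, resolves a name the way the system would (the HOSTS file is consulted before DNS), and separates blocking entries (names mapped to 0.0.0.0 or 127.0.0.1, which is what a list like MVPS does) from entries that send a name to some other address, which is the kind of hosts-file change HijackThis reports as an O1 line and which is worth reviewing. The sample HOSTS content and every hostname and address in it are constructed for illustration, and the "first mapping wins" rule for duplicate names is an assumption of this example.

```python
"""Parse a Windows HOSTS file and show how it overrides name resolution.

Added example, not code from the forum post above. The sample content below is
constructed; the hostnames and the 203.0.113.7 address are placeholders.
"""
import ipaddress

# Addresses a blocking HOSTS list (MVPS style) maps unwanted names to.
BLOCK_ADDRESSES = {"0.0.0.0", "127.0.0.1", "::1"}

# Names that legitimately point at loopback in a stock HOSTS file.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}

# Constructed sample in the layout of %SystemRoot%\system32\drivers\etc\hosts:
# "<address> <name> [<alias> ...]" with '#' starting a comment.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
0.0.0.0  ad-server.example                      # blocking entry
0.0.0.0  tracker.example   www.tracker.example  # two names on one line
not-an-address  junk.example                    # malformed line, ignored
203.0.113.7  update.vendor.example              # sends a real name elsewhere
"""


def parse_hosts(text):
    """Return {hostname (lower-case): address} from HOSTS-file text.

    Comments and blank lines are skipped, a line whose first field is not an
    IP address is ignored, and when a name appears twice the first mapping is
    kept (assumed here to match the resolver's behaviour).
    """
    hosts = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        try:
            addr = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue
        for name in fields[1:]:
            hosts.setdefault(name.lower(), addr)
    return hosts


def resolve(hosts, name):
    """Answer the way the system does: a HOSTS match wins, otherwise None
    (meaning the lookup would fall through to DNS). Names are case-insensitive."""
    return hosts.get(name.lower())


def classify(hosts):
    """Split entries into stock loopback names, blocking entries and
    redirects (a name sent to a routable address), which deserve a look."""
    report = {"local": [], "blocking": [], "redirect": []}
    for name, addr in hosts.items():
        if name in LOCAL_NAMES:
            report["local"].append(name)
        elif addr in BLOCK_ADDRESSES:
            report["blocking"].append(name)
        else:
            report["redirect"].append(name)
    return report


if __name__ == "__main__":
    table = parse_hosts(SAMPLE_HOSTS)
    for name in ("AD-SERVER.example", "www.tracker.example", "unlisted.example"):
        answer = resolve(table, name)
        print(f"{name:24} -> {answer or '(not in HOSTS, ask DNS)'}")
    report = classify(table)
    print("blocking entries:", len(report["blocking"]))
    print("redirect entries worth reviewing:", report["redirect"])
```

Run it against a real file by reading %SystemRoot%\system32\drivers\etc\hosts into `parse_hosts` instead of the constructed sample; a long "blocking" list is what a hosts-based blocklist looks like, while anything in "redirect" that names a site you did not deliberately remap is the case to investigate.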

Re: Vundo virus, malware can not assasinate files.

Unread postby eah » June 19th, 2009, 10:17 pm

Thank you so much for all your help. I thought I had a firewall that stopped this from happening, I thought wrong!

I do not use Outlook Express. I use Hotmail for my email so how do I delete something from an inbox I never see?

Isn't Malwarebytes an antivirus? Can you tell this is new to me?
I've downloaded Avast, checked for updates, installed MVPS Hosts File & downloaded WinPatrol.

I will try to remember to UPDATE! UPDATE! UPDATE!
I have windows & Malwarebytes on auto update.

Thanks again
eah
Active Member
 
Posts: 5
Joined: June 13th, 2009, 12:21 pm

Re: Vundo virus, malware can not assasinate files.

Unread postby Rodav » June 20th, 2009, 3:10 pm

I do not use Outlook Express. I use Hotmail for my email so how do I delete something from an inbox I never see?
The file the online scan flagged: C:\Documents and Settings\LISA\Local Settings\Application Data\Identities\{B81840D4-1844-4D89-A307-5402BFC1B327}\Microsoft\Outlook Express\Hotmail - Inbox.dbx is in the profile for Lisa. She may know what to delete, otherwise you may delete the file above if nobody is using that account.

Isn't Malwarebytes an antivirus? Can you tell this is new to me?
I've downloaded Avast, checked for updates, installed MVPS Hosts File & downloaded WinPatrol.
No, Malwarebytes is not an antivirus; it's meant to run alongside an antivirus.
You had Norton Internet Security installed during the removal process, which had a firewall and antivirus. If this is no longer being updated, you need to remove it via Add/Remove Programs. If you are having issues with removing it, you can use the removal tool: http://service1.symantec.com/Support/ts ... 3108162039

Avast is an antivirus, so if you want to keep it that's fine. Just remember to have only one antivirus installed.

If you have any other questions, let me know.
Rodav
MRU Master Emeritus
 
Posts: 1481
Joined: April 19th, 2007, 6:44 am
Location: Here, there and yonder.

Re: Vundo virus, malware can not assasinate files.

Unread postby Gary R » June 26th, 2009, 1:53 am

As your problems appear to have been resolved, this topic is now closed.

We are pleased we could help you resolve your computer's malware issues.

If you would like to make a comment or leave a compliment regarding the help you have received, please see Feedback for Our Helpers - Say "Thanks" Here.
Gary R
Administrator
 
Posts: 25888
Joined: June 28th, 2005, 11:36 am
Location: Yorkshire