A few days ago I noticed my taskbar said I wasn't connected to the internet, so I checked and I was, so I was like what the hell.... and I tried to run Windows Live OneCare since I've had a virus before. When I went to run the program it couldn't start and said "cannot continue or start, please restart". I did, and it didn't work. Windows Defender gets errors. I tried to restore my computer to a week prior to see if it would be OK, and no matter how far back I restored it was the same; nothing worked.
So I went into safe mode and tried, and it was the same. I bought Norton 2010 and could only install it in safe mode; in normal mode it just froze and crashed. I ran a full scan in safe mode and it found a trojan, which it removed. I restarted and nothing had changed. So I downloaded Malwarebytes in safe mode with networking and it found 5 trojans, which it removed. Still nothing changed. I've tried everything I have possibly found online to save my computer, and I can't afford to take it to an expensive computer tech place.
What can I do? If it doesn't get fixed soon I'm just gonna smash it with a bat.
Hi, dmscott84. Welcome to LandzDown Forum.
We will do our best to assist you. However, in order to do so, please follow all instructions provided in the sequence given. Do not install/re-install any programs or run any fixes or scanners that you have not been instructed to use. This may cause conflicts with the tools being used in the cleanup process.
If you have questions regarding any of the instructions or problems running any tools, please let us know.
Please do the following:
Post as a reply a copy of the MBAM log that showed the trojans. The log can be found here:
- on Windows XP: C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
- on Windows Vista and Windows 7: C:\Users\UserName\AppData\Roaming\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
Please download random's system information tool (RSIT):
- Download RSIT by random/random from here (http://images.malwareremoval.com/random/RSIT.exe) and save it to your desktop.
- Double-click RSIT.exe to run RSIT.
- Click Continue at the disclaimer screen.
- Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized).
Malwarebytes log:
Registry Keys Infected:
HKEY_CLASSES_ROOT\gksraemq.brsf (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\gksraemq.toolbar.1 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3b1279b8-58c1-41aa-a972-f20853dd2296} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{3b1279b8-58c1-41aa-a972-f20853dd2296} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
log.txt:
Logfile of random's system information tool 1.08 (written by random/random)
Run by Owner at 2010-07-14 12:48:58
Microsoft® Windows Vista™ Home Premium Service Pack 1
System drive C: has 215 GB (56%) free of 382 GB
Total RAM: 2046 MB (65% free)
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 12:49:07 PM, on 7/14/2010
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v8.00 (8.00.6001.18928)
Boot mode: Safe mode with network support
Running processes:
C:\Windows\Explorer.EXE
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\NOTEPAD.EXE
C:\Windows\explorer.exe
C:\Users\Owner\Downloads\RSIT.exe
C:\Program Files\trend micro\Owner.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = Preserve
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton AntiVirus\Engine\17.6.0.32\IPSBHO.DLL
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Ask Toolbar BHO - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\YTSingleInstance.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: gksraemq - {0F4D1291-8DEF-4D4E-AA11-D5B4DD8945C2} - C:\Windows\gksraemq.dll (file missing)
O3 - Toolbar: LimeWire Toolbar - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [OneCareUI] "C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe"
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [TomTomHOME.exe] "C:\Program Files\TomTom HOME 2\TomTomHOMERunner.exe"
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O4 - Startup: Picture Motion Browser Media Check Tool.lnk = C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O15 - Trusted Zone: http://www.swtor.com
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Dragon Age: Origins - Content Updater (DAUpdaterSvc) - Unknown owner - c:\program files\steam\steamapps\common\dragon age origins\bin_ship\DAUpdaterSvc.Service.exe (file missing)
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Turbine Message Service - Live (LiveTurbineMessageService) - Unknown owner - C:\Program Files\Turbine\Turbine Download Manager\TurbineMessageService.exe (file missing)
O23 - Service: Turbine Network Service - Live (LiveTurbineNetworkService) - Unknown owner - C:\Program Files\Turbine\Turbine Download Manager\TurbineNetworkService.exe (file missing)
O23 - Service: Norton AntiVirus (NAV) - Symantec Corporation - C:\Program Files\Norton AntiVirus\Engine\17.6.0.32\ccSvcHst.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe
O23 - Service: NVIDIA Stereoscopic 3D Driver Service (Stereo Service) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
O23 - Service: TomTomHOMEService - TomTom - C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
--
End of file - 7177 bytes
======Scheduled tasks folder======
C:\Windows\tasks\User_Feed_Synchronization-{38F16D1B-D518-4ABF-84BB-9D919E0F0F6A}.job
======Registry dump======
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}]
&Yahoo! Toolbar Helper - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll [2010-03-23 1205560]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
AcroIEHlprObj Class - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll [2004-12-14 63136]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3049C3E9-B461-4BC5-8870-4C09146192CA}]
RealPlayer Download and Record Plugin for Internet Explorer - c:\program files\real\realplayer\rpbrowserrecordplugin.dll [2009-12-03 329312]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}]
Yahoo! IE Services Button - C:\Program Files\Yahoo!\Common\yiesrvc.dll [2006-10-31 198136]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6D53EC84-6AAE-4787-AEEE-F4628F01010C}]
Symantec Intrusion Prevention - C:\Program Files\Norton AntiVirus\Engine\17.6.0.32\IPSBHO.DLL [2009-11-16 79224]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9030D464-4C02-4ABF-8ECC-5164760863C6}]
Windows Live ID Sign-in Helper - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2009-08-18 403840]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
LimeWire Toolbar - C:\Program Files\Ask.com\GenericAskToolbar.dll [2010-03-28 1196936]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java(tm) Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2010-04-12 41760]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FDAD4DA1-61A2-4FD8-9C17-86F7AC245081}]
SingleInstance Class - C:\Program Files\Yahoo!\Companion\Installs\cpn1\YTSingleInstance.dll [2010-03-23 158520]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{EF99BD32-C1FB-11D2-892F-0090271D4F88} - Yahoo! Toolbar - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll [2010-03-23 1205560]
{0F4D1291-8DEF-4D4E-AA11-D5B4DD8945C2} - gksraemq - C:\Windows\gksraemq.dll []
{D4027C7F-154A-4066-A1AD-4243D8127440} - LimeWire Toolbar - C:\Program Files\Ask.com\GenericAskToolbar.dll [2010-03-28 1196936]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"=C:\Program Files\Windows Defender\MSASCui.exe [2008-01-19 1008184]
"RtHDVCpl"=C:\Windows\RtHDVCpl.exe [2007-01-18 4349952]
"NeroFilterCheck"=C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe [2006-01-12 155648]
"AppleSyncNotifier"=C:\Program Files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe [2010-06-15 47408]
"TkBellExe"=C:\Program Files\Common Files\Real\Update_OB\realsched.exe [2009-12-03 198160]
"SunJavaUpdateSched"=C:\Program Files\Common Files\Java\Java Update\jusched.exe [2010-02-18 248040]
"OneCareUI"=C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe [2010-02-05 65256]
"WinampAgent"=C:\Program Files\Winamp\winampa.exe [2010-05-25 37888]
"QuickTime Task"=C:\Program Files\QuickTime\QTTask.exe [2010-03-18 421888]
"iTunesHelper"=C:\Program Files\iTunes\iTunesHelper.exe [2010-06-15 141624]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"=C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe [2007-01-15 147456]
"ehTray.exe"=C:\Windows\ehome\ehTray.exe [2008-01-19 125952]
"TomTomHOME.exe"=C:\Program Files\TomTom HOME 2\TomTomHOMERunner.exe [2009-11-13 247144]
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup
Adobe Gamma Loader.exe.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
C:\Users\Owner\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
LimeWire On Startup.lnk - C:\Program Files\LimeWire\LimeWire.exe
Picture Motion Browser Media Check Tool.lnk - C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\OneCareMP]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\OneCareMP]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\SymSMR100]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"EnableLUA"=0
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1
"EnableUIADesktopToggle"=0
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
======File associations======
.js - edit - C:\Windows\System32\Notepad.exe %1
.js - open - C:\Windows\System32\WScript.exe "%1" %*
======List of files/folders created in the last 1 months======
2010-07-14 12:48:58 ----D---- C:\rsit
2010-07-14 12:48:58 ----D---- C:\Program Files\trend micro
2010-07-13 13:30:12 ----D---- C:\Users\Owner\AppData\Roaming\Malwarebytes
2010-07-13 13:30:04 ----A---- C:\Windows\system32\drivers\mbamswissarmy.sys
2010-07-13 13:30:03 ----D---- C:\ProgramData\Malwarebytes
2010-07-13 13:30:03 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2010-07-13 13:30:03 ----A---- C:\Windows\system32\drivers\mbam.sys
2010-07-13 11:26:49 ----A---- C:\Windows\system32\drivers\SYMEVENT.SYS
2010-07-13 11:26:19 ----D---- C:\Windows\system32\drivers\NAV
2010-07-13 11:26:17 ----D---- C:\Program Files\Norton AntiVirus
2010-07-13 11:19:16 ----D---- C:\Windows\LMI82A6.tmp
2010-07-13 02:51:48 ----D---- C:\Windows\LMI6DBF.tmp
2010-07-13 02:40:58 ----D---- C:\Windows\LMI759C.tmp
2010-07-13 02:37:10 ----D---- C:\Windows\LMI73A9.tmp
2010-07-13 02:32:34 ----D---- C:\Windows\LMI951D.tmp
2010-07-13 01:49:59 ----D---- C:\Windows\LMIA5EF.tmp
2010-07-13 01:24:29 ----D---- C:\Windows\LMI8F82.tmp
2010-07-12 23:53:23 ----A---- C:\Windows\ntbtlog.txt
2010-07-12 17:10:26 ----D---- C:\Windows\LMIB8A4.tmp
2010-07-12 17:09:59 ----D---- C:\Windows\LMI5032.tmp
2010-07-12 12:36:19 ----D---- C:\Program Files\Common Files\Symantec Shared
2010-07-12 12:21:18 ----D---- C:\Users\Owner\AppData\Roaming\Tific
2010-07-12 12:08:16 ----D---- C:\ProgramData\Norton
2010-07-09 12:04:40 ----A---- C:\Windows\system32\xfcodec.dll
2010-06-27 16:40:47 ----D---- C:\Program Files\Microsoft(10)
2010-06-27 16:40:47 ----D---- C:\Program Files\Microsoft
2010-06-27 16:38:01 ----D---- C:\Program Files\Microsoft.NET
2010-06-24 12:06:41 ----A---- C:\Windows\system32\psisdecd.dll
2010-06-24 12:06:38 ----A---- C:\Windows\system32\EncDec.dll
2010-06-24 12:05:44 ----A---- C:\Windows\system32\PresentationHostProxy.dll
2010-06-24 12:05:44 ----A---- C:\Windows\system32\PresentationHost.exe
2010-06-24 12:05:44 ----A---- C:\Windows\system32\netfxperf.dll
2010-06-24 12:05:44 ----A---- C:\Windows\system32\mscoree.dll
2010-06-24 12:05:44 ----A---- C:\Windows\system32\dfshim.dll
2010-06-23 18:15:29 ----A---- C:\Windows\system32\Apphlpdm.dll
2010-06-23 18:15:27 ----A---- C:\Windows\system32\GameUXLegacyGDFs.dll
2010-06-21 18:01:26 ----D---- C:\Program Files\iPod(122)
2010-06-21 18:01:26 ----D---- C:\Program Files\iPod
2010-06-21 18:01:24 ----D---- C:\ProgramData\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-06-21 18:01:24 ----D---- C:\Program Files\iTunes(123)
2010-06-21 18:01:24 ----D---- C:\Program Files\iTunes
2010-06-21 17:59:12 ----D---- C:\Program Files\QuickTime(165)
2010-06-21 17:59:12 ----D---- C:\Program Files\QuickTime
2010-06-21 17:54:32 ----D---- C:\Program Files\Bonjour(10)
2010-06-21 17:54:32 ----D---- C:\Program Files\Bonjour
======List of files/folders modified in the last 1 months======
2010-07-14 12:48:58 ----D---- C:\Program Files
2010-07-14 06:18:11 ----D---- C:\Program Files\Defraggler
2010-07-14 06:09:53 ----HD---- C:\ProgramData
2010-07-14 06:06:01 ----HD---- C:\Program Files\InstallShield Installation Information
2010-07-14 06:05:53 ----D---- C:\Windows\system32\drivers
2010-07-14 05:59:09 ----D---- C:\Windows\Temp
2010-07-14 05:51:42 ----D---- C:\Users\Owner\AppData\Roaming\Xfire
2010-07-14 04:38:23 ----D---- C:\Program Files\Xfire
2010-07-14 04:38:22 ----D---- C:\ProgramData\Xfire
2010-07-14 03:52:53 ----D---- C:\Users\Owner\AppData\Roaming\LimeWire
2010-07-14 02:33:12 ----D---- C:\Windows\pss
2010-07-14 02:04:42 ----D---- C:\Windows\System32
2010-07-14 02:04:42 ----D---- C:\Windows\inf
2010-07-13 23:07:15 ----D---- C:\Windows\SchCache
2010-07-13 12:50:46 ----D---- C:\Windows\system32\Tasks
2010-07-13 12:50:45 ----D---- C:\Windows\Tasks
2010-07-13 11:29:00 ----SHD---- C:\System Volume Information
2010-07-13 11:19:16 ----D---- C:\Windows
2010-07-12 23:24:51 ----D---- C:\Windows\system32\drivers\etc
2010-07-12 23:17:16 ----D---- C:\Windows\system32\catroot2
2010-07-12 23:05:44 ----D---- C:\Windows\Microsoft.NET
2010-07-12 23:05:41 ----D---- C:\Windows\system32\wbem
2010-07-12 23:04:55 ----D---- C:\Windows\system32\config
2010-07-12 23:04:18 ----SD---- C:\Windows\Downloaded Program Files
2010-07-12 23:04:18 ----D---- C:\Windows\winsxs
2010-07-12 23:04:05 ----D---- C:\Windows\system32\spool
2010-07-12 23:04:05 ----D---- C:\Windows\system32\Msdtc
2010-07-12 23:04:05 ----D---- C:\Windows\system32\en-US
2010-07-12 23:04:05 ----D---- C:\Windows\system32\drivers\UMDF
2010-07-12 23:04:05 ----D---- C:\Windows\system32\CodeIntegrity
2010-07-12 23:04:05 ----D---- C:\Windows\system32\catroot
2010-07-12 23:04:03 ----SHD---- C:\Windows\Installer
2010-07-12 23:04:03 ----RSD---- C:\Windows\Media
2010-07-12 23:04:01 ----RSD---- C:\Windows\Fonts
2010-07-12 23:04:01 ----RSD---- C:\Windows\assembly
2010-07-12 23:03:58 ----D---- C:\Users\Owner\AppData\Roaming\Winamp
2010-07-12 23:03:58 ----D---- C:\Users\Owner\AppData\Roaming\Ventrilo
2010-07-12 23:03:57 ----RD---- C:\Users
2010-07-12 23:03:57 ----D---- C:\ProgramData\NVIDIA
2010-07-12 23:03:52 ----D---- C:\Program Files\WinZip
2010-07-12 23:03:51 ----D---- C:\Program Files\Winamp Detect
2010-07-12 23:03:51 ----D---- C:\Program Files\Winamp
2010-07-12 23:03:50 ----D---- C:\Program Files\Mozilla Firefox
2010-07-12 23:03:50 ----D---- C:\Program Files\Microsoft Works
2010-07-12 23:03:49 ----D---- C:\Program Files\Microsoft Silverlight
2010-07-12 23:03:47 ----D---- C:\Program Files\Common Files\PX Storage Engine
2010-07-12 23:03:47 ----D---- C:\Program Files\Common Files\microsoft shared
2010-07-12 23:03:47 ----D---- C:\Program Files\Common Files\LightScribe
2010-07-12 23:03:45 ----D---- C:\Program Files\Common Files\Apple
2010-07-12 23:03:45 ----D---- C:\Program Files\Ask.com
2010-07-12 23:03:23 ----D---- C:\Windows\registration
2010-07-12 18:50:35 ----D---- C:\Windows\Prefetch
2010-07-12 12:36:19 ----D---- C:\Program Files\Common Files
2010-07-11 23:25:09 ----SD---- C:\Users\Owner\AppData\Roaming\Microsoft
2010-07-10 11:27:54 ----D---- C:\Program Files\Microsoft Windows OneCare Live
2010-06-27 16:40:33 ----A---- C:\Windows\system32\PerfStringBackup.INI
2010-06-24 12:34:41 ----D---- C:\Windows\ehome
2010-06-24 12:34:41 ----D---- C:\Windows\AppPatch
2010-06-21 19:02:06 ----D---- C:\Users\Owner\AppData\Roaming\Apple Computer
======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======
R0 PxHelp20;PxHelp20; C:\Windows\system32\Drivers\PxHelp20.sys [2009-04-28 44944]
R0 SymDS;Symantec Data Store; C:\Windows\system32\drivers\NAV\1106000.020\SYMDS.SYS [2009-10-14 328752]
R0 SymEFA;Symantec Extended File Attributes; C:\Windows\system32\drivers\NAV\1106000.020\SYMEFA.SYS [2009-11-25 172592]
R1 MSFWHLPR;MSFWHLPR; C:\Windows\system32\DRIVERS\msfwhlpr.sys [2007-11-27 37440]
R3 Afc;PPdus ASPI Shell; C:\Windows\system32\drivers\Afc.sys [2005-02-23 11776]
R3 GEARAspiWDM;GEAR ASPI Filter Driver; C:\Windows\System32\Drivers\GEARAspiWDM.sys [2009-05-18 26600]
R3 L1E;NDIS Miniport Driver for Atheros AR8121/AR8113/AR8114 PCI-E Ethernet Controller; C:\Windows\system32\DRIVERS\L1E60x86.sys [2008-12-16 48128]
R3 MTsensor;ATK0110 ACPI UTILITY; C:\Windows\system32\DRIVERS\ASACPI.sys [2004-08-13 5810]
S1 BHDrvx86;BHDrvx86; \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.5.0.127\Definitions\BASHDefs\20100211.001\BHDrvx86.sys [2010-02-10 536112]
S1 ccHP;Symantec Hash Provider; C:\Windows\system32\drivers\NAV\1106000.020\ccHPx86.sys [2010-02-25 501888]
S1 eeCtrl;Symantec Eraser Control driver; \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys [2010-07-13 371248]
S1 IDSVix86;IDSVix86; \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.5.0.127\Definitions\IPSDefs\20091105.001\IDSVix86.sys [2009-11-16 343088]
S1 SRTSP;Symantec Real Time Storage Protection; C:\Windows\system32\drivers\NAV\1106000.020\SRTSP.SYS [2010-02-26 325680]
S1 SRTSPX;Symantec Real Time Storage Protection (PEL); C:\Windows\system32\drivers\NAV\1106000.020\SRTSPX.SYS [2010-02-26 43696]
S1 SymIRON;Symantec Iron Driver; C:\Windows\system32\drivers\NAV\1106000.020\Ironx86.SYS [2010-02-26 116784]
S1 SYMTDIv;Symantec Vista Network Dispatch Driver; C:\Windows\system32\drivers\NAV\1106000.020\SYMTDIV.SYS [2009-11-21 340016]
S2 cpuz132;cpuz132; \??\C:\Windows\system32\drivers\cpuz132_x32.sys [2009-03-27 12672]
S2 MSFWDrv;MSFWDrv; C:\Windows\system32\DRIVERS\msfwdrv.sys [2007-11-27 91200]
S3 ALSysIO;ALSysIO; \??\C:\Users\Owner\AppData\Local\Temp\ALSysIO.sys []
S3 AVMNgBasM780;AVerMedia M780 Base Driver; C:\Windows\system32\DRIVERS\AVerBas.sys [2006-12-10 51584]
S3 AVMNgCapM780;AVerMedia M780 Audio/Video Capture Driver; C:\Windows\system32\DRIVERS\AVerCap.sys [2006-12-10 364544]
S3 AVMNgTunM780;AVerMedia M780 TVTuner Driver; C:\Windows\system32\DRIVERS\AVerTun.sys [2006-12-10 162304]
S3 drmkaud;Microsoft Kernel DRM Audio Descrambler; C:\Windows\system32\drivers\drmkaud.sys [2008-01-18 5632]
S3 e1express;Intel(R) PRO/1000 PCI Express Network Connection Driver; C:\Windows\system32\DRIVERS\e1e6032.sys [2008-01-18 220672]
S3 HdAudAddService;Microsoft 1.1 UAA Function Driver for High Definition Audio Service; C:\Windows\system32\drivers\HdAudio.sys [2006-11-02 235520]
S3 ialm;ialm; C:\Windows\system32\DRIVERS\igdkmd32.sys [2006-10-18 1380864]
S3 IntcAzAudAddService;Service for Realtek HD Audio (WDM); C:\Windows\system32\drivers\RTKVHDA.sys [2007-01-18 1729632]
S3 ltmodem5;Agere Modem Driver; C:\Windows\system32\DRIVERS\ltmdmnt.sys [2006-11-02 503296]
S3 MpFilter;Microsoft Malware Protection Driver; C:\Windows\system32\DRIVERS\MpFilter.sys [2008-05-15 53168]
S3 MSKSSRV;Microsoft Streaming Service Proxy; C:\Windows\system32\drivers\MSKSSRV.sys [2008-01-18 8192]
S3 MSPCLOCK;Microsoft Streaming Clock Proxy; C:\Windows\system32\drivers\MSPCLOCK.sys [2008-01-18 5888]
S3 MSPQM;Microsoft Streaming Quality Manager Proxy; C:\Windows\system32\drivers\MSPQM.sys [2008-01-18 5504]
S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink Converter; C:\Windows\system32\drivers\MSTEE.sys [2008-01-18 6016]
S3 NAVENG;NAVENG; \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.5.0.127\Definitions\VirusDefs\20100304.005\NAVENG.SYS []
S3 NAVEX15;NAVEX15; \??\C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.5.0.127\Definitions\VirusDefs\20100304.005\NAVEX15.SYS []
S3 netr28u;Linksys USB Wireless LAN Card Driver for Vista; C:\Windows\system32\DRIVERS\netr28u.sys [2007-12-14 570880]
S3 nvlddmkm;nvlddmkm; C:\Windows\system32\DRIVERS\nvlddmkm.sys [2010-01-11 11586280]
S3 SymEvent;SymEvent; \??\C:\Windows\system32\Drivers\SYMEVENT.SYS [2010-07-13 124976]
S3 usbaudio;USB Audio Driver (WDM); C:\Windows\system32\drivers\usbaudio.sys [2008-01-18 73088]
S3 WUDFRd;WUDFRd; C:\Windows\system32\DRIVERS\WUDFRd.sys [2008-01-18 83328]
S3 WUSB54GPV4SRV;Linksys Home Wireless-G USB Adaptor Driver; C:\Windows\system32\DRIVERS\rt2500usb.sys [2005-11-17 245376]
======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======
R2 OneCareMP;OneCare AntiSpyware and AntiVirus; C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe [2008-07-09 18704]
S2 Apple Mobile Device;Apple Mobile Device; C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe [2010-06-10 144176]
S2 Bonjour Service;Bonjour Service; C:\Program Files\Bonjour\mDNSResponder.exe [2010-05-18 345376]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86; C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
S2 LightScribeService;LightScribeService Direct Disc Labeling Service; C:\Program Files\Common Files\LightScribe\LSSrvc.exe [2006-12-14 61440]
S2 msfwsvc;@C:\Program Files\Microsoft Windows OneCare Live\Firewall\\MSFWSVCResource.dll,-10000; C:\Program Files\Microsoft Windows OneCare Live\Firewall\msfwsvc.exe [2007-11-27 869952]
S2 NAV;Norton AntiVirus; C:\Program Files\Norton AntiVirus\Engine\17.6.0.32\ccSvcHst.exe [2010-02-25 126392]
S2 OcHealthMon;Windows Live OneCare Health Monitor; C:\Program Files\Microsoft Windows OneCare Live\OcHealthMon.exe [2010-02-05 26120]
S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service; C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2010-01-11 240232]
S2 TomTomHOMEService;TomTomHOMEService; C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe [2009-11-13 92008]
S2 winss;Windows Live OneCare; C:\Program Files\Microsoft Windows OneCare Live\winss.exe [2010-02-05 1141112]
S2 wlidsvc;Windows Live ID Sign-in Assistant; C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE [2009-08-18 1529728]
S2 YahooAUService;Yahoo! Updater; C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe [2008-11-09 602392]
S3 DAUpdaterSvc;Dragon Age: Origins - Content Updater; c:\program files\steam\steamapps\common\dragon age origins\bin_ship\DAUpdaterSvc.Service.exe []
S3 iPod Service;iPod Service; C:\Program Files\iPod\bin\iPodService.exe [2010-06-15 540472]
S3 LiveTurbineMessageService;Turbine Message Service - Live; C:\Program Files\Turbine\Turbine Download Manager\TurbineMessageService.exe []
S3 LiveTurbineNetworkService;Turbine Network Service - Live; C:\Program Files\Turbine\Turbine Download Manager\TurbineNetworkService.exe []
S3 NBService;NBService; C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe [2007-01-15 774144]
S3 NMIndexingService;NMIndexingService; C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe [2007-01-15 266240]
S3 Steam Client Service;Steam Client Service; C:\Program Files\Common Files\Steam\SteamService.exe [2009-07-16 316664]
S3 WPFFontCache_v0400;@C:\Windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe,-100; C:\Windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
-----------------EOF-----------------
info.txt:
info.txt logfile of random's system information tool 1.08 2010-07-14 12:49:08
======Uninstall list======
-->C:\PROGRA~1\Yahoo!\Common\UNYT_W~1.EXE
-->C:\Program Files\Nero\Nero 7\\nero\uninstall\UNNERO.exe /UNINSTALL
-->C:\WINDOWS\UNINST.EXE -f"C:\Program Files\Adobe\Photoshop 5.0\DeIsL1.isu" -c"C:\Program Files\Adobe\Photoshop 5.0\Uninst.dll"
-->C:\Windows\UNNeroBackItUp.exe /UNINSTALL
-->C:\Windows\UNNeroMediaHome.exe /UNINSTALL
-->C:\Windows\UNNeroShowTime.exe /UNINSTALL
-->C:\Windows\UNNeroVision.exe /UNINSTALL
-->C:\Windows\UNRecode.exe /UNINSTALL
-->MsiExec /X{E10DB5DA-E576-40EA-A7FC-1CB2A7B283A6}
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{22EB2FA7-1BA0-4FFB-972F-353EC6ABA9D5}\setup.exe" -l0x9 -removeonly
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{28B97CAB-828F-49D8-A30A-675476F9BA92}\setup.exe" -l0x9 /cont -removeonly
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{4E7DC12A-3597-4A94-9429-F6C6987361B1}\setup.exe" -l0x9 -removeonly
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6813C983-427E-4511-8456-E98FCAA1A125}\setup.exe" -l0x9 -removeonly
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7DADB304-AF20-48C3-A780-4B4133A08817}\setup.exe" -l0x9 -removeonly
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9C423CF6-2DAA-4A37-94B8-59D7ECC7DB13}\setup.exe" -l0x9 -removeonly
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{ACE66099-E18E-4037-83C8-9D182E5B9FA8}\setup.exe" -l0x9 -removeonly
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B34B6E67-FCDD-4E03-8742-B5701427FAFB}\setup.exe" -l0x9 -removeonly
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FA6CC4B4-7741-4F8D-8E81-15C4BAB9869B}\setup.exe" -l0x9 -removeonly
Adobe Flash Player 10 ActiveX-->C:\Windows\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Flash Player 10 Plugin-->C:\Windows\system32\Macromed\Flash\FlashUtil10h_Plugin.exe -maintain plugin
Adobe Reader 7.0-->MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A70000000000}
Age of Conan - Hyborian Adventures-->"C:\Program Files\Funcom\Age of Conan\unins000.exe"
Apple Application Support-->MsiExec.exe /I{B2D328BE-45AD-4D92-96F9-2151490A203E}
Apple Mobile Device Support-->MsiExec.exe /I{85991ED2-010C-4930-96FA-52F43C2CE98A}
Apple Software Update-->MsiExec.exe /I{6956856F-B6B3-4BE0-BA0B-8F495BE32033}
ArcSoft Software Suite-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{32DA464B-1B35-4FE6-B44C-48D6847D11C9}\setup.exe" -l0x9
Ask Toolbar-->MsiExec.exe /I{86D4B82A-ABED-442A-BE86-96357B70F4FE}
Bonjour-->MsiExec.exe /X{0CB9668D-F979-4F31-B8B8-67FE90F929F8}
CPUID CPU-Z 1.53.1-->"C:\Program Files\CPUID\CPU-Z\unins000.exe"
Defraggler-->"C:\Program Files\Defraggler\uninst.exe"
DH Driver Cleaner Professional Edition-->C:\Program Files\Driver Cleaner Pro\Uninstall.exe
GTOneCare-->MsiExec.exe /X{8B21B9EF-6DBF-4F63-8CC7-9F6A56D1EE8E}
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)-->C:\Windows\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall /qb+ REBOOTPROMPT=""
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)-->C:\Windows\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall {A7EEA2F2-BFCD-4A54-A575-7B81A786E658} /qb+ REBOOTPROMPT=""
iTunes-->MsiExec.exe /I{7AB3A249-FB81-416B-917A-A2A10E74C503}
Java(TM) 6 Update 20-->MsiExec.exe /X{26A24AE4-039D-4CA4-87B4-2F83216010FF}
LimeWire 5.5.8-->"C:\Program Files\LimeWire\uninstall.exe"
Linksys Dual-Band Wireless-N USB Network Adapter-->C:\Program Files\InstallShield Installation Information\{90EC11E4-854E-4C0F-9B4C-76D6C7CF7C68}\setup.exe -runfromtemp -l0x0409
Linksys Wireless-G USB Network Adapter-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C7EEF2B9-8C16-4A04-B98D-B1A952A47E55}\setup.exe" -l0x9
Malwarebytes' Anti-Malware-->"C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
Microsoft .NET Framework 1.1 Security Update (KB979906)-->"C:\Windows\Microsoft.NET\Framework\v1.1.4322\Updates\hotfix.exe" "C:\Windows\Microsoft.NET\Framework\v1.1.4322\Updates\M979906\M979906Uninstall.msp"
Microsoft .NET Framework 1.1-->msiexec.exe /X {CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 1.1-->MsiExec.exe /X{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 3.5 SP1-->c:\Windows\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\setup.exe
Microsoft .NET Framework 3.5 SP1-->MsiExec.exe /I{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}
Microsoft .NET Framework 4 Client Profile-->C:\Windows\Microsoft.NET\Framework\v4.0.30319\SetupCache\Client\Setup.exe /repair /x86 /parameterfolder Client
Microsoft .NET Framework 4 Client Profile-->MsiExec.exe /X{3C3901C5-3455-3E0A-A214-0B093A5070A6}
Microsoft Office Live Add-in 1.5-->MsiExec.exe /I{F40BBEC7-C2A4-4A00-9B24-7A055A2C5262}
Microsoft Protection Service-->MsiExec.exe /I{F3B58D4E-7324-44E4-A6B3-65D2DB8D1FE9}
Microsoft Silverlight-->MsiExec.exe /I{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053-->MsiExec.exe /X{770657D0-A123-3C07-8E44-1C83EC895118}
Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{837b34e3-7c30-493c-8f6a-2b0f04e2912c}
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148-->MsiExec.exe /X{002D9D5E-29BA-3E6D-9BC4-3D7D6DBC735C}
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022-->MsiExec.exe /X{FF66E9F6-83E7-3A3E-AF14-8DE9A809A6A4}
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17-->MsiExec.exe /X{9A25302D-30C0-39D9-BD6F-21E6EC160475}
Microsoft Windows Live OneCare Resources v2.5.2900.30-->MsiExec.exe /I{5660022E-F3F2-4126-8CC5-9726C47150EB}
Microsoft Windows OneCare Live AntiSpyware and AntiVirus-->MsiExec.exe /I{E26B83D1-C0BB-41BC-8F44-31D5354DD6AF}
Microsoft Windows OneCare Live v2.5.2900.30 Idcrl Install-->MsiExec.exe /I{3851147E-5A91-4469-BA4D-13FFFCC8A920}
Microsoft Windows OneCare Live v2.5.2900.30-->MsiExec.exe /I{D07A8E7E-D324-4945-BA8C-E532AD008FF3}
Microsoft Word 2002-->MsiExec.exe /I{911B0409-6000-11D3-8CFE-0050048383C9}
Microsoft Works Suite 2006 Setup Launcher-->C:\Program Files\Microsoft Works Suite 2006\Setup\Launcher.exe /ARP D:\
Microsoft Works Suite Add-in for Microsoft Word-->MsiExec.exe /I{17E3A651-12B9-4149-BAE8-E6FB9A5ADC4F}
Microsoft Works-->MsiExec.exe /I{6D52C408-B09A-4520-9B18-475B81D393F1}
Microsoft WSE 3.0 Runtime-->MsiExec.exe /X{E3E71D07-CD27-46CB-8448-16D4FB29AA13}
Move Networks Media Player for Internet Explorer-->C:\Users\Owner\AppData\Roaming\Move Networks\ie_bin\Uninst.exe
Mozilla Firefox (3.6.6)-->C:\Program Files\Mozilla Firefox\uninstall\helper.exe
MSXML 4.0 SP2 (KB927978)-->MsiExec.exe /I{37477865-A3F1-4772-AD43-AAFC6BCFF99F}
MSXML 4.0 SP2 (KB936181)-->MsiExec.exe /I{C04E32E0-0416-434D-AFB9-6969D703A9EF}
MSXML 4.0 SP2 (KB941833)-->MsiExec.exe /I{C523D256-313D-4866-B36A-F3DE528246EF}
MSXML 4.0 SP2 (KB954430)-->MsiExec.exe /I{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}
MSXML 4.0 SP2 (KB973688)-->MsiExec.exe /I{F662A8E6-F4DC-41A2-901E-8C11F044BDEC}
Nero 7 Essentials-->MsiExec.exe /I{FC98FBE9-E931-494C-8717-497185371033}
neroxml-->MsiExec.exe /I{56C049BE-79E9-4502-BEA7-9754A3E60F9B}
Norton AntiVirus-->C:\Program Files\NortonInstaller\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV\2454B0AB\17.6.0.32\InstStub.exe /X
NVIDIA Display Control Panel-->C:\Program Files\NVIDIA Corporation\Uninstall\nvuninst.exe DisplayControlPanel
NVIDIA Drivers-->C:\Program Files\NVIDIA Corporation\Uninstall\nvuninst.exe UninstallGUI
NVIDIA PhysX-->MsiExec.exe /X{E10DB5DA-E576-40EA-A7FC-1CB2A7B283A6}
NVIDIA Stereoscopic 3D Driver-->"C:\Program Files\NVIDIA Corporation\3D Vision\nvStInst.exe" /uninstall /ask
OGA Notifier 2.0.0048.0-->MsiExec.exe /I{B2544A03-10D0-4E5E-BA69-0362FFC20D18}
Pando Media Booster-->C:\Program Files\Pando Networks\Media Booster\uninst.exe
Picture Package Music Transfer-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{CE2121C6-C94D-4A73-8EA4-6943F33EE335}\setup.exe" -l0x9 -removeonly
ProxyCap-->MsiExec.exe /I{EFE5F393-1A2E-408E-A9DE-7D5C808598A6}
PX Engine-->MsiExec.exe /I{6513E869-647F-40FD-A55D-CFC92579B9BA}
QuickTime-->MsiExec.exe /I{3D9892BB-A751-4E48-ADC8-E4289956CE1D}
RealPlayer-->C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|12.0
Realtek High Definition Audio Driver-->RtlUpd.exe -r -m
Safari-->MsiExec.exe /I{582D2A53-F426-4C5E-A2E6-43C1AB36B907}
Sony Picture Utility-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D5068583-D569-468B-9755-5FBF5848F46F}\setup.exe" -l0x9 /removeonly uninstall -removeonly
Sony USB Driver-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5C29CB8B-AC1E-4114-8D68-9CD080140D4A}\setup.exe" -l0x9 UNINSTALL -removeonly
Star Wars: Knights of the Old Republic-->"C:\Program Files\Steam\steam.exe" steam://uninstall/32370
Steam-->MsiExec.exe /X{048298C9-A4D3-490B-9FF9-AB023A9238F3}
System Requirements Lab-->C:\Program Files\SystemRequirementsLab\Uninstall.exe
System Requirements Lab-->MsiExec.exe /I{92482FB3-C05B-41C6-89E7-75D985602A6E}
TomTom HOME 2.7.3.1894-->C:\Program Files\TomTom HOME 2\Uninstall TomTom HOME.exe
TomTom HOME Visual Studio Merge Modules-->MsiExec.exe /I{8F3C31C5-9C3A-4AA8-8EFA-71290A7AD533}
Tropico 3 1.02-->"C:\Program Files\Kalypso\Tropico 3\uninst.exe"
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)-->C:\Windows\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall {B2AE9C82-DC7B-3641-BFC8-87275C4F3607} /qb+ REBOOTPROMPT=""
Ventrilo Client-->MsiExec.exe /I{789289CA-F73A-4A16-A331-54D498CE069F}
Viewpoint Media Player-->C:\Program Files\Viewpoint\Viewpoint Experience Technology\mtsAxInstaller.exe /u
Winamp-->"C:\Program Files\Winamp\UninstWA.exe"
Windows Live ID Sign-in Assistant-->MsiExec.exe /X{0840B4D6-7DD1-4187-8523-E6FC0007EFB7}
Windows Live OneCare-->"C:\Program Files\Microsoft Windows OneCare Live\OCSetup.exe" /u
WinZip 11.2-->MsiExec.exe /X{CD95F661-A5C4-44F5-A6AA-ECDD91C240B6}
World of Warcraft-->C:\Program Files\Common Files\Blizzard Entertainment\World of Warcraft (2)\Uninstall.exe
Xfire (remove only)-->"C:\Program Files\Xfire\uninst.exe"
Yahoo! Browser Services-->C:\PROGRA~1\Yahoo!\Common\UNIN_Y~1.EXE /S
Yahoo! Install Manager-->C:\Windows\system32\regsvr32 /u C:\PROGRA~1\Yahoo!\Common\YINSTH~1.DLL
Yahoo! Internet Mail-->C:\Windows\system32\regsvr32 /u /s C:\PROGRA~1\Yahoo!\Common\YMMAPI.dll
Yahoo! Messenger-->C:\PROGRA~1\Yahoo!\MESSEN~1\UNWISE.EXE /U C:\PROGRA~1\Yahoo!\MESSEN~1\INSTALL.LOG
Yahoo! Software Update-->C:\PROGRA~1\Yahoo!\SOFTWA~1\UNINST~1.EXE
Yahoo! Toolbar-->C:\PROGRA~1\Yahoo!\Common\UNYT_W~1.EXE
Hosts File Missing
======Security center information======
AS: Windows Defender
======System event log======
Computer Name: Owner-PC
Event Code: 10005
Message: DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server:
{9E175B6D-F52A-11D8-B9A5-505054503030}
Record Number: 256411
Source Name: Microsoft-Windows-DistributedCOM
Time Written: 20100714131625.000000-000
Event Type: Error
User:
Computer Name: Owner-PC
Event Code: 7001
Message: The Computer Browser service depends on the Server service which failed to start because of the following error:
The dependency service or group failed to start.
Record Number: 256429
Source Name: Service Control Manager
Time Written: 20100714131633.000000-000
Event Type: Error
User:
Computer Name: Owner-PC
Event Code: 7026
Message: The following boot-start or system-start driver(s) failed to load:
BHDrvx86
ccHP
eeCtrl
IDSVix86
spldr
SRTSP
SRTSPX
SymIRON
SYMTDIv
Wanarpv6
Record Number: 256438
Source Name: Service Control Manager
Time Written: 20100714131633.000000-000
Event Type: Error
User:
Computer Name: Owner-PC
Event Code: 36
Message: The shadow copies of volume C: were aborted because the shadow copy storage could not grow due to a user imposed limit.
Record Number: 256442
Source Name: volsnap
Time Written: 20100714183157.086702-000
Event Type: Error
User:
Computer Name: Owner-PC
Event Code: 10005
Message: DCOM got error "1084" attempting to start the service MSIServer with arguments "" in order to run the server:
{000C101C-0000-0000-C000-000000000046}
Record Number: 256444
Source Name: Microsoft-Windows-DistributedCOM
Time Written: 20100714194237.000000-000
Event Type: Error
User:
=====Application event log=====
Computer Name: Owner-PC
Event Code: 6000
Message: The winlogon notification subscriber <GPClient> was unavailable to handle a notification event.
Record Number: 62980
Source Name: Microsoft-Windows-Winlogon
Time Written: 20100714131405.000000-000
Event Type: Warning
User:
Computer Name: Owner-PC
Event Code: 6000
Message: The winlogon notification subscriber <GPClient> was unavailable to handle a notification event.
Record Number: 62983
Source Name: Microsoft-Windows-Winlogon
Time Written: 20100714131406.000000-000
Event Type: Warning
User:
Computer Name: Owner-PC
Event Code: 6000
Message: The winlogon notification subscriber <GPClient> was unavailable to handle a notification event.
Record Number: 62988
Source Name: Microsoft-Windows-Winlogon
Time Written: 20100714131515.000000-000
Event Type: Warning
User:
Computer Name: Owner-PC
Event Code: 4609
Message: The COM+ Event System detected a bad return code during its internal processing. HRESULT was 8007043c from line 45 of d:\vistasp1_gdr\com\complus\src\events\tier1\eventsystemobj.cpp. Please contact Microsoft Product Support Services to report this error.
Record Number: 62991
Source Name: Microsoft-Windows-EventSystem
Time Written: 20100714131620.000000-000
Event Type: Error
User:
Computer Name: Owner-PC
Event Code: 1015
Message: Failed to connect to server. Error: 0x8007043C
Record Number: 62994
Source Name: MsiInstaller
Time Written: 20100714194237.000000-000
Event Type: Warning
User: Owner-PC\Owner
=====Security event log=====
Computer Name: Owner-PC
Event Code: 5038
Message: Code integrity determined that the image hash of a file is not valid. The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error.
File Name: \Device\HarddiskVolume1\Windows\System32\drivers\tcpip.sys
Record Number: 128350
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20100714194906.304302-000
Event Type: Audit Failure
User:
Computer Name: Owner-PC
Event Code: 5038
Message: Code integrity determined that the image hash of a file is not valid. The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error.
File Name: \Device\HarddiskVolume1\Windows\System32\drivers\tcpip.sys
Record Number: 128351
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20100714194906.367302-000
Event Type: Audit Failure
User:
Computer Name: Owner-PC
Event Code: 5038
Message: Code integrity determined that the image hash of a file is not valid. The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error.
File Name: \Device\HarddiskVolume1\Windows\System32\drivers\tcpip.sys
Record Number: 128352
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20100714194906.424302-000
Event Type: Audit Failure
User:
Computer Name: Owner-PC
Event Code: 5038
Message: Code integrity determined that the image hash of a file is not valid. The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error.
File Name: \Device\HarddiskVolume1\Windows\System32\drivers\tcpip.sys
Record Number: 128353
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20100714194906.482302-000
Event Type: Audit Failure
User:
Computer Name: Owner-PC
Event Code: 5038
Message: Code integrity determined that the image hash of a file is not valid. The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error.
File Name: \Device\HarddiskVolume1\Windows\System32\drivers\tcpip.sys
Record Number: 128354
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20100714194906.539302-000
Event Type: Audit Failure
User:
======Environment variables======
"ComSpec"=%SystemRoot%\system32\cmd.exe
"FP_NO_HOST_CHECK"=NO
"OS"=Windows_NT
"Path"=%CommonProgramFiles%\Microsoft Shared\Windows Live;C:\Program Files\NVIDIA Corporation\PhysX\Common;%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;C:\Program Files\QuickTime\QTSystem\
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
"PROCESSOR_ARCHITECTURE"=x86
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
"USERNAME"=SYSTEM
"windir"=%SystemRoot%
"PROCESSOR_LEVEL"=6
"PROCESSOR_IDENTIFIER"=x86 Family 6 Model 15 Stepping 6, GenuineIntel
"PROCESSOR_REVISION"=0f06
"NUMBER_OF_PROCESSORS"=2
"asl.log"=Destination=file;OnFirstLog=command,environment,parent
"CLASSPATH"=.;C:\Program Files\Java\jre6\lib\ext\QTJava.zip
"QTJAVA"=C:\Program Files\Java\jre6\lib\ext\QTJava.zip
"SAFEBOOT_OPTION"=NETWORK
-----------------EOF-----------------
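The event-log blocks RSIT prints above (System, Application and Security) are the part of this log a responder actually reads: which services failed to start, which boot-start drivers did not load, and the Security-Auditing 5038 records naming tcpip.sys. The following Python script is an added example, not part of this thread or of RSIT: it parses records in exactly that layout (Computer Name / Event Code / Message ... / User:) and pulls those facts out. The sample records are excerpted from the log posted above; the function names (parse_rsit_events, failed_drivers, integrity_failures, summarize) are my own.

```python
"""Parse the event-log section of an RSIT log.txt and summarise it.

Added example for this thread, not part of the original post or of RSIT.
The record layout is the one RSIT prints; the sample below is excerpted
from the log posted above, so it runs offline with no extra input.
"""
import re
from collections import Counter
from datetime import datetime

SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")
# Keys RSIT prints on their own line for every record; anything else is
# treated as part of the (possibly multi-line) Message block.
RECORD_KEYS = ("Computer Name", "Event Code", "Record Number",
               "Source Name", "Time Written", "Event Type", "User")

SAMPLE_LOG = r"""======System event log======
Computer Name: Owner-PC
Event Code: 7026
Message: The following boot-start or system-start driver(s) failed to load:
BHDrvx86
ccHP
SRTSP
Record Number: 256438
Source Name: Service Control Manager
Time Written: 20100714131633.000000-000
Event Type: Error
User:
=====Security event log=====
Computer Name: Owner-PC
Event Code: 5038
Message: Code integrity determined that the image hash of a file is not valid. The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error.
File Name: \Device\HarddiskVolume1\Windows\System32\drivers\tcpip.sys
Record Number: 128350
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20100714194906.304302-000
Event Type: Audit Failure
User:
"""


def parse_rsit_events(text):
    """Return one dict per event record, in file order."""
    events, section, current = [], None, None
    for raw in text.splitlines():
        line = raw.rstrip()
        m = SECTION_RE.match(line)
        if m:                                  # "======System event log======"
            section = m.group(1)
            continue
        if line.startswith("Computer Name:"):  # every record starts here
            current = {"section": section, "body": []}
            events.append(current)
        if current is None or not line:
            continue
        key, sep, value = line.partition(":")
        if sep and key in RECORD_KEYS:
            current[key] = value.strip()
        else:                                  # Message text, driver names, "File Name:"
            current["body"].append(line)
    for ev in events:
        ev["code"] = int(ev.get("Event Code") or 0)
        ts = ev.get("Time Written", "")[:14]   # WMI-style yyyymmddHHMMSS.ffffff-zzz
        ev["time"] = datetime.strptime(ts, "%Y%m%d%H%M%S") if len(ts) == 14 else None
        if ev["body"] and ev["body"][0].startswith("Message:"):
            ev["body"][0] = ev["body"][0][len("Message:"):].strip()
    return events


def failed_drivers(event):
    """Driver names listed under a Service Control Manager 7026 record."""
    if event["code"] != 7026:
        return []
    return [l for l in event["body"][1:] if ":" not in l]


def integrity_failures(events):
    """File names from Security-Auditing 5038 (code integrity) records."""
    files = []
    for ev in events:
        if ev["code"] != 5038:
            continue
        for line in ev["body"]:
            if line.startswith("File Name:"):
                files.append(line.partition(":")[2].strip())
    return files


def summarize(text):
    """Counts per (section, event code) plus the facts worth acting on."""
    events = parse_rsit_events(text)
    times = [ev["time"] for ev in events if ev["time"]]
    return {
        "count_by_code": Counter((ev["section"], ev["code"]) for ev in events),
        "failed_drivers": sorted({d for ev in events for d in failed_drivers(ev)}),
        "integrity_failures": sorted(set(integrity_failures(events))),
        "first": min(times, default=None),
        "last": max(times, default=None),
    }


if __name__ == "__main__":
    import pprint
    pprint.pprint(summarize(SAMPLE_LOG))
```

Run it against the full RSIT log by reading C:\rsit\log.txt into the text argument; on the log above it lists the ten drivers from the 7026 record and tcpip.sys five times under 5038, which is a quicker read than scrolling the raw records.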
Hi, dmscott84.
In addition to out-of-date and vulnerable software on your computer that needs addressing to prevent further infection, I note that you have P2P software installed.
A strong word of caution: With P2P file sharing, what means do you have of identifying or authenticating the source of the download? In addition, a file can be distributed among many hosts, and peers will provide for download the sections that they have already downloaded. This results in the distinct possibility of a distribution method in which malicious bits are mixed with good files.
P2P programs form a direct conduit on to your computer. They have always been a target of malware writers and are increasingly so of late. P2P security measures are easily circumvented and if your P2P program is not configured correctly, you may be sharing more files than you realize. There have been cases where people's passwords, address books and other personal, private, and financial details have been exposed to the file sharing network by a badly configured program.
Please follow these instructions carefully.
Download ComboFix from one of the following locations:
Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
!!! IMPORTANT !!! Save ComboFix.exe to your Desktop
Note: If you can only download via safe mode with networking, ComboFix will work best if you boot to normal mode when running it.
Disable your antivirus and anti-malware security applications. If not disabled, these programs will likely interfere with the cleanup process. This can usually be accomplished by a right-click on the icon in the System Tray.
Note: If you are unsure how to disable your security software, see the instructions in this topic at Tech Support Forum: How to disable your security applications (http://www.techsupportforum.com/security-center/virus-trojan-spyware-help/490111-how-disable-your-security-applications.html).
Now, please run ComboFix:
- Note: If infections are found, ComboFix will automatically reboot the machine to complete the removal process. Please ensure all opened windows are closed before proceeding.
- Double-click ComboFix.exe on your desktop and follow the prompts.
- As part of the process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it is strongly recommended to have this pre-installed on your machine before doing any malware removal. The Recovery Console will allow you to start up the computer in a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
Please note: If the Microsoft Windows Recovery Console is already installed on the computer, ComboFix will continue the malware removal procedures.
- Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console.
- When prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
(https://www.landzdown.com/proxy.php?request=http%3A%2F%2Fsecuritygarden.googlepages.com%2FCF_RC1.png&hash=29e6fe1eb864e58b4b66611caa7d7b6be84a47f8)
- After the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
(https://www.landzdown.com/proxy.php?request=http%3A%2F%2Fsecuritygarden.googlepages.com%2FCF_RC2.png&hash=e111f6aa2d657579d44cabc5fb4258fd1dce26eb)
- Click "Yes" to continue scanning for malware.
- When finished, a log will be produced. Please include the C:\ComboFix.txt in your next reply.
It let me download it, but whatever is in my computer won't let me run the program. Should I do it in safe mode with networking, since I'm unable to get it to work in normal mode?
Try renaming the file on your desktop from ComboFix.exe to dmscott84.exe, and see if it will run ...
Another option is to run RKill first:
Please download rkill from one of the following links and save to your Desktop:
One (http://download.bleepingcomputer.com/grinler/rkill.exe), Two (http://download.bleepingcomputer.com/grinler/rkill.com), Three (http://download.bleepingcomputer.com/grinler/rkill.scr) or Four (http://download.bleepingcomputer.com/grinler/rkill.pif)
- Double-click rkill to run.
- A command window will open then disappear upon completion, this is normal.
- Please leave rkill on the Desktop until otherwise advised.
- Do NOT restart your computer after running rkill as the malware program(s) will start again.
Note: If you receive security warnings about rkill, please ignore them and allow the download to continue.
If it still doesn't run, you may want to rename it with a different extension; i.e., ComboFix.com
OK, I'll try that.
I also ran ComboFix in safe mode with networking just to see if it would work. It did. Here is the log from the safe mode run. If I get it to run in normal mode, I'll show that too.
SAFE MODE WITH NETWORKING LOG:
ComboFix 10-07-14.01 - Owner 07/14/2010 17:07:13.2.2 - x86 NETWORK
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.2046.1502 [GMT -7:00]
Running from: c:\users\Owner\Desktop\ComboFix.exe
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\system volume information\EfaData
c:\system volume information\EfaData\SYMEFA.DB
.
---- Previous Run -------
.
C:\install.exe
c:\programdata\Microsoft\Network\Downloader\qmgr0.dat
c:\programdata\Microsoft\Network\Downloader\qmgr1.dat
c:\system volume information\EfaData\SYMEFA.DB
c:\windows\system32\sbcrreag.dll
.
((((((((((((((((((((((((( Files Created from 2010-06-15 to 2010-07-15 )))))))))))))))))))))))))))))))
.
2010-07-15 00:14 . 2010-07-15 00:14 -------- d-----w- c:\users\Owner\AppData\Local\temp
2010-07-15 00:14 . 2010-07-15 00:14 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-07-15 00:06 . 2010-07-15 00:06 -------- d-----w- C:\32788R22FWJFW
2010-07-14 19:48 . 2010-07-14 19:49 -------- d-----w- C:\rsit
2010-07-14 19:48 . 2010-07-14 19:49 -------- d-----w- c:\program files\trend micro
2010-07-13 20:30 . 2010-07-13 20:30 -------- d-----w- c:\users\Owner\AppData\Roaming\Malwarebytes
2010-07-13 20:30 . 2010-04-29 22:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-07-13 20:30 . 2010-07-13 20:30 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-07-13 20:30 . 2010-07-13 20:30 -------- d-----w- c:\programdata\Malwarebytes
2010-07-13 20:30 . 2010-04-29 22:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-07-13 20:16 . 2010-07-13 20:16 680 ----a-w- c:\users\Owner\AppData\Local\d3d9caps.dat
2010-07-13 20:13 . 2010-07-13 20:13 -------- d-----w- c:\users\Owner\AppData\Local\Tific
2010-07-13 18:26 . 2010-07-13 18:26 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2010-07-13 18:26 . 2010-07-13 18:26 -------- d-----w- c:\windows\system32\drivers\NAV
2010-07-13 18:26 . 2010-07-13 18:26 -------- d-----w- c:\program files\Norton AntiVirus
2010-07-13 18:19 . 2010-07-13 18:30 -------- d-----w- c:\windows\LMI82A6.tmp
2010-07-13 09:51 . 2010-07-13 09:51 -------- d-----w- c:\windows\LMI6DBF.tmp
2010-07-13 09:50 . 2010-07-13 09:50 69192 ----a-w- c:\users\Owner\AppData\Local\GDIPFONTCACHEV1.DAT
2010-07-13 09:40 . 2010-07-13 09:48 -------- d-----w- c:\windows\LMI759C.tmp
2010-07-13 09:37 . 2010-07-13 09:37 -------- d-----w- c:\windows\LMI73A9.tmp
2010-07-13 09:32 . 2010-07-13 09:33 -------- d-----w- c:\windows\LMI951D.tmp
2010-07-13 08:49 . 2010-07-13 09:28 -------- d-----w- c:\windows\LMIA5EF.tmp
2010-07-13 08:24 . 2010-07-13 08:46 -------- d-----w- c:\windows\LMI8F82.tmp
2010-07-13 04:05 . 2010-07-13 04:06 -------- d-----w- c:\users\Owner\AppData\Local\NPE
2010-07-13 00:16 . 2010-07-13 00:16 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Local\ICS
2010-07-13 00:10 . 2010-07-13 00:10 -------- d-----w- c:\windows\LMIB8A4.tmp
2010-07-13 00:09 . 2010-07-13 01:34 -------- d-----w- c:\windows\LMI5032.tmp
2010-07-12 19:36 . 2010-07-13 18:26 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-07-12 19:21 . 2010-07-13 20:13 -------- d-----w- c:\users\Owner\AppData\Roaming\Tific
2010-07-12 19:08 . 2010-07-14 13:05 -------- d-----w- c:\programdata\Norton
2010-07-09 19:04 . 2010-07-09 19:04 41872 ----a-w- c:\windows\system32\xfcodec.dll
2010-06-27 23:40 . 2010-07-13 06:03 -------- d-----w- c:\program files\Microsoft
2010-06-27 23:40 . 2010-06-27 23:40 -------- d-----w- c:\program files\Microsoft(10)
2010-06-27 23:38 . 2010-06-27 23:38 -------- d-----w- c:\program files\Microsoft.NET
2010-06-24 19:06 . 2010-04-14 17:47 293376 ----a-w- c:\windows\system32\psisdecd.dll
2010-06-24 19:06 . 2010-04-14 17:46 428544 ----a-w- c:\windows\system32\EncDec.dll
2010-06-24 19:05 . 2009-11-08 17:55 99176 ----a-w- c:\windows\system32\PresentationHostProxy.dll
2010-06-24 19:05 . 2009-11-08 17:55 49472 ----a-w- c:\windows\system32\netfxperf.dll
2010-06-24 19:05 . 2009-11-08 17:55 297808 ----a-w- c:\windows\system32\mscoree.dll
2010-06-24 19:05 . 2009-11-08 17:55 295264 ----a-w- c:\windows\system32\PresentationHost.exe
2010-06-24 19:05 . 2009-11-08 17:55 1130824 ----a-w- c:\windows\system32\dfshim.dll
2010-06-24 01:15 . 2010-04-16 16:05 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2010-06-24 01:15 . 2010-04-16 14:17 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2010-06-22 01:01 . 2010-07-13 06:03 -------- d-----w- c:\program files\iPod
2010-06-22 01:01 . 2010-06-22 01:01 -------- d-----w- c:\program files\iPod(122)
2010-06-22 01:01 . 2010-07-13 06:03 -------- d-----w- c:\program files\iTunes
2010-06-22 01:01 . 2010-06-22 01:02 -------- d-----w- c:\programdata\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-06-22 01:01 . 2010-06-22 01:02 -------- d-----w- c:\program files\iTunes(123)
2010-06-22 00:59 . 2010-07-13 06:03 -------- d-----w- c:\program files\QuickTime
2010-06-22 00:59 . 2010-06-22 00:59 -------- d-----w- c:\program files\QuickTime(165)
2010-06-22 00:54 . 2010-07-13 06:03 -------- d-----w- c:\program files\Bonjour
2010-06-22 00:54 . 2010-06-22 00:54 -------- d-----w- c:\program files\Bonjour(10)
2010-06-22 00:52 . 2010-06-22 00:52 72504 ----a-w- c:\programdata\Apple Computer\Installer Cache\iTunes 9.2.0.61\SetupAdmin.exe
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-15 00:00 . 2010-04-25 09:24 -------- d-----w- c:\users\Owner\AppData\Roaming\LimeWire
2010-07-14 13:18 . 2010-02-16 23:10 -------- d-----w- c:\program files\Defraggler
2010-07-14 13:06 . 2007-01-31 17:24 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-07-14 12:51 . 2008-07-17 01:15 -------- d-----w- c:\users\Owner\AppData\Roaming\Xfire
2010-07-14 11:38 . 2008-07-17 01:15 -------- d-----w- c:\program files\Xfire
2010-07-14 11:38 . 2008-07-17 01:15 -------- d-----w- c:\programdata\Xfire
2010-07-14 06:08 . 2010-02-17 02:23 101667 ----a-w- c:\programdata\nvModes.dat
2010-07-13 18:26 . 2010-07-13 18:26 805 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2010-07-13 18:26 . 2010-07-13 18:26 7443 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2010-07-13 06:03 . 2010-06-06 07:59 -------- d-----w- c:\users\Owner\AppData\Roaming\Winamp
2010-07-13 06:03 . 2007-11-03 06:58 -------- d-----w- c:\users\Owner\AppData\Roaming\Ventrilo
2010-07-13 06:03 . 2007-08-17 17:58 -------- d-----w- c:\programdata\NVIDIA
2010-07-13 06:03 . 2010-06-06 08:00 -------- d-----w- c:\program files\Winamp Detect
2010-07-13 06:03 . 2010-06-06 07:59 -------- d-----w- c:\program files\Winamp
2010-07-13 06:03 . 2007-02-06 01:43 -------- d-----w- c:\program files\Microsoft Works
2010-07-13 06:03 . 2008-09-08 05:29 -------- d-----w- c:\program files\Microsoft Silverlight
2010-07-13 06:03 . 2010-03-29 02:08 -------- d-----w- c:\program files\Common Files\PX Storage Engine
2010-07-13 06:03 . 2007-03-02 02:15 -------- d-----w- c:\program files\Common Files\LightScribe
2010-07-13 06:03 . 2010-04-25 09:24 -------- d-----w- c:\program files\Ask.com
2010-07-13 06:03 . 2007-08-12 20:12 -------- d-----w- c:\program files\Common Files\Apple
2010-07-10 18:27 . 2010-03-29 02:06 -------- d-----w- c:\program files\Microsoft Windows OneCare Live
2010-06-27 23:31 . 2010-04-26 21:43 439816 ----a-w- c:\users\Owner\AppData\Roaming\Real\Update\setup3.10\setup.exe
2010-06-22 02:02 . 2007-07-10 22:44 -------- d-----w- c:\users\Owner\AppData\Roaming\Apple Computer
2010-06-09 05:28 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-06-08 00:21 . 2010-05-22 08:13 -------- d-----w- c:\users\Owner\AppData\Roaming\Tropico 3
2010-06-04 08:18 . 2010-03-16 23:23 -------- d-----w- c:\program files\Common Files\Blizzard Entertainment
2010-06-03 10:54 . 2007-08-13 04:03 -------- d-----w- c:\program files\Google
2010-06-03 10:48 . 2009-07-16 02:58 -------- d-----w- c:\users\Owner\AppData\Roaming\Darkfall US
2010-06-01 20:56 . 2009-11-25 11:11 -------- d-----w- c:\program files\Steam
2010-05-26 16:16 . 2010-06-08 20:41 34304 ----a-w- c:\windows\system32\atmlib.dll
2010-05-26 14:25 . 2010-06-08 20:41 289792 ----a-w- c:\windows\system32\atmfd.dll
2010-05-22 08:05 . 2010-05-22 08:05 -------- d-----w- c:\program files\Kalypso
2010-05-19 23:56 . 2010-05-19 23:55 -------- d-----w- c:\programdata\PMB Files
2010-05-19 23:55 . 2010-05-19 23:55 -------- d-----w- c:\program files\Pando Networks
2010-05-18 23:35 . 2010-05-18 23:35 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-05-18 23:35 . 2010-05-18 23:35 197920 ----a-w- c:\windows\system32\dnssdX.dll
2010-05-18 23:35 . 2010-05-18 23:35 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-05-15 08:09 . 2010-05-15 07:55 43520 ----a-w- c:\windows\system32\CmdLineExt03.dll
2010-05-09 18:33 . 2010-05-09 18:33 77312 ----a-w- c:\users\Owner\AppData\Roaming\SystemRequirementsLab\srlproxy_cyri_4.1.72.0A.dll
2010-05-04 05:59 . 2010-06-08 20:41 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-04 05:55 . 2010-06-08 20:41 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-05-04 05:55 . 2010-06-08 20:41 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-05-04 04:31 . 2010-06-08 20:41 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2010-05-01 13:53 . 2010-06-08 20:41 2036224 ----a-w- c:\windows\system32\win32k.sys
2010-04-23 13:55 . 2010-05-25 19:27 2048 ----a-w- c:\windows\system32\tzres.dll
2010-04-23 01:11 . 2010-04-23 01:11 658184 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
2010-04-16 16:10 . 2010-06-08 20:41 1314816 ----a-w- c:\windows\system32\quartz.dll
2010-04-16 16:05 . 2010-06-24 01:15 459776 ----a-w- c:\windows\AppPatch\AcSpecfc.dll
2010-04-16 16:05 . 2010-06-24 01:15 173056 ----a-w- c:\windows\AppPatch\AcXtrnal.dll
2010-04-16 16:05 . 2010-06-24 01:15 2153984 ----a-w- c:\windows\AppPatch\AcGenral.dll
2010-04-16 16:05 . 2010-06-24 01:15 541696 ----a-w- c:\windows\AppPatch\AcLayers.dll
2007-01-31 17:23 . 2007-01-31 17:23 848 --sha-w- c:\windows\System32\KGyGaAvL.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
2010-03-28 19:11 1196936 ----a-w- c:\program files\Ask.com\GenericAskToolbar.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-03-28 1196936]
[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-03-28 1196936]
[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-01-16 147456]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"TomTomHOME.exe"="c:\program files\TomTom HOME 2\TomTomHOMERunner.exe" [2009-11-13 247144]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"RtHDVCpl"="RtHDVCpl.exe" [2007-01-18 4349952]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-06-15 47408]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-12-03 198160]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"OneCareUI"="c:\program files\Microsoft Windows OneCare Live\winssnotify.exe" [2010-02-05 65256]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2010-05-25 37888]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-19 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-06-15 141624]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"GrpConv"="grpconv -o" [X]
c:\users\Owner\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
LimeWire On Startup.lnk - c:\program files\LimeWire\LimeWire.exe [2010-3-30 503808]
Picture Motion Browser Media Check Tool.lnk - c:\program files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe [2007-8-26 344064]
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Gamma Loader.exe.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2008-3-23 108544]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\OneCareMP]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
R1 BHDrvx86;BHDrvx86;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.5.0.127\Definitions\BASHDefs\20100211.001\BHDrvx86.sys [2010-02-11 536112]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\NAV\1106000.020\ccHPx86.sys [2010-02-25 501888]
R1 IDSVix86;IDSVix86;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.5.0.127\Definitions\IPSDefs\20091105.001\IDSVix86.sys [2009-11-17 343088]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\NAV\1106000.020\Ironx86.SYS [2010-02-27 116784]
R1 SYMTDIv;Symantec Vista Network Dispatch Driver;c:\windows\system32\drivers\NAV\1106000.020\SYMTDIV.SYS [2009-11-22 340016]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 NAV;Norton AntiVirus;c:\program files\Norton AntiVirus\Engine\17.6.0.32\ccSvcHst.exe [2010-02-25 126392]
R2 OcHealthMon;Windows Live OneCare Health Monitor;c:\program files\Microsoft Windows OneCare Live\OcHealthMon.exe [2010-02-05 26120]
R2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2010-01-12 240232]
R2 TomTomHOMEService;TomTomHOMEService;c:\program files\TomTom HOME 2\TomTomHOMEService.exe [2009-11-13 92008]
R3 ALSysIO;ALSysIO;c:\users\Owner\AppData\Local\Temp\ALSysIO.sys
R3 AVMNgBasM780;AVerMedia M780 Base Driver;c:\windows\system32\DRIVERS\AVerBas.sys [2006-12-10 51584]
R3 AVMNgCapM780;AVerMedia M780 Audio/Video Capture Driver;c:\windows\system32\DRIVERS\AVerCap.sys [2006-12-10 364544]
R3 AVMNgTunM780;AVerMedia M780 TVTuner Driver;c:\windows\system32\DRIVERS\AVerTun.sys [2006-12-10 162304]
R3 DAUpdaterSvc;Dragon Age: Origins - Content Updater;c:\program files\steam\steamapps\common\dragon age origins\bin_ship\DAUpdaterSvc.Service.exe
R3 LiveTurbineMessageService;Turbine Message Service - Live;c:\program files\Turbine\Turbine Download Manager\TurbineMessageService.exe
R3 LiveTurbineNetworkService;Turbine Network Service - Live;c:\program files\Turbine\Turbine Download Manager\TurbineNetworkService.exe
R3 netr28u;Linksys USB Wireless LAN Card Driver for Vista;c:\windows\system32\DRIVERS\netr28u.sys [2007-12-15 570880]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
S0 SymDS;Symantec Data Store;c:\windows\system32\drivers\NAV\1106000.020\SYMDS.SYS [2009-10-15 328752]
S0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NAV\1106000.020\SYMEFA.SYS [2009-11-26 172592]
.
Contents of the 'Scheduled Tasks' folder
2010-07-15 c:\windows\Tasks\User_Feed_Synchronization-{38F16D1B-D518-4ABF-84BB-9D919E0F0F6A}.job
- c:\windows\system32\msfeedssync.exe [2010-06-08 04:30]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
Trusted Zone: swtor.com\www
FF - ProfilePath - c:\users\Owner\AppData\Roaming\Mozilla\Firefox\Profiles\tft48oag.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=ffsp1&p=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=ffds1&p=
FF - component: c:\program files\real\realplayer\browserrecord\firefox\ext\components\nprpffbrowserrecordext.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npwachk.dll
FF - plugin: c:\program files\NVIDIA Corporation\3D Vision\npnv3dv.dll
FF - plugin: c:\program files\Pando Networks\Media Booster\npPandoWebPlugin.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
---- FIREFOX POLICIES ----
FF - user.js: network.protocol-handler.warn-external.dnupdate - false);user_pref(network.protocol-handler.warn-external.dnupdate, false);user_pref(yahoo.ytff.general.dontshowhpoffer, truec:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - ORPHANS REMOVED - - - -
Toolbar-Locked - (no file)
HKLM-RunOnce-<NO NAME> - (no file)
AddRemove-NAV - c:\program files\NortonInstaller\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV\2454B0AB\17.6.0.32\InstStub.exe
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-14 17:14
Windows 6.0.6001 Service Pack 1 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\NAV]
"ImagePath"="\"c:\program files\Norton AntiVirus\Engine\17.6.0.32\ccSvcHst.exe\" /s \"NAV\" /m \"c:\program files\Norton AntiVirus\Engine\17.6.0.32\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
Completion time: 2010-07-14 17:15:41
ComboFix-quarantined-files.txt 2010-07-15 00:15
Pre-Run: 225,922,363,392 bytes free
Post-Run: 225,739,116,544 bytes free
- - End Of File - - AB996C325CA7E4A9BC61EEE6B6830F33
No, don't run it again yet. Let me take a look at this log first.
Hi, dmscott84.
Since you installed Norton, please go to add/remove programs and uninstall Windows Live OneCare. While you're there, if you have the Ask toolbar because you missed the pre-checked option when installing another program, I suggest you uninstall that as well.
Custom CFScript
Note: The following instructions were created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.
- Please open Notepad (Click Start -> Run -> type notepad in the Open field -> OK). Copy/Paste all of the text present inside the code box below:
RegNull::
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
Folder::
c:\windows\LMI82A6.tmp
c:\windows\LMI6DBF.tmp
c:\windows\LMI759C.tmp
c:\windows\LMI73A9.tmp
c:\windows\LMI951D.tmp
c:\windows\LMIA5EF.tmp
c:\windows\LMI8F82.tmp
c:\windows\LMIB8A4.tmp
c:\windows\LMI5032.tmp
- Save this as CFScript.txt and place it on your desktop.
- Close any open browsers.
- Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
(https://www.landzdown.com/proxy.php?request=http%3A%2F%2Fsecuritygarden.googlepages.com%2FCF_CFScript.gif&hash=19cdd291c9ded999b7ed69b7a82ebed7c9d0ab01)
- Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
- ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
- When finished, it will produce a log for you. Copy and paste the contents of the log in your next reply.
CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
Let's also see the results of an online scan. Please go here (http://www.eset.com/onlinescan/) to run an on-line scan from ESET.
- Note: It is easiest if you use Internet Explorer for this scan. (If you use an alternate browser, it will be necessary to download the ESET Smart Installer.)
- Turn off the real time scanner of any existing antivirus program while performing the online scan
- Tick the box next to YES, I accept the Terms of Use.
- Click Start
- When asked, allow the ActiveX control to install
- Click Start
- Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
- Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
- Click Scan
- Wait for the scan to finish
- Use notepad to open the logfile located at C:\Program Files\Eset\Eset Online Scanner\log.txt
- Copy and paste that log as a reply to this topic and also let me know how things are now.
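As an added example (not from this thread, the ComboFix tool or its author), the Python script below walks a constructed excerpt in the ComboFix log layout posted above and pulls out what a helper scans for before writing a CFScript: autostart entries with no file date/size or running from a Temp folder, EnableLUA set to 0 (UAC off), and registry keys carrying @Denied ACEs like the AllUserSettings keys this helper listed under RegNull::. The path heuristics, the shortened sample and the function names are my own assumptions.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: a shortened excerpt in the ComboFix log layout posted in
# this thread, not a real or complete log.
SAMPLE_LOG = r"""
((((((((((((((( Reg Loading Points )))))))))))))))
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"RtHDVCpl"="RtHDVCpl.exe" [2007-01-18 4349952]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"GrpConv"="grpconv -o" [X]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\NAV\1106000.020\ccHPx86.sys [2010-02-25 501888]
R3 ALSysIO;ALSysIO;c:\users\Owner\AppData\Local\Temp\ALSysIO.sys
.
Contents of the 'Scheduled Tasks' folder
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2010-07-14 17:15:41
"""

# "Name"="path" [YYYY-MM-DD size]: Run/RunOnce values; ComboFix prints [X] when it finds no file
RUN_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]*)"\s*(?:\[(?P<meta>[^\]]*)\])?$')
# "EnableLUA"= 0 (0x0): policy DWORDs under ...\policies\system
POLICY_RE = re.compile(r'^"(?P<name>\w+)"=\s*(?P<val>\d+)\s*\(0x[0-9A-Fa-f]+\)$')
# R1 service;description;path [YYYY-MM-DD size]: drivers and services (R running, S stopped)
DRIVER_RE = re.compile(
    r'^(?P<start>[RS]\d)\s+(?P<name>[^;]+);(?P<desc>[^;]*);(?P<path>.*?)(?:\s+\[(?P<meta>[^\]]*)\])?$')
META_RE = re.compile(r'^\d{4}-\d{1,2}-\d{1,2}\s+\d+$')
# Heuristic (my assumption): autostarts under Temp or a user profile deserve a second look.
USER_WRITABLE_MARKERS = ("\\temp\\", "\\appdata\\")


@dataclass
class Triage:
    uac_disabled: bool = False
    suspicious_autostarts: list = field(default_factory=list)  # (name, path, reasons)
    locked_keys: list = field(default_factory=list)            # keys carrying @Denied ACEs


def _autostart_reasons(path, meta):
    """Why an autostart entry deserves review; an empty list means nothing stood out."""
    reasons = []
    if meta is None or not META_RE.match(meta):
        reasons.append("no file date/size recorded (file missing or unreadable)")
    if any(marker in path.lower() for marker in USER_WRITABLE_MARKERS):
        reasons.append("runs from a user-writable/temporary location")
    return reasons


def triage_combofix_log(text):
    """Walk the log once, tracking which section and registry key we are under."""
    result = Triage()
    section = None          # "autostart", "locked" or None
    current_key = None
    for raw in text.splitlines():
        line = raw.strip()
        if "Reg Loading Points" in line:
            section = "autostart"
        elif "LOCKED REGISTRY KEYS" in line:
            section = "locked"
        elif line.startswith(("Contents of the 'Scheduled Tasks'", "Completion time:")):
            section = None
        elif line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1]
        elif section == "autostart":
            m = POLICY_RE.match(line)
            if m:
                # EnableLUA=0 turns UAC off: an administrator's programs run with full rights, no prompt.
                if (current_key or "").lower().endswith("policies\\system") and m["name"] == "EnableLUA":
                    result.uac_disabled = m["val"] == "0"
                continue
            m = RUN_RE.match(line) or DRIVER_RE.match(line)
            if m:
                reasons = _autostart_reasons(m["path"], m["meta"])
                if reasons:
                    result.suspicious_autostarts.append((m["name"], m["path"], reasons))
        elif section == "locked" and line.startswith("@Denied:"):
            if current_key and current_key not in result.locked_keys:
                result.locked_keys.append(current_key)
    return result


def regnull_block(keys):
    """Render a RegNull:: stanza in the CFScript format used in the thread, listing the
    ACL-locked keys for a human helper to review before it is ever handed to ComboFix."""
    return "RegNull::\n" + "".join(f"[{key}]\n" for key in keys)
```

Flagged entries are review candidates, not verdicts: `grpconv -o` with `[X]` is a harmless Windows leftover, which is why the helper reads each hit before acting on it.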
It won't let me uninstall Windows Live OneCare. It freezes and crashes during uninstall, and I can't run ComboFix unless it's in safe mode.
Run ComboFix in safe mode again and then see if you can run the online scan.
OK, I'll try that.
Here is the ComboFix log after dragging and dropping that Notepad file you had me make into it.
ComboFix 10-07-14.01 - Owner 07/14/2010 18:23:08.3.2 - x86 NETWORK
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.2046.1502 [GMT -7:00]
Running from: c:\users\Owner\Desktop\dmscott84.exe
Command switches used :: c:\users\Owner\Desktop\CFScript.txt
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\system volume information\EfaData
c:\system volume information\EfaData\SYMEFA.DB
c:\windows\LMI5032.tmp
c:\windows\LMI5032.tmp\rescue.log
c:\windows\LMI5032.tmp\session.log
c:\windows\LMI6DBF.tmp
c:\windows\LMI6DBF.tmp\lmi_rescue.exe
c:\windows\LMI6DBF.tmp\logo.bmp
c:\windows\LMI6DBF.tmp\params.txt
c:\windows\LMI6DBF.tmp\ra64app.exe
c:\windows\LMI6DBF.tmp\rahook.dll
c:\windows\LMI6DBF.tmp\rescue.ico
c:\windows\LMI6DBF.tmp\rescue.log
c:\windows\LMI73A9.tmp
c:\windows\LMI73A9.tmp\chat.rtf
c:\windows\LMI73A9.tmp\ICSAgent32.dll
c:\windows\LMI73A9.tmp\lmi_rescue.exe
c:\windows\LMI73A9.tmp\LMIRhook.000.dll
c:\windows\LMI73A9.tmp\logo.bmp
c:\windows\LMI73A9.tmp\params.txt
c:\windows\LMI73A9.tmp\ra64app.exe
c:\windows\LMI73A9.tmp\rahook.dll
c:\windows\LMI73A9.tmp\rarcc.dll
c:\windows\LMI73A9.tmp\rescue.ico
c:\windows\LMI73A9.tmp\rescue.log
c:\windows\LMI73A9.tmp\session.log
c:\windows\LMI759C.tmp
c:\windows\LMI759C.tmp\chat.rtf
c:\windows\LMI759C.tmp\ICSAgent32.dll
c:\windows\LMI759C.tmp\lmi_rescue.exe
c:\windows\LMI759C.tmp\LMIRhook.000.dll
c:\windows\LMI759C.tmp\logo.bmp
c:\windows\LMI759C.tmp\params.txt
c:\windows\LMI759C.tmp\ra64app.exe
c:\windows\LMI759C.tmp\rahook.dll
c:\windows\LMI759C.tmp\rarcc.dll
c:\windows\LMI759C.tmp\rescue.ico
c:\windows\LMI759C.tmp\rescue.log
c:\windows\LMI759C.tmp\session.log
c:\windows\LMI82A6.tmp
c:\windows\LMI82A6.tmp\rescue.log
c:\windows\LMI8F82.tmp
c:\windows\LMI8F82.tmp\chat.rtf
c:\windows\LMI8F82.tmp\lmi_rescue.exe
c:\windows\LMI8F82.tmp\LMIRhook.000.dll
c:\windows\LMI8F82.tmp\params.txt
c:\windows\LMI8F82.tmp\rahook.dll
c:\windows\LMI8F82.tmp\rarcc.dll
c:\windows\LMI8F82.tmp\rescue.log
c:\windows\LMI951D.tmp
c:\windows\LMI951D.tmp\chat.rtf
c:\windows\LMI951D.tmp\ICSAgent32.dll
c:\windows\LMI951D.tmp\lmi_rescue.exe
c:\windows\LMI951D.tmp\LMIRhook.000.dll
c:\windows\LMI951D.tmp\logo.bmp
c:\windows\LMI951D.tmp\params.txt
c:\windows\LMI951D.tmp\ra64app.exe
c:\windows\LMI951D.tmp\rahook.dll
c:\windows\LMI951D.tmp\rarcc.dll
c:\windows\LMI951D.tmp\rescue.ico
c:\windows\LMI951D.tmp\rescue.log
c:\windows\LMI951D.tmp\session.log
c:\windows\LMIA5EF.tmp
c:\windows\LMIA5EF.tmp\chat.rtf
c:\windows\LMIA5EF.tmp\ICSAgent32.dll
c:\windows\LMIA5EF.tmp\lmi_rescue.exe
c:\windows\LMIA5EF.tmp\LMIRhook.000.dll
c:\windows\LMIA5EF.tmp\logo.bmp
c:\windows\LMIA5EF.tmp\params.txt
c:\windows\LMIA5EF.tmp\ra64app.exe
c:\windows\LMIA5EF.tmp\rahook.dll
c:\windows\LMIA5EF.tmp\rarcc.dll
c:\windows\LMIA5EF.tmp\rescue.ico
c:\windows\LMIA5EF.tmp\rescue.log
c:\windows\LMIA5EF.tmp\session.log
c:\windows\LMIB8A4.tmp
c:\windows\LMIB8A4.tmp\rescue.log
.
((((((((((((((((((((((((( Files Created from 2010-06-15 to 2010-07-15 )))))))))))))))))))))))))))))))
.
2010-07-15 01:31 . 2010-07-15 01:31 -------- d-----w- c:\users\Owner\AppData\Local\temp
2010-07-15 01:31 . 2010-07-15 01:31 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Local\temp
2010-07-15 01:31 . 2010-07-15 01:31 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-07-15 01:31 . 2010-07-15 01:31 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-07-15 01:21 . 2010-07-15 01:22 -------- d-----w- C:\32788R22FWJFW
2010-07-14 19:48 . 2010-07-14 19:49 -------- d-----w- C:\rsit
2010-07-14 19:48 . 2010-07-14 19:49 -------- d-----w- c:\program files\trend micro
2010-07-13 20:30 . 2010-07-13 20:30 -------- d-----w- c:\users\Owner\AppData\Roaming\Malwarebytes
2010-07-13 20:30 . 2010-04-29 22:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-07-13 20:30 . 2010-07-13 20:30 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-07-13 20:30 . 2010-07-13 20:30 -------- d-----w- c:\programdata\Malwarebytes
2010-07-13 20:30 . 2010-04-29 22:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-07-13 20:16 . 2010-07-13 20:16 680 ----a-w- c:\users\Owner\AppData\Local\d3d9caps.dat
2010-07-13 20:13 . 2010-07-13 20:13 -------- d-----w- c:\users\Owner\AppData\Local\Tific
2010-07-13 18:26 . 2010-07-13 18:26 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2010-07-13 18:26 . 2010-07-13 18:26 -------- d-----w- c:\windows\system32\drivers\NAV
2010-07-13 18:26 . 2010-07-13 18:26 -------- d-----w- c:\program files\Norton AntiVirus
2010-07-13 09:50 . 2010-07-13 09:50 69192 ----a-w- c:\users\Owner\AppData\Local\GDIPFONTCACHEV1.DAT
2010-07-13 04:05 . 2010-07-13 04:06 -------- d-----w- c:\users\Owner\AppData\Local\NPE
2010-07-13 00:16 . 2010-07-13 00:16 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Local\ICS
2010-07-12 19:36 . 2010-07-13 18:26 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-07-12 19:21 . 2010-07-13 20:13 -------- d-----w- c:\users\Owner\AppData\Roaming\Tific
2010-07-12 19:08 . 2010-07-14 13:05 -------- d-----w- c:\programdata\Norton
2010-07-09 19:04 . 2010-07-09 19:04 41872 ----a-w- c:\windows\system32\xfcodec.dll
2010-06-27 23:40 . 2010-07-13 06:03 -------- d-----w- c:\program files\Microsoft
2010-06-27 23:40 . 2010-06-27 23:40 -------- d-----w- c:\program files\Microsoft(10)
2010-06-27 23:38 . 2010-06-27 23:38 -------- d-----w- c:\program files\Microsoft.NET
2010-06-24 19:06 . 2010-04-14 17:47 293376 ----a-w- c:\windows\system32\psisdecd.dll
2010-06-24 19:06 . 2010-04-14 17:46 428544 ----a-w- c:\windows\system32\EncDec.dll
2010-06-24 19:05 . 2009-11-08 17:55 99176 ----a-w- c:\windows\system32\PresentationHostProxy.dll
2010-06-24 19:05 . 2009-11-08 17:55 49472 ----a-w- c:\windows\system32\netfxperf.dll
2010-06-24 19:05 . 2009-11-08 17:55 297808 ----a-w- c:\windows\system32\mscoree.dll
2010-06-24 19:05 . 2009-11-08 17:55 295264 ----a-w- c:\windows\system32\PresentationHost.exe
2010-06-24 19:05 . 2009-11-08 17:55 1130824 ----a-w- c:\windows\system32\dfshim.dll
2010-06-24 01:15 . 2010-04-16 16:05 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2010-06-24 01:15 . 2010-04-16 14:17 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2010-06-22 01:01 . 2010-07-13 06:03 -------- d-----w- c:\program files\iPod
2010-06-22 01:01 . 2010-06-22 01:01 -------- d-----w- c:\program files\iPod(122)
2010-06-22 01:01 . 2010-07-13 06:03 -------- d-----w- c:\program files\iTunes
2010-06-22 01:01 . 2010-06-22 01:02 -------- d-----w- c:\programdata\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-06-22 01:01 . 2010-06-22 01:02 -------- d-----w- c:\program files\iTunes(123)
2010-06-22 00:59 . 2010-07-13 06:03 -------- d-----w- c:\program files\QuickTime
2010-06-22 00:59 . 2010-06-22 00:59 -------- d-----w- c:\program files\QuickTime(165)
2010-06-22 00:54 . 2010-07-13 06:03 -------- d-----w- c:\program files\Bonjour
2010-06-22 00:54 . 2010-06-22 00:54 -------- d-----w- c:\program files\Bonjour(10)
2010-06-22 00:52 . 2010-06-22 00:52 72504 ----a-w- c:\programdata\Apple Computer\Installer Cache\iTunes 9.2.0.61\SetupAdmin.exe
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-15 00:25 . 2010-04-25 09:24 -------- d-----w- c:\users\Owner\AppData\Roaming\LimeWire
2010-07-14 13:18 . 2010-02-16 23:10 -------- d-----w- c:\program files\Defraggler
2010-07-14 13:06 . 2007-01-31 17:24 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-07-14 12:51 . 2008-07-17 01:15 -------- d-----w- c:\users\Owner\AppData\Roaming\Xfire
2010-07-14 11:38 . 2008-07-17 01:15 -------- d-----w- c:\program files\Xfire
2010-07-14 11:38 . 2008-07-17 01:15 -------- d-----w- c:\programdata\Xfire
2010-07-14 06:08 . 2010-02-17 02:23 101667 ----a-w- c:\programdata\nvModes.dat
2010-07-13 18:26 . 2010-07-13 18:26 805 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2010-07-13 18:26 . 2010-07-13 18:26 7443 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2010-07-13 06:03 . 2010-06-06 07:59 -------- d-----w- c:\users\Owner\AppData\Roaming\Winamp
2010-07-13 06:03 . 2007-11-03 06:58 -------- d-----w- c:\users\Owner\AppData\Roaming\Ventrilo
2010-07-13 06:03 . 2007-08-17 17:58 -------- d-----w- c:\programdata\NVIDIA
2010-07-13 06:03 . 2010-06-06 08:00 -------- d-----w- c:\program files\Winamp Detect
2010-07-13 06:03 . 2010-06-06 07:59 -------- d-----w- c:\program files\Winamp
2010-07-13 06:03 . 2007-02-06 01:43 -------- d-----w- c:\program files\Microsoft Works
2010-07-13 06:03 . 2008-09-08 05:29 -------- d-----w- c:\program files\Microsoft Silverlight
2010-07-13 06:03 . 2010-03-29 02:08 -------- d-----w- c:\program files\Common Files\PX Storage Engine
2010-07-13 06:03 . 2007-03-02 02:15 -------- d-----w- c:\program files\Common Files\LightScribe
2010-07-13 06:03 . 2010-04-25 09:24 -------- d-----w- c:\program files\Ask.com
2010-07-13 06:03 . 2007-08-12 20:12 -------- d-----w- c:\program files\Common Files\Apple
2010-07-10 18:27 . 2010-03-29 02:06 -------- d-----w- c:\program files\Microsoft Windows OneCare Live
2010-06-27 23:31 . 2010-04-26 21:43 439816 ----a-w- c:\users\Owner\AppData\Roaming\Real\Update\setup3.10\setup.exe
2010-06-22 02:02 . 2007-07-10 22:44 -------- d-----w- c:\users\Owner\AppData\Roaming\Apple Computer
2010-06-09 05:28 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-06-08 00:21 . 2010-05-22 08:13 -------- d-----w- c:\users\Owner\AppData\Roaming\Tropico 3
2010-06-04 08:18 . 2010-03-16 23:23 -------- d-----w- c:\program files\Common Files\Blizzard Entertainment
2010-06-03 10:54 . 2007-08-13 04:03 -------- d-----w- c:\program files\Google
2010-06-03 10:48 . 2009-07-16 02:58 -------- d-----w- c:\users\Owner\AppData\Roaming\Darkfall US
2010-06-01 20:56 . 2009-11-25 11:11 -------- d-----w- c:\program files\Steam
2010-05-26 16:16 . 2010-06-08 20:41 34304 ----a-w- c:\windows\system32\atmlib.dll
2010-05-26 14:25 . 2010-06-08 20:41 289792 ----a-w- c:\windows\system32\atmfd.dll
2010-05-22 08:05 . 2010-05-22 08:05 -------- d-----w- c:\program files\Kalypso
2010-05-19 23:56 . 2010-05-19 23:55 -------- d-----w- c:\programdata\PMB Files
2010-05-19 23:55 . 2010-05-19 23:55 -------- d-----w- c:\program files\Pando Networks
2010-05-18 23:35 . 2010-05-18 23:35 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-05-18 23:35 . 2010-05-18 23:35 197920 ----a-w- c:\windows\system32\dnssdX.dll
2010-05-18 23:35 . 2010-05-18 23:35 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-05-15 08:09 . 2010-05-15 07:55 43520 ----a-w- c:\windows\system32\CmdLineExt03.dll
2010-05-09 18:33 . 2010-05-09 18:33 77312 ----a-w- c:\users\Owner\AppData\Roaming\SystemRequirementsLab\srlproxy_cyri_4.1.72.0A.dll
2010-05-04 05:59 . 2010-06-08 20:41 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-04 05:55 . 2010-06-08 20:41 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-05-04 05:55 . 2010-06-08 20:41 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-05-04 04:31 . 2010-06-08 20:41 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2010-05-01 13:53 . 2010-06-08 20:41 2036224 ----a-w- c:\windows\system32\win32k.sys
2010-04-23 13:55 . 2010-05-25 19:27 2048 ----a-w- c:\windows\system32\tzres.dll
2010-04-23 01:11 . 2010-04-23 01:11 658184 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
2010-04-16 16:10 . 2010-06-08 20:41 1314816 ----a-w- c:\windows\system32\quartz.dll
2010-04-16 16:05 . 2010-06-24 01:15 459776 ----a-w- c:\windows\AppPatch\AcSpecfc.dll
2010-04-16 16:05 . 2010-06-24 01:15 173056 ----a-w- c:\windows\AppPatch\AcXtrnal.dll
2010-04-16 16:05 . 2010-06-24 01:15 2153984 ----a-w- c:\windows\AppPatch\AcGenral.dll
2010-04-16 16:05 . 2010-06-24 01:15 541696 ----a-w- c:\windows\AppPatch\AcLayers.dll
2007-01-31 17:23 . 2007-01-31 17:23 848 --sha-w- c:\windows\System32\KGyGaAvL.sys
.
((((((((((((((((((((((((((((( SnapShot@2010-07-15_00.14.22 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-07-15 00:24 . 2010-07-15 01:20 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2010-07-14 23:57 . 2010-07-15 00:04 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2010-07-15 00:24 . 2010-07-15 01:20 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2010-07-14 23:57 . 2010-07-15 00:04 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
2010-03-28 19:11 1196936 ----a-w- c:\program files\Ask.com\GenericAskToolbar.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-03-28 1196936]
[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-03-28 1196936]
[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-01-16 147456]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"TomTomHOME.exe"="c:\program files\TomTom HOME 2\TomTomHOMERunner.exe" [2009-11-13 247144]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"RtHDVCpl"="RtHDVCpl.exe" [2007-01-18 4349952]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-06-15 47408]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-12-03 198160]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"OneCareUI"="c:\program files\Microsoft Windows OneCare Live\winssnotify.exe" [2010-02-05 65256]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2010-05-25 37888]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-19 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-06-15 141624]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"GrpConv"="grpconv -o" [X]
c:\users\Owner\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
LimeWire On Startup.lnk - c:\program files\LimeWire\LimeWire.exe [2010-3-30 503808]
Picture Motion Browser Media Check Tool.lnk - c:\program files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe [2007-8-26 344064]
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Gamma Loader.exe.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2008-3-23 108544]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\OneCareMP]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
R1 BHDrvx86;BHDrvx86;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.5.0.127\Definitions\BASHDefs\20100211.001\BHDrvx86.sys [2010-02-11 536112]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\NAV\1106000.020\ccHPx86.sys [2010-02-25 501888]
R1 IDSVix86;IDSVix86;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NAV_17.5.0.127\Definitions\IPSDefs\20091105.001\IDSVix86.sys [2009-11-17 343088]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\NAV\1106000.020\Ironx86.SYS [2010-02-27 116784]
R1 SYMTDIv;Symantec Vista Network Dispatch Driver;c:\windows\system32\drivers\NAV\1106000.020\SYMTDIV.SYS [2009-11-22 340016]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 NAV;Norton AntiVirus;c:\program files\Norton AntiVirus\Engine\17.6.0.32\ccSvcHst.exe [2010-02-25 126392]
R2 OcHealthMon;Windows Live OneCare Health Monitor;c:\program files\Microsoft Windows OneCare Live\OcHealthMon.exe [2010-02-05 26120]
R2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2010-01-12 240232]
R2 TomTomHOMEService;TomTomHOMEService;c:\program files\TomTom HOME 2\TomTomHOMEService.exe [2009-11-13 92008]
R3 ALSysIO;ALSysIO;c:\users\Owner\AppData\Local\Temp\ALSysIO.sys
R3 AVMNgBasM780;AVerMedia M780 Base Driver;c:\windows\system32\DRIVERS\AVerBas.sys [2006-12-10 51584]
R3 AVMNgCapM780;AVerMedia M780 Audio/Video Capture Driver;c:\windows\system32\DRIVERS\AVerCap.sys [2006-12-10 364544]
R3 AVMNgTunM780;AVerMedia M780 TVTuner Driver;c:\windows\system32\DRIVERS\AVerTun.sys [2006-12-10 162304]
R3 DAUpdaterSvc;Dragon Age: Origins - Content Updater;c:\program files\steam\steamapps\common\dragon age origins\bin_ship\DAUpdaterSvc.Service.exe
R3 LiveTurbineMessageService;Turbine Message Service - Live;c:\program files\Turbine\Turbine Download Manager\TurbineMessageService.exe
R3 LiveTurbineNetworkService;Turbine Network Service - Live;c:\program files\Turbine\Turbine Download Manager\TurbineNetworkService.exe
R3 netr28u;Linksys USB Wireless LAN Card Driver for Vista;c:\windows\system32\DRIVERS\netr28u.sys [2007-12-15 570880]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
S0 SymDS;Symantec Data Store;c:\windows\system32\drivers\NAV\1106000.020\SYMDS.SYS [2009-10-15 328752]
S0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NAV\1106000.020\SYMEFA.SYS [2009-11-26 172592]
.
Contents of the 'Scheduled Tasks' folder
2010-07-15 c:\windows\Tasks\User_Feed_Synchronization-{38F16D1B-D518-4ABF-84BB-9D919E0F0F6A}.job
- c:\windows\system32\msfeedssync.exe [2010-06-08 04:30]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
Trusted Zone: swtor.com\www
FF - ProfilePath - c:\users\Owner\AppData\Roaming\Mozilla\Firefox\Profiles\tft48oag.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=ffsp1&p=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=ffds1&p=
FF - component: c:\program files\real\realplayer\browserrecord\firefox\ext\components\nprpffbrowserrecordext.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npwachk.dll
FF - plugin: c:\program files\NVIDIA Corporation\3D Vision\npnv3dv.dll
FF - plugin: c:\program files\Pando Networks\Media Booster\npPandoWebPlugin.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
---- FIREFOX POLICIES ----
FF - user.js: network.protocol-handler.warn-external.dnupdate - false);user_pref(network.protocol-handler.warn-external.dnupdate, false);user_pref(yahoo.ytff.general.dontshowhpoffer, true
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - ORPHANS REMOVED - - - -
HKLM-RunOnce-<NO NAME> - (no file)
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-14 18:31
Windows 6.0.6001 Service Pack 1 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\NAV]
"ImagePath"="\"c:\program files\Norton AntiVirus\Engine\17.6.0.32\ccSvcHst.exe\" /s \"NAV\" /m \"c:\program files\Norton AntiVirus\Engine\17.6.0.32\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
Completion time: 2010-07-14 18:32:22
ComboFix-quarantined-files.txt 2010-07-15 01:32
ComboFix2.txt 2010-07-15 00:15
Pre-Run: 225,892,929,536 bytes free
Post-Run: 225,785,401,344 bytes free
- - End Of File - - 6036B9F0F8D94DD39E8FF6711333018A
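The block of R*/S* lines near the top of this log is where a helper starts when the scanners keep coming back clean: R means the service was running and S stopped, the digit is the start type, and the trailing [date size] stamp is what ComboFix recorded for the image on disk. The entries worth a second look are the ones loading from a user-writable location, such as the ALSysIO.sys driver under the user's Temp folder. The script below is an added example, not part of this thread and not a ComboFix tool; it parses lines in that format (the sample is constructed from six lines of the log above) and lists the entries that deserve a manual check. A hit is a prompt to verify the file's publisher and hash, not a malware verdict; legitimate hardware-monitoring tools also drop drivers in Temp.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: six service/driver lines copied from the ComboFix log
# posted above, so the parser is exercised on real-shaped input.
SAMPLE_LINES = """\
R1 ccHP;Symantec Hash Provider;c:\\windows\\system32\\drivers\\NAV\\1106000.020\\ccHPx86.sys [2010-02-25 501888]
R2 NAV;Norton AntiVirus;c:\\program files\\Norton AntiVirus\\Engine\\17.6.0.32\\ccSvcHst.exe [2010-02-25 126392]
R3 ALSysIO;ALSysIO;c:\\users\\Owner\\AppData\\Local\\Temp\\ALSysIO.sys
R3 netr28u;Linksys USB Wireless LAN Card Driver for Vista;c:\\windows\\system32\\DRIVERS\\netr28u.sys [2007-12-15 570880]
R3 DAUpdaterSvc;Dragon Age: Origins - Content Updater;c:\\program files\\steam\\steamapps\\common\\dragon age origins\\bin_ship\\DAUpdaterSvc.Service.exe
S0 SymDS;Symantec Data Store;c:\\windows\\system32\\drivers\\NAV\\1106000.020\\SYMDS.SYS [2009-10-15 328752]
"""

# One ComboFix service line:
#   <R|S><start type> <service name>;<display name>;<image path> [<yyyy-mm-dd> <bytes>]
# R = running, S = stopped; the trailing [date size] field is not always present.
_SERVICE_RE = re.compile(
    r"^(?P<state>[RS?]\d)\s+"
    r"(?P<name>[^;]+);(?P<display>[^;]*);(?P<path>.+?)"
    r"(?:\s+\[(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<size>\d+)\])?\s*$"
)


@dataclass
class ServiceEntry:
    state: str
    name: str
    display: str
    path: str
    date: Optional[str]
    size: Optional[int]

    @property
    def running(self) -> bool:
        return self.state.startswith("R")

    @property
    def is_driver(self) -> bool:
        return self.path.lower().endswith(".sys")


def parse_services(text: str):
    """Parse every service/driver line in the text; lines of any other shape are skipped."""
    entries = []
    for raw in text.splitlines():
        m = _SERVICE_RE.match(raw.strip())
        if m:
            entries.append(ServiceEntry(
                state=m["state"], name=m["name"], display=m["display"],
                path=m["path"], date=m["date"],
                size=int(m["size"]) if m["size"] else None))
    return entries


def triage(entry: ServiceEntry):
    """Reasons this entry deserves a manual look. A non-empty list is a prompt
    to check the file's publisher and hash, not a malware verdict."""
    reasons = []
    low = entry.path.lower()
    # A persistent service or kernel driver normally lives under \windows or
    # \program files, not in a Temp folder or a user's profile.
    if "\\temp\\" in low:
        reasons.append("image loads from a Temp directory")
    elif "\\users\\" in low or "\\documents and settings\\" in low:
        reasons.append("image loads from a user profile")
    if reasons and entry.is_driver and entry.running:
        reasons.append("and it is a running kernel driver")
    if entry.date is None or entry.size is None:
        reasons.append("no [date size] stamp recorded for the image")
    return reasons


def flagged(text: str):
    """Map service name -> reasons, for every entry that triage() flagged."""
    return {e.name: triage(e) for e in parse_services(text) if triage(e)}


if __name__ == "__main__":
    for name, reasons in flagged(SAMPLE_LINES).items():
        print(f"{name}: {'; '.join(reasons)}")
```

Run against the sample, only ALSysIO (Temp directory, running .sys driver, no stamp) and DAUpdaterSvc (no stamp recorded) come out; the Norton, Linksys and Symantec entries do not.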
If ComboFix didn't restart your computer, please shutdown/restart. Then see if you can run the ESET online scan.
Thanks.
Do you want me to attempt to run the ESET scan in normal mode or Safe Mode?
ESET SCAN:
ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=0e8bb742ff48804b8e5cd9b5ca02d22a
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2010-07-15 02:33:22
# local_time=2010-07-14 07:33:22 (-0800, Pacific Daylight Time)
# country="United States"
# lang=1033
# osver=6.0.6001 NT Service Pack 1
# compatibility_mode=512 16777215 100 0 0 0 0 0
# compatibility_mode=3584 16777215 100 0 0 0 0 0
# compatibility_mode=5892 16776573 100 100 19265 115765601 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=157806
# found=2
# cleaned=0
# scan_time=3129
C:\Users\Owner\Documents\AutoClick.exe Win32/TrojanClicker.Agent.NFX trojan 00000000000000000000000000000000 I
C:\Users\Owner\Documents\My Games\awesome\Client_EATtheDEAD.exe a variant of Win32/Packed.Themida application 00000000000000000000000000000000 I
esets_scanner_update returned -1 esets_gle=53251
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=0e8bb742ff48804b8e5cd9b5ca02d22a
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2010-07-15 03:52:26
# local_time=2010-07-14 08:52:26 (-0800, Pacific Daylight Time)
# country="United States"
# lang=1033
# osver=6.0.6001 NT Service Pack 1
# compatibility_mode=512 16777215 100 0 0 0 0 0
# compatibility_mode=3584 16777215 100 0 0 0 0 0
# compatibility_mode=5892 16776573 100 100 22733 115769069 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=158349
# found=0
# cleaned=0
# scan_time=4404
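The two blocks above are what ESET Online Scanner writes: a header of "# key=value" lines per run, then one line per detection (path, threat name, optional category, a 32-hex field and a flag). The header also explains the apparent contradiction of found=2 with cleaned=0: the first run had remove_checked=false, so ESET reported the files without removing them. The parser below is an added example, not part of this thread or an ESET tool; its sample is constructed from the two runs above with the header trimmed to the keys it uses, and it assumes the threat name can be anchored on its "Family/Name" slash, which a Windows path never contains, so paths with spaces (My Games\awesome) still parse.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: the two ESET Online Scanner runs posted above, header
# trimmed to the keys this parser uses. The detection lines are verbatim.
SAMPLE_LOG = """\
# version=7
# end=finished
# remove_checked=false
# utc_time=2010-07-15 02:33:22
# country="United States"
# scanned=157806
# found=2
# cleaned=0
C:\\Users\\Owner\\Documents\\AutoClick.exe Win32/TrojanClicker.Agent.NFX trojan 00000000000000000000000000000000 I
C:\\Users\\Owner\\Documents\\My Games\\awesome\\Client_EATtheDEAD.exe a variant of Win32/Packed.Themida application 00000000000000000000000000000000 I
esets_scanner_update returned -1 esets_gle=53251
# version=7
# end=finished
# remove_checked=false
# utc_time=2010-07-15 03:52:26
# scanned=158349
# found=0
# cleaned=0
"""

_HEADER_RE = re.compile(r"^#\s*(?P<key>[\w.]+)=(?P<value>.*)$")

# <path, may contain spaces> <threat name> [<category>] <32 hex> <flag>
# Assumption: the threat name carries a "Family/Name" slash, which a Windows
# path never does, so the lazy path group stops in the right place.
_DETECTION_RE = re.compile(
    r"^(?P<path>.+?)\s+"
    r"(?P<name>(?:(?:probably )?a variant of )?\w+/\S+)"
    r"(?:\s+(?P<category>[a-z][a-z ]*?))?\s+"
    r"(?P<hash>[0-9A-Fa-f]{32})\s+"
    r"(?P<flag>[A-Z]+)\s*$"
)


@dataclass
class Detection:
    path: str
    name: str
    category: str
    flag: str


@dataclass
class ScanRun:
    header: dict = field(default_factory=dict)
    detections: list = field(default_factory=list)

    @property
    def found(self) -> int:
        return int(self.header.get("found", "0"))


def parse_eset_log(text: str):
    """Split a log into runs (each starts at '# version=') holding the header
    key/values and the parsed detection lines. Other lines are ignored."""
    runs, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        hm = _HEADER_RE.match(line)
        if hm:
            if hm["key"] == "version":
                current = ScanRun()
                runs.append(current)
            if current is not None:
                current.header[hm["key"]] = hm["value"].strip().strip('"')
            continue
        dm = _DETECTION_RE.match(line)
        if dm and current is not None:
            current.detections.append(Detection(
                path=dm["path"], name=dm["name"],
                category=dm["category"] or "", flag=dm["flag"]))
    return runs


def pending_manual_cleanup(run: ScanRun):
    """Detections the scanner reported but did not remove: with
    remove_checked=false ESET only reports, so every hit is still on disk."""
    if run.header.get("remove_checked") == "true":
        return []
    return list(run.detections)


def consistent(run: ScanRun) -> bool:
    """Sanity check: the header's 'found' count should equal the detection lines parsed."""
    return run.found == len(run.detections)


if __name__ == "__main__":
    for run in parse_eset_log(SAMPLE_LOG):
        print(run.header.get("utc_time"), "scanned", run.header.get("scanned"), "found", run.found)
        for d in pending_manual_cleanup(run):
            print("  still on disk:", d.path, "->", d.name, d.category)
```

On the sample, the first run yields both detections as still pending (which is why the next reply says to delete those files by hand) and the second run yields none.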
ESET Scan showed two different trojans.
C:\Users\Owner\Documents\AutoClick.exe Win32/TrojanClicker.Agent.NFX trojan
C:\Users\Owner\Documents\My Games\awesome\Client_EATtheDEAD.exe a variant of Win32/Packed.Themida
You can go ahead and delete those files. I need to take another look at your ComboFix log to see if there is another trigger that I am missing.
Let's go this route.
To determine whether the issue that you are experiencing is caused by one or more system files that are used by Windows, run the System File Checker tool. The System File Checker tool scans system files and replaces incorrect versions of the system files by using the correct versions.
To run the System File Checker tool, follow these steps:
- Click Start, and then type cmd in the Start Search box.
- Right-click cmd in the Programs list, and then click Run as administrator.
- If you are prompted for an administrator password or confirmation, type your password or click Continue.
- At the command prompt, type the following line, and then press ENTER:
sfc /scannow (note the space before the backslash)
- When the scan is complete, restart the computer and test to see whether the issue that you are experiencing is resolved.
Then, let's see a MBAM Fresh
- Launch Malwarebytes' Anti-Malware, then click the Update tab and "Check for Updates".
- Once the update has been installed and the program has loaded, select Quick scan
- When the scan is complete, click OK, then Show Results to view the results.
- Be sure that everything is checked, EXCEPT items in System Restore as shown in this sample:
(sample image: http://securitygarden.googlepages.com/MBAM_SR.png)
- Click Remove Selected.
- When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be found here on Windows XP: C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt and C:\Users\UserName\AppData\Roaming\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt on Windows Vista and Windows 7.
- Please post contents of that file in your next reply.
I had to do it all in Safe Mode again; nothing ever works in normal mode. The computer still hasn't started working correctly yet.
Malwarebytes quick scan:
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org
Database version: 4317
Windows 6.0.6001 Service Pack 1 (Safe Mode)
Internet Explorer 8.0.6001.18928
7/15/2010 9:26:01 PM
mbam-log-2010-07-15 (21-26-01).txt
Scan type: Quick scan
Objects scanned: 128356
Time elapsed: 3 minute(s), 41 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
Did System File Checker find anything?
Yeah, it repaired like one file.
It may be necessary to do a repair install. However, first, let's take a look at a Rootkit log.
Please download
GMER Rootkit Scanner from
here (http://www.gmer.net/download.php).
- Double-click the .exe file. If asked to allow gmer.sys driver to load, please consent
- If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO
- In the right panel, you will see several boxes that have been checked. UNtick the following ...
- Sections
- IAT/EAT
- Drives/Partition other than Systemdrive (typically C:\)
- Show All (don't miss this one)
(screenshot: http://i266.photobucket.com/albums/ii277/sUBs_/Gmer_initScan.gif)
- Then click the Scan button & wait for it to finish
- Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post
- Save it where you can easily find it, such as your desktop, and post it in reply
**Caution** Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.
Note: Do not run any programs while Gmer is running.
Hi, dmscott84.
I just learned of a problem some people are having who have Windows Live OneCare. Please see the instructions posted by Stephen Boot, as provided by Microsoft at http://social.microsoft.com/Forums/en-US/onecaregeneral/thread/d58206f4-d23a-49d2-b1ba-fb36f9bce5c1