i think im infected???

Post by staydreamer on Mon Sep 14, 2009 1:48 am

Hi,

I would really appreciate some help here, guys.

I downloaded HijackThis, but when I ran it a pop-up said my system won't let it 'host' or something??? So I don't know if you will be able to tell what's wrong with my laptop!

I am constantly getting a pop-up warning that I have 50 or more infections on my computer. The thing is, the programme that is telling me this is called 'Windows Protection Suite', which isn't something I remember downloading.

I can't use Internet Explorer but i can use Mozilla Firefox.

I am also seeing a pop-up saying something is trying to make a remote connection to my computer and that it is trying to retrieve data from me, and do I want to disallow this connection (which I said 'yes' to), but it keeps happening.

As I write this a pop-up has come up saying I should install urgent updates! But this looks to me like the Windows Protection Suite thing, which I think is a virus.

I also had a pop-up saying a spambot is trying to send a virus to my contacts.

I have no idea where to begin removing this virus... I have avast but don't know how to search and destroy a virus with it. I tried removing it with Windows Defender and I thought it worked, but it keeps coming back.

Please help, as I really don't want it to ruin any of my files etc.

Thank you kindly

Staydreamer x


Re: i think im infected???

Post by Origin on Mon Sep 14, 2009 2:13 am

Hello, see if you can run this version of HijackThis:
[You must be registered and logged in to see this link.]


While my help is always free, please consider donating to keep this site alive: [You must be registered and logged in to see this link.]

[You must be registered and logged in to see this link.]


Re: i think im infected???

Post by staydreamer on Mon Sep 14, 2009 2:16 am

This is what HijackThis found and saved as a log file:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 02:19:10, on 14/09/2009
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18813)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\Google\Quick Search Box\GoogleQuickSearchBox.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\MyWebSearch\bar\2.bin\M3SRCHMN.EXE
C:\Program Files\MyWebSearch\bar\2.bin\MWSOEMON.EXE
C:\Program Files\Hewlett-Packard\HP wireless Assistant\WiFiMsg.EXE
C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\3\3Connect\AutoUpdateSrv.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Huawei technologies\Huawei UMTS Data Card\3 USB Modem.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe
C:\ProgramData\6676c41\WI6676.exe
C:\Program Files\Hewlett-Packard\HP Advisor\SSDK04.exe
C:\Windows\system32\rundll32.exe
C:\Users\LUCEY FAMILY\Desktop\winlogon.scr
C:\Windows\system32\msfeedssync.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\bar\2.bin\MWSSRCAS.DLL
F2 - REG:system.ini: UserInit=C:\Windows\system32\userinit.exe
O1 - Hosts: ::1 localhost
O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\bar\2.bin\MWSSRCAS.DLL
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\2.bin\MWSBAR.DLL
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.2.4204.1700\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_B7C5AC242193BB3E.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
O3 - Toolbar: My Web Search - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\2.bin\MWSBAR.DLL
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [UpdateLBPShortCut] "C:\Program Files\CyberLink\LabelPrint\MUITransfer\MUIStartMenu.exe" "C:\Program Files\CyberLink\LabelPrint" UpdateWithCreateOnce "Software\CyberLink\LabelPrint\2.5"
O4 - HKLM\..\Run: [UpdatePSTShortCut] "C:\Program Files\CyberLink\DVD Suite\MUITransfer\MUIStartMenu.exe" "C:\Program Files\CyberLink\DVD Suite" UpdateWithCreateOnce "Software\CyberLink\PowerStarter"
O4 - HKLM\..\Run: [UCam_Menu] "C:\Program Files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" "C:\Program Files\CyberLink\YouCam" UpdateWithCreateOnce "Software\CyberLink\YouCam\2.0"
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [QlbCtrl.exe] C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [UpdateP2GoShortCut] "C:\Program Files\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe" "C:\Program Files\CyberLink\Power2Go" UpdateWithCreateOnce "SOFTWARE\CyberLink\Power2Go\6.0"
O4 - HKLM\..\Run: [UpdatePDIRShortCut] "C:\Program Files\CyberLink\PowerDirector\MUITransfer\MUIStartMenu.exe" "C:\Program Files\CyberLink\PowerDirector" UpdateWithCreateOnce "SOFTWARE\CyberLink\PowerDirector\7.0"
O4 - HKLM\..\Run: [HP Health Check Scheduler] c:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
O4 - HKLM\..\Run: [Google Quick Search Box] "C:\Program Files\Google\Quick Search Box\GoogleQuickSearchBox.exe" /autorun
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [440740275] C:\Users\LUCEYF~1\AppData\Local\Temp\Reg\EGAMES~1.EXE /r "C:\Users\LUCEYF~1\AppData\Local\Temp\Reg\EGAMES~1.rpd"
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [MyWebSearch Plugin] rundll32 C:\PROGRA~1\MYWEBS~1\bar\2.bin\M3PLUGIN.DLL,UPF
O4 - HKLM\..\Run: [My Web Search Bar Search Scope Monitor] "C:\PROGRA~1\MYWEBS~1\bar\2.bin\m3SrchMn.exe" /m=2 /w /h
O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\2.bin\mwsoemon.exe
O4 - HKCU\..\Run: [LightScribe Control Panel] C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden
O4 - HKCU\..\Run: [HPAdvisor] C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe autorun=AUTORUN
O4 - HKCU\..\Run: [HUAWEI 3G Data Card MTS] C:\Program Files\Huawei technologies\Huawei UMTS Data Card\3 USB Modem.exe
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\windows sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\2.bin\mwsoemon.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [Windows Protection Suite] "C:\ProgramData\6676c41\WI6676.exe" /s /d
O4 - Global Startup: Update Agent.lnk = ?
O8 - Extra context menu item: &Search - [You must be registered and logged in to see this link.]
O8 - Extra context menu item: Add to Google Photos Screensa&ver - [You must be registered and logged in to see this link.]
O8 - Extra context menu item: E&xport to Microsoft Excel - [You must be registered and logged in to see this link.]
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O13 - Gopher Prefix:
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - [You must be registered and logged in to see this link.]
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - [You must be registered and logged in to see this link.]
O17 - HKLM\System\CCS\Services\Tcpip\..\{5258DFBD-3398-4C3C-9BC8-25CB25F0BC5A}: NameServer = 217.171.135.1 217.171.132.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{D3956986-5516-4A7E-A6B9-505840F9DAC7}: NameServer = 217.171.135.1 217.171.132.1
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Com4QLBEx - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe
O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files\HP Games\My HP Game Console\GameConsoleService.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP Health Check Service - Hewlett-Packard - c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: My Web Search Service (MyWebSearchService) - MyWebSearch.com - C:\PROGRA~1\MYWEBS~1\bar\2.bin\mwssvc.exe
O23 - Service: Recovery Service for Windows - Unknown owner - C:\Program Files\SMINST\BLService.exe
O23 - Service: RelevantKnowledge - TMRG, Inc. - C:\Program Files\RelevantKnowledge\rlservice.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 12520 bytes

Staydreamer x


Re: i think im infected???

Post by staydreamer on Mon Sep 14, 2009 2:19 am

Hi, thanks for replying : )

I ran the one you posted and it said the same thing as the last one. However, they both still gave me a logfile to save... is this what you need to see?
Thanks again

Staydreamer x


Re: i think im infected???

Post by Origin on Mon Sep 14, 2009 2:22 am


  • Open HijackThis.
  • Choose "Do a system scan only"
  • Check the boxes in front of these lines:


    O1 - Hosts: ::1 localhost
    O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\bar\2.bin\MWSSRCAS.DLL
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
    O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\2.bin\MWSBAR.DLL
    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
    O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
    O3 - Toolbar: My Web Search - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\2.bin\MWSBAR.DLL
    O4 - HKLM\..\Run: [440740275] C:\Users\LUCEYF~1\AppData\Local\Temp\Reg\EGAMES~1.EXE /r "C:\Users\LUCEYF~1\AppData\Local\Temp\Reg\EGAMES~1.rpd"
    O4 - HKLM\..\Run: [MyWebSearch Plugin] rundll32 C:\PROGRA~1\MYWEBS~1\bar\2.bin\M3PLUGIN.DLL,UPF
    O4 - HKLM\..\Run: [My Web Search Bar Search Scope Monitor] "C:\PROGRA~1\MYWEBS~1\bar\2.bin\m3SrchMn.exe" /m=2 /w /h
    O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\2.bin\mwsoemon.exe
    O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\2.bin\mwsoemon.exe
    O4 - HKCU\..\Run: [Windows Protection Suite] "C:\ProgramData\6676c41\WI6676.exe" /s /d
    O8 - Extra context menu item: &Search - [You must be registered and logged in to see this link.]
    O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files\HP Games\My HP Game Console\GameConsoleService.exe
    O23 - Service: My Web Search Service (MyWebSearchService) - MyWebSearch.com - C:\PROGRA~1\MYWEBS~1\bar\2.bin\mwssvc.exe

  • Press "Fix Checked"
  • Close HijackThis.

1. If you are using Firefox, make sure that your download settings are as follows:

* Tools->Options->Main tab
* Set to "Always ask me where to Save the files".

2. During the download, rename Combofix to Combo-Fix as follows:

3. It is important you rename Combofix during the download, but not after.
4. Please do not rename Combofix to other names, but only to the one indicated.
5. Close any open browsers.
6. We need to disable your local AV (Anti-virus) before running Combofix.

  • See [You must be registered and logged in to see this link.] for how to disable your AV.
  • Double click on ComboFix.exe.
  • Follow the prompts. NOTE:
  • Allow combofix to run
  • Post C:\combofix.txt back here.

    Note:
    Do not mouse click combofix's window whilst it's running. That may cause it to stall.


While my help is always free, please consider donating to keep this site alive: [You must be registered and logged in to see this link.]

[You must be registered and logged in to see this link.]
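As an added example (not code from this forum, from HijackThis or from ComboFix), here is a small Python triage script that parses HijackThis log lines like the ones posted above and flags the entries a helper would look at first. The sample lines are an excerpt of the log in this thread; the name list is taken from the "Fix Checked" list in this post; the path heuristics, the "bare number" rule and the reason strings are my own assumptions, not HijackThis output, and O10 (Winsock LSP) lines are only reported for review, as the helper here did not ask for them to be fixed.

```python
import re
from dataclasses import dataclass, field

# Names the helper in this thread told the poster to "Fix Checked"; used here
# as the reference list of unwanted software (taken from the post, not a product list).
UNWANTED_NAMES = ("MyWebSearch", "My Web Search", "Windows Protection Suite", "RelevantKnowledge")

# Constructed excerpt of the HijackThis log posted earlier in this thread.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [440740275] C:\Users\LUCEYF~1\AppData\Local\Temp\Reg\EGAMES~1.EXE /r "C:\Users\LUCEYF~1\AppData\Local\Temp\Reg\EGAMES~1.rpd"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [Windows Protection Suite] "C:\ProgramData\6676c41\WI6676.exe" /s /d
O10 - Unknown file in Winsock LSP: c:\windows\system32\wpclsp.dll
O23 - Service: My Web Search Service (MyWebSearchService) - MyWebSearch.com - C:\PROGRA~1\MYWEBS~1\bar\2.bin\mwssvc.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
"""


@dataclass
class Finding:
    section: str                # HijackThis section code, e.g. "O4"
    line: str                   # the original log line
    reasons: list = field(default_factory=list)


# "<section> - <body>" is the shape of every HijackThis entry line.
LINE_RE = re.compile(r"^(R\d|F\d|O\d+) - (.*)$")
# O4 bodies look like: HKLM\..\Run: [value name] command line
RUN_RE = re.compile(r"^(HKLM|HKCU)\\\.\.\\Run: \[(.*?)\] (.*)$")
# Assumed heuristic: legitimate software rarely autoruns from a Temp folder or a
# random hex-named directory directly under ProgramData.
SUSPECT_PATH_RE = re.compile(r"\\(Temp|ProgramData\\[0-9a-f]{6,})\\", re.IGNORECASE)


def triage(log_text):
    """Return a list of Finding for every HijackThis line worth a closer look."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if not m:
            continue                      # headers, process list, blank lines
        section, body = m.groups()
        reasons = []
        # Orphaned BHO/toolbar registration: COM object registered, DLL gone.
        if section in ("O2", "O3") and body.endswith("(no file)"):
            reasons.append("orphaned entry: registered object whose file is missing")
        if section in ("O2", "O3", "O4", "O8", "O23") and any(
            n.lower() in body.lower() for n in UNWANTED_NAMES
        ):
            reasons.append("matches a name from the fix list")
        if section == "O4":
            rm = RUN_RE.match(body)
            if rm:
                _hive, name, command = rm.groups()
                if SUSPECT_PATH_RE.search(command):
                    reasons.append("autorun launches from Temp or a random ProgramData directory")
                if name.isdigit():
                    reasons.append("autorun value name is a bare number")
        if section == "O10":
            reasons.append("Winsock LSP not in HijackThis's known list; verify the DLL before touching it")
        if reasons:
            findings.append(Finding(section, line, reasons))
    return findings


def split_by_action(findings):
    """Separate entries to fix from entries that only need manual review (O10)."""
    fix = [f for f in findings if f.section != "O10"]
    review = [f for f in findings if f.section == "O10"]
    return fix, review


if __name__ == "__main__":
    fix, review = split_by_action(triage(SAMPLE_LOG))
    print("Candidates to fix:")
    for f in fix:
        print(f"  {f.line}\n    -> {'; '.join(f.reasons)}")
    print("Review only:")
    for f in review:
        print(f"  {f.line}\n    -> {'; '.join(f.reasons)}")
```

The script deliberately leaves benign entries (avast!, Google Toolbar) unflagged and keeps the O10 lines out of the fix list, mirroring what the helper did in this thread: the fix list is built from the specific adware names and autorun locations in the posted log, not from a generic signature database.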


Re: i think im infected???

Post by staydreamer on Mon Sep 14, 2009 3:48 am

Hi, thanks for that, I followed your instructions... here is the Combo-Fix log.

Does this mean I had a virus/viruses? Have they been cleaned?
Do I need to do anything else?

I very much appreciate you helping me, thank you

Staydreamer x Smile

ComboFix 09-09-13.04 - LUCEY FAMILY 14/09/2009 3:58.1.2 - NTFSx86
Microsoft® Windows Vista™ Home Basic 6.0.6002.2.1252.44.1033.18.1978.1043 [GMT 1:00]
Running from: c:\users\LUCEY FAMILY\Desktop\Combo-Fix.exe
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\$recycle.bin\S-1-5-21-1454332243-2368961939-20836219-500
c:\$recycle.bin\S-1-5-21-2022726262-2766239192-994075664-500
c:\program files\FunWebProducts
c:\program files\MyWebSearch
c:\program files\MyWebSearch\bar\2.bin\F3BKGERR.JPG
c:\program files\MyWebSearch\bar\2.bin\F3CJpeg.dll
c:\program files\MyWebSearch\bar\2.bin\F3DTactl.dll
c:\program files\MyWebSearch\bar\2.bin\F3HISTSW.DLL
c:\program files\MyWebSearch\bar\2.bin\F3HKSTUB.DLL
c:\program files\MyWebSearch\bar\2.bin\F3HTmlmu.dll
c:\program files\MyWebSearch\bar\2.bin\F3HTTPCT.DLL
c:\program files\MyWebSearch\bar\2.bin\F3POPSWT.DLL
c:\program files\MyWebSearch\bar\2.bin\F3PSSAVR.SCR
c:\program files\MyWebSearch\bar\2.bin\F3REGHK.DLL
c:\program files\MyWebSearch\bar\2.bin\F3REPROX.DLL
c:\program files\MyWebSearch\bar\2.bin\F3RESTUB.DLL
c:\program files\MyWebSearch\bar\2.bin\F3SCHMON.EXE
c:\program files\MyWebSearch\bar\2.bin\F3SCRCTR.DLL
c:\program files\MyWebSearch\bar\2.bin\F3SPACER.WMV
c:\program files\MyWebSearch\bar\2.bin\F3WALLPP.DAT
c:\program files\MyWebSearch\bar\2.bin\F3WPHOOK.DLL
c:\program files\MyWebSearch\bar\2.bin\FWPBUDDY.PNG
c:\program files\MyWebSearch\bar\2.bin\M3AUXSTB.DLL
c:\program files\MyWebSearch\bar\2.bin\M3DLGHK.DLL
c:\program files\MyWebSearch\bar\2.bin\M3FFXTBR.JAR
c:\program files\MyWebSearch\bar\2.bin\M3FFXTBR.MANIFEST
c:\program files\MyWebSearch\bar\2.bin\M3HIGHIN.EXE
c:\program files\MyWebSearch\bar\2.bin\M3HTml.dll
c:\program files\MyWebSearch\bar\2.bin\M3IDLE.DLL
c:\program files\MyWebSearch\bar\2.bin\M3IMPIPE.EXE
c:\program files\MyWebSearch\bar\2.bin\M3MEDINT.EXE
c:\program files\MyWebSearch\bar\2.bin\M3MSG.DLL
c:\program files\MyWebSearch\bar\2.bin\M3NTSTBR.JAR
c:\program files\MyWebSearch\bar\2.bin\M3NTSTBR.MANIFEST
c:\program files\MyWebSearch\bar\2.bin\M3OUtlcn.dll
c:\program files\MyWebSearch\bar\2.bin\M3PLUGIN.DLL
c:\program files\MyWebSearch\bar\2.bin\M3SKIN.DLL
c:\program files\MyWebSearch\bar\2.bin\M3SKPLAY.EXE
c:\program files\MyWebSearch\bar\2.bin\M3SLSRCH.EXE
c:\program files\MyWebSearch\bar\2.bin\M3SRCHMN.EXE
c:\program files\MyWebSearch\bar\2.bin\MWSBAR.DLL
c:\program files\MyWebSearch\bar\2.bin\MWSOEMON.EXE
c:\program files\MyWebSearch\bar\2.bin\MWSOEPLG.DLL
c:\program files\MyWebSearch\bar\2.bin\MWSOESTB.DLL
c:\program files\MyWebSearch\bar\2.bin\MWSSRCAS.DLL
c:\program files\MyWebSearch\bar\2.bin\MWSSVC.EXE
c:\program files\MyWebSearch\bar\2.bin\NPMYWEBS.DLL
c:\program files\MyWebSearch\bar\Avatar\COMMON.F3S
c:\program files\MyWebSearch\bar\Game\CHECKERS.F3S
c:\program files\MyWebSearch\bar\Game\CHESS.F3S
c:\program files\MyWebSearch\bar\Game\REVERSI.F3S
c:\program files\MyWebSearch\bar\icons\CM.ICO
c:\program files\MyWebSearch\bar\icons\MFC.ICO
c:\program files\MyWebSearch\bar\icons\PSS.ICO
c:\program files\MyWebSearch\bar\icons\SMILEY.ICO
c:\program files\MyWebSearch\bar\icons\WB.ICO
c:\program files\MyWebSearch\bar\icons\ZWINKY.ICO
c:\program files\MyWebSearch\bar\Message\COMMON.F3S
c:\program files\MyWebSearch\bar\Notifier\COMMON.F3S
c:\program files\MyWebSearch\bar\Notifier\DOG.F3S
c:\program files\MyWebSearch\bar\Notifier\FISH.F3S
c:\program files\MyWebSearch\bar\Notifier\KUNGFU.F3S
c:\program files\MyWebSearch\bar\Notifier\LIFEGARD.F3S
c:\program files\MyWebSearch\bar\Notifier\MAID.F3S
c:\program files\MyWebSearch\bar\Notifier\MAILBOX.F3S
c:\program files\MyWebSearch\bar\Notifier\OPERA.F3S
c:\program files\MyWebSearch\bar\Notifier\ROBOT.F3S
c:\program files\MyWebSearch\bar\Notifier\SEDUCT.F3S
c:\program files\MyWebSearch\bar\Notifier\SURFER.F3S
c:\program files\MyWebSearch\bar\Settings\s_pid.dat
c:\program files\RelevantKnowledge
c:\program files\RelevantKnowledge\chrome.manifest
c:\program files\RelevantKnowledge\components\rlxg.dll
c:\program files\RelevantKnowledge\install.rdf
c:\program files\RelevantKnowledge\rlls.dll
c:\program files\RelevantKnowledge\rloci.bin
c:\program files\RelevantKnowledge\rlph.dll
c:\program files\RelevantKnowledge\rlservice.exe
c:\program files\RelevantKnowledge\rlvknlg.exe
c:\program files\RelevantKnowledge\rlxf.dll
c:\programdata\WINSPSys
c:\programdata\WINSPSys\winps.cfg
c:\users\LUCEY FAMILY\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Windows Protection Suite.lnk
c:\users\LUCEY FAMILY\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows Protection Suite.lnk
c:\users\LUCEY FAMILY\AppData\Roaming\Windows Protection Suite
c:\users\LUCEY FAMILY\AppData\Roaming\Windows Protection Suite\cookies.sqlite
c:\users\LUCEY FAMILY\AppData\Roaming\Windows Protection Suite\Instructions.ini
c:\windows\Installer\2094d.msi
c:\windows\Installer\20951.msi
c:\windows\Installer\20955.msi
c:\windows\Installer\20959.msi
c:\windows\Installer\2095d.msi
c:\windows\Installer\20965.msi
c:\windows\Installer\284a75.msi
c:\windows\system32\f3PSSavr.scr
c:\windows\system32\NTSVc.ocx

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_MyWebSearchService
-------\Service_RelevantKnowledge


((((((((((((((((((((((((( Files Created from 2009-08-14 to 2009-09-14 )))))))))))))))))))))))))))))))
.

2009-09-14 03:08 . 2009-09-14 03:08 -------- d-----w- c:\users\THE KIDS\AppData\Local\temp
2009-09-14 03:08 . 2009-09-14 03:08 -------- d-----w- c:\users\Default\AppData\Local\temp
2009-09-13 03:24 . 2009-09-13 03:24 -------- d-----w- c:\programdata\Office Genuine Advantage
2009-09-13 02:23 . 2009-08-29 00:14 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2009-09-13 02:23 . 2009-08-29 00:27 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2009-09-13 00:33 . 2009-09-13 00:34 -------- d-sh--w- c:\programdata\6676c41
2009-09-09 18:25 . 2009-08-14 16:27 904776 ----a-w- c:\windows\system32\drivers\tcpip.sys
2009-09-09 18:25 . 2009-08-14 13:49 27136 ----a-w- c:\windows\system32\NETSTAT.EXE
2009-09-09 18:25 . 2009-08-14 13:48 105984 ----a-w- c:\windows\system32\netiohlp.dll
2009-09-09 18:25 . 2009-08-14 13:49 9728 ----a-w- c:\windows\system32\TCPSVCS.EXE
2009-09-09 18:25 . 2009-08-14 13:49 11264 ----a-w- c:\windows\system32\MRINFO.EXE
2009-09-09 18:25 . 2009-08-14 13:49 8704 ----a-w- c:\windows\system32\HOSTNAME.EXE
2009-09-09 18:25 . 2009-08-14 13:49 19968 ----a-w- c:\windows\system32\ARP.EXE
2009-09-09 18:25 . 2009-08-14 13:49 10240 ----a-w- c:\windows\system32\finger.exe
2009-09-09 18:25 . 2009-08-14 13:48 30720 ----a-w- c:\windows\system32\drivers\tcpipreg.sys
2009-09-09 18:25 . 2009-08-14 15:53 17920 ----a-w- c:\windows\system32\netevent.dll
2009-09-09 18:25 . 2009-08-14 13:49 17920 ----a-w- c:\windows\system32\ROUTE.EXE
2009-09-09 18:23 . 2009-07-11 19:01 293376 ----a-w- c:\windows\system32\wlanmsm.dll
2009-09-09 18:23 . 2009-07-11 19:01 302592 ----a-w- c:\windows\system32\wlansec.dll
2009-09-09 18:23 . 2009-07-11 19:01 65024 ----a-w- c:\windows\system32\wlanapi.dll
2009-09-09 18:23 . 2009-07-11 17:03 127488 ----a-w- c:\windows\system32\L2SecHC.dll
2009-09-09 18:23 . 2009-07-11 19:01 513536 ----a-w- c:\windows\system32\wlansvc.dll
2009-09-09 18:22 . 2009-06-10 11:41 2868224 ----a-w- c:\windows\system32\mf.dll
2009-09-03 22:38 . 2009-09-03 22:38 -------- d-----w- c:\users\THE KIDS\AppData\Roaming\Apple Computer
2009-09-03 00:06 . 2009-09-03 01:09 -------- d-----w- c:\users\LUCEY FAMILY\AppData\Local\Microsoft Games
2009-08-30 02:04 . 2009-08-30 02:04 -------- d-----w- c:\programdata\muvee Technologies
2009-08-30 01:59 . 2009-08-30 03:02 -------- d-----w- c:\users\LUCEY FAMILY\AppData\Roaming\muvee Technologies
2009-08-28 21:46 . 2009-08-28 21:46 -------- d-----w- c:\users\LUCEY FAMILY\clayton's folder
2009-08-26 19:09 . 2009-06-22 10:09 2048 ----a-w- c:\windows\system32\tzres.dll
2009-08-24 12:39 . 2009-08-24 12:39 -------- d-----w- c:\program files\Disney Interactive
2009-08-18 13:43 . 2009-08-18 13:43 -------- d-----w- c:\users\THE KIDS\AppData\Local\Apple
2009-08-18 10:43 . 2009-09-03 22:38 -------- d-----w- c:\users\THE KIDS\AppData\Local\Apple Computer
2009-08-15 12:17 . 2009-08-15 12:17 -------- d-----w- c:\users\THE KIDS\AppData\Local\Hewlett-Packard
2009-08-15 12:17 . 2009-08-15 12:17 -------- d-----w- c:\users\THE KIDS\AppData\Roaming\Hewlett-Packard
2009-08-15 12:16 . 2009-08-15 12:16 5972 ----a-w- c:\users\THE KIDS\AppData\Local\d3d9caps.dat
2009-08-15 11:17 . 2009-09-12 15:39 -------- d-----w- c:\users\THE KIDS\AppData\Roaming\LimeWire
2009-08-15 10:28 . 2009-08-15 10:28 -------- d-----w- c:\users\THE KIDS\AppData\Local\Mozilla

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-14 02:50 . 2009-09-14 01:14 0 ---ha-w- c:\users\LUCEY FAMILY\BIT135B.tmp
2009-09-13 03:15 . 2009-05-11 18:59 1356 ----a-w- c:\users\LUCEY FAMILY\AppData\Local\d3d9caps.dat
2009-09-13 02:32 . 2008-10-28 13:11 -------- d-----w- c:\programdata\Microsoft Help
2009-09-13 01:02 . 2009-06-28 20:35 -------- d-----w- c:\program files\Common Files\Apple
2009-09-11 00:39 . 2008-10-28 12:32 -------- d-----w- c:\program files\HP Games
2009-09-11 00:25 . 2008-10-28 12:32 -------- d-----w- c:\programdata\WildTangent
2009-09-07 18:49 . 2009-08-09 09:57 -------- d-----w- c:\users\LUCEY FAMILY\AppData\Roaming\LimeWire
2009-08-25 12:42 . 2009-05-08 21:14 -------- d-----w- c:\program files\Google
2009-08-24 12:40 . 2008-10-28 12:14 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-08-15 02:36 . 2009-08-15 02:36 -------- d-----w- c:\users\LUCEY FAMILY\AppData\Roaming\DivX
2009-08-14 14:58 . 2009-08-14 14:58 75264 ----a-w- c:\users\THE KIDS\AppData\Local\GDIPFONTCACHEV1.DAT
2009-08-14 14:58 . 2009-08-14 14:58 -------- d-----w- c:\users\THE KIDS\AppData\Roaming\Birdstep Technology
2009-08-13 02:55 . 2009-08-09 09:57 -------- d-----w- c:\program files\LimeWire
2009-08-06 01:01 . 2009-06-30 01:54 -------- d-----w- c:\program files\Eusing Free Registry Cleaner
2009-08-06 00:04 . 2009-08-06 00:04 -------- d-----w- c:\program files\Alwil Software
2009-08-05 23:27 . 2008-10-28 13:26 -------- d-----w- c:\program files\Java
2009-08-05 23:25 . 2009-06-30 02:12 -------- d-----w- c:\program files\Eusing Free Registry Defrag
2009-08-05 23:24 . 2009-06-24 18:15 -------- d-----w- c:\program files\Pixarra
2009-08-05 23:24 . 2009-07-22 23:11 -------- d-----w- c:\program files\Common Files\Adobe AIR
2009-08-05 23:22 . 2009-05-09 14:04 -------- d-----w- c:\programdata\Skype
2009-08-05 23:21 . 2009-06-16 19:28 -------- d-----w- c:\program files\Zultrax P2P
2009-08-05 23:20 . 2009-05-08 19:49 -------- d-----w- c:\users\LUCEY FAMILY\AppData\Roaming\uTorrent
2009-08-05 23:00 . 2009-08-04 00:12 -------- d-----w- c:\program files\InterActual
2009-08-05 22:57 . 2009-06-24 18:01 -------- d-----w- c:\program files\buZZ
2009-08-05 17:31 . 2009-08-04 17:28 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-08-04 17:03 . 2009-07-08 14:11 -------- d-----w- c:\programdata\avg8
2009-08-03 14:07 . 2009-08-03 14:07 403816 ----a-w- c:\windows\system32\OGACheckControl.dll
2009-08-03 14:07 . 2009-08-03 14:07 322928 ----a-w- c:\windows\system32\OGAAddin.dll
2009-08-03 14:07 . 2009-08-03 14:07 230768 ----a-w- c:\windows\system32\OGAEXEC.exe
2009-07-25 04:23 . 2009-06-14 12:14 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-07-22 23:11 . 2009-07-22 23:11 -------- d-----w- c:\users\LUCEY FAMILY\AppData\Roaming\BBCiPlayerDesktop.61DB7A798358575D6A969CCD73DDBBD723A6DA9D.1
2009-07-22 23:11 . 2009-07-22 23:11 -------- d-----w- c:\program files\BBC iPlayer Desktop
2009-07-21 21:52 . 2009-07-28 18:25 915456 ----a-w- c:\windows\system32\wininet.dll
2009-07-21 21:47 . 2009-07-28 18:25 109056 ----a-w- c:\windows\system32\iesysprep.dll
2009-07-21 21:47 . 2009-07-28 18:25 71680 ----a-w- c:\windows\system32\iesetup.dll
2009-07-21 20:13 . 2009-07-28 18:25 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2009-07-17 13:54 . 2009-08-12 22:38 71680 ----a-w- c:\windows\system32\atl.dll
2009-07-15 12:40 . 2009-08-12 22:37 8147456 ----a-w- c:\windows\system32\wmploc.DLL
2009-07-15 12:39 . 2009-08-12 22:38 313344 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-15 12:39 . 2009-08-12 22:38 4096 ----a-w- c:\windows\system32\dxmasf.dll
2009-07-15 12:39 . 2009-08-12 22:38 7680 ----a-w- c:\windows\system32\spwmp.dll
2008-10-28 12:40 . 2008-10-28 12:30 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LightScribe Control Panel"="c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe" [2008-06-09 2363392]
"HPAdvisor"="c:\program files\Hewlett-Packard\HP Advisor\HPAdvisor.exe" [2008-09-30 972080]
"HUAWEI 3G Data Card MTS"="c:\program files\Huawei technologies\Huawei UMTS Data Card\3 USB Modem.exe" [2008-01-27 344064]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-05-08 39408]
"Sidebar"="c:\program files\windows sidebar\sidebar.exe" [2009-04-11 1233920]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-04-17 1049896]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-07-10 150040]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-07-10 170520]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-07-10 145944]
"UpdateLBPShortCut"="c:\program files\CyberLink\LabelPrint\MUITransfer\MUIStartMenu.exe" [2008-06-14 210216]
"UpdatePSTShortCut"="c:\program files\CyberLink\DVD Suite\MUITransfer\MUIStartMenu.exe" [2008-10-07 210216]
"UCam_Menu"="c:\program files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" [2007-12-24 222504]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]
"QlbCtrl.exe"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2008-08-01 202032]
"UpdateP2GoShortCut"="c:\program files\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe" [2008-06-14 210216]
"UpdatePDIRShortCut"="c:\program files\CyberLink\PowerDirector\MUITransfer\MUIStartMenu.exe" [2008-06-14 210216]
"HP Health Check Scheduler"="c:\program files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2008-10-09 75008]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2008-04-15 488752]
"Google Quick Search Box"="c:\program files\Google\Quick Search Box\GoogleQuickSearchBox.exe" [2009-05-08 68592]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2008-10-21 468264]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Update Agent.lnk - c:\program files\3\3Connect\AutoUpdateSrv.exe [2009-6-2 670256]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
"HideFastUserSwitching"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux1"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):ac,c2,29,cd,56,fe,c9,01

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{3A69561E-60A6-4502-80F6-4C7C966CD1B1}"= UDP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{222B57A2-B02D-4EE1-B216-780B07322A43}"= TCP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{6CDC11EA-B4BA-4917-9658-626879B6D7F4}"= c:\program files\CyberLink\PowerDirector\PDR.EXE:CyberLink PowerDirector
"{B0A347FF-D786-423D-A945-550937B2B249}"= c:\program files\HP\QuickPlay\QP.exe:Quick Play
"{687BC71D-CD96-44D0-9CF0-594E4DB0C682}"= c:\program files\HP\QuickPlay\QPService.exe:Quick Play Resident Program
"{E047E863-2F47-42DA-BDB4-795C27289738}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{11A05523-30A4-418C-8DEB-9B6FA6E7B837}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{6F254348-7DC7-42B4-B308-452023BE6827}"= UDP:c:\windows\Temp\~osAEC7.tmp\rlvknlg.exe:rlvknlg.exe
"TCP Query User{560742F8-DD55-4183-8B18-3549BD840EBF}c:\\program files\\huawei technologies\\huawei umts data card\\3 usb modem.exe"= UDP:c:\program files\huawei technologies\huawei umts data card\3 usb modem.exe:3 USB Modem
"UDP Query User{F080AEAD-6837-4910-9094-D291A1D1D7F6}c:\\program files\\huawei technologies\\huawei umts data card\\3 usb modem.exe"= TCP:c:\program files\huawei technologies\huawei umts data card\3 usb modem.exe:3 USB Modem
"{DD95CC97-A55C-44C6-8192-17E609C73659}"= UDP:c:\windows\Temp\~os2829.tmp\rlvknlg.exe:rlvknlg.exe
"{6A635151-82A4-4A92-8F9A-DBFA3475CBBE}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{423384F9-7925-4E49-8EF9-54F6DC96F518}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes
"{932F80CB-5841-4383-80A4-FF3F443D1E3D}"= UDP:c:\program files\LimeWire\LimeWire.exe:LimeWire
"{F128729C-7F86-49D9-9692-E1449C134A60}"= TCP:c:\program files\LimeWire\LimeWire.exe:LimeWire
"{A7F5B494-9B75-491F-A90B-A31FE56B0B3D}"= UDP:c:\program files\RelevantKnowledge\rlvknlg.exe:rlvknlg.exe
"{98CEA3C3-783E-4E2E-B7B7-537D1EDB5CA5}"= TCP:c:\program files\RelevantKnowledge\rlvknlg.exe:rlvknlg.exe
"{DE9A5AD3-C9F5-4724-82B5-963EACFFB1E2}"= UDP:c:\program files\RelevantKnowledge\rlvknlg.exe:rlvknlg.exe
"{6A78A613-956E-405F-98D7-62D6BC807B6D}"= TCP:c:\program files\RelevantKnowledge\rlvknlg.exe:rlvknlg.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)
"DoNotAllowExceptions"= 1 (0x1)

R1 aswSP;avast! Self Protection;c:\windows\System32\drivers\aswSP.sys [06/08/2009 01:04 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\System32\drivers\aswFsBlk.sys [06/08/2009 01:04 20560]
R2 aswMonFlt;aswMonFlt;c:\windows\System32\drivers\aswMonFlt.sys [06/08/2009 01:04 51792]
R2 ezSharedSvc;Easybits Shared Services for Windows;c:\windows\system32\svchost.exe -k netsvcs [21/01/2008 03:33 21504]
R2 Recovery Service for Windows;Recovery Service for Windows;c:\program files\SMINST\BLService.exe [28/10/2008 14:29 365952]
R3 Com4QLBEx;Com4QLBEx;c:\program files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe [28/10/2008 13:29 193840]
R3 IntcHdmiAddService;Intel(R) High Definition Audio HDMI;c:\windows\System32\drivers\IntcHdmi.sys [29/06/2008 15:52 112128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
ezSharedSvc

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\System32\rundll32.exe" "c:\windows\System32\iedkcs32.dll",BrandIEActiveSetup SIGNUP

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"c:\program files\Common Files\LightScribe\LSRunOnce.exe"
.
Contents of the 'Scheduled Tasks' folder

2009-09-14 c:\windows\Tasks\HPCeeScheduleForLUCEY FAMILY.job
- c:\program files\hewlett-packard\sdp\ceement\HPCEE.exe [2008-10-28 18:34]

2009-09-14 c:\windows\Tasks\User_Feed_Synchronization-{7F387A97-AE76-4D19-8487-C14C85FC8326}.job
- c:\windows\system32\msfeedssync.exe [2009-07-28 20:13]
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
mStart Page = [You must be registered and logged in to see this link.]
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
LSP: c:\windows\system32\wpclsp.dll
TCP: {5258DFBD-3398-4C3C-9BC8-25CB25F0BC5A} = 217.171.135.1 217.171.132.1
TCP: {D3956986-5516-4A7E-A6B9-505840F9DAC7} = 217.171.135.1 217.171.132.1
FF - ProfilePath - c:\users\LUCEY FAMILY\AppData\Roaming\Mozilla\Firefox\Profiles\g8nm7run.default\
FF - prefs.js: browser.search.selectedEngine - MyWebSearch
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - prefs.js: keyword.URL - [You must be registered and logged in to see this link.]
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPMyWebS.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
HKLM-Run-MyWebSearch Plugin - c:\progra~1\MYWEBS~1\bar\2.bin\M3PLUGIN.DLL
HKLM-Run-My Web Search Bar Search Scope Monitor - c:\progra~1\MYWEBS~1\bar\2.bin\m3SrchMn.exe



**************************************************************************
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0004\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0005\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0006\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0007\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0008\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0009\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0010\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0011\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0012\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0013\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0014\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0015\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\audiodg.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\CyberLink\Shared files\RichVideo.exe
c:\windows\System32\drivers\XAudio.exe
c:\program files\Alwil Software\Avast4\ashMaiSv.exe
c:\program files\Alwil Software\Avast4\ashWebSv.exe
c:\windows\System32\igfxsrvc.exe
c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe
c:\program files\Alwil Software\Avast4\ashDisp.exe
c:\program files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\program files\Synaptics\SynTP\SynTPHelper.exe
c:\windows\servicing\TrustedInstaller.exe
.
**************************************************************************
.
Completion time: 2009-09-14 4:17 - machine was rebooted
ComboFix-quarantined-files.txt 2009-09-14 03:17

Pre-Run: 103,479,087,104 bytes free
Post-Run: 104,368,005,120 bytes free

424 --- E O F --- 2009-09-13 01:28


Re: i think im infected???

Post by Belahzur on Mon Sep 14, 2009 9:20 pm

Now open a new notepad file.
Input this into the notepad file:

Driver::
ezSharedSvc

NetSvc::
ezSharedSvc

Firefox::
FF - ProfilePath - c:\users\LUCEY FAMILY\AppData\Roaming\Mozilla\Firefox\Profiles\g8nm7run.default\
FF - prefs.js: browser.search.selectedEngine - MyWebSearch
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - prefs.js: keyword.URL - [You must be registered and logged in to see this link.]
FF - prefs.js: keyword.URL - [You must be registered and logged in to see this link.]
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPMyWebS.dll

Save this as CFScript.txt, save it to your desktop also.
Then drag and drop CFScript.txt into combofix as seen below:


This will open combofix again, agree to its terms and allow it to run.
It may want to reboot after it's done. (It will warn you if it wants to)
Post the resulting log back here.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


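Worked example, added to this thread and not part of either poster's material or of ComboFix itself: a small Python triage script that reads lines in the layout of the log posted above and flags the entries a responder would want to look at first. The heuristics are assumptions drawn from what that log shows, not ComboFix rules: a firewall exception for an executable sitting under a Temp directory, names tied to RelevantKnowledge and MyWebSearch, a Public firewall profile with EnableFirewall set to 0, and Firefox prefs or plugins pointing at a third-party search provider. The `Firefox::` block it prints copies the flagged FF lines in the layout of the CFScript in the reply above (assumption: that is what the directive takes); it is text for a human to review, nothing is executed. The sample input is a constructed excerpt of the posted log, not a full log.

```python
"""Triage a ComboFix-style log excerpt for the entries worth a closer look.

Added example for this thread; not ComboFix's code and not the forum
helper's script. The heuristics are assumptions drawn from what the
posted log shows: firewall exceptions for a program under a Temp
directory, names tied to RelevantKnowledge / MyWebSearch, a disabled
Public firewall profile, and Firefox prefs/plugins pointing at a
third-party search provider.
"""
import re

# Constructed sample: a subset of lines excerpted from the log posted above.
SAMPLE_LOG = r"""
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{E047E863-2F47-42DA-BDB4-795C27289738}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{6F254348-7DC7-42B4-B308-452023BE6827}"= UDP:c:\windows\Temp\~osAEC7.tmp\rlvknlg.exe:rlvknlg.exe
"{DD95CC97-A55C-44C6-8192-17E609C73659}"= UDP:c:\windows\Temp\~os2829.tmp\rlvknlg.exe:rlvknlg.exe
"{A7F5B494-9B75-491F-A90B-A31FE56B0B3D}"= UDP:c:\program files\RelevantKnowledge\rlvknlg.exe:rlvknlg.exe
"{F128729C-7F86-49D9-9692-E1449C134A60}"= TCP:c:\program files\LimeWire\LimeWire.exe:LimeWire

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)
"DoNotAllowExceptions"= 1 (0x1)

FF - prefs.js: browser.search.selectedEngine - MyWebSearch
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPMyWebS.dll
"""

# '"name"= value' lines inside a [bracketed] registry section.
REG_VALUE = re.compile(r'^"(?P<name>[^"]*)"=\s*(?P<value>.+)$')
# A path component named Temp or tmp anywhere in the executable path.
TEMP_DIR = re.compile(r"\\(?:temp|tmp)\\", re.I)
# Assumed marker list: names that appear in this thread's log.
PUP_MARKERS = ("relevantknowledge", "rlvknlg.exe", "mywebsearch", "npmywebs.dll")


def parse_firewall_rule(line):
    """Split a FirewallRules value into protocol, program path and description."""
    m = REG_VALUE.match(line)
    if not m:
        return None
    value = m.group("value")
    proto = None
    if value[:4].upper() in ("TCP:", "UDP:"):
        proto, value = value[:3].upper(), value[4:]
    # The description follows the last colon; the path keeps its own "c:".
    path, sep, desc = value.rpartition(":")
    if not sep:
        path, desc = value, ""
    return {"name": m.group("name"), "proto": proto, "path": path, "desc": desc}


def classify(text):
    """Return the reasons a path or log line deserves attention (empty if none)."""
    low = text.lower()
    reasons = []
    if TEMP_DIR.search(low):
        reasons.append("executable under a temporary directory")
    if any(marker in low for marker in PUP_MARKERS):
        reasons.append("matches a known adware/PUP name")
    return reasons


def triage(log_text):
    """Walk the log once and collect (kind, item, reason) findings in log order."""
    findings = []
    section = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if line.startswith("FF - "):
            reasons = classify(line)
            if reasons:
                findings.append(("firefox-hijack", line, "; ".join(reasons)))
        elif section.endswith("firewallrules"):
            rule = parse_firewall_rule(line)
            if rule:
                reasons = classify(rule["path"])
                if reasons:
                    findings.append(("firewall-exception", rule["path"], "; ".join(reasons)))
        elif section.endswith("publicprofile"):
            if re.match(r'"EnableFirewall"=\s*0\b', line):
                findings.append(("firewall-disabled", "PublicProfile", "EnableFirewall is 0"))
    return findings


def cfscript_firefox_section(findings):
    """Render flagged FF lines in the 'Firefox::' layout used in the reply above.

    Assumption: the directive takes a verbatim copy of each log line, as in
    that post; this only prepares text for a human to review, never runs it.
    """
    lines = [item for kind, item, _ in findings if kind == "firefox-hijack"]
    return "Firefox::\n" + "\n".join(lines) + "\n" if lines else ""


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for kind, item, why in results:
        print(f"{kind:<19} {item}\n{'':<19} -> {why}")
    print(cfscript_firefox_section(results), end="")
```

Run it with `python triage.py` (hypothetical file name). On the excerpt it reports the two rlvknlg.exe exceptions under c:\windows\Temp, the RelevantKnowledge copy, the disabled Public profile, and the two MyWebSearch lines, and leaves Bonjour, LimeWire and the Picasa plugin alone. The Temp-directory test is the useful one: an installed program has no reason to hold a firewall exception for a copy of itself in a temporary folder, so those rules are a trace of something that ran from there. Note that in the posted log the Public profile also has EnableFirewall set to 0, so none of the exception entries matter until the firewall is back on; the script flags that separately rather than folding it into the rule checks.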

Re: i think im infected???

Post by staydreamer on Mon Sep 14, 2009 11:05 pm

Hi there, thanks for your reply :D

I did as you said and here is the log:

ComboFix 09-09-13.04 - LUCEY FAMILY 14/09/2009 23:14.2.2 - NTFSx86
Microsoft® Windows Vista™ Home Basic 6.0.6002.2.1252.44.1033.18.1978.750 [GMT 1:00]
Running from: c:\users\LUCEY FAMILY\Desktop\Combo-Fix.exe
Command switches used :: c:\users\LUCEY FAMILY\Desktop\CFScript.txt
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_ezSharedSvc


((((((((((((((((((((((((( Files Created from 2009-08-14 to 2009-09-14 )))))))))))))))))))))))))))))))
.

2009-09-14 22:30 . 2009-09-14 22:30 -------- d-----w- c:\users\Public\AppData\Local\temp
2009-09-14 22:30 . 2009-09-14 22:30 -------- d-----w- c:\users\Default\AppData\Local\temp
2009-09-14 03:17 . 2009-09-14 22:31 -------- d-----w- c:\users\THE KIDS\AppData\Local\temp
2009-09-13 03:24 . 2009-09-13 03:24 -------- d-----w- c:\programdata\Office Genuine Advantage
2009-09-13 02:23 . 2009-08-29 00:14 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2009-09-13 02:23 . 2009-08-29 00:27 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2009-09-13 00:33 . 2009-09-13 00:34 -------- d-sh--w- c:\programdata\6676c41
2009-09-09 18:25 . 2009-08-14 16:27 904776 ----a-w- c:\windows\system32\drivers\tcpip.sys
2009-09-09 18:25 . 2009-08-14 13:49 27136 ----a-w- c:\windows\system32\NETSTAT.EXE
2009-09-09 18:25 . 2009-08-14 13:48 105984 ----a-w- c:\windows\system32\netiohlp.dll
2009-09-09 18:25 . 2009-08-14 13:49 9728 ----a-w- c:\windows\system32\TCPSVCS.EXE
2009-09-09 18:25 . 2009-08-14 13:49 11264 ----a-w- c:\windows\system32\MRINFO.EXE
2009-09-09 18:25 . 2009-08-14 13:49 8704 ----a-w- c:\windows\system32\HOSTNAME.EXE
2009-09-09 18:25 . 2009-08-14 13:49 19968 ----a-w- c:\windows\system32\ARP.EXE
2009-09-09 18:25 . 2009-08-14 13:49 10240 ----a-w- c:\windows\system32\finger.exe
2009-09-09 18:25 . 2009-08-14 13:48 30720 ----a-w- c:\windows\system32\drivers\tcpipreg.sys
2009-09-09 18:25 . 2009-08-14 15:53 17920 ----a-w- c:\windows\system32\netevent.dll
2009-09-09 18:25 . 2009-08-14 13:49 17920 ----a-w- c:\windows\system32\ROUTE.EXE
2009-09-09 18:23 . 2009-07-11 19:01 293376 ----a-w- c:\windows\system32\wlanmsm.dll
2009-09-09 18:23 . 2009-07-11 19:01 302592 ----a-w- c:\windows\system32\wlansec.dll
2009-09-09 18:23 . 2009-07-11 19:01 65024 ----a-w- c:\windows\system32\wlanapi.dll
2009-09-09 18:23 . 2009-07-11 17:03 127488 ----a-w- c:\windows\system32\L2SecHC.dll
2009-09-09 18:23 . 2009-07-11 19:01 513536 ----a-w- c:\windows\system32\wlansvc.dll
2009-09-09 18:22 . 2009-06-10 11:41 2868224 ----a-w- c:\windows\system32\mf.dll
2009-09-03 22:38 . 2009-09-03 22:38 -------- d-----w- c:\users\THE KIDS\AppData\Roaming\Apple Computer
2009-09-03 00:06 . 2009-09-03 01:09 -------- d-----w- c:\users\LUCEY FAMILY\AppData\Local\Microsoft Games
2009-08-30 02:04 . 2009-08-30 02:04 -------- d-----w- c:\programdata\muvee Technologies
2009-08-30 01:59 . 2009-08-30 03:02 -------- d-----w- c:\users\LUCEY FAMILY\AppData\Roaming\muvee Technologies
2009-08-28 21:46 . 2009-08-28 21:46 -------- d-----w- c:\users\LUCEY FAMILY\clayton's folder
2009-08-26 19:09 . 2009-06-22 10:09 2048 ----a-w- c:\windows\system32\tzres.dll
2009-08-24 12:39 . 2009-08-24 12:39 -------- d-----w- c:\program files\Disney Interactive
2009-08-18 13:43 . 2009-08-18 13:43 -------- d-----w- c:\users\THE KIDS\AppData\Local\Apple
2009-08-18 10:43 . 2009-09-03 22:38 -------- d-----w- c:\users\THE KIDS\AppData\Local\Apple Computer

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-14 22:11 . 2009-09-14 01:14 0 ---ha-w- c:\users\LUCEY FAMILY\BIT135B.tmp
2009-09-13 03:15 . 2009-05-11 18:59 1356 ----a-w- c:\users\LUCEY FAMILY\AppData\Local\d3d9caps.dat
2009-09-13 02:32 . 2008-10-28 13:11 -------- d-----w- c:\programdata\Microsoft Help
2009-09-13 01:02 . 2009-06-28 20:35 -------- d-----w- c:\program files\Common Files\Apple
2009-09-12 15:39 . 2009-08-15 11:17 -------- d-----w- c:\users\THE KIDS\AppData\Roaming\LimeWire
2009-09-11 00:39 . 2008-10-28 12:32 -------- d-----w- c:\program files\HP Games
2009-09-11 00:25 . 2008-10-28 12:32 -------- d-----w- c:\programdata\WildTangent
2009-09-07 18:49 . 2009-08-09 09:57 -------- d-----w- c:\users\LUCEY FAMILY\AppData\Roaming\LimeWire
2009-08-25 12:42 . 2009-05-08 21:14 -------- d-----w- c:\program files\Google
2009-08-24 12:40 . 2008-10-28 12:14 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-08-17 16:10 . 2009-08-06 00:04 1279456 ----a-w- c:\windows\system32\aswBoot.exe
2009-08-17 16:05 . 2009-08-06 00:04 114768 ----a-w- c:\windows\system32\drivers\aswSP.sys
2009-08-17 16:05 . 2009-08-06 00:04 20560 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2009-08-17 16:05 . 2009-08-06 00:04 53328 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2009-08-17 16:04 . 2009-08-06 00:04 51376 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2009-08-17 16:04 . 2009-08-06 00:04 23152 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2009-08-17 16:02 . 2009-08-06 00:04 97480 ----a-w- c:\windows\system32\AvastSS.scr
2009-08-15 12:17 . 2009-08-15 12:17 -------- d-----w- c:\users\THE KIDS\AppData\Roaming\Hewlett-Packard
2009-08-15 12:16 . 2009-08-15 12:16 5972 ----a-w- c:\users\THE KIDS\AppData\Local\d3d9caps.dat
2009-08-15 02:36 . 2009-08-15 02:36 -------- d-----w- c:\users\LUCEY FAMILY\AppData\Roaming\DivX
2009-08-14 14:58 . 2009-08-14 14:58 75264 ----a-w- c:\users\THE KIDS\AppData\Local\GDIPFONTCACHEV1.DAT
2009-08-14 14:58 . 2009-08-14 14:58 -------- d-----w- c:\users\THE KIDS\AppData\Roaming\Birdstep Technology
2009-08-13 02:55 . 2009-08-09 09:57 -------- d-----w- c:\program files\LimeWire
2009-08-06 01:01 . 2009-06-30 01:54 -------- d-----w- c:\program files\Eusing Free Registry Cleaner
2009-08-06 00:04 . 2009-08-06 00:04 -------- d-----w- c:\program files\Alwil Software
2009-08-05 23:27 . 2008-10-28 13:26 -------- d-----w- c:\program files\Java
2009-08-05 23:25 . 2009-06-30 02:12 -------- d-----w- c:\program files\Eusing Free Registry Defrag
2009-08-05 23:24 . 2009-06-24 18:15 -------- d-----w- c:\program files\Pixarra
2009-08-05 23:24 . 2009-07-22 23:11 -------- d-----w- c:\program files\Common Files\Adobe AIR
2009-08-05 23:22 . 2009-05-09 14:04 -------- d-----w- c:\programdata\Skype
2009-08-05 23:21 . 2009-06-16 19:28 -------- d-----w- c:\program files\Zultrax P2P
2009-08-05 23:20 . 2009-05-08 19:49 -------- d-----w- c:\users\LUCEY FAMILY\AppData\Roaming\uTorrent
2009-08-05 23:00 . 2009-08-04 00:12 -------- d-----w- c:\program files\InterActual
2009-08-05 22:57 . 2009-06-24 18:01 -------- d-----w- c:\program files\buZZ
2009-08-05 17:31 . 2009-08-04 17:28 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-08-04 17:03 . 2009-07-08 14:11 -------- d-----w- c:\programdata\avg8
2009-08-03 14:07 . 2009-08-03 14:07 403816 ----a-w- c:\windows\system32\OGACheckControl.dll
2009-08-03 14:07 . 2009-08-03 14:07 322928 ----a-w- c:\windows\system32\OGAAddin.dll
2009-08-03 14:07 . 2009-08-03 14:07 230768 ----a-w- c:\windows\system32\OGAEXEC.exe
2009-07-25 04:23 . 2009-06-14 12:14 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-07-22 23:11 . 2009-07-22 23:11 -------- d-----w- c:\users\LUCEY FAMILY\AppData\Roaming\BBCiPlayerDesktop.61DB7A798358575D6A969CCD73DDBBD723A6DA9D.1
2009-07-22 23:11 . 2009-07-22 23:11 -------- d-----w- c:\program files\BBC iPlayer Desktop
2009-07-21 21:52 . 2009-07-28 18:25 915456 ----a-w- c:\windows\system32\wininet.dll
2009-07-21 21:47 . 2009-07-28 18:25 109056 ----a-w- c:\windows\system32\iesysprep.dll
2009-07-21 21:47 . 2009-07-28 18:25 71680 ----a-w- c:\windows\system32\iesetup.dll
2009-07-21 20:13 . 2009-07-28 18:25 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2009-07-17 13:54 . 2009-08-12 22:38 71680 ----a-w- c:\windows\system32\atl.dll
2009-07-15 12:40 . 2009-08-12 22:37 8147456 ----a-w- c:\windows\system32\wmploc.DLL
2009-07-15 12:39 . 2009-08-12 22:38 313344 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-15 12:39 . 2009-08-12 22:38 4096 ----a-w- c:\windows\system32\dxmasf.dll
2009-07-15 12:39 . 2009-08-12 22:38 7680 ----a-w- c:\windows\system32\spwmp.dll
2008-10-28 12:40 . 2008-10-28 12:30 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
.

((((((((((((((((((((((((((((( [You must be registered and logged in to see this link.] )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-06-27 14:55 . 2009-09-14 03:32 65536 c:\windows\tracing\RASPPTP.BIN
- 2009-06-27 14:55 . 2009-06-30 02:15 65536 c:\windows\tracing\RASPPTP.BIN
- 2009-06-27 14:55 . 2009-06-30 02:15 65536 c:\windows\tracing\RASL2TP.BIN
+ 2009-06-27 14:55 . 2009-09-14 03:32 65536 c:\windows\tracing\RASL2TP.BIN
+ 2009-06-27 14:55 . 2009-09-14 03:32 65536 c:\windows\tracing\IPSEC.BIN
- 2009-06-27 14:55 . 2009-06-30 02:15 65536 c:\windows\tracing\IPSEC.BIN
+ 2008-01-21 01:58 . 2009-09-14 03:40 52602 c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
- 2009-01-15 21:42 . 2009-09-14 03:11 16384 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-01-15 21:42 . 2009-09-14 21:09 16384 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-01-15 21:42 . 2009-09-14 21:09 49152 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-01-15 21:42 . 2009-09-14 03:11 49152 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-01-15 21:42 . 2009-09-14 21:09 16384 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2009-01-15 21:42 . 2009-09-14 03:11 16384 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2006-11-02 10:25 . 2009-09-14 04:13 86016 c:\windows\inf\infstor.dat
- 2006-11-02 10:25 . 2009-09-13 02:33 86016 c:\windows\inf\infstor.dat
- 2006-11-02 10:25 . 2009-09-13 02:33 51200 c:\windows\inf\infpub.dat
+ 2006-11-02 10:25 . 2009-09-14 04:13 51200 c:\windows\inf\infpub.dat
+ 2009-08-15 12:17 . 2009-09-14 16:58 3312 c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-1454332243-2368961939-20836219-1001_UserData.bin
+ 2009-05-08 17:49 . 2009-09-14 22:35 9162 c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-1454332243-2368961939-20836219-1000_UserData.bin
+ 2009-09-14 22:33 . 2009-09-14 22:33 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2009-09-13 02:21 . 2009-08-06 13:45 100352 c:\windows\winsxs\x86_microsoft-windows-ie-iecompat_31bf3856ad364e35_8.0.6001.22909_none_846b4b875fcce288\iecompat.dll
+ 2009-09-13 02:21 . 2009-08-06 03:44 100352 c:\windows\winsxs\x86_microsoft-windows-ie-iecompat_31bf3856ad364e35_8.0.6001.18819_none_83d6ded046b75eaf\iecompat.dll
+ 2009-06-27 14:55 . 2009-09-14 03:32 131072 c:\windows\tracing\RASSSTP.BIN
+ 2006-11-02 13:02 . 2009-09-14 22:35 102334 c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
- 2006-11-02 10:33 . 2009-09-13 09:06 600378 c:\windows\System32\perfh009.dat
+ 2006-11-02 10:33 . 2009-09-14 17:01 600378 c:\windows\System32\perfh009.dat
- 2006-11-02 10:33 . 2009-09-13 09:06 105852 c:\windows\System32\perfc009.dat
+ 2006-11-02 10:33 . 2009-09-14 17:01 105852 c:\windows\System32\perfc009.dat
+ 2008-05-15 01:35 . 2008-05-15 01:35 237568 c:\windows\System32\DriverStore\FileRepository\waherza.inf_cfd9fde5\UCI32A30.dll
+ 2008-10-03 02:39 . 2008-10-03 02:39 222208 c:\windows\System32\DriverStore\FileRepository\waherza.inf_cfd9fde5\CHDRT32.sys
- 2008-06-05 16:58 . 2008-06-05 16:58 222208 c:\windows\System32\drivers\CHDRT32.sys
+ 2008-10-03 02:39 . 2008-10-03 02:39 222208 c:\windows\System32\drivers\CHDRT32.sys
+ 2009-05-08 19:37 . 2009-09-14 22:32 702240 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache3.0.0.0.dat
- 2006-11-02 10:25 . 2009-09-13 02:33 143360 c:\windows\inf\infstrng.dat
+ 2006-11-02 10:25 . 2009-09-14 04:13 143360 c:\windows\inf\infstrng.dat
+ 2006-11-02 10:22 . 2009-09-14 04:05 6291456 c:\windows\System32\SMI\Store\Machine\SCHEMA.DAT
- 2006-11-02 10:22 . 2009-09-13 02:58 6291456 c:\windows\System32\SMI\Store\Machine\SCHEMA.DAT
+ 2008-05-13 06:26 . 2008-05-13 06:26 1024000 c:\windows\System32\DriverStore\FileRepository\waherza.inf_cfd9fde5\UIU32a.exe
+ 2008-10-03 06:33 . 2008-10-03 06:33 1870848 c:\windows\System32\DriverStore\FileRepository\waherza.inf_cfd9fde5\CnxtAp32.dll
+ 2008-06-05 17:06 . 2008-10-03 06:33 1870848 c:\windows\System32\CnxtAp32.dll
- 2008-06-05 17:06 . 2008-06-05 17:06 1870848 c:\windows\System32\CnxtAp32.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LightScribe Control Panel"="c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe" [2008-06-09 2363392]
"HPAdvisor"="c:\program files\Hewlett-Packard\HP Advisor\HPAdvisor.exe" [2008-09-30 972080]
"HUAWEI 3G Data Card MTS"="c:\program files\Huawei technologies\Huawei UMTS Data Card\3 USB Modem.exe" [2008-01-27 344064]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-05-08 39408]
"Sidebar"="c:\program files\windows sidebar\sidebar.exe" [2009-04-11 1233920]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-04-17 1049896]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-07-10 150040]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-07-10 170520]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-07-10 145944]
"UpdateLBPShortCut"="c:\program files\CyberLink\LabelPrint\MUITransfer\MUIStartMenu.exe" [2008-06-14 210216]
"UpdatePSTShortCut"="c:\program files\CyberLink\DVD Suite\MUITransfer\MUIStartMenu.exe" [2008-10-07 210216]
"UCam_Menu"="c:\program files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" [2007-12-24 222504]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]
"QlbCtrl.exe"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2008-08-01 202032]
"UpdateP2GoShortCut"="c:\program files\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe" [2008-06-14 210216]
"UpdatePDIRShortCut"="c:\program files\CyberLink\PowerDirector\MUITransfer\MUIStartMenu.exe" [2008-06-14 210216]
"HP Health Check Scheduler"="c:\program files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2008-10-09 75008]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2008-04-15 488752]
"Google Quick Search Box"="c:\program files\Google\Quick Search Box\GoogleQuickSearchBox.exe" [2009-05-08 68592]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2008-10-21 468264]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-08-17 81000]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Update Agent.lnk - c:\program files\3\3Connect\AutoUpdateSrv.exe [2009-6-2 670256]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
"HideFastUserSwitching"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux1"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):ac,c2,29,cd,56,fe,c9,01

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{3A69561E-60A6-4502-80F6-4C7C966CD1B1}"= UDP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{222B57A2-B02D-4EE1-B216-780B07322A43}"= TCP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{6CDC11EA-B4BA-4917-9658-626879B6D7F4}"= c:\program files\CyberLink\PowerDirector\PDR.EXE:CyberLink PowerDirector
"{B0A347FF-D786-423D-A945-550937B2B249}"= c:\program files\HP\QuickPlay\QP.exe:Quick Play
"{687BC71D-CD96-44D0-9CF0-594E4DB0C682}"= c:\program files\HP\QuickPlay\QPService.exe:Quick Play Resident Program
"{E047E863-2F47-42DA-BDB4-795C27289738}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{11A05523-30A4-418C-8DEB-9B6FA6E7B837}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{6F254348-7DC7-42B4-B308-452023BE6827}"= UDP:c:\windows\Temp\~osAEC7.tmp\rlvknlg.exe:rlvknlg.exe
"TCP Query User{560742F8-DD55-4183-8B18-3549BD840EBF}c:\\program files\\huawei technologies\\huawei umts data card\\3 usb modem.exe"= UDP:c:\program files\huawei technologies\huawei umts data card\3 usb modem.exe:3 USB Modem
"UDP Query User{F080AEAD-6837-4910-9094-D291A1D1D7F6}c:\\program files\\huawei technologies\\huawei umts data card\\3 usb modem.exe"= TCP:c:\program files\huawei technologies\huawei umts data card\3 usb modem.exe:3 USB Modem
"{DD95CC97-A55C-44C6-8192-17E609C73659}"= UDP:c:\windows\Temp\~os2829.tmp\rlvknlg.exe:rlvknlg.exe
"{6A635151-82A4-4A92-8F9A-DBFA3475CBBE}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{423384F9-7925-4E49-8EF9-54F6DC96F518}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes
"{932F80CB-5841-4383-80A4-FF3F443D1E3D}"= UDP:c:\program files\LimeWire\LimeWire.exe:LimeWire
"{F128729C-7F86-49D9-9692-E1449C134A60}"= TCP:c:\program files\LimeWire\LimeWire.exe:LimeWire
"{A7F5B494-9B75-491F-A90B-A31FE56B0B3D}"= UDP:c:\program files\RelevantKnowledge\rlvknlg.exe:rlvknlg.exe
"{98CEA3C3-783E-4E2E-B7B7-537D1EDB5CA5}"= TCP:c:\program files\RelevantKnowledge\rlvknlg.exe:rlvknlg.exe
"{DE9A5AD3-C9F5-4724-82B5-963EACFFB1E2}"= UDP:c:\program files\RelevantKnowledge\rlvknlg.exe:rlvknlg.exe
"{6A78A613-956E-405F-98D7-62D6BC807B6D}"= TCP:c:\program files\RelevantKnowledge\rlvknlg.exe:rlvknlg.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"DoNotAllowExceptions"= 1 (0x1)

R1 aswSP;avast! Self Protection;c:\windows\System32\drivers\aswSP.sys [06/08/2009 01:04 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\System32\drivers\aswFsBlk.sys [06/08/2009 01:04 20560]
R2 aswMonFlt;aswMonFlt;c:\windows\System32\drivers\aswMonFlt.sys [06/08/2009 01:04 53328]
R2 Recovery Service for Windows;Recovery Service for Windows;c:\program files\SMINST\BLService.exe [28/10/2008 14:29 365952]
R3 Com4QLBEx;Com4QLBEx;c:\program files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe [28/10/2008 13:29 193840]
R3 IntcHdmiAddService;Intel(R) High Definition Audio HDMI;c:\windows\System32\drivers\IntcHdmi.sys [29/06/2008 15:52 112128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\System32\rundll32.exe" "c:\windows\System32\iedkcs32.dll",BrandIEActiveSetup SIGNUP

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"c:\program files\Common Files\LightScribe\LSRunOnce.exe"
.
Contents of the 'Scheduled Tasks' folder

2009-09-14 c:\windows\Tasks\HPCeeScheduleForLUCEY FAMILY.job
- c:\program files\hewlett-packard\sdp\ceement\HPCEE.exe [2008-10-28 18:34]

2009-09-14 c:\windows\Tasks\User_Feed_Synchronization-{7F387A97-AE76-4D19-8487-C14C85FC8326}.job
- c:\windows\system32\msfeedssync.exe [2009-07-28 20:13]
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
mStart Page = [You must be registered and logged in to see this link.]
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
LSP: c:\windows\system32\wpclsp.dll
TCP: {20104F07-A437-44DB-81D7-3455F1A4D7D2} = 217.171.135.1 217.171.132.1
TCP: {5258DFBD-3398-4C3C-9BC8-25CB25F0BC5A} = 217.171.135.1 217.171.132.1
FF - ProfilePath - c:\users\LUCEY FAMILY\AppData\Roaming\Mozilla\Firefox\Profiles\g8nm7run.default\
FF - prefs.js: browser.search.selectedEngine - MyWebSearch
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - prefs.js: keyword.URL - [You must be registered and logged in to see this link.]
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPMyWebS.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2009-09-14 23:33
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0004\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0005\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0006\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0007\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0008\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0009\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0010\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0011\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0012\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0013\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0014\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0015\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\audiodg.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\CyberLink\Shared files\RichVideo.exe
c:\windows\System32\drivers\XAudio.exe
c:\program files\Alwil Software\Avast4\ashMaiSv.exe
c:\program files\Alwil Software\Avast4\ashWebSv.exe
c:\windows\System32\igfxsrvc.exe
c:\program files\Alwil Software\Avast4\ashDisp.exe
c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\windows\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe
c:\program files\Hewlett-Packard\HP Health Check\HPHC_Service.exe
c:\windows\servicing\TrustedInstaller.exe
.
**************************************************************************
.
Completion time: 2009-09-14 23:39 - machine was rebooted
ComboFix-quarantined-files.txt 2009-09-14 22:39
ComboFix2.txt 2009-09-14 03:17

Pre-Run: 104,193,732,608 bytes free
Post-Run: 104,198,082,560 bytes free

373 --- E O F --- 2009-09-14 21:48


Re: i think im infected???

Post by Belahzur on Mon Sep 14, 2009 11:25 pm

Hello.
One more time, I made a mistake in my script.

Now open a new notepad file.
Input this into the notepad file:

Firefox::
FF - ProfilePath - c:\users\LUCEY FAMILY\AppData\Roaming\Mozilla\Firefox\Profiles\g8nm7run.default\
FF - prefs.js: browser.search.selectedEngine - MyWebSearch
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - prefs.js: keyword.URL - [You must be registered and logged in to see this link.]
FF - prefs.js: keyword.URL - [You must be registered and logged in to see this link.]
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPMyWebS.dll

Save this as CFScript.txt, save it to your desktop also.
Then drag and drop CFScript.txt into combofix as seen below:


This will open ComboFix again; agree to its terms and allow it to run.
It may want to reboot after it's done. (It will warn you if it wants to.)
Post the resulting log back here.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.
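The instructions above build the CFScript's Firefox:: section by hand-copying the FF lines from the ComboFix log, which is where the earlier "mistake in my script" crept in (a duplicated line). As an added example, not code from the forum or from ComboFix, here is a small Python triage script that reads lines in the log's format, flags firewall allow-rules for executables living in a Temp directory or matching a known unwanted program, and generates a de-duplicated Firefox:: section from the FF lines that reference the MyWebSearch hijacker. The sample log text, the profile path, the hxxp URLs and the PUP_MARKERS list are constructed for this example; the assumption that a Firefox:: section lists the log's FF lines verbatim follows the usage shown in the post above.

```python
import re

# Constructed sample lines in ComboFix log format. They mirror the kinds of entries
# seen in the thread's log, but the profile path and URLs are made up.
SAMPLE_LOG = """\
[HKLM\\~\\services\\sharedaccess\\parameters\\firewallpolicy\\FirewallRules]
"{6F254348-7DC7-42B4-B308-452023BE6827}"= UDP:c:\\windows\\Temp\\~osAEC7.tmp\\rlvknlg.exe:rlvknlg.exe
"{A7F5B494-9B75-491F-A90B-A31FE56B0B3D}"= UDP:c:\\program files\\RelevantKnowledge\\rlvknlg.exe:rlvknlg.exe
"{6A635151-82A4-4A92-8F9A-DBFA3475CBBE}"= UDP:c:\\program files\\iTunes\\iTunes.exe:iTunes
"{B0A347FF-D786-423D-A945-550937B2B249}"= c:\\program files\\HP\\QuickPlay\\QP.exe:Quick Play

------- Supplementary Scan -------
FF - ProfilePath - c:\\users\\Example\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\abcd1234.default\\
FF - prefs.js: browser.search.selectedEngine - MyWebSearch
FF - prefs.js: browser.startup.homepage - hxxp://home.mywebsearch.example/
FF - prefs.js: keyword.URL - hxxp://search.mywebsearch.example/?q=
FF - prefs.js: keyword.URL - hxxp://search.mywebsearch.example/?q=
FF - plugin: c:\\program files\\Google\\Picasa3\\npPicasa3.dll
FF - plugin: c:\\program files\\Mozilla Firefox\\plugins\\NPMyWebS.dll
"""

# One FirewallRules entry: "{GUID}"= [TCP:|UDP:]<program path>:<display name>
FIREWALL_RULE = re.compile(
    r'^"(?P<guid>\{[0-9A-Fa-f-]+\})"= (?:(?P<proto>TCP|UDP):)?'
    r'(?P<path>[A-Za-z]:\\.*?):(?P<name>[^:]+)$'
)

# Constructed indicator list for the unwanted components discussed in the thread
# (MyWebSearch toolbar/plugin and RelevantKnowledge).
PUP_MARKERS = ("mywebsearch", "relevantknowledge", "npmywebs")


def parse_firewall_rules(log_text):
    """Return the FirewallRules entries as dicts with guid, proto, path and name."""
    rules = []
    for line in log_text.splitlines():
        m = FIREWALL_RULE.match(line.strip())
        if m:
            entry = m.groupdict()
            entry["proto"] = entry["proto"] or "ANY"   # no prefix means any protocol
            rules.append(entry)
    return rules


def suspicious_firewall_rules(rules):
    """Flag allow-rules whose program sits in a Temp directory or matches a PUP marker.

    Returns (guid, path, reason) tuples. A firewall exception for a program that runs
    out of c:\\windows\\Temp is a strong sign something installed itself silently.
    """
    flagged = []
    for r in rules:
        p = r["path"].lower()
        if "\\temp\\" in p:
            flagged.append((r["guid"], r["path"], "executable in a Temp directory"))
        elif any(marker in p for marker in PUP_MARKERS):
            flagged.append((r["guid"], r["path"], "known unwanted program"))
    return flagged


def build_firefox_cfscript(log_text, markers=PUP_MARKERS):
    """Build the Firefox:: section of a CFScript from the log's FF lines.

    The ProfilePath line is always kept; pref and plugin lines are kept only when they
    reference one of the markers, and duplicate lines are dropped so the hand-copy
    mistake from the thread cannot recur.
    """
    kept = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line.startswith("FF - "):
            continue
        if line.startswith("FF - ProfilePath") or any(mk in line.lower() for mk in markers):
            if line not in kept:
                kept.append(line)
    return "Firefox::\n" + "\n".join(kept) + "\n"


if __name__ == "__main__":
    for guid, path, reason in suspicious_firewall_rules(parse_firewall_rules(SAMPLE_LOG)):
        print(f"{reason}: {path} ({guid})")
    print()
    print(build_firefox_cfscript(SAMPLE_LOG))
```

Run it against a saved ComboFix.txt by reading the file into `log_text` instead of `SAMPLE_LOG`; the Firefox:: output is what would be pasted into CFScript.txt, and the flagged firewall rules are the entries worth asking the helper about before running anything.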



Re: i think im infected???

Post by staydreamer on Mon Sep 14, 2009 11:59 pm

Hi, I just ran ComboFix again, and while the log was being compiled a pop-up said Windows has encountered a critical something or other, services and something else has stopped working, and Windows will reboot in 60 seconds, so save my work now. Then the log came up, but instead of saving it I exited by mistake. Does this mean I will have to repeat your instructions again and put your script into ComboFix, or is it already there, so I should just run it without putting your script in again???

sorry for the mistake : (


Re: i think im infected???

Post by Belahzur on Tue Sep 15, 2009 5:44 pm

Hello.
It's okay, you don't need to repeat it; ComboFix will still have done its job.

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /u



This will also reset your restore points.

How is the machine running now?





Re: i think im infected???

Post by staydreamer on Tue Sep 15, 2009 9:38 pm

Hi, it doesn't say Run or have a box to write in when I go to Start... what should I do?

Thanks for helping me out, guys... I really appreciate your help.

staydreamer x
