Dr. Guard and other stuff

Dr. Guard and other stuff

Post by ltlfroggie on Fri Mar 12, 2010 1:32 pm

Daughter was on my laptop (yeah...I know)...called me and said some message popped up that I had a virus and did I want to click this button to clean it. I told her no, but it had already infiltrated my computer.

I can't even boot my computer in regular mode, so I'm in safe mode (I'm writing this on our desktop). The only thing I see different is a new program called Dr. Guard.

I know this is going to be difficult using two different computers...

Help!

Jackie

ltlfroggie
Intermediate
Posts : 97
Joined : 2009-11-05
OS : XP

Re: Dr. Guard and other stuff

Post by Dr Jay on Fri Mar 12, 2010 3:17 pm

Hello! We need to do some diagnostics to get started.

1. Please download [You must be registered and logged in to see this link.] by noahdfear.
  • Save it to your desktop.
  • Double-click profiles.exe and post its log when you reply.


2. Download [You must be registered and logged in to see this link.] by ad13 and save it to your Desktop.
  • Double-click Win32kDiag.exe to run Win32kDiag and let it finish.
  • When it states "Finished! Press any key to exit...", press any key on your keyboard to close the program.
  • Double-click on the Win32kDiag.txt file that is located on your Desktop and post the entire contents of that log as a reply to this topic.


3. Please download [You must be registered and logged in to see this link.] by me, and save to your Desktop.
  • Double-click on Cheetah-Anti-Rogue.zip, and extract the file to your Desktop.
  • Double-click on Cheetah-Anti-Rogue.cmd to start.
  • It will finish quickly and launch a log.
  • Post the contents of it in your next reply.


4. In your next reply, please post the following logs for my review:
  • Profiles log (1)
  • Win32kDiag log (2)
  • Cheetah log (3)


Thanks!


Dr. Jay (DJ)


Dr Jay
Head Administrator
Posts : 13707
Joined : 2009-09-06
Gender : Male
OS : Windows 10 Home & Pro

Re: Dr. Guard and other stuff

Post by ltlfroggie on Sat Mar 13, 2010 2:24 pm

How do I do all of this while on a different computer? My laptop will only go into safe mode...I'm on a different computer right now.

Thanks.

Re: Dr. Guard and other stuff

Post by ltlfroggie on Sat Mar 13, 2010 3:09 pm

I was able to burn the programs to a CD and put them onto my laptop, but I can't post the logs because I don't know how to get them back off my laptop. CD burner doesn't work in Safe Mode I'm guessing?

Re: Dr. Guard and other stuff

Post by ltlfroggie on Sat Mar 13, 2010 3:20 pm

I'm running Win32kDiag.exe on my laptop right now and it seems to have stopped at

Cannot access: C:\WINDOWS\system32\drivers\nptly.sys

Any thoughts? It has been there for at least the last 10 minutes...

Re: Dr. Guard and other stuff

Post by ltlfroggie on Sat Mar 13, 2010 3:36 pm

Only because it is easy to type - the Cheetah-Anti-Rogue log is this:

Microsoft Windows XP (version 5.1.2600)
date: 3/10/2010 - Time: 15:55:54 - Arch.: x86 (note by me...my clock never updates itself...dumb clock)

-- Malware removal tools check --

Malwarebytes' Anti-Malware
SUPERAntiSpyware

--Known infection--

C:\Program Files\Internet Explorer\wmpscfgs.exe (Trj.Agent)
C:\DOCUME~1\Mine\LOCALS~1\Temp\asr64_ldm.exe (Dr. Guard.RGE)
C:\Program Files\Dr. Guard (Dr. Guard.RGE)

Extra message: Detection only.


EOF

Re: Dr. Guard and other stuff

Post by Dr Jay on Sat Mar 13, 2010 6:51 pm

Please download ComboFix from [You must be registered and logged in to see this link.]

[You must be registered and logged in to see this link.]

[You must be registered and logged in to see this link.]

Rename ComboFix.exe to commy.exe before you save it to your Desktop.
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. A guide to do this can be found [You must be registered and logged in to see this link.]
  • Click Start>Run, then copy and paste the following command into the Run box & click OK: "%userprofile%\desktop\commy.exe" /stepdel
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.


Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


  • Click on Yes, to continue scanning for malware.
  • When finished, it shall produce a log for you. Please include the contents of C:\ComboFix.txt in your next reply.


Dr. Jay (DJ)


Re: Dr. Guard and other stuff

Post by ltlfroggie on Sun Mar 14, 2010 12:21 am

ComboFix 10-03-13.01 - Mine 03/13/2010 17:20:36.1.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.695 [GMT -6:00]
Running from: c:\documents and settings\Mine\desktop\commy.exe
Command switches used :: /stepdel

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
The following files were disabled during the run:
c:\documents and settings\Mine\Local Settings\Application Data\Windows Server\mlthnj.dll


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\documents and settings\Mine\Local Settings\Application Data\Windows Server\mlthnj.dll
c:\program files\Dr. Guard
c:\recycler\S-1-5-21-1624380954-1207379783-2283124489-1003
c:\windows\system32\hetiluso.dll
c:\windows\system32\sisifeme.exe
c:\windows\TEMP\logishrd\LVPrcInj02.dll
c:\docume~1\Mine\LOCALS~1\Temp\lsass.exe
c:\documents and settings\All Users\Application Data\_VOIDmainqt.dll
c:\documents and settings\Mine\agrsmmsg .exe
c:\documents and settings\Mine\cfsserv .exe
c:\documents and settings\Mine\Local Settings\Application Data\av.exe
c:\documents and settings\Mine\Local Settings\Application Data\Windows Server\mlthnj.dll
c:\documents and settings\Mine\Local Settings\Temporary Internet Files\k01oP03m.jpg
c:\documents and settings\Mine\Local Settings\Temporary Internet Files\m1B6MM81.jpg
c:\documents and settings\Mine\Local Settings\Temporary Internet Files\OByMa.jpg
c:\documents and settings\Mine\Local Settings\Temporary Internet Files\YXbNmYaa.jpg
c:\documents and settings\Mine\My Documents\ZbThumbnail.info
c:\documents and settings\Mine\ndstray .exe
c:\documents and settings\Mine\rundll32 .exe
c:\documents and settings\Mine\rundll32.exe
c:\documents and settings\Mine\tctrliohook .exe
c:\documents and settings\Mine\tdispvol .exe
c:\documents and settings\Mine\tfncky .exe
c:\documents and settings\Mine\tpsmain .exe
c:\documents and settings\Mine\zoominghook .exe
C:\LOG136.tmp
C:\LOG19A.tmp
C:\LOG1E5.tmp
c:\program files\Adobe\acrotray .exe
c:\program files\Dr. Guard\about.ico
c:\program files\Dr. Guard\activate.ico
c:\program files\Dr. Guard\buy.ico
c:\program files\Dr. Guard\drg.db
c:\program files\Dr. Guard\drgext.dll
c:\program files\Dr. Guard\drghook.dll
c:\program files\Dr. Guard\drguard.exe
c:\program files\Dr. Guard\help.ico
c:\program files\Dr. Guard\scan.ico
c:\program files\Dr. Guard\settings.ico
c:\program files\Dr. Guard\uninstall.exe
c:\program files\Dr. Guard\update.ico
c:\program files\Internet Explorer\js.mui
c:\program files\Internet Explorer\wmpscfgs.exe
c:\recycler\S-1-5-21-1624380954-1207379783-2283124489-1003\desktop.ini
c:\recycler\S-1-5-21-1624380954-1207379783-2283124489-1003\INFO2
c:\windows\COUPON~1.OCX
c:\windows\CouponPrinter.ocx
c:\windows\system32\_VOIDefulelscfb.dll
c:\windows\system32\_VOIDfqfmoionio.dat
c:\windows\system32\_VOIDhdrubwgfcq.dll
c:\windows\system32\_VOIDjgitddmvoe.dll
c:\windows\system32\_VOIDmfeklnmal.dll
c:\windows\system32\6to4v32.dll
c:\windows\system32\BSTIEPrintCtl1.dll
c:\windows\system32\certstore.dat
c:\windows\system32\chhbym.dll
c:\windows\system32\ctfmon .exe
c:\windows\system32\dmeshw.dll
c:\windows\system32\fesxo1i.dll
c:\windows\system32\hkcmd .exe
c:\windows\system32\Iasex.dll
c:\windows\system32\igfxpers .exe
c:\windows\system32\igfxtray .exe
c:\windows\system32\ldyuoc.dll
c:\windows\system32\miropubi.dll
c:\windows\system32\powermgr.sys
c:\windows\system32\rundll32 .exe
c:\windows\system32\tctrliohook .exe
c:\windows\system32\tdispvol .exe
c:\windows\system32\Thumbs.db
c:\windows\system32\tpsmain .exe
c:\windows\system32\uhglov.dll
c:\windows\system32\zijevari.dll
c:\windows\system32\zoominghook .exe
c:\windows\system32\zumefipo.dll
c:\windows\Tasks\jbkpfnoa.job

----- BITS: Possible infected sites -----

[You must be registered and logged in to see this link.]
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_6TO4
-------\Legacy_IAS
-------\Legacy__VOIDd.sys
-------\Legacy__VOIDEPMKPYLBEQ
-------\Legacy__VOIDHXJIPORNSI
-------\Service__VOIDd.sys
-------\Service__VOIDepmkpylbeq
-------\Service__VOIDhxjipornsi
-------\Service_6to4
-------\Service_Ias
-------\Legacy_powermgr
-------\Service_powermgr


((((((((((((((((((((((((( Files Created from 2010-02-13 to 2010-03-13 )))))))))))))))))))))))))))))))
.

2010-03-13 23:36 . 2010-03-13 23:36 -------- d-----w- c:\windows\LastGood
2010-03-13 23:36 . 2010-03-13 23:36 -------- d-sh--w- c:\documents and settings\LocalService\PrivacIE
2010-03-11 00:48 . 2010-03-11 00:48 102400 --sh--w- c:\windows\system32\pafuhudi.dll
2010-03-11 00:48 . 2010-03-11 00:48 90112 --sh--w- c:\windows\system32\fatifera.dll
2010-03-11 00:48 . 2010-03-11 00:48 49152 --sh--w- c:\windows\system32\desedefi.dll
2010-03-11 00:46 . 2010-03-10 21:46 40448 ----a-w- c:\documents and settings\Mine\cfsserv.exe
2010-03-11 00:46 . 2010-03-10 21:46 40448 ----a-w- c:\documents and settings\Mine\tdispvol.exe
2010-03-11 00:46 . 2010-03-10 21:46 40448 ----a-w- c:\documents and settings\Mine\tfncky.exe
2010-03-11 00:46 . 2010-03-10 21:46 40448 ----a-w- c:\documents and settings\Mine\tctrliohook.exe
2010-03-11 00:45 . 2010-03-10 21:46 40448 ----a-w- c:\documents and settings\Mine\zoominghook.exe
2010-03-11 00:45 . 2010-03-10 21:46 40448 ----a-w- c:\documents and settings\Mine\tpsmain.exe
2010-03-11 00:45 . 2010-03-13 23:56 823296 ----a-w- c:\windows\system32\drivers\nptly.sys
2010-03-11 00:45 . 2010-03-13 23:56 40448 ----a-w- c:\documents and settings\Mine\ndstray.exe
2010-03-11 00:45 . 2010-03-13 23:56 40448 ----a-w- c:\documents and settings\Mine\agrsmmsg.exe
2010-03-11 00:45 . 2010-03-11 00:45 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2010-03-11 00:45 . 2010-03-11 00:45 -------- d-----w- c:\windows\_VOIDhxjipornsi
2010-03-11 00:45 . 2010-03-11 00:45 -------- d-----w- c:\windows\_VOIDepmkpylbeq
2010-03-11 00:44 . 2010-03-13 23:21 -------- d-----w- c:\documents and settings\Mine\Local Settings\Application Data\Windows Server
2010-03-10 22:03 . 2010-03-10 21:44 -------- d-----w- C:\Commy
2010-03-10 22:02 . 2010-03-10 22:02 -------- d-sh--w- c:\documents and settings\NetworkService\PrivacIE
2010-03-10 22:01 . 2010-03-10 22:01 40448 ----a-w- c:\windows\system32\cfsserv.exe
2010-03-10 22:01 . 2010-03-10 22:01 40448 ----a-w- c:\windows\system32\tfncky.exe
2010-03-10 22:01 . 2010-03-10 22:01 40448 ----a-w- c:\windows\system32\ndstray.exe
2010-03-10 22:01 . 2010-03-10 22:01 40448 ----a-w- c:\windows\system32\agrsmmsg.exe
2010-03-10 21:47 . 2010-03-13 23:12 -------- d-----w- C:\Commy31524C
2010-03-10 21:45 . 2010-03-10 21:45 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE
2010-03-04 14:25 . 2010-03-04 14:33 23109 ----a-w- c:\windows\hpqins15.dat
2010-03-04 14:14 . 2010-03-04 14:14 -------- d-----w- c:\documents and settings\All Users\Application Data\HP Product Assistant
2010-03-04 14:01 . 2010-03-04 14:25 77374 ----a-w- c:\windows\hpqins05.dat
2010-03-02 02:11 . 2010-03-02 02:11 -------- d-----w- c:\documents and settings\Mine\Application Data\FCTB000060497
1601-01-01 00:00 . 1601-01-01 00:00 0 ----a-w- c:\program files\1315234.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-14 00:00 . 2008-12-27 03:17 -------- d-----w- c:\documents and settings\All Users\Application Data\ATTToolbar
2010-03-13 23:59 . 2008-09-08 00:18 -------- d-----w- c:\documents and settings\Mine\Application Data\Skype
2010-03-13 23:58 . 2008-09-08 00:19 -------- d-----w- c:\documents and settings\Mine\Application Data\skypePM
2010-03-13 23:58 . 2010-03-13 23:56 40448 ----a-w- c:\documents and settings\Mine\rundll32.exe
2010-03-13 23:57 . 2010-02-05 22:31 -------- d-----w- c:\program files\iTunes
2010-03-13 23:57 . 2010-02-05 22:24 -------- d-----w- c:\program files\QuickTime
2010-03-13 23:57 . 2008-12-27 03:16 -------- d-----w- c:\program files\ATT-SST
2010-03-13 23:57 . 2007-07-08 22:46 -------- d-----w- c:\program files\Lexmark 9300 Series
2010-03-13 23:56 . 2005-12-29 18:44 -------- d-----w- c:\program files\ltmoh
2010-03-13 23:56 . 2005-12-29 18:26 -------- d-----w- c:\program files\Apoint2K
2010-03-13 23:56 . 2006-01-03 00:30 40448 ----a-w- c:\windows\system32\igfxpers.exe
2010-03-13 23:56 . 2006-01-03 00:30 40448 ----a-w- c:\windows\system32\hkcmd.exe
2010-03-13 23:56 . 2010-03-13 23:56 40448 ----a-w- c:\documents and settings\Mine\rundll32 .exe
2010-03-13 23:56 . 2008-08-24 22:52 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-03-11 00:47 . 2008-12-27 03:17 -------- d-----w- c:\documents and settings\Mine\Application Data\ATTToolbar
2010-03-10 21:45 . 2006-01-03 00:30 40448 ----a-w- c:\windows\system32\igfxpers .exe
2010-03-10 21:45 . 2006-01-03 00:30 40448 ----a-w- c:\windows\system32\hkcmd .exe
2010-03-08 12:46 . 2009-12-13 21:08 63272 ---ha-w- c:\windows\system32\mlfcache.dat
2010-03-04 21:31 . 2009-06-16 16:27 -------- d-----w- c:\documents and settings\Mine\Application Data\HPAppData
2010-03-04 21:25 . 2009-04-20 19:26 -------- d-----w- c:\documents and settings\All Users\Application Data\HP
2010-03-04 14:33 . 2009-08-21 12:24 -------- d-----w- c:\documents and settings\Mine\Application Data\HpUpdate
2010-03-04 14:22 . 2006-08-17 18:28 79584 ----a-w- c:\documents and settings\Mine\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-02-26 01:52 . 2008-09-12 01:02 0 ----a-w- c:\windows\system32\drivers\lvuvc.hs
2010-02-26 01:52 . 2008-09-12 01:02 0 ----a-w- c:\windows\system32\drivers\logiflt.iad
2010-02-25 16:03 . 2009-08-03 14:42 -------- d-----w- c:\program files\MyPoints Toolbar 2.0
2010-02-05 22:32 . 2006-08-27 23:00 -------- d-----w- c:\program files\iPod
2010-02-05 22:31 . 2007-07-03 16:17 -------- d-----w- c:\program files\Common Files\Apple
2010-02-01 13:16 . 2010-02-01 13:16 -------- d-----w- c:\program files\Cozi Express
2010-02-01 13:16 . 2008-12-08 01:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Cozi
2010-01-13 22:34 . 2010-01-13 22:34 934704 ----a-w- c:\windows\system32\CoziScreensaver.scr
2010-01-07 22:07 . 2008-08-24 22:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-07 22:07 . 2008-08-24 22:39 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-31 16:50 . 2005-12-29 06:28 353792 ------w- c:\windows\system32\drivers\srv.sys
2009-12-21 19:14 . 2005-12-29 06:29 916480 ----a-w- c:\windows\system32\wininet.dll
2009-12-16 18:43 . 2005-12-29 17:18 343040 ------w- c:\windows\system32\mspaint.exe
2009-12-14 07:08 . 2005-12-29 06:28 33280 ------w- c:\windows\system32\csrsrv.dll
1601-01-01 00:03 . 1601-01-01 00:03 70656 --sha-w- c:\windows\system32\darekove.dll
2009-03-20 15:18 . 1601-01-01 00:12 95232 --sha-w- c:\windows\system32\fogiguzu.dll
2009-03-20 15:18 . 1601-01-01 00:12 127488 --sha-w- c:\windows\system32\gipekoji.dll
2009-03-21 22:12 . 1601-01-01 00:12 129536 --sha-w- c:\windows\system32\jisideso.dll
1601-01-01 00:03 . 1601-01-01 00:03 47616 --sha-w- c:\windows\system32\kelarozo.dll
2009-03-21 22:09 . 1601-01-01 00:12 94720 --sha-w- c:\windows\system32\malaruwo.dll
2009-03-21 22:08 . 1601-01-01 00:12 128000 --sha-w- c:\windows\system32\noripipi.dll
2009-03-21 22:08 . 1601-01-01 00:12 94720 --sha-w- c:\windows\system32\tefifohi.dll
2009-03-21 22:09 . 1601-01-01 00:12 129536 --sha-w- c:\windows\system32\wevejaga.dll
2009-03-21 22:12 . 1601-01-01 00:12 94720 --sha-w- c:\windows\system32\yepizidu.dll
.
Code:
c:\program files\Adobe\acrotray .exe
c:\program files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy .exe
c:\program files\Adobe\Reader 9.0\Reader\reader_sl .exe
c:\program files\Apoint2K\apoint .exe
c:\program files\ATT-SST\mccitrayapp .exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\applesyncnotifier .exe
c:\program files\Common Files\LogiShrd\LComMgr\communications_helper .exe
c:\program files\Common Files\Real\Update_OB\realsched .exe
c:\program files\Google\GoogleToolbarNotifier\googletoolbarnotifier .exe
c:\program files\HP\Digital Imaging\bin\hpqsrmon .exe
c:\program files\HP\HP Software Update\hpwuschd2 .exe
c:\program files\Intel\Wireless\Bin\ifrmewrk .exe
c:\program files\Intel\Wireless\Bin\zcfgsvc .exe
c:\program files\iTunes\ituneshelper .exe
c:\program files\Java\jre6\bin\jusched .exe
c:\program files\LeapFrog\LeapFrog Connect\monitor .exe
c:\program files\Lexmark 9300 Series\ezprint .exe
c:\program files\Lexmark 9300 Series\fm3032 .exe
c:\program files\Lexmark 9300 Series\lxcqmon .exe
c:\program files\Logitech\QuickCam\quickcam .exe
c:\program files\ltmoh\ltmoh .exe
c:\program files\QuickTime\qttask    .exe
c:\program files\QuickTime\qttask    .exe
c:\program files\QuickTime\qttask  .exe
c:\program files\QuickTime\qttask  .exe
c:\program files\QuickTime\qttask .exe
c:\program files\Shutterfly\Studio\Bin\sflystudio .exe
c:\program files\Skype\Phone\skype .exe
c:\program files\SUPERAntiSpyware\rundll32 .exe
c:\program files\SUPERAntiSpyware\superantispyware .exe
c:\program files\Toshiba\E-KEY\ceekey .exe
c:\program files\Toshiba\TOSCDSPD\toscdspd .exe
c:\program files\Toshiba\TOSHIBA Applet\hwsetup .exe
c:\program files\Toshiba\TOSHIBA Zooming Utility\smoothview .exe
c:\program files\Toshiba\Touch and Launch\padexe .exe
c:\program files\Toshiba\TouchPad\tptray .exe
c:\program files\Toshiba\Tvs\tvstray .exe
c:\program files\Toshiba\Windows Utilities\svpwutil .exe
c:\windows\system32\ctfmon .exe
c:\windows\system32\hkcmd .exe
c:\windows\system32\igfxpers .exe
c:\windows\system32\DLA\dlactrlw .exe

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{96b985b7-3cf9-456a-9db6-791710e60f5f}"= "c:\program files\MyPoints Toolbar 2.0\Helper.dll" [2010-02-25 242688]

[HKEY_CLASSES_ROOT\clsid\{96b985b7-3cf9-456a-9db6-791710e60f5f}]
[HKEY_CLASSES_ROOT\FreeCauseURLSearchHook.FCToolbarURLSearchHook.1]
[HKEY_CLASSES_ROOT\TypeLib\{9FEBEA6D-4801-4D23-97E7-A771B698E442}]
[HKEY_CLASSES_ROOT\FreeCauseURLSearchHook.FCToolbarURLSearchHook]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{89A2510A-B4B6-4683-BEC9-1B96700BC7F1}"= "c:\program files\MyPoints Toolbar 2.0\Toolbar.dll" [2010-02-25 1505280]

[HKEY_CLASSES_ROOT\clsid\{89a2510a-b4b6-4683-bec9-1b96700bc7f1}]
[HKEY_CLASSES_ROOT\FCTB000060497.IEToolbar.3]
[HKEY_CLASSES_ROOT\TypeLib\{061ED138-E065-4356-82AA-578F7F1EEAF1}]
[HKEY_CLASSES_ROOT\FCTB000060497.IEToolbar]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{89A2510A-B4B6-4683-BEC9-1B96700BC7F1}"= "c:\program files\MyPoints Toolbar 2.0\Toolbar.dll" [2010-02-25 1505280]

[HKEY_CLASSES_ROOT\clsid\{89a2510a-b4b6-4683-bec9-1b96700bc7f1}]
[HKEY_CLASSES_ROOT\FCTB000060497.IEToolbar.3]
[HKEY_CLASSES_ROOT\TypeLib\{061ED138-E065-4356-82AA-578F7F1EEAF1}]
[HKEY_CLASSES_ROOT\FCTB000060497.IEToolbar]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2010-03-13 40448]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-03-13 40448]
"ShutterflyStudio"="c:\program files\Shutterfly\Studio\BIN\SFlyStudio.exe" [2010-03-13 40448]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-03-13 40448]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2010-03-13 40448]
"Remote System Protection"="c:\windows\system32\fesxo1i.dll" [N/A]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CFSServ.exe"="CFSServ.exe -NoClient" [X]
"QuickTime Task"="c:\program files\quicktime\qttask .exe -atboottime" [X]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2010-03-10 40448]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2010-03-13 40448]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2010-03-13 40448]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2010-03-13 40448]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2010-03-13 40448]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2010-03-13 40448]
"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2010-03-13 40448]
"LtMoh"="c:\program files\ltmoh\Ltmoh.exe" [2010-03-13 40448]
"AGRSMMSG"="AGRSMMSG.exe" [2010-03-10 40448]
"NDSTray.exe"="NDSTray.exe" [2010-03-10 40448]
"HWSetup"="c:\program files\TOSHIBA\TOSHIBA Applet\HWSetup.exe" [2010-03-13 40448]
"SVPWUTIL"="c:\program files\Toshiba\Windows Utilities\SVPWUTIL.exe" [2010-03-13 40448]
"Tvs"="c:\program files\Toshiba\Tvs\TvsTray.exe" [2010-03-13 40448]
"CeEKEY"="c:\program files\TOSHIBA\E-KEY\CeEKey.exe" [2010-03-13 40448]
"TPSMain"="TPSMain.exe" [2010-03-10 40448]
"PadTouch"="c:\program files\TOSHIBA\Touch and Launch\PadExe.exe" [2010-03-13 40448]
"ZoomingHook"="ZoomingHook.exe" [2010-03-10 40448]
"SmoothView"="c:\program files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2010-03-13 40448]
"TPNF"="c:\program files\TOSHIBA\TouchPad\TPTray.exe" [2010-03-13 40448]
"TCtryIOHook"="TCtrlIOHook.exe" [2010-03-10 40448]
"TFncKy"="TFncKy.exe" [2010-03-10 40448]
"TDispVol"="TDispVol.exe" [2010-03-10 40448]
"Pinger"="c:\toshiba\ivp\ism\pinger.exe" [2010-03-13 40448]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2010-03-13 40448]
"lxcqmon.exe"="c:\program files\Lexmark 9300 Series\lxcqmon.exe" [2010-03-13 40448]
"Lexmark 9300 Series Fax Server"="c:\program files\Lexmark 9300 Series\fm3032.exe" [2010-03-13 40448]
"EzPrint"="c:\program files\Lexmark 9300 Series\ezprint.exe" [2010-03-13 40448]
"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2010-03-13 40448]
"LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam\Quickcam.exe" [2010-03-13 40448]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2010-03-13 40448]
"ATT-SST_McciTrayApp"="c:\program files\ATT-SST\McciTrayApp.exe" [2010-03-13 40448]
"Monitor"="c:\program files\LeapFrog\LeapFrog Connect\Monitor.exe" [2010-03-13 40448]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2010-03-13 40448]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-03-13 40448]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-03-13 40448]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2010-03-13 40448]
"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2010-03-13 40448]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-03-13 40448]
"budinufufo"="miropubi.dll" [N/A]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-03-13 40448]
"Remote System Protection"="c:\windows\system32\fesxo1i.dll" [N/A]

c:\documents and settings\Mine\Start Menu\Programs\Startup\
DING!.lnk - c:\program files\Southwest Airlines\Ding\Ding.exe [2006-6-22 462848]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HOTSYNCSHORTCUTNAME.lnk - c:\program files\palmOne\Hotsync.exe [2004-6-9 471040]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2008-10-16 214360]
Logitech Desktop Messenger.lnk - c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe [2008-9-11 66864]
RAMASST.lnk - c:\windows\system32\RAMASST.exe [2005-12-29 155648]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"HideFastUserSwitching"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-11 18:31 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager\appcertdlls]
AppSecDll REG_SZ c:\documents and settings\Mine\Local Settings\Application Data\Windows Server\mlthnj.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\TOSHIBA\\ivp\\NetInt\\Netint.exe"=
"c:\\TOSHIBA\\Ivp\\ISM\\pinger.exe"= c:\\TOSHIBA\\IVP\\ISM\\pinger.exe
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\Yahoo!\\Yahoo! Music Engine\\YahooMusicEngine.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Toshiba\\ConfigFree\\CFXFER.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
"c:\\Program Files\\ATT-HSI\\McciBrowser.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Documents and Settings\\Mine\\Application Data\\Macromedia\\Flash Player\\[You must be registered and logged in to see this link.]
"c:\\WINDOWS\\system32\\lxcqcoms.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MyPoints Toolbar 2.0\\TroubleShooter.exe"=
"c:\\Program Files\\MyPoints Toolbar 2.0\\ToolbarUpdate.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfcCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\Common Files\\HP\\Digital Imaging\\bin\\hpqPhotoCrm.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqsudi.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpsapp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpse.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgplgtupl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgpc01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgm.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgh.exe"=
"c:\\Program Files\\HP\\HP Software Update\\hpwucli.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Smart Web Printing\\SmartWebPrintExe.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Skype\\Phone\\skype .exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"135:TCP"= 135:TCP:TCP Port 135
"5000:TCP"= 5000:TCP:TCP Port 5000
"5001:TCP"= 5001:TCP:TCP Port 5001
"5002:TCP"= 5002:TCP:TCP Port 5002
"5003:TCP"= 5003:TCP:TCP Port 5003
"5004:TCP"= 5004:TCP:TCP Port 5004
"5005:TCP"= 5005:TCP:TCP Port 5005
"5006:TCP"= 5006:TCP:TCP Port 5006
"5007:TCP"= 5007:TCP:TCP Port 5007
"5008:TCP"= 5008:TCP:TCP Port 5008
"5009:TCP"= 5009:TCP:TCP Port 5009
"5010:TCP"= 5010:TCP:TCP Port 5010
"5011:TCP"= 5011:TCP:TCP Port 5011
"5012:TCP"= 5012:TCP:TCP Port 5012
"5013:TCP"= 5013:TCP:TCP Port 5013
"5014:TCP"= 5014:TCP:TCP Port 5014
"5015:TCP"= 5015:TCP:TCP Port 5015
"5016:TCP"= 5016:TCP:TCP Port 5016
"5017:TCP"= 5017:TCP:TCP Port 5017
"5018:TCP"= 5018:TCP:TCP Port 5018
"5019:TCP"= 5019:TCP:TCP Port 5019
"5020:TCP"= 5020:TCP:TCP Port 5020
"427:UDP"= 427:UDP:SLP_Port(427)

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [8/19/2008 10:34 PM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [8/19/2008 10:34 PM 66632]
R2 lxcq_device;lxcq_device;c:\windows\system32\lxcqcoms.exe -service --> c:\windows\system32\lxcqcoms.exe -service [?]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [3/8/2007 8:00 PM 24652]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [8/19/2008 10:34 PM 12872]
S3 FlyUsb;FLY Fusion;c:\windows\system32\drivers\FlyUsb.sys [3/11/2009 10:02 AM 18560]

--- Other Services/Drivers In Memory ---

*Deregistered* - nptly

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ HPSLPSVC
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2010-02-26 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2010-03-13 c:\windows\Tasks\At1.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-13 23:58]

2010-03-13 c:\windows\Tasks\At10.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-13 23:58]

2010-03-13 c:\windows\Tasks\At11.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-13 23:58]

2010-03-13 c:\windows\Tasks\At12.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-13 23:58]

2010-03-13 c:\windows\Tasks\At13.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-13 23:58]

2010-03-13 c:\windows\Tasks\At14.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-13 23:58]

2010-03-13 c:\windows\Tasks\At15.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-13 23:58]

2010-03-13 c:\windows\Tasks\At16.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-13 23:58]

2010-03-13 c:\windows\Tasks\At17.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-13 23:58]

2010-03-13 c:\windows\Tasks\At18.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-13 23:58]

2010-03-14 c:\windows\Tasks\At19.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-13 23:58]

2010-03-13 c:\windows\Tasks\At2.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-13 23:58]

2010-03-13 c:\windows\Tasks\At20.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-13 23:58]

2010-03-13 c:\windows\Tasks\At21.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-13 23:58]

2010-03-13 c:\windows\Tasks\At22.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-13 23:58]

2010-03-13 c:\windows\Tasks\At23.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-13 23:58]

2010-03-13 c:\windows\Tasks\At24.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-13 23:58]

2010-03-14 c:\windows\Tasks\At25.job
- c:\program files\adobe\acrotray .exe [2010-03-14 00:00]

2010-03-14 c:\windows\Tasks\At26.job
- c:\program files\adobe\acrotray .exe [2010-03-14 00:00]

2010-03-14 c:\windows\Tasks\At27.job
- c:\program files\adobe\acrotray .exe [2010-03-14 00:00]

2010-03-14 c:\windows\Tasks\At28.job
- c:\program files\adobe\acrotray .exe [2010-03-14 00:00]

2010-03-14 c:\windows\Tasks\At29.job
- c:\program files\adobe\acrotray .exe [2010-03-14 00:00]

2010-03-13 c:\windows\Tasks\At3.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-13 23:58]

2010-03-14 c:\windows\Tasks\At30.job
- c:\program files\adobe\acrotray .exe [2010-03-14 00:00]

2010-03-14 c:\windows\Tasks\At31.job
- c:\program files\adobe\acrotray .exe [2010-03-14 00:00]

2010-03-14 c:\windows\Tasks\At32.job
- c:\program files\adobe\acrotray .exe [2010-03-14 00:00]

2010-03-14 c:\windows\Tasks\At33.job
- c:\program files\adobe\acrotray .exe [2010-03-14 00:00]

2010-03-14 c:\windows\Tasks\At34.job
- c:\program files\adobe\acrotray .exe [2010-03-14 00:00]

2010-03-14 c:\windows\Tasks\At35.job
- c:\program files\adobe\acrotray .exe [2010-03-14 00:00]

2010-03-14 c:\windows\Tasks\At36.job
- c:\program files\adobe\acrotray .exe [2010-03-14 00:00]

2010-03-14 c:\windows\Tasks\At37.job
- c:\program files\adobe\acrotray .exe [2010-03-14 00:00]

2010-03-14 c:\windows\Tasks\At38.job
- c:\program files\adobe\acrotray .exe [2010-03-14 00:00]

2010-03-14 c:\windows\Tasks\At39.job
- c:\program files\adobe\acrotray .exe [2010-03-14 00:00]

2010-03-13 c:\windows\Tasks\At4.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-13 23:58]

2010-03-14 c:\windows\Tasks\At40.job
- c:\program files\adobe\acrotray .exe [2010-03-14 00:00]

2010-03-14 c:\windows\Tasks\At41.job
- c:\program files\adobe\acrotray .exe [2010-03-14 00:00]

2010-03-14 c:\windows\Tasks\At42.job
- c:\program files\adobe\acrotray .exe [2010-03-14 00:00]

2010-03-14 c:\windows\Tasks\At43.job
- c:\program files\adobe\acrotray .exe [2010-03-14 00:00]

2010-03-14 c:\windows\Tasks\At44.job
- c:\program files\adobe\acrotray .exe [2010-03-14 00:00]

2010-03-14 c:\windows\Tasks\At45.job
- c:\program files\adobe\acrotray .exe [2010-03-14 00:00]

2010-03-14 c:\windows\Tasks\At46.job
- c:\program files\adobe\acrotray .exe [2010-03-14 00:00]

2010-03-14 c:\windows\Tasks\At47.job
- c:\program files\adobe\acrotray .exe [2010-03-14 00:00]

2010-03-14 c:\windows\Tasks\At48.job
- c:\program files\adobe\acrotray .exe [2010-03-14 00:00]

2010-03-13 c:\windows\Tasks\At5.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-13 23:58]

2010-03-13 c:\windows\Tasks\At6.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-13 23:58]

2010-03-13 c:\windows\Tasks\At7.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-13 23:58]

2010-03-13 c:\windows\Tasks\At8.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-13 23:58]

2010-03-13 c:\windows\Tasks\At9.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-13 23:58]
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = [You must be registered and logged in to see this link.]
uSearchURL,(Default) = [You must be registered and logged in to see this link.]
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: 0.0.0.0
Trusted Zone: motive.com\patttbc.att
TCP: {EAB43538-6B7F-426B-BE51-A4B71FE20334} = 217.23.14.75,4.2.2.1,192.168.1.254
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
FF - ProfilePath - c:\documents and settings\Mine\Application Data\Mozilla\Firefox\Profiles\bief2zjt.default\
FF - prefs.js: browser.search.defaulturl - [You must be registered and logged in to see this link.]
FF - prefs.js: browser.search.selectedEngine - Web Search: PCH PROJECT GRADUATION 2012
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - plugin: c:\documents and settings\All Users\Application Data\RealArcade\npraclient.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPcol308.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\nppopcaploader.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npraclient.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - plugin: c:\program files\Virtual Earth 3D\npVE3D.dll
FF - plugin: c:\windows\system32\npmirage.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

BHO-{4e503d72-5e35-4c59-928c-97a1ae41edd7} - zumefipo.dll
SharedTaskScheduler-{A3BA40A2-74F1-52BD-F434-00B15A2C8953} - c:\windows\system32\fesxo1i.dll
AddRemove-Boohbah Zone - c:\program files\Common Files\Polka Dot\Uninstall\BoohBahUn.exe
AddRemove-Flock - c:\program files\Flock\uninst.exe
AddRemove-ShockwaveFlash - c:\windows\system32\Macromed\Flash\FlashUtil9c.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2010-03-13 17:54
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
ShutterflyStudio = c:\program files\Shutterfly\Studio\BIN\SFlyStudio.exe /trayonly?: /RegServer??????????????????????????es\Shutterfly\Studio\BIN\mmpartner_langres.dll?AVA??????????udio Event - ?re?.????UNIQUE_GEN_LISTENER_LOCK_NAME?AM??????????????????iv??????????re????tt??fly\

scanning hidden files ...


c:\docume~1\Mine\LOCALS~1\Temp\etilqs_KmKceEBfmSn8SYU 0 bytes
c:\docume~1\Mine\LOCALS~1\Temp\etilqs_rfTGkEL8WU2f3jA 556032 bytes
c:\windows\system32\hkcmd .exe 40448 bytes executable
c:\windows\system32\igfxpers .exe 40448 bytes executable

scan completed successfully
hidden files: 4

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\nptly]

.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,dc,d0,79,d3,3b,39,a2,4d,83,1e,93,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,dc,d0,79,d3,3b,39,a2,4d,83,1e,93,\

[HKEY_LOCAL_MACHINE\software\Intel\Wireless\Folders\* }]
"Path"="c:\\Documents and Settings\\Mine\\Application Data\\Intel\\Wireless\\"

[HKEY_LOCAL_MACHINE\software\Intel\Wireless\Folders\ U**]
"Path"="c:\\Documents and Settings\\Mine\\Application Data\\Intel\\Wireless\\"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(684)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(11432)
c:\windows\system32\WININET.dll
c:\windows\TEMP\logishrd\LVPrcInj01.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\mshtml.dll
c:\windows\system32\msls31.dll
c:\program files\Common Files\Microsoft Shared\INK\SKCHUI.DLL
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\ArcSoft\Software Suite\PhotoImpression\share\pihook.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\program files\SUPERAntiSpyware\SASSEH.DLL
?:\windows\system32\odbcint.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\drivers\CDAC11BA.EXE
c:\program files\TOSHIBA\ConfigFree\CFSvcs.exe
c:\windows\system32\DVDRAMSV.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\LeapFrog\LeapFrog Connect\CommandService.exe
c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
c:\windows\system32\lxcqcoms.exe
c:\program files\Common Files\Motive\McciCMService.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\toshiba\IVP\swupdate\swupdtmr.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\program files\Viewpoint\Viewpoint Manager\ViewMgr.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\intel\wireless\bin\zcfgsvc .exe
c:\program files\intel\wireless\bin\ifrmewrk .exe
c:\windows\system32\dla\dlactrlw .exe
c:\program files\apoint2k\apoint .exe
c:\program files\ltmoh\ltmoh .exe
c:\program files\toshiba\tvs\tvstray .exe
c:\progra~1\Intel\Wireless\Bin\Dot1XCfg.exe
c:\program files\toshiba\e-key\ceekey .exe
c:\program files\toshiba\touch and launch\padexe .exe
c:\program files\Apoint2K\Apntex.exe
c:\program files\toshiba\touchpad\tptray .exe
c:\program files\toshiba\toshiba zooming utility\smoothview .exe
c:\program files\adobe\photoshop album starter edition\3.2\apps\apdproxy .exe
c:\program files\lexmark 9300 series\lxcqmon .exe
c:\program files\lexmark 9300 series\ezprint .exe
c:\program files\common files\logishrd\lcommgr\communications_helper .exe
c:\program files\logitech\quickcam\quickcam .exe
c:\program files\att-sst\mccitrayapp .exe
c:\program files\leapfrog\leapfrog connect\monitor .exe
c:\program files\hp\hp software update\hpwuschd2 .exe
c:\program files\common files\real\update_ob\realsched .exe
c:\program files\java\jre6\bin\jusched .exe
c:\program files\itunes\ituneshelper .exe
c:\program files\shutterfly\studio\bin\sflystudio .exe
c:\program files\toshiba\toscdspd\toscdspd .exe
c:\program files\skype\phone\skype .exe
c:\program files\superantispyware\superantispyware .exe
c:\program files\Common Files\Logishrd\LQCVFX\COCIManager.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Skype\Plugin Manager\skypePM.exe
c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe
c:\program files\HP\Digital Imaging\bin\hpqbam08.exe
c:\program files\HP\Digital Imaging\bin\hpqgpc01.exe
c:\docume~1\Mine\LOCALS~1\Temp\ctv1627.exe
c:\program files\Internet Explorer\IEXPLORE.EXE
c:\program files\ATTToolbar\FDServer.exe
.
**************************************************************************
.
Completion time: 2010-03-13 18:11:28 - machine was rebooted
ComboFix-quarantined-files.txt 2010-03-14 00:10

Pre-Run: 16,933,384,192 bytes free
Post-Run: 16,973,983,744 bytes free

- - End Of File - - 3FF5E8B04C04E60DDB9B0F6BAC28BE4D

ltlfroggie
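Two patterns in the log above are worth a mechanical check rather than eyeballing: executables whose name carries a space before the extension (acrotray .exe, hkcmd .exe, skype .exe, and so on, sitting beside the real binaries of the same name), and the run of At1.job through At48.job that all launch the same two files. The script below is an added triage example written for this page, not a tool from the thread or from ComboFix; it parses a short log fragment constructed here in the same layout as the 'Scheduled Tasks' and 'Other Running Processes' sections (SAMPLE_LOG is a constructed sample, not the full log), and the extension list, the temp-directory pattern and the At-job threshold are my assumptions. It flags the patterns; it does not name a malware family.

```python
import re
from collections import Counter

# Constructed sample in ComboFix layout (not the full log from the thread).
SAMPLE_LOG = r"""
Contents of the 'Scheduled Tasks' folder

2010-02-26 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2010-03-13 c:\windows\Tasks\At1.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-13 23:58]

2010-03-13 c:\windows\Tasks\At2.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-13 23:58]

2010-03-13 c:\windows\Tasks\At3.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-03-13 23:58]

2010-03-14 c:\windows\Tasks\At25.job
- c:\program files\adobe\acrotray .exe [2010-03-14 00:00]

2010-03-14 c:\windows\Tasks\At26.job
- c:\program files\adobe\acrotray .exe [2010-03-14 00:00]
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\hkcmd .exe
c:\program files\skype\phone\skype .exe
c:\docume~1\Mine\LOCALS~1\Temp\ctv1627.exe
c:\program files\Internet Explorer\IEXPLORE.EXE
.
"""

# Assumed heuristics: whitespace right before the extension, a temp directory
# anywhere in the path, and a job name of the form AtN.job (created by at.exe).
SPACED_EXT = re.compile(r"\S\s+\.(exe|dll|sys|scr|com)$", re.IGNORECASE)
TEMP_DIR = re.compile(r"\\(temp|tmp)\\", re.IGNORECASE)
AT_JOB = re.compile(r"\\Tasks\\At\d+\.job$", re.IGNORECASE)
JOB_LINE = re.compile(r"^\d{4}-\d{2}-\d{2}\s+(\S.*\.job)$", re.IGNORECASE)
TARGET_LINE = re.compile(r"^-\s+(.+?)\s+\[")
PATH_LINE = re.compile(r"^[a-z?]:\\", re.IGNORECASE)
AT_JOB_THRESHOLD = 3  # assumed; the real log above has 48 such jobs


def parse_combofix(text):
    """Return (tasks, processes): tasks is a list of (job_path, target_path),
    processes is the list of image paths under 'Other Running Processes'."""
    tasks, processes = [], []
    section, pending_job = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if "Scheduled Tasks" in line:
            section = "tasks"
            continue
        if "Other Running Processes" in line:
            section = "procs"
            continue
        if section == "tasks":
            m = JOB_LINE.match(line)
            if m:
                pending_job = m.group(1)
                continue
            m = TARGET_LINE.match(line)
            if m and pending_job:
                tasks.append((pending_job, m.group(1)))
                pending_job = None
        elif section == "procs" and PATH_LINE.match(line):
            processes.append(line)
    return tasks, processes


def basename(path):
    return path.rsplit("\\", 1)[-1]


def triage(text, at_threshold=AT_JOB_THRESHOLD):
    """Flag spaced-extension lookalikes, executables running from a temp
    directory, and targets that many AtN.job tasks fan out to."""
    tasks, processes = parse_combofix(text)
    candidates = [target for _, target in tasks] + processes
    spaced = sorted({p for p in candidates if SPACED_EXT.search(basename(p))}, key=str.lower)
    temp = sorted({p for p in candidates if TEMP_DIR.search(p)}, key=str.lower)
    counts = Counter(t.lower() for job, t in tasks if AT_JOB.search(job))
    fanout = {t: n for t, n in counts.items() if n >= at_threshold}
    return {"spaced_extension": spaced, "temp_executable": temp, "at_job_fanout": fanout}


if __name__ == "__main__":
    for kind, hits in triage(SAMPLE_LOG).items():
        print(kind)
        for hit in (hits.items() if isinstance(hits, dict) else hits):
            print("  ", hit)
```

On the constructed sample this reports the three spaced-extension names, the executable in the user's Temp folder, and wmpscfgs.exe as the target of three At jobs; lowering at_threshold to 2 also reports acrotray .exe. Paste a full ComboFix log in place of SAMPLE_LOG to run it over a real case; the spaced-extension check only looks at the final path component, so it does not trip on the legitimate "Program Files" directory name.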

Re: Dr. Guard and other stuff

Post by ltlfroggie on Sun Mar 14, 2010 12:23 am

And I'm back on my own computer now - yay! So much easier to post logs.


Re: Dr. Guard and other stuff

Post by Dr Jay on Sun Mar 14, 2010 2:54 am

There is a dangerous backdoor trojan on your system. This is a sign of total system compromise.
[You must be registered and logged in to see this link.] are very dangerous because they compromise system integrity by making changes that allow it to be used by the attacker for malicious purposes. Remote attackers use backdoors as a means of accessing and taking control of a computer that bypasses security mechanisms. This type of exploit allows them to steal sensitive information like passwords, personal and financial data, which is sent back to the hacker. To learn more about these types of infections, you can refer to: [You must be registered and logged in to see this link.]
I would counsel you to immediately disconnect this PC from the Internet and from your network if it is on a network. Disconnect the infected computer until the computer can be cleaned.
Then, access this information from a non-compromised computer to follow the steps needed.
If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable. Do NOT change passwords or do any transactions while using the infected computer because the attacker may get the new passwords and transaction information. (If using a router, you need to reset it with a strong logon/password so the malware cannot gain control before connecting again.) Banking and credit card institutions should be notified to apprise them of your situation (possible security breach). To protect your information that may have been compromised, I recommend reading these references:

Though the backdoor has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. It is dangerous and incorrect to assume the computer is secure even if the malware appears to have been removed. In some instances an infection may have caused so much damage to your system that it cannot be completely cleaned or repaired, so you can never be sure that you have completely removed a backdoor trojan. The malware may leave so many remnants behind that security tools cannot find them. Tools that claim to be able to remove backdoor trojans cannot guarantee that all traces of it will be removed. Many experts in the security community believe that once infected with such a piece of malware, the best course of action would be a reformat and clean reinstall of the OS. This is something I don't like to recommend normally, but in most cases it is the best solution for your safety. Making this decision is based on what the computer is used for, and what information can be accessed from it. For more information, please read these references very carefully:
Guides for format and reinstall: [You must be registered and logged in to see this link.]

[You must be registered and logged in to see this link.]
However, if you do not have the resources to reinstall your computer's OS and would like me to attempt to clean it, I will be happy to do so. But please consider carefully before deciding against a reformat.
If you do make that decision, I will do my best to help you clean the computer of any infections, but you must understand that once a machine has been taken over by this type of malware, I cannot guarantee that it will be 100% secure even after disinfection or that the removal will be successful.

Please let me know what you have decided to do in your next post. Should you have any questions, please feel free to ask.


Dr. Jay (DJ)



Re: Dr. Guard and other stuff

Post by ltlfroggie on Sun Mar 14, 2010 3:08 pm

Well - sounds like I don't have much of a choice - I'm assuming (hoping) it is OK to move my data and picture files onto an external hard drive before reformatting? I haven't looked at all the links yet, but will in a bit.


Re: Dr. Guard and other stuff

Post by ltlfroggie on Sun Mar 14, 2010 3:44 pm

Can I use the "Files and Settings Transfer Wizard" safely?


Re: Dr. Guard and other stuff

Post by Dr Jay on Sun Mar 14, 2010 5:58 pm

Yes, that tool will probably work.

You can safely move files, pictures, videos, etc. But, as for program files, please don't.

The tutorial that I pointed out will help:

Link 1: [You must be registered and logged in to see this link.]

Link 2: [You must be registered and logged in to see this link.]


Dr. Jay (DJ)

