tdlwsp.dll won't stay removed.

UnbidPaladin · 06-Nov-2009, 02:50 AM #1

I know there is another thread with this topic but I didn't want to impose on it. I've tried everything to remove this virus using avg,mbam in safe mode and everything. Even turning system restore off then scanning in safe mode then restarting. Here's the hijack this log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:43:55 AM, on 11/6/2009
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18828)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Program Files\Hewlett-Packard\IAM\bin\asghost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\WINDOWS\SMINST\scheduler.exe
C:\Program Files\Intel\AMT\atchk.exe
C:\Program Files\Hewlett-Packard\HP ProtectTools Security Manager\pthosttr.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\AVG\AVG9\avgtray.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Hewlett-Packard\Embedded Security Software\PSDrt.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Users\HP USER\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\HP USER\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\HP USER\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TY...smb&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TY...smb&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TY...smb&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: XfireXO Toolbar - {5e5ab302-7f65-44cd-8211-c1d4caaccea3} - C:\Program Files\XfireXO\tbXfir.dll
R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
O1 - Hosts: ::1 localhost
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: XfireXO Toolbar - {5e5ab302-7f65-44cd-8211-c1d4caaccea3} - C:\Program Files\XfireXO\tbXfir.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: AOL Toolbar BHO - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.2.4204.1700\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_B7C5AC242193BB3E.dll
O2 - BHO: Credential Manager for HP ProtectTools - {DF21F1DB-80C6-11D3-9483-B03D0EC10000} - C:\Program Files\Hewlett-Packard\IAM\Bin\ItIEAddIn.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O3 - Toolbar: XfireXO Toolbar - {5e5ab302-7f65-44cd-8211-c1d4caaccea3} - C:\Program Files\XfireXO\tbXfir.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [atchk] "C:\Program Files\Intel\AMT\atchk.exe"
O4 - HKLM\..\Run: [PTHOSTTR] C:\Program Files\Hewlett-Packard\HP ProtectTools Security Manager\PTHOSTTR.EXE /Start
O4 - HKLM\..\Run: [IFXSPMGT] C:\Windows\system32\ifxspmgt.exe /NotifyLogon
O4 - HKLM\..\Run: [PDF Complete] C:\Program Files\PDF Complete\pdfsty.exe
O4 - HKLM\..\Run: [SetRefresh] C:\Program Files\HP\SetRefresh\SetRefresh.exe
O4 - HKLM\..\Run: [CognizanceTS] rundll32.exe C:\PROGRA~1\HEWLET~1\IAM\Bin\ASTSVCC.dll,RegisterModule
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\RunOnce: [ST Recovery Launcher] %WINDIR%\SMINST\launcher.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O8 - Extra context menu item: &AOL Toolbar Search - C:\ProgramData\AOL\ieToolbar\resources\en-US\local\search.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O13 - Gopher Prefix:
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
O20 - AppInit_DLLs: APSHook.dll,avgrsstx.dll
O23 - Service: ArcSoft Connect Daemon (ACDaemon) - ArcSoft Inc. - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
O23 - Service: Andrea ADI Filters Service (AEADIFilters) - Andrea Electronics Corporation - C:\Windows\system32\AEADISRV.EXE
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Intel(R) Active Management Technology System Status Service (atchksrv) - Intel Corporation - C:\Program Files\Intel\AMT\atchksrv.exe
O23 - Service: AVG Free E-mail Scanner (avg9emc) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgemc.exe
O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Drive Encryption Service (HpFkCryptService) - SafeBoot International - C:\Program Files\Hewlett-Packard\Drive Encryption\HpFkCrypt.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Security Platform Management Service (IFXSpMgtSrv) - Infineon Technologies AG - C:\Windows\system32\ifxspmgt.exe
O23 - Service: Trusted Platform Core Service (IFXTCS) - Infineon Technologies AG - C:\Windows\system32\ifxtcs.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: Intel(R) Active Management Technology Local Management Service (LMS) - Intel - C:\Program Files\Intel\AMT\LMS.exe
O23 - Service: MgiSvr - ArcSoft, Inc. - C:\Program Files\ArcSoft\Magic-i 3\uMgiSvr.exe
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\Windows\system32\GameMon.des.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: PDF Document Manager (pdfcDispatcher) - PDF Complete Inc - C:\Program Files\PDF Complete\pdfsvc.exe
O23 - Service: Personal Secure Drive service (PersonalSecureDriveService) - Infineon Technologies AG - C:\Windows\system32\IfxPsdSv.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe
O23 - Service: Intel(R) Active Management Technology User Notification Service (UNS) - Intel - C:\Program Files\Intel\AMT\UNS.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 11124 bytes

Please help It keeps redirecting me to other sites and i seem to find another few trojans every other day when I haven't even been really using the internet except to go on sites like this.

NeonFx · 06-Nov-2009, 03:41 AM #2

Hello there

Welcome to the Tech Support Guy forums.
My name is NeonFx. I'll be glad to help you with your computer problems. Logs can take some time to research, so please be patient with me.

Please note the following:

The fixes are specific to your problem and should only be used on this machine.
Please continue to review my answers until I tell you your machine appears to be clean. Absence of symptoms does not necessarily mean that the system is completely clean.
It's often worth reading through these instructions and printing them for ease of reference. I may ask you to boot into Safe Mode where you will be unable to follow my instructions online.
If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry.
Please reply to this thread. Do not start a new topic.

Step 1

NOTE: ComboFix should NOT be used without supervision by someone trained in its use. It does a whole lot more to a system than just remove infected files.

Download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Note: If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link : Disabling Security Programs
Double click on ComboFix.exe & follow the prompts.

Note: Combofix will run without the Recovery Console installed.
As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Notes:

1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you please let me know. A increasing number of infections are spreading using Autoplay and leaving it disabled is a good idea.
4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Please attach the log in your next post. To do so click on the blue "Reply" button or "Go Advanced" and click on the "Manage Attachments" button

To ensure that I get all the information this log will need to be attached. If it is too large to attach then upload it to Dropio and post the sharing link/url (The Drop's URL will be similar to : http:://drop.io/daerk)

UnbidPaladin · 05:39 AM

After following the guide to disabling anti-virus software combofix still detects my avg antivirus and antispyware to be active. How can I turn them off?
*Also im using AVG 9.0*

NeonFx · 06-Nov-2009, 10:17 AM #4

That happens sometimes. It can't tell if a program is disabled or not. Go ahead and disregard the warning if you know you've disabled the program.

UnbidPaladin · 02:14 AM

ComboFix 09-11-06.03 - HP USER 11/06/2009 23:56.1.2 - NTFSx86
Microsoft® Windows Vista™ Business 6.0.6002.2.1252.1.1033.18.3036.1880 [GMT -6:00]
Running from: c:\users\HP USER\Documents\Downloads\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
SP: AVG Anti-Virus Free *enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
SP: Spybot - Search and Destroy *disabled* (Updated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\$recycle.bin\S-1-5-21-1503544569-3812183600-905112783-1001

.
((((((((((((((((((((((((( Files Created from 2009-10-07 to 2009-11-07 )))))))))))))))))))))))))))))))
.

2009-11-07 06:04 . 2009-11-07 06:04 -------- d-----w- c:\users\Default\AppData\Local\temp
2009-11-03 08:30 . 2009-10-16 17:12 1119488 ----a-w- c:\programdata\AVG Security Toolbar\IEToolbar.dll
2009-10-30 05:56 . 2009-10-30 05:34 15880 ----a-w- c:\windows\system32\lsdelete.exe
2009-10-30 05:34 . 2009-09-23 12:55 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-10-30 05:34 . 2009-10-30 05:34 93360 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2009-10-30 05:34 . 2009-10-30 05:34 93360 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\Drivers\SBREDrv.sys
2009-10-30 05:34 . 2009-10-30 05:34 862040 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\threatwork.exe
2009-10-30 05:34 . 2009-10-30 05:34 554280 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\sbap.dll
2009-10-30 05:34 . 2009-10-30 05:34 390288 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\lavalicense.dll
2009-10-30 05:34 . 2009-10-30 05:34 206944 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\lavamessage.dll
2009-10-30 05:34 . 2009-10-30 05:34 15880 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\lsdelete.exe
2009-10-30 05:32 . 2009-10-30 05:34 -------- d-----w- c:\programdata\Lavasoft
2009-10-30 05:32 . 2009-10-30 05:32 -------- d-----w- c:\program files\Lavasoft
2009-10-29 04:43 . 2009-10-29 04:43 -------- d-----w- c:\users\HP USER\AppData\Local\AVG Security Toolbar
2009-10-29 04:42 . 2009-10-29 04:46 -------- d-----w- C:\$AVG
2009-10-29 04:42 . 2009-11-03 08:30 4096 d-----w- c:\programdata\AVG Security Toolbar
2009-10-29 04:41 . 2009-11-06 21:38 4096 d-----w- c:\programdata\avg9
2009-10-28 15:17 . 2009-09-10 14:58 310784 ----a-w- c:\windows\system32\unregmp2.exe
2009-10-28 15:17 . 2009-09-10 14:59 8147456 ----a-w- c:\windows\system32\wmploc.DLL
2009-10-28 15:12 . 2009-10-28 15:12 471664 ----a-w- c:\programdata\Google\Google Toolbar\Update\gtbF152.tmp.exe
2009-10-28 01:45 . 2009-10-28 01:45 -------- d-----w- c:\program files\Microsoft
2009-10-27 19:40 . 2009-10-27 19:40 2829 ----a-w- c:\windows\W2BNEUnin.pif
2009-10-27 19:40 . 2009-10-27 19:40 20298 ----a-w- c:\windows\W2BNEUnin.dat
2009-10-27 19:40 . 2009-10-27 19:40 98304 ----a-w- c:\windows\W2BNEUnin.exe
2009-10-27 18:58 . 2009-10-27 18:58 -------- d-----w- c:\windows\system32\Adobe
2009-10-27 04:30 . 2009-10-27 04:30 -------- d-----w- c:\program files\Conduit
2009-10-27 04:30 . 2009-10-27 04:30 4096 d-----w- c:\program files\XfireXO
2009-10-27 04:30 . 2009-10-06 22:10 52224 ------w- c:\users\HP USER\AppData\Roaming\Mozilla\Firefox\Profiles\dtfhhoox.default\extensions\{ 5e5ab302-7f65-44cd-8211-c1d4caaccea3}\components\FFExternalAlert.dll
2009-10-27 04:30 . 2009-10-06 22:10 114688 ------w- c:\users\HP USER\AppData\Roaming\Mozilla\Firefox\Profiles\dtfhhoox.default\extensions\{ 5e5ab302-7f65-44cd-8211-c1d4caaccea3}\components\npmozax.dll
2009-10-27 04:30 . 2009-10-27 06:55 -------- d-----w- c:\users\HP USER\AppData\Roaming\Xfire
2009-10-27 04:30 . 2009-10-27 22:59 4096 d-----w- c:\programdata\Xfire
2009-10-23 07:38 . 2009-10-23 07:38 -------- d-----w- c:\users\HP USER\AppData\Local\Microsoft Corporation
2009-10-23 07:37 . 2009-10-23 07:37 4096 d-----w- c:\program files\Microsoft Windows 7 Upgrade Advisor
2009-10-22 21:06 . 2009-10-22 21:06 -------- d-----w- c:\program files\Microsoft Games for Windows - LIVE
2009-10-22 21:06 . 2009-10-22 21:06 -------- d-----w- c:\windows\system32\xlive
2009-10-22 21:06 . 2008-07-31 15:41 238088 ----a-w- c:\windows\system32\xactengine3_2.dll
2009-10-22 21:06 . 2008-07-31 15:41 68616 ----a-w- c:\windows\system32\XAPOFX1_1.dll
2009-10-22 21:06 . 2008-07-31 15:40 509448 ----a-w- c:\windows\system32\XAudio2_2.dll
2009-10-22 21:06 . 2008-07-12 13:18 467984 ----a-w- c:\windows\system32\d3dx10_39.dll
2009-10-22 21:06 . 2008-07-12 13:18 1493528 ----a-w- c:\windows\system32\D3DCompiler_39.dll
2009-10-22 21:06 . 2008-07-12 13:18 3851784 ----a-w- c:\windows\system32\D3DX9_39.dll
2009-10-22 19:42 . 2009-10-22 19:42 4096 d-----w- c:\users\HP USER\AppData\Roaming\SystemRequirementsLab
2009-10-22 19:42 . 2009-10-22 19:42 138240 ----a-w- c:\users\HP USER\AppData\Roaming\SystemRequirementsLab\SRLProxy_srl_4_1_14_0_d.dll
2009-10-22 19:42 . 2009-10-22 19:42 138240 ----a-w- c:\users\HP USER\AppData\Roaming\SystemRequirementsLab\SRLProxy_srl_4_1_14_0_c.dll
2009-10-22 19:42 . 2009-10-22 19:42 138240 ----a-w- c:\users\HP USER\AppData\Roaming\SystemRequirementsLab\SRLProxy_srl_4_1_14_0_b.dll
2009-10-22 19:42 . 2009-10-22 19:42 138240 ----a-w- c:\users\HP USER\AppData\Roaming\SystemRequirementsLab\SRLProxy_srl_4_1_14_0_a.dll
2009-10-22 04:59 . 2009-10-29 05:17 -------- d-----w- c:\programdata\nahiyuku
2009-10-22 04:59 . 2009-10-29 05:17 -------- d-----w- c:\programdata\haferabo
2009-10-22 04:59 . 2009-10-29 05:17 -------- d-----w- c:\programdata\gafuhelu
2009-10-21 16:38 . 2009-10-21 16:39 4096 d-----w- c:\program files\Common Files\DivX Shared
2009-10-21 16:27 . 2009-10-29 05:17 -------- d-----w- c:\programdata\zahoguvi
2009-10-21 16:27 . 2009-10-29 05:17 -------- d-----w- c:\programdata\pulagawi
2009-10-21 16:27 . 2009-10-22 06:14 -------- d-----w- c:\programdata\jijoseyi
2009-10-21 16:27 . 2009-10-29 05:17 -------- d-----w- c:\programdata\kadehiva
2009-10-21 16:27 . 2009-10-29 05:17 -------- d-----w- c:\programdata\lohuwije
2009-10-21 16:27 . 2009-10-29 05:17 -------- d-----w- c:\programdata\jeyawipi
2009-10-21 16:27 . 2009-10-22 21:46 -------- d-----w- c:\programdata\wukunusi
2009-10-21 04:27 . 2009-10-22 21:46 -------- d-----w- c:\programdata\jekehafe
2009-10-21 04:27 . 2009-10-29 05:17 -------- d-----w- c:\programdata\vohodoru
2009-10-21 04:27 . 2009-10-29 05:17 -------- d-----w- c:\programdata\ratanofi
2009-10-21 04:27 . 2009-10-29 05:17 -------- d-----w- c:\programdata\gipebefu
2009-10-21 04:27 . 2009-10-29 05:17 -------- d-----w- c:\programdata\bogopani
2009-10-21 04:27 . 2009-10-21 04:30 -------- d-----w- c:\programdata\yuzogovu
2009-10-21 04:21 . 2009-10-29 05:17 -------- d-----w- c:\programdata\yaluhitu
2009-10-21 04:21 . 2009-10-29 05:17 -------- d-----w- c:\programdata\kirufido
2009-10-21 04:21 . 2009-10-29 05:17 -------- d-----w- c:\programdata\fapolavu
2009-10-15 00:01 . 2009-10-15 00:01 41872 ----a-w- c:\windows\system32\xfcodec.dll
2009-10-13 17:15 . 2009-10-13 17:16 -------- d-----w- c:\windows\system32\ca-ES
2009-10-13 17:15 . 2009-10-13 17:16 -------- d-----w- c:\windows\system32\eu-ES
2009-10-13 17:15 . 2009-10-13 17:16 -------- d-----w- c:\windows\system32\vi-VN
2009-10-13 17:05 . 2009-10-13 17:05 4096 d-----w- c:\windows\system32\EventProviders
2009-10-11 06:54 . 2009-10-11 06:54 4096 d-----w- c:\program files\Windows Live Safety Center

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-07 05:50 . 2009-11-06 21:43 22016 ----a-w- c:\windows\system32\tdlwsp.dll
2009-11-07 05:49 . 2006-11-02 10:33 595446 ----a-w- c:\windows\system32\perfh009.dat
2009-11-07 05:49 . 2006-11-02 10:33 101144 ----a-w- c:\windows\system32\perfc009.dat
2009-11-07 05:45 . 2006-11-02 12:56 67584 --s-a-w- c:\windows\bootstat.dat
2009-11-06 06:43 . 2009-11-06 06:43 -------- d-----w- c:\program files\Trend Micro
2009-11-06 04:07 . 2009-09-10 23:04 8192 d-----w- c:\program files\Spybot - Search & Destroy
2009-11-04 05:15 . 2008-07-23 23:55 8192 d--h--w- c:\program files\InstallShield Installation Information
2009-11-03 05:16 . 2009-05-29 01:06 -------- d-----w- c:\program files\Common Files\Steam
2009-10-30 05:34 . 2009-10-30 05:33 537576 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\aawapi.dll
2009-10-29 04:42 . 2009-02-01 19:56 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-10-29 04:42 . 2008-12-20 20:10 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-10-29 04:42 . 2008-12-20 20:10 28424 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-10-29 04:42 . 2008-12-20 20:10 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2009-10-29 04:41 . 2008-12-20 20:10 -------- d-----w- c:\program files\AVG
2009-10-29 04:41 . 2006-11-02 11:18 4096 d-----w- c:\program files\Common Files\microsoft shared
2009-10-27 19:22 . 2008-12-21 06:32 4096 d-----w- c:\program files\Common Files\Blizzard Entertainment
2009-10-24 06:18 . 2009-06-10 02:55 -------- d-----w- c:\users\HP USER\AppData\Roaming\DivX
2009-10-22 21:29 . 2009-03-14 23:16 -------- d-----w- c:\programdata\Media Center Programs
2009-10-22 19:42 . 2008-12-20 20:13 4096 d-----w- c:\program files\SystemRequirementsLab
2009-10-21 16:39 . 2009-03-11 07:50 8192 d-----w- c:\program files\DivX
2009-10-19 22:31 . 2009-05-26 03:00 2380538 ----a-w- c:\programdata\ArcSoft\Global Deploy\CheckUpdate\ArcConnect.exe
2009-10-14 16:36 . 2006-11-02 11:18 4096 d-----w- c:\program files\Windows Mail
2009-10-13 17:16 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Calendar
2009-10-13 17:16 . 2006-11-02 12:37 4096 d-----w- c:\program files\Windows Sidebar
2009-10-13 17:16 . 2006-11-02 12:37 4096 d-----w- c:\program files\Windows Journal
2009-10-13 17:16 . 2006-11-02 12:37 4096 d-----w- c:\program files\Windows Collaboration
2009-10-13 17:16 . 2006-11-02 12:37 4096 d-----w- c:\program files\Windows Photo Gallery
2009-10-13 17:16 . 2006-11-02 11:18 4096 d-----w- c:\program files\Common Files\System
2009-10-13 17:16 . 2006-11-02 12:37 4096 d-----w- c:\program files\Windows Defender
2009-10-13 17:15 . 2006-11-02 10:25 665600 ----a-w- c:\windows\inf\drvindex.dat
2009-10-03 08:15 . 2009-10-30 05:33 2924848 -c--a-w- c:\programdata\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}\Ad-AwareInstallation.exe
2009-10-01 15:29 . 2009-10-02 20:35 195440 ----a-w- c:\windows\system32\MpSigStub.exe
2009-09-29 18:49 . 2009-01-21 05:00 4096 d-----w- c:\users\HP USER\AppData\Roaming\Apple Computer
2009-09-29 18:41 . 2009-09-29 18:40 4096 d-----w- c:\program files\iTunes
2009-09-29 18:41 . 2009-09-29 18:40 -------- d-----w- c:\programdata\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2009-09-29 18:40 . 2009-09-29 18:40 -------- d-----w- c:\program files\iPod
2009-09-29 18:40 . 2009-01-21 04:57 -------- d-----w- c:\program files\Common Files\Apple
2009-09-29 18:39 . 2009-09-29 18:39 4096 d-----w- c:\program files\QuickTime
2009-09-29 18:35 . 2009-09-29 18:35 79144 ----a-w- c:\programdata\Apple Computer\Installer Cache\iTunes 9.0.1.8\SetupAdmin.exe
2009-09-25 16:41 . 2009-09-25 16:41 90112 ----a-w- c:\windows\system32\dpl100.dll
2009-09-25 16:41 . 2009-09-25 16:41 856064 ----a-w- c:\windows\system32\divx_xx0c.dll
2009-09-25 16:41 . 2009-09-25 16:41 856064 ----a-w- c:\windows\system32\divx_xx07.dll
2009-09-25 16:41 . 2009-09-25 16:41 847872 ----a-w- c:\windows\system32\divx_xx0a.dll
2009-09-25 16:41 . 2009-09-25 16:41 843776 ----a-w- c:\windows\system32\divx_xx16.dll
2009-09-25 16:41 . 2009-09-25 16:41 839680 ----a-w- c:\windows\system32\divx_xx11.dll
2009-09-25 16:41 . 2009-09-25 16:41 696320 ----a-w- c:\windows\system32\DivX.dll
2009-09-14 09:29 . 2009-10-13 22:17 144896 ----a-w- c:\windows\system32\drivers\srv2.sys
2009-09-10 23:05 . 2009-09-10 23:04 4096 d-----w- c:\programdata\Spybot - Search & Destroy
2009-09-10 22:04 . 2009-09-10 22:03 4096 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-09-10 22:04 . 2009-09-10 22:04 4045528 ----a-w- c:\programdata\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-09-10 22:03 . 2009-09-10 22:03 -------- d-----w- c:\users\HP USER\AppData\Roaming\Malwarebytes
2009-09-10 22:03 . 2009-09-10 22:03 -------- d-----w- c:\programdata\Malwarebytes
2009-09-10 19:54 . 2009-09-10 22:03 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 19:53 . 2009-09-10 22:03 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-10 16:48 . 2009-10-13 22:17 218624 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-10 08:08 . 2009-05-29 00:51 4096 d-----w- c:\program files\Microsoft Silverlight
2009-09-04 11:41 . 2009-10-13 22:17 60928 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 00:42 . 2009-08-29 00:42 40448 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2009-08-29 00:42 . 2009-08-29 00:42 2065696 ----a-w- c:\windows\system32\usbaaplrc.dll
2009-08-29 00:27 . 2009-09-02 22:14 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2009-08-29 00:14 . 2009-09-02 22:14 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2009-08-27 05:22 . 2009-10-13 22:17 916480 ----a-w- c:\windows\system32\wininet.dll
2009-08-27 05:17 . 2009-10-13 22:17 109056 ----a-w- c:\windows\system32\iesysprep.dll
2009-08-27 05:17 . 2009-10-13 22:17 71680 ----a-w- c:\windows\system32\iesetup.dll
2009-08-27 03:42 . 2009-10-13 22:17 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2009-08-14 22:04 . 2009-08-14 22:04 239088 ----a-w- c:\users\HP USER\AppData\Roaming\Mozilla\plugins\npgoogletalk.dll
2009-08-14 16:27 . 2009-09-09 16:49 904776 ----a-w- c:\windows\system32\drivers\tcpip.sys
2009-08-14 15:53 . 2009-09-09 16:49 17920 ----a-w- c:\windows\system32\netevent.dll
2009-08-14 13:49 . 2009-09-09 16:49 9728 ----a-w- c:\windows\system32\TCPSVCS.EXE
2009-08-14 13:49 . 2009-09-09 16:49 17920 ----a-w- c:\windows\system32\ROUTE.EXE
2009-08-14 13:49 . 2009-09-09 16:49 11264 ----a-w- c:\windows\system32\MRINFO.EXE
2009-08-14 13:49 . 2009-09-09 16:49 27136 ----a-w- c:\windows\system32\NETSTAT.EXE
2009-08-14 13:49 . 2009-09-09 16:49 8704 ----a-w- c:\windows\system32\HOSTNAME.EXE
2009-08-14 13:49 . 2009-09-09 16:49 19968 ----a-w- c:\windows\system32\ARP.EXE
2009-08-14 13:49 . 2009-09-09 16:49 10240 ----a-w- c:\windows\system32\finger.exe
2009-08-14 13:48 . 2009-09-09 16:49 30720 ----a-w- c:\windows\system32\drivers\tcpipreg.sys
2009-08-14 13:48 . 2009-09-09 16:49 105984 ----a-w- c:\windows\system32\netiohlp.dll
2009-09-25 16:41 . 2009-09-25 16:41 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-09-25 16:41 . 2009-09-25 16:41 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
2008-07-23 23:45 . 2008-07-23 23:45 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{5e5ab302-7f65-44cd-8211-c1d4caaccea3}"= "c:\program files\XfireXO\tbXfir.dll" [2009-10-01 2166296]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-10-16 1119488]

[HKEY_CLASSES_ROOT\clsid\{5e5ab302-7f65-44cd-8211-c1d4caaccea3}]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5e5ab302-7f65-44cd-8211-c1d4caaccea3}]
2009-10-01 22:29 2166296 ----a-w- c:\program files\XfireXO\tbXfir.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-10-16 17:12 1119488 ----a-w- c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{5e5ab302-7f65-44cd-8211-c1d4caaccea3}"= "c:\program files\XfireXO\tbXfir.dll" [2009-10-01 2166296]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-10-16 1119488]

[HKEY_CLASSES_ROOT\clsid\{5e5ab302-7f65-44cd-8211-c1d4caaccea3}]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]
"Steam"="g:\program files\steam\steam.exe" [2009-10-24 1217808]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-09-04 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-09-04 154136]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-09-04 129560]
"atchk"="c:\program files\Intel\AMT\atchk.exe" [2007-06-07 408344]
"PTHOSTTR"="c:\program files\Hewlett-Packard\HP ProtectTools Security Manager\PTHOSTTR.EXE" [2007-01-09 145184]
"IFXSPMGT"="c:\windows\system32\ifxspmgt.exe" [2007-05-23 677408]
"PDF Complete"="c:\program files\PDF Complete\pdfsty.exe" [2008-04-07 318488]
"SetRefresh"="c:\program files\HP\SetRefresh\SetRefresh.exe" [2003-11-20 525824]
"CognizanceTS"="c:\progra~1\HEWLET~1\IAM\Bin\ASTSVCC.dll" [2003-12-22 17920]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-03-28 13687328]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-03-28 92704]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-09-05 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-21 305440]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2007-07-10 1282048]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"ST Recovery Launcher"="c:\windows\SMINST\launcher.exe" [2008-02-22 44168]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\syste m]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"LoadAppInit_DLLs"=1 (0x1)
"AppInit_DLLs"=c:\windows\System32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
SetupExecute REG_MULTI_SZ \0

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ SbHpNp scecli ASWLNPkg

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavaso ft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDef end]
@="Service"

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^GamersFirst LIVE!.lnk.disabled]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\GamersFirst LIVE!.lnk.disabled
backup=c:\windows\pss\GamersFirst LIVE!.lnk.disabled.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^HP Button Manager.lnk.disabled]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\HP Button Manager.lnk.disabled
backup=c:\windows\pss\HP Button Manager.lnk.disabled.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Magic-i.lnk.disabled]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Magic-i.lnk.disabled
backup=c:\windows\pss\Magic-i.lnk.disabled.CommonStartup
backupExtension=.CommonStartup

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"ArcSoft Connection Service"=c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):4c,28,31,66,29,4c,ca,01

R0 Lbd;Lbd;c:\windows\System32\drivers\Lbd.sys [10/29/2009 11:34 PM 64288]
R0 SbAlg;SbAlg;c:\windows\System32\drivers\SbAlg.sys [10/9/2006 2:31 PM 44720]
R0 SbFsLock;SbFsLock;c:\windows\System32\drivers\SbFsLock.sys [6/14/2007 5:22 PM 13184]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\drivers\avgldx86.sys [12/20/2008 2:10 PM 333192]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\System32\drivers\avgtdix.sys [2/1/2009 1:56 PM 360584]
R1 PersonalSecureDrive;PersonalSecureDrive;c:\windows\System32\drivers\psd.sys [4/18/2007 8:32 PM 39080]
R1 RsvLock;RsvLock;c:\windows\System32\drivers\rsvlock.sys [6/13/2007 6:53 PM 5808]
R2 ASBroker;Logon Session Broker;c:\windows\System32\svchost.exe -k Cognizance [1/20/2008 8:24 PM 21504]
R2 ASChannel;Local Communication Channel;c:\windows\System32\svchost.exe -k Cognizance [1/20/2008 8:24 PM 21504]
R2 HpFkCryptService;Drive Encryption Service;c:\program files\Hewlett-Packard\Drive Encryption\HpFkCrypt.exe [7/9/2007 6:03 PM 221184]
R2 pdfcDispatcher;PDF Document Manager;c:\program files\PDF Complete\pdfsvc.exe [7/23/2008 6:04 PM 576024]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [9/10/2009 5:04 PM 1153368]
R2 UNS;Intel(R) Active Management Technology User Notification Service;c:\program files\Intel\AMT\UNS.exe [7/23/2008 5:56 PM 2521880]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [12/20/2008 3:38 PM 24652]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\System32\drivers\b57nd60x.sys [1/20/2008 8:23 PM 179712]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [9/24/2009 5:17 AM 1179232]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\System32\drivers\mbamswissarmy.sys [9/10/2009 4:03 PM 38224]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
S4 avg9emc;AVG Free E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [10/28/2009 10:42 PM 906520]
S4 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [10/28/2009 10:41 PM 285392]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - MBR
*NewlyCreated* - PROCEXP113
*Deregistered* - mbr
*Deregistered* - PROCEXP113

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
Cognizance REG_MULTI_SZ ASBroker ASChannel
.
Contents of the 'Scheduled Tasks' folder

2009-11-07 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-10-01 05:33]

2009-11-05 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1503544569-3812183600-905112783-1000Core.job
- c:\users\HP USER\AppData\Local\Google\Update\GoogleUpdate.exe [2009-05-28 03:28]

2009-11-07 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1503544569-3812183600-905112783-1000UA.job
- c:\users\HP USER\AppData\Local\Google\Update\GoogleUpdate.exe [2009-05-28 03:28]

2009-11-07 c:\windows\Tasks\User_Feed_Synchronization-{44556781-AB48-456F-BC51-53CEDBC5342F}.job
- c:\windows\system32\msfeedssync.exe [2009-10-13 03:41]

2009-11-07 c:\windows\Tasks\User_Feed_Synchronization-{58FA0DAC-DC1B-4526-9344-BDB6BF7FB50C}.job
- c:\windows\system32\msfeedssync.exe [2009-10-13 03:41]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=74&bd=smb&pf=desktop
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=74&bd=smb&pf=desktop
mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=74&bd=smb&pf=desktop
uInternet Settings,ProxyOverride = *.local
IE: &AOL Toolbar Search - c:\programdata\AOL\ieToolbar\resources\en-US\local\search.html
FF - ProfilePath - c:\users\HP USER\AppData\Roaming\Mozilla\Firefox\Profiles\dtfhhoox.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll
FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils 2.dll
FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils 3.dll
FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils 35.dll
FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\xpavgtbapi.dll
FF - component: c:\users\HP USER\AppData\Roaming\Mozilla\Firefox\Profiles\dtfhhoox.default\extensions\{ 5e5ab302-7f65-44cd-8211-c1d4caaccea3}\components\FFExternalAlert.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
FF - plugin: c:\users\HP USER\AppData\Local\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\users\HP USER\AppData\Roaming\Mozilla\plugins\npgoogletalk.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
.
------- File Associations -------
.
regedit=regedit.exe "%1"
.
- - - - ORPHANS REMOVED - - - -

AddRemove-EADM - c:\program files\Electronic Arts\EADM\Uninstall.exe
AddRemove-GamersFirst LIVE! - g:\program files\GamersFirst\LIVE!\uninstall.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-07 00:04
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll atapi.sys >>UNKNOWN [0x86532F61]<<
kernel: MBR read successfully
user & kernel MBR OK

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\pdfcDispatcher]
"ImagePath"="c:\program files\PDF Complete\pdfsvc.exe /startedbyscm:66B66708-40E2BE4D-pdfcService"

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\msiserver]
"ImagePath"="%systemroot%\system32\msiexec /V"

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1503544569-3812183600-905112783-1000\Software\SecuROM\License information*]
"datasecu"=hex:08,92,b8,26,7d,c3,b7,c1,93,e1,04,b8,39,8e,ae,9c,6b,5d,a0,78, 53,
b7,cc,ae,df,6f,de,d0,7a,3f,ff,cf,b5,11,e9,f9,1b,d0,b7,f4,ea,75,0c,f7,f5,4e, \
"rkeysecu"=hex:64,b6,bd,e1,3e,80,9e,c4,40,b4,90,83,87,8e,33,49

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(700)
c:\windows\system32\APSHook.dll

- - - - - - - > 'lsass.exe'(616)
c:\windows\system32\APSHook.dll
c:\windows\SbHpNp.dll
c:\program files\Hewlett-Packard\IAM\bin\ASWLNPkg.dll
c:\program files\Hewlett-Packard\IAM\bin\ItMsg.dll
.
Completion time: 2009-11-07 0:07
ComboFix-quarantined-files.txt 2009-11-07 06:07

Pre-Run: 37,773,987,840 bytes free
Post-Run: 37,725,511,680 bytes free

- - End Of File - - 3107868F3A9AD379E4BABB9388038513

It also told me when it was starting that a parasite was found and to write it down for later it said C:\windows\system32\APSHook.dll was trying to attach itself to combofix.

NeonFx · 07-Nov-2009, 02:26 AM #6

ComboFix didn't do what I hoped it would. I'll have to fix this manually.

Let's do the following because I need some more information:

Download OTS to your Desktop

Close ALL OTHER PROGRAMS.
Double-click on OTS.exe to start the program.
Check the box that says Scan All Users
Under Additional Scans check the following:
- Reg - Desktop Components
- Reg - Disabled MS Config Items
- Reg - NetSvcs
- Reg - Shell Spawning
- Reg - Uninstall List
- File - Lop Check
- File - Purity Scan
- Evnt - EvtViewer (last 10)
Then under the Custom Scans box at the bottom, copy and paste the following:

Code:

%SYSTEMDRIVE%\eventlog.dll /s /md5
%SYSTEMDRIVE%\scecli.dll /s /md5
%SYSTEMDRIVE%\netlogon.dll /s /md5
%SYSTEMDRIVE%\cngaudit.dll /s /md5
%SYSTEMDRIVE%\sceclt.dll /s /md5
%SYSTEMDRIVE%\ntelogon.dll /s /md5
%SYSTEMDRIVE%\logevent.dll /s /md5
%SYSTEMDRIVE%\iaStor.sys /s /md5
%SYSTEMDRIVE%\nvstor.sys /s /md5
%SYSTEMDRIVE%\atapi.sys /s /md5
%SYSTEMDRIVE%\IdeChnDr.sys /s /md5
%SYSTEMDRIVE%\viasraid.sys  /s /md5
%SYSTEMDRIVE%\AGP440.sys /s /md5
%SYSTEMDRIVE%\vaxscsi.sys /s /md5

Now click the Run Scan button on the toolbar.
Let it run unhindered until it finishes.
When the scan is complete Notepad will open with the report file loaded in it.
Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.

To ensure that I get all the information this log will need to be attached. Please attach it to your next reply.

UnbidPaladin · 07-Nov-2009, 04:51 AM #7

Ok here it is hope it helps

NeonFx · 07-Nov-2009, 02:59 PM #8

Alright. Let's try the following now:

1. Close any open open programs before running the fix.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open Notepad (Start > Programs > Accessories) and copy/paste the text in the codebox below into it:

Code:

File::
c:\windows\system32\tdlwsp.dll

Folder::
c:\programdata\nahiyuku
c:\programdata\haferabo
c:\programdata\gafuhelu
c:\programdata\zahoguvi
c:\programdata\pulagawi
c:\programdata\jijoseyi
c:\programdata\kadehiva
c:\programdata\lohuwije
c:\programdata\jeyawipi
c:\programdata\wukunusi
c:\programdata\jekehafe
c:\programdata\vohodoru
c:\programdata\ratanofi
c:\programdata\gipebefu
c:\programdata\bogopani
c:\programdata\yuzogovu
c:\programdata\yaluhitu
c:\programdata\kirufido
c:\programdata\fapolavu

FCopy::
C:\WINDOWS\ERDNT\cache\atapi.sys | C:\WINDOWS\System32\drivers\atapi.sys

KillAll::

MBR::

NOTE: Make sure WordWrap is unchecked in Notepad by clicking on the "Format" menu icon.

Save this as CFScript.txt, in the same location as ComboFix.exe

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

UnbidPaladin · 07-Nov-2009, 10:06 PM #9

Ok here it is

NeonFx · 07-Nov-2009, 10:10 PM **#10**

Looks like we're going to need a bigger hammer. Please do the following:

STEP 1

1. Please download The Avenger by Swandog46 to your Desktop.

Right click on the Avenger.zip folder and select "Extract All..."
Follow the prompts and extract the avenger folder to your desktop

2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Code:

Files to move:
C:\WINDOWS\ERDNT\cache\atapi.sys | C:\WINDOWS\System32\drivers\atapi.sys

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Now, open the avenger folder and start The Avenger program by clicking on its icon.

Right click on the window under Input script here:, and select Paste.
You can also click on this window and press (Ctrl+V) to paste the contents of the clipboard.
Click on Execute
Answer "Yes" twice when prompted.

4. The Avenger will automatically do the following:

It will Restart your computer. ( In cases where the code to execute contains "Drivers to Delete", The Avenger will actually restart your system twice.)
On reboot, it will briefly open a black command window on your desktop, this is normal.
After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt

5. Please copy/paste the content of c:\avenger.txt into your reply.

STEP 2

Run OTS.exe and under the Custom Scans section on the bottom paste the following:

%SYSTEMDRIVE%\atapi.sys /s /md5

Then click on the Quick Scan button at the top. Attach the results of this scan to your next reply.

UnbidPaladin · 07-Nov-2009, 10:39 PM **#11**

This doesn't seem good :\

Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows Vista

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

Error: could not move file "C:\WINDOWS\ERDNT\cache\atapi.sys"
File move operation "C:\WINDOWS\ERDNT\cache\atapi.sys|C:\WINDOWS\System32\drivers\atapi.sys " failed!
Status: 0xc0000022 (STATUS_ACCESS_DENIED)

Completed script processing.

*******************

Finished! Terminate.

UnbidPaladin · 07-Nov-2009, 10:45 PM **#12**

Here's the OTS log.

NeonFx · 07-Nov-2009, 10:46 PM **#13**

Let's try one more time with a different source:

Use this script in Avenger instead:

Code:

Files to move:
C:\WINDOWS\System32\DriverStore\FileRepository\mshdc.inf_cc18792d\atapi.sys | C:\WINDOWS\System32\drivers\atapi.sys

UnbidPaladin · 07-Nov-2009, 10:55 PM **#14**

Ok so I did it with the new script no log popped up this time but two desktop.ini files appeared on my desktop.

NeonFx · 07-Nov-2009, 11:01 PM **#15**

The log is saved at C:\Avenger.txt please attach it if you see it there.

Could you also run OTS again for me with the same custom scan?

%SYSTEMDRIVE%\atapi.sys /s /md5

Click on the Quick Scan button and attach the results

Tag Cloud
access acer asus bios bsod computer crash dns drive driver drivers error ethernet excel freeze games gaming graphics hard drive hardware hdmi internet java laptop malware memory monitor motherboard network printer problem ram random registry router slow software sound trojan usb video virus vista wifi windows windows 7 windows 7 32 bit windows 7 64 bit windows xp wireless

Currently Active Users Viewing This Thread: 1 (0 members and 1 guests)

Find the solution to yourcomputer problem!

Find the solution to your
computer problem!