Old 08-20-2009, 05:45 AM   #1 (permalink)
Registered User
 
Join Date: Aug 2009
Posts: 29
OS: XP


keygen

Hi, in the folder I use to download stuff into I found a folder with the name:

keygen - it was hidden inside a valid looking folder: "[2009][Extension] The XXXXX" - when I looked inside the folder, it said that it was empty.

When I try to delete, it says 'cannot delete'.

I frequently run a2, spybot, lavasoft and avg...none of which find the folder. However, it looks dodgy and it's odd that I can't delete it at all.

Anyway, I've attached the required scans and hopefully someone cleverer than me can sort it out. Thx for the help.

Here's the DDS log:


DDS (Ver_09-07-30.01) - NTFSx86
Run by Jacob Kane at 11:56:54.10 on 20/08/2009
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_14
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2045.1246 [GMT 1:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Kontiki\KService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
C:\Program Files\SiSoftware\SiSoftware Sandra Lite XII.SP2c\RpcAgentSrv.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\RSSoft\RedSwoosh.exe
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\RTDCPL.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\CyberLink\PowerDVD9\PDVD9Serv.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Pidgin\pidgin.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
c:\program files\a-squared free\a2service.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\Jacob Kane\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www1.euro.dell.com/content/default.aspx?c=uk&l=en&s=gen
uWindow Title = Internet Explorer Provided By Sky Broadband
mDefault_Page_URL = hxxp://www1.euro.dell.com/content/default.aspx?c=uk&l=en&s=gen
mSearch Page =
mStart Page = hxxp://uk.yahoo.com
uSearchURL,(Default) = hxxp://uk.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://uk.search.yahoo.com
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn0\yt.dll
uURLSearchHooks: Freecorder Toolbar: {1392b8d2-5c05-419f-a8f6-b9f15a596612} - c:\program files\freecorder\tbFre1.dll
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\progra~1\yahoo!\companion\installs\cpn0\yt.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Freecorder Toolbar: {1392b8d2-5c05-419f-a8f6-b9f15a596612} - c:\program files\freecorder\tbFre1.dll
BHO: Winamp Toolbar Loader: {25cee8ec-5730-41bc-8b58-22ddc8ab8c20} - c:\program files\winamp toolbar\winamptb.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL
BHO: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - No File
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Freecorder Toolbar: {1392b8d2-5c05-419f-a8f6-b9f15a596612} - c:\program files\freecorder\tbFre1.dll
TB: Winamp Toolbar: {ebf2ba02-9094-4c5a-858b-bb198f3d8de2} - c:\program files\winamp toolbar\winamptb.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn0\yt.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [lycosInside] c:\program files\outlook express\lycos\Lyc_SysTray.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [DMXLauncher] c:\program files\dell\media experience\DMXLauncher.exe
mRun: [ISUSPM Startup] "c:\program files\common files\installshield\updateservice\isuspm.exe" -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [<NO NAME>]
mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE
mRun: [MSKDetectorExe] c:\program files\mcafee\spamkiller\MSKDetct.exe /uninstall
mRun: [Red Swoosh] c:\program files\rssoft\RedSwoosh.exe /S
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [CanonMyPrinter] c:\program files\canon\myprinter\BJMyPrt.exe /logon
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [RTDCPL] RTDCPL.EXE
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [RemoteControl9] "c:\program files\cyberlink\powerdvd9\PDVD9Serv.exe"
mRun: [PDVD9LanguageShortcut] "c:\program files\cyberlink\powerdvd9\language\Language.exe"
mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\jacobk~1\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
IE: &Winamp Search - c:\documents and settings\all users\application data\winamp toolbar\ietoolbar\resources\en-us\local\search.html
IE: {08E730A4-FB02-45BD-A900-01E4AD8016F6} - http://www.sky.com
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
Trusted Zone: live.com\safety
DPF: {00000161-0000-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/msaudio.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\yinsthelper.dll
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.safety.live.com/resource/download/scanner/wlscbase969.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1147951983515
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1181736993109
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
TCP: {301BFBB0-15FE-4BA7-A1B7-1074B623CDF5} = 90.207.238.97,90.207.238.99
TCP: {AC23B537-CF21-47EE-A8B3-4608E71D1962} = 90.207.238.97,90.207.238.99
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: {EDB0E980-90BD-11D4-8599-0008C7D3B6F8} - No File

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\jacobk~1\applic~1\mozilla\firefox\profiles\txye72e8.default\
FF - prefs.js: browser.search.selectedEngine - Wikipedia (en)
FF - prefs.js: browser.startup.homepage - hxxp://www.bbc.co.uk/|http://www.metoffice.gov.uk/weather/....youtube.com/| http://www.google.co.uk/
FF - component: c:\documents and settings\jacob kane\application data\mozilla\firefox\profiles\txye72e8.default\extensions\{0b38152b-1b20-484d-a11f-5e04a9b0661f}\components\WinampTBPlayer.dll
FF - component: c:\documents and settings\jacob kane\application data\mozilla\firefox\profiles\txye72e8.default\extensions\{1392b8d2-5c05-419f-a8f6-b9f15a596612}\components\FFAlert.dll
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - plugin: c:\progra~1\yahoo!\common\npyaxmpb.dll
FF - plugin: c:\program files\google\update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npBBCPlugin.dll
FF - plugin: c:\program files\veetle\player\npvlc.dll
FF - plugin: c:\program files\veetle\plugins\npVeetle.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-5-7 64160]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-5-12 335240]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-5-12 27784]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-5-12 108552]
R2 a2free;a-squared Free Service;c:\program files\a-squared free\a2service.exe [2007-6-10 1864824]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2008-7-3 908056]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2008-7-3 297752]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-3-9 1029456]
R2 regi;regi;c:\windows\system32\drivers\regi.sys [2007-4-17 11032]
R2 SandraAgentSrv;SiSoftware Deployment Agent Service;c:\program files\sisoftware\sisoftware sandra lite xii.sp2c\RpcAgentSrv.exe [2008-8-6 98488]
R3 StkMini;AVerTV USB 2.0 Plus Video Capture;c:\windows\system32\drivers\StkMini.sys [2005-2-15 185792]
S2 gupdate1c9ef3e36f44ee2;Google Update Service (gupdate1c9ef3e36f44ee2);c:\program files\google\update\GoogleUpdate.exe [2009-6-17 133104]
S3 s125bus;Sony Ericsson Device 125 driver (WDM);c:\windows\system32\drivers\s125bus.sys [2007-4-24 83336]
S3 s125mdfl;Sony Ericsson Device 125 USB WMC Modem Filter;c:\windows\system32\drivers\s125mdfl.sys [2007-4-24 15112]
S3 s125mdm;Sony Ericsson Device 125 USB WMC Modem Driver;c:\windows\system32\drivers\s125mdm.sys [2007-4-24 108680]
S3 USBDFU;USBDFU;c:\windows\system32\drivers\usbdfu.sys --> c:\windows\system32\drivers\usbdfu.sys [?]

=============== Created Last 30 ================

2009-08-19 14:17 <DIR> --d----- c:\docume~1\jacobk~1\applic~1\AVS4YOU
2009-08-19 14:17 <DIR> --d----- c:\docume~1\alluse~1\applic~1\AVS4YOU
2009-08-19 14:16 <DIR> --d----- c:\program files\common files\AVSMedia
2009-08-19 14:16 <DIR> --d----- c:\program files\AVS4YOU
2009-08-07 23:15 <DIR> --d----- C:\Rustbfix
2009-08-01 16:10 <DIR> --d----- c:\program files\Veetle
2009-07-28 19:44 <DIR> --d----- c:\program files\Microsoft Games for Windows - LIVE

==================== Find3M ====================

2009-08-16 09:18 335,240 a------- c:\windows\system32\drivers\avgldx86.sys
2009-08-16 09:18 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-08-09 21:59 5,852 a--sh--- c:\windows\system32\KGyGaAvL.sys
2009-07-18 17:05 3,069,440 -------- c:\windows\system32\dllcache\mshtml.dll
2009-07-18 17:05 1,509,888 -------- c:\windows\system32\dllcache\shdocvw.dll
2009-06-26 17:50 666,624 a------- c:\windows\system32\wininet.dll
2009-06-26 17:50 666,624 -------- c:\windows\system32\dllcache\wininet.dll
2009-06-26 17:50 620,032 -------- c:\windows\system32\dllcache\urlmon.dll
2009-06-26 17:50 81,920 a------- c:\windows\system32\ieencode.dll
2009-06-26 17:50 81,920 -------- c:\windows\system32\dllcache\ieencode.dll
2009-06-17 12:24 499,712 a------- c:\windows\system32\msvcp71.dll
2009-06-16 15:36 119,808 a------- c:\windows\system32\t2embed.dll
2009-06-16 15:36 81,920 a------- c:\windows\system32\fontsub.dll
2009-06-16 15:36 119,808 -------- c:\windows\system32\dllcache\t2embed.dll
2009-06-16 15:36 81,920 -------- c:\windows\system32\dllcache\fontsub.dll
2009-06-03 20:09 1,291,264 a------- c:\windows\system32\quartz.dll
2009-06-03 20:09 1,291,264 -------- c:\windows\system32\dllcache\quartz.dll
2009-05-28 00:34 15,688 a------- c:\windows\system32\lsdelete.exe
2009-05-24 14:32 107,888 a------- c:\windows\system32\CmdLineExt.dll
2009-04-01 16:20 2,516 a--sh--- c:\docume~1\alluse~1\applic~1\KGyGaAvL.sys
2009-04-01 16:19 88 ---shr-- c:\docume~1\alluse~1\applic~1\E3B38BD04F.sys
2009-03-07 13:30 22,328 a------- c:\docume~1\jacobk~1\applic~1\PnkBstrK.sys
2009-02-25 16:25 1,024 a------- c:\docume~1\alluse~1\applic~1\1pdfspl.dll
2006-08-19 20:13 186 a--shr-- c:\windows\Regbak.dat
2006-05-14 16:56 88 ---shr-- c:\windows\system32\5CDEC84848.sys
2006-10-16 16:19 8 ---shr-- c:\windows\system32\E3B38BD04F.sys

============= FINISH: 11:57:22.69 ===============
Attached Files
File Type: zip ark.zip (395 Bytes, 1 views)
File Type: zip Attach.zip (4.0 KB, 2 views)
priapus is offline  
Old 08-24-2009, 12:30 PM   #2 (permalink)
Registered User
 
Join Date: Aug 2009
Posts: 29
OS: XP


Re: keygen

Hi, is there any reason why no one has replied to this thread? Did I do something wrong? If I did, I'd like to know what...

On the other hand, if the reason is simply because no one can be bothered to reply, then just say so and I'll go on my merry way. Thx.
priapus is offline  
Old 08-24-2009, 01:12 PM   #3 (permalink)
Analyst, Security Team
 
Join Date: Dec 2007
Location: Lincoln UK
Posts: 2,265
OS: Windows 7 Premium x64

Re: keygen

Howdy there and welcome to TSF Forums

Thank you for your patience.

Quote:
Did I do something wrong?
You have not done anything wrong. TSF is a very busy forum and we do our best to answer all logs posted.

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. It is IMPORTANT that you don't miss a step. Please perform everything in the correct order/sequence.

Vista users, please make sure you run all commands with administrator rights (right click icon - run as administrator).

Please Subscribe to this Thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant notification by email, then click Add Subscription

Please note that the forum is very busy and if I don't hear from you within three days from this initial posting then the thread will be closed.

We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/comb...o-use-combofix

* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Please include the C:\ComboFix.txt in your next reply for further review.
__________________
If we have helped you then please consider donating

Proud Member of ASAP & UNITE Since 2007
sjb007 is offline  
Old 08-26-2009, 09:39 AM   #4 (permalink)
Registered User
 
Join Date: Aug 2009
Posts: 29
OS: XP


Re: keygen

OK, I ran the combo fix. I don't think it's found anything. On the one hand, that's good but also a bit odd that folder "[2009][Extension] The XXXXX" is still present. Any ideas? Thx.
priapus is offline  
Old 08-26-2009, 09:44 AM   #5 (permalink)
Registered User
 
Join Date: Aug 2009
Posts: 29
OS: XP


Re: keygen

Sorry, forgot to affix the combofix report
Attached Files
File Type: txt ComboFix.txt (18.7 KB, 1 views)
priapus is offline  
Old 08-26-2009, 10:12 AM   #6 (permalink)
Analyst, Security Team
 
Join Date: Dec 2007
Location: Lincoln UK
Posts: 2,265
OS: Windows 7 Premium x64

Re: keygen

Hi there

Regarding the folder you mention, do you have the full folder location?

Open NOTEPAD.exe and copy/paste the text in the quotebox below into it:

Quote:
@echo off
rem Remove any log left over from a previous run
if exist "%temp%\log.txt" del "%temp%\log.txt"

rem Loop over each listed file: delete it regardless of its attributes
rem (/a), force read-only files (/f), no prompt (/q), and record any
rem file that still exists afterwards
for %%g in (

"c:\windows\system32\5CDEC84848.sys"
"c:\windows\system32\E3B38BD04F.sys"

) do (
del /a/f/q %%g >nul 2>&1
if exist %%g echo.%%~g>>"%temp%\log.txt"
)


rem Show the surviving files in Notepad, otherwise report success
if exist "%temp%\log.txt" ( start notepad "%temp%\log.txt"
) else echo.Deleted Successfully !!

pause
rem The batch file deletes itself when done
del %0
Save this as fix.bat. Choose "Save type as - All Files".
It should look like this:
Double click on fix.bat & allow it to run

Post back to tell me what it says

Please download ATF Cleaner by Atribune.

Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

If you use Firefox browser
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

Establish an internet connection & perform an online scan with Internet Explorer at Kaspersky Online Scanner.

Please note that this may take some time to complete

**Vista users - right click IE/Firefox icon and run as administrator

Click Accept, when prompted to download and install the program files and database of malware definitions.
  • Click Run at the Security prompt.
  • The program will then begin downloading and installing and will also update the database.
  • Please be patient as this can take several minutes.
  • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.
  • Click the Save Report As... button.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.

This animation will guide you through the process:


**Note**

To optimize scanning time and produce a more sensible report for review:
Close any open programs
Turn off the real time scanner of any existing antivirus program while performing the online scan. You may disconnect from the internet once you begin the scan.

Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.

NB - Please post any further logs directly into your reply rather than as attachments as this makes it easier for analysis -Thanks
sjb007 is offline  
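As an added illustration, not part of the thread and not a tool either participant used: a small Python parser for the DDS "Find3M" section that pulls out entries with both the hidden and system attributes set (the attribute pattern shared by the two files the batch script above targets) and lists file names that recur in more than one location. The sample lines are copied from the log posted earlier in this thread; the meaning of the attribute letters (a=archive, s=system, h=hidden, r=read-only) is an assumption about the DDS layout.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample input: a few lines in the DDS "Find3M" layout, copied from
# the log the original poster put in this thread (date, time, size, attributes, path).
SAMPLE_FIND3M = r"""
2009-08-16 09:18 335,240 a------- c:\windows\system32\drivers\avgldx86.sys
2009-08-09 21:59 5,852 a--sh--- c:\windows\system32\KGyGaAvL.sys
2009-07-18 17:05 3,069,440 -------- c:\windows\system32\dllcache\mshtml.dll
2009-04-01 16:19 88 ---shr-- c:\docume~1\alluse~1\applic~1\E3B38BD04F.sys
2006-08-19 20:13 186 a--shr-- c:\windows\Regbak.dat
2006-05-14 16:56 88 ---shr-- c:\windows\system32\5CDEC84848.sys
2006-10-16 16:19 8 ---shr-- c:\windows\system32\E3B38BD04F.sys
"""

# Assumed layout: date, time, size with thousands separators, an eight-character
# attribute field (a letter marks a set attribute, '-' a clear one), then the path.
LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}) "
    r"(?P<size>[\d,]+) (?P<attrs>[a-z-]{8}) (?P<path>\S.*)$"
)


@dataclass(frozen=True)
class Entry:
    date: str
    size: int
    flags: frozenset
    path: str

    @property
    def basename(self):
        # Lower-cased file name, so the same name in two folders groups together
        return self.path.rsplit("\\", 1)[-1].lower()


def parse_find3m(text):
    """Parse Find3M lines into Entry objects; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        flags = frozenset(c for c in m["attrs"] if c != "-")
        size = int(m["size"].replace(",", ""))
        entries.append(Entry(m["date"], size, flags, m["path"]))
    return entries


def hidden_system(entries):
    """Entries with both the system and hidden attributes set, smallest first.

    Tiny hidden+system files with opaque names are what an analyst looks at
    first; ties keep the order they had in the log.
    """
    return sorted((e for e in entries if {"s", "h"} <= e.flags), key=lambda e: e.size)


def duplicate_basenames(entries):
    """Map file name -> list of paths, keeping only names seen in more than one location."""
    groups = defaultdict(list)
    for e in entries:
        groups[e.basename].append(e.path)
    return {name: paths for name, paths in groups.items() if len(paths) > 1}


if __name__ == "__main__":
    flagged = hidden_system(parse_find3m(SAMPLE_FIND3M))
    for e in flagged:
        print(f"{e.size:>6} {''.join(sorted(e.flags)):<4} {e.path}")
    for name, paths in duplicate_basenames(flagged).items():
        print(f"{name} appears in {len(paths)} locations: {paths}")
```

The output is a triage list, not a verdict: a hidden system file may be a legitimate licensing or backup artefact, so each flagged path still needs to be checked before anything is deleted.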
Old 08-26-2009, 10:20 AM   #7 (permalink)
Registered User
 
Join Date: Aug 2009
Posts: 29
OS: XP


Re: keygen

OK, I did the first part and it said deleted successfully, press any key to continue.
priapus is offline  
Old 08-26-2009, 10:55 AM   #8 (permalink)
Analyst, Security Team
 
Join Date: Dec 2007
Location: Lincoln UK
Posts: 2,265
OS: Windows 7 Premium x64

Re: keygen

That's great

I will await the results of the Kaspersky scan before issuing further instructions
sjb007 is offline  
Old 08-26-2009, 11:03 AM   #9 (permalink)
Registered User
 
Join Date: Aug 2009
Posts: 29
OS: XP


Re: keygen

I can't get this Kaspersky thing to work - it keeps saying the key has expired.

Also, as to the location of the folder in question, it's in the download folder I use to download academic journals.
priapus is offline  
Old 08-26-2009, 11:14 AM   #10 (permalink)
Analyst, Security Team
 
Join Date: Dec 2007
Location: Lincoln UK
Posts: 2,265
OS: Windows 7 Premium x64

Re: keygen

Let's try a different scanner instead....

Perform an online scan with Panda ActiveScan
  • Click on Scan Your PC Now
  • A "pop up" window will appear, or a new tab will open.
  • Click on Register
  • Choose the option you like most, but we recommend the Free Registration.
  • Click on Register
  • Enter your e-mail address, and create a password.
  • Select "I do not want to receive any type of information". (unless you want to receive such information)
  • Click on Send
  • Confirm registration, and continue by entering your user name and password, then click on Enter
  • Select Full Scan, then Click on Scan Now
  • Wait for the components to be loaded and installed. Don't close this window or go to another page while it is downloading. You can continue using the Internet by opening another window in your browser.
  • If it finds any malware it can disinfect, the Disinfect button will be enabled. Click on Disinfect
  • Please ignore the offer to buy the program. Click on Export To
  • Export the log and save it to your desktop.
  • Please post the contents of that log to your reply.
* Turn off the real time scanner of any existing antivirus program while performing the online scan.

Avast users note:

Please do continue with the online scan at Panda if you receive an alert. It is a false positive from Avast because Panda Antivirus does not encrypt its virus database.


Regarding the folder, I need to know the full folder path ie: C:\Documents and Settings\Owner\Downloads
sjb007 is offline  
Old 08-26-2009, 11:34 AM   #11 (permalink)
Registered User
 
Join Date: Aug 2009
Posts: 29
OS: XP


Re: keygen

OK, got that scanning - I don't know how long it will take. Like I said earlier though, I frequently update and run a2, spybot, adaware and avg. So that should help you to discount possibilities. Thx btw for the support.
priapus is offline  
Old 08-26-2009, 02:24 PM   #12 (permalink)
Registered User
 
Join Date: Aug 2009
Posts: 29
OS: XP


Re: keygen

Hi again, here are the results of that scan. Again it doesn't appear to have found what I was looking for.

In emule, when you do a search for anything, some results will automatically appear in the search list which are obviously not the results that one is looking for - in fact they're probably viruses of some sort. Anyway, I think I may have accidentally downloaded one of those files and opened it, and that's the reason that folder is there. Oddly, however, as I stated before, there's nothing inside the folder that I can see??
Attached Files
File Type: zip ActiveScan.zip (715 Bytes, 2 views)
priapus is offline  
Old 08-26-2009, 02:29 PM   #13 (permalink)
Registered User
 
Join Date: Aug 2009
Posts: 29
OS: XP


Re: keygen

I also just changed the folder attributes to hidden - thinking that there might be a hidden file somewhere - now, the folder icon has disappeared, and the icon for undetermined file took its place - then, I deleted it and now it's completely gone??? Is that it?
priapus is offline  
Old 08-26-2009, 02:31 PM   #14 (permalink)
Registered User
 
Join Date: Aug 2009
Posts: 29
OS: XP


Re: keygen

***! Now, it's reappeared again - something is causing it to reinstall - sounds like a hotkey function that hasn't been detected by any of the software yet.
priapus is offline  
Old 08-27-2009, 09:01 AM   #15 (permalink)
Registered User
 
Join Date: Aug 2009
Posts: 29
OS: XP


Re: keygen

Hi, anything from that last scan? Thx.
priapus is offline  
Old 08-27-2009, 10:22 AM   #16 (permalink)
Analyst, Security Team
 
Join Date: Dec 2007
Location: Lincoln UK
Posts: 2,265
OS: Windows 7 Premium x64

Re: keygen

Hi there

Regarding this folder, can you take a screen shot of it at all?

Just one item showing in the last scan.

Close any open browsers.

Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Open notepad and copy/paste the text in the quotebox below into it:

Code:
File::
C:\Program Files\RSSoft\AdminTool.exe
Save this as CFScript.txt, in the same location as ComboFix.exe



Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply

Please copy and paste the results directly into your reply rather than add as attachment as this makes it easier for analysis.
sjb007 is offline  
Old 08-30-2009, 06:54 PM   #17 (permalink)
Registered User
 
Join Date: Aug 2009
Posts: 29
OS: XP


Re: keygen

Hi, I will follow this up very soon - please, don't delete the post. Thx.
Old 09-01-2009, 01:48 PM   #18 (permalink)
Registered User
 
Join Date: Aug 2009
Posts: 29
OS: XP


Re: keygen

Pics of problematic folder attached.
Attached Images
File Type: jpg extension.jpg (580.8 KB, 8 views)
File Type: jpg keygen.jpg (145.7 KB, 5 views)
Old 09-01-2009, 01:49 PM   #19 (permalink)
Registered User
 
Join Date: Aug 2009
Posts: 29
OS: XP


Re: keygen

ComboFix 09-08-25.05 - Jacob Kane 01/09/2009 20:12.2.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2045.1091 [GMT 1:00]
Running from: c:\documents and settings\Jacob Kane\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Jacob Kane\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((( Files Created from 2009-08-01 to 2009-09-01 )))))))))))))))))))))))))))))))
.

2009-09-01 11:01 . 2009-09-01 11:01 62 ---ha-w- C:\aaw7boot.cmd
2009-08-26 17:32 . 2008-06-19 16:24 28544 ----a-w- c:\windows\system32\drivers\pavboot.sys
2009-08-26 17:32 . 2009-08-26 17:32 -------- d-----w- c:\program files\Panda Security
2009-08-26 17:20 . 2009-07-10 13:27 1315328 ------w- c:\windows\system32\dllcache\msoe.dll
2009-08-19 13:17 . 2009-08-19 13:17 -------- d-----w- c:\documents and settings\Jacob Kane\Application Data\AVS4YOU
2009-08-19 13:17 . 2009-08-19 13:17 -------- d-----w- c:\documents and settings\All Users\Application Data\AVS4YOU
2009-08-19 13:16 . 2009-08-19 13:26 -------- d-----w- c:\program files\Common Files\AVSMedia
2009-08-19 13:16 . 2009-08-19 13:26 -------- d-----w- c:\program files\AVS4YOU
2009-08-07 22:15 . 2009-08-07 22:15 -------- d-----w- C:\Rustbfix
2009-08-05 09:01 . 2009-08-05 09:01 204800 ------w- c:\windows\system32\dllcache\mswebdvd.dll
2009-08-04 21:41 . 2009-08-04 21:41 152576 ----a-w- c:\documents and settings\Jacob Kane\Application Data\Sun\Java\jre1.6.0_15\lzma.dll
2009-08-03 13:39 . 2009-08-03 13:39 2095 ----a-w- c:\documents and settings\Jacob Kane\Application Data\.purple\certificates\x509\tls_peers\login.live.com

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-01 19:18 . 2008-05-01 13:45 -------- d-----w- c:\documents and settings\All Users\Application Data\Kontiki
2009-09-01 19:06 . 2009-01-14 13:08 -------- d-----w- c:\documents and settings\Jacob Kane\Application Data\.purple
2009-09-01 02:16 . 2006-08-06 00:22 -------- d-----w- c:\program files\a-squared Free
2009-08-31 22:06 . 2009-07-30 13:16 -------- d-----w- c:\documents and settings\Jacob Kane\Application Data\vlc
2009-08-31 20:27 . 2006-08-23 09:58 -------- d-----w- c:\program files\RSSoft
2009-08-26 20:38 . 2006-05-15 14:56 -------- d-----w- c:\program files\YahELite
2009-08-23 14:58 . 2009-06-27 08:19 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar
2009-08-16 08:18 . 2008-05-12 19:42 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-08-16 08:18 . 2008-05-12 19:42 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-08-16 08:18 . 2008-05-12 19:42 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-08-13 20:32 . 2006-06-23 14:12 -------- d-----w- c:\program files\EggTimerPlus
2009-08-09 20:59 . 2006-07-07 10:19 5852 --sha-w- c:\windows\system32\KGyGaAvL.sys
2009-08-09 20:59 . 2006-05-21 21:05 56 --sh--r- c:\windows\system32\4FD08BB3E3.sys
2009-08-05 15:33 . 2007-10-10 14:09 -------- d-----w- c:\documents and settings\All Users\Application Data\CanonIJPLM
2009-08-05 09:01 . 2004-08-10 11:51 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-02 21:39 . 2007-03-09 02:04 -------- d-----w- c:\documents and settings\Jacob Kane\Application Data\dvdcss
2009-08-01 15:10 . 2009-08-01 15:10 -------- d-----w- c:\program files\Veetle
2009-08-01 10:55 . 2006-05-13 13:39 -------- d-----w- c:\documents and settings\Jacob Kane\Application Data\AdobeUM
2009-08-01 10:53 . 2008-04-29 15:05 -------- d-----w- c:\program files\Microsoft Silverlight
2009-07-30 08:03 . 2008-04-24 17:14 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-07-28 18:44 . 2009-07-28 18:44 -------- d-----w- c:\program files\Microsoft Games for Windows - LIVE
2009-07-24 22:50 . 2009-04-16 15:35 13559 ----a-w- c:\documents and settings\All Users\Application Data\xmlC9.tmp
2009-07-24 22:50 . 2009-04-08 11:56 2311 ----a-w- c:\documents and settings\All Users\Application Data\xml43D.tmp
2009-07-24 22:50 . 2008-08-06 12:24 8858 ----a-w- c:\documents and settings\All Users\Application Data\xml25.tmp
2009-07-17 19:01 . 2004-08-10 11:50 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-13 22:43 . 2004-08-10 11:51 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-06 15:19 . 2009-06-18 09:02 25440 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\savapibridge.dll
2009-07-06 15:18 . 2009-06-18 09:02 1630560 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\Resources.dll
2009-07-06 15:15 . 2009-06-18 09:02 2353480 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\Ad-Aware.exe
2009-06-26 16:50 . 2004-08-10 11:51 666624 ------w- c:\windows\system32\wininet.dll
2009-06-26 16:50 . 2004-08-10 11:51 81920 ----a-w- c:\windows\system32\ieencode.dll
2009-06-24 16:00 . 2009-06-24 16:00 1089 ----a-w- c:\documents and settings\Jacob Kane\Application Data\.purple\certificates\x509\tls_peers\login.yahoo.com
2009-06-24 16:00 . 2009-06-24 16:00 2141 ----a-w- c:\documents and settings\Jacob Kane\Application Data\.purple\certificates\x509\tls_peers\omega.contacts.msn.com
2009-06-17 21:45 . 2006-05-14 15:56 48888 ----a-w- c:\documents and settings\Jacob Kane\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-06-17 11:24 . 2003-03-18 19:14 499712 ----a-w- c:\windows\system32\msvcp71.dll
2009-06-16 14:36 . 2004-08-10 11:51 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-16 14:36 . 2004-08-10 11:51 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-14 15:07 . 2009-06-29 12:49 1004800 ----a-w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar\IEToolbar.dll
2009-06-12 12:31 . 2004-08-10 11:51 76288 ----a-w- c:\windows\system32\telnet.exe
2009-06-11 10:51 . 2009-06-11 10:51 152576 ----a-w- c:\documents and settings\Jacob Kane\Application Data\Sun\Java\jre1.6.0_14\lzma.dll
2009-06-10 14:13 . 2004-08-10 11:50 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-06-10 08:19 . 2004-08-10 12:01 2066432 ----a-w- c:\windows\system32\mstscax.dll
2009-06-10 06:14 . 2004-08-10 11:51 132096 ----a-w- c:\windows\system32\wkssvc.dll
2006-08-19 19:13 . 2006-08-19 19:13 186 --sha-r- c:\windows\Regbak.dat
.

((((((((((((((((((((((((((((( SnapShot@2009-08-26_15.04.10 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-08-27 02:13 . 2009-08-27 02:13 16384 c:\windows\Temp\Perflib_Perfdata_2a0.dat
+ 2007-01-29 08:58 . 2009-07-14 11:03 46080 c:\windows\system32\tzchange.exe
+ 2006-05-18 11:34 . 2007-07-27 09:41 26488 c:\windows\system32\spupdsvc.exe
- 2006-05-18 11:34 . 2007-11-30 11:18 26488 c:\windows\system32\spupdsvc.exe
+ 2007-04-23 12:04 . 2008-07-08 13:02 17272 c:\windows\system32\spmsg.dll
- 2007-04-23 12:04 . 2009-05-26 11:40 17272 c:\windows\system32\spmsg.dll
+ 2009-06-12 12:31 . 2009-06-12 12:31 76288 c:\windows\system32\dllcache\telnet.exe
+ 2009-06-10 14:13 . 2009-06-10 14:13 84992 c:\windows\system32\dllcache\avifil32.dll
+ 2009-07-17 19:01 . 2009-07-17 19:01 58880 c:\windows\system32\dllcache\atl.dll
+ 2004-08-10 11:51 . 2009-07-13 22:43 286208 c:\windows\system32\dllcache\wmpdxm.dll
+ 2009-06-10 06:14 . 2009-06-10 06:14 132096 c:\windows\system32\dllcache\wkssvc.dll
+ 2009-08-27 07:57 . 2009-08-27 07:57 237568 c:\windows\ERDNT\AutoBackup\27-08-2009\Users\00000002\UsrClass.dat
+ 2009-08-27 07:57 . 2005-10-20 11:02 163328 c:\windows\ERDNT\AutoBackup\27-08-2009\ERDNT.EXE
+ 2009-08-26 17:18 . 2009-08-26 17:18 237568 c:\windows\ERDNT\AutoBackup\26-08-2009\Users\00000002\UsrClass.dat
+ 2009-08-26 17:18 . 2005-10-20 11:02 163328 c:\windows\ERDNT\AutoBackup\26-08-2009\ERDNT.EXE
+ 2009-06-10 08:19 . 2009-06-10 08:19 2066432 c:\windows\system32\dllcache\mstscax.dll
+ 2009-08-27 07:57 . 2009-08-27 07:57 9170944 c:\windows\ERDNT\AutoBackup\27-08-2009\Users\00000001\ntuser.dat
+ 2009-08-26 17:18 . 2009-08-26 17:18 9154560 c:\windows\ERDNT\AutoBackup\26-08-2009\Users\00000001\ntuser.dat
+ 2004-08-10 11:51 . 2009-07-13 22:43 10841088 c:\windows\system32\wmp.dll
+ 2006-05-18 11:41 . 2009-07-30 00:49 24281536 c:\windows\system32\MRT.exe
+ 2004-08-10 11:51 . 2009-07-13 22:43 10841088 c:\windows\system32\dllcache\wmp.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{1392b8d2-5c05-419f-a8f6-b9f15a596612}"= "c:\program files\Freecorder\tbFre1.dll" [2008-07-08 1569304]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-07-24 1090816]

[HKEY_CLASSES_ROOT\clsid\{1392b8d2-5c05-419f-a8f6-b9f15a596612}]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1392b8d2-5c05-419f-a8f6-b9f15a596612}]
2008-07-08 20:34 1569304 ----a-w- c:\program files\Freecorder\tbFre1.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-07-24 08:55 1090816 ----a-w- c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{1392b8d2-5c05-419f-a8f6-b9f15a596612}"= "c:\program files\Freecorder\tbFre1.dll" [2008-07-08 1569304]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-07-24 1090816]

[HKEY_CLASSES_ROOT\clsid\{1392b8d2-5c05-419f-a8f6-b9f15a596612}]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{1392B8D2-5C05-419F-A8F6-B9F15A596612}"= "c:\program files\Freecorder\tbFre1.dll" [2008-07-08 1569304]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-07-24 1090816]

[HKEY_CLASSES_ROOT\clsid\{1392b8d2-5c05-419f-a8f6-b9f15a596612}]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"lycosInside"="c:\program files\Outlook Express\lycos\Lyc_SysTray.exe" [2006-05-23 332840]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2005-10-05 94208]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
"MSKDetectorExe"="c:\program files\McAfee\SpamKiller\MSKDetct.exe" [2005-08-12 1121792]
"Red Swoosh"="c:\program files\RSSoft\RedSwoosh.exe" [2006-08-14 61325]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-02-18 13680640]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2007-04-03 1603152]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-08-16 2007832]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-02-18 86016]
"RemoteControl9"="c:\program files\CyberLink\PowerDVD9\PDVD9Serv.exe" [2009-02-16 87336]
"PDVD9LanguageShortcut"="c:\program files\CyberLink\PowerDVD9\Language\Language.exe" [2008-10-13 50472]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-07-01 520024]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-21 148888]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-06-17 198160]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2009-02-18 1657376]
"RTDCPL"="RTDCPL.EXE" - c:\windows\system32\RTDCPL.exe [2005-07-08 12298240]
"SoundMan"="SOUNDMAN.EXE" - c:\windows\soundman.exe [2007-04-16 577536]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\Jacob Kane\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 29696]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-16 08:18 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickTV.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\QuickTV.lnk
backup=c:\windows\pss\QuickTV.lnkCommon Startup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\StubInstaller.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\K-litePro\\k-litepro.exe"=
"c:\\Program Files\\Valve\\Steam\\Steam.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Kontiki\\KService.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\SiSoftware\\SiSoftware Sandra Lite XII.SP2c\\RpcAgentSrv.exe"=
"c:\\Program Files\\Winamp Remote\\bin\\Orb.exe"=
"c:\\Program Files\\Winamp Remote\\bin\\OrbTray.exe"=
"c:\\Program Files\\Winamp Remote\\bin\\OrbStreamerClient.exe"=
"c:\\Program Files\\Retrospect\\Retrospect 7.5\\Retrospect.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\eMule\\emule.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\Corel\\DVD9\\WinDVD.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\jacobkane2002\\codename gordon\\cg.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\jacobkane2002\\darwinia demo\\darwinia.exe"=
"c:\\Program Files\\TVAnts\\Tvants.exe"=
"c:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
"c:\\Program Files\\SopCast\\SopCast.exe"=
"c:\\Program Files\\Electronic Arts\\EADM\\Core.exe"=
"c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
"c:\\Program Files\\Spotify\\spotify.exe"=
"c:\\Program Files\\SiSoftware\\SiSoftware Sandra Lite XII.SP2c\\WNt500x86\\RpcSandraSrv.exe"=
"c:\\Program Files\\Bethesda Softworks\\Fallout 3\\Fallout3.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9420:TCP"= 9420:TCP:Red Swoosh
"5000:UDP"= 5000:UDP:Red Swoosh
"10501:UDP"= 10501:UDP:muleudp
"10500:TCP"= 10500:TCP:muletcp
"2300:UDP"= 2300:UDP:A0E3UDP
"110:TCP"= 110:TCP:lycos mail
"110:UDP"= 110:UDP:lycosmail2

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [07/05/2009 16:14 64160]
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [26/08/2009 18:32 28544]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [12/05/2008 20:42 335240]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [12/05/2008 20:42 108552]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [03/07/2008 11:41 908056]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [03/07/2008 11:41 297752]
R2 regi;regi;c:\windows\system32\drivers\regi.sys [17/04/2007 20:09 11032]
R2 SandraAgentSrv;SiSoftware Deployment Agent Service;c:\program files\SiSoftware\SiSoftware Sandra Lite XII.SP2c\RpcAgentSrv.exe [06/08/2008 13:24 98488]
R3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [09/03/2009 20:06 1029456]
R3 StkMini;AVerTV USB 2.0 Plus Video Capture;c:\windows\system32\drivers\StkMini.sys [15/02/2005 16:44 185792]
S2 gupdate1c9ef3e36f44ee2;Google Update Service (gupdate1c9ef3e36f44ee2);c:\program files\Google\Update\GoogleUpdate.exe [17/06/2009 12:24 133104]
S3 USBDFU;USBDFU;c:\windows\system32\drivers\usbdfu.sys --> c:\windows\system32\drivers\usbdfu.sys [?]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - PAVBOOT
.
Contents of the 'Scheduled Tasks' folder

2009-08-31 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 23:27]

2009-08-31 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2009-08-31 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-06-17 11:24]

2009-09-01 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-06-17 11:24]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www1.euro.dell.com/content/default.aspx?c=uk&l=en&s=gen
mStart Page = hxxp://uk.yahoo.com
uSearchURL,(Default) = hxxp://uk.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://uk.search.yahoo.com
IE: &Winamp Search - c:\documents and settings\All Users\Application Data\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
IE: {{08E730A4-FB02-45BD-A900-01E4AD8016F6} - http://www.sky.com
Trusted Zone: live.com\safety
TCP: {301BFBB0-15FE-4BA7-A1B7-1074B623CDF5} = 90.207.238.97,90.207.238.99
TCP: {AC23B537-CF21-47EE-A8B3-4608E71D1962} = 90.207.238.97,90.207.238.99
FF - ProfilePath - c:\documents and settings\Jacob Kane\Application Data\Mozilla\Firefox\Profiles\txye72e8.default\
FF - prefs.js: browser.search.selectedEngine - eBay.co.uk
FF - prefs.js: browser.startup.homepage - hxxp://www.bbc.co.uk/|http://www.metoffice.gov.uk/weather/....youtube.com/| http://www.google.co.uk/
FF - component: c:\documents and settings\Jacob Kane\Application Data\Mozilla\Firefox\Profiles\txye72e8.default\extensions\{0b38152b-1b20-484d-a11f-5e04a9b0661f}\components\WinampTBPlayer.dll
FF - component: c:\documents and settings\Jacob Kane\Application Data\Mozilla\Firefox\Profiles\txye72e8.default\extensions\{1392b8d2-5c05-419f-a8f6-b9f15a596612}\components\FFAlert.dll
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - plugin: c:\progra~1\Yahoo!\Common\npyaxmpb.dll
FF - plugin: c:\program files\Google\Update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npBBCPlugin.dll
FF - plugin: c:\program files\Veetle\Player\npvlc.dll
FF - plugin: c:\program files\Veetle\plugins\npVeetle.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-01 20:18
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-3124801700-709339766-2285636846-1006\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:4f,78,0f,02,4c,31,c2,07,35,76,8d,3e,fb,ee,53,92,60,03,fb,ef,b2,f7,76,
83,a2,47,65,7c,dc,ee,88,ff,82,54,47,ee,32,7b,49,57,3d,39,77,46,0c,6a,ce,7c,\
"??"=hex:cf,55,c7,95,2b,14,4d,f8,66,7b,0c,1b,19,52,fe,22

[HKEY_USERS\S-1-5-21-3124801700-709339766-2285636846-1006\Software\SecuROM\License information*]
"datasecu"=hex:6c,c0,79,63,93,e2,a7,28,6c,76,5c,66,f9,4c,30,38,8a,bc,0e,52,bd,
7d,52,99,53,dc,f9,97,b2,ea,2d,28,08,1c,18,80,01,99,e6,41,e8,3a,f5,43,38,03,\
"rkeysecu"=hex:cf,fd,36,ed,8f,83,8f,67,d5,d5,68,a4,04,da,e7,c7
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(11600)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-09-01 20:21
ComboFix-quarantined-files.txt 2009-09-01 19:21

Pre-Run: 67,216,232,448 bytes free
Post-Run: 67,271,733,248 bytes free

Current=1 Default=1 Failed=0 LastKnownGood=4 Sets=1,2,3,4
285 --- E O F --- 2009-08-27 02:07
Old 09-02-2009, 01:11 AM   #20 (permalink)
Analyst, Security Team
 
Join Date: Dec 2007
Location: Lincoln UK
Posts: 2,265
OS: Windows 7 Premium x64


Re: keygen

Hi there

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2
  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:

    Code:
    :folderfind
    *2009*
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop, entitled SystemLook.txt
Copyright 2001 - 2009, Tech Support Forum