eightyd11

My main problem is that my applications with literally delete themselves. After I install programs a couple hours later when i try to open it again its not there. Usually only a few of essential files are missing. This has happened to me with iTunes, Utorrent, VLC media player, Warcraft III, Stopzilla, and Ventrilo.

At first I wasn't sure if files were actually being deleted or they just weren't being recognized, but I tested it and files literally would be in the folder and then they would disapear (sometimes in the middle of using the application which results in it crashing) Also, it seems to be only the applications that I am using.

When i run virus scans on stopzilla the same ones usually come up even tho stopzilla says it deletes it - one in particular: Haxdoor, heard of it? Antivirus 2009 i believe... i forget the rest. Right when all these viruses showed it is when my troubles started

Any ways. other than this theres nothing too big. Sometimes ill just hear sounds of windows opennin and stuff, sometimes popups will come up and say like application terminated or something. I used to have these files running called a.exe and b.exe but i fixed that i think.

so please help me. thanks.

DDS (Ver_09-06-26.01) - NTFSx86
Run by eightY-D at 23:09:56.39 on 07/09/2009
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_12
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2047.871 [GMT -7:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\System32\alg.exe
C:\Program Files\iTunes\iTunes.exe
J:\new anki\anki.exe
C:\Documents and Settings\eightY-D\MSPAINT.EXE
C:\Program Files\Garena\Garena.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\rundll32.exe
C:\Documents and Settings\eightY-D\Desktop\dds.scr
C:\Documents and Settings\eightY-D\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.daemon-search.com/startpage
mDefault_Search_URL = hxxp://toolbar.ask.com/toolbarv/askRedirect?o=10607&gct=&gc=1&q=
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://toolbar.ask.com/toolbarv/askRedirect?o=10607&gct=&gc=1&q=%s
uURLSearchHooks: AIM Toolbar Search Class: {03402f96-3dc7-4285-bc50-9e81fefafe43} - c:\program files\aim toolbar\aimtb.dll
uURLSearchHooks: AOLSearchHook Class: {54eb34ea-e6be-4cfd-9f4f-c4a0c2eafa22} - c:\program files\aim search\AOLSearch.dll
uURLSearchHooks: DefaultSearchHook Class: {c94e154b-1459-4a47-966b-4b843befc7db} - c:\program files\asksearch\bin\DefaultSearch.dll
mURLSearchHooks: AIM Toolbar Search Class: {03402f96-3dc7-4285-bc50-9e81fefafe43} - c:\program files\aim toolbar\aimtb.dll
BHO: {1241cf30-a0f6-4a3f-9792-33c1a422bb0b} - c:\windows\system32\efcYRIcC.dll
BHO: ZILLAbar Browser Helper Object: {1827766b-9f49-4854-8034-f6ee26fcb1ec} - c:\program files\stopzilla!\SZSG.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AskBar BHO: {201f27d4-3704-41d6-89c1-aa35e39143ed} - c:\program files\askbardis\bar\bin\askBar.dll
BHO: AOLSearchHook Class: {54eb34ea-e6be-4cfd-9f4f-c4a0c2eafa22} - c:\program files\aim search\AOLSearch.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~4\office12\GRA8E1~1.DLL
BHO: AIM Toolbar Loader: {b0cda128-b425-4eef-a174-61a11ac5dbf8} - c:\program files\aim toolbar\aimtb.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: STOPzilla Browser Helper Object: {e3215f20-3212-11d6-9f8b-00d0b743919d} - c:\program files\stopzilla!\SZIEBHO.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: {f8ac2fc7-67a3-48db-b835-00f0d9b1a7fa} - c:\windows\system32\xxyxUNhH.dll
TB: Ask Toolbar: {3041d03e-fd4b-44e0-b742-2d9b88305f98} - c:\program files\askbardis\bar\bin\askBar.dll
TB: STOPzilla: {98828ded-a591-462f-83ba-d2f62a68b8b8} - c:\program files\stopzilla!\SZSG.dll
TB: AIM Toolbar: {61539ecd-cc67-4437-a03c-9aaccbd14326} - c:\program files\aim toolbar\aimtb.dll
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [Aim6] "c:\program files\aim6\aim6.exe" /d locale=en-US ee://aol/imApp
uRun: [DAEMON Tools Lite] "j:\daemon tools lite\damon\daemon.exe" -autorun
uRun: [AlcoholAutomount] "c:\program files\alcohol soft\alcohol 120\axcmd.exe" /automount
uRun: [VundoFixTool] c:\program files\vundofixtool\VundoFixTool.exe -boot
uRun: [msupdate] c:\\phfghd.exe
uRun: [phfghd.exe] c:\users\\appdata\local\microsoft\windows\explorer\phfghd.exe
uRun: [MsAdvisor.exe] c:\users\eighty-d\appdata\local\microsoft\windows\explorer\73485ypedfuer.exe
uRun: [WinUpd32] c:\windows\system32\WinUpd32.exe
uRun: [uTorrent] "j:\utorrent\uTorrent.exe"
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [Six Engine] "c:\program files\asus\epu-4 engine\FourEngine.exe" -r
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [mswinlogon] c:\windows\mswinlogon.exe
mRun: [systemupdate] c:\\73485ypedfuer.exe
mRun: [DRam prosessor] jtzosfnt.exe
mRun: [Twormer] c:\windows\system\tworm.exe
mRun: [test] test.exe
mRun: [windowslogin] msnmssngr.exe
mRun: [driver1] driver1.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [AirPort Base Station Agent] "c:\program files\airport\APAgent.exe"
mRun: [Adobe Reader Speed Launcher] "j:\akrobate\reader\Reader_sl.exe"
mRunServices: [DRam prosessor] jtzosfnt.exe
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRun: [Cognac] c:\windows\temp\b.exe
StartupFolder: c:\docume~1\eighty-d\startm~1\programs\startup\limewi~1.lnk - c:\program files\limewire\LimeWire.exe
IE: &AIM Toolbar Search - c:\documents and settings\all users.windows\application data\aim toolbar\ietoolbar\resources\en-us\local\search.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {0b83c99c-1efa-4259-858f-bcb33e007a5b} - {61539ecd-cc67-4437-a03c-9aaccbd14326} - c:\program files\aim toolbar\aimtb.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~4\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office12\REFIEBAR.DLL
LSP: c:\program files\common files\is3\anti-spyware\iS3lsp.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\micros~4\office12\GR99D3~1.DLL
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~4\office12\GRA8E1~1.DLL
LSA: Authentication Packages = msv1_0 c:\windows\system32\xxyxUNhH

============= SERVICES / DRIVERS ===============

R0 szkg5;szkg5;c:\windows\system32\drivers\SZKG.sys [2009-5-12 61328]
R2 Services32;Services32;c:\windows\fonts\winlogon.exe [2009-7-5 68608]
R2 Windows Services Agent;Windows Services Agent;c:\windows\system32\spool\winlogon.exe [2009-7-7 68608]
R3 GarenaPEngine;GarenaPEngine;c:\docume~1\eighty-d\locals~1\temp\YKY157.tmp [2009-7-9 18704]
R3 L1e;Miniport Driver for Atheros AR8121/AR8113/AR8114 PCI-E Ethernet Controller;c:\windows\system32\drivers\l1e51x86.sys [2009-2-18 36864]
S2 ASKService;ASKService;c:\program files\askbardis\bar\bin\askservice.exe --> c:\program files\askbardis\bar\bin\AskService.exe [?]
S2 ASKUpgrade;ASKUpgrade;c:\program files\askbardis\bar\bin\askupgrade.exe --> c:\program files\askbardis\bar\bin\ASKUpgrade.exe [?]
S2 ServicesZ;ServicesZ;"c:\windows\jva\explorerr.exe" --> c:\windows\jva\explorerr.exe [?]
S2 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\viewpoint\common\viewpointservice.exe" --> c:\program files\viewpoint\common\ViewpointService.exe [?]

=============== Created Last 30 ================

2009-07-09 22:12 <DIR> --d----- c:\docume~1\alluse~1.win\applic~1\AIM Toolbar
2009-07-09 22:12 <DIR> --d----- c:\docume~1\alluse~1.win\applic~1\Viewpoint
2009-07-09 22:12 <DIR> --d----- c:\docume~1\alluse~1.win\applic~1\acccore
2009-07-09 19:33 376 a------- c:\windows\system32\drivers\kgpfr2.cfg
2009-07-09 19:33 4,056 a------- c:\windows\system32\drivers\kgpcpy.cfg
2009-07-07 19:44 0 a------- c:\windows\ge5vaes5v6.cab
2009-07-07 19:44 0 a------- c:\windows\v6vrs6b7bb.cab
2009-07-07 16:31 69,795 ---sh--- C:\BAYWR.png
2009-07-05 22:13 <DIR> --dsh--- c:\windows\system32\lowsec
2009-07-05 22:13 0 a------- c:\windows\system32\QxXxA.cab
2009-07-05 22:13 0 a------- c:\windows\system32\SxXxC.cab
2009-07-05 22:04 67,584 a------- C:\WINDOWSBOOTs.exe
2009-07-05 22:03 0 a------- c:\windows\libsebfsf.cab
2009-07-05 22:02 <DIR> --dshr-- c:\windows\Jva
2009-07-05 22:02 67,584 a------- C:\WINDOWSBOOT.exe
2009-07-01 20:51 1,024 a------- c:\windows\system32\PDF2IMG.dat
2009-06-28 11:18 200,704 a------- c:\windows\system32\lame_enc.dll
2009-06-28 11:18 <DIR> --d----- c:\program files\Arial CD Ripper
2009-06-19 10:51 <DIR> --d----- c:\program files\AirPort
2009-06-12 07:14 118 a------- c:\windows\system32\MRT.INI
2009-06-11 19:42 729,088 -c------ c:\windows\system32\dllcache\lsasrv.dll
2009-06-11 19:42 714,752 -c------ c:\windows\system32\dllcache\ntdll.dll
2009-06-11 19:42 617,472 -c------ c:\windows\system32\dllcache\advapi32.dll
2009-06-11 19:42 473,600 -c------ c:\windows\system32\dllcache\fastprox.dll
2009-06-11 19:42 453,120 -c------ c:\windows\system32\dllcache\wmiprvsd.dll
2009-06-11 19:42 401,408 -c------ c:\windows\system32\dllcache\rpcss.dll
2009-06-11 19:42 284,160 -c------ c:\windows\system32\dllcache\pdh.dll
2009-06-11 19:42 227,840 -c------ c:\windows\system32\dllcache\wmiprvse.exe
2009-06-11 19:42 110,592 -c------ c:\windows\system32\dllcache\services.exe
2009-06-11 19:39 1,203,922 -c------ c:\windows\system32\dllcache\sysmain.sdb
2009-06-11 19:39 215,552 -c------ c:\windows\system32\dllcache\wordpad.exe
2009-06-11 19:39 2,560 -------- c:\windows\system32\xpsp4res.dll

==================== Find3M ====================

2009-07-05 22:12 68,608 ---shr-- c:\windows\fonts\winlogon.exe
2009-07-05 10:36 188 a------- C:\phqgh.exe
2009-05-29 13:36 2,060,288 a------- c:\windows\system32\usbaaplrc.dll
2009-05-29 13:36 39,424 a------- c:\windows\system32\drivers\usbaapl.sys
2009-05-28 14:16 17,408 a----r-- c:\windows\system32\SZIO5.dll
2009-05-28 14:15 294,912 a----r-- c:\windows\system32\SZBase5.dll
2009-05-28 14:14 540,672 a----r-- c:\windows\system32\SZComp5.dll
2009-05-13 14:00 176,128 a------- C:\nss3.dll
2009-05-13 14:00 159,232 a------- C:\softokn3.dll
2009-05-13 14:00 81,920 a------- C:\FirePassword.exe
2009-05-13 14:00 73,728 a------- C:\nspr4.dll
2009-05-13 14:00 8,704 a------- C:\plc4.dll
2009-05-13 14:00 6,144 a------- C:\plds4.dll
2009-05-13 12:27 405,530 a------- c:\windows\jgjy56yt.exe
2009-05-12 14:13 61,328 a----r-- c:\windows\system32\drivers\SZKG.sys
2009-05-10 12:15 987,136 a------- C:\fomg.exe
2009-05-09 19:19 952,832 a------- C:\b4ooo4ot.exe
2009-05-09 13:12 643,584 ---shr-- c:\windows\test2.exe
2009-05-09 11:51 957,440 a------- C:\messenger.exe
2009-05-09 08:32 952,832 a------- c:\windows\boooot.exe
2009-05-07 19:48 405,530 a------- C:\346yturtkkh.exe
2009-05-07 08:32 345,600 a------- c:\windows\system32\localspl.dll
2009-04-28 21:46 666,624 a------- c:\windows\system32\wininet.dll
2009-04-28 21:46 81,920 a------- c:\windows\system32\ieencode.dll
2009-04-23 18:31 135,168 a------- C:\yerhjpeddf.exe
2009-04-23 18:30 135,168 a------- C:\yerhjdf.exe
2009-04-23 18:29 141,312 a------- C:\yerhjhjdf.exe
2009-04-17 05:26 1,847,168 a------- c:\windows\system32\win32k.sys
2009-04-16 12:34 516,122 ----h--- C:\73485ygjuer.exe
2009-04-15 17:10 401,408 ----h--- C:\yuegyuer.exe
2009-04-15 17:09 401,408 ----h--- c:\windows\cursors\supdate.exe
2009-04-15 07:51 585,216 a------- c:\windows\system32\rpcrt4.dll
2009-04-14 12:00 247,809 a---h--- c:\windows\cursors\lsass.exe
2006-06-24 15:48 32,768 a------- c:\windows\inf\UpdateUSB.exe
1997-05-16 08:52 32,528 a------- c:\documents and settings\eighty-d\OLEPRO32.DLL
1997-05-16 08:52 271,632 a------- c:\documents and settings\eighty-d\MSVCRT.DLL
1997-05-16 08:52 939,792 a------- c:\documents and settings\eighty-d\MFC42U.DLL
1997-05-16 08:52 941,840 a------- c:\documents and settings\eighty-d\MFC42.DLL
1997-05-16 08:52 330,512 a------- c:\documents and settings\eighty-d\MSPAINT.EXE
2009-03-21 19:21 4,668 a--sh--- c:\windows\system32\CcIRYcfe.ini2
2009-03-26 23:04 13,888 a--sh--- c:\windows\system32\HhNUxyxx.ini2
2008-04-13 17:12 399,386 ---shr-- c:\windows\system32\rvjxxmyc.exe

============= FINISH: 23:10:08.39 ===============

Attached Files

Attach.zip (5.6 KB, 1 views)

TheBruce1

Hello and welcome to TSF

Please subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe.

========

Please follow all instructions and in which order they come, if you have any questions, please ask before proceeding. Its important that you follow this through until i give you the all clear.

Please DO NOT Attach logs to your posts unless you are advised to do so.

=========

Your logs suggest the possibility that your computer was attacked by a backdoor trojan. This type of infection allows hackers to remotely control your computer, steal critical system information and download and execute files without your knowledge.

If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Please read this: How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

==========

Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop.

Link 1
Link 2
Link 3






* IMPORTANT !!! Place combofix.exe on your Desktop

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.

Double click on combofix.exe & follow the prompts.

As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed.

Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.





The Windows recovery console will allow you to boot up into a special recovery mode that allows us to help you in the case that your computer has a problem after an attempted removal of malware.

With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal.

Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement.

ComboFix will now automatically install the Microsoft Windows Recovery Console onto your computer, which will show up as a new option when booting up your computer. Do not select the Microsoft Windows Recovery Console option when you start your computer unless requested to by a helper.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see a message that says:

The Recovery Console was successfully installed.



Click on Yes, to continue scanning for malware.

Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.

When finished, it shall produce a log for you. Post that log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

Please note that the forum is very busy and if I don't hear from you within three days this thread will be closed.

eightyd11

thanks for responding. Forgot the mention that when i start my computer sometimes it stays at a black screen for about 15 minutes right after loading windows. I'm [not] sure if I'm suppose to compress the log or post it. oh well, here it is:

ComboFix 09-07-12.03 - eightY-D 07/13/2009 0:44.1.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2047.1274 [GMT -7:00]
Running from: c:\documents and settings\eightY-D\Desktop\ComboFix.exe
AV: Norton 360 *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton 360 *disabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
.
ADS - system32: deleted 3747 bytes in 1 streams.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\eightY-D\LOCALS~1\Temp\1.wmv
c:\documents and settings\eightY-D\eightY-D
c:\documents and settings\eightY-D\MSPAINT.EXE
c:\documents and settings\LocalService.NT AUTHORITY\Local Settings\Temporary Internet Files\ahpnjo.exe
c:\documents and settings\LocalService.NT AUTHORITY\Local Settings\Temporary Internet Files\akxqsu.exe
c:\documents and settings\LocalService.NT AUTHORITY\Local Settings\Temporary Internet Files\akxzua.exe
c:\documents and settings\LocalService.NT AUTHORITY\Local Settings\Temporary Internet Files\bapike.exe
c:\documents and settings\LocalService.NT AUTHORITY\Local Settings\Temporary Internet Files\cbweqe.exe
c:\documents and settings\LocalService.NT AUTHORITY\Local Settings\Temporary Internet Files\cieokc.exe
c:\documents and settings\LocalService.NT AUTHORITY\Local Settings\Temporary Internet Files\clplvq.exe
c:\documents and settings\LocalService.NT AUTHORITY\Local Settings\Temporary Internet Files\crvglp.exe
c:\documents and settings\LocalService.NT AUTHORITY\Local Settings\Temporary Internet Files\cygbzu.exe
c:\documents and settings\LocalService.NT AUTHORITY\Local Settings\Temporary Internet Files\czrxhu.exe
c:\documents and settings\LocalService.NT AUTHORITY\Local Settings\Temporary Internet Files\dtwjmp.exe
c:\documents and settings\LocalService.NT AUTHORITY\Local Settings\Temporary Internet Files\dvnmdx.exe
c:\documents and settings\LocalService.NT AUTHORITY\Local Settings\Temporary Internet Files\foarln.exe
c:\documents and settings\LocalService.NT AUTHORITY\Local Settings\Temporary Internet Files\fydjln.exe
c:\documents and settings\LocalService.NT AUTHORITY\Local Settings\Temporary Internet Files\fzxhsp.exe
c:\documents and settings\LocalService.NT AUTHORITY\Local Settings\Temporary Internet Files\iripnk.exe
c:\documents and settings\LocalService.NT AUTHORITY\Local Settings\Temporary Internet Files\jvsyyb.exe
c:\documents and settings\LocalService.NT AUTHORITY\Local Settings\Temporary Internet Files\latyti.exe
c:\documents and settings\LocalService.NT AUTHORITY\Local Settings\Temporary Internet Files\lhiilg.exe
c:\documents and settings\LocalService.NT AUTHORITY\Local Settings\Temporary Internet Files\lloloh.exe
c:\documents and settings\LocalService.NT AUTHORITY\Local Settings\Temporary Internet Files\lmcktb.exe
c:\documents and settings\LocalService.NT AUTHORITY\Local Settings\Temporary Internet Files\lmgrrf.exe
c:\documents and settings\LocalService.NT AUTHORITY\Local Settings\Temporary Internet Files\lzfqeb.exe
c:\documents and settings\LocalService.NT AUTHORITY\Local Settings\Temporary Internet Files\mdeqmq.exe
c:\documents and settings\LocalService.NT AUTHORITY\Local Settings\Temporary Internet Files\mdrmno.exe
c:\documents and settings\LocalService.NT AUTHORITY\Local Settings\Temporary Internet Files\mwsudm.exe
c:\documents and settings\LocalService.NT AUTHORITY\Local Settings\Temporary Internet Files\obxxcn.exe
c:\documents and settings\LocalService.NT AUTHORITY\Local Settings\Temporary Internet Files\onixrp.exe
c:\documents and settings\LocalService.NT AUTHORITY\Local Settings\Temporary Internet Files\otoctv.exe
c:\documents and settings\LocalService.NT AUTHORITY\Local Settings\Temporary Internet Files\qfqcbd.exe
c:\documents and settings\LocalService.NT AUTHORITY\Local Settings\Temporary Internet Files\qjmudk.exe
c:\documents and settings\LocalService.NT AUTHORITY\Local Settings\Temporary Internet Files\rkargh.exe
c:\documents and settings\LocalService.NT AUTHORITY\Local Settings\Temporary Internet Files\shdjwn.exe
c:\documents and settings\LocalService.NT AUTHORITY\Local Settings\Temporary Internet Files\szzfau.exe
c:\documents and settings\LocalService.NT AUTHORITY\Local Settings\Temporary Internet Files\usceio.exe
c:\documents and settings\LocalService.NT AUTHORITY\Local Settings\Temporary Internet Files\vjiwop.exe
c:\documents and settings\LocalService.NT AUTHORITY\Local Settings\Temporary Internet Files\vkmfeg.exe
c:\documents and settings\LocalService.NT AUTHORITY\Local Settings\Temporary Internet Files\vwndet.exe
c:\documents and settings\LocalService.NT AUTHORITY\Local Settings\Temporary Internet Files\vzfsmb.exe
c:\documents and settings\LocalService.NT AUTHORITY\Local Settings\Temporary Internet Files\wufttf.exe
c:\documents and settings\LocalService.NT AUTHORITY\Local Settings\Temporary Internet Files\xbsedx.exe
C:\FirePassword.exe
C:\messenger.exe
C:\phqgh.exe
c:\recycler\S-1-5-21-1500877125-3993182770-3534099558-1005
c:\recycler\S-1-5-21-1500877125-3993182770-3534099558-500
C:\restore
c:\restore\S-1-5-21-1482476501-1644491937-682003330-1013\Desktop.ini
c:\windows\jgjy56yt.exe
c:\windows\sstem3~1
c:\windows\system32\bjuffakf.ini
c:\windows\system32\CcIRYcfe.ini
c:\windows\system32\CcIRYcfe.ini2
c:\windows\system32\fdumuqok.ini
c:\windows\system32\HhNUxyxx.ini
c:\windows\system32\HhNUxyxx.ini2
c:\windows\system32\lowsec
c:\windows\system32\lowsec\local.ds
c:\windows\system32\lowsec\user.ds
c:\windows\system32\nohqlcph.ini
c:\windows\system32\qsajwexs.dll
c:\windows\system32\spool\winlogon.exe
c:\windows\system32\wyxaxtny.dll
c:\windows\system32\xbkxhdvu.ini
c:\windows\system32\yntxaxyw.ini
c:\windows\Tasks\{5B57CF47-0BFA-43c6-ACF9-3B3653DCADBA}.job
c:\windows\Tasks\{783AF354-B514-42d6-970E-3E8BF0A5279C}.job
C:\WINDOWSBOOT.exe

.
((((((((((((((((((((((((( Files Created from 2009-06-13 to 2009-07-13 )))))))))))))))))))))))))))))))
.

2009-07-13 07:58 . 2009-07-12 09:30 165240 ----a-r- c:\documents and settings\All Users.WINDOWS\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\IPSFFPlgn\components\IPSFFPl.dll
2009-07-13 01:09 . 2009-07-12 09:30 89104 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20090712.035\NAVENG.SYS
2009-07-13 01:09 . 2009-07-12 09:30 876144 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20090712.035\NAVEX15.SYS
2009-07-13 01:09 . 2009-07-12 09:30 371248 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20090712.035\EECTRL.SYS
2009-07-13 01:09 . 2009-07-12 09:30 101936 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20090712.035\ERASER.SYS
2009-07-13 01:09 . 2009-07-12 09:30 177520 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20090712.035\NAVENG32.DLL
2009-07-13 01:09 . 2009-07-12 09:30 1181040 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20090712.035\NAVEX32A.DLL
2009-07-13 01:09 . 2009-07-12 09:30 259368 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20090712.035\ECMSVR32.DLL
2009-07-13 01:09 . 2009-07-12 09:30 2414128 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20090712.035\CCERASER.DLL
2009-07-12 21:39 . 2009-07-12 09:30 396848 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090709.001\IDSviA64.sys
2009-07-12 21:39 . 2009-07-12 09:30 292912 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090709.001\IDSvix86.sys
2009-07-12 21:39 . 2009-07-12 09:30 276344 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090709.001\IDSXpx86.sys
2009-07-12 21:39 . 2009-07-12 09:30 447864 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090709.001\IDSxpx86.dll
2009-07-12 21:39 . 2009-06-22 22:51 533880 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090709.001\Scxpx86.dll
2009-07-12 09:31 . 2009-07-12 09:30 554352 ----a-r- c:\documents and settings\All Users.WINDOWS\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\coFFPlgn\components\coFFPlgn.dll
2009-07-12 09:31 . 2009-07-12 09:31 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\{7B6BA59A-FB0E-4499-8536-A7420338BF3B}
2009-07-12 09:31 . 2009-07-12 09:31 -------- d-----w- c:\documents and settings\eightY-D\Local Settings\Application Data\Downloaded Installations
2009-07-12 09:31 . 2009-07-12 09:30 36400 ----a-r- c:\windows\system32\drivers\SymIM.sys
2009-07-12 09:31 . 2009-07-12 09:31 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
2009-07-12 09:29 . 2009-07-12 09:30 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\NortonInstaller
2009-07-12 09:29 . 2009-07-12 09:29 -------- d-----w- c:\program files\NortonInstaller
2009-07-12 09:27 . 2009-07-12 09:30 -------- d-----w- c:\documents and settings\eightY-D\Application Data\GetRightToGo
2009-07-12 09:25 . 2009-07-12 09:25 -------- d-----w- c:\program files\AIM Toolbar
2009-07-10 05:12 . 2009-07-10 05:12 -------- d-----w- c:\documents and settings\eightY-D\Local Settings\Application Data\AOL
2009-07-10 05:12 . 2009-07-10 05:12 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\AIM Toolbar
2009-07-10 05:12 . 2009-07-12 09:25 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Viewpoint
2009-07-10 05:12 . 2009-07-10 05:12 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\acccore
2009-07-08 22:40 . 2009-07-08 22:40 -------- d-s---w- c:\windows\system32\config\systemprofile\UserData
2009-07-06 23:12 . 2009-07-08 01:35 -------- d-----w- c:\documents and settings\eightY-D\Application Data\vlc
2009-07-06 05:04 . 2009-07-06 05:04 67584 ----a-w- C:\WINDOWSBOOTs.exe
2009-07-06 05:02 . 2009-07-06 20:23 -------- d-sh--r- c:\windows\Jva
2009-07-02 03:51 . 2009-07-02 03:51 1024 ----a-w- c:\windows\system32\PDF2IMG.dat
2009-06-28 18:18 . 2003-01-27 08:23 200704 ----a-w- c:\windows\system32\lame_enc.dll
2009-06-28 18:18 . 2009-06-28 18:18 -------- d-----w- c:\program files\Arial CD Ripper
2009-06-22 22:51 . 2009-06-22 22:51 533880 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\BinHub\Scxpx86.dll
2009-06-19 17:51 . 2009-07-06 05:14 -------- d-----w- c:\program files\AirPort
2009-06-16 02:16 . 2009-06-19 20:04 -------- d-----w- c:\documents and settings\eightY-D\Local Settings\Application Data\FullTiltPoker

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-13 07:49 . 2009-04-23 07:39 -------- d-----w- c:\documents and settings\eightY-D\Application Data\.anki
2009-07-13 07:49 . 2009-02-19 03:20 -------- d-----w- c:\documents and settings\eightY-D\Application Data\uTorrent
2009-07-13 01:07 . 2008-06-20 17:09 -------- d-----w- c:\program files\Warcraft III
2009-07-13 00:29 . 2008-04-25 03:47 -------- d-----w- c:\program files\Garena
2009-07-12 22:10 . 2009-07-12 09:30 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Symantec
2009-07-12 10:00 . 2009-06-03 07:34 -------- d-----w- c:\program files\iTunes
2009-07-12 09:31 . 2009-07-12 09:30 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Norton
2009-07-12 09:31 . 2009-07-12 09:31 805 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2009-07-12 09:31 . 2009-07-12 09:31 7386 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2009-07-12 09:31 . 2009-07-12 09:31 124464 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2009-07-12 09:31 . 2007-06-27 22:15 -------- d-----w- c:\program files\Symantec
2009-07-12 09:31 . 2007-06-01 22:03 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-07-12 09:30 . 2009-07-12 09:30 396848 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\BinHub\IDSvia64.sys
2009-07-12 09:30 . 2009-07-12 09:30 292912 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\BinHub\IDSvix86.sys
2009-07-12 09:30 . 2009-07-12 09:30 276344 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\BinHub\IDSxpx86.sys
2009-07-12 09:30 . 2009-07-12 09:30 1290592 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\SyKnAppS\SyKnAppS.dll
2009-07-12 09:30 . 2009-07-12 09:30 136840 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\SyKnAppS\patch25.dll
2009-07-12 09:30 . 2009-07-12 09:30 447864 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\BinHub\idsxpx86.dll
2009-07-12 09:30 . 2009-07-12 09:30 796016 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\CLT\cltLMSx.dll
2009-07-12 09:30 . 2009-07-12 09:30 -------- d-----w- c:\program files\Norton 360
2009-07-12 09:30 . 2009-07-12 09:30 -------- d-----w- c:\program files\Windows Sidebar
2009-07-12 09:25 . 2009-01-11 23:40 -------- d-----w- c:\program files\AIM6
2009-07-12 09:25 . 2005-12-15 05:44 -------- d-----w- c:\program files\Viewpoint
2009-07-11 08:35 . 2005-12-15 05:43 -------- d-----w- c:\program files\Common Files\Nullsoft
2009-07-10 05:57 . 2006-10-02 22:31 -------- d-----w- c:\program files\STOPzilla!
2009-07-10 05:57 . 2006-01-13 05:54 -------- d-----w- c:\program files\LimeWire
2009-07-10 05:36 . 2009-02-22 08:08 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\STOPzilla!
2009-07-10 02:34 . 2009-03-06 05:20 -------- d-----w- c:\documents and settings\eightY-D\Application Data\LimeWire
2009-07-10 02:33 . 2009-07-10 02:33 376 ----a-w- c:\windows\system32\drivers\kgpfr2.cfg
2009-07-09 02:52 . 2009-02-21 03:32 -------- d---a-w- c:\documents and settings\All Users.WINDOWS\Application Data\TEMP
2009-07-06 05:15 . 2009-01-31 04:12 -------- d-----w- c:\program files\uTorrent
2009-07-06 05:15 . 2008-02-03 05:00 -------- d-----w- c:\program files\NJStar Japanese WP
2009-07-06 05:15 . 2007-11-29 02:21 -------- d-----w- c:\program files\Ventrilo
2009-07-06 05:13 . 2008-12-07 03:27 -------- d-----w- c:\program files\Bonjour
2009-07-05 00:35 . 2009-04-25 02:49 -------- d-----w- c:\documents and settings\eightY-D\Application Data\.matplotlib
2009-06-20 16:59 . 2009-02-18 19:53 -------- d-----w- c:\documents and settings\eightY-D\Application Data\DAEMON Tools
2009-06-16 02:13 . 2005-12-15 05:40 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-06-03 08:16 . 2009-02-19 01:25 -------- d-----w- c:\documents and settings\eightY-D\Application Data\Apple Computer
2009-06-03 07:35 . 2009-06-03 07:34 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-06-03 07:34 . 2008-12-31 22:12 -------- d-----w- c:\program files\iPod
2009-06-03 07:31 . 2009-06-03 07:30 -------- d-----w- c:\program files\QuickTime
2009-06-03 07:24 . 2009-06-03 07:24 75048 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\Apple Computer\Installer Cache\iTunes 8.2.0.23\SetupAdmin.exe
2009-06-03 07:22 . 2009-06-03 07:22 -------- d-----w- c:\program files\Safari
2009-05-29 20:36 . 2009-06-03 07:27 2060288 ----a-w- c:\windows\system32\usbaaplrc.dll
2009-05-29 20:36 . 2009-02-19 01:24 39424 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2009-05-28 21:16 . 2009-05-28 21:16 17408 ----a-r- c:\windows\system32\SZIO5.dll
2009-05-28 21:15 . 2009-05-28 21:15 294912 ----a-r- c:\windows\system32\SZBase5.dll
2009-05-28 21:14 . 2009-05-28 21:14 540672 ----a-r- c:\windows\system32\SZComp5.dll
2009-05-24 05:05 . 2009-05-24 05:03 -------- d-----w- c:\program files\IM MP4 Thumbnail Trial
2009-05-24 04:48 . 2009-05-24 04:48 -------- d-----w- c:\program files\PSP Falcon
2009-05-24 03:59 . 2009-05-24 03:59 -------- d-----w- c:\documents and settings\eightY-D\Application Data\AVS4YOU
2009-05-24 03:59 . 2009-05-24 03:59 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\AVS4YOU
2009-05-24 03:59 . 2009-05-24 03:59 -------- d-----w- c:\program files\AVS4YOU
2009-05-24 03:59 . 2007-06-06 01:33 -------- d-----w- c:\program files\Common Files\AVSMedia
2009-05-20 19:46 . 2009-05-20 19:31 -------- d-----w- c:\documents and settings\eightY-D\Application Data\U3
2009-05-18 22:50 . 2009-02-22 08:09 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\SITEguard
2009-05-13 21:00 . 2009-05-08 02:50 159232 ----a-w- C:\softokn3.dll
2009-05-13 21:00 . 2009-05-08 02:50 6144 ----a-w- C:\plds4.dll
2009-05-13 21:00 . 2009-05-08 02:50 8704 ----a-w- C:\plc4.dll
2009-05-13 21:00 . 2009-05-08 02:49 176128 ----a-w- C:\nss3.dll
2009-05-13 21:00 . 2009-05-08 02:49 73728 ----a-w- C:\nspr4.dll
2009-05-12 21:13 . 2009-05-12 21:13 61328 ----a-r- c:\windows\system32\drivers\SZKG.sys
2009-05-10 19:15 . 2009-05-10 19:14 987136 ----a-w- C:\fomg.exe
2009-05-10 02:19 . 2009-05-10 02:19 952832 ----a-w- C:\b4ooo4ot.exe
2009-05-09 20:12 . 2009-05-09 18:51 643584 --sh--r- c:\windows\test2.exe
2009-05-09 15:32 . 2009-05-09 15:32 952832 ----a-w- c:\windows\boooot.exe
2009-05-08 02:48 . 2009-05-08 02:48 405530 ----a-w- C:\346yturtkkh.exe
2009-05-07 15:32 . 2009-01-31 06:47 345600 ----a-w- c:\windows\system32\localspl.dll
2009-05-06 18:11 . 2009-05-06 18:11 69120 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\AIM Toolbar\ieToolbar\resources\en-US\aimtbres.dll
2009-04-29 04:46 . 2009-01-31 06:48 666624 ----a-w- c:\windows\system32\wininet.dll
2009-04-29 04:46 . 2009-01-31 06:47 81920 ----a-w- c:\windows\system32\ieencode.dll
2009-04-24 01:31 . 2009-04-24 01:31 135168 ----a-w- C:\yerhjpeddf.exe
2009-04-24 01:30 . 2009-04-24 01:30 135168 ----a-w- C:\yerhjdf.exe
2009-04-24 01:29 . 2009-04-24 01:29 141312 ----a-w- C:\yerhjhjdf.exe
2009-04-17 12:26 . 2009-01-31 06:48 1847168 ----a-w- c:\windows\system32\win32k.sys
2009-04-16 19:34 . 2009-04-16 19:34 516122 ---h--w- C:\73485ygjuer.exe
2009-04-16 00:10 . 2009-04-16 00:10 401408 ---h--w- C:\yuegyuer.exe
2009-04-16 00:09 . 2009-04-16 00:09 401408 ---h--w- c:\windows\Cursors\supdate.exe
2009-04-15 14:51 . 2009-01-31 06:48 585216 ----a-w- c:\windows\system32\rpcrt4.dll
2008-04-14 00:12 . 2009-01-31 06:47 399386 --sh--r- c:\windows\system32\rvjxxmyc.exe
.

------- Sigcheck -------

[-] 2009-02-19 00:19 502272 6225F14B8CE08CCBA8B25AD27843C674 c:\windows\$NtServicePackUninstall$\winlogon.exe
[7] 2008-04-14 00:12 507904 ED0EF0A136DEC83DF69F04118870003E c:\windows\ServicePackFiles\i386\winlogon.exe
[-] 2009-03-25 00:53 507904 679A7259741F6A09994F02CE261B5F2E c:\windows\system32\winlogon.exe

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
2008-11-25 03:25 333192 ----a-w- c:\program files\AskBarDis\bar\bin\askBar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{3041d03e-fd4b-44e0-b742-2d9b88305f98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-11-25 333192]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{3041D03E-FD4B-44E0-B742-2D9B88305F98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-11-25 333192]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"Aim6"="c:\program files\AIM6\aim6.exe" [2009-05-19 49968]
"AlcoholAutomount"="c:\program files\Alcohol Soft\Alcohol 120\axcmd.exe" [2009-02-24 203928]
"uTorrent"="j:\utorrent\uTorrent.exe" [2009-01-14 270128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-02-09 13680640]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-02-09 86016]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-27 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-05-30 292136]
"Adobe Reader Speed Launcher"="j:\akrobate\Reader\Reader_sl.exe" [2009-02-28 35696]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2008-07-16 16806400]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2009-02-09 1657376]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys]
@="FSFilter Activity Monitor"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Garena\\Garena.exe"=
"j:\\roesta\\support\\bin\\win\\RosettaStoneLtdServices.exe"=
"j:\\roesta\\RosettaStoneVersion3.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Documents and Settings\\David Jennings\\Desktop\\utorrent.exe"=
"j:\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1723:TCP"= 1723:TCP:@xpsp2res.dll,-22015
"1701:UDP"= 1701:UDP:@xpsp2res.dll,-22016
"500:UDP"= 500:UDP:@xpsp2res.dll,-22017
"5353:UDP"= 5353:UDP:Bonjour

R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\N360\0300000.087\SymEFA.sys [07/12/2009 2:30 AM 310320]
R0 szkg5;szkg5;c:\windows\system32\drivers\SZKG.sys [05/12/2009 2:13 PM 61328]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\N360\0300000.087\BHDrvx86.sys [07/12/2009 2:30 AM 258608]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\N360\0300000.087\cchpx86.sys [07/12/2009 2:30 AM 482352]
R1 IDSxpx86;IDSxpx86;c:\documents and settings\All Users.WINDOWS\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090709.001\IDSXpx86.sys [07/12/2009 2:39 PM 276344]
R2 N360;Norton 360;c:\program files\Norton 360\Engine\3.0.0.135\ccSvcHst.exe [07/12/2009 2:30 AM 115560]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [07/12/2009 2:25 AM 24652]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [07/12/2009 2:47 AM 101936]
R3 L1e;Miniport Driver for Atheros AR8121/AR8113/AR8114 PCI-E Ethernet Controller;c:\windows\system32\drivers\l1e51x86.sys [02/18/2009 4:19 PM 36864]
S2 ASKService;ASKService;c:\program files\AskBarDis\bar\bin\AskService.exe --> c:\program files\AskBarDis\bar\bin\AskService.exe [?]
S2 ASKUpgrade;ASKUpgrade;c:\program files\AskBarDis\bar\bin\ASKUpgrade.exe --> c:\program files\AskBarDis\bar\bin\ASKUpgrade.exe [?]
S2 ServicesZ;ServicesZ;"c:\windows\Jva\explorerr.exe" --> c:\windows\Jva\explorerr.exe [?]
S2 Windows Services Agent;Windows Services Agent;"c:\windows\system32\\spool\winlogon.exe" --> c:\windows\system32\\spool\winlogon.exe [?]
S3 GarenaPEngine;GarenaPEngine;\??\c:\docume~1\eightY-D\LOCALS~1\Temp\QBRA1.tmp --> c:\docume~1\eightY-D\LOCALS~1\Temp\QBRA1.tmp [?]
.
Contents of the 'Scheduled Tasks' folder

2009-06-26 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 20:34]
.
- - - - ORPHANS REMOVED - - - -

URLSearchHooks-HookURL - (no file)
URLSearchHooks-Rank - (no file)
BHO-{1241CF30-A0F6-4A3F-9792-33C1A422BB0B} - c:\windows\system32\efcYRIcC.dll
BHO-{F8AC2FC7-67A3-48DB-B835-00F0D9B1A7FA} - c:\windows\system32\xxyxUNhH.dll
Toolbar-SITEguard - (no file)
HKCU-Run-DAEMON Tools Lite - j:\daemon tools lite\damon\daemon.exe
HKCU-Run-VundoFixTool - c:\program files\VundoFixTool\VundoFixTool.exe
HKCU-Run-phfghd.exe - c:\users\\AppData\Local\Microsoft\Windows\Explorer\phfghd.exe
HKCU-Run-MsAdvisor.exe - c:\users\eightY-D\AppData\Local\Microsoft\Windows\Explorer\73485ypedfuer.exe
HKLM-Run-Six Engine - c:\program files\ASUS\EPU-4 Engine\FourEngine.exe
HKLM-Run-SunJavaUpdateSched - c:\program files\Java\jre6\bin\jusched.exe
HKLM-Run-GrooveMonitor - c:\program files\Microsoft Office\Office12\GrooveMonitor.exe
HKLM-Run-systemupdate - c:\\73485ypedfuer.exe
HKLM-Run-Twormer - c:\windows\System\tworm.exe
HKLM-Run-AirPort Base Station Agent - c:\program files\AirPort\APAgent.exe
HKLM-Run-test - test.exe
HKLM-Run-windowslogin - msnmssngr.exe
HKLM-Run-driver1 - driver1.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.daemon-search.com/startpage
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://toolbar.ask.com/toolbarv/askRedirect?o=10607&gct=&gc=1&q=%s
IE: &AIM Toolbar Search - c:\documents and settings\All Users.WINDOWS\Application Data\AIM Toolbar\ieToolbar\resources\en-US\local\search.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
LSP: c:\program files\Common Files\iS3\Anti-Spyware\iS3lsp.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-13 00:58
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\N360]
"ImagePath"="\"c:\program files\Norton 360\Engine\3.0.0.135\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files\Norton 360\Engine\3.0.0.135\diMaster.dll\" /prefetch:1"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\GarenaPEngine]
"ImagePath"="\??\c:\docume~1\eightY-D\LOCALS~1\Temp\QBRA1.tmp"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(1048)
c:\program files\Common Files\iS3\Anti-Spyware\iS3lsp.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\rundll32.exe
c:\program files\AIM6\aolsoftware.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Mozilla Firefox\firefox.exe
.
**************************************************************************
.
Completion time: 2009-07-13 1:07 - machine was rebooted
ComboFix-quarantined-files.txt 2009-07-13 08:06

Pre-Run: 14,101,200,896 bytes free
Post-Run: 14,701,584,384 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

Current=3 Default=3 Failed=1 LastKnownGood=4 Sets=1,2,3,4
354 --- E O F --- 2009-06-12 14:16

TheBruce1

Hello again

Please follow all instructions and in which order they come, if you have any questions, please ask before proceeding. Its important that you follow this through until i give you the all clear.

=======

You have several variants of Bot virus showing in your log. Even though the Virus has been identified and can be killed, because of it's backdoor functionality, there is no way to be sure what information has been stolen from your system. If you do any banking or have recently paid for goods or services online you will need to change all passwords where applicable and it would be wise to contact your bank or credit card company to inform them of your situation. This also applies to passwords for any confidential sites you use such as Paypal, Ebay, Email etc... The infection you have has the ability to download and execute files, log keystrokes, Redirect connections, Sniff sent packets for information & Steal personal information so it is a very serious threat.


You can read this: How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

Sometimes it's for the best to backup valued documents, format the machine, and start over. That is what I would advise. See this topic by our colleague, miekiemoes, entitled:

Where to draw the line

Problem with these infections nowadays is, it causes a lot of damage. Even if we clean the malware off your system, I can't guarantee that your system will be clean afterwards, because these infections/bundles leave a lot of leftovers behind that most scanners won't even recognise and logs won't show.
Also, I can't promise you we can repair all the damage it caused... Even after cleaning the malware, you can still get errors afterwards because of the damage. Solving these is not always possible since it will be searching for a needle in a haystack to find the right cause and solution.
So, we can try to clean this up and do what we can, but keep in mind that we can't solve ALL problems this malware already caused.

========

P2P

P2P - I see you have P2P software (µTorrent, Vuze, Vuze Launcher and Vuze Toolbar) installed on your machine. We are not here to pass judgment on file-sharing as a concept. However, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to re-infections. It may be contributing to your current situation. This page will give you further information.

Please note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares and their infections.

References for the risk of these programs are Here,
Here and Here.

=========

Click > Start > Control Panel > Add or Remove Programs and uninstall the following programs (:

Full Tilt Poker<---See Here for more information.
Viewpoint Media Player<---Viewpoint is considered as foistware instead of malware since it is installed without users approval but doesn't spy or do anything "bad". This will change from what we know in 2006 read this article: http://www.clickz.com/news/article.php/3561546

Additional Information Here

=========

Open notepad and copy/paste the text in the quotebox below into it:

Save this as CFscript







Refering to the picture above, drag CFscript into ComboFix.exe

Follow the prompts, and post the resulting log, C:\ComboFix.txt

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


Warning:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall


When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture a file to submit for analysis.

Ensure you are connected to the internet and click OK. A browser will open. Simply follow the instructions to copy/paste/send the requested file(s).

========
Log Required
C:\Combofix.txt

TheBruce1

Do you still require assistance? If there is no reply to this post within 48hrs, this thread will be closed.

TheBruce1

Due to lack of response, this topic will now be closed. If you need continued support, please begin a new thread, and provide a link to this topic. This applies only to the original topic starter. Everyone else please begin a New Topic, after following the steps outlined here:

NEW INSTRUCTIONS - Read This Before Posting For Malware Removal Help