Tech Support Forum, Security Center, Virus/Trojan/Spyware Help: Resolved HJT Threads (resolved spyware and popup issues)

#1, 03-29-2009, 12:03 AM
Registered User
Join Date: Mar 2009
Posts: 11
OS: Vista

Generic Rootkit.d!rootkit (Trojan) Infection

I have scanned over and over again, and McAfee says it is removed, but it reappears, so it is not getting resolved. The browser is difficult to use (IE has difficulty opening and Firefox is redirected). I am getting an excessive amount of popups, though the blocker is activated. The advertisements on webpages are for some sexual enhancements. Martha Stewart would have a fit if she knew about them on her site, I am sure. I ran through some preliminary steps from McAfee support by erasing cookies, temp files, history and pws. Restore will not run. It also seems to show up with NTOSKRNL-HOOK and Generic Artemis, with the latter showing as a potentially unwanted program. Please advise. I have taken the first steps and the information is as follows:

DDS (Ver_09-03-16.01) - NTFSx86
Run by Ann at 23:12:26.77 on Sat 03/28/2009
Internet Explorer: 7.0.6001.18000 BrowserJavaVersion: 1.6.0_12
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.3317.2260 [GMT -4:00]


============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\System32\svchost.exe -k NetworkService
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\Lenovo\Healthcare\HealthCare.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Gmail Notifier\gnotify.exe
C:\Windows\system32\taskeng.exe
C:\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Internet Download Manager\IDMan.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Creative Home\Hallmark Card Studio 2009\Planner\PLNRnote.exe
C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
C:\Windows\system32\svchost.exe -k hpdevmgmt
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\Program Files\McAfee\VirusScan\McShield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\IoctlSvc.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Internet Download Manager\IEMonitor.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\wuauclt.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\Ann\Documents\Downloads\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.comcast.net/a/
mDefault_Page_URL = hxxp://www.yahoo.com
mStart Page = hxxp://www.yahoo.com
mWindow Title = Microsoft Internet Explorer provided by Comcast
mSearchAssistant = hxxp://www.comcast.net/toolbar2.0/search/
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
uURLSearchHooks: foxnewstalk Toolbar: {5b79bc2a-25c2-4f2a-bb86-606ea88ab950} - c:\program files\foxnewstalk\tbfox1.dll
uURLSearchHooks: N/A: {06663b56-0d73-4f9f-bcc5-4aa941470afd} - c:\program files\pandobar\srchastt\1.bin\P4SRCHAS.DLL
mURLSearchHooks: foxnewstalk Toolbar: {5b79bc2a-25c2-4f2a-bb86-606ea88ab950} - c:\program files\foxnewstalk\tbfox1.dll
BHO: IDMIEHlprObj Class: {0055c089-8582-441b-a0bf-17b458c2a3a8} - c:\internet download manager\IDMIECC.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Pando Search Assistant BHO: {06663b51-0d73-4f9f-bcc5-4aa941470afd} - c:\program files\pandobar\srchastt\1.bin\P4SRCHAS.DLL
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: CInterceptor Object: {38d3fe60-3d53-4f37-bb0e-c7a97a26a156} - c:\program files\pando networks\pando\PandoIEPlugin.dll
BHO: foxnewstalk Toolbar: {5b79bc2a-25c2-4f2a-bb86-606ea88ab950} - c:\program files\foxnewstalk\tbfox1.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.0.926.3450\swg.dll
BHO: Windows Live Toolbar Helper: {bdbd1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
BHO: 1 (0x1) - No File
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_219B3E1547538286.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Pando Toolbar BHO: {e3ea4fd1-cade-4ae5-84f7-086eee888be4} - c:\program files\pandobar\bar\1.bin\PANDOBAR.DLL
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn\YTSingleInstance.dll
TB: Windows Live Toolbar: {bdad1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: foxnewstalk Toolbar: {5b79bc2a-25c2-4f2a-bb86-606ea88ab950} - c:\program files\foxnewstalk\tbfox1.dll
TB: &Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
TB: Pando Toolbar: {e3ea4fd9-cade-4ae5-84f7-086eee888be4} - c:\program files\pandobar\bar\1.bin\PANDOBAR.DLL
TB: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No File
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [IDMan] c:\internet download manager\IDMan.exe /onboot
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [<NO NAME>]
uRun: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\nero\lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [Healthcare] c:\program files\lenovo\healthcare\HealthCare.exe /hide
mRun: [mcagent_exe] c:\program files\mcafee.com\agent\mcagent.exe /runkey
mRun: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] c:\gmail notifier\gnotify.exe
mRun: [HP Software Update] c:\hp\hp software update\HPWuSchd2.exe
mRun: [NWEReboot]
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe
StartupFolder: c:\users\ann\appdata\roaming\micros~1\windows\startm~1\programs\startup\eventp~1.lnk - c:\users\ann\appdata\roaming\microsoft\installer\{c4609419-c11e-4ce6-b369-f3f8a7ddd94c}\Shortcut_EventPlan_E2FBA8F7F7FD4C5EAA7D652BB0CAAA9D.exe
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: &Windows Live Search - c:\program files\windows live toolbar\msntb.dll/search.htm
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Download all links with IDM - c:\internet download manager\IEGetAll.htm
IE: Download FLV video content with IDM - c:\internet download manager\IEGetVL.htm
IE: Download with IDM - c:\internet download manager\IEExt.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/8/b/d/8bd77752-5704-4d68-a152-f7252adaa4f2/LegitCheckControl.cab
DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - hxxp://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei-4/SmileyCentralInitialSetup1.0.1.1.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
TCP: NameServer = 85.255.112.198,85.255.112.70
TCP: {9EE754EF-78DE-419E-AA8A-34EDB33578FE} = 85.255.112.198,85.255.112.70
Notify: igfxcui - igfxdev.dll

================= FIREFOX ===================

FF - ProfilePath - c:\users\ann\appdata\roaming\mozilla\firefox\profiles\kx7pdocc.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-tyc7&p=
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - www.myyahoo.com
FF - prefs.js: keyword.URL - about:neterror?e=query&u=
FF - component: c:\users\ann\appdata\roaming\idm\idmmzcc2\components\idmmzcc.dll
FF - component: c:\users\ann\appdata\roaming\mozilla\firefox\profiles\kx7pdocc.default\extensions\{5b79bc2a-25c2-4f2a-bb86-606ea88ab950}\components\FFAlert.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdjvu.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPPandBr.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npPandoWebInst.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPTURNMED.dll

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-3-26 64160]
R0 WinI2C-DDC;WinI2C-DDC Kernel Mode Driver;c:\windows\system32\drivers\ddcdrv.sys [2008-9-27 13680]
R2 BcmSqlStartupSvc;Business Contact Manager SQL Server Startup Service;c:\program files\microsoft small business\business contact manager\BcmSqlStartupSvc.exe [2008-1-11 30312]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-1-18 921936]
R2 regi;regi;c:\windows\system32\drivers\regi.sys [2007-4-17 11032]
S3 MSSQL$MSSMLBIZ;SQL Server (MSSMLBIZ);c:\program files\microsoft sql server\mssql.1\mssql\binn\sqlservr.exe [2008-11-24 29263712]
S3 netr73;Linksys Compact Wireless-G USB Adapter Driver for Vista;c:\windows\system32\drivers\WUSB54GCx86.sys [2008-12-5 256000]
S3 YahooAUService;Yahoo! Updater;c:\program files\yahoo!\softwareupdate\YahooAUService.exe [2008-11-9 602392]
S4 OKAV Agent Service;OKAV Agent Service;c:\program files\trend micro\okavagent\OKAVAgent.exe [2008-6-4 66824]

=============== Created Last 30 ================

2009-03-28 23:11 108 a---h--- C:\aaw7boot.cmd
2009-03-28 23:11 15,688 a------- c:\windows\system32\lsdelete.exe
2009-03-28 08:32 61,224 a------- c:\users\ann\GoToAssistDownloadHelper.exe
2009-03-27 22:38 249,856 a------- c:\windows\system32\pdfmona.dll
2009-03-27 22:38 51,716 a------- c:\windows\system32\pdf995mon.dll
2009-03-27 22:38 142 a------- c:\windows\wpd99.drv
2009-03-27 22:38 <DIR> --d----- c:\programdata\pdf995
2009-03-27 22:38 <DIR> --d----- c:\progra~2\pdf995
2009-03-26 20:42 64,160 a------- c:\windows\system32\drivers\Lbd.sys
2009-03-26 20:42 <DIR> -cd-h--- c:\programdata\{83C91755-2546-441D-AC40-9A6B4B860800}
2009-03-26 20:42 <DIR> -cd-h--- c:\progra~2\{83C91755-2546-441D-AC40-9A6B4B860800}
2009-03-25 22:34 <DIR> --d----- c:\program files\PlayMe
2009-03-25 19:26 974,848 a------- c:\windows\vorbis.dll
2009-03-25 19:26 939,368 a------- c:\windows\flash.ocx
2009-03-25 19:26 393,216 a------- c:\windows\3D Christmas Cottage Full.scr
2009-03-25 19:26 49,152 a------- c:\windows\ogg.dll
2009-03-25 19:26 28,672 a------- c:\windows\vorbisfile.dll
2009-03-25 19:26 <DIR> --d----- c:\program files\ScreenSaver.com
2009-03-24 16:05 <DIR> --d----- c:\programdata\Lavasoft
2009-03-23 17:24 <DIR> --d----- c:\program files\Sony
2009-03-23 17:24 <DIR> --d----- c:\program files\common files\Sony Shared
2009-03-23 16:53 <DIR> --d----- c:\programdata\NOS
2009-03-23 16:39 <DIR> --d----- c:\programdata\kinoma
2009-03-23 16:39 <DIR> --d----- c:\progra~2\kinoma
2009-03-23 16:22 <DIR> --d----- c:\programdata\Apple Computer
2009-03-23 00:29 <DIR> --d----- C:\PC HugWare
2009-03-22 15:29 410,984 a------- c:\windows\system32\deploytk.dll
2009-03-22 11:33 <DIR> --d----- c:\programdata\Adobe
2009-03-21 22:57 <DIR> --d----- c:\programdata\Broderbund Software
2009-03-21 22:57 <DIR> --d----- c:\progra~2\Broderbund Software
2009-03-21 17:01 <DIR> --d-h--- c:\programdata\yahoo!
2009-03-21 17:00 <DIR> --d----- c:\programdata\Yahoo! Companion
2009-03-21 17:00 <DIR> --d----- c:\programdata\Google
2009-03-21 14:14 <DIR> --d----- c:\program files\LizardTech
2009-03-21 13:58 <DIR> --d----- c:\users\ann\appdata\roaming\Moyea
2009-03-21 13:57 <DIR> --d----- c:\program files\Moyea
2009-03-14 09:51 <DIR> --d----- c:\program files\Windows Live Toolbar
2009-03-06 19:42 885 a------- C:\net_save.dna
2009-03-06 19:41 <DIR> --d----- c:\program files\Support.com
2009-03-04 17:54 <DIR> --d----- c:\users\ann\appdata\roaming\NeroDigital™
2009-03-03 20:46 <DIR> --d----- c:\program files\PCStitch 7
2009-03-03 20:05 <DIR> --d----- c:\users\ann\appdata\roaming\Creative Home
2009-03-01 14:31 <DIR> --d----- c:\program files\common files\ODBC
2009-03-01 13:39 <DIR> --d----- c:\program files\NeroInstall.bak
2009-03-01 13:28 <DIR> --d----- c:\programdata\Nero
2009-03-01 13:28 <DIR> --d----- c:\program files\Nero
2009-03-01 13:28 <DIR> --d----- c:\progra~2\Nero
2009-02-27 17:48 <DIR> --d----- c:\program files\common files\PX Storage Engine
2009-02-27 17:48 <DIR> --d----- c:\windows\system32\IOSUBSYS

==================== Find3M ====================

2009-03-23 19:51 4,270 a------- c:\users\ann\appdata\roaming\wklnhst.dat
2009-03-23 17:25 51,200 a------- c:\windows\inf\infpub.dat
2009-03-23 17:25 86,016 a------- c:\windows\inf\infstrng.dat
2009-03-23 17:25 86,016 a------- c:\windows\inf\infstor.dat
2009-02-08 01:49 1,024 a------- c:\program files\1pdfspl.dll
2009-01-22 10:49 206,256 a------- c:\windows\system32\idmmbc.dll
2009-01-15 02:11 827,392 a------- c:\windows\system32\wininet.dll
2009-01-05 18:33 3,751,995 a------- c:\windows\system32\GPhotos.scr
2009-01-04 18:37 196,608 a------- c:\windows\system32\avisynth.dll
2009-01-04 18:37 33,280 a------- c:\windows\system32\HUFFYUV.DLL
2008-12-29 17:16 737,280 a------- c:\windows\iun6002.exe
2008-12-05 20:28 763 a------- c:\program files\hpzinstall.log
2008-09-27 14:17 665,600 a------- c:\windows\inf\drvindex.dat
2008-01-20 22:43 174 a--sh--- c:\program files\desktop.ini
2006-11-02 08:42 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 08:42 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 08:42 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 08:42 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 05:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 05:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 05:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 05:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat

============= FINISH: 23:12:55.45 ===============

I am a pretty senior woman, so please advise patiently! :)

Thank you.
Attached Files
File Type: rar Desktop.rar (80.6 KB, 3 views)
-- rbbns


#2, 03-29-2009, 04:15 PM
Moderator, Analyst, Security Team; Rangemaster, TSF Academy
Join Date: Oct 2007
Location: Georgia
Posts: 10,623
OS: XP SP3

Re: Generic Rootkit.d!rootkit (Trojan) Infection

Hello and Welcome to TSF.

Please Subscribe to this Thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant notification by email, then click Add Subscription.

Please note that the forum is very busy and if I don't hear from you within three days this thread will be closed.

------------------------------------------------------

One or more of the identified infections is a backdoor trojan.

This type of infection allows hackers to remotely control your computer, log keystrokes, steal critical system information, and download and execute files without your knowledge.

If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Please read this: How Do I Handle Possible Identity Theft, Internet Fraud, and CC Fraud?

------------------------------------------------------

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Please stay with me until given the 'all clear' even if symptoms seemingly abate.

Kindly follow my instructions, and please do not attempt any fixes on your own or run scanners unless requested by a helper.

------------------------------------------------------

Please visit this webpage for download links, and instructions for running ComboFix:

http://www.bleepingcomputer.com/comb...o-use-combofix

* Ensure you have disabled all antivirus and antimalware programs so they do not interfere with the running of ComboFix.

Get help here

Please post the C:\ComboFix.txt in your next reply for further review.

------------------------------------------------------
__________________
Our help is free but please donate
Proud member of ASAP
Proud member of UNITE
-- chemist
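Two items in the DDS report in the first post are what a helper looks at before anything else. The "TCP: NameServer" entries point at 85.255.112.198 and 85.255.112.70 instead of the router's or ISP's resolvers; 85.255.112.0/20 is a block that was publicly attributed to the DNSChanger rogue-resolver operation, and rogue DNS is consistent with the redirected browsing and injected advertisements described. The second item is any kernel driver whose file name looks machine-generated, the usual footprint of a rootkit dropper. The script below is an added example written for this page; it is not part of the thread and is not code from DDS or ComboFix. It parses a report in DDS format and flags both indicators. The expected-resolver ranges (RFC 1918 only; an owner's ISP resolvers would be added), the "machine-generated name" heuristic and the last driver line of the sample are assumptions made for the example. One caveat: while a kernel rootkit is active it typically hides its own driver from user-mode tools, which is why the DDS log in the first post lists no such entry and why the helper moves on to ComboFix.

```python
import ipaddress
import re

# Constructed sample in DDS report format. The two "TCP:" lines and the first three
# driver lines are copied from the DDS report in the first post. The last R0 line is
# constructed for this example: it uses the driver file name that ComboFix removes
# later in the thread, which DDS itself did not list because the rootkit hid it.
SAMPLE_REPORT = r"""
TCP: NameServer = 85.255.112.198,85.255.112.70
TCP: {9EE754EF-78DE-419E-AA8A-34EDB33578FE} = 85.255.112.198,85.255.112.70
Notify: igfxcui - igfxdev.dll
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-3-26 64160]
R0 WinI2C-DDC;WinI2C-DDC Kernel Mode Driver;c:\windows\system32\drivers\ddcdrv.sys [2008-9-27 13680]
R2 regi;regi;c:\windows\system32\drivers\regi.sys [2007-4-17 11032]
R0 gaopdxserv;gaopdxserv;c:\windows\system32\drivers\gaopdxsimnqxkrxmefdpqxvsuvchwdeoqjnvvi.sys [2009-3-27 40960]
"""

# Resolver ranges a home machine behind a router is expected to use (RFC 1918).
# Assumption for the example: a real triage would add the owner's ISP resolvers.
EXPECTED_RESOLVERS = [ipaddress.ip_network(n)
                      for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# 85.255.112.0/20 was publicly attributed to the DNSChanger rogue-resolver operation.
ROGUE_RESOLVERS = [ipaddress.ip_network("85.255.112.0/20")]

# "TCP: NameServer = a,b" and the per-interface "TCP: {GUID} = a,b" form.
NAMESERVER_RE = re.compile(r"^TCP:\s+(?:NameServer|\{[0-9A-Fa-f-]+\})\s*=\s*(.+)$")
# DDS driver line: "R0 service;display name;path.sys [date size]"
DRIVER_RE = re.compile(r"^[RS][0-4]\s+([^;]+);[^;]*;(.+?\.sys)\b", re.IGNORECASE)


def classify_resolver(ip):
    """Return a finding string for a resolver address, or None if it is expected."""
    if any(ip in net for net in ROGUE_RESOLVERS):
        return "known rogue resolver range"
    if any(ip in net for net in EXPECTED_RESOLVERS):
        return None
    return "resolver outside expected ranges"


def check_nameservers(report):
    """Flag DNS resolvers in TCP: NameServer lines; returns [(ip, reason)] sorted by ip."""
    findings = {}
    for line in report.splitlines():
        m = NAMESERVER_RE.match(line.strip())
        if not m:
            continue
        for token in m.group(1).split(","):
            try:
                ip = ipaddress.ip_address(token.strip())
            except ValueError:
                continue  # not an address (e.g. an empty trailing field)
            reason = classify_resolver(ip)
            if reason:
                findings[ip] = reason
    return [(str(ip), findings[ip]) for ip in sorted(findings)]


def looks_machine_generated(name, min_len=16, max_vowel_ratio=0.3):
    """Heuristic (an assumption of this example): long, purely alphabetic, vowel-poor
    file names are typical of rootkit droppers that pick a random name per install."""
    if len(name) < min_len or not name.isalpha():
        return False
    vowels = sum(ch in "aeiou" for ch in name.lower())
    return vowels / len(name) < max_vowel_ratio


def check_drivers(report):
    """Flag R*/S* driver entries whose .sys basename looks machine-generated."""
    findings = []
    for line in report.splitlines():
        m = DRIVER_RE.match(line.strip())
        if not m:
            continue
        service, path = m.group(1), m.group(2)
        basename = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
        if looks_machine_generated(basename):
            findings.append((service, path))
    return findings


def triage(report):
    """Run both checks over a DDS-format report."""
    return {"resolvers": check_nameservers(report), "drivers": check_drivers(report)}


if __name__ == "__main__":
    for kind, items in triage(SAMPLE_REPORT).items():
        for item in items:
            print(f"[{kind}] {item}")
```

Run against the sample, the script flags both 85.255.112.x resolvers as rogue and the gaopdx driver as machine-generated while leaving Lbd.sys, ddcdrv.sys and regi.sys alone. The name heuristic is deliberately crude; it is a prompt to look closer at an entry, not a verdict, and a rootkit whose driver is hidden from the tool that produced the report will not appear in it at all.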
#3, 03-29-2009, 05:36 PM
Registered User
Join Date: Mar 2009
Posts: 11
OS: Vista

Re: Generic Rootkit.d!rootkit (Trojan) Infection

My results:

Thank you.

ComboFix 09-03-28.04 - Ann 2009-03-29 2:29:13.1 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.3317.2090 [GMT -4:00]
Running from: c:\users\Ann\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\PlayMe
c:\program files\PlayMe\Uninstall.exe
c:\programdata\Microsoft\Windows\Start Menu\Programs\PlayMe
c:\programdata\Microsoft\Windows\Start Menu\Programs\PlayMe\Uninstall.lnk
c:\recycler\S-3-1-53-100008462-100016370-100000576-9178.com
c:\users\Ann\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\PlayMe
c:\windows\system32\drivers\gaopdxsimnqxkrxmefdpqxvsuvchwdeoqjnvvi.sys
c:\windows\system32\gaopdxcounter
c:\windows\system32\gaopdxidxytrjimoxtcaiftvihmxvgerupkitc.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_gaopdxserv.sys


((((((((((((((((((((((((( Files Created from 2009-02-28 to 2009-03-29 )))))))))))))))))))))))))))))))
.

2009-03-28 23:11 . 2009-01-18 17:35 15,688 --a------ c:\windows\System32\lsdelete.exe
2009-03-28 08:32 . 2009-03-28 08:32 61,224 --a------ c:\users\Ann\GoToAssistDownloadHelper.exe
2009-03-27 22:38 . 2009-03-27 22:38 <DIR> d-------- c:\users\All Users\pdf995
2009-03-27 22:38 . 2009-03-27 22:38 <DIR> d-------- c:\programdata\pdf995
2009-03-27 22:38 . 2009-03-27 22:38 249,856 --a------ c:\windows\System32\pdfmona.dll
2009-03-27 22:38 . 2009-03-27 22:38 51,716 --a------ c:\windows\System32\pdf995mon.dll
2009-03-27 22:38 . 2007-08-24 12:13 142 --a------ c:\windows\wpd99.drv
2009-03-26 20:42 . 2009-03-26 20:42 <DIR> d--h-c--- c:\users\All Users\{83C91755-2546-441D-AC40-9A6B4B860800}
2009-03-26 20:42 . 2009-03-26 20:42 <DIR> d--h-c--- c:\programdata\{83C91755-2546-441D-AC40-9A6B4B860800}
2009-03-26 20:42 . 2009-01-18 17:30 64,160 --a------ c:\windows\System32\drivers\Lbd.sys
2009-03-25 19:26 . 2009-03-25 19:26 <DIR> d-------- c:\program files\ScreenSaver.com
2009-03-25 19:26 . 2004-04-29 14:24 974,848 --a------ c:\windows\vorbis.dll
2009-03-25 19:26 . 2004-04-08 07:51 939,368 --a------ c:\windows\flash.ocx
2009-03-25 19:26 . 2004-11-19 17:33 393,216 --a------ c:\windows\3D Christmas Cottage Full.scr
2009-03-25 19:26 . 2004-04-29 14:24 49,152 --a------ c:\windows\ogg.dll
2009-03-25 19:26 . 2004-04-29 14:24 28,672 --a------ c:\windows\vorbisfile.dll
2009-03-24 16:05 . 2009-03-26 20:42 <DIR> d-------- c:\users\All Users\Lavasoft
2009-03-24 16:05 . 2009-03-26 20:42 <DIR> d-------- c:\programdata\Lavasoft
2009-03-23 17:24 . 2009-03-23 17:25 <DIR> d-------- c:\program files\Sony
2009-03-23 17:24 . 2009-03-23 17:24 <DIR> d-------- c:\program files\Common Files\Sony Shared
2009-03-23 16:53 . 2009-03-23 17:15 <DIR> d-------- c:\users\All Users\NOS
2009-03-23 16:53 . 2009-03-23 17:15 <DIR> d-------- c:\programdata\NOS
2009-03-23 16:39 . 2009-03-23 16:39 <DIR> d-------- c:\users\All Users\kinoma
2009-03-23 16:39 . 2009-03-23 16:39 <DIR> d-------- c:\programdata\kinoma
2009-03-23 16:39 . 2009-03-23 16:39 <DIR> d-------- c:\program files\DIFX
2009-03-23 16:22 . 2009-03-24 06:55 <DIR> d-------- c:\users\All Users\Apple Computer
2009-03-23 16:22 . 2009-03-24 06:55 <DIR> d-------- c:\programdata\Apple Computer
2009-03-23 00:29 . 2009-03-23 00:29 <DIR> d-------- C:\PC HugWare
2009-03-22 15:29 . 2009-03-22 15:29 <DIR> d-------- c:\program files\Java
2009-03-22 15:29 . 2009-03-22 15:29 410,984 --a------ c:\windows\System32\deploytk.dll
2009-03-22 11:33 . 2009-03-22 11:33 <DIR> d-------- c:\users\All Users\Adobe
2009-03-21 22:57 . 2009-03-21 22:57 <DIR> d-------- c:\users\All Users\Broderbund Software
2009-03-21 22:57 . 2009-03-21 22:57 <DIR> d-------- c:\programdata\Broderbund Software
2009-03-21 17:01 . 2009-03-21 17:01 <DIR> d--h----- c:\users\All Users\yahoo!
2009-03-21 17:01 . 2009-03-21 17:01 <DIR> d--h----- c:\programdata\yahoo!
2009-03-21 17:00 . 2009-03-21 17:00 <DIR> d-------- c:\users\All Users\Yahoo! Companion
2009-03-21 17:00 . 2009-03-21 17:00 <DIR> d-------- c:\users\All Users\Google
2009-03-21 17:00 . 2009-03-21 17:00 <DIR> d-------- c:\programdata\Yahoo! Companion
2009-03-21 14:14 . 2009-03-21 14:14 <DIR> d-------- c:\program files\LizardTech
2009-03-21 13:58 . 2009-03-21 13:58 <DIR> d-------- c:\users\Ann\AppData\Roaming\Moyea
2009-03-21 13:57 . 2009-03-21 13:57 <DIR> d-------- c:\program files\Moyea
2009-03-14 09:51 . 2009-03-14 09:51 <DIR> d-------- c:\program files\Windows Live Toolbar
2009-03-06 19:42 . 2009-03-06 19:42 885 --a------ C:\net_save.dna
2009-03-06 19:41 . 2009-03-06 19:42 <DIR> d-------- c:\program files\Support.com
2009-03-04 17:54 . 2009-03-04 17:54 <DIR> d-------- c:\users\Ann\AppData\Roaming\NeroDigital™
2009-03-03 20:46 . 2009-03-03 20:46 <DIR> d-------- c:\program files\PCStitch 7
2009-03-03 20:05 . 2009-03-03 20:05 <DIR> d-------- c:\users\Ann\AppData\Roaming\Creative Home
2009-03-01 13:39 . 2009-03-01 13:39 <DIR> d-------- c:\program files\NeroInstall.bak
2009-03-01 13:32 . 2009-03-01 13:32 <DIR> d-------- c:\users\Ann\AppData\Roaming\Nero
2009-03-01 13:28 . 2009-03-21 14:30 <DIR> d-------- c:\users\All Users\Nero
2009-03-01 13:28 . 2009-03-21 14:30 <DIR> d-------- c:\programdata\Nero
2009-03-01 13:28 . 2009-03-01 13:28 <DIR> d-------- c:\program files\Nero
2009-03-01 13:28 . 2009-03-01 13:30 <DIR> d-------- c:\program files\Common Files\Nero

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-29 06:18 --------- d-----w c:\users\Ann\AppData\Roaming\DMCache
2009-03-28 02:38 --------- d-----w c:\program files\PDF995
2009-03-23 23:51 4,270 ----a-w c:\users\Ann\AppData\Roaming\wklnhst.dat
2009-03-23 21:15 --------- d-----w c:\program files\NOS
2009-03-21 18:28 --------- d-----w c:\program files\Yahoo!
2009-03-21 18:27 --------- d-----w c:\program files\Hewlett-Packard
2009-03-21 18:26 --------- d-----w c:\program files\Google
2009-03-21 18:24 --------- d-----w c:\program files\HP
2009-03-21 18:23 --------- d-----w c:\program files\Lavasoft
2009-03-21 18:14 --------- d--h--w c:\program files\InstallShield Installation Information
2009-03-18 17:55 --------- d-----w c:\program files\Common Files\Adobe AIR
2009-03-12 17:22 --------- d-----w c:\users\Ann\AppData\Roaming\Image Zone Express
2009-03-11 00:42 --------- d-----w c:\program files\foxnewstalk
2009-03-04 18:56 --------- d-----w c:\program files\Essentials Codec Pack
2009-03-01 23:14 --------- d-----w c:\program files\Microsoft Help
2009-03-01 18:32 --------- d-----w c:\program files\Microsoft Works
2009-03-01 18:31 --------- d-----w c:\program files\Microsoft.NET
2009-03-01 17:46 --------- d-----w c:\program files\Desktop Notepad
2009-02-27 21:48 --------- d-----w c:\program files\Common Files\PX Storage Engine
2009-02-27 00:27 --------- d-----w c:\program files\PandoBar
2009-02-27 00:27 --------- d-----w c:\program files\Pando Networks
2009-02-26 21:24 --------- d-----w c:\program files\Microsoft Silverlight
2009-02-20 23:44 --------- d-----w c:\users\Ann\AppData\Roaming\TaxCut
2009-02-20 23:27 --------- d-----w c:\program files\TaxCut
2009-02-18 23:57 --------- d-----w c:\users\Ann\AppData\Roaming\IDM
2009-02-16 23:05 --------- d-----w c:\program files\ImTOO
2009-02-14 16:58 --------- d-----w c:\program files\Auction Sentry
2009-02-10 20:50 --------- d-----w c:\program files\Windows Mail
2009-02-08 17:21 --------- d-----w c:\program files\Microsoft SQL Server
2009-02-08 16:48 --------- d-----w c:\program files\Yahoo! Companion
2009-02-08 05:49 1,024 ----a-w c:\program files\1pdfspl.dll
2009-02-08 05:46 --------- d-----w c:\program files\8848soft
2009-02-08 05:29 --------- d-----w c:\program files\AdultPDF
2009-02-04 03:21 --------- d-----w c:\program files\AAAPDF
2009-02-04 02:54 --------- d-----w c:\users\Ann\AppData\Roaming\Thinstall
2009-02-03 17:57 --------- d-----w c:\program files\Creative Home
2009-02-03 17:57 --------- d-----w c:\program files\Common Files\Nova Development
2009-02-03 17:28 --------- d-----w c:\program files\burnatonce
2009-02-03 17:06 --------- d-----w c:\program files\NCH Software
2009-02-03 17:05 --------- d-----w c:\program files\NCH Swift Sound
2009-01-31 21:37 --------- d-----w c:\program files\Astro22 V7
2009-01-22 14:49 206,256 ----a-w c:\windows\System32\idmmbc.dll
2009-01-15 06:11 827,392 ----a-w c:\windows\System32\wininet.dll
2009-01-05 22:33 3,751,995 ----a-w c:\windows\System32\GPhotos.scr
2009-01-04 22:37 33,280 ----a-w c:\windows\System32\HUFFYUV.DLL
2009-01-04 22:37 196,608 ----a-w c:\windows\System32\avisynth.dll
2008-12-29 21:16 737,280 ----a-w c:\windows\iun6002.exe
2008-12-06 00:28 763 ----a-w c:\program files\hpzinstall.log
2008-01-21 02:43 174 --sha-w c:\program files\desktop.ini
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{5b79bc2a-25c2-4f2a-bb86-606ea88ab950}"= "c:\program files\foxnewstalk\tbfox1.dll" [2009-03-10 1883672]
"{06663B56-0D73-4f9f-BCC5-4AA941470AFD}"= "c:\program files\PandoBar\SrchAstt\1.bin\P4SRCHAS.DLL" [2009-02-26 61440]

[HKEY_CLASSES_ROOT\clsid\{5b79bc2a-25c2-4f2a-bb86-606ea88ab950}]

[HKEY_CLASSES_ROOT\clsid\{06663b56-0d73-4f9f-bcc5-4aa941470afd}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5b79bc2a-25c2-4f2a-bb86-606ea88ab950}]
2009-03-10 20:42 1883672 --a------ c:\program files\foxnewstalk\tbfox1.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E3EA4FD1-CADE-4ae5-84F7-086EEE888BE4}]
2009-02-26 20:27 266240 --a------ c:\program files\PandoBar\bar\1.bin\PANDOBAR.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{5b79bc2a-25c2-4f2a-bb86-606ea88ab950}"= "c:\program files\foxnewstalk\tbfox1.dll" [2009-03-10 1883672]
"{E3EA4FD9-CADE-4ae5-84F7-086EEE888BE4}"= "c:\program files\PandoBar\bar\1.bin\PANDOBAR.DLL" [2009-02-26 266240]

[HKEY_CLASSES_ROOT\clsid\{5b79bc2a-25c2-4f2a-bb86-606ea88ab950}]

[HKEY_CLASSES_ROOT\clsid\{e3ea4fd9-cade-4ae5-84f7-086eee888be4}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{5B79BC2A-25C2-4F2A-BB86-606EA88AB950}"= "c:\program files\foxnewstalk\tbfox1.dll" [2009-03-10 1883672]
"{E3EA4FD9-CADE-4AE5-84F7-086EEE888BE4}"= "c:\program files\PandoBar\bar\1.bin\PANDOBAR.DLL" [2009-02-26 266240]

[HKEY_CLASSES_ROOT\clsid\{5b79bc2a-25c2-4f2a-bb86-606ea88ab950}]

[HKEY_CLASSES_ROOT\clsid\{e3ea4fd9-cade-4ae5-84f7-086eee888be4}]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\VeriFace Enc]
@="{771C7324-DA80-49D3-8017-753B0AF60951}"
[HKEY_CLASSES_ROOT\CLSID\{771C7324-DA80-49D3-8017-753B0AF60951}]
2008-09-27 14:07 241752 --a------ c:\windows\system32\IcnOvrly.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-20 1233920]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-20 125952]
"IDMan"="c:\internet download manager\IDMan.exe" [2009-01-22 2745776]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-02-14 39408]
"IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" [2008-02-28 1828136]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-20 202240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Healthcare"="c:\program files\Lenovo\Healthcare\HealthCare.exe" [2008-02-23 466944]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2007-11-01 582992]
"{0228e555-4f9c-4e35-a3ec-b109a192b4c2}"="c:\gmail notifier\gnotify.exe" [2005-07-15 479232]
"HP Software Update"="c:\hp\HP Software Update\HPWuSchd2.exe" [2006-12-10 49152]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-22 148888]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-01-18 506712]

c:\users\Ann\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Event Planner Reminder 2009.lnk - c:\users\Ann\AppData\Roaming\Microsoft\Installer\{C4609419-C11E-4CE6-B369-F3F8A7DDD94C}\Shortcut_EventPlan_E2FBA8F7F7FD4C5EAA7D652BB0CAAA9D.exe [2009-02-03 237568]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.l3codecp"= l3codecp.acm
"msacm.clmp3enc"= c:\progra~1\Lenovo\Power2Go\CLMP3Enc.ACM
"msacm.ac3filter"= ac3filter.acm
"VIDC.HFYU"= huffyuv.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Audible Download Manager.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Audible Download Manager.lnk
backup=c:\windows\pss\Audible Download Manager.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Forget Me Not.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Forget Me Not.lnk
backup=c:\windows\pss\Forget Me Not.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^tisspwiz.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\tisspwiz.lnk
backup=c:\windows\pss\tisspwiz.lnk.CommonStartup
backupExtension=.CommonStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-06-12 03:38 34672 c:\program files\adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
--a------ 2007-09-19 03:38 154136 c:\windows\System32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
--a------ 2007-09-19 03:39 141848 c:\windows\System32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-11-20 14:20 290088 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Media Codec Update Service]
--a------ 2009-01-25 14:17 196608 c:\program files\Essentials Codec Pack\WECPUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBKeyScan]
--a------ 2008-02-18 17:29 2221352 c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Pando]
--a------ 2009-02-19 07:40 3913032 c:\program files\Pando Networks\Pando\pando.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
--a------ 2007-09-19 03:39 129560 c:\windows\System32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-11-04 11:30 413696 c:\program files\quicktime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Search Protection]
--a------ 2008-10-07 11:23 111856 c:\program files\Yahoo!\Search Protection\SearchProtection.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SetDefaultSCR]
--a------ 2008-08-07 18:08 98304 c:\program files\Lenovo\Lenovo Screensaver\SetDefaultSCR.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VeriFaceManager]
--a------ 2008-09-27 14:07 2916352 c:\program files\Lenovo\VeriFaceIII\PManage.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YSearchProtection]
--a------ 2008-10-07 11:23 111856 c:\program files\Yahoo!\Search Protection\SearchProtection.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RtHDVCpl]
--a------ 2008-05-20 06:06 6144000 c:\windows\RtHDVCpl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AutoUpdateDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{B362437F-A281-4FAC-A84D-262560D8F749}"= UDP:c:\windows\System32\migwiz\migwiz.exe:Windows Easy Transfer
"{9CC59888-2E22-4F3C-84AF-301143AAD301}"= TCP:c:\windows\System32\migwiz\migwiz.exe:Windows Easy Transfer
"{93506456-074E-4E4E-A532-0094382C4111}"= Profile=Private|Profile=Public|c:\program files\Common Files\Mcafee\MNA\McNaSvc.exe:McAfee Network Agent
"{3FBA41D9-1F7D-44E3-A786-9D53C4AE9194}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{A6112EB3-956A-47E8-8DB6-AADC0F9325AB}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes
"{E28A719D-B060-43FF-BEFF-BC794D219E63}"= UDP:c:\windows\explorer.exe:TCP
"{9F88D242-0B5A-476F-9E48-C958AD71138F}"= TCP:c:\windows\explorer.exe:TCP
"{74D83A62-3409-4C01-B295-62B133F2A769}"= UDP:c:\windows\System32\ftp.exe:UDP
"{5777555B-20B1-4D32-935E-1999B0DCEB50}"= TCP:c:\windows\System32\ftp.exe:UDP
"{6F906A6B-EB94-4570-8A2C-49AA850FF249}"= UDP:56433:Pando P2P TCP Listening Port
"{EEA1A158-96E9-4F69-8D31-18364B8659BB}"= TCP:56433:Pando P2P UDP Listening Port
"{818660DD-1954-48AD-BC4D-CC5AF8B01FC9}"= UDP:58662:Pando P2P TCP Listening Port
"{6AD66038-550F-43A5-86E5-3C39BA951F22}"= TCP:58662:Pando P2P UDP Listening Port
"2febaf68-dc72-47b1-9856-a7d51ac68e8a"= %ProgramFiles%\Pando Networks\Pando\pando.exe:Pando Inbound
"{DC416268-76A8-4781-B3BD-E61D5D27B8ED}"= UDP:c:\program files\Pando Networks\Pando\pando.exe:Pando Application
"{C89D5B7D-8866-4006-8C60-EE94C6EA7D22}"= TCP:c:\program files\Pando Networks\Pando\pando.exe:Pando Application
"{4E6F6576-E904-4548-BC0A-EE4C28088B01}"= UDP:57465:Pando P2P TCP Listening Port
"{9C3CCFCD-CD0F-4ABA-A858-3A7017006196}"= TCP:57465:Pando P2P UDP Listening Port

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)

R0 Lbd;Lbd;c:\windows\System32\drivers\Lbd.sys [2009-03-26 64160]
R0 WinI2C-DDC;WinI2C-DDC Kernel Mode Driver;c:\windows\System32\drivers\ddcdrv.sys [2008-09-27 13680]
R2 BcmSqlStartupSvc;Business Contact Manager SQL Server Startup Service;c:\program files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe [2008-01-11 30312]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2009-01-18 921936]
R2 regi;regi;c:\windows\System32\drivers\regi.sys [2007-04-17 11032]
S3 MSSQL$MSSMLBIZ;SQL Server (MSSMLBIZ);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2008-11-24 29263712]
S3 netr73;Linksys Compact Wireless-G USB Adapter Driver for Vista;c:\windows\System32\drivers\WUSB54GCx86.sys [2008-12-05 256000]
S3 YahooAUService;Yahoo! Updater;c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe [2008-11-09 602392]
S4 OKAV Agent Service;OKAV Agent Service;c:\program files\Trend Micro\OKAVAgent\OKAVAgent.exe [2008-06-04 66824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{79854753-8cbc-11dd-bfc8-806e6f6e6963}]
\shell\AutoRun\command - f:\setup\autorun\autorun.exe
\shell\install\command - F:\setup.exe
\shell\readfile\command - notepad readme.txt
.
Contents of the 'Scheduled Tasks' folder

2009-03-27 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-01-18 17:34]

2009-03-29 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-02-12 18:54]

2009-03-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2007-12-04 17:32]

2009-03-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2007-12-04 17:32]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-NWEReboot - (no file)
MSConfigStartUp-DNP - c:\program files\Desktop Notepad\Desktop Notepad.exe
MSConfigStartUp-Unattend0000000001{630DEC53-CECA-49A3-896C-B064A4DC05AA} - c:\windows\test.bat


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.comcast.net/a/
mStart Page = hxxp://www.yahoo.com
mWindow Title = Microsoft Internet Explorer provided by Comcast
IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Download all links with IDM - c:\internet download manager\IEGetAll.htm
IE: Download FLV video content with IDM - c:\internet download manager\IEGetVL.htm
IE: Download with IDM - c:\internet download manager\IEExt.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - hxxp://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei-4/SmileyCentralInitialSetup1.0.1.1.cab
FF - ProfilePath - c:\users\Ann\AppData\Roaming\Mozilla\Firefox\Profiles\kx7pdocc.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-tyc7&p=
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - www.myyahoo.com
FF - prefs.js: keyword.URL - about:neterror?e=query&u=
FF - component: c:\users\Ann\AppData\Roaming\IDM\idmmzcc2\components\idmmzcc.dll
FF - component: c:\users\Ann\AppData\Roaming\Mozilla\Firefox\Profiles\kx7pdocc.default\extensions\{5b79bc2a-25c2-4f2a-bb86-606ea88ab950}\components\FFAlert.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdjvu.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPPandBr.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npPandoWebInst.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPTURNMED.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-29 02:47:35
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\users\Ann\AppData\Local\Temp\catchme.dll 53248 bytes executable

scan completed successfully
hidden files: 1

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-661485259-3402989404-3228515569-1004_Classes\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}]
@Denied: (Full) (Everyone)
"scansk"=hex(0):c1,92,84,93,fb,08,05,db,85,66,2b,4e,a6,67,3c,90,60,92,6b,9c,da,
3a,0d,e8,9f,91,5e,ac,75,98,81,06,7e,b2,c9,5e,3a,bc,f5,89,00,00,00,00,00,00,\

[HKEY_USERS\S-1-5-21-661485259-3402989404-3228515569-1004_Classes\CLSID\{b7211b4b-c76b-4fc0-b53f-6410d48672cb}]
@Denied: (Full) (Everyone)
@Allowed: (Read) (RestrictedCode)
"Model"=dword:00000038
"Therad"=dword:0000000b
"MData"=hex(0):33,a7,dc,ae,60,f1,72,6b,5b,5c,ef,76,13,f1,c6,66,a5,41,44,f3,46,
c2,b0,a7,05,98,32,02,34,2b,da,61,56,75,65,4b,2f,cd,3e,9f,bc,6e,be,df,4a,d6,\
.
Completion time: 2009-03-29 2:49:14
ComboFix-quarantined-files.txt 2009-03-29 06:49:12

Pre-Run: 219,849,891,840 bytes free
Post-Run: 219,894,489,088 bytes free

338 --- E O F --- 2009-03-01 23:14:16
Attached Files
File Type: txt combofixlog.txt (23.7 KB, 2 views)

Last edited by chemist; 03-29-2009 at 06:39 PM.
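The log above is long, and a helper reads it for a handful of settings first: the Windows Firewall switched off on all three profiles, the Security Center told not to warn about disabled automatic updates, which Browser Helper Objects load into Internet Explorer, the AutoRun handler registered for the F: volume, and whether the catchme rootkit scan reported hidden files. The following Python scan is an added example written for this thread; it is not code from the thread, from ComboFix or from its author, and the rule names and function names are my own. SAMPLE_LOG is a constructed excerpt that reuses the line formats seen in the posted log.

```python
"""Risky-setting scan over a ComboFix/DDS-style log.

Added example, not code from the thread, from ComboFix, or from its author:
the rule names and function names are mine. SAMPLE_LOG is a constructed
excerpt in the same line format as the log posted above.
"""
import re
from typing import List, Tuple

Finding = Tuple[str, str]  # (rule name, detail)

SECTION_RE = re.compile(r"^\[(.+)\]$")                              # [HKLM\...] header
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<value>.+)$')   # "Name"= value
FILE_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} \d+ \S+ (?P<path>.+)$")
HIDDEN_RE = re.compile(r"^hidden files: (\d+)$")

# Constructed excerpt; the StandardProfile line is altered to show a profile
# that is NOT flagged.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E3EA4FD1-CADE-4ae5-84F7-086EEE888BE4}]
2009-02-26 20:27 266240 --a------ c:\program files\PandoBar\bar\1.bin\PANDOBAR.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AutoUpdateDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{79854753-8cbc-11dd-bfc8-806e6f6e6963}]
\shell\AutoRun\command - f:\setup\autorun\autorun.exe

hidden files: 1
"""


def analyze_combofix_log(text: str) -> List[Finding]:
    """One pass over the log, remembering the current [section] header so
    that each value line is interpreted in the context of its key."""
    findings: List[Finding] = []
    section = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        sec = section.lower()

        v = VALUE_RE.match(line)
        if v:
            name, value = v.group("name"), v.group("value").strip()
            # Windows Firewall off for a profile: "EnableFirewall"= 0 (0x0)
            if "firewallpolicy" in sec and name == "EnableFirewall" and value.startswith("0"):
                findings.append(("firewall-disabled", section.rsplit("\\", 1)[-1]))
            # Security Center told not to warn about disabled automatic updates
            elif "security center" in sec and name == "AutoUpdateDisableNotify":
                if value.lower().startswith("dword:") and int(value[6:], 16) != 0:
                    findings.append(("auto-update-notify-disabled", f"{name}={value}"))
            continue

        # Browser Helper Objects load into every IE process; list them for review
        f = FILE_RE.match(line)
        if f and "browser helper objects" in sec:
            findings.append(("bho", f.group("path")))
            continue

        # AutoRun handler recorded for a removable or optical volume
        if "mountpoints2" in sec and line.lower().startswith(r"\shell\autorun\command"):
            findings.append(("autorun-handler", line.split(" - ", 1)[-1]))
            continue

        # catchme summary line; a non-zero count means the listed paths need a look
        h = HIDDEN_RE.match(line)
        if h and int(h.group(1)) > 0:
            findings.append(("hidden-files", h.group(1)))
    return findings


def disabled_firewall_profiles(findings: List[Finding]) -> List[str]:
    """Names of the firewall profiles the log shows as switched off."""
    return [detail for rule, detail in findings if rule == "firewall-disabled"]


if __name__ == "__main__":
    for rule, detail in analyze_combofix_log(SAMPLE_LOG):
        print(f"{rule:28s} {detail}")
```

Run against the constructed sample it reports the BHO, the suppressed update notification, the two disabled profiles, the AutoRun handler and the hidden-file count. The hidden-file rule is only a prompt to read the paths catchme listed; in the log above the single hidden file is catchme's own DLL in the Temp folder.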
Old 03-29-2009, 06:44 PM   #4 (permalink)
Moderator, Analyst, Security Team; Rangemaster, TSF Academy
 
Join Date: Oct 2007
Location: Georgia
Posts: 10,623
OS: XP SP3


Re: Generic Rootkit.d!rootkit (Trojan) Infection

Hello rbbns. Please tell us how your system is behaving.

Please copy this page to Notepad and Save it to your Desktop in order to assist you when carrying out the following instructions.

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding.
Ensure that there aren't any opened browsers when you are carrying out the procedures below.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

------------------------------------------------------

Open Notepad and copy/paste the entire contents of the codebox below into Notepad (don't forget to copy and paste REGEDIT4):

Code:
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AutoUpdateDisableNotify"=dword:00000000
Save the file as fix.reg and choose to Save as type: - All Files then close the Notepad file.
It should look like this:

Double-click on fix.reg and choose Yes to merge/add it to the registry. Please delete the file afterwards.

------------------------------------------------------

Please download ATF-Cleaner by Atribune and Save it to your Desktop.
  • Right-click ATF-Cleaner.exe and choose Run as Administrator to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.
If you use Firefox browser
  • Click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser
  • Click Opera at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

------------------------------------------------------

Please run this online scan to help look for remnants.

Ensure your external and/or USB drives are inserted during the scan.

In Microsoft Windows Vista, you must open the Web browser via a right-click using the Run as Administrator command.

Establish an internet connection & perform an online scan at Kaspersky Online Scanner

Click Accept, when prompted to download and install the program files and database of malware definitions.
  • Click Run at any Security prompt.
  • The program will then begin downloading and installing and will also update the database.
  • Please be patient as this can take several minutes.
  • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected.
  • It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.
  • Click the Save Report As... button.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.


**Note**

To optimize scanning time and produce a more sensible report for review:
  • Close any open programs.
  • Turn off the real-time scanner of all antivirus or antispyware programs while performing the online scan.
Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.

------------------------------------------------------

Please post the following in your next reply:

Kaspersky report
report on system behavior
__________________
Our help is free but please donate

Proud member of ASAP
Proud member of UNITE
Old 03-30-2009, 12:26 PM   #5 (permalink)
Registered User
 
Join Date: Mar 2009
Posts: 11
OS: Vista


Re: Generic Rootkit.d!rootkit (Trojan) Infection

The Kaspersky scan is taking a very long time with the externals attached. However, there does not seem to be anything extremely disturbing on the report thus far. I will discontinue the scan on the external drive within the next hour or so, if nothing further appears. There has not been anything other than a toolbar issue shown. I will post the report in my next post. I have had some issues with starting IE. I generally run both browsers but in separate windows as I have better results from running Firefox for streaming radio, and IE for other purposes. Is there a conflict by doing this?
Old 03-30-2009, 12:48 PM   #6 (permalink)
Registered User
 
Join Date: Mar 2009
Posts: 11
OS: Vista


Re: Generic Rootkit.d!rootkit (Trojan) Infection

Something happened to my scan. I have to start over.
Old 03-30-2009, 01:52 PM   #7 (permalink)
Moderator, Analyst, Security Team; Rangemaster, TSF Academy
 
Join Date: Oct 2007
Location: Georgia
Posts: 10,623
OS: XP SP3


Re: Generic Rootkit.d!rootkit (Trojan) Infection

Should be OK to run IE and FF at the same time.

Sorry you are having trouble. If Kaspersky won't complete, let me know and we can try another scanner.
__________________
Our help is free but please donate

Proud member of ASAP
Proud member of UNITE
Old 03-31-2009, 04:40 AM   #8 (permalink)
Registered User
 
Join Date: Mar 2009
Posts: 11
OS: Vista


Re: Generic Rootkit.d!rootkit (Trojan) Infection

Something happened to my scan. I have to start over.
Old 03-31-2009, 04:42 AM   #9 (permalink)
Registered User
 
Join Date: Mar 2009
Posts: 11
OS: Vista


Re: Generic Rootkit.d!rootkit (Trojan) Infection

My Kaspersky Scan for Drive C:

Please advise :
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Tuesday, March 31, 2009
Operating System: Microsoft Windows Vista Home Premium Edition, 32-bit Service Pack 1 (build 6001)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Tuesday, March 31, 2009 06:29:33
Records in database: 1988910
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
F:\
G:\
H:\
I:\
J:\

Scan statistics:
Files scanned: 213758
Threat name: 1
Infected objects: 10
Suspicious objects: 0
Duration of the scan: 02:40:29


File name / Threat name / Threats count
C:\Program Files\PandoBar\SrchAstt\1.bin\P4SRCHAS.DLL/C:\Program Files\PandoBar\SrchAstt\1.bin\P4SRCHAS.DLL Infected: not-a-virus:WebToolbar.Win32.MyWebSearch.ek 1
C:\Program Files\Mozilla Firefox\plugins\NPPandBr.dll/C:\Program Files\Mozilla Firefox\plugins\NPPandBr.dll Infected: not-a-virus:WebToolbar.Win32.MyWebSearch.ek 1
C:\Program Files\PandoBar\bar\1.bin\p4Plugin.DLL/C:\Program Files\PandoBar\bar\1.bin\p4Plugin.DLL Infected: not-a-virus:WebToolbar.Win32.MyWebSearch.ek 1
C:\Program Files\PandoBar\bar\1.bin\PANDOBAR.DLL/C:\Program Files\PandoBar\bar\1.bin\PANDOBAR.DLL Infected: not-a-virus:WebToolbar.Win32.MyWebSearch.ek 1
C:\Program Files\Mozilla Firefox\plugins\NPPandBr.dll Infected: not-a-virus:WebToolbar.Win32.MyWebSearch.ek 1
C:\Program Files\PandoBar\bar\1.bin\NPPANDBR.DLL Infected: not-a-virus:WebToolbar.Win32.MyWebSearch.ek 1
C:\Program Files\PandoBar\bar\1.bin\P4HIGHIN.EXE Infected: not-a-virus:WebToolbar.Win32.MyWebSearch.ek 1
C:\Program Files\PandoBar\bar\1.bin\P4PLUGIN.DLL Infected: not-a-virus:WebToolbar.Win32.MyWebSearch.ek 1
C:\Program Files\PandoBar\bar\1.bin\PANDOBAR.DLL Infected: not-a-virus:WebToolbar.Win32.MyWebSearch.ek 1
C:\Program Files\PandoBar\SrchAstt\1.bin\P4SRCHAS.DLL Infected: not-a-virus:WebToolbar.Win32.MyWebSearch.ek 1

The selected area was scanned.
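The report above counts ten "infected objects", but several lines name the same file twice (the scanner writes a container and the object inside it as "A/B"), and every detection carries the "not-a-virus:" prefix Kaspersky uses for potentially unwanted toolbars rather than malware. The Python below is an added example, not code from the thread or from Kaspersky, with function names of my own; it collapses such a report to unique on-disk files per threat name and separates PUP detections from the rest. SAMPLE_REPORT is a constructed excerpt in the report's line format: the MyWebSearch lines are copied from the report above, and the final Trojan line is a made-up placeholder added only to show how a non-PUP detection is classified.

```python
"""Consolidate a Kaspersky Online Scanner 7 report into unique files per threat.

Added example, not code from the thread or from Kaspersky; function names are
mine. SAMPLE_REPORT is a constructed excerpt: the MyWebSearch lines copy the
thread's report, the Trojan line is a placeholder invented for this example.
"""
import re
from collections import defaultdict
from typing import Dict, List, Tuple

ENTRY_RE = re.compile(r"^(?P<obj>.+?) Infected: (?P<threat>\S+) (?P<count>\d+)$")
STAT_RE = re.compile(r"^Infected objects: (\d+)$")

SAMPLE_REPORT = r"""
Scan statistics:
Files scanned: 213758
Threat name: 2
Infected objects: 6
Suspicious objects: 0

File name / Threat name / Threats count
C:\Program Files\PandoBar\SrchAstt\1.bin\P4SRCHAS.DLL/C:\Program Files\PandoBar\SrchAstt\1.bin\P4SRCHAS.DLL Infected: not-a-virus:WebToolbar.Win32.MyWebSearch.ek 1
C:\Program Files\Mozilla Firefox\plugins\NPPandBr.dll/C:\Program Files\Mozilla Firefox\plugins\NPPandBr.dll Infected: not-a-virus:WebToolbar.Win32.MyWebSearch.ek 1
C:\Program Files\Mozilla Firefox\plugins\NPPandBr.dll Infected: not-a-virus:WebToolbar.Win32.MyWebSearch.ek 1
C:\Program Files\PandoBar\bar\1.bin\PANDOBAR.DLL Infected: not-a-virus:WebToolbar.Win32.MyWebSearch.ek 1
C:\Program Files\PandoBar\SrchAstt\1.bin\P4SRCHAS.DLL Infected: not-a-virus:WebToolbar.Win32.MyWebSearch.ek 1
C:\Temp\constructed-sample.exe Infected: Trojan.Win32.ConstructedSample.a 1

The selected area was scanned.
"""


def on_disk_path(obj: str) -> str:
    """The scanner writes container/inner-object as 'A/B'; the file that
    actually exists on disk is 'A' (Windows paths contain no forward slash)."""
    return obj.split("/", 1)[0]


def parse_report(text: str) -> Tuple[int, List[Tuple[str, str]]]:
    """Return (reported infected-object count, [(on-disk path, threat name)])."""
    reported = 0
    entries: List[Tuple[str, str]] = []
    for raw in text.splitlines():
        line = raw.strip()
        s = STAT_RE.match(line)
        if s:
            reported = int(s.group(1))
            continue
        e = ENTRY_RE.match(line)
        if e:
            entries.append((on_disk_path(e.group("obj")), e.group("threat")))
    return reported, entries


def is_pup(threat: str) -> bool:
    """Kaspersky prefixes potentially unwanted programs with 'not-a-virus:'."""
    return threat.lower().startswith("not-a-virus:")


def summarize(text: str) -> Dict[str, List[str]]:
    """Threat name -> sorted unique on-disk files (deduplicated case-insensitively,
    since NTFS paths are case-insensitive)."""
    _, entries = parse_report(text)
    files: Dict[str, Dict[str, str]] = defaultdict(dict)
    for path, threat in entries:
        files[threat].setdefault(path.lower(), path)
    return {threat: sorted(d.values()) for threat, d in files.items()}


def malware_files(text: str) -> List[str]:
    """Only the files whose detection is not a PUP classification."""
    return sorted(p for threat, paths in summarize(text).items()
                  if not is_pup(threat) for p in paths)


if __name__ == "__main__":
    reported, entries = parse_report(SAMPLE_REPORT)
    print(f"reported objects: {reported}, parsed lines: {len(entries)}")
    for threat, paths in summarize(SAMPLE_REPORT).items():
        print(("PUP " if is_pup(threat) else "MAL ") + threat)
        for p in paths:
            print("    " + p)
```

On the constructed sample the six report lines collapse to three toolbar files under one PUP name plus the placeholder Trojan; on the real report above, the same logic reduces ten lines to six files, all from the PandoBar toolbar and its Firefox plugin.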
Old 03-31-2009, 07:45 AM   #10 (permalink)
Moderator, Analyst, Security Team; Rangemaster, TSF Academy
 
Join Date: Oct 2007
Location: Georgia
Posts: 10,623
OS: XP SP3


Re: Generic Rootkit.d!rootkit (Trojan) Infection

Hello again, rbbns. How is your system behaving?

Please uninstall the following via Start->(or My Computer)->Control Panel->Add or Remove Programs if it still exists:

Pando
Pando Toolbar
<<Please read this

------------------------------------------------------

Open Notepad and copy/paste the entire contents of the codebox below into Notepad:

Code:
@echo off
if exist "%temp%\log.txt" del "%temp%\log.txt"

for %%g in (

"C:\Program Files\Mozilla Firefox\plugins\NPPandBr.dll"

) do (
del /a/f/q %%g >nul 2>&1
if exist %%g echo.%%~g>>"%temp%\log.txt"
)

for %%g in (

"C:\Program Files\PandoBar"


) do (
rd /s/q %%g >nul 2>&1
if exist %%g echo.%%~g>>"%temp%\log.txt"
)

if exist "%temp%\log.txt" ( start notepad "%temp%\log.txt"
) else echo.Deleted Successfully !!

pause
del %0
Save this Notepad file as fix.bat and choose to Save as type: - All Files then close the Notepad file.
It should look like this:

Double-click on fix.bat to run it.

Tell me what it says in your next reply. Press any key to continue.

------------------------------------------------------
__________________
Our help is free but please donate

Proud member of ASAP
Proud member of UNITE
Old 03-31-2009, 10:39 AM   #11 (permalink)
Registered User
 
Join Date: Mar 2009
Posts: 11
OS: Vista


Re: Generic Rootkit.d!rootkit (Trojan) Infection

My Kaspersky Scan for Drive C:

Please advise :
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Tuesday, March 31, 2009
Operating System: Microsoft Windows Vista Home Premium Edition, 32-bit Service Pack 1 (build 6001)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Tuesday, March 31, 2009 06:29:33
Records in database: 1988910
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
F:\
G:\
H:\
I:\
J:\

Scan statistics:
Files scanned: 213758
Threat name: 1
Infected objects: 10
Suspicious objects: 0
Duration of the scan: 02:40:29


File name / Threat name / Threats count
C:\Program Files\PandoBar\SrchAstt\1.bin\P4SRCHAS.DLL/C:\Program Files\PandoBar\SrchAstt\1.bin\P4SRCHAS.DLL Infected: not-a-virus:WebToolbar.Win32.MyWebSearch.ek 1
C:\Program Files\Mozilla Firefox\plugins\NPPandBr.dll/C:\Program Files\Mozilla Firefox\plugins\NPPandBr.dll Infected: not-a-virus:WebToolbar.Win32.MyWebSearch.ek 1
C:\Program Files\PandoBar\bar\1.bin\p4Plugin.DLL/C:\Program Files\PandoBar\bar\1.bin\p4Plugin.DLL Infected: not-a-virus:WebToolbar.Win32.MyWebSearch.ek 1
C:\Program Files\PandoBar\bar\1.bin\PANDOBAR.DLL/C:\Program Files\PandoBar\bar\1.bin\PANDOBAR.DLL Infected: not-a-virus:WebToolbar.Win32.MyWebSearch.ek 1
C:\Program Files\Mozilla Firefox\plugins\NPPandBr.dll Infected: not-a-virus:WebToolbar.Win32.MyWebSearch.ek 1
C:\Program Files\PandoBar\bar\1.bin\NPPANDBR.DLL Infected: not-a-virus:WebToolbar.Win32.MyWebSearch.ek 1
C:\Program Files\PandoBar\bar\1.bin\P4HIGHIN.EXE Infected: not-a-virus:WebToolbar.Win32.MyWebSearch.ek 1
C:\Program Files\PandoBar\bar\1.bin\P4PLUGIN.DLL Infected: not-a-virus:WebToolbar.Win32.MyWebSearch.ek 1
C:\Program Files\PandoBar\bar\1.bin\PANDOBAR.DLL Infected: not-a-virus:WebToolbar.Win32.MyWebSearch.ek 1
C:\Program Files\PandoBar\SrchAstt\1.bin\P4SRCHAS.DLL Infected: not-a-virus:WebToolbar.Win32.MyWebSearch.ek 1

The selected area was scanned.
Old 03-31-2009, 10:59 AM   #12 (permalink)
Moderator, Analyst, Security Team; Rangemaster, TSF Academy
 
Join Date: Oct 2007
Location: Georgia
Posts: 10,623
OS: XP SP3


Re: Generic Rootkit.d!rootkit (Trojan) Infection

Not sure why you re-posted your Kaspersky report. My instructions in Post #10 above took care of those.
__________________
Our help is free but please donate

Proud member of ASAP
Proud member of UNITE
Old 03-31-2009, 04:49 PM   #13 (permalink)
Registered User
 
Join Date: Mar 2009
Posts: 11
OS: Vista


Re: Generic Rootkit.d!rootkit (Trojan) Infection

I just had a McAfee popup with this message and to remove the file.

Please advise about this?


McAfee has blocked a potentially unwanted program (PUP) on your computer. If you do not recognize it, we recommend that you remove the program.

About this Potentially Unwanted Program
Name: RemAdm-ProcLaunch!171
Location: C:\Users\Ann\Desktop\ComboFix.exe

Spyware, adware, and other potentially unwanted programs can harm your computer, compromise its security, and damage valuable files.
Old 03-31-2009, 05:26 PM   #14 (permalink)
Registered User
 
Join Date: Mar 2009
Posts: 11
OS: Vista


Re: Generic Rootkit.d!rootkit (Trojan) Infection

It was deleted successfully.

It must have been an oversight on my part to post it twice. I believe I had a lag and must have clicked twice. Am sorry about that.

The computer is running OK. I know that I have had some issues but did not think I had any until the major trojan problem arose which, now I believe, was a file stored on an external for some time. I had transferred data to this computer from a different computer and I have an issue in my Windows file where "restored folder" keeps popping up from someplace. I think that must be a Microsoft issue and I have never pursued fixing it. Sometimes it is hard to find someone who even knows what your issue is because it can be some quirky thing never encountered before. I have deleted both Pando and toolbar, wasn't even using them.

The scans on the externals by Kaspersky didn't have any indications of a pest.

Ann
Old 03-31-2009, 06:10 PM   #15 (permalink)
Moderator, Analyst, Security Team; Rangemaster, TSF Academy
 
Join Date: Oct 2007
Location: Georgia
Posts: 10,623
OS: XP SP3


Re: Generic Rootkit.d!rootkit (Trojan) Infection

Hello again, rbbns.

Quote:
McAfee has blocked a potentially unwanted program (PUP) on your computer.
Sometimes AV scanners flag ComboFix as potentially unwanted because the 'innards' of ComboFix look like malware. Nothing to worry about. Please don't remove it. We need it on your desktop in order for ComboFix to uninstall properly. If you deleted it, you will have to re-download ComboFix to your desktop before uninstalling it.

Not sure about the restored folder problem. You could ask about that in our Windows Vista Support Forum

------------------------------------------------------

Congratulations. Well done! Your logs appear clean. You should be good to go.

Please disable McAfee before uninstalling ComboFix and then re-enable it after doing so.

Go to Start >> Run and Copy/Paste the following single-line command into the Run box and click OK:

combofix /u

This will uninstall ComboFix and delete ComboFix's quarantine folder. It will also implement some cleanup procedures, remove old System Restore Points which contain previous infections, and create a fresh, clean System Restore point.

Please re-enable your antivirus program and any other antispyware programs disabled earlier if you haven't already.

You can safely delete any tools downloaded or any logs, files, and any shortcuts on your desktop that were created during this fix.

------------------------------------------------------

MICROSOFT UPDATES
It is very important that you get all of the critical updates for your Operating System and Internet Explorer. Keeping your OS and browser up to date will help make you less susceptible to attacks by Trojans and viruses. Please go to Microsoft and download all the critical updates to help prevent possible re-infection.

SPYWARE PREVENTION
This is a good time to set up protection against further attacks. In light of your recent problem, I'm sure you'd like to avoid any future infections. Please read these well written articles: To help protect your computer in the future I recommend that you get the following free programs if you do not already have them:
  • SpywareBlaster prevents the installation of ActiveX-based malware, blocks cookies, and restricts the actions of "bad" sites in Internet Explorer. See tutorial here
  • IE-Spyad is another excellent program that places over 5000 dubious websites and domains in the IE Restricted list, which will help prevent attempts to infect your system. It basically prevents any downloads from the sites listed, although you will still be able to connect to the site. See tutorial here
  • MVPS HOSTS FILE replaces your current HOSTS file with one that will restrict known ad sites from serving you unsolicited advertisements. It basically prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is the IP of your local computer. See guide here and for Windows Vista here
  • Spybot - Search & Destroy is an excellent spyware remover and also offers real-time protection against critical registry changes. Don't use the Immunize feature in Spybot if you use SpywareBlaster. See tutorial here
Keep your antivirus program and antispyware programs updated and scan with them on a regular basis.

Please respond to this thread one more time so we can mark this thread as resolved.
__________________
Our help is free but please donate

Proud member of ASAP
Proud member of UNITE
Old 03-31-2009, 07:03 PM   #16 (permalink)
Registered User
 
Join Date: Mar 2009
Posts: 11
OS: Vista


Re: Generic Rootkit.d!rootkit (Trojan) Infection

FYI if not known:


Please Note: the original IE-SPYAD format that used .REG files to load and unload the Restricted Sites list is no longer available and will not be maintained. The same holds true for IE-SPYAD2. Both are replaced by what used to be called IE-SPYAD for ZonedOut. ZonedOut is a free utility that loads and unloads a plain text list of domains into the Restricted sites zone. You can think of ZonedOut as an improved replacement for the .BAT file utility used in the "original" IE-SPYAD. This new version of IE-SPYAD provides the same protection as the old version, but is easier to use and maintain.

Additionally, I have been reluctant to use some of the free scanners because I have found that some have added other little tricks to the package, either on toolbars, or in registry cleaners. I will continue to browse this forum in the hopes of furthering my understanding of maintaining my computer. I appreciate your kind help, and though it will not meet with the value of your service, I will make a donation.
Old 03-31-2009, 08:06 PM   #17 (permalink)
Moderator, Analyst, Security Team; Rangemaster, TSF Academy
 
Join Date: Oct 2007
Location: Georgia
Posts: 10,623
OS: XP SP3


Re: Generic Rootkit.d!rootkit (Trojan) Infection

I have all those programs on my machine and they are all trustworthy.

You're very welcome, rbbns! Glad to have helped.
__________________
Our help is free but please donate

Proud member of ASAP
Proud member of UNITE
 


Copyright 2001 - 2009, Tech Support Forum