Tech Support Forum > Security Center > Virus/Trojan/Spyware Help > Resolved HJT Threads
#1  04-11-2009, 07:33 AM  wind_chariot (Registered User; Join Date: Apr 2009; Posts: 48; OS: Windows Vista SP2)


Search engine redirecting to adware websites, cannot run new antimalware programs

Google search engine is redirecting me to some adware websites. Instead of legitimate adverts from DoubleClick and Google adverts, I am getting adverts for some adult websites and products (in the same place where Google adverts are generally located) on websites like BBC World News and Yahoo News. Once, on the BBC website, the '******' advert was redirecting me to 'youhip.com'. I downloaded SUPERAntiSpyware and Malwarebytes' after I got infected, but it doesn't allow these anti-malware programs to run. I cannot run Spybot as well. It has deleted all my previous restore points. I can use some programs like McAfee Antivirus and Ad-Aware Anniversary Edition, but I cannot use the 'auto update' feature on them. Needless to say, in current conditions, they are not able to recognise the malware.

Here, I am posting DDS log and attaching attach.txt and ark.txt in a zip file as advised.

Please help me.

DDS (Ver_09-03-16.01) - NTFSx86
Run by Owner at 18:13:00.91 on Sat 04/11/2009
Internet Explorer: 8.0.6001.18372 BrowserJavaVersion: 1.6.0_13
Microsoft® Windows Vista™ Home Basic 6.0.6001.1.1252.1.1033.18.2045.938 [GMT 5.5:30]

AV: McAfee VirusScan Enterprise *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\WLTRYSVC.EXE
C:\Windows\System32\bcmwltry.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Novell\Client\XTier\Services\XTSvcMgr.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Dell Network Assistant\hnm_svc.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Program Files\McAfee\Common Framework\naPrdMgr.exe
C:\Program Files\Raxco\PerfectDisk10\PDAgent.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\Windows\system32\STacSV.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\TUProgSt.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\Raxco\PerfectDisk10\PDAgentS1.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\DellTPad\Apoint.exe
C:\Windows\System32\WLTRAY.EXE
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe
C:\Program Files\Dell\MediaDirect\PCMService.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\McAfee\VirusScan Enterprise\shstat.exe
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Windows\System32\nwtray.exe
C:\Program Files\Spyware Terminator\SpywareTerminatorShield.Exe
C:\Program Files\Sigmatel\C-Major Audio\WDM\sttray.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Users\bhushan\AppData\Local\Google\Update\GoogleUpdate.exe
C:\Program Files\DataStudio\PASPortal.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\DellTPad\ApMsgFwd.exe
C:\Program Files\DellTPad\Apntex.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\CPSHelpRunner.exe
C:\Program Files\DellTPad\HidFind.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\Windows\system32\rundll32.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\bhushan\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uSearch Page =
uStart Page = hxxp://www.google.com/
uWindow Title = Internet Explorer provided by Dell
uSearch Bar =
mStart Page = hxxp://www.yahoo.com/?.home=ytie
mDefault_Page_URL = hxxp://www.yahoo.com/?.home=ytie
uSearchURL,(Default) = hxxp://red.clientapps.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
BHO: Octh Class: {000123b4-9b42-4900-b3f7-f4b073efc214} - c:\program files\orbitdownloader\orbitcth.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {0a87e45f-537a-40b4-b812-e2544c21a09f} - SpywareBlock Class
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SearchHelper.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan enterprise\Scriptcl.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_219B3E1547538286.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\dell\bae\BAE.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
BHO: Ask Toolbar BHO: {f0d4b231-da4b-4daf-81e4-dfee4931a4aa} - c:\program files\asksbar\bar\1.bin\ASKSBAR.DLL
TB: &Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
TB: Grab Pro: {c55bbcd6-41ad-48ad-9953-3609c48eacc7} - c:\program files\orbitdownloader\GrabPro.dll
TB: Ask Toolbar: {f0d4b239-da4b-4daf-81e4-dfee4931a4aa} - c:\program files\asksbar\bar\1.bin\ASKSBAR.DLL
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
TB: {8C550565-107B-4FEE-B2CC-9B6B12CE53F6} - No File
TB: {47D66F71-DAC2-439C-836D-18C055AF389C} - No File
TB: {F6387320-2466-42C3-9E7C-6A7BD7BD1F61} - No File
TB: {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - No File
uRun: [ISUSPM] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [Messenger (Yahoo!)] "c:\program files\yahoo!\messenger\YahooMessenger.exe" -quiet
uRun: [AlcoholAutomount] "c:\program files\alcohol soft\alcohol 120\axcmd.exe" /automount
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [Google Update] "c:\users\bhushan\appdata\local\google\update\GoogleUpdate.exe" /c
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [Apoint] c:\program files\delltpad\Apoint.exe
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [RoxWatchTray] "c:\program files\common files\roxio shared\9.0\sharedcom\RoxWatchTray9.exe"
mRun: [PCMService] "c:\program files\dell\mediadirect\PCMService.exe"
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [ShStatEXE] "c:\program files\mcafee\virusscan enterprise\SHSTAT.EXE" /STANDALONE
mRun: [McAfeeUpdaterUI] "c:\program files\mcafee\common framework\UdaterUI.exe" /StartedFromRunKey
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\isuspm.exe -startup
mRun: [NWTRAY] NWTRAY.EXE
mRun: [SpywareTerminator] "c:\program files\spyware terminator\SpywareTerminatorShield.exe"
mRun: [SigmatelSysTrayApp] c:\program files\sigmatel\c-major audio\wdm\sttray.exe
mRun: [NvSvc] RUNDLL32.EXE c:\windows\system32\nvsvc.dll,nvsvcStart
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [NVHotkey] rundll32.exe c:\windows\system32\nvHotkey.dll,Start
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [VirtualCloneDrive] "c:\program files\elaborate bytes\virtualclonedrive\VCDDaemon.exe" /s
mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\paspor~1.lnk - c:\windows\installer\{b70103ef-9e31-4878-a6ab-e77cac7d9ca7}\NewShortcut1.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\quickset.lnk - c:\windows\installer\{7f0c4457-8e64-491b-8d7b-991504365d1e}\NewShortcut2_53A01CC614B04512A2E710D39BF83DC4.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\vpncli~1.lnk - c:\windows\installer\{14fcfe7c-ab86-428a-9d2e-bfb6f5a7aa6e}\Icon3E5562ED7.ico
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: &Download by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/201
IE: &Grab video by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/204
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Do&wnload selected by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/203
IE: Down&load all by Orbit - c:\program files\orbitdownloader\orbitmxt.dll/202
IE: Download &Flash Movies - c:\program files\flash2x\flash hunter\save.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {5699BDDB-A771-4E54-ACBB-BE86921D7892} - {5699BDDB-A771-4E54-ACBB-BE86921D7892}
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: 2adultflashgames.com\www
Trusted Zone: 56.com\www
Trusted Zone: forumflicks.com\www
Trusted Zone: funny-games.biz\www
Trusted Zone: mysexgames.com\www
Trusted Zone: usagreetings.com\www
Trusted Zone: voyeurweb.com\video
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
TCP: NameServer = 85.255.112.96,85.255.112.11
TCP: {2F43782C-203E-43C3-8D2A-C0295990D6FD} = 85.255.112.96,85.255.112.11
TCP: {BAEB3BD3-2EA9-483B-ACB2-7CBDF3988084} = 85.255.112.96,85.255.112.11
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\logitech\desktop messenger\8876480\program\GAPlugProtocol-8876480.dll
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
AppInit_DLLs: c:\progra~1\google\google~2\GOEC62~1.DLL
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
LSA: Authentication Packages = msv1_0 ncv1_0

================= FIREFOX ===================

FF - ProfilePath - c:\users\bhushan\appdata\roaming\mozilla\firefox\profiles\a47o6zyz.default\
FF - prefs.js: browser.startup.homepage - www.google.com
FF - plugin: c:\program files\google\google earth plugin\npgeplugin.dll
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\google\update\1.2.133.37\npGoogleOneClick7.dll
FF - plugin: c:\program files\google\update\1.2.141.5\npGoogleOneClick7.dll
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPAskSBr.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - plugin: c:\users\bhushan\appdata\local\google\update\1.2.141.5\npGoogleOneClick7.dll

---- FIREFOX POLICIES ----
FF - user.js: network.http.max-connections-per-server - 6
FF - user.js: network.http.max-persistent-connections-per-server - 3
FF - user.js: nglayout.initialpaint.delay - 750
FF - user.js: content.notify.interval - 750000
FF - user.js: content.max.tokenizing.time - 2250000

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-4-9 64160]
R1 sp_rsdrv2;Spyware Terminator Driver 2;c:\windows\system32\drivers\sp_rsdrv2.sys [2008-5-26 141312]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-3-10 951632]
R2 NCFSD;Novell Client File System Redirector;c:\program files\novell\client\xtier\drivers\ncfsd.sys [2008-7-10 80400]
R2 NCIOCTL;Novell Xplat IoCtl Driver;c:\program files\novell\client\xtier\drivers\ncioctl.sys [2008-7-10 41488]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2008-2-11 810320]
R2 SeaPort;SeaPort;c:\program files\microsoft\search enhancement pack\seaport\SeaPort.exe [2009-1-14 226656]
R2 TuneUp.ProgramStatisticsSvc;TuneUp Program Statistics Service;c:\windows\system32\TUProgSt.exe [2009-4-1 603904]
R2 XTSvcMgr;Novell XTier Service Manager;c:\program files\novell\client\xtier\services\xtsvcmgr.exe [2007-8-16 16656]
R3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2007-8-16 179712]
S2 gupdate1c985d1db8f2b1c;Google Update Service (gupdate1c985d1db8f2b1c);c:\program files\google\update\GoogleUpdate.exe [2009-2-3 133104]
S3 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr.sys [2009-3-24 55280]
S3 fsssvc;Windows Live Family Safety;c:\program files\windows live\family safety\fsssvc.exe [2009-2-6 533360]
S3 GoogleDesktopManager-110408-113106;Google Desktop Manager 5.8.811.4345;c:\program files\google\google desktop search\GoogleDesktop.exe [2007-8-16 30192]

=============== Created Last 30 ================

2009-04-11 15:16 <DIR> --d----- c:\program files\Trend Micro
2009-04-10 21:43 4,224 a------- c:\windows\system32\dllcache\beep.sys
2009-04-10 21:43 <DIR> --d----- c:\windows\system32\dllcache
2009-04-10 21:43 16,384 a------- c:\windows\system32\tskill.exe
2009-04-10 21:43 <DIR> --d----- c:\program files\Remove-it
2009-04-10 21:13 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-04-10 21:13 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-10 21:13 <DIR> --d----- c:\programdata\Malwarebytes
2009-04-10 21:13 <DIR> --d----- c:\progra~2\Malwarebytes
2009-04-10 21:13 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-04-10 20:54 204,868,845 a------- c:\windows\MEMORY.DMP
2009-04-10 20:53 <DIR> --d----- c:\users\bhushan\appdata\roaming\SUPERAntiSpyware.com
2009-04-10 20:53 <DIR> --d----- c:\program files\sas
2009-04-10 15:24 32,768 a------- c:\windows\VMZoom.exe
2009-04-10 15:24 24,576 a------- c:\windows\VMPipe.dll
2009-04-10 15:24 389,788 a------- c:\windows\system32\drivers\usbVM303.sys
2009-04-10 15:24 192,576 a------- c:\windows\system32\VM303Prp.Ax
2009-04-10 15:24 102,400 a------- c:\windows\VM303Cap.exe
2009-04-10 15:24 81,920 a------- c:\windows\system32\VM303Sti.dll
2009-04-10 15:24 61,440 a------- c:\windows\VM303_STI.exe
2009-04-10 15:24 53,248 a------- c:\windows\Sti303.exe
2009-04-10 15:24 <DIR> --d----- c:\windows\EffectResources
2009-04-10 15:24 <DIR> --d----- c:\windows\CatRoot
2009-04-10 15:24 <DIR> --d----- c:\program files\Vimicro
2009-04-09 20:12 15,688 a------- c:\windows\system32\lsdelete.exe
2009-04-09 18:40 64,160 a------- c:\windows\system32\drivers\Lbd.sys
2009-04-09 18:37 <DIR> -cd-h--- c:\programdata\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-04-09 18:37 <DIR> -cd-h--- c:\progra~2\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-04-09 18:37 <DIR> --d----- c:\programdata\Lavasoft
2009-04-06 09:46 <DIR> --d----- c:\program files\VideoLAN
2009-04-01 22:59 <DIR> --d----- c:\programdata\Raxco
2009-04-01 22:57 <DIR> --d----- c:\program files\Raxco
2009-04-01 20:04 603,904 a------- c:\windows\system32\TUProgSt.exe
2009-04-01 20:04 27,904 a------- c:\windows\system32\uxtuneup.dll
2009-04-01 20:04 17,152 a------- c:\windows\system32\authuitu.dll
2009-04-01 20:04 360,192 a------- c:\windows\system32\TuneUpDefragService.exe
2009-04-01 20:03 <DIR> --d----- c:\users\bhushan\appdata\roaming\TuneUp Software
2009-04-01 20:03 <DIR> --d----- c:\program files\TuneUp Utilities 2009
2009-04-01 20:03 <DIR> --d----- c:\programdata\TuneUp Software
2009-04-01 20:03 <DIR> --d----- c:\progra~2\TuneUp Software
2009-04-01 20:02 <DIR> --dsh--- c:\programdata\{55A29068-F2CE-456C-9148-C869879E2357}
2009-04-01 20:02 <DIR> --dsh--- c:\progra~2\{55A29068-F2CE-456C-9148-C869879E2357}
2009-03-31 15:18 0 a------- c:\windows\PowerReg.dat
2009-03-31 15:17 <DIR> --d----- c:\program files\Infogrames Interactive
2009-03-31 15:13 <DIR> --d----- c:\program files\Elaborate Bytes
2009-03-24 17:41 83,968 a------- c:\windows\system32\drivers\bidpxtjwvtnqrwya.sys
2009-03-24 14:52 <DIR> --d----- c:\users\bhushan\appdata\roaming\Windows Live Writer
2009-03-24 01:39 <DIR> --d----- c:\users\bhushan\Tracing
2009-03-24 01:37 <DIR> --d----- c:\program files\Microsoft Office Outlook Connector
2009-03-24 01:37 55,280 a------- c:\windows\system32\drivers\fssfltr.sys
2009-03-24 01:33 <DIR> --d----- c:\program files\Microsoft SQL Server Compact Edition
2009-03-24 01:30 <DIR> --d----- c:\program files\Windows Live SkyDrive
2009-03-18 13:15 <DIR> --d----- c:\program files\common files\Windows Live
2009-03-15 17:24 0 a---h--- c:\windows\system32\drivers\Msft_User_WpdFs_01_00_00.Wdf
2009-03-13 10:22 <DIR> --d----- c:\program files\Muziic
2009-03-12 21:00 142,504 a------- c:\windows\system32\ElbyVCD.dll
2009-03-12 19:25 <DIR> --d----- c:\program files\Wisdom-soft ScreenHunter 5 Free

==================== Find3M ====================

2009-04-11 17:20 54,503 a------- c:\users\bhushan\appdata\roaming\nvModes.dat
2009-04-10 15:42 143,360 a------- c:\windows\inf\infstrng.dat
2009-04-10 15:42 86,016 a------- c:\windows\inf\infstor.dat
2009-04-10 15:42 51,200 a------- c:\windows\inf\infpub.dat
2009-04-06 21:10 22,328 a------- c:\users\bhushan\appdata\roaming\PnkBstrK.sys
2009-03-09 05:19 410,984 a------- c:\windows\system32\deploytk.dll
2009-03-02 17:11 29,184 a------- c:\windows\system32\drivers\VClone.sys
2009-02-23 15:59 231,176 a------- c:\windows\system32\PDBoot.exe
2009-02-17 22:41 24,232 a------- c:\windows\system32\drivers\ElbyCDIO.sys
2009-02-17 19:03 89,256 a------- c:\windows\system32\ElbyCDIO.dll
2009-02-09 08:40 2,033,152 a------- c:\windows\system32\win32k.sys
2009-02-06 19:03 307,576 a------- c:\windows\WLXPGSS.SCR
2009-02-06 18:52 49,504 a------- c:\windows\system32\sirenacm.dll
2009-01-27 14:13 262,144 a------- c:\windows\system32\gfbaksm.dat
2009-01-15 15:35 911,872 a------- c:\windows\system32\wininet.dll
2009-01-15 15:35 43,008 a------- c:\windows\system32\licmgr10.dll
2009-01-15 15:34 18,944 a------- c:\windows\system32\corpol.dll
2009-01-15 15:34 109,056 a------- c:\windows\system32\iesysprep.dll
2009-01-15 15:34 132,096 a------- c:\windows\system32\ieUnatt.exe
2009-01-15 15:34 109,568 a------- c:\windows\system32\PDMSetup.exe
2009-01-15 15:34 107,520 a------- c:\windows\system32\RegisterIEPKEYs.exe
2009-01-15 15:34 107,008 a------- c:\windows\system32\SetIEInstalledDate.exe
2009-01-15 15:34 103,936 a------- c:\windows\system32\SetDepNx.exe
2009-01-15 15:33 420,352 a------- c:\windows\system32\vbscript.dll
2009-01-15 15:33 72,704 a------- c:\windows\system32\admparse.dll
2009-01-15 15:33 71,680 a------- c:\windows\system32\iesetup.dll
2009-01-15 15:33 66,560 a------- c:\windows\system32\wextract.exe
2009-01-15 15:32 169,472 a------- c:\windows\system32\iexpress.exe
2009-01-15 15:31 34,304 a------- c:\windows\system32\imgutil.dll
2009-01-15 15:30 48,128 a------- c:\windows\system32\mshtmler.dll
2009-01-15 15:30 45,568 a------- c:\windows\system32\mshta.exe
2009-01-15 15:20 156,160 a------- c:\windows\system32\msls31.dll
2008-12-04 04:14 174 a--sh--- c:\program files\desktop.ini
2008-12-04 03:57 665,600 a------- c:\windows\inf\drvindex.dat
2007-08-22 08:04 0 a------- c:\users\bhushan\appdata\roaming\wklnhst.dat
2006-11-02 18:09 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 18:09 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 18:09 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 18:09 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 14:50 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 14:50 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 14:50 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 14:50 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat
2007-08-31 04:06 16,384 a--sh--- c:\windows\serviceprofiles\localservice\appdata\local\microsoft\windows\history\history.ie5\index.dat
2007-08-31 04:06 32,768 a--sh--- c:\windows\serviceprofiles\localservice\appdata\local\microsoft\windows\temporary internet files\content.ie5\index.dat
2007-08-31 04:06 16,384 a--sh--- c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\windows\cookies\index.dat

============= FINISH: 18:14:30.92 ===============
Attached Files: Attach.zip (6.3 KB)

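Three things in the DDS log above stand out to a reader doing triage: both TCP: lines set the resolvers to 85.255.112.96 and 85.255.112.11 rather than the router or ISP; the Trusted Zone holds a list of adult-game and video sites, each of which runs with IE's relaxed Trusted-sites settings; and a driver with a random-looking name, c:\windows\system32\drivers\bidpxtjwvtnqrwya.sys, was created on 2009-03-24. The script below is an added example, not part of the thread and not a DDS or TSF tool: it runs those three checks over a few lines copied from the log (a constructed sample, with one benign driver line for contrast). The resolver allowlist, the 85.255.112.0/20 rogue range (the block publicly reported as the DNSChanger rogue DNS servers, which this thread does not mention) and the random-name heuristic are the example's own assumptions; the heuristic is written generally enough to also catch the longer gaopdx-prefixed driver and DLL names that appear in the ComboFix log later in the thread.

```python
"""Triage checks over DDS 'Pseudo HJT Report' and file-list lines.

Added example for this thread (not a TSF or DDS script). The indicator lines
are taken from the posted log; the resolver allowlist, the rogue range and
the random-name heuristic are this example's own assumptions.
"""
import ipaddress
import re

# Constructed sample: lines copied from the DDS log in post #1, plus
# fssfltr.sys and mbamswissarmy.sys as benign drivers for contrast.
SAMPLE_LOG = r"""
TCP: NameServer = 85.255.112.96,85.255.112.11
TCP: {2F43782C-203E-43C3-8D2A-C0295990D6FD} = 85.255.112.96,85.255.112.11
Trusted Zone: 2adultflashgames.com\www
Trusted Zone: voyeurweb.com\video
2009-03-24 17:41 83,968 a------- c:\windows\system32\drivers\bidpxtjwvtnqrwya.sys
2009-03-24 01:37 55,280 a------- c:\windows\system32\drivers\fssfltr.sys
2009-04-10 21:13 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
"""

# Assumption: resolvers a DHCP home laptop is expected to use (its router
# or an RFC 1918 address handed out by the ISP box). Anything else is a
# finding on its own, rogue range or not.
EXPECTED_RESOLVERS = {ipaddress.ip_network("192.168.0.0/16"),
                      ipaddress.ip_network("10.0.0.0/8")}

# External knowledge, not stated in the thread: 85.255.112.0/20 is the block
# publicly reported as the DNSChanger rogue resolvers.
KNOWN_ROGUE_RESOLVERS = {ipaddress.ip_network("85.255.112.0/20")}

TCP_LINE = re.compile(r"^TCP:\s+(?P<key>\S+)\s*=\s*(?P<servers>[\d.,\s]+)$")
# DDS file lines: date, time, byte size, attribute flags, path.
FILE_LINE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}\s+[\d,]+\s+\S+\s+(?P<path>.+)$")
VOWELS = set("aeiou")


def _in_any(ip, networks):
    return any(ip in net for net in networks)


def check_resolvers(log):
    """Return (key, ip, verdict) for every DNS server on a TCP: line."""
    findings = []
    for line in log.splitlines():
        m = TCP_LINE.match(line.strip())
        if not m:
            continue
        for raw in m.group("servers").split(","):
            raw = raw.strip()
            if not raw:
                continue
            ip = ipaddress.ip_address(raw)
            if _in_any(ip, KNOWN_ROGUE_RESOLVERS):
                verdict = "known-rogue"
            elif _in_any(ip, EXPECTED_RESOLVERS):
                verdict = "expected"
            else:
                verdict = "unexpected"
            findings.append((m.group("key"), raw, verdict))
    return findings


def check_trusted_zone(log):
    """List every Trusted Zone entry; each one weakens IE security for that site."""
    return [line.split(":", 1)[1].strip() for line in log.splitlines()
            if line.strip().startswith("Trusted Zone:")]


def looks_random(stem):
    """Heuristic for machine-generated names such as bidpxtjwvtnqrwya:
    a long run of lowercase letters with few vowels, or any run of 20+
    letters, is rare in vendor-shipped driver names."""
    if not (stem.isalpha() and stem.islower()):
        return False
    if len(stem) >= 20:
        return True
    vowel_ratio = sum(c in VOWELS for c in stem) / len(stem)
    return len(stem) >= 12 and vowel_ratio < 0.2


def check_drivers(log):
    """Return paths of .sys files whose base name looks random."""
    hits = []
    for line in log.splitlines():
        m = FILE_LINE.match(line.strip())
        if not m:
            continue
        path = m.group("path")
        base = path.rsplit("\\", 1)[-1]
        stem, _, ext = base.rpartition(".")
        if ext.lower() == "sys" and looks_random(stem):
            hits.append(path)
    return hits


def triage(log):
    """Run all three checks and return them keyed by section."""
    return {"resolvers": check_resolvers(log),
            "trusted_zone": check_trusted_zone(log),
            "random_drivers": check_drivers(log)}


if __name__ == "__main__":
    for section, items in triage(SAMPLE_LOG).items():
        print(section)
        for item in items:
            print("   ", item)
```

Run as-is it prints the findings for the sample; pass any DDS log text to triage() to reuse it. The resolver check is the one a helper would act on first: on a DHCP laptop a resolver outside the expected set is a finding whether or not it falls in a known-rogue range, and it is the kind of setting that survives a file-level cleanup unless it is reset explicitly.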
#2  04-12-2009, 02:43 PM  chemist (Moderator, Analyst, Security Team; Rangemaster, TSF Academy; Join Date: Oct 2007; Location: Georgia; Posts: 10,580; OS: XP SP3)


Re: Search engine redirecting to adware websites, cannot run new antimalware programs

Hello and Welcome to TSF.

Please Subscribe to this Thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant notification by email, then click Add Subscription.

Please note that the forum is very busy and if I don't hear from you within three days this thread will be closed.

------------------------------------------------------

One or more of the identified infections is a backdoor trojan.

This type of infection allows hackers to remotely control your computer, log keystrokes, steal critical system information, and download and execute files without your knowledge.

If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Please read this: How Do I Handle Possible Identify Theft, Internet Fraud, and CC Fraud?

------------------------------------------------------

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Please stay with me until given the 'all clear' even if symptoms seemingly abate.

Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by a helper.

------------------------------------------------------

While Spybot's TeaTimer is an excellent tool for the prevention of spyware, it can sometimes prevent tools from fixing certain things.
Please disable TeaTimer for now until you are clean. TeaTimer can be re-activated once your logs are clean.
  • Open Spybot Search & Destroy.
  • In the Mode menu click "Advanced mode" if not already selected.
  • Choose "Yes" at the Warning prompt.
  • Expand the "Tools" menu.
  • Click "Resident".
  • Uncheck the "Resident "TeaTimer" (Protection of overall system settings) active." box.
  • If TeaTimer gives you a warning that changes were made, click the "Allow Change" box when prompted.
  • In the File menu click "Exit" to exit Spybot Search & Destroy.
------------------------------------------------------

Please follow the instructions at the bottom of this page for resetting TeaTimer:

http://forums.spybot.info/showthread.php?t=3177

DO NOT follow the very last instruction to restart TeaTimer! We will do that when you are clean.

------------------------------------------------------

If for some reason during these fixes you receive prompts from Spybot about whether to Allow or Deny any changes, please Allow them all.

------------------------------------------------------

Please visit this webpage for download links, and instructions for running ComboFix:

http://www.bleepingcomputer.com/comb...o-use-combofix

* Ensure you have disabled all antivirus and antimalware programs so they do not interfere with the running of ComboFix.

Get help here

Please post the C:\ComboFix.txt in your next reply for further review.

------------------------------------------------------
__________________
Our help is free but please donate
Proud member of ASAP
Proud member of UNITE
#3  04-12-2009, 10:58 PM  wind_chariot (Registered User; Join Date: Apr 2009; Posts: 48; OS: Windows Vista SP2)


Re: Search engine redirecting to adware websites, cannot run new antimalware programs

Hello.

Thank you for the reply.

As I have mentioned, I am not able to open or run Spybot S&D, Malwarebytes' and SUPERAntiSpyware. For example, whenever I open Spybot, it says 'Spybot - Search & Destroy has stopped working'. It has happened since I found that my computer is infected. Something is not allowing it to run. So, I am not able to deactivate 'TeaTimer' as I cannot even open the Spybot program.

I am able to run Ad-Aware Anniversary Edition, Spyware Terminator, and McAfee Antivirus though. Ad-Aware and Spyware Terminator are not able to perform 'online update'. So far, none of these programs have identified anything.

What should I do? Should I run ComboFix without deactivating TeaTimer?
#4  04-13-2009, 06:05 AM  chemist (Moderator, Analyst, Security Team; Rangemaster, TSF Academy; Join Date: Oct 2007; Location: Georgia; Posts: 10,580; OS: XP SP3)


Re: Search engine redirecting to adware websites, cannot run new antimalware programs

Try uninstalling Spybot. You can reinstall it when you are clean. If you still have trouble, run ComboFix in Safe Mode.
#5  04-13-2009, 12:33 PM  wind_chariot (Registered User; Join Date: Apr 2009; Posts: 48; OS: Windows Vista SP2)


Re: Search engine redirecting to adware websites, cannot run new antimalware programs

Ok. I have uninstalled spybot. After that, I ran ComboFix as guided by the link you sent. I am posting the long below. But, after running it, I was not able to connect to the internet. I restarted my computer several times. I tried to repair the connection several times as suggested. Nothing worked. That's why, I had to use system restore point to get my connection back. After restoring my computer to original state, i got my connection back.

FYI, this thing happened before. I managed to download Malwarebytes' by renaming it while downloading, installing and running it. It worked fine after that. I found 27 infections in total. I removed all of them as suggested by software. But, after that I lost my connection. After repairing and restarting several times, I couldn't get my connection back. So, on that occasion I had to use system restore point to get back to previous state. At that time too I got my connection back after restoring. If you want, I can post the log file I got from Malwarebytes'.

So, I guess I am removing a file or files which are infected and they are causing me to lose my internet connection. What should I do now?

This is the log file from ComboFix. As I have mentioned above, after using ComboFix, I had to use system restore. So, everything removed by ComboFix is back in my computer right now. It is as infected as it was before using ComboFix.


ComboFix 09-04-13.A2 - owner 2009-04-13 22:10.1 - NTFSx86
Microsoft® Windows Vista™ Home Basic 6.0.6001.1.1252.1.1033.18.2045.1057 [GMT 5.5:30]
Running from: c:\users\bhushan\Desktop\ComboFix.exe
AV: McAfee VirusScan Enterprise *On-access scanning disabled* (Updated)
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\drivers\gaopdxxbyrupumrpvnywbwonteqokctxiqijdf.sys
c:\windows\system32\gaopdxuxbxmcquiimpfmarfibxwcrpeqjxgufq.dll
c:\windows\system32\MabryObj.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_gaopdxserv.sys
-------\Legacy_PACKET
-------\Service_Packet


((((((((((((((((((((((((( Files Created from 2009-03-13 to 2009-04-13 )))))))))))))))))))))))))))))))
.

2009-04-13 11:51 . 2009-04-13 16:38 4 ----a-w c:\windows\system32\gaopdxcounter
2009-04-13 10:08 . 2009-04-06 10:02 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-13 10:08 . 2009-04-06 10:02 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-13 10:08 . 2009-04-13 10:08 -------- d-----w c:\users\All Users\Malwarebytes(10)
2009-04-13 10:08 . 2009-04-13 10:08 -------- d-----w c:\programdata\Malwarebytes(10)
2009-04-13 09:46 . 2009-04-14 02:02 -------- d-----w c:\users\All Users\Malwarebytes
2009-04-13 09:46 . 2009-04-14 02:02 -------- d-----w c:\programdata\Malwarebytes
2009-04-10 16:13 . 2009-04-10 16:13 -------- d-----w c:\windows\system32\dllcache
2009-04-10 16:13 . 2004-08-10 19:00 4224 ----a-w c:\windows\system32\dllcache\beep.sys
2009-04-10 16:13 . 2004-08-10 19:00 16384 ----a-w c:\windows\system32\tskill.exe
2009-04-10 15:24 . 2009-04-12 07:14 150080685 ----a-w c:\windows\MEMORY.DMP
2009-04-10 09:54 . 2005-05-18 05:25 32768 ----a-w c:\windows\VMZoom.exe
2009-04-10 09:54 . 2005-05-18 05:24 24576 ----a-w c:\windows\VMPipe.dll
2009-04-10 09:54 . 2009-04-10 11:44 -------- d-----w c:\windows\CatRoot
2009-04-10 09:54 . 2009-04-10 09:54 -------- d-----w c:\windows\EffectResources
2009-04-10 09:54 . 2005-07-14 11:56 192576 ----a-w c:\windows\system32\VM303Prp.Ax
2009-04-10 09:54 . 2005-07-14 07:29 389788 ----a-w c:\windows\system32\drivers\usbVM303.sys
2009-04-10 09:54 . 2005-06-23 05:43 61440 ----a-w c:\windows\VM303_STI.exe
2009-04-10 09:54 . 2005-05-02 11:15 53248 ----a-w c:\windows\Sti303.exe
2009-04-10 09:54 . 2005-04-30 13:16 81920 ----a-w c:\windows\system32\VM303Sti.dll
2009-04-10 09:54 . 2005-04-30 13:16 102400 ----a-w c:\windows\VM303Cap.exe
2009-04-09 14:42 . 2009-03-09 19:06 15688 ----a-w c:\windows\system32\lsdelete.exe
2009-04-09 13:10 . 2009-03-09 19:06 64160 ----a-w c:\windows\system32\drivers\Lbd.sys
2009-04-09 13:07 . 2009-04-09 13:07 -------- dc-h--w c:\users\All Users\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-04-09 13:07 . 2009-04-09 13:07 -------- dc-h--w c:\programdata\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-04-09 13:07 . 2009-04-09 13:10 -------- d-----w c:\users\All Users\Lavasoft
2009-04-09 13:07 . 2009-04-09 13:10 -------- d-----w c:\programdata\Lavasoft
2009-04-01 17:29 . 2009-04-01 17:29 -------- d-----w c:\users\All Users\Raxco
2009-04-01 17:29 . 2009-04-01 17:29 -------- d-----w c:\programdata\Raxco
2009-04-01 14:34 . 2009-04-01 14:34 603904 ----a-w c:\windows\system32\TUProgSt.exe
2009-04-01 14:34 . 2008-12-11 08:01 17152 ----a-w c:\windows\system32\authuitu.dll
2009-04-01 14:34 . 2008-12-11 08:01 27904 ----a-w c:\windows\system32\uxtuneup.dll
2009-04-01 14:34 . 2009-04-01 14:34 360192 ----a-w c:\windows\system32\TuneUpDefragService.exe
2009-04-01 14:33 . 2009-04-01 14:33 -------- d-----w c:\users\All Users\TuneUp Software
2009-04-01 14:33 . 2009-04-01 14:33 -------- d-----w c:\programdata\TuneUp Software
2009-04-01 14:32 . 2009-04-01 14:32 -------- d-sh--w c:\users\All Users\{55A29068-F2CE-456C-9148-C869879E2357}
2009-04-01 14:32 . 2009-04-01 14:32 -------- d-sh--w c:\programdata\{55A29068-F2CE-456C-9148-C869879E2357}
2009-03-31 09:48 . 2009-03-31 09:48 0 ----a-w c:\windows\PowerReg.dat
2009-03-24 12:11 . 2009-03-24 12:11 83968 ----a-w c:\windows\system32\drivers\bidpxtjwvtnqrwya.sys
2009-03-24 09:22 . 2009-03-24 09:22 -------- d-----w c:\users\bhushan\AppData\Local\Windows Live Writer
2009-03-23 20:09 . 2009-04-13 16:30 -------- d-----w c:\users\bhushan\Tracing
2009-03-23 20:07 . 2009-04-09 13:10 -------- dc----w c:\windows\system32\DRVSTORE
2009-03-23 20:07 . 2009-02-06 12:38 55280 ----a-w c:\windows\system32\drivers\fssfltr.sys
2009-03-15 11:54 . 2009-03-15 11:54 0 ---ha-w c:\windows\system32\drivers\Msft_User_WpdFs_01_00_00.Wdf

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-14 02:03 . 2009-04-13 09:46 -------- d-----w c:\program files\MBblah
2009-04-13 17:11 . 2007-08-20 20:35 32768 --sha-w c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
2009-04-13 17:11 . 2007-08-20 20:35 32768 --sha-w c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
2009-04-13 17:11 . 2007-08-20 20:35 65536 --sha-w c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
2009-04-13 17:11 . 2009-04-13 17:11 2048 --sha-w c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
2009-04-13 17:11 . 2009-04-13 17:11 2048 --sha-w c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
2009-04-13 17:10 . 2009-04-09 14:54 7319 ----a-w C:\aaw7boot.log
2009-04-13 13:03 . 2007-08-21 18:10 -------- d-----w c:\programdata\Spybot - Search & Destroy
2009-04-13 13:03 . 2007-08-21 18:10 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-04-13 11:48 . 2009-01-22 12:01 32768 --sha-w c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\index.dat
2009-04-13 11:48 . 2009-01-22 12:01 16384 --sha-w c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\Low\index.dat
2009-04-13 11:48 . 2009-01-22 12:01 16384 --sha-w c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.dat
2009-04-13 11:24 . 2009-04-13 10:08 -------- d-----w c:\program files\Mbblah(6)
2009-04-13 09:42 . 2009-02-21 07:30 -------- d-----w c:\program files\FrostWire
2009-04-12 19:04 . 2008-04-24 05:07 -------- d-----w c:\programdata\Google Updater
2009-04-11 15:22 . 2007-08-22 01:30 -------- d-----w c:\program files\Logitech
2009-04-11 09:46 . 2009-04-11 09:46 -------- d-----w c:\program files\Trend Micro
2009-04-10 16:13 . 2009-04-10 16:13 -------- d-----w c:\program files\Remove-it
2009-04-10 16:03 . 2009-04-10 16:02 32768 --sha-w c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012009041020090411\index.dat
2009-04-10 15:46 . 2009-01-28 11:37 32768 --sha-w c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat
2009-04-10 15:36 . 2009-04-10 15:23 -------- d-----w c:\program files\sas
2009-04-10 15:18 . 2007-09-27 19:04 -------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-04-10 11:44 . 2009-04-10 09:54 -------- d-----w c:\program files\Vimicro
2009-04-10 10:12 . 2006-11-02 10:25 86016 ----a-w c:\windows\Inf\infstor.dat
2009-04-10 10:12 . 2006-11-02 10:25 51200 ----a-w c:\windows\Inf\infpub.dat
2009-04-10 10:12 . 2006-11-02 10:25 143360 ----a-w c:\windows\Inf\infstrng.dat
2009-04-10 10:10 . 2007-08-16 03:57 -------- d--h--w c:\program files\InstallShield Installation Information
2009-04-09 13:07 . 2007-08-21 17:57 -------- d-----w c:\program files\Lavasoft
2009-04-06 15:32 . 2009-03-12 12:15 -------- d-----w c:\program files\Ubisoft
2009-04-06 04:16 . 2009-04-06 04:16 -------- d-----w c:\program files\VideoLAN
2009-04-05 05:43 . 2007-08-16 04:06 -------- d-----w c:\program files\Google
2009-04-02 15:08 . 2009-02-27 15:20 -------- d-----w c:\program files\Electronic Arts
2009-04-02 15:05 . 2008-06-22 17:16 -------- d-----w c:\programdata\Electronic Arts
2009-04-01 17:29 . 2009-04-01 17:27 -------- d-----w c:\program files\Raxco
2009-04-01 14:33 . 2009-04-01 14:33 -------- d-----w c:\program files\TuneUp Utilities 2009
2009-03-31 09:47 . 2009-03-31 09:47 -------- d-----w c:\program files\Infogrames Interactive
2009-03-31 09:43 . 2009-03-31 09:43 -------- d-----w c:\program files\Elaborate Bytes
2009-03-30 05:05 . 2007-08-21 21:51 7592 ----a-w c:\users\bhushan\AppData\Local\d3d9caps.dat
2009-03-25 05:50 . 2007-08-16 03:55 -------- d-----w c:\program files\Java
2009-03-23 20:07 . 2009-03-23 20:07 -------- d-----w c:\program files\Microsoft Office Outlook Connector
2009-03-23 20:07 . 2008-12-16 19:07 -------- d-----w c:\program files\Windows Live
2009-03-23 20:05 . 2009-03-23 20:05 -------- d-----w c:\program files\Microsoft Sync Framework
2009-03-23 20:03 . 2009-03-23 20:03 -------- d-----w c:\program files\Microsoft SQL Server Compact Edition
2009-03-23 20:00 . 2009-01-21 21:49 -------- d-----w c:\program files\Microsoft
2009-03-23 20:00 . 2009-03-23 20:00 -------- d-----w c:\program files\Windows Live SkyDrive
2009-03-18 07:45 . 2009-03-18 07:45 -------- d-----w c:\program files\Common Files\Windows Live
2009-03-13 04:52 . 2009-03-13 04:52 -------- d-----w c:\program files\Muziic
2009-03-12 15:30 . 2009-03-12 15:30 142504 ----a-w c:\windows\System32\ElbyVCD.dll
2009-03-12 13:55 . 2009-03-12 13:55 -------- d-----w c:\program files\Wisdom-soft ScreenHunter 5 Free
2009-03-12 12:20 . 2009-03-12 12:20 -------- d-----w c:\programdata\Media Center Programs
2009-03-11 07:42 . 2006-11-02 11:18 -------- d-----w c:\program files\Windows Mail
2009-03-11 05:31 . 2007-08-21 19:04 -------- d-----w c:\programdata\Microsoft Help
2009-03-08 23:49 . 2009-01-02 15:21 410984 ----a-w c:\windows\System32\deploytk.dll
2009-03-07 09:27 . 2009-03-07 09:27 -------- d-----w c:\program files\FreeGamePick.com
2009-03-02 11:41 . 2009-03-02 11:41 29184 ----a-w c:\windows\system32\drivers\VClone.sys
2009-03-02 07:04 . 2009-03-02 07:04 -------- d-----w c:\program files\Any Video Converter
2009-03-02 06:21 . 2009-03-02 06:21 -------- d-----w c:\documents and settings\ReleaseEngineer.MACROVISION\Application Data\Media Player Classic
2009-03-02 06:00 . 2009-03-02 06:00 -------- d-----w c:\program files\AML Products
2009-02-27 15:08 . 2009-02-27 15:08 -------- d-----w c:\programdata\DAEMON Tools Pro
2009-02-26 15:30 . 2007-08-20 20:35 131408 ----a-w c:\users\bhushan\AppData\Local\GDIPFONTCACHEV1.DAT
2009-02-26 15:27 . 2008-06-11 17:35 -------- d-----w c:\program files\Microsoft Silverlight
2009-02-26 05:11 . 2007-09-26 17:10 -------- d-----w c:\program files\Xider
2009-02-23 10:29 . 2009-02-23 10:29 231176 ----a-w c:\windows\System32\PDBoot.exe
2009-02-21 07:24 . 2009-02-21 07:24 -------- d-----w c:\program files\AskSBar
2009-02-21 06:54 . 2009-02-10 12:32 -------- d-----w c:\program files\LimeWire
2009-02-19 09:10 . 2009-02-19 09:10 -------- d-----w c:\program files\RamBooster 2.0
2009-02-18 06:39 . 2009-02-18 06:38 -------- d-----w c:\program files\Scorched3D
2009-02-17 17:11 . 2009-02-17 17:11 24232 ----a-w c:\windows\system32\drivers\ElbyCDIO.sys
2009-02-17 13:33 . 2009-02-17 13:33 89256 ----a-w c:\windows\System32\ElbyCDIO.dll
2009-02-09 03:10 . 2009-03-11 05:14 2033152 ----a-w c:\windows\System32\win32k.sys
2009-02-06 13:33 . 2009-02-06 13:33 307576 ----a-w c:\windows\WLXPGSS.SCR
2009-02-06 13:22 . 2009-02-06 13:22 49504 ----a-w c:\windows\System32\sirenacm.dll
2009-02-01 07:44 . 2009-02-01 07:44 32768 --sha-w c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat
2009-02-01 07:44 . 2009-02-01 07:44 32768 --sha-w c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
2009-02-01 07:44 . 2009-02-01 07:44 16384 --sha-w c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
2009-02-01 07:44 . 2009-02-01 07:44 16384 --sha-w c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
2009-01-27 08:43 . 2009-01-27 08:43 262144 ----a-w c:\windows\System32\gfbaksm.dat
2009-01-15 10:05 . 2009-01-28 10:06 911872 ----a-w c:\windows\System32\wininet.dll
2009-01-15 10:05 . 2009-01-28 10:06 43008 ----a-w c:\windows\System32\licmgr10.dll
2009-01-15 10:04 . 2009-01-28 10:06 18944 ----a-w c:\windows\System32\corpol.dll
2009-01-15 10:04 . 2009-01-28 10:06 109056 ----a-w c:\windows\System32\iesysprep.dll
2009-01-15 10:04 . 2009-01-28 10:06 132096 ----a-w c:\windows\System32\ieUnatt.exe
2009-01-15 10:04 . 2009-01-28 10:06 109568 ----a-w c:\windows\System32\PDMSetup.exe
2009-01-15 10:04 . 2009-01-28 10:06 107520 ----a-w c:\windows\System32\RegisterIEPKEYs.exe
2009-01-15 10:04 . 2009-01-28 10:06 107008 ----a-w c:\windows\System32\SetIEInstalledDate.exe
2009-01-15 10:04 . 2009-01-28 10:06 103936 ----a-w c:\windows\System32\SetDepNx.exe
2009-01-15 10:03 . 2009-01-28 10:06 420352 ----a-w c:\windows\System32\vbscript.dll
2009-01-15 10:03 . 2009-01-28 10:06 72704 ----a-w c:\windows\System32\admparse.dll
2009-01-15 10:03 . 2009-01-28 10:06 71680 ----a-w c:\windows\System32\iesetup.dll
2009-01-15 10:03 . 2009-01-28 10:06 66560 ----a-w c:\windows\System32\wextract.exe
2009-01-15 10:02 . 2009-01-28 10:06 169472 ----a-w c:\windows\System32\iexpress.exe
2009-01-15 10:01 . 2009-01-28 10:06 34304 ----a-w c:\windows\System32\imgutil.dll
2009-01-15 10:00 . 2009-01-28 10:06 48128 ----a-w c:\windows\System32\mshtmler.dll
2009-01-15 10:00 . 2009-01-28 10:06 45568 ----a-w c:\windows\System32\mshta.exe
2009-01-15 09:50 . 2009-01-28 10:06 156160 ----a-w c:\windows\System32\msls31.dll
2008-12-03 22:44 . 2006-11-02 12:48 174 --sha-w c:\program files\desktop.ini
2007-08-21 18:51 . 2007-08-21 18:51 95 ----a-w c:\users\bhushan\AppData\Local\fusioncache.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2007-08-30 205480]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-10-21 68856]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2008-11-05 4347120]
"AlcoholAutomount"="c:\program files\Alcohol Soft\Alcohol 120\axcmd.exe" [2008-11-23 203720]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-02-06 3885408]
"Google Update"="c:\users\bhushan\AppData\Local\Google\Update\GoogleUpdate.exe" [2008-12-26 133104]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2007-05-11 159744]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2007-03-22 1548288]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2008-10-24 79136]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2006-11-05 221184]
"PCMService"="c:\program files\Dell\MediaDirect\PCMService.exe" [2007-04-17 184320]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-12-04 30192]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe" [2007-08-30 205480]
"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\sttray.exe" [2007-06-27 405504]
"NvSvc"="c:\windows\system32\nvsvc.dll" [2007-10-05 86016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-10-05 8497696]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-10-05 81920]
"NVHotkey"="c:\windows\system32\nvHotkey.dll" [2007-10-05 86016]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"VirtualCloneDrive"="c:\program files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" [2009-01-30 52392]
"NWTRAY"="NWTRAY.EXE" [2007-08-16 c:\windows\System32\nwtray.exe]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
PASPortal.lnk - c:\windows\Installer\{B70103EF-9E31-4878-A6AB-E77CAC7D9CA7}\NewShortcut1.exe [2008-07-10 40960]
QuickSet.lnk - c:\windows\Installer\{7F0C4457-8E64-491B-8D7B-991504365D1E}\NewShortcut2_53A01CC614B04512A2E710D39BF83DC4.exe [2007-08-16 45056]
VPN Client.lnk - c:\windows\Installer\{14FCFE7C-AB86-428A-9D2E-BFB6F5A7AA6E}\Icon3E5562ED7.ico [2007-12-21 6144]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~2\GOEC62~1.DLL

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ PDBoot.exe\0autocheck autochk *\0lsdelete

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 ncv1_0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ad-Watch]
--a------ 2009-03-10 00:36 515416 c:\program files\Lavasoft\Ad-Aware\AAWTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DownloadAccelerator]
c:\program files\DAP\DAP.EXE [BU]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IEraseTraces]
c:\program files\Inocentric\IEraseTraces\ierasetraces.exe [BU]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM]
--a------ 2007-08-30 10:50 205480 c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LDM]
c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe [BU]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechCommunicationsManager]
--a------ 2007-07-26 01:32 563984 c:\program files\Common Files\logishrd\LComMgr\Communications_Helper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechQuickCamRibbon]
--a------ 2007-07-26 01:36 2027792 c:\program files\Logitech\QuickCam\Quickcam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\McAfeeUpdaterUI]
--a------ 2006-11-17 23:09 136768 c:\program files\McAfee\Common Framework\UdaterUI.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Mindful]
--a------ 2006-07-01 11:55 393728 c:\program files\Felitec\Mindful\Mindful.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
c:\program files\MSN Messenger\msnmsgr.exe [BU]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MySpaceIM]
c:\program files\MySpace\IM\MySpaceIM.exe [BU]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ShStatEXE]
--a------ 2006-11-30 18:20 112216 c:\program files\McAfee\VirusScan Enterprise\shstat.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
-ra------ 2007-09-13 23:01 22880040 c:\program files\Skype\Phone\Skype.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"EvJOWall"=c:\program files\EvJOSoft\Wallpaper Changer\EvJOWall.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" -atboottime
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" -osboot
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
"Windows Defender"=%ProgramFiles%\Windows Defender\MSASCui.exe -hide
"SpywareTerminator"="c:\program files\Spyware Terminator\SpywareTerminatorShield.exe"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{45231234-E0DC-4D92-B349-6B6EAC18436F}"= c:\program files\Dell\MediaDirect\PowerCinema.exe:CyberLink PowerCinema
"{A4073075-4B26-49CE-8DC5-0030C57D339F}"= c:\program files\Dell\MediaDirect\PCMService.exe:CyberLink PowerCinema Resident Program
"{FB339622-4370-4347-826A-7EA5698C8487}"= c:\program files\Dell\MediaDirect\Kernel\DMP\CLBrowserEngine.exe:Cyberlink Media Server Browser Engine
"{6B927F7D-29A6-42CA-B368-3A7F89E47F2F}"= c:\program files\Dell\MediaDirect\Kernel\DMS\CLMSService.exe:CyberLink Media Server
"{FC3129E4-5ED9-4476-AC47-D04B0CC700E0}"= UDP:c:\program files\Dell Network Assistant\ezi_hnm2.exe:Dell Network Assistant
"{ED847F01-4F2F-413A-8B10-94B5DC894807}"= TCP:c:\program files\Dell Network Assistant\ezi_hnm2.exe:Dell Network Assistant
"{6D1F1034-7DA0-42A4-AD79-FF017B33435F}"= TCP:10421:SingleClick Discovery Protocol
"{C582DC8D-7CE9-4D24-8DC7-FD62F9CA3D14}"= UDP:139:NetBIOS File/Printer Sharing
"{31AF4A58-0D65-472B-844E-768C75BF4E5E}"= TCP:10426:SingleClick ICC
"{48BF6BFB-B737-44EF-80A8-224564F5F864}"= UDP:445:Microsoft Directory Services
"{8036CC5B-FFCF-4252-980F-DAD5AE160CDA}"= TCP:138:NetBIOS Datagram Service
"{07A17D73-53B2-40EF-9D34-1D5F8AF86121}"= TCP:137:NetBIOS Name Service
"{4A4FA1C0-5403-40DD-A4DE-B06C71956E69}"= UDP:c:\program files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{B4632227-CF8A-4CCA-A567-AF69654D8E9C}"= TCP:c:\program files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{3DAC9138-BBDF-4A26-9650-1AF2DB2902EA}"= UDP:c:\program files\McAfee\Common Framework\FrameworkService.exe:McAfee Framework Service
"{F8D7DF1B-942B-4D6F-9D5A-0259941F2C0A}"= TCP:c:\program files\McAfee\Common Framework\FrameworkService.exe:McAfee Framework Service
"{276BBEA0-679E-47B0-BB3C-C89965102FF2}"= TCP:6004|c:\program files\Microsoft Office\Office12\outlook.exe:Microsoft Office Outlook
"{944090F5-EE8E-4EE0-AA3D-71EF8DC2F5F9}"= UDP:c:\program files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{BECFBD2B-530B-4392-B5E6-4D652D147483}"= TCP:c:\program files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{AE9AE37F-A38C-4561-92CF-012DE39B864C}"= UDP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{DA9E0385-6D60-4E55-93EC-B43404DEC111}"= TCP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"TCP Query User{6D23B1B3-80EF-4264-9719-EC281FB67EB8}c:\\program files\\yahoo!\\messenger\\yahoomessenger.exe"= UDP:c:\program files\yahoo!\messenger\yahoomessenger.exe:Yahoo! Messenger
"UDP Query User{A825D3BA-A7DD-4310-8E4C-55638FE930AB}c:\\program files\\yahoo!\\messenger\\yahoomessenger.exe"= TCP:c:\program files\yahoo!\messenger\yahoomessenger.exe:Yahoo! Messenger
"TCP Query User{B056A5BC-CCC4-4995-9C88-0E092DCC6691}c:\\program files\\real\\realplayer\\realplay.exe"= UDP:c:\program files\real\realplayer\realplay.exe:RealPlayer
"UDP Query User{986A7B1A-2ABE-46A6-BFCD-D1EEC4FA5A2E}c:\\program files\\real\\realplayer\\realplay.exe"= TCP:c:\program files\real\realplayer\realplay.exe:RealPlayer
"{DFB56FAC-185D-4F48-BDB1-7E03B9367DDE}"= UDP:c:\windows\System32\PnkBstrA.exe:PnkBstrA
"{D8E4D35E-65C4-434A-8999-EE5E770613C6}"= TCP:c:\windows\System32\PnkBstrA.exe:PnkBstrA
"{87959546-3750-41E1-8A5E-4CCD87E74054}"= UDP:c:\windows\System32\PnkBstrB.exe:PnkBstrB
"{022BB7BF-4C52-44B8-9DE0-0C77EAD2782F}"= TCP:c:\windows\System32\PnkBstrB.exe:PnkBstrB
"TCP Query User{7D69AB14-874D-4F05-8C49-FDE67910DC55}c:\\program files\\skype\\phone\\skype.exe"= UDP:c:\program files\skype\phone\skype.exe:Skype. Take a deep breath
"UDP Query User{81EB3F6E-8335-4A7D-BE62-73C3A0489014}c:\\program files\\skype\\phone\\skype.exe"= TCP:c:\program files\skype\phone\skype.exe:Skype. Take a deep breath
"TCP Query User{53B5F7B1-DED8-4FBF-9642-317C0994337B}c:\\program files\\skype\\phone\\skype.exe"= UDP:c:\program files\skype\phone\skype.exe:Skype. Take a deep breath
"UDP Query User{1E9EE0AE-988E-437D-99DF-C3CFDCC4755C}c:\\program files\\skype\\phone\\skype.exe"= TCP:c:\program files\skype\phone\skype.exe:Skype. Take a deep breath
"TCP Query User{BBC98B71-E7FB-4858-90A2-8B90E88BD7E9}c:\\windows\\winsxs\\x86_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_6.0.6000.16575_none_2d35117b1d0c34fb\\iexplore.exe"= UDP:c:\windows\winsxs\x86_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_6.0.6000.16575_none_2d35117b1d0c34fb\iexplore.exe:Internet Explorer
"UDP Query User{3A0DA5E3-2303-4910-9D6E-CEA54328149A}c:\\windows\\winsxs\\x86_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_6.0.6000.16575_none_2d35117b1d0c34fb\\iexplore.exe"= TCP:c:\windows\winsxs\x86_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_6.0.6000.16575_none_2d35117b1d0c34fb\iexplore.exe:Internet Explorer
"TCP Query User{2FBD6F7E-CCA9-499C-9566-61E10F173C11}c:\\program files\\real\\realplayer\\realplay.exe"= UDP:c:\program files\real\realplayer\realplay.exe:RealPlayer
"UDP Query User{451596A2-3CD6-4257-B4B6-DED3CB178D11}c:\\program files\\real\\realplayer\\realplay.exe"= TCP:c:\program files\real\realplayer\realplay.exe:RealPlayer
"TCP Query User{8A0BA861-CD3B-4E0B-B1B0-74B0F6217BEB}c:\\program files\\tmnationsforever\\tmforever.exe"= UDP:c:\program files\tmnationsforever\tmforever.exe:TmForever
"UDP Query User{BFA569A9-AF73-4A2D-B74D-7BDB8E0BB034}c:\\program files\\tmnationsforever\\tmforever.exe"= TCP:c:\program files\tmnationsforever\tmforever.exe:TmForever
"TCP Query User{EA5D09F3-27AF-4D32-B456-F69CE0562EAD}c:\\program files\\tmnationsforever\\tmforever.exe"= UDP:c:\program files\tmnationsforever\tmforever.exe:TmForever
"UDP Query User{FC067EE4-EA25-4989-9FF5-0CA9C4627054}c:\\program files\\tmnationsforever\\tmforever.exe"= TCP:c:\program files\tmnationsforever\tmforever.exe:TmForever
"{57C879AE-AAC4-4719-B768-5FA33C52ABB2}"= UDP:c:\program files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{EACE0CF6-A7D0-44D1-8D93-1106817BB5C6}"= TCP:c:\program files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{674536C2-C01A-49A8-88DE-C856E3D80245}"= UDP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{9F99CC5C-3EB7-41CB-B991-D58E4F3DCA88}"= TCP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{8E3DDC1A-9641-4D59-8E7C-3D3025AD4B09}"= UDP:c:\program files\Microsoft Games\Rise of Nations\thrones.exe:Rise of Nations
"{86E1F9BA-7860-4DC1-95F3-D1E19C362790}"= TCP:c:\program files\Microsoft Games\Rise of Nations\thrones.exe:Rise of Nations
"TCP Query User{5F15326B-85DE-4F1B-8F4A-71CC92AEDFF7}c:\\program files\\internet explorer\\iexplore.exe"= UDP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"UDP Query User{9F73359B-58C1-46A5-B752-1A8412B77E60}c:\\program files\\internet explorer\\iexplore.exe"= TCP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"TCP Query User{C6B42F4C-A4FA-4B30-8900-02B6ADCD0470}c:\\program files\\utorrent\\utorrent.exe"= UDP:c:\program files\utorrent\utorrent.exe:µTorrent
"UDP Query User{D675845C-80C4-4D5D-805C-0EFBF22E3516}c:\\program files\\utorrent\\utorrent.exe"= TCP:c:\program files\utorrent\utorrent.exe:µTorrent
"{C9A4168B-7940-4141-BC41-0EE328B2E421}"= UDP:c:\program files\Mozilla Firefox\firefox.exe:Mozilla Firefox
"{169C2FDA-905C-4ADC-87C8-B2F50D952543}"= TCP:c:\program files\Mozilla Firefox\firefox.exe:Mozilla Firefox
"{F2DB8D30-CD78-4ECF-94B2-54916E499FD6}"= UDP:c:\users\bhushan\AppData\Local\Google\Chrome\Application\chrome.exe:Google Chrome
"{311B59C2-2B53-4438-9A28-02DDE95986B9}"= TCP:c:\users\bhushan\AppData\Local\Google\Chrome\Application\chrome.exe:Google Chrome
"TCP Query User{9010CA7E-C733-4460-8C39-A760C835011E}c:\\program files\\utorrent\\utorrent.exe"= UDP:c:\program files\utorrent\utorrent.exe:µTorrent
"UDP Query User{ABB33560-EA60-4BF5-B137-D95F20467C23}c:\\program files\\utorrent\\utorrent.exe"= TCP:c:\program files\utorrent\utorrent.exe:µTorrent
"TCP Query User{FC7EAC8A-2195-40C4-93CD-1CEB43579438}c:\\program files\\orbitdownloader\\orbitnet.exe"= UDP:c:\program files\orbitdownloader\orbitnet.exe:P2P service of Orbit Downloader
"UDP Query User{FEB8A8E7-A288-4448-A77E-845B99DC39E9}c:\\program files\\orbitdownloader\\orbitnet.exe"= TCP:c:\program files\orbitdownloader\orbitnet.exe:P2P service of Orbit Downloader
"TCP Query User{DCF246F7-7221-4A79-88AB-6B7592766E7E}c:\\program files\\microsoft games\\rise of nations\\patriots.exe"= UDP:c:\program files\microsoft games\rise of nations\patriots.exe:Rise of Nations
"UDP Query User{9E958A75-71E4-4DB2-87E9-C8E034D0332F}c:\\program files\\microsoft games\\rise of nations\\patriots.exe"= TCP:c:\program files\microsoft games\rise of nations\patriots.exe:Rise of Nations
"TCP Query User{49472ED9-7F98-4875-8D53-B739EFE7A3A2}c:\\program files\\orbitdownloader\\orbitnet.exe"= UDP:c:\program files\orbitdownloader\orbitnet.exe:P2P service of Orbit Downloader
"UDP Query User{1DC8247A-B289-4B4F-94FA-C9406EAED54B}c:\\program files\\orbitdownloader\\orbitnet.exe"= TCP:c:\program files\orbitdownloader\orbitnet.exe:P2P service of Orbit Downloader
"TCP Query User{CF495931-9A64-4F6B-8F4D-F7CDE2B38DC4}c:\\program files\\frostwire\\frostwire.exe"= UDP:c:\program files\frostwire\frostwire.exe:FrostWire
"UDP Query User{CACB06EE-9862-4872-B285-AA194E6E6315}c:\\program files\\frostwire\\frostwire.exe"= TCP:c:\program files\frostwire\frostwire.exe:FrostWire
"{A3CA767F-5DB2-4184-B127-833C94F9EF97}"= UDP:c:\program files\Ubisoft\Demo\Tom Clancy's H.A.W.X\HAWX.exe:Tom Clancy's H.A.W.X
"{03BBB2A1-1FE9-446F-9602-CF70505ACAF2}"= TCP:c:\program files\Ubisoft\Demo\Tom Clancy's H.A.W.X\HAWX.exe:Tom Clancy's H.A.W.X
"{F293139A-7F70-4464-B132-9C337D183C2F}"= UDP:c:\program files\Ubisoft\Demo\Tom Clancy's H.A.W.X\HAWX_dx10.exe:Tom Clancy's H.A.W.X
"{7AD870F9-01F2-4CF2-825E-F3769221AA12}"= TCP:c:\program files\Ubisoft\Demo\Tom Clancy's H.A.W.X\HAWX_dx10.exe:Tom Clancy's H.A.W.X
"TCP Query User{04E4701B-B601-4483-AA46-E0E90CB72B66}c:\\program files\\ubisoft\\demo\\tom clancy's h.a.w.x\\hawx_dx10.exe"= UDP:c:\program files\ubisoft\demo\tom clancy's h.a.w.x\hawx_dx10.exe:HAWX_dx10
"UDP Query User{312559B0-CC48-462D-9B78-43FAE6BE42CD}c:\\program files\\ubisoft\\demo\\tom clancy's h.a.w.x\\hawx_dx10.exe"= TCP:c:\program files\ubisoft\demo\tom clancy's h.a.w.x\hawx_dx10.exe:HAWX_dx10
"{CED2827E-A7DB-4872-85B1-F72EE53B2F7F}"= c:\program files\Windows Live\Sync\WindowsLiveSync.exe:Windows Live Sync
"{8A5FD53E-F917-4B47-8659-6D943B3D51A4}"= UDP:c:\program files\Ubisoft\Far Cry 2\bin\FarCry2.exe:Far Cry 2
"{6F735B1B-6841-4191-9935-0C13A949DEDA}"= TCP:c:\program files\Ubisoft\Far Cry 2\bin\FarCry2.exe:Far Cry 2
"{A0D54154-51BD-4534-B23C-6DBA51D9B183}"= UDP:c:\program files\Ubisoft\Far Cry 2\bin\FC2Launcher.exe:Far Cry 2 Updater
"{60F7D469-6A33-4848-9748-B75A0E623677}"= TCP:c:\program files\Ubisoft\Far Cry 2\bin\FC2Launcher.exe:Far Cry 2 Updater
"{CB6FD337-0E13-48B6-AC9B-2ED43DA978FF}"= UDP:c:\program files\Ubisoft\Far Cry 2\bin\FC2Editor.exe:Editor
"{DFD520CE-7A26-40C5-AA02-D538E2A8E9DE}"= TCP:c:\program files\Ubisoft\Far Cry 2\bin\FC2Editor.exe:Editor

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"c:\\Program Files\\Orbitdownloader\\orbitdm.exe"= c:\program files\Orbitdownloader\orbitdm.exe:*:Enabled:Orbit
"c:\\Program Files\\Orbitdownloader\\orbitnet.exe"= c:\program files\Orbitdownloader\orbitnet.exe:*:Enabled:Orbit

R2 gupdate1c985d1db8f2b1c;Google Update Service (gupdate1c985d1db8f2b1c);c:\program files\Google\Update\GoogleUpdate.exe [2009-02-03 133104]
R3 fssfltr;fssfltr;c:\windows\system32\DRIVERS\fssfltr.sys [2009-02-06 55280]
R3 fsssvc;Windows Live Family Safety;c:\program files\Windows Live\Family Safety\fsssvc.exe [2009-02-06 533360]
R3 GoogleDesktopManager-110408-113106;Google Desktop Manager 5.8.811.4345;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [2008-12-04 30192]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [2009-03-10 64160]
S1 sp_rsdrv2;Spyware Terminator Driver 2;c:\windows\system32\drivers\sp_rsdrv2.sys [2008-05-26 141312]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2009-03-10 951632]
S2 NCFSD;Novell Client File System Redirector;c:\program files\Novell\Client\XTier\Drivers\ncfsd.sys [2008-07-10 80400]
S2 NCIOCTL;Novell Xplat IoCtl Driver;c:\program files\Novell\Client\XTier\Drivers\ncioctl.sys [2008-07-10 41488]
S2 SeaPort;SeaPort;c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe [2009-01-14 226656]
S2 TuneUp.ProgramStatisticsSvc;TuneUp Program Statistics Service;c:\windows\System32\TUProgSt.exe [2009-04-01 603904]
S2 XTSvcMgr;Novell XTier Service Manager;c:\program files\Novell\Client\XTier\Services\XTSvcMgr.exe [2008-07-10 16656]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\b57nd60x.sys [2007-05-11 179712]


--- Other Services/Drivers In Memory ---

*Deregistered* - nciom
*Deregistered* - ncp
*Deregistered* - ncpl
*Deregistered* - ndm
*Deregistered* - ndmndap
*Deregistered* - ndslpp
*Deregistered* - niam
*Deregistered* - nipctl
*Deregistered* - nscm
*Deregistered* - nsns
*Deregistered* - nsvccost
*Deregistered* - sptd
*Deregistered* - xtxplat

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{132e2a33-0fc0-11dd-a6e5-001c23ff323a}]
\shell\AutoRun\command - Installer.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8128f25c-1da9-11de-a576-001c23ff323a}]
\shell\AutoRun\command - K:\autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8128f26b-1da9-11de-a576-001c23ff323a}]
\shell\AutoRun\command - M:\MTInstall.exe
\shell\directx\command - m:\redist\directx8a\dxsetup.exe
\shell\Gamespy\command - m:\redist\GameSpy\ArcadeInstallMTYCOON108c.exe
\shell\setup\command - M:\MTInstall.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{da594275-afed-11dc-ac95-001aa0fd32fd}]
\shell\AutoRun\command - explorer .

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\System32\rundll32.exe" "c:\windows\System32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-04-13 c:\windows\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2009\OneClickStarter.exe [2008-12-11 21:36]

2009-04-13 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-10 00:36]

2009-04-13 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-03-25 14:06]

2009-04-13 c:\windows\Tasks\GoogleUpdateTaskMachine.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-03 13:04]

2009-04-13 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1235237280-593717586-759252712-1000.job
- c:\users\bhushan\AppData\Local\Google\Update\GoogleUpdate.exe [2008-12-26 14:32]

2009-04-13 c:\windows\Tasks\User_Feed_Synchronization-{979E7104-2549-435C-836C-75802676E187}.job
- c:\windows\system32\msfeedssync.exe [2009-01-15 15:31]
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{8C550565-107B-4FEE-B2CC-9B6B12CE53F6} - (no file)
WebBrowser-{47D66F71-DAC2-439C-836D-18C055AF389C} - (no file)
WebBrowser-{F6387320-2466-42C3-9E7C-6A7BD7BD1F61} - (no file)


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://www.yahoo.com/?.home=ytie
uSearchURL,(Default) = hxxp://red.clientapps.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
IE: &Download by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/201
IE: &Grab video by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/204
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Do&wnload selected by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/203
IE: Down&load all by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/202
IE: Download &Flash Movies - c:\program files\Flash2X\Flash Hunter\save.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: **{5699BDDB-A771-4E54-ACBB-BE86921D7892} - {5699BDDB-A771-4E54-ACBB-BE86921D7892} -
Trusted Zone: 2adultflashgames.com
Trusted Zone: 56.com
Trusted Zone: forumflicks.com
Trusted Zone: funny-games.biz
Trusted Zone: mysexgames.com
Trusted Zone: usagreetings.com\www
Trusted Zone: voyeurweb.com
FF - ProfilePath -
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-13 22:42
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(7236)
c:\program files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll
c:\windows\system32\NETWIN32.DLL
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\logishrd\LVMVFM\LVPrcSrv.exe
c:\windows\System32\audiodg.exe
c:\windows\System32\WLTRYSVC.EXE
c:\program files\Cisco Systems\VPN Client\cvpnd.exe
c:\program files\Dell Network Assistant\hnm_svc.exe
c:\program files\Common Files\logishrd\LVCOMSER\LVComSer.exe
c:\program files\Common Files\logishrd\LVCOMSER\LVComSer.exe
c:\program files\Raxco\PerfectDisk10\PDAgent.exe
c:\windows\System32\BCMWLTRY.EXE
c:\program files\Spyware Terminator\sp_rsser.exe
c:\windows\System32\stacsv.exe
c:\program files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
c:\windows\System32\drivers\XAudio.exe
c:\windows\System32\wbem\unsecapp.exe
c:\program files\Raxco\PerfectDisk10\PDAgentS1.exe
c:\windows\System32\rundll32.exe
c:\windows\System32\rundll32.exe
c:\program files\DataStudio\PASPortal.exe
c:\program files\Dell\QuickSet\quickset.exe
c:\windows\System32\wbem\unsecapp.exe
c:\windows\System32\rundll32.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\program files\DellTPad\ApMsgFwd.exe
c:\program files\DellTPad\hidfind.exe
c:\program files\DellTPad\ApntEx.exe
c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\CPSHelpRunner.exe
c:\program files\Yahoo!\Messenger\Ymsgr_tray.exe
c:\program files\Common Files\logishrd\LVMVFM\LVPrcSrv.exe
.
**************************************************************************
.
Completion time: 2009-04-13 22:53 - machine was rebooted [bhushan]
ComboFix-quarantined-files.txt 2009-04-13 17:22
ComboFix2.txt 2009-04-13 16:11

Pre-Run: 47,389,478,912 bytes free
Post-Run: 47,166,562,304 bytes free

465 --- E O F --- 2009-03-31 09:23
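An added example, not part of the thread or of ComboFix: a short Python triage script over the firewall-policy and MountPoints2 sections of the log above. It parses the bracketed registry keys the log prints, reports EnableFirewall=0 on the StandardProfile, and lists every MountPoints2 AutoRun handler, marking the ones whose command carries no drive letter (those resolve against the root of whatever volume was plugged in). SAMPLE_LOG is an excerpt constructed from the posted log and the regexes are mine; which handlers are actually hostile is the helper's call, the script only surfaces them.

```python
"""Triage of the firewall-policy and MountPoints2 sections of a ComboFix/DDS
log. Added example, not part of the thread or of ComboFix; SAMPLE_LOG is an
excerpt constructed from the posted log."""
import re

KEY_RE = re.compile(r"^\[(.+)\]$")
MP2_RE = re.compile(r"\\mountpoints2\\\{([0-9a-f-]{36})\}$", re.IGNORECASE)
AUTORUN_RE = re.compile(r"^\\shell\\AutoRun\\command\s+-\s+(.*\S)\s*$", re.IGNORECASE)
ENABLE_FW_RE = re.compile(r'^"EnableFirewall"=\s*(\d+)')
DRIVE_RE = re.compile(r"^[A-Za-z]:\\")

# Constructed excerpt mirroring the lines in the posted log.
SAMPLE_LOG = r"""
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"c:\\Program Files\\Orbitdownloader\\orbitdm.exe"= c:\program files\Orbitdownloader\orbitdm.exe:*:Enabled:Orbit

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{132e2a33-0fc0-11dd-a6e5-001c23ff323a}]
\shell\AutoRun\command - Installer.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8128f25c-1da9-11de-a576-001c23ff323a}]
\shell\AutoRun\command - K:\autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8128f26b-1da9-11de-a576-001c23ff323a}]
\shell\AutoRun\command - M:\MTInstall.exe
\shell\setup\command - M:\MTInstall.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{da594275-afed-11dc-ac95-001aa0fd32fd}]
\shell\AutoRun\command - explorer .
"""


def parse_sections(text):
    """Group a ComboFix/DDS registry dump into {key: [value lines]}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def firewall_disabled(text, profile="StandardProfile"):
    """True if firewallpolicy\\<profile> carries EnableFirewall = 0."""
    for key, values in parse_sections(text).items():
        if not key.lower().endswith("\\firewallpolicy\\" + profile.lower()):
            continue  # skips the AuthorizedApplications\List subkey
        for v in values:
            m = ENABLE_FW_RE.match(v)
            if m:
                return int(m.group(1)) == 0
    return False


def autorun_commands(text):
    """(volume GUID, command) for every MountPoints2 AutoRun handler."""
    found = []
    for key, values in parse_sections(text).items():
        m = MP2_RE.search(key)
        if not m:
            continue
        for v in values:
            a = AUTORUN_RE.match(v)
            if a:
                found.append((m.group(1), a.group(1)))
    return found


def is_relative(command):
    """Commands without a drive-letter prefix resolve against the volume root."""
    return DRIVE_RE.match(command) is None


def triage(text):
    """Human-readable findings for the two sections."""
    findings = []
    if firewall_disabled(text):
        findings.append("Windows Firewall disabled in StandardProfile (EnableFirewall=0)")
    for guid, cmd in autorun_commands(text):
        kind = "relative command" if is_relative(cmd) else "absolute path"
        findings.append(f"MountPoints2 {{{guid}}} AutoRun handler: {cmd!r} ({kind})")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

Only the `\shell\AutoRun\command` handlers are counted; the `\shell\setup`, `\shell\directx` and similar verbs the same log shows are ordinary autorun.inf menu entries and are left alone.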
Old 04-13-2009, 02:44 PM   #6 (permalink)
Moderator, Analyst, Security Team; Rangemaster, TSF Academy
 
Join Date: Oct 2007
Location: Georgia
Posts: 10,580
OS: XP SP3


Re: Search engine redirecting to adware websites, cannot run new antimalware programs

Hello, wind_chariot. Please post the MBAM log in your next reply.

Please go to: VirusTotal
  • On the page you'll find a Browse button.
  • Next to the Browse button you'll see a box to enter text.
  • Please copy/paste the following bolded text into the box:

    c:\windows\system32\drivers\bidpxtjwvtnqrwya.sys

  • Then click the Send File button just below.
  • This will scan the file. Please be patient.
  • If you get a message saying File has already been analysed: click Reanalyse file now
  • Once scanned, copy and paste the results in your next reply.
------------------------------------------------------
__________________
Our help is free but please donate

Proud member of ASAP
Proud member of UNITE
Old 04-13-2009, 10:57 PM   #7 (permalink)
Registered User
 
Join Date: Apr 2009
Posts: 48
OS: Windows Vista SP2


Re: Search engine redirecting to adware websites, cannot run new antimalware programs

Hello chemist. I am posting the logs. First, I am posting the Malwarebytes' log, and then I will post the VirusTotal result log.

------------------------------------------------------------------------------------

This is the log from Malwarebytes'.


Malwarebytes' Anti-Malware 1.36
Database version: 1954
Windows 6.0.6001 Service Pack 1

4/13/2009 4:54:36 PM
mbam-log-2009-04-13 (16-54-30).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 263868
Time elapsed: 58 minute(s), 40 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 3
Registry Keys Infected: 21
Registry Values Infected: 0
Registry Data Items Infected: 9
Folders Infected: 0
Files Infected: 7

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\Program Files\Mozilla Firefox\plugins\NPAskSBr.dll (Trojan.Agent) -> No action taken.
C:\Program Files\AskSBar\bar\1.bin\A2PLUGIN.DLL (Adware.MyWebSearch) -> No action taken.
C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL (Adware.AskSBAR) -> No action taken.

Registry Keys Infected:
HKEY_CLASSES_ROOT\TypeLib\{f0d4b230-da4b-4daf-81e4-dfee4931a4aa} (Adware.AskSBAR) -> No action taken.
HKEY_CLASSES_ROOT\Interface\{f0d4b23a-da4b-4daf-81e4-dfee4931a4aa} (Adware.AskSBAR) -> No action taken.
HKEY_CLASSES_ROOT\Interface\{f0d4b23c-da4b-4daf-81e4-dfee4931a4aa} (Adware.AskSBAR) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{b15fd82e-85bc-430d-90cb-65db1b030510} (Adware.AskSBAR) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{f0d4b239-da4b-4daf-81e4-dfee4931a4aa} (Adware.AskSBAR) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{f0d4b239-da4b-4daf-81e4-dfee4931a4aa} (Adware.AskSBAR) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{f0d4b23b-da4b-4daf-81e4-dfee4931a4aa} (Adware.AskSBAR) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{f0d4b23b-da4b-4daf-81e4-dfee4931a4aa} (Adware.AskSBAR) -> No action taken.
HKEY_CLASSES_ROOT\Interface\{cf54be1c-9359-4395-8533-1657cf209cfe} (Adware.MyWebSearch) -> No action taken.
HKEY_CLASSES_ROOT\Typelib\{d518921a-4a03-425e-9873-b9a71756821e} (Adware.MyWebSearch) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07b18ea9-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07b18eab-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{00a6faf1-072e-44cf-8957-5838f569a31d} (Adware.MyWebSearch) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{59c7fc09-1c83-4648-b3e6-003d2bbc7481} (Adware.MyWebSearch) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{68af847f-6e91-45dd-9b68-d6a12c30e5d7} (Adware.MyWebSearch) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9170b96c-28d4-4626-8358-27e6caeef907} (Adware.MyWebSearch) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{d1a71fa0-ff48-48dd-9b6d-7a13a3e42127} (Adware.MyWebSearch) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{ddb1968e-ead6-40fd-8dae-ff14757f60c7} (Adware.MyWebSearch) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{f138d901-86f0-4383-99b6-9cdd406036da} (Adware.MyWebSearch) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\RunDll32Policy\f3ScrCtr.dll (Adware.MyWay) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> No action taken.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.96,85.255.112.11 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{2f43782c-203e-43c3-8d2a-c0295990d6fd}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.96,85.255.112.11 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{baeb3bd3-2ea9-483b-acb2-7cbdf3988084}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.96,85.255.112.11 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.96,85.255.112.11 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{2f43782c-203e-43c3-8d2a-c0295990d6fd}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.96,85.255.112.11 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{baeb3bd3-2ea9-483b-acb2-7cbdf3988084}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.96,85.255.112.11 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.96,85.255.112.11 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces\{2f43782c-203e-43c3-8d2a-c0295990d6fd}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.96,85.255.112.11 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces\{baeb3bd3-2ea9-483b-acb2-7cbdf3988084}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.96,85.255.112.11 -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Program Files\Mozilla Firefox\plugins\NPAskSBr.dll (Trojan.Agent) -> No action taken.
C:\Program Files\AskSBar\bar\1.bin\A2PLUGIN.DLL (Adware.MyWebSearch) -> No action taken.
C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL (Adware.AskSBAR) -> No action taken.
C:\Program Files\AskSBar\bar\1.bin\A2HIGHIN.EXE (Trojan.Agent) -> No action taken.
C:\Program Files\AskSBar\bar\1.bin\NPASKSBR.DLL (Trojan.Agent) -> No action taken.
C:\Program Files\Trend Micro\HijackThis\backups\backup-20090413-004343-778.dll (Adware.AskSBAR) -> No action taken.
C:\Windows\System32\gaopdxcounter (Trojan.Agent) -> No action taken.


-----------------------------------------------------------------------------------


This is the result from VirusTotal


Antivirus Version Last Update Result
a-squared 4.0.0.101 2009.04.14 Trojan.Win32.Tdss.vjd!A2
AhnLab-V3 5.0.0.2 2009.04.14 -
AntiVir 7.9.0.138 2009.04.13 -
Antiy-AVL 2.0.3.1 2009.04.13 Trojan/Win32.Tdss
Authentium 5.1.2.4 2009.04.14 -
Avast 4.8.1335.0 2009.04.13 Win32:Alureon-G
AVG 8.5.0.285 2009.04.13 Generic13.PQP
BitDefender 7.2 2009.04.14 -
CAT-QuickHeal 10.00 2009.04.14 -
ClamAV 0.94.1 2009.04.14 -
Comodo 1112 2009.04.13 -
DrWeb 4.44.0.09170 2009.04.14 BackDoor.Tdss.115
eSafe 7.0.17.0 2009.04.13 Suspicious File
eTrust-Vet 31.6.6454 2009.04.13 -
F-Prot 4.4.4.56 2009.04.13 -
F-Secure 8.0.14470.0 2009.04.14 -
Fortinet 3.117.0.0 2009.04.13 -
GData 19 2009.04.14 Win32:Alureon-G
Ikarus T3.1.1.49.0 2009.04.14 -
K7AntiVirus 7.10.700 2009.04.11 -
Kaspersky 7.0.0.125 2009.04.14 -
McAfee 5583 2009.04.13 -
McAfee+Artemis 5583 2009.04.13 -
McAfee-GW-Edition 6.7.6 2009.04.13 Trojan.LooksLike.Vundo
Microsoft 1.4502 2009.04.13 Trojan:WinNT/Alureon.C
NOD32 4005 2009.04.14 Win32/Agent.PCJ
Norman 6.00.06 2009.04.13 W32/DNSChanger.ECUY
nProtect 2009.1.8.0 2009.04.13 Trojan/W32.TDSS.83968
Panda 10.0.0.14 2009.04.13 -
PCTools 4.4.2.0 2009.04.14 -
Prevx1 V2 2009.04.14 High Risk Cloaked Malware
Rising 21.25.10.00 2009.04.14 -
Sophos 4.40.0 2009.04.14 Mal/TDSSPack-G
Sunbelt 3.2.1858.2 2009.04.13 -
Symantec 1.4.4.12 2009.04.14 -
TheHacker 6.3.4.0.306 2009.04.12 Trojan/Tdss.vkk
TrendMicro 8.700.0.1004 2009.04.14 -
VBA32 3.12.10.2 2009.04.12 Trojan.Win32.Tdss.vna
ViRobot 2009.4.14.1691 2009.04.14 -
VirusBuster 4.6.5.0 2009.04.13 Rootkit.Alureon.Gen!Pac.2
Additional information
File size: 83968 bytes
MD5...: 9dadf7f392ed984ae9122ba4e654b4dd
SHA1..: 7f338a59cff7fcef2aab693f925d858ab0dde850
SHA256: f0134c19c8240f15c4a0dccce359c7ccf96ac02f79dfd70519ca0fb4d7053f91
SHA512: 0562382afcd21a1fb75c5dccb7f46902adae098635cf5e74408323d69bcae2b9
69dec5fc745d140e0fbc330dbbe78dae04e9c3adcac7a592c59e6a5c4ee3d985
ssdeep: 1536:mMqh4F71ytoHtq+I3FM+KHN7pO+eyfYM0MLE9VHXOk1QEU4m:goHtG3uH1g
j6XAL3j1Q51
PEiD..: -
TrID..: File type identification
Win32 Executable Generic (68.0%)
Generic Win/DOS Executable (15.9%)
DOS Executable Generic (15.9%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x1653
timedatestamp.....: 0x49c7349f (Mon Mar 23 07:05:03 2009)
machinetype.......: 0x14c (I386)

( 5 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0xd8c 0xe00 6.23 bac47bd86f71c2b9f013f0a37c7afb30
.rdata 0x2000 0x630 0x800 4.47 c480e544b553f2514c19d0b77a3d755c
.data 0x3000 0x12626 0x12800 7.99 c77b6196d7f5ed37aa5100b81d052358
.rsrc 0x16000 0x2e0 0x400 2.53 1ddfc87d9e75887385a9c70bd27de450
.reloc 0x17000 0xe 0x200 1.40 e4d840f42aa6e9781eae1b6efd2ec716

( 2 imports )
> ntoskrnl.exe: IoSetDeviceInterfaceState, RtlImageNtHeader, RtlFindNextForwardRunClear, Ke386QueryIoAccessMap, LsaFreeReturnBuffer, RtlSetAllBits, IoWriteErrorLogEntry, ExSemaphoreObjectType, FsRtlReleaseFile, ExInterlockedExtendZone, RtlSubAuthorityCountSid, ExAcquireSharedStarveExclusive, ExAllocatePoolWithTag, RtlValidSecurityDescriptor, IofCallDriver, LsaRegisterLogonProcess, KeDelayExecutionThread, CcUnpinRepinnedBcb, IoRegisterDriverReinitialization, InbvNotifyDisplayOwnershipLost, Ke386IoSetAccessProcess, PsSetLegoNotifyRoutine, IoReuseIrp, RtlAppendUnicodeToString, FsRtlNormalizeNtstatus
> hal.dll: HalGetBusData, HalGetInterruptVector, HalSetBusData, IoFreeMapRegisters, HalAllocateAdapterChannel, ExReleaseFastMutex, KeReleaseQueuedSpinLock, HalFlushCommonBuffer, HalClearSoftwareInterrupt, KfLowerIrql, KeAcquireQueuedSpinLock, HalFreeCommonBuffer, HalQueryDisplayParameters, HalAllocateCrashDumpRegisters, HalBeginSystemInterrupt, WRITE_PORT_ULONG, HalGetBusDataByOffset, KeLowerIrql, WRITE_PORT_USHORT, KeRaiseIrqlToSynchLevel, IoFreeAdapterChannel, KeAcquireSpinLock, HalCalibratePerformanceCounter, KeFlushWriteBuffer, HalRequestIpi, HalRequestSoftwareInterrupt, HalSetProfileInterval

( 0 exports )
RDS...: NSRL Reference Data Set
-
Prevx info: http://info.prevx.com/aboutprogramtext.asp?PX5=BDAC616F001756BC48B20137AD9063001DB37C68
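Two checks, as an added example that is not part of the thread or of either tool, over the two logs above: the NameServer values MBAM tagged as Trojan.DNSChanger are tested against 85.255.112.0/20, the address block the DNSChanger (Rove Digital) rogue resolvers used (treat that range as a labelled assumption and extend the list with your own intel), and the VirusTotal vendor table is tallied into a detected/total count. MBAM_SAMPLE and VT_SAMPLE are excerpts constructed from the posted logs, VT_SAMPLE being a subset of the 40-vendor table.

```python
"""Resolver-hijack check and VirusTotal tally over the posted logs. Added
example, not part of the thread or of MBAM/VirusTotal; the samples below are
excerpts constructed from the posted output."""
import ipaddress
import re

# Assumption: 85.255.112.0/20 is the block the DNSChanger (Rove Digital)
# rogue resolvers lived in. Extend with your own intel.
ROGUE_RESOLVER_RANGES = [ipaddress.ip_network("85.255.112.0/20")]

NAMESERVER_RE = re.compile(r"\\NameServer \(Trojan\.DNSChanger\) -> Data: ([0-9.,]+)")
VT_ROW_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\d{4}\.\d{2}\.\d{2})\s+(.+?)\s*$")

MBAM_SAMPLE = r"""
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.96,85.255.112.11 -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{2f43782c-203e-43c3-8d2a-c0295990d6fd}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.96,85.255.112.11 -> No action taken.
"""

# Eight of the forty rows from the posted table.
VT_SAMPLE = """\
Antivirus Version Last Update Result
a-squared 4.0.0.101 2009.04.14 Trojan.Win32.Tdss.vjd!A2
AhnLab-V3 5.0.0.2 2009.04.14 -
Avast 4.8.1335.0 2009.04.13 Win32:Alureon-G
Kaspersky 7.0.0.125 2009.04.14 -
Microsoft 1.4502 2009.04.13 Trojan:WinNT/Alureon.C
Prevx1 V2 2009.04.14 High Risk Cloaked Malware
Sophos 4.40.0 2009.04.14 Mal/TDSSPack-G
Symantec 1.4.4.12 2009.04.14 -
"""


def nameserver_hits(mbam_log):
    """[(registry key, [resolver IPs])] for every NameServer line MBAM flagged."""
    hits = []
    for line in mbam_log.splitlines():
        m = NAMESERVER_RE.search(line)
        if m:
            key = line[: m.start()] + r"\NameServer"
            hits.append((key, m.group(1).split(",")))
    return hits


def rogue_resolvers(ips):
    """Subset of ips that fall inside a known rogue-resolver range."""
    flagged = []
    for ip in ips:
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            continue  # malformed value; not an address at all
        if any(addr in net for net in ROGUE_RESOLVER_RANGES):
            flagged.append(ip)
    return flagged


def vt_results(vt_table):
    """{vendor: verdict} from the VirusTotal table; '-' means no detection."""
    results = {}
    for line in vt_table.splitlines():
        m = VT_ROW_RE.match(line.strip())  # header row has no date, so it is skipped
        if m:
            results[m.group(1)] = m.group(4)
    return results


def vt_tally(vt_table):
    """(detections, vendors) for the table."""
    results = vt_results(vt_table)
    return sum(1 for v in results.values() if v != "-"), len(results)


if __name__ == "__main__":
    for key, ips in nameserver_hits(MBAM_SAMPLE):
        print(f"{key}: {ips} rogue={rogue_resolvers(ips)}")
    det, total = vt_tally(VT_SAMPLE)
    print(f"VirusTotal: {det}/{total} vendors detected the driver")
```

Run over the full posted table the tally comes to 17 of 40, and the vendors that did fire mostly name the Tdss/Alureon family; the NameServer check matters separately because a rootkit clean-up that leaves the resolver entries in place leaves the redirects in place too.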
Old 04-14-2009, 05:47 AM   #8 (permalink)
Moderator, Analyst, Security Team; Rangemaster, TSF Academy
 
Join Date: Oct 2007
Location: Georgia
Posts: 10,580
OS: XP SP3


Re: Search engine redirecting to adware websites, cannot run new antimalware programs

Hello again, wind_chariot.

Please copy this page to Notepad and Save it to your Desktop in order to assist you when carrying out the following instructions.

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding.
Ensure that there aren't any opened browsers when you are carrying out the procedures below.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

------------------------------------------------------

I see you have SpywareTerminator installed on your system. This application was previously listed as a rogue program because of concerns with adware. Please read here

Although no longer listed as such, we recommend uninstalling it and downloading antispyware programs that have proven themselves tried and true. See here for a list of trustworthy antispyware products.

------------------------------------------------------

I see you have P2P software ( uTorrent and FrostWire ) installed on your machine. We are not here to pass judgment on file-sharing as a concept. However, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to re-infections. It may be contributing to your current situation. This page will give you further information.

Please note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares.

References for the risk of these programs are here, here, and here.

I would strongly recommend that you uninstall them, however that choice is up to you. If you choose to remove these programs, you can do so via Control Panel >> Programs and Features.

------------------------------------------------------

Close any open browsers.

Disable your antivirus and antispyware applications, usually via a right-click on the System Tray icon. They may otherwise interfere with ComboFix.

Open Notepad and copy/paste all the text in the codebox below into Notepad:

Code:
http://www.techsupportforum.com/security-center/virus-trojan-spyware-help/365633-search-engine-redirecting-adware-websites-cannot-run-new-antimalware-programs.html#post2078978

Collect::
c:\windows\system32\drivers\bidpxtjwvtnqrwya.sys

DDS::
uSearchURL,(Default) = hxxp://red.clientapps.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
Trusted Zone: 2adultflashgames.com
Trusted Zone: 56.com
Trusted Zone: forumflicks.com
Trusted Zone: funny-games.biz
Trusted Zone: mysexgames.com
Trusted Zone: usagreetings.com\www
Trusted Zone: voyeurweb.com

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DownloadAccelerator]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IEraseTraces]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LDM]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MySpaceIM]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{da594275-afed-11dc-ac95-001aa0fd32fd}]

File::
c:\windows\system32\gaopdxcounter
Save this Notepad file as CFScript.txt to your Desktop and then close the file.





Referring to the picture above, drag CFScript onto ComboFix

Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.

When finished, it shall produce a log for you. Please post that log, ComboFix.txt in your next reply.

Note:
Do not mouseclick ComboFix's window whilst it's running. That may cause it to stall.


**Note**

When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
  • Ensure you are connected to the internet and click OK on the message box.
If you do not get a message box, please do the following:

There should be a file named [4]-Submit_date@time.zip with today's date, located here:

C:\QooBox\Quarantine\[4]-Submit_date@time.zip

Using the 'Browse' button, please submit it to this site ==> http://www.bleepingcomputer.com/subm....php?channel=4

Please let me know if you successfully submitted the file. Thanks.

------------------------------------------------------
Old 04-14-2009, 12:06 PM   #9 (permalink)
Registered User
 
Join Date: Apr 2009
Posts: 48
OS: Windows Vista SP2


Re: Search engine redirecting to adware websites, cannot run new antimalware programs

Hello Chemist,

There is something wrong. I followed the instructions properly. I disabled Windows Defender, Ad-Aware, and McAfee OAS from startup as well as from running.

I dragged CFScript.txt onto ComboFix and it started working. Soon after that, it said rootkit activity was found and that it was deleting some files. It rebooted after that. After the restart, it started working as usual. It showed a message once: 'System could not find file whitedir01'. But after completing all the steps (around 56 steps, I guess), it said it was rebooting my computer. In that reboot, after I entered my password to log in, after a few moments my computer suddenly showed me a blue screen and told me something, in that DOS-like white font, about some actions, and it said the computer was shutting down to prevent further losses. It was a big page and it stayed only for 3-4 seconds, so I couldn't get exactly what it was saying. But after that, when it restarted, there was no ComboFix running, no log file or message box on display, and no internet connection. I tried to find the file you told me to find. I couldn't find a file with the name you gave. So I thought there was something wrong and ComboFix had not worked the way it should, as there was no log file created and such. So I reset my computer to earlier settings using System Restore.



I remember something. In the second reboot, though I had disabled my McAfee OAS real-time scanner from startup by going into msconfig and from running by going into 'Services', it started again. ComboFix told me to stop it and press OK to continue its operation. I closed it again and then ComboFix continued its work.



What should I do now? Is it because of the rootkits it found earlier? Or because of that whitedir01? Or for some other reason?
Old 04-14-2009, 01:54 PM   #10 (permalink)
Moderator, Analyst, Security Team; Rangemaster, TSF Academy
 
Join Date: Oct 2007
Location: Georgia
Posts: 10,580
OS: XP SP3


Re: Search engine redirecting to adware websites, cannot run new antimalware programs

Hello again, wind_chariot. Not sure what is going on. Deleting those files shouldn't make you lose your connection.

Download The Avenger by Swandog46 from here
  • Unzip/extract it to a folder on your desktop.
  • Right-click on avenger.exe & choose Run as Administrator to run The Avenger
  • Click OK
  • Make sure that the box next to Scan for rootkits has a tick in it and that the box next to Automatically disable any rootkits found does not have a tick in it.
  • Copy/paste the following text in the codebox below into the 'Input script here:' box.

    Code:
    Drivers to delete:
    gaopdxserv.sys
    Packet
    
    Registry keys to delete:
    HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DownloadAccelerator
    HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IEraseTraces
    HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LDM
    HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr
    HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MySpaceIM
    
    Files to delete:
    c:\windows\system32\drivers\bidpxtjwvtnqrwya.sys
    c:\windows\system32\gaopdxcounter
    c:\windows\system32\drivers\gaopdxxbyrupumrpvnywbwonteqokctxiqijdf.sys
    c:\windows\system32\gaopdxuxbxmcquiimpfmarfibxwcrpeqjxgufq.dll
    c:\windows\system32\MabryObj.dll
  • Click Execute
  • Click Yes
  • You will now be asked First step completed --- The Avenger has been successfully set up to run on next boot. Reboot now?
  • Click Yes
  • Your PC will now be rebooted.
  • After your PC has completed the necessary reboots, a log should automatically open. If it does not automatically open, then the log can be found at %systemdrive%\avenger.txt (typically C:\avenger.txt).
  • Please post this log in your next reply.
------------------------------------------------------

Right-click HijackThis and select Run as Administrator.

Click on 'Do a System Scan and Save a Logfile'. Save the logfile and post it here.

------------------------------------------------------
Last edited by chemist; 04-15-2009 at 10:43 AM.
Old 04-15-2009, 01:38 AM   #11 (permalink)
Registered User
 
Join Date: Apr 2009
Posts: 48
OS: Windows Vista SP2


Re: Search engine redirecting to adware websites, cannot run new antimalware programs

Well, I forgot to mention last time: I forgot to reboot my computer that time when I had lost my connection. It may be the reason behind the connection loss. At that time, I was very worried about that blue screen I got, which certainly looked scary, and about ComboFix, as it was terminated unexpectedly without giving me a log file or that message window. I have read that ComboFix is a powerful tool, so I was worried when it terminated unexpectedly, and without rebooting my computer I went for System Restore to undo any damage.
Old 04-15-2009, 01:51 AM   #12 (permalink)
Registered User
 
Join Date: Apr 2009
Posts: 48
OS: Windows Vista SP2


Re: Search engine redirecting to adware websites, cannot run new antimalware programs

Hello chemist,

I tried to run Avenger. After pressing Execute and Yes, it gave me this error. After that, I quit the program, as I thought it was better to ask you first about this error message (image attached). Is it safe to run Avenger despite this error message?
Attached Images
File Type: jpg ScreenHunter_01 Apr. 15 13.15.jpg (25.9 KB, 4 views)
Old 04-15-2009, 05:22 AM   #13 (permalink)
Moderator, Analyst, Security Team; Rangemaster, TSF Academy
 
Join Date: Oct 2007
Location: Georgia
Posts: 10,580
OS: XP SP3


Re: Search engine redirecting to adware websites, cannot run new antimalware programs

Quote:
I forgot to reboot my computer that time when i had lost my connection.
I would have restarted first to see if the connection came back.

There was an error in my script for Avenger. I edited it. It should run now.
Old 04-15-2009, 10:44 AM   #14 (permalink)
Moderator, Analyst, Security Team; Rangemaster, TSF Academy
 
Join Date: Oct 2007
Location: Georgia
Posts: 10,580
OS: XP SP3


Re: Search engine redirecting to adware websites, cannot run new antimalware programs

I edited the script again. It should run now.
04-15-2009, 10:46 AM   #15
wind_chariot
Registered User
Join Date: Apr 2009
Posts: 48
OS: Windows Vista SP2

Re: Search engine redirecting to adware websites, cannot run new antimalware programs

Hello chemist.

I have a similar error to last time, after clicking 'Execute'. I am posting an image of the error.
Attached image: ScreenHunter_01 Apr. 15 22.12.jpg (30.0 KB)
04-15-2009, 10:51 AM   #16
chemist
Moderator, Analyst, Security Team; Rangemaster, TSF Academy
Join Date: Oct 2007
Location: Georgia
Posts: 10,580
OS: XP SP3

Re: Search engine redirecting to adware websites, cannot run new antimalware programs

I edited the script again. It should run now.
04-16-2009, 01:56 AM   #17
wind_chariot
Registered User
Join Date: Apr 2009
Posts: 48
OS: Windows Vista SP2

Re: Search engine redirecting to adware websites, cannot run new antimalware programs

Hello chemist,

After Avenger rebooted my computer, I got an error message saying 'Windows startup error', which said there was some problem at startup due to new hardware or new software, and it told me to go into the repair wizard. I went into it. It told me to go to a restore point. I declined, and then it said it couldn't find a solution to the problem. Then it opened my computer as usual and I got this Avenger logfile. I am posting it. After that, I am posting the HijackThis logfile.

---------------------------------------------------------------------

This is the Avenger logfile.


//////////////////////////////////////////
Avenger Pre-Processor log
//////////////////////////////////////////

Platform: Windows NT 6.0 (build 6001, Service Pack 1)
Wed Apr 15 13:16:24 2009

13:16:20: Error: Invalid registry syntax in command:
"[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DownloadAccelerator]"
Only registry keys under the HKEY_LOCAL_MACHINE hive are accessible to this program.
Skipping line. (Registry key deletion mode)
13:16:24: Error: Execution aborted by user!


//////////////////////////////////////////


//////////////////////////////////////////
Avenger Pre-Processor log
//////////////////////////////////////////

Platform: Windows NT 6.0 (build 6001, Service Pack 1)
Wed Apr 15 22:12:42 2009

22:12:38: Error: Invalid registry syntax in command:
"HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{da594275-afed-11dc-ac95-001aa0fd32fd}"
Only registry keys under the HKEY_LOCAL_MACHINE hive are accessible to this program.
Skipping line. (Registry key deletion mode)
22:12:42: Error: Execution aborted by user!


//////////////////////////////////////////


Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows Vista

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.

Hidden driver "gaopdxserv.sys" found!
ImagePath: \systemroot\system32\drivers\gaopdxxbyrupumrpvnywbwonteqokctxiqijdf.sys
Start Type: 4 (Disabled)

Rootkit scan completed.

Driver "gaopdxserv.sys" deleted successfully.
Driver "Packet" deleted successfully.
File "c:\windows\system32\drivers\bidpxtjwvtnqrwya.sys" deleted successfully.
File "c:\windows\system32\gaopdxcounter" deleted successfully.
File "c:\windows\system32\drivers\gaopdxxbyrupumrpvnywbwonteqokctxiqijdf.sys" deleted successfully.
File "c:\windows\system32\gaopdxuxbxmcquiimpfmarfibxwcrpeqjxgufq.dll" deleted successfully.
File "c:\windows\system32\MabryObj.dll" deleted successfully.
Registry key "HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DownloadAccelerator" deleted successfully.
Registry key "HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IEraseTraces" deleted successfully.
Registry key "HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LDM" deleted successfully.
Registry key "HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr" deleted successfully.
Registry key "HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MySpaceIM" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.


----------------------------------------------------------------

And this is the HijackThis logfile.



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 01:14, on 2009-04-16
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Unable to get Internet Explorer version!
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Raxco\PerfectDisk10\PDAgentS1.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\DellTPad\Apoint.exe
C:\Windows\System32\WLTRAY.EXE
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe
C:\Program Files\Dell\MediaDirect\PCMService.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\McAfee\VirusScan Enterprise\shstat.exe
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Windows\System32\nwtray.exe
C:\Program Files\Sigmatel\C-Major Audio\WDM\sttray.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Windows\System32\rundll32.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Users\bhushan\AppData\Local\Google\Update\GoogleUpdate.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\DataStudio\PASPortal.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\DellTPad\ApMsgFwd.exe
C:\Program Files\DellTPad\HidFind.exe
C:\Program Files\DellTPad\Apntex.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\CPSHelpRunner.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/?.home=ytie
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/?.home=ytie
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer provided by Dell
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - C:\Program Files\Orbitdownloader\orbitcth.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareBlock Class - {0A87E45F-537A-40B4-B812-E2544C21A09F} - (no file)
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SearchHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\Scriptcl.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O2 - BHO: Ask Toolbar BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O3 - Toolbar: Grab Pro - {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - C:\Program Files\Orbitdownloader\GrabPro.dll
O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O3 - Toolbar: Ask Toolbar - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [Apoint] C:\Program Files\DellTPad\Apoint.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\Windows\system32\WLTRAY.exe
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\MediaDirect\PCMService.exe"
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [SigmatelSysTrayApp] C:\Program Files\SigmaTel\C-Major Audio\WDM\sttray.exe
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NVHotkey] rundll32.exe C:\Windows\system32\nvHotkey.dll,Start
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [VirtualCloneDrive] "C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" /s
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [AlcoholAutomount] "C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" /automount
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Google Update] "C:\Users\bhushan\AppData\Local\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Global Startup: PASPortal.lnk = ?
O4 - Global Startup: QuickSet.lnk = ?
O4 - Global Startup: VPN Client.lnk = ?
O8 - Extra context menu item: &Download by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/201
O8 - Extra context menu item: &Grab video by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/204
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\Windows\system32\GPhotos.scr/200
O8 - Extra context menu item: Do&wnload selected by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/203
O8 - Extra context menu item: Down&load all by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/202
O8 - Extra context menu item: Download &Flash Movies - C:\Program Files\Flash2X\Flash Hunter\save.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Flash - {5699BDDB-A771-4E54-ACBB-BE86921D7892} - (no file)
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - (no file)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: Flash2X Flash Hunter - {77B563A5-2A35-4E6B-BFC8-F4B6BB65D5DF} - C:\Program Files\Flash2X\Flash Hunter\save.htm (file missing) (HKCU)
O9 - Extra 'Tools' menuitem: &Launch Flash Hunter - {77B563A5-2A35-4E6B-BFC8-F4B6BB65D5DF} - C:\Program Files\Flash2X\Flash Hunter\save.htm (file missing) (HKCU)
O13 - Gopher Prefix:
O15 - Trusted Zone: http://*.2adultflashgames.com
O15 - Trusted Zone: http://*.56.com
O15 - Trusted Zone: http://*.forumflicks.com
O15 - Trusted Zone: http://*.funny-games.biz
O15 - Trusted Zone: http://*.mysexgames.com
O15 - Trusted Zone: http://*.voyeurweb.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{2F43782C-203E-43C3-8D2A-C0295990D6FD}: NameServer = 85.255.112.96,85.255.112.11
O17 - HKLM\System\CCS\Services\Tcpip\..\{BAEB3BD3-2EA9-483B-ACB2-7CBDF3988084}: NameServer = 85.255.112.96,85.255.112.11
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.112.96,85.255.112.11
O17 - HKLM\System\CS1\Services\Tcpip\..\{2F43782C-203E-43C3-8D2A-C0295990D6FD}: NameServer = 85.255.112.96,85.255.112.11
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.112.96,85.255.112.11
O17 - HKLM\System\CS2\Services\Tcpip\..\{2F43782C-203E-43C3-8D2A-C0295990D6FD}: NameServer = 85.255.112.96,85.255.112.11
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.112.96,85.255.112.11
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Google Desktop Manager 5.8.811.4345 (GoogleDesktopManager-110408-113106) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Update Service (gupdate1c985d1db8f2b1c) (gupdate1c985d1db8f2b1c) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Advanced Networking Service (hnmsvc) - SingleClick Systems - C:\Program Files\Dell Network Assistant\hnm_svc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk10\PDAgent.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk10\PDEngine.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: SolidWorks Licensing Service - SolidWorks - C:\Program Files\Common Files\SolidWorks Shared\Service\SolidWorksLicensing.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\Windows\system32\STacSV.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: @%SystemRoot%\System32\TuneUpDefragService.exe,-1 (TuneUp.Defrag) - TuneUp Software - C:\Windows\System32\TuneUpDefragService.exe
O23 - Service: @%SystemRoot%\System32\TUProgSt.exe,-1 (TuneUp.ProgramStatisticsSvc) - TuneUp Software - C:\Windows\System32\TUProgSt.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\Windows\System32\WLTRYSVC.EXE
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe
O23 - Service: Novell XTier Service Manager (XTSvcMgr) - Novell, Inc. - C:\Program Files\Novell\Client\XTier\Services\XTSvcMgr.exe

--
End of file - 15081 bytes
04-16-2009, 06:52 AM   #18
chemist
Moderator, Analyst, Security Team; Rangemaster, TSF Academy
Join Date: Oct 2007
Location: Georgia
Posts: 10,580
OS: XP SP3

Re: Search engine redirecting to adware websites, cannot run new antimalware programs

Hello again, wind_chariot.

Right-click HijackThis and select Run as Administrator.

Click on 'Do a System Scan Only'. Check the following entries if they still exist: (Make sure you do not miss any)

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
O15 - Trusted Zone: http://*.2adultflashgames.com
O15 - Trusted Zone: http://*.56.com
O15 - Trusted Zone: http://*.forumflicks.com
O15 - Trusted Zone: http://*.funny-games.biz
O15 - Trusted Zone: http://*.mysexgames.com
O15 - Trusted Zone: http://*.voyeurweb.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{2F43782C-203E-43C3-8D2A-C0295990D6FD}: NameServer = 85.255.112.96,85.255.112.11
O17 - HKLM\System\CCS\Services\Tcpip\..\{BAEB3BD3-2EA9-483B-ACB2-7CBDF3988084}: NameServer = 85.255.112.96,85.255.112.11
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.112.96,85.255.112.11
O17 - HKLM\System\CS1\Services\Tcpip\..\{2F43782C-203E-43C3-8D2A-C0295990D6FD}: NameServer = 85.255.112.96,85.255.112.11
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.112.96,85.255.112.11
O17 - HKLM\System\CS2\Services\Tcpip\..\{2F43782C-203E-43C3-8D2A-C0295990D6FD}: NameServer = 85.255.112.96,85.255.112.11
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.112.96,85.255.112.11


Please remember to close all other windows, including browsers then click Fix checked.

Please close HijackThis now.

------------------------------------------------------

Restart your computer.

Please run dds again and post the DDS.txt in your next reply.

How is your machine behaving?

------------------------------------------------------
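The O17 lines chemist lists above are the TCP/IP NameServer settings from the HijackThis log: every control set (CCS, CS1, CS2) and both interface keys point at 85.255.112.96 and 85.255.112.11. As an added example for this thread (not code from HijackThis, Avenger or the forum), the Python below pulls O17 NameServer entries out of an HJT log, flags any resolver not on an allow-list, and reports in which control sets each resolver appears. The seven O17 sample lines are copied from the log posted in this thread; the benign 192.168.1.1 line, its placeholder GUID and the allow-list are constructed assumptions.

```python
"""Flag suspicious O17 (TCP/IP NameServer) entries in a HijackThis log.

Added example for this thread; not code from HijackThis or the forum.
The O17 sample lines are copied from the HJT log posted above; the benign
192.168.1.1 line and the allow-list are constructed assumptions.
"""
import re
from collections import defaultdict

SAMPLE_HJT_LINES = [
    # Lines taken verbatim from the HJT log in this thread:
    r"O17 - HKLM\System\CCS\Services\Tcpip\..\{2F43782C-203E-43C3-8D2A-C0295990D6FD}: NameServer = 85.255.112.96,85.255.112.11",
    r"O17 - HKLM\System\CCS\Services\Tcpip\..\{BAEB3BD3-2EA9-483B-ACB2-7CBDF3988084}: NameServer = 85.255.112.96,85.255.112.11",
    r"O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.112.96,85.255.112.11",
    r"O17 - HKLM\System\CS1\Services\Tcpip\..\{2F43782C-203E-43C3-8D2A-C0295990D6FD}: NameServer = 85.255.112.96,85.255.112.11",
    r"O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.112.96,85.255.112.11",
    r"O17 - HKLM\System\CS2\Services\Tcpip\..\{2F43782C-203E-43C3-8D2A-C0295990D6FD}: NameServer = 85.255.112.96,85.255.112.11",
    r"O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.112.96,85.255.112.11",
    # Constructed benign line (placeholder GUID, not from the log) to show an allow-listed resolver passing:
    r"O17 - HKLM\System\CCS\Services\Tcpip\..\{CONSTRUCTED-0000-GUID}: NameServer = 192.168.1.1",
    # A non-O17 line from the same log; the parser ignores it:
    r"O1 - Hosts: ::1 localhost",
]

# Constructed assumption: the resolver(s) this machine is expected to use.
EXPECTED_RESOLVERS = {"192.168.1.1"}

# O17 lines come in two shapes:
#   O17 - HKLM\System\CCS\Services\Tcpip\..\{GUID}: NameServer = a.b.c.d,e.f.g.h   (per interface)
#   O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = a.b.c.d           (global)
O17_RE = re.compile(
    r"^O17 - HKLM\\System\\(?P<cs>CCS|CS\d+)\\Services\\Tcpip\\"
    r"(?:\.\.\\(?P<iface>\{[^}]+\})|Parameters)"
    r":\s*(?P<name>\w+)\s*=\s*(?P<value>.*)$"
)


def parse_o17(lines):
    """Return one dict per O17 line that sets NameServer (other O17 values are skipped)."""
    entries = []
    for line in lines:
        m = O17_RE.match(line.strip())
        if not m or m.group("name") != "NameServer":
            continue
        servers = [s for s in re.split(r"[ ,]+", m.group("value").strip()) if s]
        entries.append({
            "control_set": m.group("cs"),                # CCS, CS1, CS2, ...
            "scope": m.group("iface") or "Parameters",   # interface GUID or the global key
            "servers": servers,
        })
    return entries


def flag_entries(entries, allowed):
    """Entries whose resolver list contains anything outside the allow-list."""
    allowed = set(allowed)
    return [e for e in entries if not set(e["servers"]) <= allowed]


def control_set_coverage(entries):
    """Map each resolver to the sorted list of control sets that carry it.

    CS1/CS2 are the real ControlSet00x keys and CCS is a link to one of them;
    a resolver present in all of them is not cleared by Last Known Good.
    """
    cov = defaultdict(set)
    for e in entries:
        for s in e["servers"]:
            cov[s].add(e["control_set"])
    return {s: sorted(cs) for s, cs in cov.items()}


def report(lines, allowed):
    """Human-readable summary: one line per flagged entry, then coverage per resolver."""
    entries = parse_o17(lines)
    out = []
    for e in flag_entries(entries, allowed):
        out.append(f"{e['control_set']:<4} {e['scope']:<40} NameServer = {','.join(e['servers'])}")
    for server, sets in control_set_coverage(entries).items():
        out.append(f"{server} present in: {', '.join(sets)}")
    return out


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_HJT_LINES, EXPECTED_RESOLVERS)))
```

The report only says which entries are set where; what should replace them is a separate question, and the next post in this thread shows why it matters: the user lost connectivity right after fixing these entries, and chemist's first question is whether a reboot was tried before falling back to System Restore.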
04-16-2009, 10:18 AM   #19
wind_chariot
Registered User
Join Date: Apr 2009
Posts: 48
OS: Windows Vista SP2

Re: Search engine redirecting to adware websites, cannot run new antimalware programs

Hello chemist,

Before asking for help here, I ran HijackThis and posted the log on http://www.hijackthis.de/. They advised me to fix all O17 entries. When I fixed those entries, I lost my connection and I was not able to get it back. I had to use System Restore. I thought I should inform you that I had performed the step you advised before and had a bad result after that.
04-16-2009, 12:20 PM   #20
chemist
Moderator, Analyst, Security Team; Rangemaster, TSF Academy
Join Date: Oct 2007
Location: Georgia
Posts: 10,580
OS: XP SP3

Re: Search engine redirecting to adware websites, cannot run new antimalware programs

Did you try rebooting your computer before doing the system restore to see if your connection came back?
Copyright 2001 - 2009, Tech Support Forum