What do you do when you cannot get rid of viruses?

I wanted to ask you also: I have 60 GB of pictures and want to make my computer faster. People say it will not if I put them on an external, what do you think? I have 152 GB used and 142 GB free. I believe I have 2 GB of RAM and a 320 GB hard drive. I cannot see my system properties because it just gives me an hourglass for a second and will not open.


Also, I did not restart yet. I installed AVG, and the second I did I got this.
http://yfrog.com/6691250709j



Something is definitely up. After posting those two logs, my computer is running like a snail, particularly the internet. I noticed it is sometimes stopping my connection; can a virus do that?
 
Well, it found 4 yet again, and AVG keeps popping up these fake virus alert things. I tried to heal them, but it said the action was not supported. Those viruses came back. Here are the logs:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:32:56 PM, on 2/10/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18372)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
C:\Program Files\LeapFrog\LeapFrog Connect\CommandService.exe
C:\WINDOWS\runservice.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\TVersity\Media Server\MediaServer.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Bing
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = Yahoo! SearchBar Home Page
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Bing
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = Yahoo!
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = Dell Start Page
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = Yahoo!
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = MySpace
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
O3 - Toolbar: Contribute Toolbar - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - C:\Program Files\Adobe\/Adobe Contribute CS4/contributeieplugin.dll
O4 - HKLM\..\Run: [Adobe_Reader] c:\program files\internet explorer\wmpscfgs.exe
O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: Append Link Target to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Append to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert Link Target to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Locate Spot on Map by GPS - C:\Program Files\Opanda\IExif 2.3\IExifMap.htm
O8 - Extra context menu item: View Exif/GPS/IPTC with IExif - C:\Program Files\Opanda\IExif 2.3\IExifCom.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\Office12\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1198897468875
O16 - DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} (Image Uploader Control) - http://www.winkflash.com/photo/loaders/ImageUploader4.cab
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
O16 - DPF: {CB50428B-657F-47DF-9B32-671F82AA73F7} - http://www.photodex.com/pxplay.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Adobe Version Cue CS4 - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS4\Server\bin\VersionCueCS4.exe
O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Remote Connections Service (FlexService) - Unknown owner - C:\Program Files\RapidBIT\cisvc.exe (file missing)
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: LeapFrog Connect Device Service - LeapFrog Enterprises, Inc. - C:\Program Files\LeapFrog\LeapFrog Connect\CommandService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS\runservice.exe
O23 - Service: TVersityMediaServer - Unknown owner - C:\Program Files\TVersity\Media Server\MediaServer.exe
O24 - Desktop Component 0: (no name) - http://jade-creations.com/AprilChambeau1-Madison1.jpg

--
End of file - 7106 bytes
 
Malwarebytes' Anti-Malware 1.44
Database version: 3722
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18372

2/10/2010 7:31:16 PM
mbam-log-2010-02-10 (19-31-11).txt

Scan type: Quick Scan
Objects scanned: 151553
Time elapsed: 10 minute(s), 22 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\adobe_reader (Trojan.Agent) -> No action taken.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Program Files\Internet Explorer\js.mui (Trojan.Downloader) -> No action taken.
C:\Documents and Settings\April\Local Settings\temp\wmpscfgs.exe (Trojan.Downloader) -> No action taken.
 
After Malwarebytes ran, did it prompt you to reboot to remove the infections? If so, then you need to do that.

Can you follow the path on the screenshot and delete that file?

This time, boot into Safe Mode and run ComboFix and then Malwarebytes; post their logs when done.

Make sure under msconfig > Startup there aren't any entries checked that shouldn't be. Typically you can uncheck everything except your antivirus.
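
The script below is an added example and is not part of this thread, of HijackThis, or of ComboFix. It does by code what a helper does by eye when reading logs like the ones posted above: it scans HijackThis/ComboFix-style lines and flags a Run value whose name shares no token with the executable it launches (the Adobe_Reader entry pointing at wmpscfgs.exe in the Internet Explorer folder), a service with an unknown owner or a missing binary (the RapidBIT FlexService entry), file names with a space before .exe (the avgtray .exe style lines), and several differently named executables that all have the same byte size (wmpscfgs.exe, avgtray.exe and rundll32.exe all show 55808 bytes in the ComboFix output, which is what a dropper that overwrites binaries with one payload leaves behind). The sample lines are constructed to mirror those patterns rather than copied from the poster's machine, and the token-matching heuristic and the 8-character ComboFix attribute field are assumptions of this script, not anything either tool documents.

```python
"""Triage helper for HijackThis / ComboFix-style startup listings.

Added example, not part of the forum thread or of either tool. It flags
four patterns a helper would look for by eye in logs like the ones above.
"""
import re
from collections import defaultdict

# Constructed sample lines modelled on the patterns in the logs above (value
# names, paths and sizes picked to exercise each check; not copied from the
# poster's machine).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Adobe_Reader] c:\program files\internet explorer\wmpscfgs.exe
O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: Remote Connections Service (FlexService) - Unknown owner - C:\Program Files\RapidBIT\cisvc.exe (file missing)
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
c:\program files\AVG\AVG9\avgtray .exe
c:\windows\pchealth\helpctr\binaries\msconfig .exe
2010-02-11 02:00 55808 ----a-w- c:\program files\Internet Explorer\wmpscfgs.exe
2010-02-11 01:46 55808 ----a-w- c:\progra~1\AVG\AVG9\avgtray.exe
2010-02-10 01:47 . 2004-08-10 17:51 55808 ----a-w- c:\windows\system32\rundll32.exe
2008-04-14 00:12 15360 ------w- c:\windows\system32\ctfmon.exe
"""

# HijackThis O4 line: "O4 - <hive>\..\Run: [<value name>] <command>"
RUN_RE = re.compile(r'^O4 - .*?\[(?P<name>[^\]]+)\]\s+(?P<path>.+?)\s*$')
# HijackThis O23 line: "O23 - Service: <desc> - <owner> - <binary>"
SERVICE_RE = re.compile(r'^O23 - Service: (?P<desc>.+?) - (?P<owner>.+?) - (?P<path>.+?)\s*$')
# ComboFix file line: "... <size> <8-char attribute field> <path>.exe"
# (the 8-character attribute field is an assumption drawn from the logs above)
SIZED_RE = re.compile(r'(?P<size>\d+)\s+[-a-z]{8}\s+(?P<path>.+\.exe)\s*$', re.I)
# A file name with whitespace before its extension, e.g. "avgtray .exe"
SPACED_RE = re.compile(r'\S\s+\.exe\s*$', re.I)


def tokens(text):
    """Alphanumeric tokens of three or more characters, lower-cased."""
    return {t for t in re.split(r'[^a-z0-9]+', text.lower()) if len(t) >= 3}


def run_value_mismatch(name, path):
    """True when no token of the Run value name occurs in the command path.

    Heuristic: legitimate entries such as AVG9_TRAY -> avgtray.exe share a
    token; a name like Adobe_Reader launching wmpscfgs.exe from the Internet
    Explorer folder does not.
    """
    lowered = path.lower()
    return not any(t in lowered for t in tokens(name))


def basename(path):
    """Last path component, lower-cased, for either separator style."""
    return path.replace('/', '\\').rsplit('\\', 1)[-1].lower()


def triage(log_text):
    """Return the suspicious patterns found in a HijackThis/ComboFix-style log."""
    findings = {
        'run_name_mismatch': [],   # (value name, command)
        'suspicious_service': [],  # (description, binary)
        'spaced_extension': [],    # raw line
        'shared_size': [],         # (size, [distinct basenames])
    }
    by_size = defaultdict(set)
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = RUN_RE.match(line)
        if m:
            if run_value_mismatch(m['name'], m['path']):
                findings['run_name_mismatch'].append((m['name'], m['path']))
            continue
        m = SERVICE_RE.match(line)
        if m:
            if m['owner'].lower() == 'unknown owner' or 'file missing' in m['path'].lower():
                findings['suspicious_service'].append((m['desc'], m['path']))
            continue
        if SPACED_RE.search(line):
            findings['spaced_extension'].append(line)
            continue
        m = SIZED_RE.search(line)
        if m:
            by_size[int(m['size'])].add(basename(m['path']))
    # Several differently named executables of exactly the same size is what a
    # dropper that overwrites binaries with one payload leaves behind.
    for size, names in sorted(by_size.items()):
        if len(names) > 1:
            findings['shared_size'].append((size, sorted(names)))
    return findings


if __name__ == '__main__':
    for kind, items in triage(SAMPLE_LOG).items():
        print(kind)
        for item in items:
            print('   ', item)
```

The name-token check is deliberately crude and will flag legitimate entries whose value name shares no token with the binary (TkBellExe launching realsched.exe, in the ComboFix output further down, is one such), so treat its output as a list to verify against a known-good machine, not a verdict. The shared-size check only works on listings that carry sizes, which is why the ComboFix lines rather than the HijackThis lines feed it.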
 
ComboFix 10-02-10.04 - April 02/10/2010 20:51:22.9.2 - x86 NETWORK
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1725 [GMT -5:00]
Running from: c:\documents and settings\April\My Documents\Downloads\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: PC-cillin Internet Security - Firewall *enabled* {3E790E9E-6A5D-4303-A7F9-185EC20F3EB6}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Internet Explorer\js.mui
c:\program files\Internet Explorer\wmpscfgs.exe
c:\windows\system32\ctfmon .exe

.
((((((((((((((((((((((((( Files Created from 2010-01-11 to 2010-02-11 )))))))))))))))))))))))))))))))
.

2010-02-11 00:09 . 2010-02-11 00:03 3777280 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\setup.exe
2010-02-11 00:09 . 2010-02-11 00:03 1260800 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgfrw.exe
2010-02-11 00:03 . 2010-02-11 00:03 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-02-11 00:03 . 2010-02-11 00:03 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-02-11 00:03 . 2010-02-11 00:03 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-02-11 00:03 . 2010-02-11 00:03 28424 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2010-02-11 00:03 . 2010-02-11 00:03 -------- d-----w- c:\windows\system32\drivers\Avg
2010-02-10 18:53 . 2009-06-21 21:44 153088 ------w- c:\windows\system32\dllcache\triedit.dll
2010-02-10 17:26 . 2009-11-21 15:51 471552 ------w- c:\windows\system32\dllcache\aclayers.dll
2010-02-10 15:56 . 2010-02-10 16:05 -------- d-----w- c:\program files\Exterminate It!
2010-02-10 06:37 . 2009-12-02 13:19 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-02-10 06:37 . 2010-02-10 06:37 862040 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\threatwork.exe
2010-02-10 06:37 . 2010-02-10 06:37 15880 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lsdelete.exe
2010-02-10 06:37 . 2010-02-10 06:37 206944 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lavamessage.dll
2010-02-10 06:37 . 2010-02-10 06:37 390288 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lavalicense.dll
2010-02-10 06:37 . 2010-02-10 06:37 537576 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\aawapi.dll
2010-02-10 06:37 . 2010-02-10 06:37 389784 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\UpdateManager.dll
2010-02-10 06:37 . 2010-02-10 06:37 163728 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\ShellExt.dll
2010-02-10 06:36 . 2010-02-10 06:36 6296864 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Resources.dll
2010-02-10 06:36 . 2010-02-10 06:36 327000 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\RPAPI.dll
2010-02-10 06:36 . 2010-02-10 06:36 87496 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\PrivacyClean.dll
2010-02-10 06:36 . 2010-02-10 06:36 933120 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\CEAPI.dll
2010-02-10 06:36 . 2010-02-10 06:36 3803208 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AutoLaunch.exe
2010-02-10 06:36 . 2010-02-10 06:36 816784 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareCommand.exe
2010-02-10 06:36 . 2010-02-10 06:36 823928 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareAdmin.exe
2010-02-10 06:36 . 2010-02-10 06:36 1643272 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-Aware.exe
2010-02-10 06:36 . 2010-02-10 06:36 788880 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWTray.exe
2010-02-10 06:36 . 2010-02-10 06:36 1181328 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWService.exe
2010-02-10 06:34 . 2010-02-10 06:41 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-02-10 06:28 . 2009-12-07 14:10 2953352 -c--a-w- c:\documents and settings\All Users\Application Data\{BC9FCCF7-E686-494B-8C9B-55C9A39A7CA9}\Ad-AwareInstallation.exe
2010-02-10 06:25 . 2010-02-10 06:28 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{BC9FCCF7-E686-494B-8C9B-55C9A39A7CA9}
2010-02-10 01:49 . 2010-02-10 01:49 0 ----a-w- c:\windows\Rlosecaba.bin
2010-02-10 01:49 . 2010-02-10 01:49 120 ----a-w- c:\windows\Ctotabuyutomobu.dat
2010-02-10 01:49 . 2010-02-10 01:49 -------- d-----w- c:\documents and settings\April\Local Settings\Application Data\{07E88A6D-9142-42B0-80A9-6062F188F3FB}
2010-02-10 00:37 . 2010-01-07 21:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-10 00:37 . 2010-02-10 17:00 -------- d-----w- c:\program files\SCANNER
2010-02-10 00:37 . 2010-01-07 21:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-02-09 21:28 . 2010-02-09 22:02 -------- d-----w- C:\$AVG
2010-02-09 21:06 . 2010-02-11 00:03 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2010-02-09 20:56 . 2010-02-09 20:59 1048 ----a-w- c:\documents and settings\All Users\Application Data\fiosejgfse.dll
2010-02-06 22:16 . 2008-05-06 06:01 45056 ----a-w- c:\windows\system32\WNASPI32.DLL
2010-02-06 22:16 . 2008-05-06 06:01 16512 ----a-w- c:\windows\system32\drivers\aspi32.sys
2010-02-06 22:15 . 2010-02-08 04:39 -------- d-----w- c:\program files\RapidBIT
2010-02-06 22:07 . 2010-02-06 22:16 -------- d-----w- c:\program files\ImTOO
2010-02-06 22:04 . 2010-02-06 22:04 -------- d-----w- c:\documents and settings\April\Local Settings\Application Data\HandBrake
2010-02-06 22:04 . 2010-02-06 22:04 -------- d-----w- c:\documents and settings\April\Application Data\HandBrake
2010-02-06 22:04 . 2010-02-07 23:45 -------- d-----w- c:\program files\Handbrake
2010-02-04 04:49 . 2010-02-07 23:48 -------- d-----w- c:\program files\Xobni
2010-02-04 04:48 . 2010-02-04 04:48 -------- d-----w- c:\program files\The Weather Channel FW
2010-02-04 04:48 . 2010-02-04 04:48 -------- d-----w- c:\documents and settings\April\Local Settings\Application Data\The Weather Channel
2010-01-19 01:31 . 2010-01-19 01:31 -------- d-----w- c:\documents and settings\April\Local Settings\Application Data\Flickr
2010-01-19 01:31 . 2010-01-19 01:31 -------- d-----w- c:\documents and settings\April\Application Data\Flickr

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-10 21:40 . 2008-08-05 01:24 -------- d-----w- c:\program files\Microsoft Silverlight
2010-02-10 21:14 . 2009-01-15 01:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-02-10 21:04 . 2007-11-26 17:36 -------- d-----w- c:\program files\Microsoft Works
2010-02-10 06:48 . 2007-12-29 06:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-02-10 06:28 . 2007-12-27 17:56 -------- d-----w- c:\program files\Lavasoft
2010-02-10 06:28 . 2007-12-27 17:56 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-02-10 05:58 . 2009-10-21 19:38 -------- d-----w- c:\program files\Imagenomic
2010-02-10 01:47 . 2004-08-10 17:51 55808 ----a-w- c:\windows\system32\rundll32.exe
2010-02-10 01:30 . 2010-02-09 20:08 8 ----a-w- c:\documents and settings\All Users\Application Data\mswintmp.dat
2010-02-10 01:29 . 2009-12-20 04:37 -------- d-----w- c:\program files\PeerBlock
2010-02-10 01:17 . 2008-12-06 21:43 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-02-10 00:04 . 2009-12-08 01:44 -------- d-----w- c:\documents and settings\April\Application Data\uTorrent
2010-02-09 21:24 . 2008-12-07 01:00 -------- d-----w- c:\program files\AVG
2010-02-07 00:17 . 2008-05-10 20:19 -------- d-----w- c:\program files\AVS4YOU
2010-02-07 00:17 . 2008-05-10 20:19 -------- d-----w- c:\program files\Common Files\AVSMedia
2010-02-06 22:17 . 2009-06-26 19:57 -------- d-----w- c:\documents and settings\April\Application Data\ImTOO Software Studio
2010-02-04 18:55 . 2008-05-10 20:20 -------- d-----w- c:\documents and settings\April\Application Data\AVS4YOU
2010-02-04 18:55 . 2007-12-25 19:30 89672 ----a-w- c:\documents and settings\April\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-01-30 06:24 . 2009-11-10 01:26 -------- d-----w- c:\program files\VS Revo Group
2010-01-30 06:23 . 2007-12-27 20:16 -------- d-----w- c:\program files\FrostWire
2010-01-14 21:49 . 2007-12-31 17:07 -------- d-----w- c:\documents and settings\All Users\Application Data\FLEXnet
2010-01-05 01:00 . 2009-07-04 02:49 256 ----a-w- c:\windows\system32\pool.bin
2009-12-31 16:50 . 2004-08-10 17:51 353792 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-28 16:33 . 2007-11-26 17:20 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-12-28 16:33 . 2009-12-28 16:33 -------- d-----w- c:\program files\Sonic
2009-12-28 16:21 . 2009-12-28 16:21 10134 ----a-r- c:\documents and settings\April\Application Data\Microsoft\Installer\{14291118-0C19-45EA-A4FA-5C1C0F5FDE09}\ARPPRODUCTICON.exe
2009-12-28 16:20 . 2009-12-28 16:20 -------- d-----w- c:\program files\Sony
2009-12-28 16:19 . 2009-12-28 16:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Sony Corporation
2009-12-25 16:35 . 2009-10-31 00:33 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-12-25 16:33 . 2009-12-25 16:33 28696928 ----a-w- c:\documents and settings\All Users\Application Data\Leapfrog\LeapFrog Connect\Updates\UPCInstaller.exe
2009-12-25 16:33 . 2009-10-31 00:32 6969680 ----a-w- c:\documents and settings\All Users\Application Data\Leapfrog\LeapFrog Connect\Updates\TagJuniorPlugin.exe
2009-12-25 16:33 . 2009-12-25 16:33 3106632 ----a-w- c:\documents and settings\All Users\Application Data\Leapfrog\LeapFrog Connect\Updates\MyPalsPlugin.exe
2009-12-24 02:10 . 2009-08-25 16:38 -------- d-----w- c:\program files\JL_Cmder
2009-12-17 19:29 . 2009-07-03 22:21 -------- d-----w- c:\program files\Common Files\Research In Motion
2009-12-16 18:43 . 2004-08-10 18:01 343040 ----a-w- c:\windows\system32\mspaint.exe
2009-12-15 01:20 . 2009-12-15 01:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Research In Motion
2009-12-15 01:18 . 2007-12-25 19:30 -------- d-----w- c:\documents and settings\April\Application Data\InstallShield
2009-12-14 07:08 . 2004-08-10 17:50 33280 ----a-w- c:\windows\system32\csrsrv.dll
2009-12-08 19:26 . 2004-08-10 17:51 2145280 ------w- c:\windows\system32\ntoskrnl.exe
2009-12-08 18:43 . 2004-08-04 03:59 2023936 ------w- c:\windows\system32\ntkrnlpa.exe
2009-12-08 02:49 . 2009-12-08 02:49 42501 ----a-w- c:\windows\system32\unins000.dat
2009-12-08 02:49 . 2009-12-08 02:49 691717 ----a-w- c:\windows\system32\unins000.exe
2009-12-04 18:22 . 2004-08-10 17:51 455424 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2009-11-27 17:11 . 2004-08-10 17:51 1291776 ----a-w- c:\windows\system32\quartz.dll
2009-11-27 17:11 . 2004-08-04 05:56 17920 ----a-w- c:\windows\system32\msyuv.dll
2009-11-27 16:07 . 2004-08-10 17:51 28672 ----a-w- c:\windows\system32\msvidc32.dll
2009-11-27 16:07 . 2001-08-18 03:36 8704 ----a-w- c:\windows\system32\tsbyuv.dll
2009-11-27 16:07 . 2004-08-10 17:51 11264 ----a-w- c:\windows\system32\msrle32.dll
2009-11-27 16:07 . 2004-08-10 17:50 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-11-27 16:07 . 2004-08-04 05:56 48128 ----a-w- c:\windows\system32\iyuv_32.dll
2009-11-21 15:51 . 2004-08-10 17:50 471552 ----a-w- c:\windows\AppPatch\aclayers.dll
2008-01-11 22:45 . 2008-01-09 07:32 88 --sh--r- c:\windows\system32\5EE5F9063E.sys
2008-01-11 22:48 . 2008-01-09 07:29 2516 --sha-w- c:\windows\system32\KGyGaAvL.sys
2008-12-19 22:08 . 2008-11-02 06:22 953 --sha-w- c:\windows\system32\mmf.sys
.
c:\program files\AVG\AVG9\avgtray .exe
c:\program files\Common Files\InstallShield\UpdateService\isuspm .exe
c:\program files\SCANNER\scan me  .exe
c:\program files\Spybot - Search & Destroy\teatimer .exe
c:\program files\The Weather Channel FW\Desktop\desktopweather .exe
c:\windows\pchealth\helpctr\binaries\msconfig .exe

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe_Reader"="c:\program files\internet explorer\wmpscfgs.exe" [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"="c:\windows\system32\logonuiX.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-02-11 00:03 12464 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Spb Backup Sync.lnk]
backup=c:\windows\pss\Spb Backup Sync.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^April^Start Menu^Programs^Startup^Picture Motion Browser Media Check Tool.lnk]
backup=c:\windows\pss\Picture Motion Browser Media Check Tool.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^April^Start Menu^Programs^Startup^PMB Media Check Tool.lnk]
path=c:\documents and settings\April\Start Menu\Programs\Startup\PMB Media Check Tool.lnk
backup=c:\windows\pss\PMB Media Check Tool.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^April^Start Menu^Programs^Startup^Sprint media monitor.lnk]
backup=c:\windows\pss\Sprint media monitor.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^April^Start Menu^Programs^Startup^wkcalrem.LNK]
backup=c:\windows\pss\wkcalrem.LNKStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\%PROVIDERID%]
bin\sprtcmd.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
2009-12-21 23:35 640440 ----a-w- c:\program files\Adobe\Acrobat 9.0\Acrobat\acrotray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Acrobat Speed Launcher]
2009-12-22 06:26 38840 ----a-w- c:\program files\Adobe\Acrobat 9.0\Acrobat\acrobat_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2009-12-11 20:57 948672 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2008-01-12 02:16 39792 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeCS4ServiceManager]
2009-03-11 17:54 611712 ----a-w- c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeUpdater]
2009-01-21 05:15 2356088 ----a-w- c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe_ID0ENQBO]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe_Reader]
2010-02-11 02:00 55808 ----a-w- c:\program files\Internet Explorer\wmpscfgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATICCC]
2006-09-25 14:12 90112 ----a-w- c:\program files\ATI Technologies\ATI.ACE\CLIStart.exe
 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG8_TRAY]
c:\progra~1\AVG\AVG8\avgtray.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG9_TRAY]
2010-02-11 01:46 55808 ----a-w- c:\progra~1\AVG\AVG9\avgtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BlackBerryAutoUpdate]
2009-11-20 03:29 623960 ----a-w- c:\program files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CanonMyPrinter]
2007-09-14 01:50 1603152 ----a-w- c:\program files\Canon\MyPrinter\BJMYPRT.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CanonSolutionMenu]
2007-10-26 01:10 652624 ----a-w- c:\program files\Canon\SolutionMenu\CNSLMAIN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ComcastAntispyClient]
c:\program files\comcasttb\ComcastSpywareScan\ComcastAntispy.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ------w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ddexpshare.exe]
c:\docume~1\April\LOCALS~1\Temp\ddexpshare.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupportCenter]
c:\program files\Dell Support Center\bin\sprtcmd.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DropBoxUtility]
c:\program files\DropBox\DropBox\DropBox.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dscactivate]
c:\program files\Dell Support Center\gs_agent\custom\dsca.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ECenter]
2007-05-24 12:03 17920 ----a-w- c:\dell\E-Center\EULALauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GoTrusted]
c:\program files\GoTrusted.com\GoTrusted Secure Tunnel\GoTrusted Secure Tunnel.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
2006-09-11 08:40 86960 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2009-03-13 00:56 342312 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Messenger (Yahoo!)]
2009-05-27 01:06 4351216 ----a-w- c:\program files\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Monitor]
2009-11-10 15:14 443728 ----a-w- c:\program files\LeapFrog\LeapFrog Connect\Monitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
c:\program files\Windows Live\Messenger\msnmsgr.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Paladin Antivirus]
c:\program files\Paladin Antivirus\pav.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-09-05 05:54 417792 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]
2006-08-17 14:00 1116920 ----a-w- c:\program files\Roxio\Drag-to-Disc\DrgToDsc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxWatchTray]
c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
2009-03-05 21:07 2260480 --sha-r- c:\program files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2008-11-16 03:54 136600 ----a-w- c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2008-03-17 01:38 185896 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\uTorrent]
2009-12-08 01:44 289584 ----a-w- c:\program files\uTorrent\uTorrent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinUtilities Quick Launcher]
c:\program files\WinUtilities\WO.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
2006-10-19 01:05 204288 ------w- c:\program files\Windows Media Player\wmpnscfg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
2009-05-27 01:06 4351216 ----a-w- c:\program files\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=2 (0x2)
"Viewpoint Manager Service"=2 (0x2)
"SQLWriter"=3 (0x3)
"RoxLiveShare9"=2 (0x2)
"ProtexisLicensing"=2 (0x2)
"ose"=3 (0x3)
"odserv"=3 (0x3)
"Lavasoft Ad-Aware Service"=2 (0x2)
"JavaQuickStarterService"=2 (0x2)
"iPod Service"=3 (0x3)
"IDriverT"=3 (0x3)
"FLEXnet Licensing Service"=3 (0x3)
"Ati HotKey Poller"=2 (0x2)
"Apple Mobile Device"=2 (0x2)
"ACDaemon"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS4\\Server\\bin\\VersionCueCS4.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\TVersity\\Media Server\\MediaServer.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:TCP"= 5353:TCP:Adobe CSI CS4
"3703:TCP"= 3703:TCP:Adobe Version Cue CS4 Server
"3704:TCP"= 3704:TCP:Adobe Version Cue CS4 Server
"51000:TCP"= 51000:TCP:Adobe Version Cue CS4 Server
"51001:TCP"= 51001:TCP:Adobe Version Cue CS4 Server

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2/10/2010 1:37 AM 64288]
R0 sonyhcb;Sony Digital Imaging Base;c:\windows\system32\drivers\sonyhcb.sys [12/28/2007 4:36 PM 6097]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2/10/2010 7:03 PM 360584]
S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2/10/2010 7:03 PM 333192]
S2 FlexService;Remote Connections Service;"c:\program files\RapidBIT\cisvc.exe" --> c:\program files\RapidBIT\cisvc.exe [?]
S2 LicCtrlService;LicCtrl Service;c:\windows\Runservice.exe [11/2/2008 1:22 AM 2560]
S3 Adobe Version Cue CS4;Adobe Version Cue CS4;c:\program files\Common Files\Adobe\Adobe Version Cue CS4\Server\bin\VersionCueCS4.exe [8/15/2008 4:46 AM 288112]
S3 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [2/10/2010 7:03 PM 285392]
S3 FlyUsb;FLY Fusion;c:\windows\system32\drivers\flyusb.sys [10/30/2009 7:28 PM 18560]
S3 gttap1;GoTrusted TAP Adapter;c:\windows\system32\DRIVERS\gttap1.sys --> c:\windows\system32\DRIVERS\gttap1.sys [?]
S3 pbfilter;pbfilter;c:\program files\PeerBlock\pbfilter.sys [12/19/2009 11:37 PM 14424]
S3 sonyhcs;Sony Digital Imaging Video;c:\windows\system32\drivers\sonyhcs.sys [12/28/2007 4:36 PM 299923]
S3 tap0801;Smarthide TAP driver;c:\windows\system32\drivers\tap0801.sys [10/12/2007 8:07 AM 55808]
S3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\DRIVERS\TM_CFW.sys --> c:\windows\system32\DRIVERS\TM_CFW.sys [?]
S4 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [12/2/2009 8:19 AM 1181328]
S4 TmPfw;Trend Micro Personal Firewall; [x]
S4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [6/13/2009 2:37 PM 24652]
.
Contents of the 'Scheduled Tasks' folder

2010-02-11 c:\windows\Tasks\Ad-Aware Update (Daily 1).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-12-02 06:36]

2010-02-11 c:\windows\Tasks\Ad-Aware Update (Daily 2).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-12-02 06:36]

2010-02-11 c:\windows\Tasks\Ad-Aware Update (Daily 3).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-12-02 06:36]

2010-02-11 c:\windows\Tasks\Ad-Aware Update (Daily 4).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-12-02 06:36]

2010-02-11 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-12-02 06:36]

2010-02-11 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2010-02-11 c:\windows\Tasks\At1.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-02-11 02:00]

2010-02-11 c:\windows\Tasks\At10.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-02-11 02:00]

2010-02-11 c:\windows\Tasks\At11.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-02-11 02:00]

2010-02-11 c:\windows\Tasks\At12.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-02-11 02:00]

2010-02-11 c:\windows\Tasks\At13.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-02-11 02:00]

2010-02-11 c:\windows\Tasks\At14.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-02-11 02:00]

2010-02-11 c:\windows\Tasks\At15.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-02-11 02:00]

2010-02-11 c:\windows\Tasks\At16.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-02-11 02:00]

2010-02-11 c:\windows\Tasks\At17.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-02-11 02:00]

2010-02-11 c:\windows\Tasks\At18.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-02-11 02:00]

2010-02-11 c:\windows\Tasks\At19.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-02-11 02:00]

2010-02-11 c:\windows\Tasks\At2.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-02-11 02:00]

2010-02-11 c:\windows\Tasks\At20.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-02-11 02:00]

2010-02-11 c:\windows\Tasks\At21.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-02-11 02:00]

2010-02-11 c:\windows\Tasks\At22.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-02-11 02:00]

2010-02-11 c:\windows\Tasks\At23.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-02-11 02:00]

2010-02-11 c:\windows\Tasks\At24.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-02-11 02:00]

2010-02-11 c:\windows\Tasks\At3.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-02-11 02:00]

2010-02-11 c:\windows\Tasks\At4.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-02-11 02:00]

2010-02-11 c:\windows\Tasks\At5.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-02-11 02:00]

2010-02-11 c:\windows\Tasks\At6.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-02-11 02:00]

2010-02-11 c:\windows\Tasks\At7.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-02-11 02:00]

2010-02-11 c:\windows\Tasks\At8.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-02-11 02:00]

2010-02-11 c:\windows\Tasks\At9.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-02-11 02:00]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uDefault_Search_URL = hxxp://www.google.com/ie
mStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*Yahoo! SearchBar Home Page
uInternet Connection Wizard,ShellNext = hxxp://myspace.com/
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*Yahoo!
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office12\EXCEL.EXE/3000
IE: Locate Spot on Map by GPS - c:\program files\Opanda\IExif 2.3\IExifMap.htm
IE: View Exif/GPS/IPTC with IExif - c:\program files\Opanda\IExif 2.3\IExifCom.htm
FF - ProfilePath - c:\documents and settings\April\Application Data\Mozilla\Firefox\Profiles\4v3ntub2.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.babylon.com/web/{searchTerms}?babsrc=browsersearch
FF - prefs.js: browser.search.selectedEngine - Search the web (Babylon)
FF - prefs.js: browser.startup.homepage - ebay.com
FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50-ff-aim-ab-en-us&query=
FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll
FF - plugin: c:\program files\Common Files\Research In Motion\BBWebSLLauncher\NPWebSLLauncher.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - HiddenExtension: XULRunner: {07E88A6D-9142-42B0-80A9-6062F188F3FB} - c:\documents and settings\April\Local Settings\Application Data\{07E88A6D-9142-42B0-80A9-6062F188F3FB}\

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true);user_pref(network.protocol-handler.warn-external.dnupdate, false);user_pref(network.protocol-handler.warn-external.dnupdate, false.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, GMER - Rootkit Detector and Remover
Rootkit scan 2010-02-10 20:59
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-609751233-897265773-14882807-1006\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{E84D6D67-2C2F-766B-43A8-C966CAA1314F}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"eadjgdfcbn"=hex:66,61,6e,6b,62,6b,65,6c,64,66,66,68,00,31
"daajjeof"=hex:64,62,70,6b,6b,6f,66,6f,62,6a,64,6a,6f,69,6c,6e,64,6c,69,67,63,
62,62,6f,61,64,61,62,62,62,62,6a,6a,69,6c,69,6e,6b,70,6f,00,00
"iallemcdijlfngnbco"=hex:6a,61,69,6f,65,6e,6d,68,63,6b,6f,67,6c,69,61,68,62,6a,
62,64,00,00
"haflkncodecimlom"=hex:6a,61,69,6f,65,6e,6d,68,63,6b,6f,67,6c,69,61,68,62,6a,
62,64,00,00

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{BEB3C0C7-B648-4257-96D9-B5D024816E27}\Version*Version]
"Version"=hex:24,74,64,6d,56,f4,91,89,c0,54,8f,16,10,c1,c8,76,b5,85,0b,26,be,
5e,11,6a,ab,d5,3c,de,96,82,68,8a,f5,17,3c,05,0e,80,6e,06,3c,60,40,71,d7,14,\

[HKEY_LOCAL_MACHINE\software\Minnetonka Audio Software\SurCode Dolby Digital Premiere\Version*Version]
"Version"=hex:24,74,64,6d,56,f4,91,89,c0,54,8f,16,10,c1,c8,76,b5,85,0b,26,be,
5e,11,6a,ab,d5,3c,de,96,82,68,8a,f5,17,3c,05,0e,80,6e,06,3c,60,40,71,d7,14,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(416)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\WINSPOOL.DRV
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll
c:\windows\system32\scg726.acm
c:\windows\system32\alf2cd.acm
c:\windows\system32\AC3ACM.acm
.
Completion time: 2010-02-10 21:01:29
ComboFix-quarantined-files.txt 2010-02-11 02:01
ComboFix2.txt 2010-02-10 23:18
ComboFix3.txt 2008-12-07 16:52
ComboFix4.txt 2008-12-07 02:06

Pre-Run: 152,185,294,848 bytes free
Post-Run: 152,376,381,440 bytes free

- - End Of File - - 5F47E0417C482D91C3E23C7F2088926A
 
Malwarebytes' Anti-Malware 1.44
Database version: 3722
Windows 5.1.2600 Service Pack 3 (Safe Mode)
Internet Explorer 8.0.6001.18372

2/10/2010 9:07:16 PM
mbam-log-2010-02-10 (21-07-12).txt

Scan type: Quick Scan
Objects scanned: 149939
Time elapsed: 3 minute(s), 23 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\adobe_reader (Trojan.Downloader) -> No action taken.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Program Files\Internet Explorer\js.mui (Trojan.Downloader) -> No action taken.
C:\Program Files\Internet Explorer\wmpscfgs.exe (Trojan.Downloader) -> No action taken.
 
Navigate to the folder below and delete all those tasks

2010-02-11 c:\windows\Tasks\At1.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-02-11 02:00]

2010-02-11 c:\windows\Tasks\At10.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-02-11 02:00]

2010-02-11 c:\windows\Tasks\At11.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-02-11 02:00]

2010-02-11 c:\windows\Tasks\At12.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-02-11 02:00]

2010-02-11 c:\windows\Tasks\At13.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-02-11 02:00]

2010-02-11 c:\windows\Tasks\At14.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-02-11 02:00]

2010-02-11 c:\windows\Tasks\At15.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-02-11 02:00]

2010-02-11 c:\windows\Tasks\At16.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-02-11 02:00]

2010-02-11 c:\windows\Tasks\At17.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-02-11 02:00]

2010-02-11 c:\windows\Tasks\At18.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-02-11 02:00]

2010-02-11 c:\windows\Tasks\At19.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-02-11 02:00]

2010-02-11 c:\windows\Tasks\At2.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-02-11 02:00]

2010-02-11 c:\windows\Tasks\At20.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-02-11 02:00]

2010-02-11 c:\windows\Tasks\At21.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-02-11 02:00]

2010-02-11 c:\windows\Tasks\At22.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-02-11 02:00]

2010-02-11 c:\windows\Tasks\At23.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-02-11 02:00]

2010-02-11 c:\windows\Tasks\At24.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-02-11 02:00]

2010-02-11 c:\windows\Tasks\At3.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-02-11 02:00]

2010-02-11 c:\windows\Tasks\At4.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-02-11 02:00]

2010-02-11 c:\windows\Tasks\At5.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-02-11 02:00]

2010-02-11 c:\windows\Tasks\At6.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-02-11 02:00]

2010-02-11 c:\windows\Tasks\At7.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-02-11 02:00]

2010-02-11 c:\windows\Tasks\At8.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-02-11 02:00]

2010-02-11 c:\windows\Tasks\At9.job
- c:\program files\internet explorer\wmpscfgs.exe [2010-02-11 02:00]



Navigate to the folder below and delete them, you may need to enable hidden files and folders.

C:\Program Files\Internet Explorer\js.mui
C:\Program Files\Internet Explorer\wmpscfgs.exe


Reboot and then follow the steps below

Disable System Restore first

Go here and delete the file C:\Program Files\Internet Explorer\wmpscfgs.exe

Then go to here and delete the reg file

HKLM->Software -> Microsoft -> Windows -> CurrentVersion –> Run and delete the %ProgramFiles%\Internet Explorer\wmpscfgs.exe entry. If you don't see it there, do a Find in the registry for wmpscfgs.exe and delete it.

And look here too %%ProfileFolder%%\local settings\temp\wmpscfgs.exe and delete it


Then follow this

Here is what you can do to get rid of it. Don't bother about scanning, as scanners can't fully fix your problem and will end up corrupting your applications.
  • Boot in safe mode. The reason for this is that in safe mode there are not many processes running. You need this setup in step 9 below, as this virus is a nasty one.
  • Open up Windows Explorer and go to Tools -> Folder Options.
    a. Make sure the following is TICKED -> Show hidden files and folders
    b. Make sure the following is UNticked -> Hide extensions for known file types
  • Go to the following directories (this is for Vista Home Premium):
    C:\Program Files\Internet Explorer
    C:\Users\user\AppData\Local\Temp
    And you will see there a file called wmpscfgs.exe. Delete them.
  • Open up your Task Manager, make sure 'show all processes' is ticked and look for the same process. If it is running, kill it.
Starting with this part, the steps need more technical experience. If you are not comfortable doing the steps below, look for someone who can help you.
  • Open up regedit and go to: HKLM->Software -> Microsoft -> Windows -> CurrentVersion –> Run
  • Look for the Adobe_reader entry with data “%ProgramFiles%\Internet Explorer\wmpscfgs.exe“. Delete it. For me, from this point on, almost all of the things written on the net currently don't have the steps below, and that's the reason why this virus keeps coming back.
  • Hopefully you don't have many applications under “HKLM->Software -> Microsoft -> Windows -> CurrentVersion -> Run”, because you have to visit each one of them literally, since this virus hijacks almost every application in the Run list above.
  • Basically it renames the old exe file from, say, “mcagent.exe” to “mcagent .exe”, with a space between the filename and the “.exe” extension. It will then create a copy of itself with the same filename as your executable file, so that when someone executes your file, the virus will be executed first and then your file. It will do this for every app you have in your Run list. Thus if you go to the location of, say, the McAfee mcagent.exe application you will see two to three files with almost the same filename:
    • mcagent.exe -> a 39 KB file, very recently created, which is the virus that keeps adding back that wmpscfgs.exe file.
    • mcagent .exe -> the original mcagent file, renamed.
    • mcagent.exe.delme<some random number> -> delete this one as well. I don't see this occurring every time, but I have seen some apps with this file in them, very recently created.
  • You first need to kill the corresponding process of the infected file if it is running in Task Manager, manually remove the existing .exe file, which is around 39 KB only, and rename your old executable file back to its former filename. Repeat this for every application you have in your Run list above. The only thing that I saw this virus didn't infect was the Windows Defender application. The rest in my Run list were screwed. Uninstalling and reinstalling them doesn't help either, as the former Trojan exe file will be retained in the application directory. This is the reason why Microsoft Security Essentials was complaining that your startup executable files are viruses.
  • Once you have verified that each application in your Run list has been restored, to be fully sure that you don't have any such files lingering in your system, do a drive search for any file that is 39 KB in size and has just been recently created, and examine each one carefully to see if it is just a copy of your original executable file. Follow step 7 for each occurrence of it. So far, I only saw this virus attach itself to executable files.
  • If you want to be 100% sure, the next thing you need to do is double-check every process running in your Task Manager to see if it is legit. Some processes, especially those started by System, won't be able to take you to their process file; that's OK, but for most of them, if you right-click on them, you should see an option there called “Open File Location”. Then follow step 7 above.
After this is completed, run GMER again to see if it detects it again. Let me know how it goes or if you have any questions. http://www.gmer.net/

Then after GMER do this below

Don't reboot yet, go ahead and run ComboFix again; maybe it can take care of it this time with the changes made.

Run this after combofix http://www.superantispyware.com/

And then run malwarebytes

Then post their logs and a new hijackthis log.
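A defender-side triage script, added here as an example and not part of the helper's instructions or of any tool named in the thread. It does two things the post above describes by hand: it parses a ComboFix 'Scheduled Tasks' section and flags an executable that is launched by many generic At<N>.job entries (the wmpscfgs.exe pattern in the log), and it scans a folder listing for the "name .exe" / "name.exe.delme<number>" sibling pattern and turns each hit into a restore plan (delete the copy, rename the original back). The 39 KB dropper size is taken from the post and used only as a heuristic; the log excerpt and folder inventory are constructed sample input, and inventory() is an added helper for running the same check against a real folder.

```python
import os
import re
from collections import defaultdict

# Constructed excerpt in the ComboFix 'Scheduled Tasks' format (not the thread's full log).
SAMPLE_TASKS_LOG = """\
2010-02-11 c:\\windows\\Tasks\\Ad-Aware Update (Daily 1).job
- c:\\program files\\Lavasoft\\Ad-Aware\\Ad-AwareAdmin.exe [2009-12-02 06:36]

2010-02-11 c:\\windows\\Tasks\\At1.job
- c:\\program files\\internet explorer\\wmpscfgs.exe [2010-02-11 02:00]

2010-02-11 c:\\windows\\Tasks\\At2.job
- c:\\program files\\internet explorer\\wmpscfgs.exe [2010-02-11 02:00]

2010-02-11 c:\\windows\\Tasks\\At3.job
- c:\\program files\\internet explorer\\wmpscfgs.exe [2010-02-11 02:00]
"""

# Constructed folder inventory (filename, size in bytes) after the hijack the post describes:
# the genuine program was renamed to "mcagent .exe" and a 39 KB copy of the dropper took its name.
SAMPLE_DIR = [
    ("mcagent.exe", 39 * 1024),
    ("mcagent .exe", 512 * 1024),
    ("mcagent.exe.delme1234", 39 * 1024),
    ("mcshield.exe", 480 * 1024),
    ("readme.txt", 2048),
]

JOB_RE = re.compile(r"^\d{4}-\d{2}-\d{2} (?P<job>.+\.job)\s*$", re.I)
TARGET_RE = re.compile(r"^- (?P<target>.+?) \[[^\]]*\]\s*$")


def leaf(path):
    """Last path component; handles Windows backslashes even when run on a POSIX host."""
    return re.split(r"[\\/]", path)[-1]


def parse_scheduled_tasks(log_text):
    """Map each task target (lower-cased path) to the .job files that launch it."""
    targets = defaultdict(list)
    job = None
    for line in log_text.splitlines():
        m = JOB_RE.match(line)
        if m:
            job = leaf(m.group("job"))
            continue
        m = TARGET_RE.match(line)
        if m and job:
            targets[m.group("target").lower()].append(job)
            job = None
    return dict(targets)


def suspicious_task_targets(targets, min_jobs=3):
    """Targets launched by at least min_jobs generic At<N>.job entries (the log's At1..At24 pattern)."""
    flagged = {}
    for target, jobs in targets.items():
        at_jobs = [j for j in jobs if re.fullmatch(r"At\d+\.job", j, re.I)]
        if len(at_jobs) >= min_jobs:
            flagged[target] = sorted(at_jobs, key=lambda j: int(re.search(r"\d+", j).group()))
    return flagged


def find_hijacked_executables(entries, dropper_kb=39, tolerance_kb=2):
    """Find 'name.exe' files with a 'name .exe' sibling (the renamed original) and build a restore plan."""
    lower_names = {name.lower(): name for name, _ in entries}
    findings = []
    for name, size in entries:
        low = name.lower()
        if not low.endswith(".exe") or low.endswith(" .exe"):
            continue
        renamed = low[:-4] + " .exe"
        if renamed not in lower_names:
            continue
        leftovers = [n for n, _ in entries if n.lower().startswith(low + ".delme")]
        findings.append({
            "dropper": name,
            "original": lower_names[renamed],
            "leftovers": leftovers,
            # the size check is a heuristic from the post, not proof on its own
            "size_matches_dropper": abs(size / 1024 - dropper_kb) <= tolerance_kb,
            "restore_plan": [f"kill any running process named {name}",
                             f"delete {name}",
                             *[f"delete {d}" for d in leftovers],
                             f"rename '{lower_names[renamed]}' back to {name}"],
        })
    return findings


def inventory(directory):
    """Added helper: build the (name, size) list from a real folder instead of SAMPLE_DIR."""
    return [(e.name, e.stat().st_size) for e in os.scandir(directory) if e.is_file()]


if __name__ == "__main__":
    for target, jobs in suspicious_task_targets(parse_scheduled_tasks(SAMPLE_TASKS_LOG)).items():
        print(f"{target} is launched by {len(jobs)} At*.job tasks: {', '.join(jobs)}")
    for f in find_hijacked_executables(SAMPLE_DIR):
        print(f"{f['dropper']} shadows {f['original']!r}; plan: " + "; ".join(f["restore_plan"]))
```

The plan is printed rather than executed on purpose: the post's own advice is to verify each hit by hand before deleting anything, and a file that merely happens to be 39 KB is not evidence on its own, which is why size_matches_dropper is reported separately from the sibling match.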
 
I am going to do the rest of the steps, but for these files:
C:\Program Files\Internet Explorer\js.mui
C:\Program Files\Internet Explorer\wmpscfgs.exe

They are not showing, and I have hidden files and folders enabled. I am going to reboot now, but during the process I will be checking this.
 
Also, I cannot right-click My Computer and go to Properties, nor can I go to Control Panel and get into System; it shows an hourglass for a second, and then nothing. And when I was there earlier, System Restore was grayed out, so I could not change it anyway.


I am in safe mode right now; I found those two files. I still cannot get into my system properties. I deleted the one file out of the registry that you said I could search for. I have rebooted about 7 times but still cannot disable System Restore. I will await your reply before doing anything else.

Thanks so much, you're awesome! :)
 