WiniBlueSoft Removal, XP laptop

Hi Geek Police . WiniBlueSoft was recently installed on my laptop. As soon as i realized it was malware, i removed it from my laptop, however, i still receive notifications about my laptop being infected with viruses and pop ups about intruders trying to infect my laptop and they ask if i would like WiniBlueSoft to remove them. It has hacked into my windows security alert system, making it believe the laptop needs to have WiniBlueSoft installed. My laptop now has very slow internet speed, and freezes a lot. I need to remove this malware at once but i have no clue on how to. I've tried to download countless spyware removal programs (Registry Mechanic, SpyHunter, Exterminate it!, Spyware Doctor, etc.) and they all want to charge me to remove the viruses, which is something i cannot afford to do at this time. I am now clueless on how to remove WiniBlueSoft from my laptop. Any help would be greatly appreciated. Thank you:).

Please download the current version of HijackThis from HERE

• Double click and run the installer.
  
• It will install to C:\Program Files\Trend Micro\HijackThis\hijackthis.exe
  
• After installing, you should get the user agreement, press accept and Hijack This will run.
  
• Select Do a system scan and save a log file. This will open a notepad file of everything Hijack This found, copy and paste it back here.
  

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:04:33 PM, on 5/16/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\PROGRA~1\Dell\QuickSet\quickset.exe
C:\Updater.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\AIM6\aim6.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\setup2.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\CDProxyServ.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
c:\program files\aim toolbar\aimtbServer.exe
C:\Documents and Settings\Alexis Aiken\My Documents\iPod\bin\iPodService.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.aol.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: AIM Toolbar Search Class - {03402f96-3dc7-4285-bc50-9e81fefafe43} - C:\Program Files\AIM Toolbar\aimtb.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: AIM Toolbar Loader - {b0cda128-b425-4eef-a174-61a11ac5dbf8} - C:\Program Files\AIM Toolbar\aimtb.dll
O2 - BHO: (no name) - {D651AFF4-9590-424d-BD1E-8E33E090DFB3} - C:\WINDOWS\system32\xhlunyqh.dll (file missing)
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: AIM Toolbar - {61539ecd-cc67-4437-a03c-9aaccbd14326} - C:\Program Files\AIM Toolbar\aimtb.dll
O4 - HKLM\..\Run: [Dell QuickSet] C:\PROGRA~1\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -startup
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [iRiver Updater] \Updater.exe
O4 - HKLM\..\Run: [InfoData] rundll32.exe "C:\WINDOWS\system32\gywxikke.dll",realset
O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [setup2.exe] C:\WINDOWS\system32\setup2.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Startup: IMVU.lnk = C:\Program Files\IMVU\IMVUClient.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: &AIM Toolbar Search - C:\Documents and Settings\All Users\Application Data\AIM Toolbar\ieToolbar\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: AIM Toolbar - {0b83c99c-1efa-4259-858f-bcb33e007a5b} - C:\Program Files\AIM Toolbar\aimtb.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Alexis Aiken\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://locator.cdn.imageservr.com
O15 - Trusted Zone: http://scanner.sysprotect.com
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/20070501/qtinstall.info.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - https://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
O16 - DPF: {2AF5BD25-90C5-4EEC-88C5-B44DC2905D8B} (DownloadManager Control) - http://dlmanager.akamaitools.com.edgesuite.net/dlmanager/versions/activex/dlm-activex-2.0.4.4.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {5E936384-B736-4A9E-AA93-832CA59FDCEC} (InstallShield Setup Player V11) - http://ea-land.ea.com/download/install/setup.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1155138452515
O16 - DPF: {E991BDE0-9816-4094-853E-6BDB60F0342D} (Get_ActiveX Control) - http://apps.corel.com/nos_dl_manager/plugin/IENetOpPlugin.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{4A27D798-B6EE-48DB-B1E7-F558AB5C6987}: NameServer = 85.255.112.66,85.255.112.131
O17 - HKLM\System\CCS\Services\Tcpip\..\{9F373DDF-A35E-4085-9A16-7DF2C5C638A6}: NameServer = 85.255.112.66,85.255.112.131
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.112.66,85.255.112.131
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.112.66,85.255.112.131
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.112.66,85.255.112.131
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: XCP CD Proxy (CD_Proxy) - Unknown owner - C:\WINDOWS\CDProxyServ.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Documents and Settings\Alexis Aiken\My Documents\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: WLANKEEPER - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 11630 bytes

Hello.

I see you have Viewpoint software installed.

Viewpoint Manager is considered as foistware instead of malware since it is installed without users approval but doesn't spy or do anything "bad". Read this article: here and here

I suggest you remove the program now.

Go to Start > Control Panel > Add/Remove Programs and remove the following programs if present.

• Viewpoint Manager (remove only)
  
• Viewpoint Media Player
  
• Viewpoint Toolbar
  

Next,

• Open HijackThis
  
• Choose "Do a system scan only"
  
• Check the boxes in front of these lines:
  
  
  O2 - BHO: (no name) - {D651AFF4-9590-424d-BD1E-8E33E090DFB3} - C:\WINDOWS\system32\xhlunyqh.dll (file missing)
  O4 - HKLM\..\Run: [iRiver Updater] \Updater.exe
  O4 - HKLM\..\Run: [InfoData] rundll32.exe "C:\WINDOWS\system32\gywxikke.dll",realset
  O4 - HKCU\..\Run: [setup2.exe] C:\WINDOWS\system32\setup2.exe
  O17 - HKLM\System\CCS\Services\Tcpip\..\{4A27D798-B6EE-48DB-B1E7-F558AB5C6987}: NameServer = 85.255.112.66,85.255.112.131
  O17 - HKLM\System\CCS\Services\Tcpip\..\{9F373DDF-A35E-4085-9A16-7DF2C5C638A6}: NameServer = 85.255.112.66,85.255.112.131
  O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.112.66,85.255.112.131
  O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.112.66,85.255.112.131
  O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.112.66,85.255.112.131
  
  
  
• Press "Fix Checked"
  
• Close Hijack This.
  

1. Please download The Avenger by Swandog46 to your Desktop
Link: HERE or HERE.

• Click on Avenger.zip to open the file
  
• Extract avenger.exe to your desktop
  

Note: This tool was posted specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

2. Now, start The Avenger program by clicking on its icon on your desktop.

• Leave the script box empty.
  
• Leave the ticked box "Scan for rootkit" ticked.
  
• Then tick "Disable any rootkits found"
  
• Now click on the Execute to begin execution of the script.
  
• Answer "Yes" twice when prompted.
  
  The Avenger will automatically do the following:
  
  
• It will Restart your computer.
  
• On reboot, it will briefly open a black command window on your desktop, this is normal.
  
• After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  
• The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
  

3. Please copy/paste the content of c:\avenger.txt into your reply.

Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!


Completed script processing.

*******************

Finished! Terminate.

Hello.

• Download combofix from here
  Link 1
  Link 2
  
  1. If you are using Firefox, make sure that your download settings are as follows:
  
  * Tools->Options->Main tab
  * Set to "Always ask me where to Save the files".
  
  2. During the download, rename Combofix to Combo-Fix as follows:
  
  
  
  
  
  3. It is important you rename Combofix during the download, but not after.
  4. Please do not rename Combofix to other names, but only to the one indicated.
  5. Close any open browsers.
  6. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  
  
• We need to disable your local AV (Anti-virus) before running Combofix.
  
• See HERE for how to disable your AV. (Symantec Antivurs)
  
• Double click on ComboFix.exe.
  
• Follow the prompts. NOTE:
  
• ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
  ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***
  
  **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.
  
  
  
• The Recovery Console provides a recovery/repair mode should a problem occur during a Combofix run.
  
  
  
  
• Allow ComboFix to download the Recovery Console.
  
• Accept the End-User License Agreement.
  
• The Recovery Console will be installed.
  
• You will then get this next prompt that asks if you want to continue the malware scan, select yes
  
  
  
  
• Allow combofix to run
  
• Post C:\combofix.txt back here.
  
  Note:
  Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
  

Sorry, I'm having some difficulties. Symantec Antivirus will not allow me to disable auto-protect.

Okay then, we'll need to use Safe Mode.

Please then reboot your computer in Safe Mode by doing the following :

• Restart your computer
  
• After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  
• Instead of Windows loading as normal, the Advanced Options Menu should appear;
  
• Select the first option, to run Windows in Safe Mode, then press Enter.
  
• Choose your usual account.
  

Run Combofix from Safe mode.

Hi, I tried to run safe mode which was the first option, but it did not allow me to use internet connection.
I am now using safe mode with networking which allows me to use the internet. will that be okay?

Yes, it's fine.

hi, i have the combofix text but it says the message is too long to post.

Split the text into two different posts please

ComboFix 09-05-16.03 - Alexis Aiken 05/16/2009 14:48.1 - NTFSx86 NETWORK
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.503.354 [GMT -5:00]
Running from: c:\documents and settings\Alexis Aiken\Desktop\Combo-Fix.exe
AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Autorun.inf
c:\documents and settings\Alexis Aiken\Application Data\rhceskj0e7b1
c:\program files\AlphaWipe Tracks Cleaner 2008
c:\program files\AlphaWipe Tracks Cleaner 2008\pv.dat
c:\program files\AlphaWipe Tracks Cleaner 2008\up.dat
c:\program files\rhceskj0e7b1
c:\program files\Video Add-on
c:\program files\vsadd-in
c:\recycler\S-1-5-18\Dc2.gif
c:\recycler\S-1-5-18\Dc3.html
c:\recycler\S-1-5-18\Dc4.gif
c:\recycler\S-1-5-18\Dc7.gif
c:\recycler\S-1-5-18\Dc8.gif
c:\recycler\S-1-5-18\Dc9.dll
c:\recycler\S-1-5-18\INFO2
c:\windows\IE4 Error Log.txt
c:\windows\java\sbaalau.bak1
c:\windows\java\sbaalau.bak2
c:\windows\Registration\sdnvdr.bak1
c:\windows\Registration\sdnvdr.ini
c:\windows\system32\ekkixwyg.ini
c:\windows\system32\mcrh.tmp
c:\windows\system32\srutv.bak1
c:\windows\system32\srutv.bak2
c:\windows\system32\srutv.ini
c:\windows\system32\srutv.ini2
c:\windows\system32\srutv.tmp
c:\windows\system32\srutv.tmp2

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_$SYS$ARIES
-------\Legacy_CD_PROXY
-------\Legacy_NPF
-------\Service_CD_Proxy


((((((((((((((((((((((((( Files Created from 2009-04-16 to 2009-05-16 )))))))))))))))))))))))))))))))
.

2009-12-26 12:07 . 2009-12-26 12:07 11675 ----a-w c:\windows\system32\55dzst9al2404.dll
2009-12-26 07:06 . 2009-12-26 07:06 13220 ----a-w c:\windows\1b5bthrz9t13791.dll
2009-12-25 09:05 . 2009-12-25 09:05 13030 ----a-w c:\windows\195629ac5toold9z.bin
2009-12-25 03:43 . 2009-12-25 03:43 5160 ----a-w c:\windows\system32\52395hrzat28413.bin
2009-12-24 22:49 . 2009-12-24 22:49 3287 ----a-w c:\windows\673zthief5279.exe
2009-12-24 11:32 . 2009-12-24 11:32 15197 ----a-w c:\windows\59afzhreat59861.bin
2009-12-22 04:17 . 2009-12-22 04:17 3879 ----a-w c:\windows\system32\9f64spyware2550z.exe
2009-12-17 05:30 . 2009-12-17 05:30 3580 ----a-w c:\windows\5555t9ief309z.bin
2009-12-16 04:32 . 2009-12-16 04:32 10831 ----a-w c:\windows\za2bspa5se9081.exe
2009-12-12 16:53 . 2009-12-12 16:53 4115 ----a-w c:\windows\system32\14195zackto5l31e.dll
2009-12-07 11:10 . 2009-12-07 11:10 18284 ----a-w c:\windows\12140no5-a-virzs2419.bin
2009-12-07 10:27 . 2009-12-07 10:27 11110 ----a-w c:\windows\9fd4downloadzr2215.exe
2009-12-06 22:38 . 2009-12-06 22:38 10440 ----a-w c:\windows\1521spyware9z43.exe
2009-12-06 06:21 . 2009-12-06 06:21 16521 ----a-w c:\windows\system32\7c5fthreat19z93.exe
2009-12-03 09:28 . 2009-12-03 09:28 7419 ----a-w c:\windows\159559zrusa0.bin
2009-12-02 14:50 . 2009-12-02 14:50 18383 ----a-w c:\windows\z95565pambot544.exe
2009-12-02 13:46 . 2009-12-02 13:46 7590 ----a-w c:\windows\26z6wor956.bin
2009-11-28 20:22 . 2009-11-28 20:22 12120 ----a-w c:\windows\system32\4c8bs95wzre3227.exe
2009-11-27 12:45 . 2009-11-27 12:45 11358 ----a-w c:\windows\system32\38f9thi5f164z.bin
2009-11-22 05:32 . 2009-11-22 05:32 11828 ----a-w c:\windows\system32\7474tr5z5a9.exe
2009-11-19 07:03 . 2009-11-19 07:03 11011 ----a-w c:\windows\system32\5520v591970z.exe
2009-11-15 23:12 . 2009-11-15 23:12 10087 ----a-w c:\windows\system32\69a4azdware29085.bin
2009-11-13 09:33 . 2009-11-13 09:33 9896 ----a-w c:\windows\205aaddware19z7.bin
2009-11-12 12:18 . 2009-11-12 12:18 10047 ----a-w c:\windows\2758zha5ktool49d.bin
2009-11-12 09:15 . 2009-11-12 09:15 17418 ----a-w c:\windows\55783zroj5859.dll
2009-11-12 08:20 . 2009-11-12 08:20 12481 ----a-w c:\windows\95175roj2z9.dll
2009-11-05 08:55 . 2009-11-05 08:55 18377 ----a-w c:\windows\5z29spywar51333.exe
2009-11-01 19:25 . 2009-11-01 19:25 3018 ----a-w c:\windows\system32\29922not-a5virzs429.exe
2009-10-28 17:12 . 2009-10-28 17:12 17293 ----a-w c:\windows\system32\2b9zaddware5006.dll
2009-10-27 17:18 . 2009-10-27 17:18 14516 ----a-w c:\windows\64a9s5yw9re156z.dll
2009-10-22 15:18 . 2009-10-22 15:18 13519 ----a-w c:\windows\system32\7b955tzal449.bin
2009-10-21 17:37 . 2009-10-21 17:37 4292 ----a-w c:\windows\system32\3895zp5mbot2ef.dll
2009-10-21 14:46 . 2009-10-21 14:46 12970 ----a-w c:\windows\8935spy7fz.exe
2009-10-21 13:29 . 2009-10-21 13:29 10079 ----a-w c:\windows\2026spy9aze5098.exe
2009-10-19 17:21 . 2009-10-19 17:21 8033 ----a-w c:\windows\45d95pywzre460.exe
2009-10-15 03:55 . 2009-10-15 03:55 16723 ----a-w c:\windows\system32\921zddwar5512.dll
2009-10-13 23:24 . 2009-10-13 23:24 3396 ----a-w c:\windows\65cfs9ywaze2192.dll
2009-10-13 21:59 . 2009-10-13 21:59 13517 ----a-w c:\windows\system32\2ee6down5o9der960z.exe
2009-10-12 06:51 . 2009-10-12 06:51 10019 ----a-w c:\windows\system32\15356not-z-virus42c9.dll
2009-10-09 11:22 . 2009-10-09 11:22 17451 ----a-w c:\windows\90855spzmbot25b.dll
2009-10-09 07:17 . 2009-10-09 07:17 10858 ----a-w c:\windows\system32\59972spzmbot129.exe
2009-10-08 23:29 . 2009-10-08 23:29 9943 ----a-w c:\windows\190965irus421z.exe
2009-10-08 06:49 . 2009-10-08 06:49 15947 ----a-w c:\windows\4b8ebzc5do9r96.bin
2009-10-04 02:55 . 2009-10-04 02:55 14721 ----a-w c:\windows\system32\19198hack5ool55z.bin
2009-10-03 02:31 . 2009-10-03 02:31 3975 ----a-w c:\windows\system32\72959hief30z9.dll
2009-10-01 13:05 . 2009-10-01 13:05 13347 ----a-w c:\windows\1542zh9cktool26e5.bin
2009-09-27 08:13 . 2009-09-27 08:13 3666 ----a-w c:\windows\656bvi5901z.exe
2009-09-27 03:40 . 2009-09-27 03:40 11966 ----a-w c:\windows\5z92s9eal2551.exe
2009-09-26 03:44 . 2009-09-26 03:44 15944 ----a-w c:\windows\3d1down5zad9r2277.bin
2009-09-25 12:38 . 2009-09-25 12:38 11418 ----a-w c:\windows\system32\69z0h5cktool6d2.exe
2009-09-23 14:46 . 2009-09-23 14:46 16606 ----a-w c:\windows\system32\18944h5ckzool59f.bin
2009-09-22 05:24 . 2009-09-22 05:24 12751 ----a-w c:\windows\system32\19457hack9ozl6c4.exe
2009-09-21 10:50 . 2009-09-21 10:50 7939 ----a-w c:\windows\system32\79z3threa520312.exe
2009-09-11 09:22 . 2009-09-11 09:22 6207 ----a-w c:\windows\system32\958dthief29z1.exe
2009-09-05 00:29 . 2009-09-05 00:29 6051 ----a-w c:\windows\63d7d9wnlo5derz857.dll
2009-09-04 18:19 . 2009-09-04 18:19 16455 ----a-w c:\windows\43fzi918215.dll
2009-09-02 08:01 . 2009-09-02 08:01 8555 ----a-w c:\windows\13b29hze5t30670.dll
2009-09-01 04:34 . 2009-09-01 04:34 3626 ----a-w c:\windows\14186zack5oo9a5.exe
2009-08-28 07:33 . 2009-08-28 07:33 12506 ----a-w c:\windows\109299py30z5.dll
2009-08-23 04:49 . 2009-08-23 04:49 11038 ----a-w c:\windows\system32\20899zackt59l4f3.exe
2009-08-21 08:16 . 2009-08-21 08:16 12340 ----a-w c:\windows\4846spywar9162z5.exe
2009-08-15 04:45 . 2009-08-15 04:45 8165 ----a-w c:\windows\dcast5al299z.exe
2009-08-10 12:11 . 2009-08-10 12:11 14940 ----a-w c:\windows\system32\5311nzt-a-viru979d.dll
2009-08-08 05:18 . 2009-08-08 05:18 13493 ----a-w c:\windows\8297zot-a-viru96495.dll
2009-08-06 04:43 . 2009-08-06 04:43 6605 ----a-w c:\windows\system32\2ef25hreaz102029.dll
2009-08-02 03:08 . 2009-08-02 03:08 16069 ----a-w c:\windows\system32\59f2sp5rsez01.dll
2009-08-01 15:06 . 2009-08-01 15:06 6772 ----a-w c:\windows\472da5dzare9409.dll
2009-07-27 21:37 . 2009-07-27 21:37 14052 ----a-w c:\windows\1z876t9o51cb.dll
2009-07-25 10:53 . 2009-07-25 10:53 3260 ----a-w c:\windows\29z5spy61a.exe
2009-07-24 17:36 . 2009-07-24 17:36 6855 ----a-w c:\windows\system32\24575wo9z55f.exe
2009-07-24 07:36 . 2009-07-24 07:36 16291 ----a-w c:\windows\system32\53a9vir227z.dll
2009-07-24 05:52 . 2009-07-24 05:52 4715 ----a-w c:\windows\system32\4f25hief9z60.exe
2009-07-19 01:52 . 2009-07-19 01:52 7969 ----a-w c:\windows\system32\35589wormze1.bin
2009-07-18 06:43 . 2009-07-18 06:43 14581 ----a-w c:\windows\909v95138z.bin
2009-07-16 03:59 . 2009-07-16 03:59 11882 ----a-w c:\windows\15802spambo9z925.bin
2009-07-16 02:30 . 2009-07-16 02:30 7472 ----a-w c:\windows\system32\41cadown95azer1001.exe
2009-07-15 04:07 . 2009-07-15 04:07 14426 ----a-w c:\windows\z09345pambot5e6.exe
2009-07-14 23:20 . 2009-07-14 23:20 15964 ----a-w c:\windows\system32\11855t5zj219.exe
2009-07-14 22:41 . 2009-07-14 22:41 4117 ----a-w c:\windows\55cda9zware2481.dll
2009-07-14 18:55 . 2009-07-14 18:55 12067 ----a-w c:\windows\system32\361995ealz77.bin
2009-07-12 22:33 . 2009-07-12 22:33 17370 ----a-w c:\windows\system32\75d4dzwnloade9425.bin
2009-07-11 15:02 . 2009-07-11 15:02 10709 ----a-w c:\windows\3695wor53z1.bin
2009-07-10 02:03 . 2009-07-10 02:03 5428 ----a-w c:\windows\system32\58afspars932z5.bin
2009-07-08 07:15 . 2009-07-08 07:15 14246 ----a-w c:\windows\system32\1305sp5zare1009.bin
2009-07-06 05:40 . 2009-07-06 05:40 9972 ----a-w c:\windows\system32\90799not-a-viz5s.exe
2009-07-05 10:09 . 2009-07-05 10:09 14402 ----a-w c:\windows\1z762spam9ot7865.bin
2009-07-04 07:12 . 2009-07-04 07:12 5869 ----a-w c:\windows\26559wzrm279.dll
2009-07-02 13:02 . 2009-07-02 13:02 17807 ----a-w c:\windows\6991d5wnloader547z.bin
2009-07-01 17:27 . 2009-07-01 17:27 9414 ----a-w c:\windows\7z04spyware5590.exe
2009-07-01 02:40 . 2009-07-01 02:40 17990 ----a-w c:\windows\system32\15071tzoj95d.dll
2009-06-28 07:16 . 2009-06-28 07:16 9434 ----a-w c:\windows\z8599sp5mb9t29f.dll
2009-06-28 02:59 . 2009-06-28 02:59 7260 ----a-w c:\windows\system32\z166troj2395.bin
2009-06-26 02:14 . 2009-06-26 02:14 9440 ----a-w c:\windows\system32\576ca5zwa9e3075.bin
2009-06-21 14:31 . 2009-06-21 14:31 7375 ----a-w c:\windows\system32\287z7s95380.bin
2009-06-21 10:45 . 2009-06-21 10:45 13382 ----a-w c:\windows\e25ad95are271z.exe
2009-06-19 20:08 . 2009-06-19 20:08 9591 ----a-w c:\windows\309z6spam5o942d.dll
2009-06-18 07:24 . 2009-06-18 07:24 2675 ----a-w c:\windows\system32\31f5backdo9rz86.bin
2009-06-13 02:04 . 2009-06-13 02:04 13653 ----a-w c:\windows\system32\6553spambzt9e7.exe
2009-06-11 04:07 . 2009-06-11 04:07 11163 ----a-w c:\windows\system32\2bbcspyw95e155z.bin
2009-06-09 18:10 . 2009-06-09 18:10 4430 ----a-w c:\windows\4959no9-z-virus6df.exe
2009-06-09 16:08 . 2009-06-09 16:08 4348 ----a-w c:\windows\15105spy4fz9.dll
2009-06-09 05:50 . 2009-06-09 05:50 14858 ----a-w c:\windows\z52029py740.bin
2009-06-06 18:34 . 2009-06-06 18:34 12611 ----a-w c:\windows\4af35dz9are1257.exe
2009-06-05 13:29 . 2009-06-05 13:29 6514 ----a-w c:\windows\system32\702259dwarz2756.exe
2009-06-05 10:00 . 2009-06-05 10:00 15659 ----a-w c:\windows\15823not-9-vir5z6dc.dll
2009-06-05 05:22 . 2009-06-05 05:22 13793 ----a-w c:\windows\system32\256479roj1dz.dll
2009-06-04 14:04 . 2009-06-04 14:04 17900 ----a-w c:\windows\system32\4z54addwar92456.dll
2009-05-23 09:09 . 2009-05-23 09:09 17683 ----a-w c:\windows\79c35owzloader1206.exe
2009-05-19 03:20 . 2009-05-19 03:20 13523 ----a-w c:\windows\system32\6a69spy5are96z.bin
2009-05-18 00:30 . 2009-05-18 00:30 13480 ----a-w c:\windows\system32\229z9spambot575.bin
2009-05-17 20:20 . 2009-05-17 20:20 5185 ----a-w c:\windows\system32\35c7sz9war52788.exe
2009-05-16 19:45 . 2009-05-16 19:45 552 ----a-w c:\windows\system32\d3d8caps.dat
2009-05-16 18:03 . 2009-05-16 18:03 -------- d-----w c:\program files\Trend Micro
2009-05-15 23:21 . 2009-05-15 23:21 11266 ----a-w c:\windows\system32\1266z9iru5d6.dll
2009-05-14 13:00 . 2009-05-14 13:00 -------- d-----w c:\documents and settings\Alexis Aiken\Local Settings\Application Data\AIM Toolbar
2009-05-14 12:42 . 2009-05-14 12:42 -------- d-----w c:\program files\Enigma Software Group
2009-05-14 12:18 . 2009-05-14 19:18 -------- d-----w c:\program files\Exterminate It!
2009-05-11 13:28 . 2009-05-11 13:28 12040 ----a-w c:\windows\system32\5295spyware5z7.bin
2009-05-10 18:38 . 2009-05-14 13:03 -------- d-----w c:\documents and settings\Alexis Aiken\Application Data\GetRightToGo
2009-05-10 18:30 . 2009-05-14 19:21 -------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-05-10 13:45 . 2009-05-10 13:45 13853 ----a-w c:\windows\516z9troj458.dll
2009-05-10 08:05 . 2009-05-10 08:05 9277 ----a-w c:\windows\92652troz508.bin
2009-05-08 09:01 . 2009-05-08 09:01 3019 ----a-w c:\windows\6efdaddwz9e2501.bin
2009-05-07 05:56 . 2009-05-07 05:56 12035 ----a-w c:\windows\system32\6418z5rm29e.exe
2009-05-02 20:30 . 2009-05-02 20:30 9067 ----a-w c:\windows\19z62hacktool559.bin

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-16 19:58 . 2009-02-28 01:24 -------- d-----w c:\program files\Symantec AntiVirus
2009-05-16 18:30 . 2005-12-07 16:49 -------- d-----w c:\program files\Viewpoint
2009-05-14 23:04 . 2007-07-09 16:26 664 ----a-w c:\windows\system32\d3d9caps.dat
2009-05-10 13:45 . 2009-05-10 13:45 17946 ----a-w c:\windows\2358hacztool3549.dll
2009-05-07 23:33 . 2006-01-14 03:56 104 --sh--r c:\windows\system32\B993D92FBE.sys
2009-05-07 23:33 . 2006-01-14 03:56 7518 --sha-w c:\windows\system32\KGyGaAvL.sys
2009-04-13 01:40 . 2009-04-13 01:40 8230 ----a-w c:\windows\system32\1805not-z-vi9u589.exe
2009-04-11 18:25 . 2009-04-11 18:25 9422 ----a-w c:\windows\system32\174059ozmf5.dll
2009-04-11 18:18 . 2005-12-07 16:41 -------- d-----w c:\program files\Java
2009-04-10 21:36 . 2009-04-10 21:36 6077 ----a-w c:\windows\system32\21650viru599dz.dll
2009-04-09 17:20 . 2009-04-09 17:20 6406 ----a-w c:\windows\52327hac9tool667z.dll
2009-04-09 02:32 . 2009-04-09 02:32 6522 ----a-w c:\windows\system32\5519spa5bot5f4z.exe
2009-04-08 16:56 . 2009-04-08 16:56 7491 ----a-w c:\windows\100cadz59re1811.bin
2009-04-07 16:27 . 2009-04-07 16:27 2767 ----a-w c:\windows\zb93addware2564.exe
2009-04-07 03:03 . 2009-04-07 03:03 16839 ----a-w c:\windows\system32\673fad5warez94.exe
2009-04-07 00:17 . 2009-04-07 00:16 -------- d-----w c:\program files\iTunes
2009-04-07 00:16 . 2007-06-30 15:39 -------- d-----w c:\program files\Common Files\Apple
2009-04-06 08:54 . 2009-04-06 08:54 16725 ----a-w c:\windows\system32\6e57s5eal9195z.bin
2009-04-05 17:17 . 2006-07-22 18:17 -------- d-----w c:\program files\LimeWire
2009-04-05 00:37 . 2009-04-05 00:37 17306 ----a-w

c:\windows\system32\2ac6zp5rs91684.dll
2009-04-02 11:14 . 2009-04-02 11:14 13554 ----a-w c:\windows\system32\78225iz491.bin
2009-04-01 11:15 . 2009-04-01 11:15 6417 ----a-w c:\windows\5cdaspy9ar5111z.dll
2009-03-28 21:21 . 2009-03-28 21:21 10181 ----a-w c:\windows\20692hackt5ol11z.exe
2009-03-26 21:25 . 2009-03-26 21:25 6848 ----a-w c:\windows\system32\12681not9a-viru563z.dll
2009-03-25 03:18 . 2009-03-25 03:18 16199 ----a-w c:\windows\system32\519zadd9are1511.bin
2009-03-24 15:10 . 2009-03-24 15:10 4085 ----a-w c:\windows\system32\193995acztool4c6.dll
2009-03-24 10:46 . 2009-03-24 10:46 15603 ----a-w c:\windows\system32\2302vi928z5.exe
2009-03-24 03:32 . 2009-03-24 03:32 14796 ----a-w c:\windows\system32\3ff9thi5f26z4.bin
2009-03-22 15:58 . 2009-03-22 15:58 3405 ----a-w c:\windows\51964spyz92.exe
2009-03-20 10:59 . 2009-03-20 10:59 8986 ----a-w c:\windows\789a95arsz2235.exe
2009-03-19 21:32 . 2008-01-29 17:01 23400 ----a-w c:\windows\system32\drivers\GEARAspiWDM.sys
2009-03-15 13:46 . 2009-03-15 13:46 8759 ----a-w c:\windows\30729zars5793.dll
2009-03-14 21:21 . 2009-03-14 21:21 5197 ----a-w c:\windows\b9fzir9095.exe
2009-03-14 12:28 . 2009-03-14 12:28 3043 ----a-w c:\windows\5c58addwaze9299.dll
2009-03-11 03:40 . 2009-03-11 03:40 15784 ----a-w c:\windows\13c5i9z113.exe
2009-03-09 20:15 . 2009-03-09 20:15 15513 ----a-w c:\windows\system32\241adz9nloader2305.bin
2009-03-09 10:19 . 2008-12-07 00:51 410984 ----a-w c:\windows\system32\deploytk.dll
2009-03-08 16:20 . 2009-03-08 16:20 16135 ----a-w c:\windows\z6353hac5too963d.bin
2009-03-06 14:22 . 2005-08-16 10:18 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-04 09:49 . 2009-03-04 09:49 10618 ----a-w c:\windows\99z5spy416.exe
2009-03-03 00:18 . 2005-08-16 10:18 826368 ----a-w c:\windows\system32\wininet.dll
2009-03-02 00:28 . 2009-03-02 00:28 13526 ----a-w c:\windows\5f58thief9809z.exe
2009-03-01 05:13 . 2009-03-01 05:13 16469 ----a-w c:\windows\system32\1e2t5iez9396.exe
2009-02-28 13:28 . 2009-02-28 13:28 6237 ----a-w c:\windows\system32\65f2bzckdoo93507.bin
2009-02-28 10:01 . 2009-02-28 10:01 17300 ----a-w c:\windows\system32\69cethief27z5.dll
2009-02-25 02:56 . 2009-02-25 02:56 8954 ----a-w c:\windows\system32\569ddownloadz9177.exe
2009-02-20 18:09 . 2005-08-16 10:18 78336 ----a-w c:\windows\system32\ieencode.dll
2009-02-18 00:54 . 2009-02-18 00:54 14097 ----a-w c:\windows\6z5f5ddwar93091.exe
2009-02-17 23:42 . 2009-02-17 23:42 5981 ----a-w c:\windows\22761tzoj9a25.bin
2009-02-16 17:36 . 2009-02-16 17:36 17330 ----a-w c:\windows\system32\1f2bbac9d5oz2043.exe
2006-06-19 21:05 . 2006-05-13 14:28 88 --sh--r c:\windows\system32\BE2FD993B9.sys
2006-01-05 23:38 . 2006-01-05 23:23 214722 --sha-w c:\windows\system32\vybeg.tmp
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"Aim6"="c:\program files\AIM6\aim6.exe" [2008-10-31 50480]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Dell QuickSet"="c:\progra~1\Dell\QuickSet\quickset.exe" [2005-09-01 684032]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2005-06-10 249856]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-10-01 111936]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-03-24 53408]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2006-06-15 124656]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-04-02 342312]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" - c:\windows\system32\narrator.exe [2008-04-14 53760]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2005-12-7 24576]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
2004-09-07 22:08 110592 ----a-w c:\program files\Intel\Wireless\Bin\LgNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R0 $sys$cor;$sys$cor;c:\windows\system32\drivers\$sys$cor.sys [10/6/2004 9:11 AM 10368]
R2 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [6/15/2006 2:40 AM 115952]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2/27/2009 9:10 PM 101936]
S1 $sys$crater;$sys$crater;c:\windows\system32\$sys$filesystem\crater.sys [10/7/2004 2:57 AM 11776]
S3 DMSKSSRh;DMSKSSRh;\??\c:\docume~1\ALEXIS~1\LOCALS~1\Temp\DMSKSSRh.sys --> c:\docume~1\ALEXIS~1\LOCALS~1\Temp\DMSKSSRh.sys [?]
.
Contents of the 'Scheduled Tasks' folder

2009-04-25 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-07-25 17:34]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-AOLDialer - c:\program files\Common Files\AOL\ACS\AOLDial.exe
HKLM-Run-YSearchProtection - c:\program files\Yahoo!\Search Protection\SearchProtection.exe


.
------- Supplementary Scan -------
.
uStart Page = www.aol.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
IE: &AIM Toolbar Search - c:\documents and settings\All Users\Application Data\AIM Toolbar\ieToolbar\resources\en-US\local\search.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\Alexis Aiken\Start Menu\Programs\IMVU\Run IMVU.lnk
Trusted Zone: imageservr.com\locator.cdn
Trusted Zone: sysprotect.com\scanner
DPF: {5E936384-B736-4A9E-AA93-832CA59FDCEC} - hxxp://ea-land.ea.com/download/install/setup.exe
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-16 14:57
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-3032532240-2312588317-637582772-1005\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1084)
c:\program files\Intel\Wireless\Bin\LgNotify.dll

- - - - - - - > 'explorer.exe'(4076)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Intel\Wireless\Bin\WLKEEPER.exe
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\program files\Intel\Wireless\Bin\ZCfgSvc.exe
c:\progra~1\Intel\Wireless\Bin\1XConfig.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Symantec AntiVirus\DefWatch.exe
c:\windows\ehome\ehrecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Dell\NicConfigSvc\NicConfigSvc.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\Symantec AntiVirus\Rtvscan.exe
c:\windows\ehome\mcrdsvc.exe
c:\documents and settings\Alexis Aiken\My Documents\iPod\bin\iPodService.exe
c:\program files\AIM6\aolsoftware.exe
c:\windows\system32\dllhost.exe
.
**************************************************************************
.
Completion time: 2009-05-16 15:10 - machine was rebooted
ComboFix-quarantined-files.txt 2009-05-16 20:09

Pre-Run: 842,829,824 bytes free
Post-Run: 3,782,975,488 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

351 --- E O F --- 2009-04-18 13:03

Wow, what a mess here.

Now open a new notepad file.
Input this into the notepad file:

KILLALL::

Driver::
$sys$cor
$sys$crater
DMSKSSRh

File::
c:\windows\system32\drivers\$sys$cor.sys
c:\windows\system32\55dzst9al2404.dll
c:\windows\1b5bthrz9t13791.dll
c:\windows\195629ac5toold9z.bin
c:\windows\system32\52395hrzat28413.bin
c:\windows\673zthief5279.exe
c:\windows\59afzhreat59861.bin
c:\windows\system32\9f64spyware2550z.exe
c:\windows\5555t9ief309z.bin
c:\windows\za2bspa5se9081.exe
c:\windows\system32\14195zackto5l31e.dll
c:\windows\12140no5-a-virzs2419.bin
c:\windows\9fd4downloadzr2215.exe
c:\windows\1521spyware9z43.exe
c:\windows\system32\7c5fthreat19z93.exe
c:\windows\159559zrusa0.bin
c:\windows\z95565pambot544.exe
c:\windows\26z6wor956.bin
c:\windows\system32\4c8bs95wzre3227.exe
c:\windows\system32\38f9thi5f164z.bin
c:\windows\system32\7474tr5z5a9.exe
c:\windows\system32\5520v591970z.exe
c:\windows\system32\69a4azdware29085.bin
c:\windows\205aaddware19z7.bin
c:\windows\2758zha5ktool49d.bin
c:\windows\55783zroj5859.dll
c:\windows\95175roj2z9.dll
c:\windows\5z29spywar51333.exe
c:\windows\system32\29922not-a5virzs429.exe
c:\windows\system32\2b9zaddware5006.dll
c:\windows\64a9s5yw9re156z.dll
c:\windows\system32\7b955tzal449.bin
c:\windows\system32\3895zp5mbot2ef.dll
c:\windows\8935spy7fz.exe
c:\windows\2026spy9aze5098.exe
c:\windows\45d95pywzre460.exe
c:\windows\system32\921zddwar5512.dll
c:\windows\65cfs9ywaze2192.dll
c:\windows\system32\2ee6down5o9der960z.exe
c:\windows\system32\15356not-z-virus42c9.dll
c:\windows\90855spzmbot25b.dll
c:\windows\system32\59972spzmbot129.exe
c:\windows\190965irus421z.exe
c:\windows\4b8ebzc5do9r96.bin
c:\windows\system32\19198hack5ool55z.bin
c:\windows\system32\72959hief30z9.dll
c:\windows\1542zh9cktool26e5.bin
c:\windows\656bvi5901z.exe
c:\windows\5z92s9eal2551.exe
c:\windows\3d1down5zad9r2277.bin
c:\windows\system32\69z0h5cktool6d2.exe
c:\windows\system32\18944h5ckzool59f.bin
c:\windows\system32\19457hack9ozl6c4.exe
c:\windows\system32\79z3threa520312.exe
c:\windows\system32\958dthief29z1.exe
c:\windows\63d7d9wnlo5derz857.dll
c:\windows\43fzi918215.dll
c:\windows\13b29hze5t30670.dll
c:\windows\14186zack5oo9a5.exe
c:\windows\109299py30z5.dll
c:\windows\system32\20899zackt59l4f3.exe
c:\windows\4846spywar9162z5.exe
c:\windows\dcast5al299z.exe
c:\windows\system32\5311nzt-a-viru979d.dll
c:\windows\8297zot-a-viru96495.dll
c:\windows\system32\2ef25hreaz102029.dll
c:\windows\system32\59f2sp5rsez01.dll
c:\windows\472da5dzare9409.dll
c:\windows\1z876t9o51cb.dll
c:\windows\29z5spy61a.exe
c:\windows\system32\24575wo9z55f.exe
c:\windows\system32\53a9vir227z.dll
c:\windows\system32\4f25hief9z60.exe
c:\windows\system32\35589wormze1.bin
c:\windows\909v95138z.bin
c:\windows\15802spambo9z925.bin
c:\windows\system32\41cadown95azer1001.exe
c:\windows\z09345pambot5e6.exe
c:\windows\system32\11855t5zj219.exe
c:\windows\55cda9zware2481.dll
c:\windows\system32\361995ealz77.bin
c:\windows\system32\75d4dzwnloade9425.bin
c:\windows\3695wor53z1.bin
c:\windows\system32\58afspars932z5.bin
c:\windows\system32\1305sp5zare1009.bin
c:\windows\system32\90799not-a-viz5s.exe
c:\windows\1z762spam9ot7865.bin
c:\windows\26559wzrm279.dll
c:\windows\6991d5wnloader547z.bin
c:\windows\7z04spyware5590.exe
c:\windows\system32\15071tzoj95d.dll
c:\windows\z8599sp5mb9t29f.dll
c:\windows\system32\z166troj2395.bin
c:\windows\system32\576ca5zwa9e3075.bin
c:\windows\system32\287z7s95380.bin
c:\windows\e25ad95are271z.exe
c:\windows\309z6spam5o942d.dll
c:\windows\system32\31f5backdo9rz86.bin
c:\windows\system32\6553spambzt9e7.exe
c:\windows\system32\2bbcspyw95e155z.bin
c:\windows\4959no9-z-virus6df.exe
c:\windows\15105spy4fz9.dll
c:\windows\z52029py740.bin
c:\windows\4af35dz9are1257.exe
c:\windows\system32\702259dwarz2756.exe
c:\windows\15823not-9-vir5z6dc.dll
c:\windows\system32\256479roj1dz.dll
c:\windows\system32\4z54addwar92456.dll
c:\windows\79c35owzloader1206.exe
c:\windows\system32\6a69spy5are96z.bin
c:\windows\system32\229z9spambot575.bin
c:\windows\system32\35c7sz9war52788.exe
c:\windows\system32\1266z9iru5d6.dll
c:\windows\516z9troj458.dll
c:\windows\92652troz508.bin
c:\windows\6efdaddwz9e2501.bin
c:\windows\system32\6418z5rm29e.exe
c:\windows\19z62hacktool559.bin
c:\windows\system32\5295spyware5z7.bin

Folder::
c:\windows\system32\$sys$filesystem
c:\Program Files\LimeWire

Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\LimeWire\\LimeWire.exe"=-

DDS::
DPF: {5E936384-B736-4A9E-AA93-832CA59FDCEC} - hxxp://ea-land.ea.com/download/install/setup.exe

Domains::

Save this as CFScript.txt, save it to your desktop also.
Then drag and drop CFScript.txt into combofix as seen below:


This will open combofix.exe again, agree to it's terms and allow it to run, it may want to reboot after it's done. Post the resulting log back here.

should i go back into safe mode before i do this?

Yes, stay in safe mode with networking so you can access this site, because we still have work to do after the first script.

ComboFix 09-05-16.03 - Alexis Aiken 05/16/2009 15:44.2 - NTFSx86 NETWORK
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.503.357 [GMT -5:00]
Running from: c:\documents and settings\Alexis Aiken\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\Alexis Aiken\Desktop\CFScript.txt
AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

FILE ::
c:\windows\109299py30z5.dll
c:\windows\12140no5-a-virzs2419.bin
c:\windows\13b29hze5t30670.dll
c:\windows\14186zack5oo9a5.exe
c:\windows\15105spy4fz9.dll
c:\windows\1521spyware9z43.exe
c:\windows\1542zh9cktool26e5.bin
c:\windows\15802spambo9z925.bin
c:\windows\15823not-9-vir5z6dc.dll
c:\windows\159559zrusa0.bin
c:\windows\190965irus421z.exe
c:\windows\195629ac5toold9z.bin
c:\windows\19z62hacktool559.bin
c:\windows\1b5bthrz9t13791.dll
c:\windows\1z762spam9ot7865.bin
c:\windows\1z876t9o51cb.dll
c:\windows\2026spy9aze5098.exe
c:\windows\205aaddware19z7.bin
c:\windows\26559wzrm279.dll
c:\windows\26z6wor956.bin
c:\windows\2758zha5ktool49d.bin
c:\windows\29z5spy61a.exe
c:\windows\309z6spam5o942d.dll
c:\windows\3695wor53z1.bin
c:\windows\3d1down5zad9r2277.bin
c:\windows\43fzi918215.dll
c:\windows\45d95pywzre460.exe
c:\windows\472da5dzare9409.dll
c:\windows\4846spywar9162z5.exe
c:\windows\4959no9-z-virus6df.exe
c:\windows\4af35dz9are1257.exe
c:\windows\4b8ebzc5do9r96.bin
c:\windows\516z9troj458.dll
c:\windows\5555t9ief309z.bin
c:\windows\55783zroj5859.dll
c:\windows\55cda9zware2481.dll
c:\windows\59afzhreat59861.bin
c:\windows\5z29spywar51333.exe
c:\windows\5z92s9eal2551.exe
c:\windows\63d7d9wnlo5derz857.dll
c:\windows\64a9s5yw9re156z.dll
c:\windows\656bvi5901z.exe
c:\windows\65cfs9ywaze2192.dll
c:\windows\673zthief5279.exe
c:\windows\6991d5wnloader547z.bin
c:\windows\6efdaddwz9e2501.bin
c:\windows\79c35owzloader1206.exe
c:\windows\7z04spyware5590.exe
c:\windows\8297zot-a-viru96495.dll
c:\windows\8935spy7fz.exe
c:\windows\90855spzmbot25b.dll
c:\windows\909v95138z.bin
c:\windows\92652troz508.bin
c:\windows\95175roj2z9.dll
c:\windows\9fd4downloadzr2215.exe
c:\windows\dcast5al299z.exe
c:\windows\e25ad95are271z.exe
c:\windows\system32\11855t5zj219.exe
c:\windows\system32\1266z9iru5d6.dll
c:\windows\system32\1305sp5zare1009.bin
c:\windows\system32\14195zackto5l31e.dll
c:\windows\system32\15071tzoj95d.dll
c:\windows\system32\15356not-z-virus42c9.dll
c:\windows\system32\18944h5ckzool59f.bin
c:\windows\system32\19198hack5ool55z.bin
c:\windows\system32\19457hack9ozl6c4.exe
c:\windows\system32\20899zackt59l4f3.exe
c:\windows\system32\229z9spambot575.bin
c:\windows\system32\24575wo9z55f.exe
c:\windows\system32\256479roj1dz.dll
c:\windows\system32\287z7s95380.bin
c:\windows\system32\29922not-a5virzs429.exe
c:\windows\system32\2b9zaddware5006.dll
c:\windows\system32\2bbcspyw95e155z.bin
c:\windows\system32\2ee6down5o9der960z.exe
c:\windows\system32\2ef25hreaz102029.dll
c:\windows\system32\31f5backdo9rz86.bin
c:\windows\system32\35589wormze1.bin
c:\windows\system32\35c7sz9war52788.exe
c:\windows\system32\361995ealz77.bin
c:\windows\system32\3895zp5mbot2ef.dll
c:\windows\system32\38f9thi5f164z.bin
c:\windows\system32\41cadown95azer1001.exe
c:\windows\system32\4c8bs95wzre3227.exe
c:\windows\system32\4f25hief9z60.exe
c:\windows\system32\4z54addwar92456.dll
c:\windows\system32\52395hrzat28413.bin
c:\windows\system32\5295spyware5z7.bin
c:\windows\system32\5311nzt-a-viru979d.dll
c:\windows\system32\53a9vir227z.dll
c:\windows\system32\5520v591970z.exe
c:\windows\system32\55dzst9al2404.dll
c:\windows\system32\576ca5zwa9e3075.bin
c:\windows\system32\58afspars932z5.bin
c:\windows\system32\59972spzmbot129.exe
c:\windows\system32\59f2sp5rsez01.dll
c:\windows\system32\6418z5rm29e.exe
c:\windows\system32\6553spambzt9e7.exe
c:\windows\system32\69a4azdware29085.bin
c:\windows\system32\69z0h5cktool6d2.exe
c:\windows\system32\6a69spy5are96z.bin
c:\windows\system32\702259dwarz2756.exe
c:\windows\system32\72959hief30z9.dll
c:\windows\system32\7474tr5z5a9.exe
c:\windows\system32\75d4dzwnloade9425.bin
c:\windows\system32\79z3threa520312.exe
c:\windows\system32\7b955tzal449.bin
c:\windows\system32\7c5fthreat19z93.exe
c:\windows\system32\90799not-a-viz5s.exe
c:\windows\system32\921zddwar5512.dll
c:\windows\system32\958dthief29z1.exe
c:\windows\system32\9f64spyware2550z.exe
c:\windows\system32\drivers\$sys$cor.sys
c:\windows\system32\z166troj2395.bin
c:\windows\z09345pambot5e6.exe
c:\windows\z52029py740.bin
c:\windows\z8599sp5mb9t29f.dll
c:\windows\z95565pambot544.exe
c:\windows\za2bspa5se9081.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\LimeWire
c:\program files\LimeWire\.NetworkShare\LimeWirePackedJars4.12.3.7z
c:\program files\LimeWire\.NetworkShare\LimeWirePackedJars4.12.6.7z
c:\program files\LimeWire\.NetworkShare\LimeWireWin4.12.3.exe
c:\program files\LimeWire\.NetworkShare\LimeWireWin4.12.6.exe
c:\program files\LimeWire\.NetworkShare\LimeWireWin4.14.10.exe
c:\program files\LimeWire\.NetworkShare\LimeWireWin4.16.6.exe
c:\program files\LimeWire\.NetworkShare\LimeWireWin4.16.7.exe
c:\program files\LimeWire\.NetworkShare\LimeWireWin4.18.3.exe
c:\program files\LimeWire\.NetworkShare\LimeWireWin4.18.8.exe
c:\program files\LimeWire\.NetworkShare\LimeWireWin5.1.2.exe
c:\program files\LimeWire\Buy LimeWire PRO.url
c:\program files\LimeWire\COPYING
c:\program files\LimeWire\data.ser
c:\program files\LimeWire\inspection.props
c:\program files\LimeWire\install.log
c:\program files\LimeWire\language.prop
c:\program files\LimeWire\lib\additional_resources.jar
c:\program files\LimeWire\lib\aopalliance.jar
c:\program files\LimeWire\lib\AppFramework.jar
c:\program files\LimeWire\lib\base64-2.2.2.jar
c:\program files\LimeWire\lib\clink.jar
c:\program files\LimeWire\lib\commons-codec-1.3.jar
c:\program files\LimeWire\lib\commons-logging.jar
c:\program files\LimeWire\lib\commons-math-1.2.jar
c:\program files\LimeWire\lib\daap.jar
c:\program files\LimeWire\lib\dnsjava-2.0.6.jar
c:\program files\LimeWire\lib\EventBus-1.2b.jar
c:\program files\LimeWire\lib\gettext-commons.jar
c:\program files\LimeWire\lib\glazedlists-1.7.0_java15.jar
c:\program files\LimeWire\lib\guice-assistedinject-snapshot.jar
c:\program files\LimeWire\lib\guice-snapshot.jar
c:\program files\LimeWire\lib\hashes
c:\program files\LimeWire\lib\hsqldb.jar
c:\program files\LimeWire\lib\httpclient-4.0-beta1.jar
c:\program files\LimeWire\lib\httpcore-4.0-beta2.jar
c:\program files\LimeWire\lib\httpcore-nio-4.0-beta2.jar
c:\program files\LimeWire\lib\icu4j.jar
c:\program files\LimeWire\lib\iTunes-0.0.1.jar
c:\program files\LimeWire\lib\jacob-1.14.1-x64.dll
c:\program files\LimeWire\lib\jacob-1.14.1-x86.dll
c:\program files\LimeWire\lib\jacob-1.14.1.jar
c:\program files\LimeWire\lib\jaudiotagger.jar
c:\program files\LimeWire\lib\jcip-annotations.jar
c:\program files\LimeWire\lib\jcraft.jar
c:\program files\LimeWire\lib\jdic.dll
c:\program files\LimeWire\lib\jdic.jar
c:\program files\LimeWire\lib\jdic_stub.jar
c:\program files\LimeWire\lib\jflac.jar
c:\program files\LimeWire\lib\jl.jar
c:\program files\LimeWire\lib\jmdns.jar
c:\program files\LimeWire\lib\jna.jar
c:\program files\LimeWire\lib\jogg.jar
c:\program files\LimeWire\lib\jorbis.jar
c:\program files\LimeWire\lib\jxlayer.jar
c:\program files\LimeWire\lib\LimeWire.ico
c:\program files\LimeWire\lib\LimeWire.jar
c:\program files\LimeWire\lib\log4j.jar
c:\program files\LimeWire\lib\log4j.properties
c:\program files\LimeWire\lib\messages.jar
c:\program files\LimeWire\lib\miglayout.jar
c:\program files\LimeWire\lib\mozdom4java.jar
c:\program files\LimeWire\lib\MozillaGlue-1.9.jar
c:\program files\LimeWire\lib\MozillaInterfaces-1.9.jar
c:\program files\LimeWire\lib\mozswing.jar
c:\program files\LimeWire\lib\mp3spi.jar
c:\program files\LimeWire\lib\onion-common.jar
c:\program files\LimeWire\lib\onion-fec.jar
c:\program files\LimeWire\lib\smack.jar
c:\program files\LimeWire\lib\smackx-debug.jar
c:\program files\LimeWire\lib\smackx.jar
c:\program files\LimeWire\lib\swing-worker-1.1.jar
c:\program files\LimeWire\lib\swingx-0.9.4.jar
c:\program files\LimeWire\lib\SystemUtilities.dll
c:\program files\LimeWire\lib\SystemUtilitiesA.dll
c:\program files\LimeWire\lib\tritonus.jar
c:\program files\LimeWire\lib\UnpackedJars.7z
c:\program files\LimeWire\lib\vorbisspi.jar
c:\program files\LimeWire\LimeWire On Startup.lnk
c:\program files\LimeWire\LimeWire.exe
c:\program files\LimeWire\LimeWire.ico
c:\program files\LimeWire\pmf.ico
c:\program files\LimeWire\root\magnet10\badge.img
c:\program files\LimeWire\root\magnet10\canHandle.img
c:\program files\LimeWire\root\magnet10\limewire.gif
c:\program files\LimeWire\root\magnet10\options.js
c:\program files\LimeWire\root\magnet10\silentdetect.js
c:\program files\LimeWire\SOURCE
c:\program files\LimeWire\spacer.gif
c:\program files\LimeWire\uninstall.exe
c:\program files\LimeWire\unpack.log
c:\windows\109299py30z5.dll
c:\windows\12140no5-a-virzs2419.bin
c:\windows\13b29hze5t30670.dll
c:\windows\14186zack5oo9a5.exe
c:\windows\15105spy4fz9.dll
c:\windows\1521spyware9z43.exe
c:\windows\1542zh9cktool26e5.bin
c:\windows\15802spambo9z925.bin
c:\windows\15823not-9-vir5z6dc.dll
c:\windows\159559zrusa0.bin
c:\windows\190965irus421z.exe
c:\windows\195629ac5toold9z.bin
c:\windows\19z62hacktool559.bin
c:\windows\1b5bthrz9t13791.dll
c:\windows\1z762spam9ot7865.bin
c:\windows\1z876t9o51cb.dll
c:\windows\2026spy9aze5098.exe
c:\windows\205aaddware19z7.bin
c:\windows\26559wzrm279.dll
c:\windows\26z6wor956.bin
c:\windows\2758zha5ktool49d.bin
c:\windows\29z5spy61a.exe
c:\windows\309z6spam5o942d.dll
c:\windows\3695wor53z1.bin
c:\windows\3d1down5zad9r2277.bin
c:\windows\43fzi918215.dll
c:\windows\45d95pywzre460.exe
c:\windows\472da5dzare9409.dll
c:\windows\4846spywar9162z5.exe
c:\windows\4959no9-z-virus6df.exe
c:\windows\4af35dz9are1257.exe
c:\windows\4b8ebzc5do9r96.bin
c:\windows\516z9troj458.dll
c:\windows\5555t9ief309z.bin
c:\windows\55783zroj5859.dll
c:\windows\55cda9zware2481.dll
c:\windows\59afzhreat59861.bin
c:\windows\5z29spywar51333.exe
c:\windows\5z92s9eal2551.exe
c:\windows\63d7d9wnlo5derz857.dll
c:\windows\64a9s5yw9re156z.dll
c:\windows\656bvi5901z.exe
c:\windows\65cfs9ywaze2192.dll
c:\windows\673zthief5279.exe
c:\windows\6991d5wnloader547z.bin
c:\windows\6efdaddwz9e2501.bin
c:\windows\79c35owzloader1206.exe
c:\windows\7z04spyware5590.exe
c:\windows\8297zot-a-viru96495.dll
c:\windows\8935spy7fz.exe
c:\windows\90855spzmbot25b.dll
c:\windows\909v95138z.bin
c:\windows\92652troz508.bin
c:\windows\95175roj2z9.dll
c:\windows\9fd4downloadzr2215.exe
c:\windows\dcast5al299z.exe
c:\windows\e25ad95are271z.exe
c:\windows\system32\$sys$filesystem
c:\windows\system32\$sys$filesystem\$sys$parking
c:\windows\system32\$sys$filesystem\crater.sys
c:\windows\system32\$sys$filesystem\DbgHelp.dll
c:\windows\system32\$sys$filesystem\oct.sys
c:\windows\system32\$sys$filesystem\Unicows.dll
c:\windows\system32\11855t5zj219.exe
c:\windows\system32\1266z9iru5d6.dll
c:\windows\system32\1305sp5zare1009.bin
c:\windows\system32\14195zackto5l31e.dll
c:\windows\system32\15071tzoj95d.dll
c:\windows\system32\15356not-z-virus42c9.dll
c:\windows\system32\18944h5ckzool59f.bin
c:\windows\system32\19198hack5ool55z.bin
c:\windows\system32\19457hack9ozl6c4.exe
c:\windows\system32\20899zackt59l4f3.exe
c:\windows\system32\229z9spambot575.bin
c:\windows\system32\24575wo9z55f.exe
c:\windows\system32\256479roj1dz.dll
c:\windows\system32\287z7s95380.bin
c:\windows\system32\29922not-a5virzs429.exe
c:\windows\system32\2b9zaddware5006.dll
c:\windows\system32\2bbcspyw95e155z.bin
c:\windows\system32\2ee6down5o9der960z.exe
c:\windows\system32\2ef25hreaz102029.dll
c:\windows\system32\31f5backdo9rz86.bin
c:\windows\system32\35589wormze1.bin
c:\windows\system32\35c7sz9war52788.exe
c:\windows\system32\361995ealz77.bin
c:\windows\system32\3895zp5mbot2ef.dll
c:\windows\system32\38f9thi5f164z.bin
c:\windows\system32\41cadown95azer1001.exe
c:\windows\system32\4c8bs95wzre3227.exe
c:\windows\system32\4f25hief9z60.exe
c:\windows\system32\4z54addwar92456.dll
c:\windows\system32\52395hrzat28413.bin
c:\windows\system32\5295spyware5z7.bin
c:\windows\system32\5311nzt-a-viru979d.dll
c:\windows\system32\53a9vir227z.dll
c:\windows\system32\5520v591970z.exe
c:\windows\system32\55dzst9al2404.dll
c:\windows\system32\576ca5zwa9e3075.bin
c:\windows\system32\58afspars932z5.bin
c:\windows\system32\59972spzmbot129.exe
c:\windows\system32\59f2sp5rsez01.dll
c:\windows\system32\6418z5rm29e.exe
c:\windows\system32\6553spambzt9e7.exe
c:\windows\system32\69a4azdware29085.bin
c:\windows\system32\69z0h5cktool6d2.exe
c:\windows\system32\6a69spy5are96z.bin
c:\windows\system32\702259dwarz2756.exe
c:\windows\system32\72959hief30z9.dll
c:\windows\system32\7474tr5z5a9.exe
c:\windows\system32\75d4dzwnloade9425.bin
c:\windows\system32\79z3threa520312.exe
c:\windows\system32\7b955tzal449.bin
c:\windows\system32\7c5fthreat19z93.exe
c:\windows\system32\90799not-a-viz5s.exe
c:\windows\system32\921zddwar5512.dll
c:\windows\system32\958dthief29z1.exe
c:\windows\system32\9f64spyware2550z.exe
c:\windows\system32\drivers\$sys$cor.sys
c:\windows\system32\z166troj2395.bin
c:\windows\z09345pambot5e6.exe
c:\windows\z52029py740.bin
c:\windows\z8599sp5mb9t29f.dll
c:\windows\z95565pambot544.exe
c:\windows\za2bspa5se9081.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_$SYS$ARIES
-------\Legacy_$SYS$COR
-------\Legacy_CD_PROXY
-------\Legacy_DMSKSSRH
-------\Legacy_NPF
-------\Service_$sys$cor
-------\Service_$sys$crater
-------\Service_DMSKSSRh


((((((((((((((((((((((((( Files Created from 2009-04-16 to 2009-05-16 )))))))))))))))))))))))))))))))
.

2009-05-16 19:45 . 2009-05-16 19:45 552 ----a-w c:\windows\system32\d3d8caps.dat
2009-05-16 18:03 . 2009-05-16 18:03 -------- d-----w c:\program files\Trend Micro
2009-05-14 13:00 . 2009-05-14 13:00 -------- d-----w c:\documents and settings\Alexis Aiken\Local Settings\Application Data\AIM Toolbar
2009-05-14 12:42 . 2009-05-14 12:42 -------- d-----w c:\program files\Enigma Software Group
2009-05-14 12:18 . 2009-05-14 19:18 -------- d-----w c:\program files\Exterminate It!
2009-05-10 18:38 . 2009-05-14 13:03 -------- d-----w c:\documents and settings\Alexis Aiken\Application Data\GetRightToGo
2009-05-10 18:30 . 2009-05-14 19:21 -------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-05-10 13:45 . 2009-05-10 13:45 17946 ----a-w c:\windows\2358hacztool3549.dll
2009-05-01 15:37 . 2009-05-01 15:37 -------- d-----w c:\program files\HDQuality
2009-05-01 07:03 . 2009-05-01 07:03 17313 ----a-w c:\windows\system32\31199pywa5ez842.bin
2009-04-27 14:58 . 2009-04-27 14:58 5570 ----a-w c:\windows\system32\5z897spa9bot361.dll
2009-04-27 07:04 . 2009-04-27 07:04 15848 ----a-w c:\windows\15617no9-a-virzs5d.bin
2009-04-26 19:18 . 2009-04-26 19:18 15243 ----a-w c:\windows\system32\18155z5r94a3.exe
2009-04-25 06:40 . 2009-04-25 06:40 9162 ----a-w c:\windows\system32\557addware929z.bin
2009-04-24 17:27 . 2009-04-24 17:27 4754 ----a-w c:\windows\30570z5rm393.bin
2009-04-24 03:38 . 2009-04-24 03:38 3835 ----a-w c:\windows\system32\6c99vzr2415.bin
2009-04-22 13:31 . 2009-04-22 13:31 13397 ----a-w c:\windows\system32\2154spzr9e330.bin
2009-04-19 19:05 . 2009-04-19 19:05 3392 ----a-w c:\windows\129z9ha5ktool759.exe
2009-04-19 12:23 . 2009-04-19 12:23 13921 ----a-w c:\windows\4479sparsz615.exe
2009-04-18 13:47 . 2009-04-18 13:47 6092 ----a-w c:\windows\system32\45149ot5a-virusz48.bin
2009-04-17 00:18 . 2009-03-06 14:22 284160 ------w c:\windows\system32\dllcache\pdh.dll
2009-04-17 00:18 . 2009-02-06 10:39 35328 ------w c:\windows\system32\dllcache\sc.exe
2009-04-17 00:18 . 2009-02-09 12:10 401408 ------w c:\windows\system32\dllcache\rpcss.dll
2009-04-17 00:18 . 2009-02-06 11:11 110592 ------w c:\windows\system32\dllcache\services.exe
2009-04-17 00:18 . 2009-02-09 12:10 473600 ------w c:\windows\system32\dllcache\fastprox.dll
2009-04-17 00:18 . 2009-02-06 10:10 227840 ------w c:\windows\system32\dllcache\wmiprvse.exe
2009-04-17 00:18 . 2009-02-09 12:10 453120 ------w c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-17 00:18 . 2009-02-09 12:10 729088 ------w c:\windows\system32\dllcache\lsasrv.dll
2009-04-17 00:18 . 2009-02-09 12:10 617472 ------w c:\windows\system32\dllcache\advapi32.dll
2009-04-17 00:18 . 2009-02-09 12:10 714752 ------w c:\windows\system32\dllcache\ntdll.dll
2009-04-17 00:18 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll
2009-04-17 00:18 . 2008-04-21 12:08 215552 ------w c:\windows\system32\dllcache\wordpad.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-16 20:50 . 2009-02-28 01:24 -------- d-----w c:\program files\Symantec AntiVirus
2009-05-16 18:30 . 2005-12-07 16:49 -------- d-----w c:\program files\Viewpoint
2009-05-14 23:04 . 2007-07-09 16:26 664 ----a-w c:\windows\system32\d3d9caps.dat
2009-05-10 13:45 . 2009-05-10 13:45 8820 ----a-w c:\windows\system32\5bf2st5al1952z.dll
2009-05-07 23:33 . 2006-01-14 03:56 104 --sh--r c:\windows\system32\B993D92FBE.sys
2009-05-07 23:33 . 2006-01-14 03:56 7518 --sha-w c:\windows\system32\KGyGaAvL.sys
2009-04-13 01:40 . 2009-04-13 01:40 8230 ----a-w c:\windows\system32\1805not-z-vi9u589.exe
2009-04-11 18:25 . 2009-04-11 18:25 9422 ----a-w c:\windows\system32\174059ozmf5.dll
2009-04-11 18:18 . 2005-12-07 16:41 -------- d-----w c:\program files\Java
2009-04-10 21:36 . 2009-04-10 21:36 6077 ----a-w c:\windows\system32\21650viru599dz.dll
2009-04-09 17:20 . 2009-04-09 17:20 6406 ----a-w c:\windows\52327hac9tool667z.dll
2009-04-09 02:32 . 2009-04-09 02:32 6522 ----a-w c:\windows\system32\5519spa5bot5f4z.exe
2009-04-08 16:56 . 2009-04-08 16:56 7491 ----a-w c:\windows\100cadz59re1811.bin
2009-04-07 16:27 . 2009-04-07 16:27 2767 ----a-w c:\windows\zb93addware2564.exe
2009-04-07 03:03 . 2009-04-07 03:03 16839 ----a-w c:\windows\system32\673fad5warez94.exe
2009-04-07 00:17 . 2009-04-07 00:16 -------- d-----w c:\program files\iTunes
2009-04-07 00:16 . 2007-06-30 15:39 -------- d-----w c:\program files\Common Files\Apple
2009-04-06 08:54 . 2009-04-06 08:54 16725 ----a-w c:\windows\system32\6e57s5eal9195z.bin
2009-04-05 00:37 . 2009-04-05 00:37 17306 ----a-w c:\windows\system32\2ac6zp5rs91684.dll
2009-04-02 11:14 . 2009-04-02 11:14 13554 ----a-w c:\windows\system32\78225iz491.bin
2009-04-01 11:15 . 2009-04-01 11:15 6417 ----a-w c:\windows\5cdaspy9ar5111z.dll
2009-03-28 21:21 . 2009-03-28 21:21 10181 ----a-w c:\windows\20692hackt5ol11z.exe
2009-03-26 21:25 . 2009-03-26 21:25 6848 ----a-w c:\windows\system32\12681not9a-viru563z.dll
2009-03-25 03:18 . 2009-03-25 03:18 16199 ----a-w c:\windows\system32\519zadd9are1511.bin
2009-03-24 15:10 . 2009-03-24 15:10 4085 ----a-w c:\windows\system32\193995acztool4c6.dll
2009-03-24 10:46 . 2009-03-24 10:46 15603 ----a-w c:\windows\system32\2302vi928z5.exe
2009-03-24 03:32 . 2009-03-24 03:32 14796 ----a-w c:\windows\system32\3ff9thi5f26z4.bin
2009-03-22 15:58 . 2009-03-22 15:58 3405 ----a-w c:\windows\51964spyz92.exe
2009-03-20 10:59 . 2009-03-20 10:59 8986 ----a-w c:\windows\789a95arsz2235.exe
2009-03-19 21:32 . 2008-01-29 17:01 23400 ----a-w c:\windows\system32\drivers\GEARAspiWDM.sys
2009-03-15 13:46 . 2009-03-15 13:46 8759 ----a-w c:\windows\30729zars5793.dll
2009-03-14 21:21 . 2009-03-14 21:21 5197 ----a-w c:\windows\b9fzir9095.exe
2009-03-14 12:28 . 2009-03-14 12:28 3043 ----a-w c:\windows\5c58addwaze9299.dll
2009-03-11 03:40 . 2009-03-11 03:40 15784 ----a-w c:\windows\13c5i9z113.exe
2009-03-09 20:15 . 2009-03-09 20:15 15513 ----a-w c:\windows\system32\241adz9nloader2305.bin
2009-03-09 10:19 . 2008-12-07 00:51 410984 ----a-w c:\windows\system32\deploytk.dll
2009-03-08 16:20 . 2009-03-08 16:20 16135 ----a-w c:\windows\z6353hac5too963d.bin
2009-03-06 14:22 . 2005-08-16 10:18 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-04 09:49 . 2009-03-04 09:49 10618 ----a-w c:\windows\99z5spy416.exe
2009-03-03 00:18 . 2005-08-16 10:18 826368 ----a-w c:\windows\system32\wininet.dll
2009-03-02 00:28 . 2009-03-02 00:28 13526 ----a-w c:\windows\5f58thief9809z.exe
2009-03-01 05:13 . 2009-03-01 05:13 16469 ----a-w c:\windows\system32\1e2t5iez9396.exe
2009-02-28 13:28 . 2009-02-28 13:28 6237 ----a-w c:\windows\system32\65f2bzckdoo93507.bin
2009-02-28 10:01 . 2009-02-28 10:01 17300 ----a-w c:\windows\system32\69cethief27z5.dll
2009-02-25 02:56 . 2009-02-25 02:56 8954 ----a-w c:\windows\system32\569ddownloadz9177.exe
2009-02-20 18:09 . 2005-08-16 10:18 78336 ----a-w c:\windows\system32\ieencode.dll
2009-02-18 00:54 . 2009-02-18 00:54 14097 ----a-w c:\windows\6z5f5ddwar93091.exe
2009-02-17 23:42 . 2009-02-17 23:42 5981 ----a-w c:\windows\22761tzoj9a25.bin
2009-02-16 17:36 . 2009-02-16 17:36 17330 ----a-w c:\windows\system32\1f2bbac9d5oz2043.exe
2006-06-19 21:05 . 2006-05-13 14:28 88 --sh--r c:\windows\system32\BE2FD993B9.sys
2006-01-05 23:38 . 2006-01-05 23:23 214722 --sha-w c:\windows\system32\vybeg.tmp
.

((((((((((((((((((((((((((((( SnapShot@2009-05-16_20.00.31 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-05-16 20:49 . 2009-05-16 20:49 16384 c:\windows\temp\Perflib_Perfdata_780.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"Aim6"="c:\program files\AIM6\aim6.exe" [2008-10-31 50480]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Dell QuickSet"="c:\progra~1\Dell\QuickSet\quickset.exe" [2005-09-01 684032]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2005-06-10 249856]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-10-01 111936]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-03-24 53408]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2006-06-15 124656]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-04-02 342312]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" - c:\windows\system32\narrator.exe [2008-04-14 53760]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2005-12-7 24576]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
2004-09-07 22:08 110592 ----a-w c:\program files\Intel\Wireless\Bin\LgNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R2 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [6/15/2006 2:40 AM 115952]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2/27/2009 9:10 PM 101936]

--- Other Services/Drivers In Memory ---

*Deregistered* - SSDPSRV
*Deregistered* - Symantec AntiVirus
*Deregistered* - TapiSrv
*Deregistered* - TermService
*Deregistered* - Themes
*Deregistered* - TrkWks
*Deregistered* - w32time
*Deregistered* - WebClient
*Deregistered* - winmgmt
*Deregistered* - WLANKEEPER
*Deregistered* - wscsvc
*Deregistered* - wuauserv
*Deregistered* - WZCSVC
.
Contents of the 'Scheduled Tasks' folder

2009-04-25 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-07-25 17:34]
.
.
------- Supplementary Scan -------
.
uStart Page = www.aol.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
IE: &AIM Toolbar Search - c:\documents and settings\All Users\Application Data\AIM Toolbar\ieToolbar\resources\en-US\local\search.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\Alexis Aiken\Start Menu\Programs\IMVU\Run IMVU.lnk
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-16 15:54
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-3032532240-2312588317-637582772-1005\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1092)
c:\program files\Intel\Wireless\Bin\LgNotify.dll

- - - - - - - > 'explorer.exe'(2352)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Intel\Wireless\Bin\WLKEEPER.exe
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Symantec AntiVirus\DefWatch.exe
c:\windows\ehome\ehrecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Dell\NicConfigSvc\NicConfigSvc.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\Symantec AntiVirus\Rtvscan.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\dllhost.exe
c:\program files\Intel\Wireless\Bin\ZCfgSvc.exe
c:\progra~1\Intel\Wireless\Bin\1XConfig.exe
c:\documents and settings\Alexis Aiken\My Documents\iPod\bin\iPodService.exe
c:\program files\AIM6\aolsoftware.exe
.
**************************************************************************
.
Completion time: 2009-05-16 16:04 - machine was rebooted
ComboFix-quarantined-files.txt 2009-05-16 21:03
ComboFix2.txt 2009-05-16 20:10

Pre-Run: 4,314,927,104 bytes free
Post-Run: 3,726,856,192 bytes free

572 --- E O F --- 2009-04-18 13:03

Now open a new notepad file.
Input this into the notepad file:

KILLALL::

File::
c:\windows\2358hacztool3549.dll
c:\windows\system32\31199pywa5ez842.bin
c:\windows\system32\5z897spa9bot361.dll
c:\windows\15617no9-a-virzs5d.bin
c:\windows\system32\18155z5r94a3.exe
c:\windows\system32\557addware929z.bin
c:\windows\30570z5rm393.bin
c:\windows\system32\6c99vzr2415.bin
c:\windows\system32\2154spzr9e330.bin
c:\windows\129z9ha5ktool759.exe
c:\windows\4479sparsz615.exe
c:\windows\system32\45149ot5a-virusz48.bin
c:\windows\system32\1805not-z-vi9u589.exe
c:\windows\system32\174059ozmf5.dll
c:\windows\system32\21650viru599dz.dll
c:\windows\52327hac9tool667z.dll
c:\windows\system32\5519spa5bot5f4z.exe
c:\windows\100cadz59re1811.bin
c:\windows\zb93addware2564.exe
c:\windows\system32\673fad5warez94.exe
c:\windows\system32\6e57s5eal9195z.bin
c:\windows\system32\2ac6zp5rs91684.dll
c:\windows\system32\78225iz491.bin
c:\windows\5cdaspy9ar5111z.dll
c:\windows\20692hackt5ol11z.exe
c:\windows\system32\12681not9a-viru563z.dll
c:\windows\system32\519zadd9are1511.bin
c:\windows\system32\193995acztool4c6.dll
c:\windows\system32\2302vi928z5.exe
c:\windows\system32\3ff9thi5f26z4.bin
c:\windows\51964spyz92.exe
c:\windows\789a95arsz2235.exe
c:\windows\30729zars5793.dll
c:\windows\b9fzir9095.exe
c:\windows\5c58addwaze9299.dll
c:\windows\13c5i9z113.exe
c:\windows\system32\241adz9nloader2305.bin
c:\windows\z6353hac5too963d.bin
c:\windows\99z5spy416.exe
c:\windows\5f58thief9809z.exe
c:\windows\system32\1e2t5iez9396.exe
c:\windows\system32\65f2bzckdoo93507.bin
c:\windows\system32\69cethief27z5.dll
c:\windows\system32\569ddownloadz9177.exe
c:\windows\6z5f5ddwar93091.exe
c:\windows\22761tzoj9a25.bin
c:\windows\system32\1f2bbac9d5oz2043.exe
c:\windows\system32\vybeg.tmp

Folder::
c:\program files\Viewpoint

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=-

Save this as CFScript.txt, save it to your desktop also.
Then drag and drop CFScript.txt into combofix as seen below:


This will open combofix.exe again, agree to it's terms and allow it to run, it may want to reboot after it's done. Post the resulting log back here.