GeekPolice
Little help required please
Downloaded a video file and played it through Windows Media Player. WMP downloaded some codec, I forgot what it was called, but I removed it from Add/Remove Programs urgently.

Since that happened, when I go on to Google and search for something I get the normal list of links for what I have searched. I then click on the 1st link and it opens up a new window (used to open in the same window), but the 1st time it goes to some site completely different. I could search Arsenal, and when I click that link for www.arsenal.com it opens up a new window and goes to YouTube and starts playing Girls Aloud, or it will open up a MySpace page (Gunsmoke). So firstly it's opening up in a new window, leaving the 1st window with the searched items there, odd, and 2ndly it's opening up random other sites, strange...

I came to a site that said to download MALWAREBYTES, I click the link for it and get ERROR PAGE CANNOT BE FOUND.
Tried about 10 different links from 10 different places and all the same, no page can be found...
Installed Malwarebytes finally and now it won't open.
Installing Spybot Search and Destroy from disc and from the internet crashes the laptop and gives the blue memory dump screen.
Went on the Microsoft website, tried to download the Malicious Software Removal Tool, all I got was page cannot be found.
I try to install AVG, all I get is an error at the end.
Try to open Kaspersky links to download or install, all I get is page not found.
Seems anything that will help remove whatever I've got is blocked.

Any help would be appreciated, many thanks in advance.

Any information required, please ask and I will get it for you, thanks.

Re: Little help required please
Please download the current version of HijackThis from HERE

  • Double click and run the installer.
  • It will install to C:\Program Files\Trend Micro\HijackThis\hijackthis.exe
  • After installing, you should get the user agreement, press accept and Hijack This will run.
  • Select Do a system scan and save a log file. This will open a notepad file of everything Hijack This found, copy and paste it back here.

Re: Little help required please
Hi, thanks for the quick reply.
I did as you said; the 1st time it crashed me to the blue memory dump screen.
The 2nd time it installed, it's there in Program Files etc.
I double click it but it WON'T open up.

Re: Little help required please
Find Hijack This inside the Trend Micro folder in Program Files.
Right click > Rename.

Rename it to whatever you want to; it doesn't matter what it's called.

Re: Little help required please
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:18:43, on 31/05/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18226)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\RtHDVCpl.exe
C:\Acer\Empowering Technology\eDataSecurity\eDSLoader.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Windows\system32\igfxsrvc.exe
C:\Users\LISA4J~1\AppData\Local\Temp\RtkBtMnt.exe
C:\Program Files\Launch Manager\LManager.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Apoint2K\ApMsgFwd.exe
C:\Acer\Empowering Technology\EPOWER\EPOWER_DMC.EXE
C:\Windows\system32\igfxext.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Windows\system32\igfxsrvc.exe
C:\Acer\Empowering Technology\ACER.EMPOWERING.FRAMEWORK.SUPERVISOR.EXE
C:\Program Files\Trend Micro\HijackThis\eatshit.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://uk.rd.yahoo.com/customize/ycomp/defaults/sp/*http://uk.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://en.uk.acer.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://en.uk.acer.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.rd.yahoo.com/customize/ycomp/defaults/su/*http://uk.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
R3 - URLSearchHook: TorrentMan Toolbar - {7c5c0f58-e061-457d-9033-77307f5ed00c} - C:\Program Files\TorrentMan\tbTorr.dll
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: TorrentMan Toolbar - {7c5c0f58-e061-457d-9033-77307f5ed00c} - C:\Program Files\TorrentMan\tbTorr.dll
O2 - BHO: ShowBarObj Class - {83A2F9B1-01A2-4AA5-87D1-45B6B8505E96} - C:\Windows\system32\ActiveToolBand.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL (file missing)
O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\Windows\system32\eDStoolbar.dll
O3 - Toolbar: TorrentMan Toolbar - {7c5c0f58-e061-457d-9033-77307f5ed00c} - C:\Program Files\TorrentMan\tbTorr.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL (file missing)
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [eDataSecurity Loader] C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [SetPanel] C:\Acer\APanel\APanel.cmd
O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\LManager.exe
O4 - HKLM\..\Run: [WarReg_PopUp] C:\Acer\WR_PopUp\WarReg_PopUp.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [Acer Tour Reminder] C:\Acer\AcerTour\Reminder.exe
O4 - HKLM\..\Run: [Skytel] Skytel.exe
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [Acer Tour Reminder] C:\Acer\AcerTour\Reminder.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Acer Tour Reminder] C:\Acer\AcerTour\Reminder.exe (User 'Default user')
O4 - Global Startup: Empowering Technology Launcher.lnk = ?
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2AEC3DE6-CA55-4741-9B18-3F7B52AAA50A}: NameServer = 85.255.112.69,85.255.112.209
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.112.69,85.255.112.209
O17 - HKLM\System\CS1\Services\Tcpip\..\{2AEC3DE6-CA55-4741-9B18-3F7B52AAA50A}: NameServer = 85.255.112.69,85.255.112.209
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.112.69,85.255.112.209
O17 - HKLM\System\CS2\Services\Tcpip\..\{2AEC3DE6-CA55-4741-9B18-3F7B52AAA50A}: NameServer = 85.255.112.69,85.255.112.209
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.112.69,85.255.112.209
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll (file missing)
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\Windows\system32\agrsmsvc.exe
O23 - Service: eDataSecurity Service - HiTRSUT - C:\Acer\Empowering Technology\eDataSecurity\eDSService.exe
O23 - Service: eLock Service (eLockService) - Acer Inc. - C:\Acer\Empowering Technology\eLock\Service\eLockServ.exe
O23 - Service: eNet Service - Acer Inc. - C:\Acer\Empowering Technology\eNet\eNet Service.exe
O23 - Service: Symantec Eraser Service (EraserSvc10910) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: eSettings Service (eSettingsService) - Unknown owner - C:\Acer\Empowering Technology\eSettings\Service\capuserv.exe
O23 - Service: Google Update Service (gupdate1c9c348f584b505) (gupdate1c9c348f584b505) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: MobilityService - Unknown owner - C:\Acer\Mobility Center\MobilityService.exe
O23 - Service: ePower Service (WMIService) - acer - C:\Acer\Empowering Technology\ePower\ePowerSvc.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 8355 bytes

Re: Little help required please

  • Open HijackThis
  • Choose "Do a system scan only"
  • Check the boxes in front of these lines:


    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://uk.rd.yahoo.com/customize/ycomp/defaults/sp/*http://uk.yahoo.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.rd.yahoo.com/customize/ycomp/defaults/su/*http://uk.yahoo.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R3 - URLSearchHook: TorrentMan Toolbar - {7c5c0f58-e061-457d-9033-77307f5ed00c} - C:\Program Files\TorrentMan\tbTorr.dll
    O1 - Hosts: ::1 localhost
    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
    O2 - BHO: TorrentMan Toolbar - {7c5c0f58-e061-457d-9033-77307f5ed00c} - C:\Program Files\TorrentMan\tbTorr.dll
    O3 - Toolbar: TorrentMan Toolbar - {7c5c0f58-e061-457d-9033-77307f5ed00c} - C:\Program Files\TorrentMan\tbTorr.dll
    O17 - HKLM\System\CCS\Services\Tcpip\..\{2AEC3DE6-CA55-4741-9B18-3F7B52AAA50A}: NameServer = 85.255.112.69,85.255.112.209
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.112.69,85.255.112.209
    O17 - HKLM\System\CS1\Services\Tcpip\..\{2AEC3DE6-CA55-4741-9B18-3F7B52AAA50A}: NameServer = 85.255.112.69,85.255.112.209
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.112.69,85.255.112.209
    O17 - HKLM\System\CS2\Services\Tcpip\..\{2AEC3DE6-CA55-4741-9B18-3F7B52AAA50A}: NameServer = 85.255.112.69,85.255.112.209
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.112.69,85.255.112.209



  • Press "Fix Checked"
  • Close Hijack This.




1. If you are using Firefox, make sure that your download settings are as follows:

* Tools->Options->Main tab
* Set to "Always ask me where to Save the files".

2. During the download, rename Combofix to Combo-Fix as follows:

[Image: CF_download_FF]

[Image: CF_download_rename]

3. It is important you rename Combofix during the download, but not after.
4. Please do not rename Combofix to other names, but only to the one indicated.
5. Close any open browsers.
6. We need to disable your local AV (Anti-virus) before running Combofix.
See HERE for how to disable your AV.

  • Double click on ComboFix.exe.
  • Follow the prompts. NOTE:
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***
  • Allow combofix to run
  • Post C:\combofix.txt back here.

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
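
The fix list in the post above ticks every O17 NameServer line, which is where HijackThis reports statically configured DNS servers, along with entries whose target file is gone. As an added example (not part of the original thread and not HijackThis code), this Python sketch pulls both kinds of entry out of a log so they can be reviewed; the expected resolver range `192.168.1.0/24` is an assumption standing in for whatever the analyst knows the machine should be using.

```python
import ipaddress
import re

# Excerpt of the HijackThis log posted in this thread (trimmed to a few lines).
SAMPLE_LOG = r"""
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL (file missing)
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{2AEC3DE6-CA55-4741-9B18-3F7B52AAA50A}: NameServer = 85.255.112.69,85.255.112.209
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.112.69,85.255.112.209
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe
"""

# "<section code> - <rest of line>", e.g. "O17 - HKLM\...: NameServer = ..."
ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")
# Body of an O17 line that sets NameServer: "<registry key>: NameServer = <ip>[,<ip>...]"
O17_RE = re.compile(r"^(?P<key>HKLM\\.+?): NameServer = (?P<servers>.+)$")


def parse_entries(log_text):
    """Return (section_code, body) for every entry line; headers and the process list are skipped."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def nameserver_overrides(entries):
    """Map each registry key carrying a static NameServer value to its list of IP addresses."""
    overrides = {}
    for code, body in entries:
        if code != "O17":
            continue
        m = O17_RE.match(body)
        if not m:
            continue  # other O17 values (Domain, SearchList) are not handled here
        servers = []
        for token in re.split(r"[,\s]+", m.group("servers").strip()):
            try:
                servers.append(ipaddress.ip_address(token))
            except ValueError:
                pass  # not an IP literal, ignore
        overrides[m.group("key")] = servers
    return overrides


def unexpected_resolvers(overrides, expected_networks):
    """Return {registry key: [ip, ...]} for resolvers outside the networks the analyst expects."""
    nets = [ipaddress.ip_network(n) for n in expected_networks]
    findings = {}
    for key, servers in overrides.items():
        odd = [str(ip) for ip in servers if not any(ip in net for net in nets)]
        if odd:
            findings[key] = odd
    return findings


def applies_to_all_adapters(overrides):
    """True when the value sits on Tcpip\\Parameters itself rather than on a single interface GUID."""
    return any(key.endswith("\\Tcpip\\Parameters") for key in overrides)


def orphaned_entries(entries):
    """Entries whose target HijackThis reported as '(no file)' or '(file missing)'."""
    return [(c, b) for c, b in entries if b.endswith(("(no file)", "(file missing)"))]


if __name__ == "__main__":
    parsed = parse_entries(SAMPLE_LOG)
    found = nameserver_overrides(parsed)
    # Assumption: this machine should resolve through a home router on 192.168.1.0/24.
    for key, ips in unexpected_resolvers(found, ["192.168.1.0/24"]).items():
        print("unexpected DNS:", key, ips)
    print("global override:", applies_to_all_adapters(found))
    for code, body in orphaned_entries(parsed):
        print("orphaned:", code, body)
```
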

Re: Little help required please
When I click on that ComboFix link it comes up to run or save; I click save and nothing happens, it just closes the box.
Click run and it goes as if going through, then nothing happens.

I did the other part, fixed the ones with HijackThis.

Re: Little help required please
Ok please do the following:



  • Please download DDS by sUBs to your Desktop (Important!!) from one of these locations:
    Link 1
    Link 2
  • Double click DDS.scr to run.
  • When complete, two logs will open. Save both of the reports to your Desktop.
  • Copy and paste DDS.txt back here, I don't need to see attach.txt.

Re: Little help required please
Same happens with this.

Re: Little help required please
Alright, let's see if this works; if not, we are going to be doing some things in safe mode 😉


1. Please download The Avenger by Swandog46 to your Desktop
Link: HERE or HERE.

  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop

Note: This tool was posted specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


2. Now, start The Avenger program by clicking on its icon on your desktop.

  • Leave the script box empty.
  • Leave the ticked box "Scan for rootkit" ticked.
  • Then tick "Disable any rootkits found"
  • Now click on the Execute to begin execution of the script.
  • Answer "Yes" twice when prompted.

    The Avenger will automatically do the following:

  • It will Restart your computer.
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
3. Please copy/paste the content of c:\avenger.txt into your reply.

Re: Little help required please
That wouldn't work also, so I'm gonna download Avenger on my PC and send it to the laptop via MSN and do it that way.


AVENGER done, just waiting for the reboot now and will grab the logfile for you...

Last edited by fubar1010 on 31st May 2009, 6:58 pm; edited 1 time in total (Reason for editing : save space :p)

Re: Little help required please
Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows Vista

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.

Hidden driver "gxvxcserv.sys" found!
ImagePath: \systemroot\system32\drivers\gxvxccqipppmqfuxhuwiyfnmxwwkybeifmnxm.sys
Driver disabled successfully.

Rootkit scan completed.


Completed script processing.

*******************

Finished! Terminate.

Re: Little help required please
1. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):


Drivers to delete:
gxvxcserv.sys

Files to delete:
C:\WINDOWS\system32\drivers\gxvxccqipppmqfuxhuwiyfnmxwwkybeifmnxm.sys


Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


2. Now, start The Avenger program by clicking on its icon on your desktop.

  • Under "Input script here:", paste in the script from the quote box above.
  • Leave the ticked box "Scan for rootkit" ticked.
  • Then tick "Disable any rootkits found"
  • Now click on the Execute to begin execution of the script.
  • Answer "Yes" twice when prompted.

    The Avenger will automatically do the following:

  • It will Restart your computer.
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
3. Please copy/paste the content of c:\avenger.txt into your reply.

Re: Little help required please
Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows Vista

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

Driver "gxvxcserv.sys" deleted successfully.
File "C:\WINDOWS\system32\drivers\gxvxccqipppmqfuxhuwiyfnmxwwkybeifmnxm.sys" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.

Re: Little help required please
Hello.
Try running Combofix now.

Re: Little help required please
ComboFix 09-05-30.06 - lisa4jock 31/05/2009 21:10.1 - NTFSx86
Microsoft®️ Windows Vista™️ Home Premium 6.0.6001.1.1252.44.1033.18.2037.1133 [GMT 1:00]
Running from: c:\users\lisa4jock\Desktop\Combo-Fix.exe
AV: AVG 7.5.560 *On-access scanning disabled* (Outdated) {41564737-3200-1071-989B-0000E87B4FB1}
FW: AVG Firewall 7.5.500 *enabled* {8DECF618-9569-4340-B34A-D78D28969B66}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Autorun.inf
c:\windows\system32\gxvxcngpvnpeeqfvcpsbroktnmesthcjqjtfb.dll
c:\windows\system32\gxvxcvuesoqkbleifplwrnqnhoboiwyubcqjb.dll
c:\windows\system32\x64
c:\windows\Tasks\{5B57CF47-0BFA-43c6-ACF9-3B3653DCADBA}.job

.
((((((((((((((((((((((((( Files Created from 2009-04-28 to 2009-05-31 )))))))))))))))))))))))))))))))
.

2009-05-31 20:13 . 2009-05-31 20:14 -------- d-----w- c:\users\lisa4jock\AppData\Local\temp
2009-05-31 19:46 . 2009-05-31 19:46 24064 ----a-w- c:\programdata\Grisoft\Avg7Data\avg7upd\install.1\avgwlx64.dll
2009-05-31 19:46 . 2009-05-31 19:46 17928 ----a-w- c:\programdata\Grisoft\Avg7Data\avg7upd\install.1\avgclnit.sys
2009-05-31 19:46 . 2009-05-31 19:46 13832 ----a-w- c:\programdata\Grisoft\Avg7Data\avg7upd\install.1\avgcln64.sys
2009-05-31 19:46 . 2009-05-31 19:46 40448 ----a-w- c:\programdata\Grisoft\Avg7Data\avg7upd\install.1\avgwli64.dll
2009-05-31 19:46 . 2009-05-31 19:46 36352 ----a-w- c:\programdata\Grisoft\Avg7Data\avg7upd\install.1\avgsea64.dll
2009-05-31 19:33 . 2009-05-31 19:19 55304 ----a-w- c:\programdata\Grisoft\Avg7Data\avg7upd\backup\avgwfp.sys
2009-05-31 19:33 . 2009-05-31 19:19 905728 ----a-w- c:\programdata\Grisoft\Avg7Data\avg7upd\backup\avgctrl.dll
2009-05-31 19:33 . 2009-05-31 19:19 582656 ----a-w- c:\programdata\Grisoft\Avg7Data\avg7upd\backup\avgcckrn.dll
2009-05-31 19:33 . 2009-05-31 19:19 579072 ----a-w- c:\programdata\Grisoft\Avg7Data\avg7upd\backup\avgcc.exe
2009-05-31 19:33 . 2009-05-31 19:19 510976 ----a-w- c:\programdata\Grisoft\Avg7Data\avg7upd\backup\avginet.exe
2009-05-31 19:33 . 2009-05-31 19:19 389632 ----a-w- c:\programdata\Grisoft\Avg7Data\avg7upd\backup\avgvv.exe
2009-05-31 19:33 . 2009-05-31 19:19 131072 ----a-w- c:\programdata\Grisoft\Avg7Data\avg7upd\backup\avginet.dll
2009-05-31 19:33 . 2009-05-31 19:19 1282560 ----a-w- c:\programdata\Grisoft\Avg7Data\avg7upd\backup\avgres.dll
2009-05-31 19:33 . 2009-05-31 19:19 435712 ----a-w- c:\programdata\Grisoft\Avg7Data\avg7upd\backup\avgabout.dll
2009-05-31 19:20 . 2009-05-31 19:30 -------- d-----w- c:\users\lisa4jock\AppData\Roaming\AVG7
2009-05-31 19:20 . 2009-05-31 19:20 9216 ----a-w- c:\windows\system32\avgwlntf.dll
2009-05-31 19:19 . 2009-05-31 19:19 10760 ----a-w- c:\windows\system32\drivers\avgclean.sys
2009-05-31 19:19 . 2009-05-31 19:47 53768 ----a-w- c:\windows\system32\drivers\avgwfp.sys
2009-05-31 19:19 . 2009-05-31 19:19 821856 ----a-w- c:\windows\system32\drivers\avg7core.sys
2009-05-31 19:19 . 2009-05-31 19:19 4224 ----a-w- c:\windows\system32\drivers\avg7rsw.sys
2009-05-31 19:19 . 2009-05-31 19:19 27776 ----a-w- c:\windows\system32\drivers\avg7rsxp.sys
2009-05-31 19:19 . 2009-05-31 19:19 26952 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-05-31 19:19 . 2009-05-31 20:03 -------- d-----w- c:\programdata\avg7
2009-05-31 19:19 . 2009-05-31 19:19 -------- d-----w- c:\programdata\Grisoft
2009-05-31 16:53 . 2009-05-31 16:53 -------- d-----w- c:\program files\Trend Micro
2009-05-31 10:46 . 2009-05-31 10:46 -------- d-----w- c:\users\lisa4jock\AppData\Roaming\Lavasoft
2009-05-31 10:46 . 2009-05-31 10:46 -------- d-----w- c:\program files\Lavasoft
2009-05-31 10:42 . 2003-10-15 22:42 150528 ----a-w- c:\windows\unSpySweeper.exe
2009-05-31 10:42 . 2009-05-31 10:42 -------- d-----w- c:\program files\Webroot
2009-05-31 10:39 . 2009-05-31 10:39 -------- d-----w- c:\program files\Kaspersky Lab
2009-05-31 10:34 . 2009-05-31 10:35 -------- d-----w- c:\program files\SpywareBlaster
2009-05-31 10:19 . 2009-05-31 10:19 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-05-28 23:57 . 2009-05-28 23:57 23832 ----a-w- c:\windows\system32\drivers\avgfwd6x.sys
2009-05-28 23:49 . 2009-05-28 23:49 -------- d-----w- c:\program files\AVG
2009-05-28 23:32 . 2009-05-28 23:32 -------- d-----w- c:\programdata\NortonInstaller
2009-05-22 16:59 . 2008-04-12 03:32 784896 ----a-w- c:\windows\system32\rpcrt4.dll
2009-05-22 16:59 . 2008-04-26 08:26 891448 ----a-w- c:\windows\system32\drivers\tcpip.sys
2009-05-22 16:59 . 2008-04-05 03:34 15360 ----a-w- c:\windows\system32\pacerprf.dll
2009-05-22 16:59 . 2008-04-05 01:21 72192 ----a-w- c:\windows\system32\drivers\pacer.sys
2009-05-21 19:27 . 2009-05-21 19:27 -------- d-----w- C:\PerfLogs
2009-05-13 23:40 . 2009-05-13 23:40 -------- d-----w- c:\users\lisa4jock\AppData\Local\Activision
2009-05-13 23:35 . 2009-05-13 23:51 -------- d-----w- C:\cod waw
2009-05-13 23:33 . 2009-05-13 23:33 -------- d-----w- c:\program files\MagicISO
2009-05-13 20:30 . 2009-05-13 20:33 -------- d-----w- c:\program files\Windows Live Safety Center
2009-05-03 14:54 . 2009-05-28 11:11 -------- d-----w- c:\users\lisa4jock\AppData\Roaming\dvdcss

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-31 18:08 . 2009-04-19 20:16 -------- d-----w- c:\program files\TorrentMan
2009-05-31 11:17 . 2009-04-19 20:48 -------- d-----w- c:\program files\BearShare
2009-05-31 10:32 . 2009-04-19 17:52 -------- d-----w- c:\program files\Yahoo!
2009-05-27 12:30 . 2009-05-27 12:30 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_00_00.Wdf
2009-05-21 19:30 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Calendar
2009-05-21 19:30 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Sidebar
2009-05-21 19:30 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2009-05-21 19:30 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Collaboration
2009-05-21 19:30 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Journal
2009-05-21 19:30 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Photo Gallery
2009-05-21 19:30 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Defender
2009-05-21 19:27 . 2006-11-02 10:25 665600 ----a-w- c:\windows\inf\drvindex.dat
2009-05-21 19:05 . 2006-11-02 10:32 101888 ----a-w- c:\windows\system32\ifxcardm.dll
2009-05-21 19:05 . 2006-11-02 10:32 82432 ----a-w- c:\windows\system32\axaltocm.dll
2009-05-13 02:05 . 2007-07-26 03:06 -------- d-----w- c:\programdata\Microsoft Help
2009-04-30 15:28 . 2009-04-30 15:28 -------- d-----w- c:\program files\DFX
2009-04-30 13:29 . 2009-04-30 13:29 2560 ----a-w- c:\windows\_MSRSTRT.EXE
2009-04-30 13:20 . 2009-04-30 13:20 -------- d-----w- c:\programdata\DFX
2009-04-30 13:20 . 2009-04-30 13:20 -------- d-----w- c:\program files\Common Files\DFX
2009-04-25 22:13 . 2009-04-25 22:13 782664 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
2009-04-22 12:51 . 2009-04-22 12:50 -------- d-----w- c:\program files\Google
2009-04-22 12:50 . 2009-04-22 12:50 -------- d-----w- c:\program files\DivX
2009-04-22 12:50 . 2009-04-22 12:50 -------- d-----w- c:\program files\Common Files\DivX Shared
2009-04-22 12:31 . 2009-04-22 11:45 -------- d-----w- c:\users\lisa4jock\AppData\Roaming\vlc
2009-04-22 11:44 . 2009-04-22 11:44 -------- d-----w- c:\program files\VideoLAN
2009-04-22 08:56 . 2009-04-22 08:56 269312 ----a-w- c:\windows\system32\es.dll
2009-04-22 08:52 . 2007-07-26 03:10 -------- d-----w- c:\program files\Microsoft Works
2009-04-20 20:41 . 2009-04-20 20:41 1915520 ----a-w- c:\users\lisa4jock\AppData\Roaming\Macromedia\Flash Player\www.macromedia.com\bin\fpupdateax\fpupdateax.exe
2009-04-20 11:02 . 2009-04-20 11:02 61440 ----a-w- c:\windows\system32\winipsec.dll
2009-04-20 11:02 . 2009-04-20 11:02 361984 ----a-w- c:\windows\system32\IPSECSVC.DLL
2009-04-20 11:02 . 2009-04-20 11:02 28672 ----a-w- c:\windows\system32\FwRemoteSvr.dll
2009-04-20 11:02 . 2009-04-20 11:02 272896 ----a-w- c:\windows\system32\polstore.dll
2009-04-20 10:59 . 2009-04-20 10:59 94720 ----a-w- c:\windows\system32\PortableDeviceClassExtension.dll
2009-04-20 10:59 . 2009-04-20 10:59 241152 ----a-w- c:\windows\system32\PortableDeviceApi.dll
2009-04-20 10:59 . 2009-04-20 10:59 160768 ----a-w- c:\windows\system32\PortableDeviceTypes.dll
2009-04-20 10:51 . 2009-04-20 10:51 376832 ----a-w- c:\windows\system32\winhttp.dll
2009-04-20 10:50 . 2009-04-20 10:50 296960 ----a-w- c:\windows\system32\gdi32.dll
2009-04-20 10:47 . 2009-04-20 10:47 212480 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2009-04-20 10:46 . 2009-04-20 10:46 562176 ----a-w- c:\windows\system32\msdtcprx.dll
2009-04-20 10:46 . 2009-04-20 10:46 38912 ----a-w- c:\windows\system32\xolehlp.dll
2009-04-20 10:43 . 2009-04-20 10:43 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2009-04-20 10:43 . 2009-04-20 10:43 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2009-04-20 10:43 . 2009-04-20 10:43 1695744 ----a-w- c:\windows\system32\gameux.dll
2009-04-20 10:41 . 2009-04-20 10:41 303616 ----a-w- c:\windows\system32\wmpeffects.dll
2009-04-20 10:40 . 2009-04-20 10:40 2048 ----a-w- c:\windows\system32\msxml3r.dll
2009-04-20 10:40 . 2009-04-20 10:40 1191936 ----a-w- c:\windows\system32\msxml3.dll
2009-04-20 02:29 . 2009-04-20 02:29 3 ----a-w- c:\windows\AFirst.cmd
2009-04-20 02:04 . 2009-04-20 02:04 2048 ----a-w- c:\windows\system32\tzres.dll
2009-04-20 02:02 . 2009-04-20 02:02 428544 ----a-w- c:\windows\system32\EncDec.dll
2009-04-20 02:02 . 2009-04-20 02:02 293376 ----a-w- c:\windows\system32\psisdecd.dll
2009-04-20 02:00 . 2009-04-20 02:00 8147456 ----a-w- c:\windows\system32\wmploc.DLL
2009-04-20 02:00 . 2009-04-20 02:00 7680 ----a-w- c:\windows\system32\spwmp.dll
2009-04-20 02:00 . 2009-04-20 02:00 4096 ----a-w- c:\windows\system32\dxmasf.dll
2009-04-20 01:53 . 2009-04-20 01:53 2927104 ----a-w- c:\windows\explorer.exe
2009-04-20 01:45 . 2009-04-20 01:45 5071872 ----a-w- c:\windows\system32\NlsModels0011.dll
2009-04-20 01:41 . 2009-04-20 01:41 6656 ----a-w- c:\windows\system32\kbd106n.dll
2009-04-20 01:41 . 2009-04-20 01:41 988216 ----a-w- c:\windows\system32\winload.exe
2009-04-20 01:41 . 2009-04-20 01:41 927288 ----a-w- c:\windows\system32\winresume.exe
2009-04-20 01:41 . 2009-04-20 01:41 40960 ----a-w- c:\windows\system32\srclient.dll
2009-04-20 01:41 . 2009-04-20 01:41 378368 ----a-w- c:\windows\system32\srcore.dll
2009-04-20 01:41 . 2009-04-20 01:41 318464 ----a-w- c:\windows\system32\rstrui.exe
2009-04-20 01:41 . 2009-04-20 01:41 14848 ----a-w- c:\windows\system32\srdelayed.exe
2009-04-20 01:41 . 2009-04-20 01:41 46592 ----a-w- c:\windows\system32\setbcdlocale.dll
2009-04-20 01:41 . 2009-04-20 01:41 19000 ----a-w- c:\windows\system32\kd1394.dll
2009-04-20 01:41 . 2009-04-20 01:41 615992 ----a-w- c:\windows\system32\ci.dll
2009-04-20 01:35 . 2009-04-20 01:35 441400 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2009-04-20 01:35 . 2009-04-20 01:35 9728 ----a-w- c:\windows\system32\lsass.exe
2009-04-20 01:35 . 2009-04-20 01:35 72704 ----a-w- c:\windows\system32\secur32.dll
2009-04-20 01:35 . 2009-04-20 01:35 1255936 ----a-w- c:\windows\system32\lsasrv.dll
2009-04-20 01:35 . 2009-04-20 01:35 24064 ----a-w- c:\windows\system32\amxread.dll
2009-04-20 01:35 . 2009-04-20 01:35 13824 ----a-w- c:\windows\system32\apilogen.dll
2009-04-20 01:33 . 2009-04-20 01:33 425472 ----a-w- c:\windows\system32\PhotoMetadataHandler.dll
2009-04-20 01:33 . 2009-04-20 01:33 712704 ----a-w- c:\windows\system32\WindowsCodecs.dll
2009-04-20 01:33 . 2009-04-20 01:33 347136 ----a-w- c:\windows\system32\WindowsCodecsExt.dll
2009-04-20 01:30 . 2009-04-20 01:30 443392 ----a-w- c:\windows\system32\win32spl.dll
2009-04-20 01:30 . 2009-04-20 01:30 37888 ----a-w- c:\windows\system32\printcom.dll
2009-04-20 01:29 . 2009-04-20 01:29 113664 ----a-w- c:\windows\system32\drivers\rmcast.sys
2009-04-20 01:29 . 2009-04-20 01:29 14848 ----a-w- c:\windows\system32\wshrm.dll
2009-04-20 01:26 . 2009-04-20 01:26 288768 ----a-w- c:\windows\system32\drivers\srv.sys
2009-04-20 01:23 . 2009-04-20 01:23 268288 ----a-w- c:\windows\system32\schannel.dll
2009-04-20 01:19 . 2009-04-20 01:19 622080 ----a-w- c:\windows\system32\icardagt.exe
2009-04-20 01:19 . 2009-04-20 01:19 97800 ----a-w- c:\windows\system32\infocardapi.dll
2009-04-20 01:19 . 2009-04-20 01:19 11264 ----a-w- c:\windows\system32\icardres.dll
2009-04-20 01:19 . 2009-04-20 01:19 105016 ----a-w- c:\windows\system32\PresentationCFFRasterizerNative_v0300.dll
2009-04-20 01:19 . 2009-04-20 01:19 781344 ----a-w- c:\windows\system32\PresentationNative_v0300.dll
2009-04-20 01:19 . 2009-04-20 01:19 43544 ----a-w- c:\windows\system32\PresentationHostProxy.dll
2009-04-20 01:19 . 2009-04-20 01:19 326160 ----a-w- c:\windows\system32\PresentationHost.exe
2009-04-20 00:59 . 2009-04-20 00:59 96760 ----a-w- c:\windows\system32\dfshim.dll
2009-04-20 00:59 . 2009-04-20 00:59 41984 ----a-w- c:\windows\system32\netfxperf.dll
2009-04-20 00:59 . 2009-04-20 00:59 282112 ----a-w- c:\windows\system32\mscoree.dll
2009-04-20 00:59 . 2009-04-20 00:59 158720 ----a-w- c:\windows\system32\mscorier.dll
2009-04-20 00:59 . 2009-04-20 00:59 83968 ----a-w- c:\windows\system32\mscories.dll
2009-04-20 00:28 . 2009-04-20 00:28 2868736 ----a-w- c:\windows\system32\mf.dll
2009-04-20 00:28 . 2009-04-20 00:28 98816 ----a-w- c:\windows\system32\mfps.dll
2009-04-20 00:28 . 2009-04-20 00:28 53248 ----a-w- c:\windows\system32\rrinstaller.exe
2009-04-20 00:28 . 2009-04-20 00:28 24576 ----a-w- c:\windows\system32\mfpmp.exe
2009-04-20 00:28 . 2009-04-20 00:28 2048 ----a-w- c:\windows\system32\mferror.dll
2009-04-20 00:28 . 2009-04-20 00:28 996352 ----a-w- c:\windows\system32\WMNetMgr.dll
2009-04-20 00:28 . 2009-04-20 00:28 94720 ----a-w- c:\windows\system32\logagent.exe
2009-04-20 00:25 . 2009-04-20 00:25 84480 ----a-w- c:\windows\system32\INETRES.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

Re: Little help required please

*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-19 1233920]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-02-06 3885408]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]
"SpySweeper"="c:\program files\Webroot\Spy Sweeper\SpySweeper.exe" [2004-02-25 665088]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"eDataSecurity Loader"="c:\acer\Empowering Technology\eDataSecurity\eDSloader.exe" [2007-04-25 457216]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-03-08 40048]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-05-25 142104]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-05-25 154392]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-05-25 138008]
"LManager"="c:\progra~1\LAUNCH~1\LManager.exe" [2007-07-16 768520]
"WarReg_PopUp"="c:\acer\WR_PopUp\WarReg_PopUp.exe" [2006-11-05 57344]
"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2007-06-06 159744]
"Acer Tour Reminder"="c:\acer\AcerTour\Reminder.exe" [2007-05-22 151552]
"AVG7_CC"="c:\progra~1\Grisoft\AVG7\avgcc.exe" [2009-05-31 590848]
"RtHDVCpl"="RtHDVCpl.exe" - c:\windows\RtHDVCpl.exe [2007-07-06 4669440]
"Skytel"="Skytel.exe" - c:\windows\SkyTel.exe [2007-06-15 1826816]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Acer Tour Reminder"="c:\acer\AcerTour\Reminder.exe" [2007-05-22 151552]
"AVG7_Run"="c:\progra~1\Grisoft\AVG7\avgw.exe" [2009-05-31 219136]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Empowering Technology Launcher.lnk - c:\acer\Empowering Technology\eAPLauncher.exe [2007-7-26 535336]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgwlntf]
2009-05-31 19:20 9216 ----a-w- c:\windows\System32\avgwlntf.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\System32\eNetHook.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UacDisableNotify"=dword:00000001
"InternetSettingsDisableNotify"=dword:00000001
"AutoUpdateDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{B865A331-0198-4E67-8AB0-0829040F707B}"= UDP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{FFF9EBCC-F1FB-45DC-A85F-F986FB6DFA59}"= TCP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"TCP Query User{25F9255C-1FAF-4FA3-AC26-B879D92A7D65}c:\\program files\\bitlord\\bitlord.exe"= UDP:c:\program files\bitlord\bitlord.exe:BitLord
"UDP Query User{53034FAF-AAE8-4C56-8FF6-E69489D0F6D0}c:\\program files\\bitlord\\bitlord.exe"= TCP:c:\program files\bitlord\bitlord.exe:BitLord
"{32FA88CD-192C-4F63-987C-0D79E983CABF}"= UDP:6348:bearshare
"{CB2013E6-2A20-4A44-9A3C-7FCDE8A34ED2}"= UDP:c:\program files\BearShare\BearShare.exe:BearShare
"{E246F5EF-E3E1-4611-A971-8186B8B4F637}"= TCP:c:\program files\BearShare\BearShare.exe:BearShare
"{4CD597D5-5A45-4277-9877-B0316A6EA517}"= UDP:c:\users\lisa4jock\AppData\Local\Temp\7zSA06C.tmp\SymNRT.exe:Norton Removal Tool
"{349838E8-AF51-466D-8EED-A5D624D21C7B}"= TCP:c:\users\lisa4jock\AppData\Local\Temp\7zSA06C.tmp\SymNRT.exe:Norton Removal Tool

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)

R2 AVGFw2kv;AVG Firewall Service;c:\progra~1\Grisoft\AVG7\avgfw2kv.exe [31/05/2009 20:19 793600]
R3 AvgWFP;AVG7 Firewall Driver x86;c:\windows\System32\drivers\avgwfp.sys [31/05/2009 20:19 53768]
R3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\System32\drivers\b57nd60x.sys [26/07/2007 02:02 179712]
S2 EraserSvc10910;Symantec Eraser Service;"c:\program files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon --> c:\program files\Common Files\Symantec Shared\ccSvcHst.exe [?]
S2 gupdate1c9c348f584b505;Google Update Service (gupdate1c9c348f584b505);c:\program files\Google\Update\GoogleUpdate.exe [22/04/2009 13:50 133104]
.
Contents of the 'Scheduled Tasks' folder

2009-05-31 c:\windows\Tasks\GoogleUpdateTaskMachine.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-04-22 12:50]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Acer Tour Reminder - (no file)
HKLM-Run-SetPanel - c:\acer\APanel\APanel.cmd
HKLM-Run-Acer Tour - (no file)
SafeBoot-procexp90.Sys


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mStart Page = hxxp://en.uk.acer.yahoo.com
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-31 21:14
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(644)
c:\windows\System32\eNetHook.dll

- - - - - - - > 'lsass.exe'(704)
c:\windows\System32\eNetHook.dll
.
Completion time: 2009-05-31 21:15
ComboFix-quarantined-files.txt 2009-05-31 20:15

Pre-Run: 22,170,292,224 bytes free
Post-Run: 22,429,052,928 bytes free

283 --- E O F --- 2009-05-31 18:54

Re: Little help required please

Hello.

Go to Start > Control Panel > Add/Remove Programs and remove the following programs if present.

  • BearShare
  • BitLord
  • TorrentMan
  • TorrentMan Toolbar

Now open a new notepad file.
Input this into the notepad file:

KILLALL::

Driver::
EraserSvc10910

Folder::
c:\program files\TorrentMan
c:\program files\BearShare
c:\program files\bitlord

Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"TCP Query User{25F9255C-1FAF-4FA3-AC26-B879D92A7D65}c:\\program files\\bitlord\\bitlord.exe"=-
"UDP Query User{53034FAF-AAE8-4C56-8FF6-E69489D0F6D0}c:\\program files\\bitlord\\bitlord.exe"=-
"{32FA88CD-192C-4F63-987C-0D79E983CABF}"=-
"{CB2013E6-2A20-4A44-9A3C-7FCDE8A34ED2}"=-
"{E246F5EF-E3E1-4611-A971-8186B8B4F637}"=-
"{4CD597D5-5A45-4277-9877-B0316A6EA517}"=-
"{349838E8-AF51-466D-8EED-A5D624D21C7B}"=-


Save this as CFScript.txt, save it to your desktop also.
Then drag and drop CFScript.txt into combofix as seen below:
[Image]

This will open combofix again, agree to its terms and allow it to run.
It may want to reboot after it's done. (It will warn you if it wants to)
Post the resulting log back here.

Re: Little help required please

ComboFix 09-05-30.06 - lisa4jock 31/05/2009 21:41.2 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.44.1033.18.2037.1148 [GMT 1:00]
Running from: c:\users\lisa4jock\Desktop\Combo-Fix.exe
Command switches used :: c:\users\lisa4jock\Desktop\CFScript.txt
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\BearShare
c:\program files\BearShare\BearShare.dat
c:\program files\BearShare\db\config.bin
c:\program files\BearShare\db\gwebcache.dat
c:\program files\BearShare\db\Hostiles-Chat.txt
c:\program files\BearShare\db\Hostiles.txt
c:\program files\BearShare\db\library.2.db
c:\program files\BearShare\db\library.2.db.lastgoodload.bak
c:\program files\BearShare\db\library.db
c:\program files\BearShare\db\library.db.lastgoodload.bak
c:\program files\BearShare\db\searches.ini
c:\program files\BearShare\FreePeers.ini
c:\program files\BearShare\Logs\hosts-state.txt
c:\program files\BearShare\Logs\memory.txt
c:\program files\BearShare\Logs\ordinal.txt
c:\program files\BearShare\Logs\streams.txt
c:\program files\BearShare\Temp\TMPBSInstall5.2.5.1.dat
c:\program files\BearShare\Temp\TMPBSInstall5.2.5.1.dat.bak
c:\program files\bitlord
c:\program files\bitlord\Downloads\AlbumArtSmall.jpg
c:\program files\bitlord\Downloads\Angels and Demons (2009) ENGLISH CAM XviD-MAXSPEED\Angels and Demons (2009) ENGLISH CAM XviD-MAXSPEED\Angels and Demons (2009) ENGLISH CAM XviD-MAXSPEED www.torentz.3xforum.ro.avi
c:\program files\bitlord\Downloads\AVG Antivirus+Firewall & Anti-Spyware [AVG Internet Security]\AVG Serial.txt
c:\program files\bitlord\Downloads\AVG Antivirus+Firewall & Anti-Spyware [AVG Internet Security]\avg75f_516a1225.exe
c:\program files\bitlord\Downloads\AVG Antivirus+Firewall & Anti-Spyware [AVG Internet Security]\avgas-setup-7.5.1.43.exe
c:\program files\bitlord\Downloads\AVG Antivirus+Firewall & Anti-Spyware [AVG Internet Security]\Instruction.txt
c:\program files\bitlord\Downloads\AVG Antivirus+Firewall & Anti-Spyware [AVG Internet Security]\SSG keygen.exe
c:\program files\bitlord\Downloads\AVG Internet Security 8.0 + serial (EXPIRES YEAR 2018) (CLEAN) [blaze69]\avg_iswt_stf_all_8_199a1387.exe
c:\program files\bitlord\Downloads\AVG Internet Security 8.0 + serial (EXPIRES YEAR 2018) (CLEAN) [blaze69]\Serial.txt
c:\program files\bitlord\Downloads\City.Rats.2009.DVDRip.XviD-GFW.[www.FilmsBT.com]\City.Rats.2009.DVDRip.XviD-GFW.avi
c:\program files\bitlord\Downloads\dexter season 3\Dexter.S03E01.REAL.PROPER.HDTV.XviD-aAF.avi
c:\program files\bitlord\Downloads\dexter season 3\Dexter.S03E02.HDTV.XviD-0TV.avi
c:\program files\bitlord\Downloads\dexter season 3\Dexter.S03E03.HDTV.XviD-NoTV.avi
c:\program files\bitlord\Downloads\dexter season 3\Dexter.S03E04.HDTV.XviD-0TV.[VTV].avi
c:\program files\bitlord\Downloads\dexter season 3\Dexter.S03E05.HDTV.XviD-0TV.avi
c:\program files\bitlord\Downloads\dexter season 3\Dexter.S03E06.HDTV.XviD-LOL.avi
c:\program files\bitlord\Downloads\dexter season 3\Dexter.S03E07.HDTV.XviD-LOL.avi
c:\program files\bitlord\Downloads\dexter season 3\Dexter.S03E08.HDTV.XviD-LOL.avi
c:\program files\bitlord\Downloads\dexter season 3\Dexter.S03E09.HDTV.XviD-0TV.avi
c:\program files\bitlord\Downloads\dexter season 3\Dexter.S03E10.HDTV.XviD-0TV.avi
c:\program files\bitlord\Downloads\dexter season 3\Dexter.S03E11.HDTV.XviD-aAF.avi
c:\program files\bitlord\Downloads\dexter season 3\Dexter.S03E12.HDTV.XviD-aAF.avi
c:\program files\bitlord\Downloads\Dexter.S01\dexter.105.hdtv.xvid-notv.avi
c:\program files\bitlord\Downloads\Dexter.S01\dexter.106.hdtv-lol.avi
c:\program files\bitlord\Downloads\Dexter.S01\dexter.107.hdtv-lol.avi
c:\program files\bitlord\Downloads\Dexter.S01\dexter.108.hdtv-lol.avi
c:\program files\bitlord\Downloads\Dexter.S01\dexter.109.hdtv-lol.avi
c:\program files\bitlord\Downloads\Dexter.S01\dexter.110.hdtv-lol.avi
c:\program files\bitlord\Downloads\Dexter.S01\Dexter.111.HDTV.XviD-LOL.avi
c:\program files\bitlord\Downloads\Dexter.S01\dexter.112.hdtv-lol.avi
c:\program files\bitlord\Downloads\Dexter.S01\ehthumbs_vista.db
c:\program files\bitlord\Downloads\ehthumbs_vista.db
c:\program files\bitlord\Downloads\everybody hates chris\Everybody.Hates.Chris.S04E03.HDTV.XviD-LOL.avi
c:\program files\bitlord\Downloads\everybody hates chris\Everybody.Hates.Chris.S04E04.HDTV.XviD-LOL.avi
c:\program files\bitlord\Downloads\everybody hates chris\Everybody.Hates.Chris.S04E05.HDTV.XviD-LOL.avi
c:\program files\bitlord\Downloads\everybody hates chris\Everybody.Hates.Chris.S04E06.HDTV.XviD-LOL.avi
c:\program files\bitlord\Downloads\everybody hates chris\Everybody.Hates.Chris.S04E07.HDTV.XviD-LOL.avi
c:\program files\bitlord\Downloads\everybody hates chris\Everybody.Hates.Chris.S04E08.HDTV.XvID-NoTV.avi
c:\program files\bitlord\Downloads\everybody hates chris\Everybody.Hates.Chris.S04E09.HDTV.XviD-LOL.avi
c:\program files\bitlord\Downloads\everybody hates chris\Everybody.Hates.Chris.S04E10.HDTV.XviD-LOL.avi
c:\program files\bitlord\Downloads\everybody hates chris\Everybody.Hates.Chris.S04E11.Everybody.Hates.Mr.Levine.HDTV.XviD-FQM.avi
c:\program files\bitlord\Downloads\everybody hates chris\Everybody.Hates.Chris.S04E12.HDTV.XviD-LOL.avi
c:\program files\bitlord\Downloads\everybody hates chris\Everybody.Hates.Chris.S04E13.HDTV.XviD-NoTV.avi
c:\program files\bitlord\Downloads\everybody hates chris\Everybody.Hates.Chris.S04E15.HDTV.XviD-NoTV.avi
c:\program files\bitlord\Downloads\everybody hates chris\Everybody.Hates.Chris.S04E16.Everybody.Hates.Lasagna.HDTV.XviD-FQM.avi
c:\program files\bitlord\Downloads\everybody hates chris\Everybody.Hates.Chris.S04E17.Everybody.Hates.Spring.Break.HDTV.XviD-FQM.avi
c:\program files\bitlord\Downloads\everybody hates chris\Everybody.Hates.Chris.S04E18.Everybody.Hates.the.Car.HDTV.XviD-FQM.avi
c:\program files\bitlord\Downloads\everybody hates chris\Everybody.Hates.Chris.S04E19.Everybody.Hates.Back.Talk.HDTV.XviD-FQM.avi
c:\program files\bitlord\Downloads\everybody hates chris\Everybody.Hates.Chris.S04E20.HDTV.XviD-LOL.avi
c:\program files\bitlord\Downloads\everybody hates chris\Everybody.Hates.Chris.S04E21.HDTV.XviD-2HD.avi
c:\program files\bitlord\Downloads\everybody hates chris\Everybody.Hates.Chris.S04E22.HDTV.XviD-LOL.avi
c:\program files\bitlord\Downloads\Folder.jpg
c:\program files\bitlord\Downloads\Gnaw.2009.DVDRIP.XviD\Gnaw.2009.DVDRIP.XviD-ZEKTORM.avi
c:\program files\bitlord\Downloads\Laid.To.Rest.2009.DVDRip.XviD\Laid.To.Rest.2009.DVDRip.XviD-MoH.avi
c:\program files\bitlord\Downloads\Lost.S05.A.Journey.In.Time.Recap.Special.HDTV.XviD-2HD.avi
c:\program files\bitlord\Downloads\The Devils Tomb 2009 dvd rip XviD.Rets\The Devils Tomb\The Devils Tomb 2009.avi
c:\program files\bitlord\lang\lang_ar_ae.xml
c:\program files\bitlord\lang\lang_bg_bg.xml
c:\program files\bitlord\lang\lang_ca_es.xml
c:\program files\bitlord\lang\lang_cz_cz.xml
c:\program files\bitlord\lang\lang_da_dk.xml
c:\program files\bitlord\lang\lang_de_de.xml
c:\program files\bitlord\lang\lang_el_gr.xml
c:\program files\bitlord\lang\lang_en_us.xml
c:\program files\bitlord\lang\lang_es_ar.xml
c:\program files\bitlord\lang\lang_es_es.xml
c:\program files\bitlord\lang\lang_et_ee.xml
c:\program files\bitlord\lang\lang_fi_fi.xml
c:\program files\bitlord\lang\lang_fr_fr.xml
c:\program files\bitlord\lang\lang_gl_es.xml
c:\program files\bitlord\lang\lang_he_il.xml
c:\program files\bitlord\lang\lang_hu_hu.xml
c:\program files\bitlord\lang\lang_it_it.xml
c:\program files\bitlord\lang\lang_jp_jp.xml
c:\program files\bitlord\lang\lang_ko_kr.xml
c:\program files\bitlord\lang\lang_nb_no.xml
c:\program files\bitlord\lang\lang_nl_nl.xml
c:\program files\bitlord\lang\lang_pl_pl.xml
c:\program files\bitlord\lang\lang_pt_br.xml
c:\program files\bitlord\lang\lang_pt_pt.xml
c:\program files\bitlord\lang\lang_ro_ro.xml
c:\program files\bitlord\lang\lang_ru_ru.xml
c:\program files\bitlord\lang\lang_sk_sk.xml
c:\program files\bitlord\lang\lang_sl_si.xml
c:\program files\bitlord\lang\lang_sr_sr.xml
c:\program files\bitlord\lang\lang_sv_se.xml
c:\program files\bitlord\lang\lang_th_th.xml
c:\program files\bitlord\lang\lang_tr_tr.xml
c:\program files\bitlord\lang\lang_va_es.xml
c:\program files\bitlord\lang\lang_zh_tw.xml
c:\program files\bitlord\rules\ipfilter.dat

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_EraserSvc10910


((((((((((((((((((((((((( Files Created from 2009-04-28 to 2009-05-31 )))))))))))))))))))))))))))))))
.

2009-05-31 20:44 . 2009-05-31 20:47 -------- d-----w- c:\users\lisa4jock\AppData\Local\temp
2009-05-31 20:26 . 2009-05-31 20:26 10520 ----a-w- c:\windows\system32\avgrsstx.dll
2009-05-31 20:26 . 2009-05-31 20:26 12936 ----a-w- c:\windows\system32\drivers\avgrkx86.sys
2009-05-31 20:26 . 2009-05-31 20:26 90632 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-05-31 20:26 . 2009-05-31 20:26 98440 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-05-31 20:26 . 2009-05-31 20:26 -------- d-----w- c:\windows\system32\drivers\Avg
2009-05-31 20:25 . 2009-05-31 20:25 -------- d-----w- c:\windows\LastGood.Tmp
2009-05-31 20:25 . 2009-05-31 20:25 -------- d-----w- c:\programdata\avg8
2009-05-31 19:19 . 2009-05-31 20:26 26824 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-05-31 16:53 . 2009-05-31 16:53 -------- d-----w- c:\program files\Trend Micro
2009-05-31 10:46 . 2009-05-31 10:46 -------- d-----w- c:\users\lisa4jock\AppData\Roaming\Lavasoft
2009-05-31 10:46 . 2009-05-31 10:46 -------- d-----w- c:\program files\Lavasoft
2009-05-31 10:42 . 2003-10-15 22:42 150528 ----a-w- c:\windows\unSpySweeper.exe
2009-05-31 10:42 . 2009-05-31 10:42 -------- d-----w- c:\program files\Webroot
2009-05-31 10:39 . 2009-05-31 10:39 -------- d-----w- c:\program files\Kaspersky Lab
2009-05-31 10:34 . 2009-05-31 10:35 -------- d-----w- c:\program files\SpywareBlaster
2009-05-31 10:19 . 2009-05-31 10:19 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-05-28 23:57 . 2009-05-28 23:57 23832 ----a-w- c:\windows\system32\drivers\avgfwd6x.sys
2009-05-28 23:49 . 2009-05-28 23:49 -------- d-----w- c:\program files\AVG
2009-05-28 23:32 . 2009-05-28 23:32 -------- d-----w- c:\programdata\NortonInstaller
2009-05-22 16:59 . 2008-04-12 03:32 784896 ----a-w- c:\windows\system32\rpcrt4.dll
2009-05-22 16:59 . 2008-04-26 08:26 891448 ----a-w- c:\windows\system32\drivers\tcpip.sys
2009-05-22 16:59 . 2008-04-05 03:34 15360 ----a-w- c:\windows\system32\pacerprf.dll
2009-05-22 16:59 . 2008-04-05 01:21 72192 ----a-w- c:\windows\system32\drivers\pacer.sys
2009-05-21 19:27 . 2009-05-21 19:27 -------- d-----w- C:\PerfLogs
2009-05-13 23:40 . 2009-05-13 23:40 -------- d-----w- c:\users\lisa4jock\AppData\Local\Activision
2009-05-13 23:35 . 2009-05-13 23:51 -------- d-----w- C:\cod waw
2009-05-13 23:33 . 2009-05-13 23:33 -------- d-----w- c:\program files\MagicISO
2009-05-13 20:30 . 2009-05-13 20:33 -------- d-----w- c:\program files\Windows Live Safety Center
2009-05-03 14:54 . 2009-05-28 11:11 -------- d-----w- c:\users\lisa4jock\AppData\Roaming\dvdcss

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

Re: Little help required please

2009-05-31 10:32 . 2009-04-19 17:52 -------- d-----w- c:\program files\Yahoo!
2009-05-27 12:30 . 2009-05-27 12:30 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_00_00.Wdf
2009-05-21 19:30 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Calendar
2009-05-21 19:30 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Sidebar
2009-05-21 19:30 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2009-05-21 19:30 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Collaboration
2009-05-21 19:30 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Journal
2009-05-21 19:30 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Photo Gallery
2009-05-21 19:30 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Defender
2009-05-21 19:27 . 2006-11-02 10:25 665600 ----a-w- c:\windows\inf\drvindex.dat
2009-05-21 19:05 . 2006-11-02 10:32 101888 ----a-w- c:\windows\system32\ifxcardm.dll
2009-05-21 19:05 . 2006-11-02 10:32 82432 ----a-w- c:\windows\system32\axaltocm.dll
2009-05-13 02:05 . 2007-07-26 03:06 -------- d-----w- c:\programdata\Microsoft Help
2009-04-30 15:28 . 2009-04-30 15:28 -------- d-----w- c:\program files\DFX
2009-04-30 13:29 . 2009-04-30 13:29 2560 ----a-w- c:\windows\_MSRSTRT.EXE
2009-04-30 13:20 . 2009-04-30 13:20 -------- d-----w- c:\programdata\DFX
2009-04-30 13:20 . 2009-04-30 13:20 -------- d-----w- c:\program files\Common Files\DFX
2009-04-25 22:13 . 2009-04-25 22:13 782664 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
2009-04-22 12:51 . 2009-04-22 12:50 -------- d-----w- c:\program files\Google
2009-04-22 12:50 . 2009-04-22 12:50 -------- d-----w- c:\program files\DivX
2009-04-22 12:50 . 2009-04-22 12:50 -------- d-----w- c:\program files\Common Files\DivX Shared
2009-04-22 12:31 . 2009-04-22 11:45 -------- d-----w- c:\users\lisa4jock\AppData\Roaming\vlc
2009-04-22 11:44 . 2009-04-22 11:44 -------- d-----w- c:\program files\VideoLAN
2009-04-22 08:56 . 2009-04-22 08:56 269312 ----a-w- c:\windows\system32\es.dll
2009-04-22 08:52 . 2007-07-26 03:10 -------- d-----w- c:\program files\Microsoft Works
2009-04-20 20:41 . 2009-04-20 20:41 1915520 ----a-w- c:\users\lisa4jock\AppData\Roaming\Macromedia\Flash Player\www.macromedia.com\bin\fpupdateax\fpupdateax.exe
2009-04-20 11:02 . 2009-04-20 11:02 61440 ----a-w- c:\windows\system32\winipsec.dll
2009-04-20 11:02 . 2009-04-20 11:02 361984 ----a-w- c:\windows\system32\IPSECSVC.DLL
2009-04-20 11:02 . 2009-04-20 11:02 28672 ----a-w- c:\windows\system32\FwRemoteSvr.dll
2009-04-20 11:02 . 2009-04-20 11:02 272896 ----a-w- c:\windows\system32\polstore.dll
2009-04-20 10:59 . 2009-04-20 10:59 94720 ----a-w- c:\windows\system32\PortableDeviceClassExtension.dll
2009-04-20 10:59 . 2009-04-20 10:59 241152 ----a-w- c:\windows\system32\PortableDeviceApi.dll
2009-04-20 10:59 . 2009-04-20 10:59 160768 ----a-w- c:\windows\system32\PortableDeviceTypes.dll
2009-04-20 10:51 . 2009-04-20 10:51 376832 ----a-w- c:\windows\system32\winhttp.dll
2009-04-20 10:50 . 2009-04-20 10:50 296960 ----a-w- c:\windows\system32\gdi32.dll
2009-04-20 10:47 . 2009-04-20 10:47 212480 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2009-04-20 10:46 . 2009-04-20 10:46 562176 ----a-w- c:\windows\system32\msdtcprx.dll
2009-04-20 10:46 . 2009-04-20 10:46 38912 ----a-w- c:\windows\system32\xolehlp.dll
2009-04-20 10:43 . 2009-04-20 10:43 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2009-04-20 10:43 . 2009-04-20 10:43 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2009-04-20 10:43 . 2009-04-20 10:43 1695744 ----a-w- c:\windows\system32\gameux.dll
2009-04-20 10:41 . 2009-04-20 10:41 303616 ----a-w- c:\windows\system32\wmpeffects.dll
2009-04-20 10:40 . 2009-04-20 10:40 2048 ----a-w- c:\windows\system32\msxml3r.dll
2009-04-20 10:40 . 2009-04-20 10:40 1191936 ----a-w- c:\windows\system32\msxml3.dll
2009-04-20 02:29 . 2009-04-20 02:29 3 ----a-w- c:\windows\AFirst.cmd
2009-04-20 02:04 . 2009-04-20 02:04 2048 ----a-w- c:\windows\system32\tzres.dll
2009-04-20 02:02 . 2009-04-20 02:02 428544 ----a-w- c:\windows\system32\EncDec.dll
2009-04-20 02:02 . 2009-04-20 02:02 293376 ----a-w- c:\windows\system32\psisdecd.dll
2009-04-20 02:00 . 2009-04-20 02:00 8147456 ----a-w- c:\windows\system32\wmploc.DLL
2009-04-20 02:00 . 2009-04-20 02:00 7680 ----a-w- c:\windows\system32\spwmp.dll
2009-04-20 02:00 . 2009-04-20 02:00 4096 ----a-w- c:\windows\system32\dxmasf.dll
2009-04-20 01:53 . 2009-04-20 01:53 2927104 ----a-w- c:\windows\explorer.exe
2009-04-20 01:45 . 2009-04-20 01:45 5071872 ----a-w- c:\windows\system32\NlsModels0011.dll
2009-04-20 01:41 . 2009-04-20 01:41 6656 ----a-w- c:\windows\system32\kbd106n.dll
2009-04-20 01:41 . 2009-04-20 01:41 988216 ----a-w- c:\windows\system32\winload.exe
2009-04-20 01:41 . 2009-04-20 01:41 927288 ----a-w- c:\windows\system32\winresume.exe
2009-04-20 01:41 . 2009-04-20 01:41 40960 ----a-w- c:\windows\system32\srclient.dll
2009-04-20 01:41 . 2009-04-20 01:41 378368 ----a-w- c:\windows\system32\srcore.dll
2009-04-20 01:41 . 2009-04-20 01:41 318464 ----a-w- c:\windows\system32\rstrui.exe
2009-04-20 01:41 . 2009-04-20 01:41 14848 ----a-w- c:\windows\system32\srdelayed.exe
2009-04-20 01:41 . 2009-04-20 01:41 46592 ----a-w- c:\windows\system32\setbcdlocale.dll
2009-04-20 01:41 . 2009-04-20 01:41 19000 ----a-w- c:\windows\system32\kd1394.dll
2009-04-20 01:41 . 2009-04-20 01:41 615992 ----a-w- c:\windows\system32\ci.dll
2009-04-20 01:35 . 2009-04-20 01:35 441400 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2009-04-20 01:35 . 2009-04-20 01:35 9728 ----a-w- c:\windows\system32\lsass.exe
2009-04-20 01:35 . 2009-04-20 01:35 72704 ----a-w- c:\windows\system32\secur32.dll
2009-04-20 01:35 . 2009-04-20 01:35 1255936 ----a-w- c:\windows\system32\lsasrv.dll
2009-04-20 01:35 . 2009-04-20 01:35 24064 ----a-w- c:\windows\system32\amxread.dll
2009-04-20 01:35 . 2009-04-20 01:35 13824 ----a-w- c:\windows\system32\apilogen.dll
2009-04-20 01:33 . 2009-04-20 01:33 425472 ----a-w- c:\windows\system32\PhotoMetadataHandler.dll
2009-04-20 01:33 . 2009-04-20 01:33 712704 ----a-w- c:\windows\system32\WindowsCodecs.dll
2009-04-20 01:33 . 2009-04-20 01:33 347136 ----a-w- c:\windows\system32\WindowsCodecsExt.dll
2009-04-20 01:30 . 2009-04-20 01:30 443392 ----a-w- c:\windows\system32\win32spl.dll
2009-04-20 01:30 . 2009-04-20 01:30 37888 ----a-w- c:\windows\system32\printcom.dll
2009-04-20 01:29 . 2009-04-20 01:29 113664 ----a-w- c:\windows\system32\drivers\rmcast.sys
2009-04-20 01:29 . 2009-04-20 01:29 14848 ----a-w- c:\windows\system32\wshrm.dll
2009-04-20 01:26 . 2009-04-20 01:26 288768 ----a-w- c:\windows\system32\drivers\srv.sys
2009-04-20 01:23 . 2009-04-20 01:23 268288 ----a-w- c:\windows\system32\schannel.dll
2009-04-20 01:19 . 2009-04-20 01:19 622080 ----a-w- c:\windows\system32\icardagt.exe
2009-04-20 01:19 . 2009-04-20 01:19 97800 ----a-w- c:\windows\system32\infocardapi.dll
2009-04-20 01:19 . 2009-04-20 01:19 11264 ----a-w- c:\windows\system32\icardres.dll
2009-04-20 01:19 . 2009-04-20 01:19 105016 ----a-w- c:\windows\system32\PresentationCFFRasterizerNative_v0300.dll
2009-04-20 01:19 . 2009-04-20 01:19 781344 ----a-w- c:\windows\system32\PresentationNative_v0300.dll
2009-04-20 01:19 . 2009-04-20 01:19 43544 ----a-w- c:\windows\system32\PresentationHostProxy.dll
2009-04-20 01:19 . 2009-04-20 01:19 326160 ----a-w- c:\windows\system32\PresentationHost.exe
2009-04-20 00:59 . 2009-04-20 00:59 96760 ----a-w- c:\windows\system32\dfshim.dll
2009-04-20 00:59 . 2009-04-20 00:59 41984 ----a-w- c:\windows\system32\netfxperf.dll
2009-04-20 00:59 . 2009-04-20 00:59 282112 ----a-w- c:\windows\system32\mscoree.dll
2009-04-20 00:59 . 2009-04-20 00:59 158720 ----a-w- c:\windows\system32\mscorier.dll
2009-04-20 00:59 . 2009-04-20 00:59 83968 ----a-w- c:\windows\system32\mscories.dll
2009-04-20 00:28 . 2009-04-20 00:28 2868736 ----a-w- c:\windows\system32\mf.dll
2009-04-20 00:28 . 2009-04-20 00:28 98816 ----a-w- c:\windows\system32\mfps.dll
2009-04-20 00:28 . 2009-04-20 00:28 53248 ----a-w- c:\windows\system32\rrinstaller.exe
2009-04-20 00:28 . 2009-04-20 00:28 24576 ----a-w- c:\windows\system32\mfpmp.exe
2009-04-20 00:28 . 2009-04-20 00:28 2048 ----a-w- c:\windows\system32\mferror.dll
2009-04-20 00:28 . 2009-04-20 00:28 996352 ----a-w- c:\windows\system32\WMNetMgr.dll
2009-04-20 00:28 . 2009-04-20 00:28 94720 ----a-w- c:\windows\system32\logagent.exe
2009-04-20 00:25 . 2009-04-20 00:25 84480 ----a-w- c:\windows\system32\INETRES.dll
2009-04-20 00:25 . 2009-04-20 00:25 738304 ----a-w- c:\windows\system32\inetcomm.dll
2009-04-20 00:24 . 2009-04-20 00:24 1645568 ----a-w- c:\windows\system32\connect.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-05-31_20.14.17 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-05-31 20:25 . 2009-05-31 20:25 23832 c:\windows\System32\DriverStore\FileRepository\avgfwfd6.inf_ca037d13\avgfwd6x.sys
- 2009-04-19 17:46 . 2009-05-31 19:40 16384 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-04-19 17:46 . 2009-05-31 20:32 16384 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2009-04-19 17:46 . 2009-05-31 19:40 49152 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-04-19 17:46 . 2009-05-31 20:32 49152 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-04-19 17:46 . 2009-05-31 19:40 16384 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-04-19 17:46 . 2009-05-31 20:32 16384 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2006-11-02 10:25 . 2009-05-31 20:25 86016 c:\windows\inf\infstor.dat
- 2006-11-02 10:25 . 2009-05-29 00:05 86016 c:\windows\inf\infstor.dat
+ 2006-11-02 10:25 . 2009-05-31 20:25 51200 c:\windows\inf\infpub.dat
- 2006-11-02 10:25 . 2009-05-29 00:05 51200 c:\windows\inf\infpub.dat
- 2006-11-02 10:25 . 2009-05-29 00:05 143360 c:\windows\inf\infstrng.dat
+ 2006-11-02 10:25 . 2009-05-31 20:25 143360 c:\windows\inf\infstrng.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

Re: Little help required please

*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-19 1233920]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-02-06 3885408]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]
"SpySweeper"="c:\program files\Webroot\Spy Sweeper\SpySweeper.exe" [2004-02-25 665088]
"Acer Tour Reminder"="" [BU]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"eDataSecurity Loader"="c:\acer\Empowering Technology\eDataSecurity\eDSloader.exe" [2007-04-25 457216]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-03-08 40048]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-05-25 142104]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-05-25 154392]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-05-25 138008]
"LManager"="c:\progra~1\LAUNCH~1\LManager.exe" [2007-07-16 768520]
"WarReg_PopUp"="c:\acer\WR_PopUp\WarReg_PopUp.exe" [2006-11-05 57344]
"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2007-06-06 159744]
"Acer Tour Reminder"="c:\acer\AcerTour\Reminder.exe" [2007-05-22 151552]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-05-31 1235736]
"RtHDVCpl"="RtHDVCpl.exe" - c:\windows\RtHDVCpl.exe [2007-07-06 4669440]
"Skytel"="Skytel.exe" - c:\windows\SkyTel.exe [2007-06-15 1826816]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Acer Tour Reminder"="c:\acer\AcerTour\Reminder.exe" [2007-05-22 151552]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Empowering Technology Launcher.lnk - c:\acer\Empowering Technology\eAPLauncher.exe [2007-7-26 535336]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"LoadAppInit_DLLs"=0 (0x0)
"AppInit_DLLs"=c:\windows\System32\eNetHook.dll c:\windows\System32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UacDisableNotify"=dword:00000001
"InternetSettingsDisableNotify"=dword:00000001
"AutoUpdateDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{B865A331-0198-4E67-8AB0-0829040F707B}"= UDP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{FFF9EBCC-F1FB-45DC-A85F-F986FB6DFA59}"= TCP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{68FA17A7-FD22-4046-9662-845DCFC34EDE}"= c:\program files\AVG\AVG8\avgam.exe:avgam.exe
"{B8B1F74A-5B40-4021-A031-ADDD0F19B3F4}"= c:\program files\AVG\AVG8\avgemc.exe:avgemc.exe
"{2733DF70-8194-4A9C-8109-A0802AC1FADB}"= c:\program files\AVG\AVG8\avgupd.exe:avgupd.exe
"{0CB2FD28-F1DD-4FCD-B4EF-81BD94E646FA}"= c:\program files\AVG\AVG8\avgnsx.exe:avgnsx.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)

R0 AvgRkx86;avgrkx86.sys;c:\windows\System32\drivers\avgrkx86.sys [31/05/2009 21:26 12936]
R1 Avgfwfd;AVG network filter service;c:\windows\System32\drivers\avgfwd6x.sys [29/05/2009 00:57 23832]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\System32\drivers\avgldx86.sys [31/05/2009 21:26 98440]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\System32\drivers\avgtdix.sys [31/05/2009 21:26 90632]
R2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [31/05/2009 21:26 874776]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [31/05/2009 21:25 231704]
R2 avgfws8;AVG8 Firewall;c:\progra~1\AVG\AVG8\avgfws8.exe [31/05/2009 21:26 1212184]
R3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\System32\drivers\b57nd60x.sys [26/07/2007 02:02 179712]
S2 gupdate1c9c348f584b505;Google Update Service (gupdate1c9c348f584b505);c:\program files\Google\Update\GoogleUpdate.exe [22/04/2009 13:50 133104]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - AVGLDX86
*NewlyCreated* - AVGTDIX
.
Contents of the 'Scheduled Tasks' folder

2009-05-31 c:\windows\Tasks\GoogleUpdateTaskMachine.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-04-22 12:50]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mStart Page = hxxp://en.uk.acer.yahoo.com
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-31 21:47
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(3436)
c:\windows\system32\MsnChatHook.dll
c:\windows\system32\ShowErrMsg.dll
c:\windows\system32\sysenv.dll
c:\windows\system32\BatchCrypto.dll
c:\windows\system32\CryptoAPI.dll
c:\windows\system32\keyManager.dll
c:\acer\Empowering Technology\EPOWER\SysHook.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\audiodg.exe
c:\windows\System32\agrsmsvc.exe
c:\acer\Empowering Technology\eDataSecurity\eDSService.exe
c:\acer\Empowering Technology\eLock\Service\eLockServ.exe
c:\progra~1\AVG\AVG8\avgam.exe
c:\progra~1\AVG\AVG8\avgrsx.exe
c:\acer\Empowering Technology\eNet\eNet Service.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\acer\Mobility Center\MobilityService.exe
c:\windows\System32\drivers\XAudio.exe
c:\acer\Empowering Technology\ePower\ePowerSvc.exe
c:\windows\System32\wbem\unsecapp.exe
c:\windows\System32\igfxsrvc.exe
c:\program files\Launch Manager\LManager.exe
c:\users\LISA4J~1\AppData\Local\temp\RtkBtMnt.exe
c:\program files\AVG\AVG8\avgtray.exe
c:\windows\System32\igfxext.exe
c:\windows\System32\igfxsrvc.exe
c:\program files\Apoint2K\ApMsgFwd.exe
c:\program files\Apoint2K\ApntEx.exe
c:\windows\ehome\ehmsas.exe
c:\acer\Empowering Technology\ePower\ePower_DMC.exe
c:\acer\Empowering Technology\Acer.Empowering.Framework.Supervisor.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\windows\System32\wbem\WMIADAP.exe
.
**************************************************************************
.
Completion time: 2009-05-31 21:51 - machine was rebooted
ComboFix-quarantined-files.txt 2009-05-31 20:51
ComboFix2.txt 2009-05-31 20:15

Pre-Run: 23,657,050,112 bytes free
Post-Run: 23,380,676,608 bytes free

424 --- E O F --- 2009-05-31 18:54

Re: Little help required please

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /u

This will also reset your restore points.

How is the machine running now?

Re: Little help required please

Am I doing this and leaving ComboFix to run again?

Re: Little help required please

The /u uninstalls ComboFix; it shouldn't need to run again.

Re: Little help required please

Sorry, haha.
When I was doing that it confused me because it was bringing up a warning message that AVG Internet Security was running, etc.

It's uninstalled now. AVG is installed (antivirus/firewall, anti-spam, internet security, etc.), all up and running smoothly.

All seems back to normal and perfectly fine. Many thanks for the help, guys, you've done a brilliant job, 12 out of 10... GREAT ******

One more question though:
Running one of the programs when uninstalling BitLord, I lost my films etc. They have gone, BUT the space on my hard drive is still taken up as if they were there :s

Re: Little help required please

Hope Belahzur doesn't mind me stepping in,

Glad to hear everything is running well 😉

That may be because they may still be in your downloads folder, located here:

C:\Documents and Settings\COMPUTERNAME\My Documents\Downloads

Check to see if they are still there so you can delete them.

Below I have included a number of recommendations for how to protect your computer in order to prevent future malware infections. Please take these recommendations seriously; these few simple steps can stave off the vast majority of spyware problems. As happy as we are to help you, for your sake we would rather not have repeat customers.

1) Please navigate to http://windowsupdate.microsoft.com and download all the "critical updates" for Windows. This can patch many of the security holes through which attackers can gain access to your computer.

Please either enable Automatic Updates under Start -> Control Panel -> Automatic Updates, or get into the habit of checking for Windows updates regularly. I cannot stress enough how important this is.

2) In order to protect yourself against spyware, you should consider installing and running the following free programs:

Ad-Aware SE
A tutorial on using Ad-Aware to remove spyware from your computer may be found here.

Spybot-Search & Destroy
A tutorial on using Spybot to remove spyware from your computer may be found here. Please also remember to enable Spybot's "Immunize" and "TeaTimer" features.

SpywareBlaster
A tutorial on using SpywareBlaster to prevent spyware from ever installing on your computer may be found here.

SpywareGuard
A tutorial on using SpywareGuard for realtime protection against spyware and hijackers may be found here.

Make sure to keep these programs up-to-date and to run them regularly, as this can prevent a great deal of spyware hassle.

3) Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in popup blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from here:
http://www.mozilla.org/products/firefox/
I also recommend the following add-ons for Firefox; they will help keep you safe from malicious scripts or ActiveX exploits.
https://addons.mozilla.org/en-US/firefox/addon/722
https://addons.mozilla.org/en-US/firefox/addon/1865
https://addons.mozilla.org/en-US/firefox/addon/433

4) Also make sure to run your antivirus software regularly, and to keep it up-to-date.

To help you keep your software updated, please consider using this free software program that will check for program updates.
Update Checker

5) Finally, consider maintaining a firewall. Some good free firewalls are Kerio or Outpost.
A tutorial on understanding and using firewalls may be found here.

Please also read Tony Klein's excellent article: How I got Infected in the First Place

If you would take a moment to fill out our feedback form, we would appreciate it.
The link can be found here.

Hopefully this should take care of your problems! Good luck.

Re: Little help required please

Nope, can't find them anywhere. A little odd, but I'm sure they will turn up somewhere.

Thanks for the advice. I have successfully installed SpywareBlaster, Spybot Search & Destroy, Ad-Aware and AVG Internet Security 8.0 with firewall, etc.

Many thanks to you guys for helping; I posted good feedback for you guys.
I don't mean this in a bad way, but I hope not to see you guys any time soon, haha. Keep up the good work.

Re: Little help required please

Hi, only me again.
Right, as I have said above, I removed BitLord from the laptop and still cannot find these damn downloads, even though my drive is still as full as it was, so they are obviously somewhere. I even redownloaded BitLord to see if they would magically pop up, but no such luck. Can anyone help me find them, please? It would be much appreciated.

Re: Little help required please

Uninstall BitLord again.

If BitLord is anything like uTorrent, the avi/whatever type files may be gone, but even after uninstalling a torrent program, the folder in Application Data gets left behind with the recorded .torrent files in there, and the .torrent files are the same size as the movie.

Re: Little help required please

So where will these files be so I can delete them? Thanks.

Oh, and any chance you could look over my question in Software, please?

Re: Little help required please

Sure, I'll check that now and see if I can do anything. Usually Doc answers posts in the Software/other areas.

If it's anywhere, it should be here.

C:\Documents and Settings\YOUR USERNAME\Application Data\BitLord

You won't be able to see the Application Data folder because it's a hidden system folder, so you'll need to show hidden files. Do you know how to do that?

Re: Little help required please

Can't even get to the Documents and Settings folder, can't see it anywhere. I'm new to Vista so I'm lost trying to find it, haha.
