themed32.dll infection error - lsass.exe userinit.exe explorer.exe unable to locate component

oceanic · June 12, 2010

I have the exact same problem as a few other people and it occurred yesterday like everyone else, and did the exact same same things before it occurred.

Computer found some virus and popups, so ran some scans including malwayre bytes. All good, then restarted computer, and same error as you

lsass.exe - unable to locate component. The application has failed to start as themed32.dll was not found. Reinstalling the application may fix this problem.

userinit.exe. - unable to locate component. The application has failed to start as themed32.dll was not found. Reinstalling the application may fix this problem.

explorere.xe -unable to locate component. The application has failed to start as themed32.dll was not found. Reinstalling the application may fix this problem.

My explorer won't show, my desktop won't show, not even in safe mode, so i can even reinstall wahtever software i might have uninstalled to cause this. All i can do is open up taskmanager (it gives same error but still opens it) and browse the computer through it by clicking file run.

Can't run sfc /scannow either as computer gives error

Windows File Protection could not initiate a scan of protected system files.

The specific error code is 0x000006ba. [The RPC server is unavailable.

In task manager it shows lsass.exe and userinit.exe running, it just doesn't show explorer.exe running and that is the desktop.

SCANS

1) Have done the usual scans as requested on the sticky thread. Whilst the DDS was scanning, i kept constantly getting the unable to locate compenent, can't find themed32.dll error and the scan would not proceeed any further until i had clicked ok and acknowledged it.

2) Have 3 malware bytes log files as i did 3 scans, each time it kept finding something new and different. So have uploaded all from the first one before the problem and the two after the problem.

3) There seems to be somethign wrong with the dates of the malwarebytes log files, within a space of 10hours, the clock has gone from 9 of june, to 13th of june. But all the problems started yesterday night around 11pm BST.

Please help, and thanks for help. I get the feeling it will be a quick fix once figured out, but it seems to be a very new virus or new and rare system error problem.

Attach.txt

DDS.txt

mbam_log_2010_06_09__23_02_20_.txt

mbam_log_2010_06_11__19_14_14_.txt

mbam_log_2010_06_13__04_37_26_.txt

Elise · June 12, 2010

Hello ,

And My name is Elise and I'll be glad to help you with your computer problems.

I will be working on your malware issues, this may or may not solve other issues you may have with your machine.

Please note that whatever repairs we make, are for fixing your computer problems only and by no means should be used on another computer.

The cleaning process is not instant. Logs can take some time to research, so please be patient with me. I know that you need your computer working as quickly as possible, and I will work hard to help see that happen.
Please reply using the Add/Reply button in the lower right hand corner of your screen. Do not start a new topic.
The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
Unfortunately, if I do not hear back from you within 5 days, I will be forced to close your topic. If you still need help after I have closed your topic, send me or a moderator a personal message with the address of the thread or feel free to create a new one.

You may want to keep the link to this topic in your favorites. Alternatively, you can click the button at the top bar of this topic and Track this Topic, where you can choose email notifications.

-----------------------------------------------------------

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

Please download GMER from one of the following locations and save it to your desktop:

Main Mirror
This version will download a randomly named file (Recommended)
Zipped Mirror
This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.

Disconnect from the Internet and close all running programs.
Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.
GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
Now click the Scan button. If you see a rootkit warning window, click OK.
When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
Click the Copy button and paste the results into your next reply.
Exit GMER and re-enable all active protection when done.

-- If you encounter any problems, try running GMER in Safe Mode.

-------------------------------------------------------------

In the meantime please, do NOT install any new programs or update anything unless told to do so while we are fixing your problem

If you still need help, please include the following in your next reply

GMER log

oceanic · June 13, 2010

thanks for the help

Here is the log file, hope there's nothing sesnsitive there that should not be public.

I think i should add, everytime i try to open antyhing i get the unable to locate error, themed32.dll is missing. But somethings still open, and other stuff doesnt, whilst other stuff opens and then crashs after the error. For instance internet explorer, won't open, but mozilla does even though both get the same missing error message.

What's the likelyhood its a registery problem?

GMER 1.0.15.15281 - http://www.gmer.net

Rootkit scan 2010-06-14 11:38:48

Windows 5.1.2600 Service Pack 3

Running: oebwzu2x.exe; Driver: C:\DOCUME~1\User\LOCALS~1\Temp\uwryrpow.sys

---- System - GMER 1.0.15 ----

SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwAssignProcessToJobObject [0xA8748D82]

SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwCreateFile [0xA874948E]

SSDT BA7236FE ZwCreateKey

SSDT BA7236F4 ZwCreateThread

SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwDeleteFile [0xA87495DA]

SSDT BA723703 ZwDeleteKey

SSDT BA72370D ZwDeleteValueKey

SSDT BA723712 ZwLoadKey

SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwOpenFile [0xA874953E]

SSDT BA7236E0 ZwOpenProcess

SSDT BA7236E5 ZwOpenThread

SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwProtectVirtualMemory [0xA87491EA]

SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwQueryValueKey [0xA874CE5E]

SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwRenameKey [0xA874CDC8]

SSDT BA72371C ZwReplaceKey

SSDT BA723717 ZwRestoreKey

SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwSetContextThread [0xA8748D30]

SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwSetInformationFile [0xA874963A]

SSDT BA723708 ZwSetValueKey

SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwSuspendThread [0xA8748CD4]

SSDT BA7236EF ZwTerminateProcess

SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwTerminateThread [0xA8748C78]

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwCallbackReturn + 2DF4 80504690 4 Bytes JMP ECA87491

.rsrc C:\WINDOWS\system32\DRIVERS\ssmdrv.sys entry point in ".rsrc" section [0xBA37CC14]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\wuauclt.exe[1116] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 008B000A

.text C:\WINDOWS\system32\wuauclt.exe[1116] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 008C000A

.text C:\WINDOWS\system32\wuauclt.exe[1116] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 003F000C

.text C:\WINDOWS\System32\svchost.exe[1248] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0089000A

.text C:\WINDOWS\System32\svchost.exe[1248] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 008A000A

.text C:\WINDOWS\System32\svchost.exe[1248] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 007B000C

.text C:\WINDOWS\System32\svchost.exe[1248] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 00DF000A

.text C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe[2812] ntdll.dll!KiUserApcDispatcher 7C90E450 5 Bytes JMP 00412220 C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe (RapportMgmtService/Trusteer Ltd.)

.text C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe[2812] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes JMP 716B001E

.text C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe[2812] USER32.dll!GetGUIThreadInfo + FB 7E428023 6 Bytes JMP 716E001E

.text C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe[2812] WS2_32.dll!getaddrinfo 71AB2A6F 5 Bytes JMP 71650022

.text C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe[2812] WS2_32.dll!gethostbyname 71AB5355 5 Bytes JMP 71680022

.text C:\Program Files\Trusteer\Rapport\bin\RapportService.exe[2944] ntdll.dll!KiUserApcDispatcher 7C90E450 5 Bytes JMP 004394A0 C:\Program Files\Trusteer\Rapport\bin\RapportService.exe (RapportService/Trusteer Ltd.)

.text C:\Program Files\Trusteer\Rapport\bin\RapportService.exe[2944] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes JMP 716B001E

.text C:\Program Files\Trusteer\Rapport\bin\RapportService.exe[2944] WS2_32.dll!getaddrinfo 71AB2A6F 5 Bytes JMP 71680022

.text C:\Program Files\Trusteer\Rapport\bin\RapportService.exe[2944] WS2_32.dll!gethostbyname 71AB5355 5 Bytes JMP 716E0022

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device -> \Driver\atapi \Device\Harddisk0\DR0 89DA1EC5

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x82 0x1A 0xC7 0x1D ...

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xE0 0x0B 0x5B 0x7C ...

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x78 0x62 0x6D 0xED ...

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41@khjeh 0x5B 0xE2 0x59 0x6C ...

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42@khjeh 0x5B 0xE2 0x59 0x6C ...

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf43

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf43@khjeh 0x5B 0xE2 0x59 0x6C ...

Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\

Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0

Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x82 0x1A 0xC7 0x1D ...

Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...

Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xE0 0x0B 0x5B 0x7C ...

Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x78 0x62 0x6D 0xED ...

Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41 (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41@khjeh 0x5B 0xE2 0x59 0x6C ...

Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42 (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42@khjeh 0x5B 0xE2 0x59 0x6C ...

Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf43 (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf43@khjeh 0x5B 0xE2 0x59 0x6C ...

Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\System

Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\System@OODEFRAG10.00.00.01WORKSTATION 53059C7365FA5E60BFEA62D4EA3A4F1E787BC0A9A6B0DBD1411631CFA83CC89FE05680FB847B1E30

94C6BEE1E98D00A3D1A00B610F4EE104541321CBE4327C55FDAAC1B6A5301E2F0BB8E85C2430C663

0

FD94C0F0195103E47F735BC17D9724DB976A282CBA94BB926573EC9A324B8B5C9FDA001AA9DCB73E

8

FCE7FEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BEC

C

74CFEBC9E127BECC74CA6A0AC4980AC7933A6171C11EC38DE3D8EDD5E5BE2F6E6675D575E7D6A3B9

8

08710942DB2687D7A3F8392E0A7195FB655D6AEC9822B34601E201AA6F3F878AAD490BE8038039E3

D

C7528C67BC7050448BD3F5A39A81A12DFB60B8F1A874A9A7115EEA99AC18D0BB725243C3FE751412

B

C5AACDD48798A925841BF7F60AE9EFD536369FF31815BD89B0D4BA729A40033C881B2774C2495C7C

E

782119D2275FC24EEB66A52D8F3ADD623B471A6CE2ADEDE79CDC497FD5B40C6DFE78B974E11F5596

6

1AACEDFA6153DB6F1415DF93FCABAA73D70C2F858F2E994DC01EE4B17356A629DC0CF1992B6985E8

1

35D171FB9866CB1216621C5BEC3BB785C817913E6DBF325523480F6B0EEF748AA043949F4CFA2D86

4

40C7D05061AA0B5BF3BA5D4C0958AE20D3AC75662708A825C9A80FD8AA01EB3389715CC3AC9791B0

B

6859F1623A27E409C7C1D5318C18B21F23913A2FE6E54EF37DFC

Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{05962EB7-D710-1DBF-C301-BD340B66075C}

Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{57361BAA-24AA-C7C5-DDD1-83F6003BE5B1}

Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{57361BAA-24AA-C7C5-DDD1-83F6003BE5B1}@jahaoejnklaebgbbacop 0x6B 0x61 0x62 0x6A ...

Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{57361BAA-24AA-C7C5-DDD1-83F6003BE5B1}@iafbmlhadgalpieiap 0x6B 0x61 0x61 0x6A ...

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\DRIVERS\ssmdrv.sys suspicious modification

File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----

Elise · June 13, 2010

Hello there,

You have a nasty rootkit on board. Before starting the cleanup, please read the following information.

BACKDOOR WARNING

------------------------------

One or more of the identified infections is known to use a backdoor.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would advice you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the infection has been identified and can be killed, because of it's backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.

Please download DeFogger to your desktop.

Double click DeFogger to run the tool.

The application window will appear
Click the Disable button to disable your CD Emulation drivers
Click Yes to continue
A 'Finished!' message will appear
Click OK
DeFogger will now ask to reboot the machine - click OK

IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_disable which will appear on your desktop.

Do not re-enable these drivers until otherwise instructed.

COMBOFIX

---------------

Please download ComboFix from one of these locations:

Bleepingcomputer
ForoSpyware

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
Double click on Combofix.exe and follow the prompts.
As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, or if you are running Vista, ComboFix will continue it's malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

oceanic · June 14, 2010

Ran the combofix program, it found a rootkit and said it had to restart, clicked ok, but it would not restart so i had to manually shut down and restart computer.

Then ran it again, it gave me a million of those "unable to locate component" due to not finding themed32.dll, from findstr.exe to many others. And until i acknowledged it the combofix scan would not continue. So kept clicking them through. Scan finished, and on the blue screen it kept saying unable to locate log this and log that. But this notepad window did in the end pop up with what seems like the log you were asking for.

Here it is.

ComboFix 10-06-13.01 - User 15/06/2010 12:20:52.6.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2037.1502 [GMT 1:00]

Running from: F:\ComboFix.exe

AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\User\Application Data\6BD1BEE02E02E4EAAC52F178F95EE573

c:\documents and settings\User\Application Data\6BD1BEE02E02E4EAAC52F178F95EE573\enemies-names.txt

c:\documents and settings\User\Local Settings\Application Data\{BF3D988B-8A98-4F68-B6B9-53EFF5C46C24}

c:\documents and settings\User\Local Settings\Application Data\{BF3D988B-8A98-4F68-B6B9-53EFF5C46C24}\chrome.manifest

c:\documents and settings\User\Local Settings\Application Data\{BF3D988B-8A98-4F68-B6B9-53EFF5C46C24}\chrome\content\_cfg.js

c:\documents and settings\User\Local Settings\Application Data\{BF3D988B-8A98-4F68-B6B9-53EFF5C46C24}\chrome\content\overlay.xul

c:\documents and settings\User\Local Settings\Application Data\{BF3D988B-8A98-4F68-B6B9-53EFF5C46C24}\install.rdf

c:\windows\system32\jodvou

.

((((((((((((((((((((((((( Files Created from 2010-05-15 to 2010-06-15 )))))))))))))))))))))))))))))))

.

2010-06-13 07:23 . 2010-06-13 07:23 61952 ----a-w- c:\windows\system32\PxSecure.dll

2010-06-13 07:23 . 2010-06-13 07:23 61624 ----a-w- c:\windows\system32\drivers\pxrts.sys

2010-06-13 07:23 . 2010-06-13 07:23 30320 ----a-w- c:\windows\system32\drivers\pxscan.sys

2010-06-13 07:23 . 2010-06-13 07:23 24400 ----a-w- c:\windows\system32\drivers\pxkbf.sys

2010-06-13 07:22 . 2010-06-13 08:19 -------- d-----w- c:\documents and settings\All Users\Application Data\PrevxCSI

2010-06-13 06:48 . 2004-08-04 02:56 385536 ----a-w- c:\windows\system32\THEMEd32.DLL

2010-06-13 04:21 . 2010-06-13 04:21 -------- d-----w- c:\windows\system32\wbem\Repository

2010-06-13 01:59 . 2010-06-13 04:20 -------- d-----w- c:\program files\Azureus(2)

2010-06-12 08:15 . 2010-06-12 16:28 -------- d-----w- C:\ErdUndoCache

2010-06-11 23:07 . 2010-06-11 23:07 -------- d-----w- C:\found.000

2010-06-11 21:40 . 2010-06-11 21:40 -------- d-----w- c:\documents and settings\Vostro77\Application Data\Trusteer

2010-06-11 17:26 . 2010-06-11 17:26 -------- d-----w- c:\documents and settings\LocalService\Application Data\Azureus

2010-06-11 16:34 . 2010-06-11 19:53 120 ----a-w- c:\windows\Omonum.dat

2010-06-11 16:34 . 2010-06-11 16:34 0 ----a-w- c:\windows\Jdejebopevubeq.bin

2010-06-11 13:26 . 2010-06-11 13:26 -------- d-----w- C:\spoolerlogs

2010-06-10 08:23 . 2010-06-10 08:23 57344 ----a-w- c:\documents and settings\All Users\Application Data\DivX\RunAsUser\RUNASUSERPROCESS.dll

2010-06-10 08:23 . 2010-06-10 08:21 1062184 ----a-w- c:\documents and settings\All Users\Application Data\DivX\Setup\Resource.dll

2010-06-10 08:23 . 2010-06-10 08:21 895256 ----a-w- c:\documents and settings\All Users\Application Data\DivX\Setup\DivXSetup.exe

2010-06-10 08:23 . 2009-11-30 14:36 530625 ----a-w- c:\documents and settings\All Users\Application Data\DivX\DivX7\DivX Web Player\DivXWebPlayerUninstall.exe

2010-06-10 08:23 . 2009-11-30 14:36 530625 ----a-w- c:\documents and settings\All Users\Application Data\DivX\DivX7\DivX Plus DirectShow Filters\DivXDSFiltersUninstall.exe

2010-06-10 08:23 . 2009-11-30 14:35 530625 ----a-w- c:\documents and settings\All Users\Application Data\DivX\DivX7\DivX Converter\DivXConverterUninstall.exe

2010-06-10 08:23 . 2010-06-10 08:23 57715 ----a-w- c:\documents and settings\All Users\Application Data\DivX\Player\Uninstaller.exe

2010-06-10 08:23 . 2010-06-10 08:23 56765 ----a-w- c:\documents and settings\All Users\Application Data\DivX\DivXPlusShortcuts\Uninstaller.exe

2010-06-10 08:23 . 2010-06-10 08:23 53600 ----a-w- c:\documents and settings\All Users\Application Data\DivX\Update\Uninstaller.exe

2010-06-10 08:23 . 2010-06-10 08:23 84062 ----a-w- c:\documents and settings\All Users\Application Data\DivX\TransferWizard\Uninstaller.exe

2010-06-10 08:21 . 2010-06-10 08:23 -------- d-----w- c:\documents and settings\All Users\Application Data\DivX

2010-06-07 17:07 . 2010-06-07 17:07 434176 ----a-w- c:\documents and settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportMS\17053\RapportMS.dll

2010-06-05 19:02 . 2009-01-16 07:19 1731736 ----a-w- c:\documents and settings\User\Application Data\Leadertech\PowerRegister\Seagate 2GH2YNJG Product Registration.exe

2010-06-05 19:01 . 2010-06-05 19:01 -------- d-----w- c:\documents and settings\User\Application Data\Leadertech

2010-05-26 16:08 . 2010-05-26 16:08 -------- d-----w- c:\program files\Advanced File Organizer

2010-05-26 13:25 . 2010-05-26 13:25 -------- d-----w- c:\program files\uTorrent

2010-05-25 22:11 . 2010-05-25 22:13 -------- d-----w- C:\1121aa01e2dca97d337f

2010-05-23 16:32 . 2010-05-23 16:32 -------- d-----w- c:\documents and settings\User\Local Settings\Application Data\Temp

2010-05-23 16:32 . 2010-05-23 16:32 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Google

2010-05-23 16:27 . 2010-05-23 16:27 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Google

2010-05-23 15:03 . 2010-05-24 17:45 -------- d-----w- c:\program files\Google

2010-05-18 15:15 . 2010-05-18 15:15 -------- d-----w- c:\program files\CDisplay

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-06-13 04:20 . 2008-01-31 00:42 -------- d-----w- c:\documents and settings\User\Application Data\Azureus

2010-06-12 16:28 . 2009-10-09 19:27 -------- d-----w- c:\documents and settings\All Users\Application Data\pdf995

2010-06-11 21:30 . 2009-12-10 12:07 -------- d-----w- c:\program files\PeerBlock

2010-06-11 19:48 . 2009-12-16 18:18 -------- d-----w- c:\documents and settings\User\Application Data\vlc

2010-06-11 16:57 . 2009-04-07 18:43 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-06-11 16:55 . 2008-01-31 02:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2010-06-11 16:55 . 2008-12-13 07:56 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP

2010-06-11 16:55 . 2008-01-31 02:00 -------- d-----w- c:\program files\SpywareBlaster

2010-06-11 16:53 . 2008-04-07 20:20 -------- d-----w- c:\documents and settings\User\Application Data\Media Player Classic

2010-06-11 16:53 . 2008-03-14 03:38 -------- d-----w- c:\program files\CCleaner

2010-06-10 08:23 . 2009-11-30 14:35 -------- d-----w- c:\program files\DivX

2010-06-10 08:23 . 2009-11-30 14:35 -------- d-----w- c:\program files\Common Files\DivX Shared

2010-06-07 20:25 . 2009-09-11 04:04 -------- d-----w- c:\program files\2 Pic

2010-06-04 19:04 . 2009-10-12 22:03 -------- d-----w- c:\program files\Microsoft Silverlight

2010-05-26 13:25 . 2009-10-26 14:04 -------- d-----w- c:\documents and settings\User\Application Data\uTorrent

2010-05-22 07:47 . 2008-03-04 09:47 -------- d-----w- c:\documents and settings\User\Application Data\dvdcss

2010-05-18 06:00 . 2008-03-16 02:12 -------- d-----w- c:\documents and settings\User\Application Data\U3

2010-05-04 17:20 . 2006-03-04 03:33 832512 ----a-w- c:\windows\system32\wininet.dll

2010-05-04 17:20 . 2004-08-04 10:00 78336 ----a-w- c:\windows\system32\ieencode.dll

2010-05-04 17:20 . 2004-08-04 10:00 17408 ------w- c:\windows\system32\corpol.dll

2010-04-29 14:39 . 2009-04-07 18:43 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-04-29 14:39 . 2009-04-07 18:43 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-04-27 18:40 . 2009-02-03 00:27 45648 ----a-w- c:\windows\system32\drivers\PxHelp20.sys

2010-04-27 18:40 . 2009-02-03 00:27 133616 ------w- c:\windows\system32\pxafs.dll

2010-04-27 18:40 . 2009-02-03 00:27 126448 ------w- c:\windows\system32\pxinsi64.exe

2010-04-27 18:40 . 2009-02-03 00:27 123888 ------w- c:\windows\system32\pxcpyi64.exe

2010-04-25 01:49 . 2008-01-31 02:17 -------- d-----w- c:\program files\Spybot - Search & Destroy

2010-04-25 01:39 . 2010-04-25 01:39 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Azureus

2010-04-11 20:49 . 2010-04-11 20:48 26582 ----a-r- c:\documents and settings\User\Application Data\Microsoft\Installer\{B8672913-A995-4C4A-AA0F-DE5D83549FA0}\Project64.exe1_B797CA9398E846EAA83635BE088145CE.exe

2010-04-11 20:49 . 2010-04-11 20:48 26582 ----a-r- c:\documents and settings\User\Application Data\Microsoft\Installer\{B8672913-A995-4C4A-AA0F-DE5D83549FA0}\Project64.exe_7FDC4F26BA404AD0BE57AC3D01EAD3E0.exe

2010-04-11 20:49 . 2010-04-11 20:48 26582 ----a-r- c:\documents and settings\User\Application Data\Microsoft\Installer\{B8672913-A995-4C4A-AA0F-DE5D83549FA0}\ARPPRODUCTICON.exe

2010-04-11 20:49 . 2010-04-11 20:48 25214 ----a-r- c:\documents and settings\User\Application Data\Microsoft\Installer\{B8672913-A995-4C4A-AA0F-DE5D83549FA0}\UNINST_Uninstall_P_156F75ED3AC34F899F4E49E7BCF228E8.exe

2010-04-11 20:49 . 2010-04-11 20:48 24942 ----a-r- c:\documents and settings\User\Application Data\Microsoft\Installer\{B8672913-A995-4C4A-AA0F-DE5D83549FA0}\Project64.chm_FC8E88CE0FC0416A8DCED87702F81733.exe

2010-04-11 20:49 . 2010-04-11 20:48 24942 ----a-r- c:\documents and settings\User\Application Data\Microsoft\Installer\{B8672913-A995-4C4A-AA0F-DE5D83549FA0}\PJgameFAQ.chm_4CFA8D737AA64B3EB46FBE36D300F34E.exe

2010-04-11 20:49 . 2010-04-11 20:48 1150 ----a-r- c:\documents and settings\User\Application Data\Microsoft\Installer\{B8672913-A995-4C4A-AA0F-DE5D83549FA0}\evoodoo.cpl_218B97DFEF7B43DBB14A0C45C482ABEE.exe

2010-04-10 14:44 . 2010-04-10 14:44 8854 ----a-r- c:\documents and settings\User\Application Data\Microsoft\Installer\{9559F7CA-5E34-4237-A2D9-D856464AD727}\Uninstall_Project64__9559F7CA5E344237A2D9D856464AD727.exe

2010-04-10 14:44 . 2010-04-10 14:44 40960 ----a-r- c:\documents and settings\User\Application Data\Microsoft\Installer\{9559F7CA-5E34-4237-A2D9-D856464AD727}\NewShortcut1_9559F7CA5E344237A2D9D856464AD727.exe

2010-04-10 14:44 . 2010-04-10 14:44 40960 ----a-r- c:\documents and settings\User\Application Data\Microsoft\Installer\{9559F7CA-5E34-4237-A2D9-D856464AD727}\ARPPRODUCTICON.exe

2010-03-29 21:55 . 2010-03-29 21:55 1956656 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\install_flash_player_ax.exe

2006-05-03 10:06 . 2009-05-26 04:45 163328 --sh--r- c:\windows\system32\flvDX.dll

2007-02-21 11:47 . 2009-05-26 04:45 31232 --sh--r- c:\windows\system32\msfDX.dll

2008-03-16 13:30 . 2009-05-26 04:45 216064 --sh--r- c:\windows\system32\nbDX.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"PeerBlock"="c:\program files\PeerBlock\peerblock.exe" [2009-09-28 1524824]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

"SpybotDeletingD3469"="del" [X]

"SpybotDeletingD5468"="del" [X]

"SpybotDeletingB7600"="command.com" [2004-08-04 50620]

"SpybotDeletingB9754"="command.com" [2004-08-04 50620]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\User\Start Menu\Programs\Startup\

Wallpaper Changer.lnk - c:\program files\WallpaperToy\Wallpapertoy.Exe [2008-6-25 110592]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]

BootExecute REG_MULTI_SZ autocheck autochk *\0OODBS

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office OneNote 2003 Quick Launch.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office OneNote 2003 Quick Launch.lnk

backup=c:\windows\pss\Microsoft Office OneNote 2003 Quick Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^User^Start Menu^Programs^Startup^Microsoft Office OneNote 2003 Quick Launch.lnk]

path=c:\documents and settings\User\Start Menu\Programs\Startup\Microsoft Office OneNote 2003 Quick Launch.lnk

backup=c:\windows\pss\Microsoft Office OneNote 2003 Quick Launch.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]

2007-05-11 05:46 624248 ----a-w- c:\program files\Adobe\Acrobat 8.0\Acrobat\acrotray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]

2005-05-04 02:43 69632 ----a-w- c:\windows\Alcmtr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]

2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]

2007-04-17 03:51 162584 ----a-w- c:\windows\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]

2007-04-17 03:51 142104 ----a-w- c:\windows\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]

2004-08-04 10:00 208952 ----a-w- c:\windows\ime\IMJP8_1\imjpmig.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OODefragTray]

2007-05-11 02:08 2512392 ----a-w- c:\windows\system32\oodtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]

2005-06-20 12:32 127118 ------w- c:\program files\CyberLink\PowerCinema\PCMService.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PDVDDXSrv]

2006-10-21 01:23 118784 ------w- c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]

2007-04-17 03:51 138008 ----a-w- c:\windows\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A]

2004-08-04 10:00 455168 ----a-w- c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync]

2004-08-04 10:00 455168 ----a-w- c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]

2007-04-26 22:27 16132608 ----a-w- c:\windows\RTHDCPL.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

2008-12-01 12:29 136600 ----a-w- c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"WMPNetworkSvc"=3 (0x3)

"WLSetupSvc"=3 (0x3)

"usnjsvc"=3 (0x3)

"SSScsiSV"=3 (0x3)

"SPTISRV"=3 (0x3)

"SonicStage Back-End Service"=3 (0x3)

"PACSPTISVR"=3 (0x3)

"ose"=3 (0x3)

"MSCSPTISRV"=3 (0x3)

"KSD2Service"=2 (0x2)

"JavaQuickStarterService"=2 (0x2)

"iPod Service"=3 (0x3)

"idsvc"=3 (0x3)

"IDriverT"=3 (0x3)

"FLEXnet Licensing Service"=3 (0x3)

"dlbt_device"=3 (0x3)

"CyberLink Media Library Service"=2 (0x2)

"CLSched"=2 (0x2)

"CLCapSvc"=2 (0x2)

"Apple Mobile Device"=2 (0x2)

"O&O Defrag"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"c:\\WINDOWS\\system32\\sessmgr.exe"=

"c:\\Program Files\\SopCast\\adv\\SopAdver.exe"=

"c:\\Program Files\\SopCast\\SopCast.exe"=

"c:\\Program Files\\TVUPlayer\\TVUPlayer.exe"=

"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=

"c:\\Program Files\\Java\\jre6\\launch4j-tmp\\frd.exe"=

"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=

"c:\\Program Files\\uTorrent\\utorrent.exe"=

"c:\\WINDOWS\\system32\\spoolsv.exe"=

R0 pxscan;pxscan;c:\windows\system32\drivers\pxscan.sys [13/06/2010 08:23 30320]

R1 RapportKELL;RapportKELL;c:\program files\Trusteer\Rapport\bin\RapportKELL.sys [15/03/2010 14:47 58984]

R1 RapportPG;RapportPG;c:\program files\Trusteer\Rapport\bin\RapportPG.sys [15/03/2010 14:47 116328]

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [18/05/2009 22:35 108289]

R2 RapportMgmtService;Rapport Management Service;c:\program files\Trusteer\Rapport\bin\RapportMgmtService.exe [15/03/2010 14:47 779496]

R3 pxkbf;pxkbf;c:\windows\system32\drivers\pxkbf.sys [13/06/2010 08:23 24400]

R3 XPAD;XBox Controllers USB HID Mini Driver;c:\windows\system32\drivers\Xpad.sys [01/02/2008 06:05 12800]

S2 CSIScanner;CSIScanner;"c:\program files\Prevx\prevx.exe" /service --> c:\program files\Prevx\prevx.exe [?]

S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [23/05/2010 17:27 135664]

S3 ASPI;Advanced SCSI Programming Interface Driver;c:\windows\system32\drivers\ASPI32.SYS [26/05/2008 07:37 16512]

S3 pbfilter;pbfilter;c:\program files\PeerBlock\pbfilter.sys [10/12/2009 13:07 14424]

S3 pxrts;pxrts;c:\windows\system32\drivers\pxrts.sys [13/06/2010 08:23 61624]

S3 XID;XBox Controller HID Minidriver, XID;c:\windows\system32\drivers\xid.sys [01/02/2008 04:58 7597]

S3 xpvcom;XPVCOM Port;c:\windows\system32\drivers\XPVCOM.sys [23/03/2007 03:00 30032]

S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [24/07/2008 07:18 717296]

.

Contents of the 'Scheduled Tasks' folder

2010-06-15 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-05-23 16:27]

2010-06-14 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-05-23 16:27]

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.argos.co.uk/static/Product/partNumber/7000814/c_1/1%7Ccat_12107492%7CDIY%20tools%20and%20equipment%7C12107545/Trail/searchtext%3EFURNISHINGS.htm?storeId=10001&referredURL=http%3A%2F%2Fwww.argos.co.uk%2Fstatic%2FProduct%2FpartNumber%2F7000814%2Fc_1%2F1%7Ccat_12107492%7CDIY+tools+and+equipment%7C12107545%2FTrail%2Fsearchtext%3EFURNISHINGS.htm&jspStoreDir=argos&referrer=COJUN&cmpid=COJUN

uInternet Connection Wizard,ShellNext = iexplore

IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000

IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html

.

- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-BrMfcWnd - c:\program files\Brother\Brmfcmon\BrMfcWnd.exe

MSConfigStartUp-ControlCenter3 - c:\program files\Brother\ControlCenter3\brctrcen.exe

MSConfigStartUp-IndexSearch - c:\program files\ScanSoft\PaperPort\IndexSearch.exe

MSConfigStartUp-iTunesHelper - c:\program files\iTunes\iTunesHelper.exe

MSConfigStartUp-PaperPort PTD - c:\program files\ScanSoft\PaperPort\pptd40nt.exe

MSConfigStartUp-QuickTime Task - c:\program files\QuickTime\qttask.exe

MSConfigStartUp-SSBkgdUpdate - c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe

AddRemove-HijackThis - c:\docume~1\User\LOCALS~1\Temp\Rar$EX00.844\HijackThis.exe

AddRemove-mIRC - c:\documents and settings\User\Desktop\SYSRESET\mirc.exe

AddRemove-Mozilla Firefox (3.6.3) - c:\program files\Mozilla Firefox\uninstall\helper.exe

AddRemove-PCSI - c:\program files\Prevx\prevx.exe

AddRemove-{7B63B2922B174135AFC0E1377DD81EC2} - c:\program files\DivX\DivXCodecUninstall.exe

**************************************************************************

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files:

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1454471165-1085031214-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{05962EB7-D710-1DBF-C301-BD340B66075C}*]

@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-1454471165-1085031214-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{57361BAA-24AA-C7C5-DDD1-83F6003BE5B1}*]

@Allowed: (Read) (RestrictedCode)

"jahaoejnklaebgbbacop"=hex:6b,61,62,6a,62,63,64,6f,6c,66,70,62,61,66,68,67,68,

6f,66,6f,62,6c,00,00

"iafbmlhadgalpieiap"=hex:6b,61,61,6a,6f,67,65,70,6d,6c,68,67,6e,68,6d,63,65,61,

66,6b,62,68,00,7c

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\System*]

"OODEFRAG10.00.00.01WORKSTATION"="53059C7365FA5E60BFEA62D4EA3A4F1E787BC0A9A6B0DBD1411631CFA83CC89FE05680FB847

B1E3094C6BEE1E98D00A3D1A00B610F4EE104541321CBE4327C55FDAAC1B6A5301E2F0BB8E85C243

0

C6630FD94C0F0195103E47F735BC17D9724DB976A282CBA94BB926573EC9A324B8B5C9FDA001AA9D

C

B73E8FCE7FEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E1

2

7BECC74CFEBC9E127BECC74CA6A0AC4980AC7933A6171C11EC38DE3D8EDD5E5BE2F6E6675D575E7D

6

A3B9808710942DB2687D7A3F8392E0A7195FB655D6AEC9822B34601E201AA6F3F878AAD490BE8038

0

39E3DC7528C67BC7050448BD3F5A39A81A12DFB60B8F1A874A9A7115EEA99AC18D0BB725243C3FE7

5

1412BC5AACDD48798A925841BF7F60AE9EFD536369FF31815BD89B0D4BA729A40033C881B2774C24

9

5C7CE782119D2275FC24EEB66A52D8F3ADD623B471A6CE2ADEDE79CDC497FD5B40C6DFE78B974E11

F

559661AACEDFA6153DB6F1415DF93FCABAA73D70C2F858F2E994DC01EE4B17356A629DC0CF1992B6

9

85E8135D171FB9866CB1216621C5BEC3BB785C817913E6DBF325523480F6B0EEF748AA043949F4CF

A

2D86440C7D05061AA0B5BF3BA5D4C0958AE20D3AC75662708A825C9A80FD8AA01EB3389715CC3AC9

7

91B0B6859F1623A27E409C7C1D5318C18B21F23913A2FE6E54EF37DFC12B8FE5812710270CCB3553

A

C0045EE99170FE2D491C6359723F908E052C14A01AD36AD2F5AC863FA090EA0BA0009723B5E195D4

E

3C90D607BF8B1D42E6A6D83B0412BCD5BBAF70E67B3E758CB7A6EBF5700B59A1BC21526E72E82F8D

0

DE52A35FDD713141016FA6D691CEBE7F0603161A3FB306202C9CB7D4707F7BCF784CF59FC01656B6

F

D0A05227C258F9C8FC11B96345EF02CEE45A0BE0A5E1AC3089D1B5F7CA1DC2C7BAF47D2190405031

4

74B5FB207DCDB3ACC8D8D73C20C1F910528FBF7B6D46458AFFE78D526DA60708D92D4A3256C292DE

0

66A448A3CB39CB8341031D885E7EB6933AF1DAEA18009EA30F43E0C6480D6985570E3E4FA685E21C

0

043184B3D244BC994BED489986A2B5EDC7524D5510B7F214B3244125A6FAEE7B95CAFCB2B4C543EF

0

D3806E3240D71A0DDCBE03180B5620209761FD53495903380E3D99144F605D28CC2D4C6D84B9B3A2

8

B14C0E2D92973A4EB2EE3B7C9E30DBA40B10C98EDD51905E7BD1A091E3A8F15BA9E452DA7870D9F0

0

58DF5F08A22BF1FB8C3A8D48ECE64409A991F5591913D146688C2609D2E4C8C8204BD203BC86846E

6

603FAE633BF1B377BB0D864E5A938AC13D52FF5C3F6CEDEDC46541BAE4C8CEA67061DB187A2AF9D5

4

3A0D5307419D1452A4DFCBE243D0FE7536571746AB18664FA9E5F921909C8965B29F9E374D47C2EE

3

F80C90F4CE40B6843019F295A287B"

.

Completion time: 2010-06-15 12:30:27

ComboFix-quarantined-files.txt 2010-06-15 11:30

ComboFix2.txt 2009-04-21 10:39

Pre-Run: 454,469,832,704 bytes free

Post-Run: 454,714,773,504 bytes free

- - End Of File - - 6BBF7FB354958C8DE06E6CD716DFA127

oceanic · June 14, 2010

oh, sorry forgot to add, in the initial scan it for some reason set of spybot s&d even though that program was swtiched off and not running in the backgroud. In the scan it jet set it off.

Elise · June 14, 2010

Hello again,

Don't worry about Spybot, it shows only some entries that indicate it wants to remove some files on startup. We will remove those entries with the next script.

CF-SCRIPT

-------------

We need to execute a CF-script.

Close any open browsers.
Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
Click Start > Run and in the box that opens type notepad and press enter. Copy/paste the text in the codebox below into it:

TDL::
C:\WINDOWS\system32\DRIVERS\ssmdrv.sys

File::
c:\windows\Omonum.dat
c:\windows\Jdejebopevubeq.bin

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"SpybotDeletingD3469"=-
"SpybotDeletingD5468"=-
"SpybotDeletingB7600"=-
"SpybotDeletingB9754"=-

RegNull::
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\System*]
[HKEY_USERS\S-1-5-21-1454471165-1085031214-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{05962EB7-D710-1DBF-C301-BD340B66075C}*]
[HKEY_USERS\S-1-5-21-1454471165-1085031214-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{57361BAA-24AA-C7C5-DDD1-83F6003BE5B1}*]

Save this as CFScript.txt, in the same location as ComboFix.exe

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

oceanic · June 14, 2010

Heres the log, it set of the errors as usual.

ComboFix 10-06-13.01 - User 16/06/2010 8:51.7.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2037.1606 [GMT 1:00]

Running from: F:\ComboFix.exe

Command switches used :: F:\CFScript.txt

AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

* Created a new restore point

FILE ::

"c:\windows\Jdejebopevubeq.bin"

"c:\windows\Omonum.dat"

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\windows\Jdejebopevubeq.bin

c:\windows\Omonum.dat

.

((((((((((((((((((((((((( Files Created from 2010-05-16 to 2010-06-16 )))))))))))))))))))))))))))))))