Here is the ComboFix log... (feeling really good right now!! :):) )

ComboFix 11-03-15.03 - Administrator 03/16/2011 21:23:03.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1791.1336 [GMT 5.5:30]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
C:\autorun.inf
c:\docume~1\ADMINI~1\LOCALS~1\Temp\jna2934518254239686697.dll
c:\documents and settings\Administrator\Local Settings\Temp\jna2934518254239686697.dll
c:\program files\IObit Toolbar\IE\4.1\ioBIttoolbarie.dll
c:\program files\SpeedBit Toolbar\Toolbar\tbhelper.dll
c:\program files\SpeedBit Video Downloader\Toolbar\tbhelper.dll
C:\rlgb.pif
c:\windows\system32\drivers\cvwgex.sys
E:\Autorun.inf
F:\autorun.inf
G:\autorun.inf
G:\rrhw.pif
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_AMSINT32
-------\Service_amsint32
-------\Legacy_cvwgex
-------\Service_cvwgex
.
.
((((((((((((((((((((((((( Files Created from 2011-02-16 to 2011-03-16 )))))))))))))))))))))))))))))))
.
.
2011-03-16 15:02 . 2011-03-16 15:39 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\ConduitEngine
2011-03-16 15:02 . 2011-03-16 15:02 -------- d-----w- c:\program files\ConduitEngine
2011-03-16 15:02 . 2011-03-16 15:02 -------- d-----w- c:\program files\Softonic-Eng7
2011-03-16 15:00 . 2011-03-16 15:00 -------- d-----w- c:\program files\VirusTotalUploader2
2011-03-14 03:44 . 2011-03-14 03:44 -------- d-----w- c:\documents and settings\LocalService\Application Data\Yahoo!
2011-03-14 03:44 . 2011-03-14 03:44 -------- d-----w- c:\documents and settings\LocalService\Application Data\Toolbar4
2011-03-09 03:21 . 2004-08-03 19:26 159232 ----a-w- c:\windows\system32\ptpusd.dll
2011-03-09 03:21 . 2001-08-17 17:06 5632 ----a-w- c:\windows\system32\ptpusb.dll
2011-03-09 03:21 . 2004-08-03 17:28 15104 -c--a-w- c:\windows\system32\dllcache\usbscan.sys
2011-03-09 03:21 . 2004-08-03 17:28 15104 ----a-w- c:\windows\system32\drivers\usbscan.sys
2011-03-06 15:50 . 2011-03-06 15:50 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2011-03-06 15:50 . 2010-12-20 12:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-03-06 15:50 . 2011-03-06 15:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-03-06 15:50 . 2011-03-06 15:50 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-03-06 15:50 . 2010-12-20 12:38 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-03-06 13:40 . 2011-03-06 13:40 -------- d-----w- c:\documents and settings\All Users\Application Data\FLEXnet
2011-03-06 13:31 . 2011-03-06 13:31 -------- d-----w- c:\program files\Bonjour
2011-03-06 13:27 . 2011-03-06 13:27 -------- d-----w- c:\program files\Common Files\Macrovision Shared
2011-03-04 16:59 . 2011-03-16 15:56 -------- d-----w- c:\documents and settings\Administrator\Application Data\LimeWire
2011-03-04 16:49 . 2011-03-04 16:49 -------- d-----w- c:\program files\Common Files\Java
2011-03-04 16:49 . 2011-03-04 16:49 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-03-04 16:49 . 2011-03-04 16:49 411368 ----a-w- c:\windows\system32\deploytk.dll
2011-03-04 16:49 . 2011-03-04 16:49 -------- d-----w- c:\program files\Java
2011-02-28 16:11 . 2011-03-16 15:02 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Temp
2011-02-28 15:57 . 2011-02-28 15:57 -------- d-----w- c:\documents and settings\Administrator\Application Data\com.atlanticrecords.Fanbase.A6C8DD5DA30F5C18C5C42884996720F649F6ED37.1
2011-02-28 15:56 . 2011-02-28 15:56 -------- d-----w- c:\program files\Fanbase
2011-02-28 15:55 . 2011-02-28 15:55 -------- d-----w- c:\program files\Common Files\Adobe AIR
2011-02-27 08:15 . 2006-10-17 16:59 487479 ----a-w- c:\windows\system32\SkinMagic.dll
2011-02-27 08:03 . 2011-02-27 08:03 -------- d-----w- c:\documents and settings\Administrator\Application Data\Grisoft
2011-02-27 08:03 . 2007-05-30 12:10 10872 ----a-w- c:\windows\system32\drivers\AvgAsCln.sys
2011-02-27 08:03 . 2011-02-27 08:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Grisoft
2011-02-27 07:12 . 2011-02-27 07:12 -------- d-----w- C:\Mp3 Output
2011-02-27 07:12 . 2009-06-08 10:03 8676883 ----a-w- c:\windows\system32\mp3Media2.dll
2011-02-21 15:46 . 2011-02-21 15:46 -------- d-----w- c:\program files\WinSplit Revolution
2011-02-16 14:26 . 2011-02-16 14:26 -------- d-----w- c:\program files\Power Tab Software
2011-02-16 14:21 . 2011-02-16 14:25 -------- d-----w- c:\documents and settings\Administrator\Application Data\Dev-Cpp
2011-02-15 15:59 . 2001-08-23 19:30 185344 -c--a-w- c:\windows\system32\dllcache\thawbrkr.dll
2011-02-15 15:59 . 2001-08-23 19:30 185344 ----a-w- c:\windows\system32\Thawbrkr.dll
2011-02-15 15:59 . 2001-08-23 19:30 5632 -c--a-w- c:\windows\system32\dllcache\kbdusa.dll
2011-02-15 15:59 . 2001-08-23 19:30 5632 ----a-w- c:\windows\system32\kbdusa.dll
2011-02-15 15:59 . 2001-08-23 19:30 19456 -c--a-w- c:\windows\system32\dllcache\agt0401.dll
2011-02-15 15:59 . 2001-08-23 19:30 10752 -c--a-w- c:\windows\system32\dllcache\c_iscii.dll
2011-02-15 15:59 . 2001-08-23 19:30 10752 ----a-w- c:\windows\system32\c_iscii.dll
2011-02-15 15:59 . 2001-08-23 19:30 19456 -c--a-w- c:\windows\system32\dllcache\agt040d.dll
2011-02-15 15:58 . 2001-08-23 19:30 6144 -c--a-w- c:\windows\system32\dllcache\ftlx041e.dll
2011-02-15 15:58 . 2001-08-23 19:30 6144 ----a-w- c:\windows\system32\ftlx041e.dll
2011-02-15 15:33 . 2011-02-15 15:58 -------- d-sh--w- c:\documents and settings\Administrator\Local Settings\Application Data\.#
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-03-01 14:47 . 2011-02-07 02:55 5632 ----a-w- c:\windows\system32\drivers\StarOpen.sys
2011-02-14 08:05 . 2011-02-14 08:05 1700352 ----a-w- c:\windows\system32\gdiplus.dll
2011-02-08 13:40 . 2003-03-18 14:44 499712 ----a-w- c:\windows\system32\msvcp71.dll
2011-02-08 13:40 . 2003-02-20 23:12 348160 ----a-w- c:\windows\system32\msvcr71.dll
.
.
------- Sigcheck -------
.
[-] 2009-08-03 . 32272BF10467C8ACF1F83138C61D541E . 1580544 . . [5.1.2600.2180] . . c:\windows\system32\sfcfiles.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3017FB3E-9A77-4396-88C5-0EC9548FB42F}]
2011-02-11 18:21 2447360 ----a-w- c:\program files\SpeedBit Video Downloader\Toolbar\tbcore3.dll
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{30F9B915-B755-4826-820B-08FBA6BD249D}]
2010-11-13 16:28 3913000 ----a-w- c:\program files\ConduitEngine\ConduitEngine.dll
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{389943B0-C3A2-4E69-82CB-8596A84CB3DC}]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{EBFCD017-BCAD-42C3-9ED5-89DBDFC59171}"= "c:\program files\SpeedBit Toolbar\Toolbar\tbcore3.dll" [2011-02-11 2447360]
"{30F9B915-B755-4826-820B-08FBA6BD249D}"= "c:\program files\ConduitEngine\ConduitEngine.dll" [2010-11-13 3913000]
.
[HKEY_CLASSES_ROOT\clsid\{ebfcd017-bcad-42c3-9ed5-89dbdfc59171}]
[HKEY_CLASSES_ROOT\SPEEDBIT1.SPEEDBIT1.3]
[HKEY_CLASSES_ROOT\TypeLib\{EC4085F2-8DB3-45a6-AD0B-CA289F3C5D7E}]
[HKEY_CLASSES_ROOT\SPEEDBIT1.SPEEDBIT1]
.
[HKEY_CLASSES_ROOT\clsid\{30f9b915-b755-4826-820b-08fba6bd249d}]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{EBFCD017-BCAD-42C3-9ED5-89DBDFC59171}"= "c:\program files\SpeedBit Toolbar\Toolbar\tbcore3.dll" [2011-02-11 2447360]
.
[HKEY_CLASSES_ROOT\clsid\{ebfcd017-bcad-42c3-9ed5-89dbdfc59171}]
[HKEY_CLASSES_ROOT\SPEEDBIT1.SPEEDBIT1.3]
[HKEY_CLASSES_ROOT\TypeLib\{EC4085F2-8DB3-45a6-AD0B-CA289F3C5D7E}]
[HKEY_CLASSES_ROOT\SPEEDBIT1.SPEEDBIT1]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Advanced SystemCare 3"="c:\program files\IObit\Advanced SystemCare 3\AWC.exe" [2010-12-16 2402512]
"SmartRAM"="c:\program files\IObit\Advanced SystemCare 3\Sup_SmartRAM.exe" [2010-07-21 198864]
"Winsplit"="c:\program files\WinSplit Revolution\WinSplit.exe" [2011-02-16 4279296]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-03 15360]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-26 104744]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-04-14 13684736]
"nwiz"="nwiz.exe" [2009-04-14 2845216]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-04-14 86016]
"RTHDCPL"="RTHDCPL.EXE" [2009-05-21 17881600]
"CLMLServer"="c:\program files\CyberLink\Power2Go\CLMLSvc.exe" [2009-06-03 173352]
"UpdateP2GoShortCut"="c:\program files\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe" [2009-05-19 1410344]
"UpdatePSTShortCut"="c:\program files\CyberLink\DVD Suite\MUITransfer\MUIStartMenu.exe" [2009-09-29 1398056]
"SearchSettings"="c:\program files\Common Files\Spigot\Search Settings\SearchSettings.exe" [2010-11-18 524288]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2011-02-08 202256]
"WinampAgent"="e:\winamp installed\Winamp\winampa.exe" [2010-12-06 74752]
"!AVG Anti-Spyware"="c:\program files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 6800944]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2011-01-30 105368]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-11-10 932288]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-01-11 316136]
"Acrobat Assistant 8.0"="f:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2006-10-22 620152]
.
c:\documents and settings\Administrator\Start Menu\Programs\Startup\
dj60lrbx.exe [2011-3-14 43008]
LimeWire On Startup.lnk - e:\after xp install\LimeWire\LimeWire.exe [2010-8-19 569344]
Password Safe.lnk - c:\program files\Password Safe\pwsafe.exe [2010-12-8 3501056]
pp2vwr081yj.exe [2011-3-14 43008]
Stardock ObjectDock.lnk - c:\program files\Stardock\ObjectDock\ObjectDock.exe [2011-2-6 3450608]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-7760-000000000003}\_SC_Acrobat.exe [2011-3-6 295606]
Adobe Acrobat Synchronizer.lnk - f:\program files\Adobe\Acrobat 8.0\Acrobat\AdobeCollabSync.exe [2006-10-23 1918616]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001
"AntiVirusDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000001
"FirewallOverride"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"UacDisableNotify"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\WINWORD.EXE"=
"c:\\OrCAD\\OrCAD_15.7_Demo\\updates.exe"=
"c:\\OrCAD\\OrCAD_15.7_Demo\\tools\\bin\\cdsdoc.exe"=
"c:\\OrCAD\\OrCAD_15.7_Demo\\tools\\bin\\cdsinfo.exe"=
"c:\\OrCAD\\OrCAD_15.7_Demo\\tools\\bin\\cdsmps.exe"=
"c:\\OrCAD\\OrCAD_15.7_Demo\\tools\\bin\\cdsMsgServer.exe"=
"c:\\OrCAD\\OrCAD_15.7_Demo\\tools\\bin\\cdsNameServer.exe"=
"c:\\OrCAD\\OrCAD_15.7_Demo\\tools\\bin\\cdsOaPathUtil.exe"=
"c:\\OrCAD\\OrCAD_15.7_Demo\\tools\\bin\\cdsRemshClient.exe"=
"c:\\OrCAD\\OrCAD_15.7_Demo\\tools\\bin\\cdsRunHidden.exe"=
"c:\\OrCAD\\OrCAD_15.7_Demo\\tools\\bin\\cdsServIpc.exe"=
"c:\\OrCAD\\OrCAD_15.7_Demo\\tools\\bin\\cdsUnzip.exe"=
"c:\\OrCAD\\OrCAD_15.7_Demo\\tools\\bin\\cdswhich.exe"=
"c:\\OrCAD\\OrCAD_15.7_Demo\\tools\\bin\\cdsZip.exe"=
"c:\\OrCAD\\OrCAD_15.7_Demo\\tools\\bin\\cds_root.exe"=
"c:\\OrCAD\\OrCAD_15.7_Demo\\tools\\bin\\clsAdminTool.exe"=
"c:\\OrCAD\\OrCAD_15.7_Demo\\tools\\bin\\clsbd.exe"=
"c:\\OrCAD\\OrCAD_15.7_Demo\\tools\\bin\\clu.exe"=
"c:\\OrCAD\\OrCAD_15.7_Demo\\tools\\bin\\cmfeedback.exe"=
"c:\\OrCAD\\OrCAD_15.7_Demo\\tools\\bin\\consmgr.exe"=
"c:\\OrCAD\\OrCAD_15.7_Demo\\tools\\bin\\dregprint.exe"=
"c:\\OrCAD\\OrCAD_15.7_Demo\\tools\\bin\\emsMkError.exe"=
"c:\\OrCAD\\OrCAD_15.7_Demo\\tools\\bin\\mpsinfo.exe"=
"c:\\OrCAD\\OrCAD_15.7_Demo\\tools\\bin\\msgHelp.exe"=
"c:\\OrCAD\\OrCAD_15.7_Demo\\tools\\bin\\nmp.exe"=
"c:\\OrCAD\\OrCAD_15.7_Demo\\tools\\bin\\nmppath.exe"=
"c:\\OrCAD\\OrCAD_15.7_Demo\\tools\\bin\\obServer.exe"=
"c:\\OrCAD\\OrCAD_15.7_Demo\\tools\\bin\\switchversion.exe"=
"c:\\OrCAD\\OrCAD_15.7_Demo\\tools\\bin\\van.exe"=
"c:\\OrCAD\\OrCAD_15.7_Demo\\tools\\bin\\versionviewer.exe"=
"c:\\OrCAD\\OrCAD_15.7_Demo\\tools\\capture\\capture.exe"=
"c:\\OrCAD\\OrCAD_15.7_Demo\\tools\\capture\\comp16.exe"=
"c:\\OrCAD\\OrCAD_15.7_Demo\\tools\\capture\\pcadi.exe"=
"c:\\OrCAD\\OrCAD_15.7_Demo\\tools\\capture\\pspiceexplorersrvr.exe"=
"c:\\OrCAD\\OrCAD_15.7_Demo\\tools\\capture\\pstswp.exe"=
"c:\\OrCAD\\OrCAD_15.7_Demo\\tools\\capture\\regsvr32.exe"=
"c:\\OrCAD\\OrCAD_15.7_Demo\\tools\\capture\\sch2cap.exe"=
"c:\\OrCAD\\OrCAD_15.7_Demo\\tools\\capture\\SETBROWS.EXE"=
"c:\\OrCAD\\OrCAD_15.7_Demo\\tools\\capture\\tutorial\\CAPTUTOR.EXE"=
"c:\\OrCAD\\OrCAD_15.7_Demo\\tools\\cdsdoc\\bin\\cdsdocIndexer.exe"=
"c:\\OrCAD\\OrCAD_15.7_Demo\\tools\\cdsdoc\\bin\\obServer.exe"=
"c:\\OrCAD\\OrCAD_15.7_Demo\\tools\\dfII\\bin\\skill.exe"=
"c:\\OrCAD\\OrCAD_15.7_Demo\\tools\\dfII\\bin\\skill_g.exe"=
"c:\\OrCAD\\OrCAD_15.7_Demo\\tools\\fet\\bin\\bodygen.exe"=
"c:\\OrCAD\\OrCAD_15.7_Demo\\tools\\fet\\bin\\cpmaccess.exe"=
"c:\\OrCAD\\OrCAD_15.7_Demo\\tools\\fet\\bin\\libaccess.exe"=
"c:\\OrCAD\\OrCAD_15.7_Demo\\tools\\fet\\bin\\lrm.exe"=
"c:\\OrCAD\\OrCAD_15.7_Demo\\tools\\fet\\bin\\mkdefcfg.exe"=
"c:\\OrCAD\\OrCAD_15.7_Demo\\tools\\fet\\bin\\newgenasym.exe"=
"c:\\OrCAD\\OrCAD_15.7_Demo\\tools\\fet\\bin\\pcbCache.exe"=
"c:\\OrCAD\\OrCAD_15.7_Demo\\tools\\fet\\bin\\projmgr.exe"=
"c:\\OrCAD\\OrCAD_15.7_Demo\\tools\\fet\\bin\\psetup.exe"=
"c:\\OrCAD\\OrCAD_15.7_Demo\\tools\\fet\\bin\\purge.exe"=
"c:\\OrCAD\\OrCAD_15.7_Demo\\tools\\fet\\bin\\QPSetup.exe"=
"c:\\OrCAD\\OrCAD_15.7_Demo\\tools\\fet\\bin\\rollback.exe"=
"c:\\OrCAD\\OrCAD_15.7_Demo\\tools\\fet\\bin\\UniversalBrowser.exe"=
"c:\\OrCAD\\OrCAD_15.7_Demo\\tools\\fet\\bin\\versiontool.exe"=
"c:\\OrCAD\\OrCAD_15.7_Demo\\tools\\jre\\bin\\java.exe"=
"c:\\OrCAD\\OrCAD_15.7_Demo\\tools\\jre\\bin\\javaw.exe"=
"c:\\OrCAD\\OrCAD_15.7_Demo\\tools\\jre\\bin\\jpicpl32.exe"=
"c:\\OrCAD\\OrCAD_15.7_Demo\\tools\\jre\\bin\\jucheck.exe"=
"c:\\OrCAD\\OrCAD_15.7_Demo\\tools\\jre\\bin\\jusched.exe"=
"c:\\OrCAD\\OrCAD_15.7_Demo\\tools\\jre\\bin\\keytool.exe"=
"c:\\OrCAD\\OrCAD_15.7_Demo\\tools\\jre\\bin\\kinit.exe"=
"c:\\OrCAD\\OrCAD_15.7_Demo\\tools\\jre\\bin\\klist.exe"=
"c:\\OrCAD\\OrCAD_15.7_Demo\\tools\\jre\\bin\\ktab.exe"=
"c:\\OrCAD\\OrCAD_15.7_Demo\\tools\\jre\\bin\\orbd.exe"=
"c:\\OrCAD\\OrCAD_15.7_Demo\\tools\\jre\\bin\\policytool.exe"=
"c:\\OrCAD\\OrCAD_15.7_Demo\\tools\\jre\\bin\\rmid.exe"=
"c:\\OrCAD\\OrCAD_15.7_Demo\\tools\\jre\\bin\\rmiregistry.exe"=
"c:\\OrCAD\\OrCAD_15.7_Demo\\tools\\jre\\bin\\servertool.exe"=
"c:\\OrCAD\\OrCAD_15.7_Demo\\tools\\jre\\bin\\tnameserv.exe"=
"c:\\OrCAD\\OrCAD_15.7_Demo\\tools\\jre\\javaws\\javaws.exe"=
"c:\\OrCAD\\OrCAD_15.7_Demo\\tools\\pcb\\bin\\a2dxf.exe"=
"c:\\OrCAD\\OrCAD_15.7_Demo\\tools\\pcb\\bin\\allegro.exe"=
"c:\\OrCAD\\OrCAD_15.7_Demo\\tools\\pcb\\bin\\allegro_free_viewer.exe"=
"c:\\OrCAD\\OrCAD_15.7_Demo\\tools\\pcb\\bin\\artwork.exe"=
"c:\\OrCAD\\OrCAD_15.7_Demo\\tools\\pcb\\bin\\batch_drc.exe"=
"c:\\OrCAD\\OrCAD_15.7_Demo\\tools\\pcb\\bin\\bbvia.exe"=
"c:\\OrCAD\\OrCAD_15.7_Demo\\tools\\pcb\\bin\\bem2d.exe"=
"c:\\OrCAD\\OrCAD_15.7_Demo\\tools\\pcb\\bin\\cns_report.exe"=
"c:\\OrCAD\\OrCAD_15.7_Demo\\tools\\pcb\\bin\\create_devices.exe"=
"c:\\OrCAD\\OrCAD_15.7_Demo\\tools\\pcb\\bin\\create_sym.exe"=
"c:\\OrCAD\\OrCAD_15.7_Demo\\tools\\pcb\\bin\\dbdoctor.exe"=
"c:\\OrCAD\\OrCAD_15.7_Demo\\tools\\pcb\\bin\\dbdoctor14.exe"=
"c:\\OrCAD\\OrCAD_15.7_Demo\\tools\\pcb\\bin\\dbdoctor_ui.exe"=
"c:\\OrCAD\\OrCAD_15.7_Demo\\tools\\pcb\\bin\\dbfix11.exe"=
"c:\\OrCAD\\OrCAD_15.7_Demo\\tools\\pcb\\bin\\dbfix12.exe"=
"c:\\OrCAD\\OrCAD_15.7_Demo\\tools\\pcb\\bin\\dbfix13.exe"=
"c:\\OrCAD\\OrCAD_15.7_Demo\\tools\\pcb\\bin\\dbstat.exe"=
"c:\\OrCAD\\OrCAD_15.7_Demo\\tools\\pcb\\bin\\dfa_dlg.exe"=
"c:\\OrCAD\\OrCAD_15.7_Demo\\tools\\pcb\\bin\\dfa_update.exe"=
"c:\\OrCAD\\OrCAD_15.7_Demo\\tools\\pcb\\bin\\downrev14.exe"=
"c:\\OrCAD\\OrCAD_15.7_Demo\\tools\\pcb\\bin\\downrev_library.exe"=
"c:\\OrCAD\\OrCAD_15.7_Demo\\tools\\pcb\\bin\\draw_check.exe"=
"c:\\OrCAD\\OrCAD_15.7_Demo\\tools\\pcb\\bin\\dump_libraries.exe"=
"c:\\OrCAD\\OrCAD_15.7_Demo\\tools\\pcb\\bin\\dxf2a.exe"=
"c:\\OrCAD\\OrCAD_15.7_Demo\\tools\\pcb\\bin\\ecl_schedule.exe"=
"c:\\OrCAD\\OrCAD_15.7_Demo\\tools\\pcb\\bin\\enved.exe"=
"c:\\OrCAD\\OrCAD_15.7_Demo\\tools\\pcb\\bin\\explot.exe"=
"c:\\OrCAD\\OrCAD_15.7_Demo\\tools\\pcb\\bin\\extracta.exe"=
"c:\\OrCAD\\OrCAD_15.7_Demo\\tools\\pcb\\bin\\flash_convert.exe"=
"c:\\OrCAD\\OrCAD_15.7_Demo\\tools\\pcb\\bin\\fpbrowse.exe"=
"c:\\OrCAD\\OrCAD_15.7_Demo\\tools\\pcb\\bin\\FSvia.exe"=
"c:\\OrCAD\\OrCAD_15.7_Demo\\tools\\pcb\\bin\\FSviaSolver.exe"=
"c:\\OrCAD\\OrCAD_15.7_Demo\\tools\\pcb\\bin\\gbplot.exe"=
"c:\\OrCAD\\OrCAD_15.7_Demo\\tools\\pcb\\bin\\genfeedformat.exe"=
"c:\\OrCAD\\OrCAD_15.7_Demo\\tools\\pcb\\bin\\genrad.exe"=
"c:\\OrCAD\\OrCAD_15.7_Demo\\tools\\pcb\\bin\\gloss.exe"=
"c:\\OrCAD\\OrCAD_15.7_Demo\\tools\\pcb\\bin\\idf_in.exe"=
"c:\\OrCAD\\OrCAD_15.7_Demo\\tools\\pcb\\bin\\idf_out.exe"=
"c:\\OrCAD\\OrCAD_15.7_Demo\\tools\\pcb\\bin\\iges_in.exe"=
"c:\\OrCAD\\OrCAD_15.7_Demo\\tools\\pcb\\bin\\iges_out.exe"=
"c:\\OrCAD\\OrCAD_15.7_Demo\\tools\\pcb\\bin\\il_allegro.exe"=
"c:\\OrCAD\\OrCAD_15.7_Demo\\tools\\pcb\\bin\\ipc356_out.exe"=
"c:\\OrCAD\\OrCAD_15.7_Demo\\tools\\pcb\\bin\\j2script.exe"=
"c:\\OrCAD\\OrCAD_15.7_Demo\\tools\\pcb\\bin\\l2a.exe"=
"c:\\OrCAD\\OrCAD_15.7_Demo\\tools\\pcb\\bin\\mbs2lib.exe"=
"c:\\OrCAD\\OrCAD_15.7_Demo\\tools\\pcb\\bin\\ncroute.exe"=
"c:\\OrCAD\\OrCAD_15.7_Demo\\tools\\pcb\\bin\\nctape.exe"=
"c:\\OrCAD\\OrCAD_15.7_Demo\\tools\\pcb\\bin\\netin.exe"=
"c:\\OrCAD\\OrCAD_15.7_Demo\\tools\\pcb\\bin\\netrev.exe"=
"c:\\OrCAD\\OrCAD_15.7_Demo\\tools\\pcb\\bin\\pads_in.exe"=
"c:\\OrCAD\\OrCAD_15.7_Demo\\tools\\pcb\\bin\\pad_designer.exe"=
"c:\\OrCAD\\OrCAD_15.7_Demo\\tools\\pcb\\bin\\parallel.exe"=
"c:\\OrCAD\\OrCAD_15.7_Demo\\tools\\pcb\\bin\\pcad_in.exe"=
"c:\\OrCAD\\OrCAD_15.7_Demo\\tools\\pcb\\bin\\pe_wordpad.exe"=
"c:\\OrCAD\\OrCAD_15.7_Demo\\tools\\pcb\\bin\\placement.exe"=
"c:\\OrCAD\\OrCAD_15.7_Demo\\tools\\pcb\\bin\\plctxt.exe"=
"c:\\OrCAD\\OrCAD_15.7_Demo\\tools\\pcb\\bin\\pre_check.exe"=
"c:\\OrCAD\\OrCAD_15.7_Demo\\tools\\pcb\\bin\\productServer.exe"=
"c:\\OrCAD\\OrCAD_15.7_Demo\\tools\\pcb\\bin\\qvupdate.exe"=
"c:\\OrCAD\\OrCAD_15.7_Demo\\tools\\pcb\\bin\\refresh_padstack.exe"=
"c:\\OrCAD\\OrCAD_15.7_Demo\\tools\\pcb\\bin\\refresh_symbol.exe"=
"c:\\OrCAD\\OrCAD_15.7_Demo\\tools\\pcb\\bin\\refresh_vs.exe"=
"c:\\OrCAD\\OrCAD_15.7_Demo\\tools\\pcb\\bin\\reftxt.exe"=
"c:\\OrCAD\\OrCAD_15.7_Demo\\tools\\pcb\\bin\\report.exe"=
"c:\\OrCAD\\OrCAD_15.7_Demo\\tools\\pcb\\bin\\specctra.exe"=
"c:\\OrCAD\\OrCAD_15.7_Demo\\tools\\pcb\\bin\\spif.exe"=
"c:\\OrCAD\\OrCAD_15.7_Demo\\tools\\pcb\\bin\\spif_batch.exe"=
"c:\\OrCAD\\OrCAD_15.7_Demo\\tools\\pcb\\bin\\swap.exe"=
"c:\\OrCAD\\OrCAD_15.7_Demo\\tools\\pcb\\bin\\systemdump.exe"=
"c:\\OrCAD\\OrCAD_15.7_Demo\\tools\\pcb\\bin\\sys_root.exe"=
"c:\\OrCAD\\OrCAD_15.7_Demo\\tools\\pcb\\bin\\techfile.exe"=
"c:\\OrCAD\\OrCAD_15.7_Demo\\tools\\pcb\\bin\\techfile13.exe"=
"c:\\OrCAD\\OrCAD_15.7_Demo\\tools\\pcb\\bin\\techfile14.exe"=
"c:\\OrCAD\\OrCAD_15.7_Demo\\tools\\pcb\\bin\\tlp2.exe"=
"c:\\OrCAD\\OrCAD_15.7_Demo\\tools\\pcb\\bin\\uprev.exe"=
"c:\\OrCAD\\OrCAD_15.7_Demo\\tools\\pcb\\bin\\zrouter.exe"=
"c:\\OrCAD\\OrCAD_15.7_Demo\\tools\\perl5\\bin\\perl.exe"=
"c:\\OrCAD\\OrCAD_15.7_Demo\\tools\\perl5\\bin\\perlglob.exe"=
"c:\\OrCAD\\OrCAD_15.7_Demo\\tools\\perl5\\ntt\\cmd32.exe"=
"c:\\OrCAD\\OrCAD_15.7_Demo\\tools\\pspice\\IndiceFileGeneration.exe"=
"c:\\OrCAD\\OrCAD_15.7_Demo\\tools\\pspice\\Magneticdesigner.exe"=
"c:\\OrCAD\\OrCAD_15.7_Demo\\tools\\pspice\\modeled.exe"=
"c:\\OrCAD\\OrCAD_15.7_Demo\\tools\\pspice\\MrkSrvr.exe"=
"c:\\OrCAD\\OrCAD_15.7_Demo\\tools\\pspice\\pspice.exe"=
"c:\\OrCAD\\OrCAD_15.7_Demo\\tools\\pspice\\pspiceaa.exe"=
"c:\\OrCAD\\OrCAD_15.7_Demo\\tools\\pspice\\PSpiceEnc.exe"=
"c:\\OrCAD\\OrCAD_15.7_Demo\\tools\\pspice\\pspiceexplorersrvr.exe"=
"c:\\OrCAD\\OrCAD_15.7_Demo\\tools\\pspice\\psp_cmd.exe"=
"c:\\OrCAD\\OrCAD_15.7_Demo\\tools\\pspice\\regsvr32.exe"=
"c:\\OrCAD\\OrCAD_15.7_Demo\\tools\\pspice\\simmgr.exe"=
"c:\\OrCAD\\OrCAD_15.7_Demo\\tools\\pspice\\simsrvr.exe"=
"c:\\OrCAD\\OrCAD_15.7_Demo\\tools\\pspice\\stmed.exe"=
"c:\\OrCAD\\OrCAD_15.7_Demo\\tools\\specctra\\bin\\specctra.exe"=
"c:\\OrCAD\\OrCAD_15.7_Demo\\tools\\verity\\bin\\cdsdocIndexer.exe"=
"c:\\OrCAD\\OrCAD_15.7_Demo\\tools\\verity\\_nti40\\bin\\merge.exe"=
"c:\\OrCAD\\OrCAD_15.7_Demo\\tools\\verity\\_nti40\\bin\\mkvdk.exe"=
"c:\\OrCAD\\OrCAD_15.7_Demo\\tools\\verity\\_nti40\\bin\\search.exe"=
"c:\\OrCAD\\OrCAD_15.7_Demo\\tools\\verity\\_nti40\\bin\\setup.exe"=
"c:\\OrCAD\\OrCAD_15.7_Demo\\tools\\verity\\_nti40\\bin\\v_uninst.exe"=
"c:\\OrCAD\\OrCAD_15.7_Demo\\tools\\verity\\_nti40\\filters\\callback.exe"=
"c:\\OrCAD\\OrCAD_15.7_Demo\\tools\\verity\\_nti40\\filters\\filter.exe"=
"c:\\OrCAD\\OrCAD_15.7_Demo\\tools\\verity\\_nti40\\filters\\htmlini.exe"=
"c:\\OrCAD\\OrCAD_15.7_Demo\\tools\\verity\\_nti40\\filters\\htmserv.exe"=
"c:\\OrCAD\\OrCAD_15.7_Demo\\tools\\verity\\_nti40\\filters\\index.exe"=
"c:\\OrCAD\\OrCAD_15.7_Demo\\tools\\verity\\_nti40\\filters\\jstree.exe"=
"c:\\OrCAD\\OrCAD_15.7_Demo\\tools\\verity\\_nti40\\filters\\jvtree.exe"=
"c:\\OrCAD\\OrCAD_15.7_Demo\\tools\\verity\\_nti40\\filters\\kvoop.exe"=
"c:\\OrCAD\\OrCAD_15.7_Demo\\tools\\verity\\_nti40\\filters\\regsvr32.exe"=
"c:\\OrCAD\\OrCAD_15.7_Demo\\tools\\verity\\_nti40\\filters\\summary.exe"=
"c:\\OrCAD\\OrCAD_15.7_Demo\\tools\\verity\\_nti40\\filters\\viewers\\amovie.exe"=
"c:\\OrCAD\\OrCAD_15.7_Demo\\tools\\specctra\\bin\\specctra.com"=
"c:\\WINDOWS\\RTHDCPL.EXE"=
"c:\\Program Files\\IObit\\Advanced SystemCare 3\\Sup_SmartRAM.exe"=
"c:\\Program Files\\CyberLink\\Power2Go\\CLMLSvc.exe"=
"c:\\Program Files\\Samsung\\Samsung PC Studio 3\\USB Drivers\\SPS3_USB_Driver_Setup.exe"=
"c:\\Program Files\\Samsung\\Samsung PC Studio 3\\Launcher.exe"=
"c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\GrooveMonitor.exe"=
"c:\\Program Files\\Common Files\\Adobe\\ARM\\1.0\\AdobeARM.exe"=
"f:\\wwjnu.exe"=
"c:\\Program Files\\Samsung\\Samsung PC Studio 3\\ConMgr.exe"=
"c:\\Program Files\\Samsung\\Samsung PC Studio 3\\NetworkingWizard.exe"=
"c:\\WINDOWS\\system32\\nwiz.exe"=
"c:\\Program Files\\Real\\RealPlayer\\RealPlay.exe"=
"c:\\Program Files\\Real\\RealUpgrade\\realupgrade.exe"=
"c:\\Program Files\\Samsung\\Samsung PC Studio 3\\util\\OBEX.SETTINGS.exe"=
"c:\\Program Files\\Samsung\\Samsung PC Studio 3\\ConMgr_Setting.exe"=
"c:\\Program Files\\Samsung\\Samsung PC Studio 3\\OpenEntry.exe"=
"c:\\Program Files\\Stardock\\ObjectDock\\ObjectDock.exe"=
"e:\\after xp install\\plugin-container.exe"=
"c:\\Program Files\\Common Files\\Spigot\\Search Settings\\SearchSettings.exe"=
"e:\\winamp installed\\Winamp\\winampa.exe"=
"c:\\Program Files\\Samsung\\Samsung PC Studio 3\\messagemanager.exe"=
"c:\\Program Files\\IObit\\Advanced SystemCare 3\\AWC.exe"=
"c:\\Program Files\\WinSplit Revolution\\WinSplitDrvr32.exe"=
"e:\\after xp install\\firefox.exe"=
"c:\\Program Files\\Adobe\\Reader 10.0\\Reader\\Reader_sl.exe"=
"c:\\WINDOWS\\system32\\taskmgr.exe"=
"c:\\Program Files\\CyberLink\\Power2Go\\MUITransfer\\MUIStartMenu.exe"=
"c:\\Program Files\\CyberLink\\DVD Suite\\MUITransfer\\MUIStartMenu.exe"=
"c:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe"=
"c:\\Program Files\\WinSplit Revolution\\WinSplit.exe"=
"e:\\after xp install\\sticker lite\\sticker.exe"=
"c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=
"c:\\Program Files\\Common Files\\Java\\Java Update\\jusched.exe"=
"f:\\Program Files\\Adobe\\Acrobat 8.0\\Acrobat\\acrobat_sl.exe"=
"c:\\Program Files\\Password Safe\\pwsafe.exe"=
"f:\\Program Files\\Adobe\\Acrobat 8.0\\Acrobat\\AcroDist.exe"=
"e:\\after xp install\\LimeWire\\LimeWire.exe"=
"f:\\Program Files\\Adobe\\Acrobat 8.0\\Acrobat\\Acrotray.exe"=
.
R2 Application Updater;Application Updater;c:\program files\Application Updater\ApplicationUpdater.exe [11/18/2010 11:39 AM 386560]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2/5/2011 3:12 PM 1684736]
S3 speccy;speccy;\??\c:\docume~1\ADMINI~1\LOCALS~1\Temp\f86506e9-986e-435a-8ae8-1d7760614b0e --> c:\docume~1\ADMINI~1\LOCALS~1\Temp\f86506e9-986e-435a-8ae8-1d7760614b0e [?]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - AMSINT32
.
Contents of the 'Scheduled Tasks' folder
.
2011-03-16 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-18.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-06-02 21:32]
.
2011-03-16 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-220523388-1390067357-839522115-500.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-06-02 21:32]
.
2011-03-15 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-18.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-06-02 21:32]
.
2011-03-16 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-220523388-1390067357-839522115-500.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-06-02 21:32]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://search.conduit.com?SearchSource=10&ctid=CT2405280
uInternet Settings,ProxyOverride = *.local
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Append to existing PDF - f:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - f:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - f:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - f:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - f:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - f:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - f:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - f:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: {2D3C1814-EE17-4829-9BAD-D4CA759DDB84} = 203.147.88.2,202.138.103.100
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\i42shw5d.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2405280&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine - Softonic-Eng7 Customized Web Search
FF - prefs.js: browser.startup.homepage - hxxp://search.conduit.com/?ctid=CT2405280&SearchSource=13
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=utf-8&fr=greentree_ff1&type=685749&p=
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=utf-8&fr=greentree_ff1&type=685749&p=
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - e:\after xp install\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - e:\after xp install\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}
FF - Ext: RealPlayer Browser Record Plugin: {ABDE892B-13A8-4d1b-88E6-365A6E755758} - c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext
FF - Ext: SpeedBit Video Downloader: {0329E7D6-6F54-462D-93F6-F5C3118BADF2} - c:\program files\SpeedBit Video Downloader\SPFireFox
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: SpeedBit: {EBFCD017-BCAD-42C3-9ED5-89DBDFC59171} - c:\program files\SpeedBit Toolbar\SPFireFox
FF - Ext: Zynga Toolbar: {7b13ec3e-999a-4b70-b9cb-2617b8323822} - %profile%\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}
FF - Ext: Conduit Engine : engine@conduit.com - %profile%\extensions\engine@conduit.com
FF - Ext: Softonic-Eng7 Community Toolbar: {414b6d9d-4a95-4e8d-b5b1-149dd2d93bb3} - %profile%\extensions\{414b6d9d-4a95-4e8d-b5b1-149dd2d93bb3}
FF - user.js: browser.cache.memory.capacity - 65536
FF - user.js: browser.chrome.favicons - false
FF - user.js: browser.display.show_image_placeholders - true
FF - user.js: browser.turbo.enabled - true
FF - user.js: browser.urlbar.autocomplete.enabled - true
FF - user.js: browser.urlbar.autofill - true
FF - user.js: content.interrupt.parsing - true
FF - user.js: content.max.tokenizing.time - 2250000
FF - user.js: content.notify.backoffcount - 5
FF - user.js: content.notify.interval - 750000
FF - user.js: content.notify.ontimer - true
FF - user.js: content.switch.threshold - 750000
FF - user.js: network.http.max-connections - 48
FF - user.js: network.http.max-connections-per-server - 16
FF - user.js: network.http.max-persistent-connections-per-proxy - 16
FF - user.js: network.http.max-persistent-connections-per-server - 8
FF - user.js: network.http.pipelining - true
FF - user.js: network.http.pipelining.firstrequest - true
FF - user.js: network.http.pipelining.maxrequests - 8
FF - user.js: network.http.proxy.pipelining - true
FF - user.js: network.http.request.max-start-delay - 0
FF - user.js: nglayout.initialpaint.delay - 0
FF - user.js: plugin.expose_full_path - true
FF - user.js: ui.submenuDelay - 0
.
- - - - ORPHANS REMOVED - - - -
.
URLSearchHooks-{414b6d9d-4a95-4e8d-b5b1-149dd2d93bb3} - (no file)
BHO-{414b6d9d-4a95-4e8d-b5b1-149dd2d93bb3} - (no file)
Toolbar-{414b6d9d-4a95-4e8d-b5b1-149dd2d93bb3} - (no file)
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-03-16 21:26
Windows 5.1.2600 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\speccy]
"ImagePath"="\??\c:\docume~1\ADMINI~1\LOCALS~1\Temp\f86506e9-986e-435a-8ae8-1d7760614b0e"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10m_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10m_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(2236)
c:\program files\Stardock\ObjectDock\DockShellHook.dll
c:\windows\system32\msi.dll
c:\windows\system32\shdoclc.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\RUNDLL32.EXE
c:\windows\RTHDCPL.EXE
c:\program files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
f:\program files\Adobe\Acrobat 8.0\Acrobat\acrobat_sl.exe
c:\program files\WinSplit Revolution\WinSplitDrvr32.exe
c:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
.
**************************************************************************
.
Completion time: 2011-03-16 21:28:52 - machine was rebooted
ComboFix-quarantined-files.txt 2011-03-16 15:58
.
Pre-Run: 61,635,694,592 bytes free
Post-Run: 61,500,227,584 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
.
- - End Of File - - 29CD1B19B4D28738FC8722B456D0CCA8

0

Looks pretty good! You aren't finished yet, by a long shot, however.
You need to go to Add/Remove Programs and uninstall ALL of these. If you don't see one listed, move on to the next one, and then let me know which ones you didn't find.

Everything you find listed as AVG: ALL of it must go.

Also these. They are out of date and we will update them shortly:
Java Auto Updater
Java(TM) 6 Update 18

These below are total junk and can damage your computer.
Advanced SystemCare 3
IObit Toolbar v4.1

This one is likely how you got infected in the first place. P2P, besides being ILLEGAL, is the easiest way to get your computer infected.
LimeWire 5.5.14

These two are VERY questionable. Remove them.
SpeedBit Toolbar
SpeedBit Video Downloader

After you have done those uninstalls, UPDATE MBA-M and do another Full Scan with it; have it remove everything found. Reboot the computer.
Then do the following:
Please Run the ESET Online Scanner

http://www.eset.com/onlinescan/scanner.php?i_agree=14
* You can use Internet Explorer or Firefox to complete this scan, and you will need to allow an ActiveX control to be installed.
* You will need to temporarily disable your current anti-virus program.
* Be sure the option to Remove found threats is checked and the option to Scan unwanted applications is checked.
* When you have completed that scan, a scan log should have been created at C:\Program Files\EsetOnlineScanner\log.txt.

Post back with the Uninstall results AND both of those logs.

0

Looks pretty good!

You don't know how much that lifts me up!! :) I prayed more than a couple of times before running ComboFix, and didn't go to college so I could hear a reply from you!! Really feeling good right now, and can't thank you enough for keeping up with me and my problems for the last two days!

As regards those programs you wanted me to remove, I did them all, but couldn't find "Java Auto Updater" in the list, although I did remove "Java(TM) 6 Update 18".

I'll do the update and the scans you said; the next post will have the logs.
Thanks again :)

0

I will wait for the logs. Hopefully all will be well, and then we can proceed with setting this up more safely in the hope that you can avoid all this in the future.

0

Here is the MBAM log...

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6082

Windows 5.1.2600 Service Pack 2
Internet Explorer 6.0.2900.2180

3/17/2011 8:27:09 AM
mbam-log-2011-03-17 (08-27-09).txt

Scan type: Full scan (C:\|E:\|F:\|G:\|)
Objects scanned: 268999
Time elapsed: 19 minute(s), 52 second(s)

Memory Processes Infected: 2
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 3
Registry Data Items Infected: 3
Folders Infected: 0
Files Infected: 21

Memory Processes Infected:
c:\program files\application updater\applicationupdater.exe (PUP.Dealio) -> 1500 -> Unloaded process successfully.
c:\program files\common files\Spigot\search settings\searchsettings.exe (PUP.Dealio) -> 192 -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Application Updater (PUP.Dealio) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_AMSINT32 (Virus.Sality) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\amsint32 (Virus.Sality) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\PROGRAM FILES\APPLICATION UPDATER\APPLICATIONUPDATER.EXE (PUP.Dealio) -> Value: APPLICATIONUPDATER.EXE -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SearchSettings (PUP.Dealio) -> Value: SearchSettings -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\PROGRAM FILES\COMMON FILES\SPIGOT\SEARCH SETTINGS\SEARCHSETTINGS.EXE (PUP.Dealio) -> Value: SEARCHSETTINGS.EXE -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
c:\program files\application updater\applicationupdater.exe (PUP.Dealio) -> Quarantined and deleted successfully.
c:\Documents and Settings\Administrator\Local Settings\Temp\pwxvnn.exe (Spyware.PWS) -> Delete on reboot.
c:\aikf.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
c:\program files\iobit toolbar\widgihelper.exe (PUP.Dealio) -> Quarantined and deleted successfully.
c:\Qoobox\quarantine\C\rlgb.pif.vir (Malware.Packer.Gen) -> Quarantined and deleted successfully.
c:\Qoobox\quarantine\C\program files\iobit toolbar\IE\4.1\iobittoolbarie.dll.vir (PUP.Dealio) -> Not selected for removal.
c:\Qoobox\quarantine\C\WINDOWS\system32\drivers\cvwgex.sys.vir (Rootkit.Bubnix.Gen) -> Quarantined and deleted successfully.
c:\Qoobox\quarantine\G\rrhw.pif.vir (Malware.Packer.Gen) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\huccg.dll (Worm.Conficker) -> Delete on reboot.
c:\WINDOWS\Temp\temporary internet files\Content.IE5\4LQDQRK9\kfakp[1].bmp (Extension.Mismatch) -> Quarantined and deleted successfully.
e:\tksimx.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
e:\vpqaiy.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
e:\system volume information\_restore{a8da50ea-9289-4a52-b7e3-4de70b91f5fd}\RP1\A0000085.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
e:\system volume information\_restore{a8da50ea-9289-4a52-b7e3-4de70b91f5fd}\RP2\A0000802.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
f:\tgnm.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
f:\wwjnu.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
f:\system volume information\_restore{a8da50ea-9289-4a52-b7e3-4de70b91f5fd}\RP1\A0000083.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
f:\system volume information\_restore{a8da50ea-9289-4a52-b7e3-4de70b91f5fd}\RP2\A0000801.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
g:\ybgxwv.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
g:\system volume information\_restore{a8da50ea-9289-4a52-b7e3-4de70b91f5fd}\RP1\A0000023.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
c:\program files\common files\Spigot\search settings\searchsettings.exe (PUP.Dealio) -> Quarantined and deleted successfully.


But the ESET site won't load!! It's the same problem as the Jotti site you gave me :( It just keeps showing "loading", but nothing is displayed in the Firefox tab.

0

I couldn't do that... the site gerbil said, that won't load... I tried to do that, but it's the same problem as with the Jotti site, or the ESET site you gave me. They won't load!

0

What do you have on all these additional drives?

Do you have access to another computer?

When you say these sites won't load, what exactly happens?

Edited by jholland1964: n/a

0

On the E drive, I have songs, videos, as well as the setup files of the programs. The F drive has things related to my studies, Word files, PDF files etc. The D drive is the DVD drive, and the F drive is more or less empty. It just has a backup image of the Win7 machine I used earlier, but I changed it because a lot of programs don't run there.

0

I ask this because each and every drive is still showing infection, except D of course. But all the others have infected files on them.
They don't have as many as they had before but they are still there.

When you say all those sites won't load, what happens when you try? Do you get an error message or something?

0

By access to another computer... well, I sometimes get stuff from my friend's computer, songs, movies etc., but that's about it.

When I click on the link to those sites in Firefox, a new tab opens showing "loading", but that's all; nothing gets displayed in that tab... it just keeps loading and loading...

0

Power just went off!! :( I'm running on UPS right now. No, I don't get any error message, it just keeps loading... that's all... but nothing gets displayed. I'll get back to you when the power comes back again. Sorry :( And I did another MBAM scan... it again showed 12 infections.
Here is the log...

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6082

Windows 5.1.2600 Service Pack 2
Internet Explorer 6.0.2900.2180

3/17/2011 9:03:38 AM
mbam-log-2011-03-17 (09-03-38).txt

Scan type: Full scan (C:\|E:\|F:\|G:\|)
Objects scanned: 269223
Time elapsed: 18 minute(s), 14 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 3
Folders Infected: 0
Files Infected: 7

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_AMSINT32 (Virus.Sality) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\amsint32 (Virus.Sality) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
c:\Documents and Settings\Administrator\Local Settings\Temp\winuifqgb.exe (Spyware.PWS) -> Delete on reboot.
c:\aikf.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
c:\Qoobox\quarantine\C\program files\iobit toolbar\IE\4.1\iobittoolbarie.dll.vir (PUP.Dealio) -> Quarantined and deleted successfully.
e:\vpqaiy.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
e:\system volume information\_restore{a8da50ea-9289-4a52-b7e3-4de70b91f5fd}\RP2\A0001148.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
f:\tgnm.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
g:\ybgxwv.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.


I'll get back as soon as the power comes back. Sorry for the trouble.

0

gerbil said that these viruses attack executable processes...
On my E drive, I have a copy of my C drive Program Files... I forgot to mention that... and some programs are installed on the F drive as well. Can that be a reason for infections showing up on all drives?

0

Probably, and they likely are still there, especially since you didn't run all the programs requested by gerbil, namely the SalityKiller program.

0

since you didn't run all the programs requested by gerbil, namely the SalityKiller program

It's not like I didn't do it, I couldn't do it...

0

But Sality is not showing in the logs anymore... does that mean Sality has been deleted? I would do the SalityKiller run if I could get that page open... but it's not loading!

0

We are going to have to wait until gerbil can look at this, because he may have something else that you can try, but for now your computer is still very infected, and it appears you have been backing up those infections on all the other drives, so those also have to be cleaned of infections. That is one of the problems with doing backups without scanning the files first. I have sent gerbil a message to ask that he take a look. Don't do any more downloading or backing up until he can take a good look at all of this.

Edited by jholland1964: n/a
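One practical way to act on the advice above, scanning a backup before anything is restored or copied from it, as an added example written for this thread (it is not a tool from the thread, from Malwarebytes or from any other vendor, and it does not detect Sality or any other specific family). It walks a tree and flags the traits the MBAM logs above show on every drive: executables sitting at the drive root under random names, files whose extension disagrees with their content (what MBAM reports as Extension.Mismatch, here a .bmp whose bytes are a Windows executable), and an autorun.inf at the root, which on Windows XP is how such a root-level file gets launched when the drive is opened. Each hit gets a SHA-256 so it can be looked up or submitted to an online scanner from a machine that is not infected. The sample "drive" is constructed in a temporary directory; its file contents are fake and only the headers matter.

```python
"""Triage a backup tree before anything is restored or copied from it.

Added example for this thread; not a tool from the thread or from any vendor,
and it does not identify Sality or any other family. The sample tree built by
build_sample_tree() is constructed; the byte contents are stand-ins.
"""
import hashlib
import os
import re
import tempfile
from typing import Dict, List

EXEC_EXT = {".exe", ".pif", ".scr", ".com", ".dll", ".sys", ".bat", ".cmd"}
DOC_EXT = {".bmp", ".png", ".jpg", ".jpeg", ".gif", ".pdf", ".mp3", ".avi", ".doc", ".txt"}
# Keys in an autorun.inf that name something to run: open=, shellexecute=, shell\<verb>\command=
_AUTORUN_KEY = re.compile(r"^\s*(open|shellexecute|shell\\[^=]*\\command)\s*=\s*(.+?)\s*$", re.I)


def is_pe(path: str) -> bool:
    """Windows executables (EXE, DLL, SYS, and the payload behind a .pif) start with the 'MZ' DOS header."""
    with open(path, "rb") as fh:
        return fh.read(2) == b"MZ"


def sha256(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def autorun_targets(path: str) -> List[str]:
    """Commands an autorun.inf would run when the drive is opened."""
    with open(path, "r", errors="replace") as fh:
        return [m.group(2) for m in map(_AUTORUN_KEY.match, fh) if m]


def audit_tree(root: str) -> List[Dict[str, str]]:
    """One record per suspicious file under `root`, sorted by relative path."""
    root = os.path.abspath(root)
    hits: List[Dict[str, str]] = []
    for dirpath, _dirs, files in os.walk(root):
        at_root = os.path.abspath(dirpath) == root
        for name in files:
            path = os.path.join(dirpath, name)
            ext = os.path.splitext(name)[1].lower()
            reasons = []
            if at_root and ext in EXEC_EXT:
                reasons.append("executable at drive root")
            if ext in DOC_EXT and is_pe(path):
                reasons.append(f"content is a PE executable but extension is {ext}")
            if at_root and name.lower() == "autorun.inf":
                reasons.append("autorun.inf launches: " + ", ".join(autorun_targets(path)))
            if reasons:
                hits.append({"path": os.path.relpath(path, root).replace(os.sep, "/"),
                             "reasons": "; ".join(reasons), "sha256": sha256(path)})
    return sorted(hits, key=lambda h: h["path"])


def build_sample_tree(root: str) -> None:
    """Constructed stand-in for a backup drive (fake contents; only the headers matter)."""
    files = {
        "vpqaiy.exe": b"MZ" + b"\x90" * 64,                      # random-named dropper at the root
        "autorun.inf": b"[autorun]\r\nopen=vpqaiy.exe\r\nshell\\open\\command=vpqaiy.exe\r\n",
        "Program Files/Good App/app.exe": b"MZ" + b"\x00" * 64,  # ordinary install, not flagged
        "Temp/kfakp[1].bmp": b"MZ" + b"\x90" * 64,               # same dropper hiding behind an image extension
        "photos/real.bmp": b"BM" + b"\x00" * 64,                 # genuine bitmap header, not flagged
        "studies/notes.pdf": b"%PDF-1.4\n",
    }
    for rel, data in files.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)


def run_demo() -> List[Dict[str, str]]:
    """Build the constructed drive in a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return audit_tree(tmp)


if __name__ == "__main__":
    for hit in run_demo():
        print(f"{hit['path']:24} {hit['sha256'][:16]}...  {hit['reasons']}")
```

Run it against a real backup by calling `audit_tree("E:\\")` or `audit_tree("/mnt/backup")` from a clean machine; the hash is what you look up, since a file with the same bytes hashes the same whatever its name or extension says, which is exactly what the .bmp case in the sample shows.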

0

I tried once more... it's now saying "Firefox can't find the server at support.kaspersky.com."

0

I have sent gerbil a message to ask that he take a look. Don't do any more downloading or backing up until he can take a good look at all of this.

OK... thanks a lot :) And to be honest I had no idea about such infections before this. This problem is a real pain... but at least I'm learning something new from this. Better to look on the positive side of things...

Edited by somjit{}: n/a

0

But Sality is not showing in the logs anymore... does that mean Sality has been deleted? I would do the SalityKiller run if I could get that page open... but it's not loading!

But it IS showing in the logs; at least it showed in the MBA-M log that you posted last night, meaning it was still there.
We can't say a computer is clean until all the logs find NOTHING, not just that they cleaned something.

One thing that constantly shows infection is some sort of program called Spigot. What is this program?

Edited by jholland1964: n/a
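The point above, that a log which removed something is not the same as a log that found nothing, can be checked mechanically by comparing consecutive scans. The following is an added example written for this thread, not a Malwarebytes tool: it parses the MBAM 1.x log line format used above and lists the items the second scan found again after the first scan had reported them "Quarantined and deleted successfully". The two log texts are constructed excerpts of the 08:27 and 09:03 logs posted in this thread, and the parser assumes only that format ("item (Family) -> ... -> action.").

```python
"""Compare two consecutive MBAM 1.x scan logs and report what came back.

Added example for this thread, not a Malwarebytes tool. SCAN_0827 and
SCAN_0903 are constructed excerpts of the two logs posted above; the parser
only understands the "item (Family) -> ... -> action." line format they use.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

SCAN_0827 = r"""
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Application Updater (PUP.Dealio) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_AMSINT32 (Virus.Sality) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\amsint32 (Virus.Sality) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Files Infected:
c:\Documents and Settings\Administrator\Local Settings\Temp\pwxvnn.exe (Spyware.PWS) -> Delete on reboot.
c:\aikf.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\huccg.dll (Worm.Conficker) -> Delete on reboot.
e:\vpqaiy.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
f:\tgnm.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
g:\ybgxwv.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
"""

SCAN_0903 = r"""
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_AMSINT32 (Virus.Sality) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\amsint32 (Virus.Sality) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Files Infected:
c:\Documents and Settings\Administrator\Local Settings\Temp\winuifqgb.exe (Spyware.PWS) -> Delete on reboot.
c:\aikf.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
e:\vpqaiy.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
f:\tgnm.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
g:\ybgxwv.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
"""


@dataclass(frozen=True)
class Finding:
    section: str   # "Files Infected", "Registry Keys Infected", ...
    item: str      # path or registry key exactly as MBAM printed it
    family: str    # detection name, e.g. Virus.Sality
    action: str    # final outcome MBAM reported

    @property
    def key(self) -> str:
        return self.item.lower()   # Windows paths and registry keys are case-insensitive


_LINE = re.compile(r"^(?P<item>.+?) \((?P<family>[\w.]+)\) -> (?P<rest>.+)$")


def parse_mbam_log(text: str) -> List[Finding]:
    findings: List[Finding] = []
    section = ""
    for line in (ln.strip() for ln in text.splitlines()):
        if not line:
            continue
        if line.endswith(":"):
            section = line[:-1]
            continue
        m = _LINE.match(line)
        if m:   # "(No malicious items detected)" and header text do not match and are skipped
            # The last " -> " segment is the outcome; earlier ones carry PID, value name or Bad/Good data.
            action = m.group("rest").rsplit(" -> ", 1)[-1].rstrip(".")
            findings.append(Finding(section, m.group("item"), m.group("family"), action))
    return findings


def recurring(earlier: List[Finding], later: List[Finding]) -> List[Finding]:
    """Findings in `later` that `earlier` had already reported as removed.

    Something 'deleted successfully' that is back in the next scan is being
    recreated: a still-active infector, an infected copy on another drive, or
    an autostart that re-drops it. These decide whether the machine is clean,
    not the count of items each scan removed.
    """
    seen = {f.key for f in earlier}
    return [f for f in later if f.key in seen]


def pending_reboot(findings: List[Finding]) -> List[Finding]:
    """Items MBAM could not remove because they were in use; still present until the reboot."""
    return [f for f in findings if f.action.lower() == "delete on reboot"]


def families(findings: List[Finding]) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.family] = counts.get(f.family, 0) + 1
    return counts


if __name__ == "__main__":
    first, second = parse_mbam_log(SCAN_0827), parse_mbam_log(SCAN_0903)
    print("second scan by family:", families(second))
    for f in recurring(first, second):
        print("CAME BACK   ", f.family.ljust(28), f.item)
    for f in pending_reboot(second):
        print("NOT YET GONE", f.family.ljust(28), f.item)
```

On these two excerpts the Sality service keys, the Security Center notification setting and the root-level executables on C:, E:, F: and G: all come back, while only the temp-folder password stealer changes its name between scans; that pattern is what tells you the cleanup so far has been removing symptoms rather than the source.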

0

Spigot, what is this program?

I'm sorry, but I really have no idea what this program is. I don't remember installing anything like this, or using it. Even the name sounds fishy...

0

I'm sorry, but I really have no idea what this program is. I don't remember installing anything like this, or using it. Even the name sounds fishy...

Here are just two of the many listings for it:
c:\program files\common files\Spigot\
"c:\program files\common files\spigot\search settings\SearchSettings.exe"

OK, I did some more searching and here is what it is:
It runs automatically at startup. It is foistware, installed with something else. That Dealio toolbar, for one thing.

One likely source would be something you downloaded using Limewire. So anything you got via that program or any other P2P program you have used would be highly suspicious.

Edited by jholland1964: n/a

0

Your original question concerned installing an AV program after a reformat. You now do realize that a reformat in this case, if you decide to go that route, could possibly include all of your drives, since there is infection on all drives.

Edited by jholland1964: n/a

0

I knew using a P2P program was dangerous... but I was hearing a lot about file sharing, and wanted to see what all that was about. Heard that LimeWire was a popular tool for doing this sort of stuff... so I thought I'd give it a try (if I don't like it... would just uninstall it... problem solved!!)... BAADD DECISION! :(

0

You now do realize that a reformat in this case, if you decide to go that route, could possibly include all of your drives, since there is infection on all drives.

Yes... I do... but after coming this far, I wouldn't like to do that...

0

And the very reason that I thought about the antivirus WAS because I was hoping for a solution that didn't involve completely reformatting my machine. Maybe the problems would go away if I did a full scan with a paid antivirus (that's what I thought). But if they still didn't, then I would have resorted to reformatting my drive completely. But that was my last option.

Edited by somjit{}: n/a

0

I knew using a P2P program was dangerous... but I was hearing a lot about file sharing, and wanted to see what all that was about. Heard that LimeWire was a popular tool for doing this sort of stuff... so I thought I'd give it a try (if I don't like it... would just uninstall it... problem solved!!)... BAADD DECISION! :(

How right you are! #1: LimeWire is "no longer". It was ordered to stop distributing its software on October 26, 2010 by US courts. Of course that is here in the US; I don't know if that applies worldwide. BUT that should be enough to tell you that if a US court orders its removal, then don't use it. LimeWire is certainly NOT the only P2P program under a "cease and desist" order in the US to stop all business; there have been many.

The court order had nothing to do with the infections spread by P2P; it was because it is a violation of US copyright law to TAKE copyrighted material. A copyright means the material must be PAID for in order to use it.
However, when using P2P you absolutely, positively have no way of knowing who or where that file came from, and much of the time it is from a malware writer. Just common sense should make a person ask, WHY? Why is this unknown person willing to give away something that normally has to be paid for? Occasionally, and I stress OCCASIONALLY, the person may be "just a nice guy"; very rare! Most times it is so the malware writer can get something back... all the information on the downloader's computer... banking info, credit card numbers, telephone numbers, email addresses... the list goes on and on. How do they do this? By planting infected files in that "free to take" song or video. The infection takes over the computer and sends everything back to the malware writer, OR actually gives that writer full control over the computer so he can then use it to infect other computers.
P2P is VERY Dangerous.

Edited by jholland1964: n/a

0

Your original question concerned installing an av program after a reformat

Please don't leave me because my original post was about something else than what's happening now... I hope that you guys know that I'm hopeless without these instructions you're giving me :( So please don't leave!!

0

Please don't leave me because my original post was about something else than what's happening now... I hope that you guys know that I'm hopeless without these instructions you're giving me :( So please don't leave!!

Never said we were leaving; I was just giving you this caution that this "could" be your only option and would likely involve all drives.

One thing you can and should do is go into all the drives and totally delete anything you have downloaded using any P2P program; you have no way of knowing which of these may be infected, so you should get rid of all of them. The same goes for anything on a flash drive from one of these programs, and possibly something like an iPod. While an iPod usually can't get infected, it can carry that infected file with the music. If you plug it into another computer, it could then infect that computer. The same goes for a CD/DVD you may have burned with these files on it. They can't be infected, but can carry the infected file with the music or movie. I have seen this happen. I cleaned two computers last year infected by transferring music from a CD to another computer that contained infected files in the music files. The CD played fine, but because the person copied them directly onto their hard drives, they copied the infected files also.
