# [SOLVED] AV8 Malware infection



## patmark

Hi everyone, here's the situation. My dad (bless his soul, he's 74) clicked on a Facebook link in his e-mail. This program installed itself on his computer at that point and took over. It opens itself spouting a bunch of garbage about the computer being infected and needing you to purchase the program so that it can rid you of all these viruses. This program will not let you close it, uninstall it, delete it, etc. etc. It is completely hidden and embedded in the system someplace. I have run DDS and the unhooker program as per instructions and have attached the results to this post. I will monitor this thread to find out your suggestions as to how to rid the computer of this nasty little bugger.

Thank you
Patmark


DDS (Ver_10-03-17.01) - NTFSx86 
Run by Dan at 8:56:40.29 on Sat 09/25/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.479 [GMT -4:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: avast! Antivirus *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\system32\Brmfrmps.exe
C:\Program Files\Citrix\GoToMyPC\g2svc.exe
C:\Program Files\Citrix\GoToMyPC\g2comm.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Citrix\GoToMyPC\g2pre.exe
C:\Program Files\Citrix\GoToMyPC\g2tray.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\PROGRA~1\MYWEBS~2\bar\3.bin\mwsoemon.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Alwil Software\Avast5\avastUI.exe
C:\Program Files\MyShoppingGenie\mnumsg.exe
C:\Program Files\AV8\av8.exe
C:\Program Files\McAfee Security Scan\1.0.150\SSScheduler.exe
C:\WINDOWS\system32\msiexec.exe
C:\Documents and Settings\Dan.SKYKING\Desktop\dds.scr

============== Pseudo HJT Report ===============

BHO: MyWebSearch Search Assistant BHO: {00a6faf1-072e-44cf-8957-5838f569a31d} - c:\program files\mywebsearch\bar\3.bin\MWSSRCAS.DLL
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: mwsBar BHO: {07b18ea1-a523-4961-b6bb-170de4475cca} - c:\program files\mywebsearch\bar\3.bin\MWSBAR.DLL
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\documents and settings\all users.windows\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
BHO: WormRadar.com IESiteBlocker.NavFilter: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - AVG Safe Search
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: BrowserHelper Class: {8a9d74f9-560b-4fe7-abeb-3b2e638e5cd6} - c:\program files\sgpsa\SearchAssistant.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.5612.1312\swg.dll
BHO: Windows Live Toolbar Helper: {bdbd1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
BHO: 1 (0x1) - No File
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_B7C5AC242193BB3E.dll
BHO: OToolbarHelper Class: {ead3a971-6a23-4246-8691-c9244e858967} - c:\program files\paypal\paypal plug-in\PayPalHelper.dll
BHO: Search Assistant: {f0626a63-410b-45e2-99a1-3f2475b2d695} - c:\program files\sgpsa\BHO.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn\YTSingleInstance.dll
uRun: [Google Update] "c:\documents and settings\dan.skyking\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [mnumsg.exe] c:\program files\myshoppinggenie\mnumsg.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [MyWebSearch Email Plugin] c:\progra~1\mywebs~2\bar\3.bin\mwsoemon.exe
uRun: [AV8] c:\program files\av8\av8.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [MyWebSearch Email Plugin] c:\progra~1\mywebs~2\bar\3.bin\mwsoemon.exe
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [avast5] "c:\program files\alwil software\avast5\avastUI.exe" /nogui
dRunOnce: [RealUpgradeHelper] "c:\program files\common files\real\update_ob\upgrdhlp.exe" "RealNetworks|RealPlayer|12.0"
StartupFolder: c:\docume~1\alluse~1.win\startm~1\programs\startup\mcafee~1.lnk - c:\program files\mcafee security scan\1.0.150\SSScheduler.exe
IE: &Search - http://edits.mywebsearch.com/toolba...YUS&si=&a=uAILxWBNn3vZhKu5G14lIA&n=2010022313
IE: &Windows Live Search - c:\program files\windows live toolbar\msntb.dll/search.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/6/7/5/675d28f5-2a8e-4bac-bd9b-ee147f352714/OGAControl.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
DPF: {1754A1BA-A1DF-4F10-B199-AA55AA1A120F} - hxxps://signup.msn.com/pages/MsnInstC.cab
DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - hxxp://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei-4/MyFunCardsInitialSetup1.0.1.1.cab
DPF: {321FB770-1FBE-4BFE-BDC1-6F622D4FA499} - hxxps://setup.bellsouth.net/wizlet/PWReset/static/controls/WebflowActiveXInstaller_6-1-2.cab
DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} - hxxp://www.linkedin.com/cab/LinkedInContactFinderControl.cab
DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} - hxxp://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-3-48.cab
DPF: {50647AB5-18FD-4142-82B0-5852478DD0D5} - hxxp://webeffective.keynote.com/applications/pconnector/download/ConnectorLauncher.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1218648427062
DPF: {6D2EF4B4-CB62-4C0B-85F3-B79C236D702C} - hxxp://www.facebook.com/controls/contactx.dll
DPF: {86425144-8E97-41D5-8BCF-302812D44692} - hxxp://ravenas.razorstream.com/eve-service/objects/RSControl40.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0015-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CE089F60-349F-413F-9657-B6BC8BE0CECD} - hxxp://hellophone.helloworld.com/install/helloPhone.cab
DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} - hxxp://wwwimages.adobe.com/www.adobe.com/products/acrobat/nos/gp.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://globaltec.webex.com/client/T25L/support/ieatgpc.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {FF1CD9A3-00CD-45C1-8182-4EEC229A182D} - hxxps://www.plaxo.com/activex/plx_upldr-2k-xp.cab
Hosts: 10.254.254.253	Xdrive

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\dan~1.sky\applic~1\mozilla\firefox\profiles\a9ksr6p3.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - My Web Search
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://search.mywebsearch.com/mywebsearch/GGmain.jhtml?id=ZUxdm596YYUS&ptb=uAILxWBNn3vZhKu5G14lIA&psa=&ind=2010022313&ptnrS=ZUxdm596YYUS&si=&st=kwd&n=77ce81a9&searchfor=
FF - HiddenExtension: Google Toolbar for Firefox: {3112ca9c-de6d-4884-a869-9855de68056c} - c:\documents and settings\all users.windows\application data\google\toolbar for firefox\{3112ca9c-de6d-4884-a869-9855de68056c}
FF - HiddenExtension: PayPal Plug-In for Firefox: [email protected] - c:\program files\paypal\PayPal Plug-In
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: My Web Search: [email protected] - c:\program files\mywebsearch\bar\3.bin
FF - HiddenExtension: RealPlayer Browser Record Plugin: {ABDE892B-13A8-4d1b-88E6-365A6E755758} - c:\documents and settings\all users.windows\application data\real\realplayer\browserrecordplugin\firefox\Ext

---- FIREFOX POLICIES ----

============= SERVICES / DRIVERS ===============


=============== Created Last 30 ================


==================== Find3M ====================

2008-08-13 22:05:49	32768	--sha-w-	c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008081320080814\index.dat
2010-06-03 11:09:04	16384	--sha-w-	c:\windows\temp\cookies\index.dat
2010-06-03 11:09:04	16384	--sha-w-	c:\windows\temp\history\history.ie5\index.dat
2010-06-03 11:09:04	49152	--sha-w-	c:\windows\temp\temporary internet files\content.ie5\index.dat

============= FINISH: 8:58:44.34 ===============


----------



## Ried

*Re: AV8 Malware infection*

Hi Patmark. 

Lots of junk on this one. MyWebSearch, myshoppinggenie, but the biggest concern is the fake AV and the hijacked drivers.

It will require more than 1 round to clean the system. Please stay with me until given the 'all clear' even if symptoms seem to abate.

Download ComboFix from one of these locations:

*Link 1*
*Link 2*


*IMPORTANT - Save ComboFix.exe to your Desktop*

====================================================


*Disable your AntiVirus and AntiSpyware applications* as they will interfere with our tools and the removal. If you are unsure how to do this, please refer to our sticky topic *How to disable your security applications*


====================================================


Double click on combofix.exe & follow the prompts. 



As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.


Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note:** If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the *C:\ComboFix.txt* in your next reply for further review.
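As an added example (not a tool the helpers in this thread used), here is a small Python parser for the autostart section of a DDS log, the part a helper reads to spot junk like the entries above. The sample lines are a subset copied from the posted log, and the watchlist of path fragments is an assumption built only from the items named in this thread.

```python
"""Triage helper for the autostart section ('Pseudo HJT Report') of a DDS log.

Added example for this thread, not a tool the helpers used.  It parses the
BHO / Run / StartupFolder lines into records and flags the ones that point at
the junk named in the replies (AV8, MyWebSearch, MyShoppingGenie, the SGPSA
search assistant) or that register a BHO whose file is gone ('No File').
"""
import re
from dataclasses import dataclass
from typing import Optional

# A constructed subset of the DDS log posted above.
SAMPLE_DDS = r"""
============== Pseudo HJT Report ===============

BHO: MyWebSearch Search Assistant BHO: {00a6faf1-072e-44cf-8957-5838f569a31d} - c:\program files\mywebsearch\bar\3.bin\MWSSRCAS.DLL
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: BrowserHelper Class: {8a9d74f9-560b-4fe7-abeb-3b2e638e5cd6} - c:\program files\sgpsa\SearchAssistant.dll
uRun: [mnumsg.exe] c:\program files\myshoppinggenie\mnumsg.exe
uRun: [AV8] c:\program files\av8\av8.exe
mRun: [avast5] "c:\program files\alwil software\avast5\avastUI.exe" /nogui
StartupFolder: c:\docume~1\alluse~1.win\startm~1\programs\startup\mcafee~1.lnk - c:\program files\mcafee security scan\1.0.150\SSScheduler.exe

================= FIREFOX ===================
FF - prefs.js: browser.search.selectedEngine - My Web Search
"""

# Assumed watchlist: lower-case path fragments of the items named as junk in
# this thread and in the ComboFix deletions that followed.
WATCHLIST = ("\\av8\\", "mywebsearch", "mywebs~2", "myshoppinggenie",
             "\\sgpsa\\", "fast browser search", "funwebproducts")

SECTION = "Pseudo HJT Report"
ENTRY_RE = re.compile(r"^(?P<kind>[A-Za-z]+): (?P<rest>.*)$")
RUN_RE = re.compile(r"^\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")


@dataclass
class AutostartEntry:
    kind: str              # BHO, uRun, mRun, dRunOnce, StartupFolder, ...
    name: str              # BHO display name, Run value name, or .lnk path
    clsid: Optional[str]   # BHO CLSID (lower-case) when present
    path: Optional[str]    # target file; None when DDS reports 'No File'


def _exe_from_command(cmd: str) -> str:
    # Strip quotes and switches from a Run value, e.g. "c:\x.exe" /c -> c:\x.exe
    cmd = cmd.strip()
    if cmd.startswith('"') and cmd.count('"') >= 2:
        return cmd[1:cmd.index('"', 1)]
    return re.split(r"\s+/", cmd, maxsplit=1)[0]


def _parse_rest(kind: str, rest: str) -> AutostartEntry:
    if "Run" in kind:                      # uRun / mRun / dRunOnce: [name] command
        m = RUN_RE.match(rest)
        if m:
            return AutostartEntry(kind, m.group("name"), None,
                                  _exe_from_command(m.group("cmd")))
        return AutostartEntry(kind, rest, None, None)
    # 'Name: {CLSID} - path', '{CLSID} - No File' or 'x.lnk - target'
    head, sep, tail = rest.rpartition(" - ")
    if not sep:
        head, tail = rest, ""
    tail = tail.strip()
    path = None if tail in ("", "No File") else tail
    m = CLSID_RE.search(head)
    clsid = m.group(0).lower() if m else None
    name = head[: m.start()].rstrip(": ") if m else head.strip()
    return AutostartEntry(kind, name or "(unnamed)", clsid, path)


def parse_dds_autostarts(text: str) -> list[AutostartEntry]:
    """Return the entries listed under the DDS 'Pseudo HJT Report' banner."""
    entries: list[AutostartEntry] = []
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("="):           # section banner, e.g. '===== FIREFOX ====='
            in_section = SECTION in line
            continue
        m = ENTRY_RE.match(line) if in_section else None
        if m:
            entries.append(_parse_rest(m.group("kind"), m.group("rest")))
    return entries


def triage(entries: list[AutostartEntry]) -> list[tuple[AutostartEntry, str]]:
    """Pair each suspicious entry with the reason it was flagged."""
    findings = []
    for e in entries:
        if e.kind == "BHO" and e.path is None:
            findings.append((e, "BHO registered but its file is missing (No File)"))
            continue
        hit = next((w for w in WATCHLIST if e.path and w in e.path.lower()), None)
        if hit:
            findings.append((e, f"path matches watchlisted item {hit!r}"))
    return findings


if __name__ == "__main__":
    for entry, reason in triage(parse_dds_autostarts(SAMPLE_DDS)):
        print(f"{entry.kind:13} {entry.name!r:40} -> {reason}")
```

Run against the sample, it flags the MyWebSearch and SGPSA BHOs, the orphaned BHO, the MyShoppingGenie and AV8 Run entries, and leaves Adobe, avast and the McAfee startup shortcut alone.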


----------



## patmark

*Re: AV8 Malware infection*

Ok Ried, thank you kindly. I have downloaded ComboFix and will now transfer it to the infected PC and run it. Once it's done I will post back the report. Don't worry, I'm not doing anything until I get the all clear from you, as I am a total dummy when it comes to this stuff. LOL


----------



## Ried

*Re: AV8 Malware infection*

You're welcome. :smile:

We need to ensure the Recovery Console gets installed. Does the infected computer have internet access? If not, go to Microsoft's website => http://support.microsoft.com/kb/310994

Scroll down to *Step 1*, and select the download that's appropriate for your Operating System. Download the file & save it as it's originally named.

*Note: If you have SP3, use the SP2 package.*


---------------------------------------------------------------------

Transfer the file you just downloaded, to the desktop of the infected computer next to ComboFix.exe

--------------------------------------------------------------------


*Disable your AntiVirus and AntiSpyware applications*, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.

Drag the setup package onto ComboFix.exe and drop it.

Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console.

At the next prompt, click 'Yes' to run the full ComboFix scan.

Post the ComboFix.txt when it has completed.


----------



## patmark

*Re: AV8 Malware infection*

I'm having a little trouble running it, as it keeps saying that it is detecting AVG running. Now I know it's not running because I uninstalled it when I switched him over to Avast. However, a search shows AVG all over the place on his hard drive. I deleted the executables and several other files that I found relating to AVG; however, it is still saying that it is running. I am performing the scan anyhow at this point and it is scanning. The first message that pops up says that the time for the scan could double as the computer is so badly infected. I will take this as a good sign that the scan is doing as it's supposed to. I will inform you as soon as the scan is complete, and will continue to check this thread to see if there is anything else that I should be doing. One other thing: ComboFix detected a rootkit (whatever that is LOL) and is rebooting the computer. Keep your fingers crossed that ZoneAlarm, Avast and the virus don't all reactivate on reboot.


----------



## Ried

*Re: AV8 Malware infection*

We can use the AVG uninstaller later on. There's no point in trying to do that first because while this infection is active, it's not going to allow it to run. Sort of a 'catch-22'. You did fine instructing ComboFix to run anyway.

And yes, there is a rootkit onboard so the message you told me about was expected. :sayyes:


----------



## patmark

*Re: AV8 Malware infection*

HMMMM, the computer has now gone to the save settings screen of the shut down process and is just sitting there. It's been there now for about 3-5 minutes with no activity. Is it just doing its thing? And maybe I've had a bit too much coffee? Or do we have a problem here? LOL


----------



## Ried

*Re: AV8 Malware infection*

Give it about 5 more minutes, there's a lot going on behind the scenes during this shutdown process. If it's still hung at the shutdown, you'll have no choice but to do a hard shutdown. Start it back up into Safe Mode and ComboFix should continue.


----------



## patmark

*Re: AV8 Malware infection*

Will do, it's at about 10 minutes now and it's showing no activity, so I'm going to give that a try.


----------



## patmark

*Re: AV8 Malware infection*

Ok, started in Safe Mode and it continued its scan. A message popped up now that says *Unknown software exception OK to terminate the program or cancel to debug*. I'm not doing anything until you tell me which one. LOL However, it's still scanning.


----------



## Ried

*Re: AV8 Malware infection*

Before I answer that, does Combofix appear to still be running even though that message is there?


----------



## patmark

*Re: AV8 Malware infection*

Yup still running away. The app error is for a program called PEV.exe.


----------



## Ried

*Re: AV8 Malware infection*

Go ahead and click OK to terminate PEV.exe.


----------



## patmark

*Re: AV8 Malware infection*

Actually it went away on its own, and CF now says that it's going to reboot the machine: "Do not manually reboot it yourself." So it appears that for the moment all is well. Cool beans.


----------



## Ried

*Re: AV8 Malware infection*

Okay, I thought it might go away on its own. As it's rebooting the machine, force the reboot back into Safe Mode.


----------



## patmark

*Re: AV8 Malware infection*

Aww darn, too late. Didn't see the post in time. However, it says it's preparing the report, don't use any programs until it's done, so I think we are good so far.


----------



## Ried

*Re: AV8 Malware infection*

Good. :smile:


----------



## patmark

*Re: AV8 Malware infection*

Ok my friend, here's the log file that CF generated. So far AV8 has not reared its ugly head in normal mode. However, don't worry, I'm not touching that machine until I get the all clear from you lol.
Take your time and I will be here to see your next post.

Thanks
Patmark

ComboFix 10-09-24.05 - Dan 09/25/2010 12:03:12.2.1 - x86 MINIMAL
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.811 [GMT -4:00]
Running from: c:\documents and settings\Dan.SKYKING\Desktop\ComboFix.exe
AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: ZoneAlarm Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Dan.SKYKING\GoToAssistDownloadHelper.exe
c:\documents and settings\Dan.SKYKING\Local Settings\Application Data\010155555710297.xxe
c:\documents and settings\Dan.SKYKING\Local Settings\Application Data\0501029748101102.xxe
c:\documents and settings\Dan.SKYKING\Local Settings\Application Data\0985454995657.xxe
c:\documents and settings\Dan.SKYKING\Local Settings\Application Data\rdr_1285202829.exe
c:\progra~1\MYWEBS~2\bar\3.bin\mwsoemon.exe
c:\program files\AV8
c:\program files\AV8\av8.exe
c:\program files\Fast Browser Search
c:\program files\Fast Browser Search\IE\1.bat
c:\program files\Fast Browser Search\IE\about.html
c:\program files\Fast Browser Search\IE\affid.dat
c:\program files\Fast Browser Search\IE\basis.xml
c:\program files\Fast Browser Search\IE\basis_br.xml
c:\program files\Fast Browser Search\IE\basis_de.xml
c:\program files\Fast Browser Search\IE\basis_en.xml
c:\program files\Fast Browser Search\IE\basis_es.xml
c:\program files\Fast Browser Search\IE\basis_fr.xml
c:\program files\Fast Browser Search\IE\basis_it.xml
c:\program files\Fast Browser Search\IE\basis_nr.xml
c:\program files\Fast Browser Search\IE\basis_pt.xml
c:\program files\Fast Browser Search\IE\basis_ru.xml
c:\program files\Fast Browser Search\IE\basis_tr.xml
c:\program files\Fast Browser Search\IE\BHO.dll
c:\program files\Fast Browser Search\IE\ClearRecycleBin.exe
c:\program files\Fast Browser Search\IE\error.html
c:\program files\Fast Browser Search\IE\FBSPlugin.dll
c:\program files\Fast Browser Search\IE\fbsProtection.xml
c:\program files\Fast Browser Search\IE\FbsSearchProvider.xml
c:\program files\Fast Browser Search\IE\FbsSearchProviderIE8.exe
c:\program files\Fast Browser Search\IE\fbstoolbar.jar
c:\program files\Fast Browser Search\IE\fbstoolbar.manifest
c:\program files\Fast Browser Search\IE\icons.bmp
c:\program files\Fast Browser Search\IE\info.txt
c:\program files\Fast Browser Search\IE\local.xml
c:\program files\Fast Browser Search\IE\logobg.bmp
c:\program files\Fast Browser Search\IE\MTWBtoolbar.html
c:\program files\Fast Browser Search\IE\search.bmp
c:\program files\Fast Browser Search\IE\search_br.bmp
c:\program files\Fast Browser Search\IE\search_de.bmp
c:\program files\Fast Browser Search\IE\search_es.bmp
c:\program files\Fast Browser Search\IE\search_fr.bmp
c:\program files\Fast Browser Search\IE\search_it.bmp
c:\program files\Fast Browser Search\IE\search_pt.bmp
c:\program files\Fast Browser Search\IE\search_ru.bmp
c:\program files\Fast Browser Search\IE\SearchAssistant.dll
c:\program files\Fast Browser Search\IE\SearchGuardPlus.exe
c:\program files\Fast Browser Search\IE\SearchGuardPlus.ico
c:\program files\Fast Browser Search\IE\SGPU.ico
c:\program files\Fast Browser Search\IE\sgpUpdater.exe
c:\program files\Fast Browser Search\IE\sgpUpdater.xml
c:\program files\Fast Browser Search\IE\SGPUpdaterS.exe
c:\program files\Fast Browser Search\IE\tbhelper.dll
c:\program files\Fast Browser Search\IE\tbs_include_script_003175.js
c:\program files\Fast Browser Search\IE\tbs_include_script_005064.js
c:\program files\Fast Browser Search\IE\tbs_include_script_012817.js
c:\program files\Fast Browser Search\IE\Toolbar Help.htm
c:\program files\Fast Browser Search\IE\ToolBarBHO.dll
c:\program files\Fast Browser Search\IE\uninstall.exe
c:\program files\Fast Browser Search\IE\uninstalSGP.exe
c:\program files\Fast Browser Search\IE\uninstalSGPU.exe
c:\program files\Fast Browser Search\IE\update.exe
c:\program files\Fast Browser Search\IE\version.txt
c:\program files\FunWebProducts
c:\program files\FunWebProducts\ScreenSaver\Images\005F6DBF.urr
c:\program files\FunWebProducts\Shared\Cache\CursorManiaBtn.html
c:\program files\FunWebProducts\Shared\Cache\SmileyCentralBtn.html
c:\program files\FunWebProducts\Shared\Cache\WebfettiBtn.html
c:\program files\MyWebSearch
c:\program files\MyWebSearch\bar\1.bin\chrome\M3FFXTBR.JAR
c:\program files\MyWebSearch\bar\2.bin\chrome\M3FFXTBR.JAR
c:\program files\MyWebSearch\bar\3.bin\CHROME.MANIFEST
c:\program files\MyWebSearch\bar\3.bin\chrome\M3FFXTBR.JAR
c:\program files\MyWebSearch\bar\3.bin\F3BKGERR.JPG
c:\program files\MyWebSearch\bar\3.bin\F3CJPEG.DLL
c:\program files\MyWebSearch\bar\3.bin\F3DTactl.dll
c:\program files\MyWebSearch\bar\3.bin\F3HISTSW.DLL
c:\program files\MyWebSearch\bar\3.bin\F3HKSTUB.DLL
c:\program files\MyWebSearch\bar\3.bin\F3HTmlmu.dll
c:\program files\MyWebSearch\bar\3.bin\F3HTTPCT.DLL
c:\program files\MyWebSearch\bar\3.bin\F3IMSTUB.DLL
c:\program files\MyWebSearch\bar\3.bin\F3POPSWT.DLL
c:\program files\MyWebSearch\bar\3.bin\F3PSSAVR.SCR
c:\program files\MyWebSearch\bar\3.bin\F3REGHK.DLL
c:\program files\MyWebSearch\bar\3.bin\F3REPROX.DLL
c:\program files\MyWebSearch\bar\3.bin\F3RESTUB.DLL
c:\program files\MyWebSearch\bar\3.bin\F3SCHMON.EXE
c:\program files\MyWebSearch\bar\3.bin\F3SCRCTR.DLL
c:\program files\MyWebSearch\bar\3.bin\F3SPACER.WMV
c:\program files\MyWebSearch\bar\3.bin\F3WALLPP.DAT
c:\program files\MyWebSearch\bar\3.bin\F3WPHOOK.DLL
c:\program files\MyWebSearch\bar\3.bin\FWPBUDDY.PNG
c:\program files\MyWebSearch\bar\3.bin\INSTALL.RDF
c:\program files\MyWebSearch\bar\3.bin\M3AUXSTB.DLL
c:\program files\MyWebSearch\bar\3.bin\M3DLGHK.DLL
c:\program files\MyWebSearch\bar\3.bin\M3HIGHIN.EXE
c:\program files\MyWebSearch\bar\3.bin\M3HTml.dll
c:\program files\MyWebSearch\bar\3.bin\M3IDLE.DLL
c:\program files\MyWebSearch\bar\3.bin\M3IMPIPE.EXE
c:\program files\MyWebSearch\bar\3.bin\M3MEDINT.EXE
c:\program files\MyWebSearch\bar\3.bin\M3MSg.dll
c:\program files\MyWebSearch\bar\3.bin\M3OUTLCN.DLL
c:\program files\MyWebSearch\bar\3.bin\M3PLUGIN.DLL
c:\program files\MyWebSearch\bar\3.bin\M3SKIN.DLL
c:\program files\MyWebSearch\bar\3.bin\M3SKPLAY.EXE
c:\program files\MyWebSearch\bar\3.bin\M3SLSRCH.EXE
c:\program files\MyWebSearch\bar\3.bin\M3SRCHMN.EXE
c:\program files\MyWebSearch\bar\3.bin\MWSBAR.DLL
c:\program files\MyWebSearch\bar\3.bin\MWSMLBTN.DLL
c:\program files\MyWebSearch\bar\3.bin\MWSOEMON.EXE
c:\program files\MyWebSearch\bar\3.bin\MWSOEPLG.DLL
c:\program files\MyWebSearch\bar\3.bin\MWSOESTB.DLL
c:\program files\MyWebSearch\bar\3.bin\MWSSRCAS.DLL
c:\program files\MyWebSearch\bar\3.bin\MWSSVC.EXE
c:\program files\MyWebSearch\bar\3.bin\MWSUABTN.DLL
c:\program files\MyWebSearch\bar\3.bin\NPMYWEBS.DLL
c:\program files\MyWebSearch\bar\Avatar\COMMON.F3S
c:\program files\MyWebSearch\bar\Cache\00077AEA
c:\program files\MyWebSearch\bar\Cache\0857A8D2
c:\program files\MyWebSearch\bar\Cache\0858629C
c:\program files\MyWebSearch\bar\Cache\08597024
c:\program files\MyWebSearch\bar\Cache\085A4130
c:\program files\MyWebSearch\bar\Cache\1106BD47.bin
c:\program files\MyWebSearch\bar\Cache\1106BECE.bin
c:\program files\MyWebSearch\bar\Cache\1E9C9B43
c:\program files\MyWebSearch\bar\Cache\1E9CAB8F.bin
c:\program files\MyWebSearch\bar\Cache\1E9CB35F.bin
c:\program files\MyWebSearch\bar\Cache\1E9CB592.bin
c:\program files\MyWebSearch\bar\Cache\1E9CB91C.bin
c:\program files\MyWebSearch\bar\Cache\1FEE6BAC.bin
c:\program files\MyWebSearch\bar\Cache\1FEE6D80.bin
c:\program files\MyWebSearch\bar\Cache\1FEE6E9A.bin
c:\program files\MyWebSearch\bar\Cache\1FEE7197.bin
c:\program files\MyWebSearch\bar\Cache\files.ini
c:\program files\MyWebSearch\bar\Game\CHECKERS.F3S
c:\program files\MyWebSearch\bar\Game\CHESS.F3S
c:\program files\MyWebSearch\bar\Game\REVERSI.F3S
c:\program files\MyWebSearch\bar\History\search3
c:\program files\MyWebSearch\bar\icons\CM.ICO
c:\program files\MyWebSearch\bar\icons\MFC.ICO
c:\program files\MyWebSearch\bar\icons\PSS.ICO
c:\program files\MyWebSearch\bar\icons\SMILEY.ICO
c:\program files\MyWebSearch\bar\icons\WB.ICO
c:\program files\MyWebSearch\bar\icons\ZWINKY.ICO
c:\program files\MyWebSearch\bar\Message\COMMON.F3S
c:\program files\MyWebSearch\bar\Notifier\COMMON.F3S
c:\program files\MyWebSearch\bar\Notifier\DOG.F3S
c:\program files\MyWebSearch\bar\Notifier\FISH.F3S
c:\program files\MyWebSearch\bar\Notifier\KUNGFU.F3S
c:\program files\MyWebSearch\bar\Notifier\LIFEGARD.F3S
c:\program files\MyWebSearch\bar\Notifier\MAID.F3S
c:\program files\MyWebSearch\bar\Notifier\MAILBOX.F3S
c:\program files\MyWebSearch\bar\Notifier\OPERA.F3S
c:\program files\MyWebSearch\bar\Notifier\ROBOT.F3S
c:\program files\MyWebSearch\bar\Notifier\SEDUCT.F3S
c:\program files\MyWebSearch\bar\Notifier\SURFER.F3S
c:\program files\MyWebSearch\bar\Overlay\COMMON.F3S
c:\program files\MyWebSearch\bar\Settings\prevcfg2.htm
c:\program files\MyWebSearch\bar\Settings\s_pid.dat
c:\program files\MyWebSearch\bar\Settings\setting2.htm
c:\program files\MyWebSearch\bar\Settings\settings.dat
c:\program files\SGPSA
c:\program files\SGPSA\BHO.dll
c:\program files\SGPSA\SearchAssistant.dll
c:\windows\bk23567.dat
c:\windows\Downloaded Program Files\f3initialsetup1.0.1.1.inf
c:\windows\fdgg34353edfgdfdf
c:\windows\system32\drivers\sed.sys
c:\windows\system32\f3PSSavr.scr
c:\windows\system32\gotomon.log
H:\autorun.inf

Infected copy of c:\windows\system32\drivers\disk.sys was found and disinfected 
Restored copy from - Kitty had a snack  
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_SED
-------\Legacy_SSED
-------\Legacy_USNJSVC
-------\Service_sed
-------\Service_usnjsvc


((((((((((((((((((((((((( Files Created from 2010-08-25 to 2010-09-25 )))))))))))))))))))))))))))))))
.

2010-09-23 20:53 . 2010-09-23 21:57	--------	d-----w-	c:\documents and settings\All Users.WINDOWS\Application Data\STOPzilla!
2010-09-23 14:13 . 2010-09-23 14:13	--------	d-----w-	c:\documents and settings\LocalService.NT AUTHORITY.000\Application Data\Yahoo!
2010-09-23 14:13 . 2010-09-23 14:13	--------	d-sh--w-	c:\documents and settings\LocalService.NT AUTHORITY.000\PrivacIE
2010-09-23 00:51 . 2010-09-23 00:51	--------	d-sh--w-	c:\documents and settings\NetworkService.NT AUTHORITY.000\IETldCache
2010-09-12 00:59 . 2010-09-12 00:59	--------	d-----w-	c:\program files\Common Files\Apple
2010-09-12 00:58 . 2010-09-12 00:58	--------	d-----w-	c:\program files\Apple Software Update
2010-09-12 00:58 . 2010-09-12 00:58	--------	d-----w-	c:\documents and settings\All Users.WINDOWS\Application Data\Apple
2010-09-11 19:14 . 2010-09-07 14:47	17744	----a-w-	c:\windows\system32\drivers\aswFsBlk.sys
2010-09-11 19:14 . 2010-09-07 14:52	165584	----a-w-	c:\windows\system32\drivers\aswSP.sys
2010-09-11 19:14 . 2010-09-07 14:47	23376	----a-w-	c:\windows\system32\drivers\aswRdr.sys
2010-09-11 19:14 . 2010-09-07 14:52	46672	----a-w-	c:\windows\system32\drivers\aswTdi.sys
2010-09-11 19:14 . 2010-09-07 14:47	100176	----a-w-	c:\windows\system32\drivers\aswmon2.sys
2010-09-11 19:14 . 2010-09-07 14:47	94544	----a-w-	c:\windows\system32\drivers\aswmon.sys
2010-09-11 19:14 . 2010-09-07 14:46	28880	----a-w-	c:\windows\system32\drivers\aavmker4.sys
2010-09-11 19:14 . 2010-09-07 15:12	38848	----a-w-	c:\windows\avastSS.scr
2010-09-11 19:14 . 2010-09-07 15:11	167592	----a-w-	c:\windows\system32\aswBoot.exe
2010-09-11 19:13 . 2010-09-11 19:13	--------	d-----w-	c:\documents and settings\All Users.WINDOWS\Application Data\Alwil Software
2010-09-11 19:04 . 2010-06-23 17:51	69120	----a-w-	c:\windows\system32\zlcomm.dll
2010-09-11 19:04 . 2010-06-23 17:51	103936	----a-w-	c:\windows\system32\zlcommdb.dll
2010-09-11 19:04 . 2010-09-11 19:04	--------	d-----w-	c:\windows\system32\ZoneLabs
2010-09-11 19:04 . 2010-06-23 17:51	1238528	----a-w-	c:\windows\system32\zpeng25.dll
2010-09-11 16:04 . 2010-09-11 16:04	--------	d-----w-	c:\documents and settings\Dan.SKYKING\Application Data\Apple Computer
2010-09-09 20:53 . 2010-09-09 20:53	--------	d-----w-	c:\program files\VS Revo Group

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-25 16:21 . 2008-08-01 21:07	0	----a-w-	c:\windows\system32\drivers\lvuvc.hs
2010-09-25 16:21 . 2008-09-02 19:41	0	----a-w-	c:\windows\system32\drivers\logiflt.iad
2010-09-25 12:48 . 2008-08-20 20:35	--------	d-----w-	c:\documents and settings\All Users.WINDOWS\Application Data\Google Updater
2010-09-23 21:25 . 2010-09-23 21:22	1256	----a-w-	c:\windows\system32\drivers\kgpcpy.cfg
2010-09-22 23:46 . 2006-02-04 22:01	--------	d-----w-	c:\program files\Google
2010-09-19 16:16 . 2008-05-15 22:12	--------	d-----w-	c:\documents and settings\All Users.WINDOWS\Application Data\Microsoft Help
2010-09-16 01:08 . 2004-07-19 17:10	--------	d-----w-	c:\program files\QuickTime
2010-09-16 01:07 . 2006-04-14 17:05	--------	d-----w-	c:\documents and settings\All Users.WINDOWS\Application Data\Apple Computer
2010-09-11 19:13 . 2004-02-15 12:33	--------	d-----w-	c:\program files\Alwil Software
2010-09-11 19:04 . 2005-11-05 00:03	4212	---ha-w-	c:\windows\system32\zllictbl.dat
2010-09-11 18:38 . 2008-05-02 13:49	--------	d-----w-	c:\program files\Three Rings Design
2010-09-11 17:36 . 2004-02-29 18:17	--------	d-----w-	c:\program files\MUSICMATCH
2010-09-11 16:22 . 2009-12-02 17:58	--------	d-----w-	c:\documents and settings\All Users.WINDOWS\Application Data\avg8
2010-09-11 16:04 . 2005-11-04 23:59	429432	----a-w-	c:\documents and settings\Dan.SKYKING\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-09-10 17:09 . 2005-07-31 14:10	--------	d-----w-	c:\program files\Intuit
2010-09-10 16:50 . 2009-05-08 14:08	--------	d-----w-	c:\documents and settings\Dan.SKYKING\Application Data\DriverCure
2010-09-10 16:48 . 2009-05-08 14:07	--------	d-----w-	c:\documents and settings\All Users.WINDOWS\Application Data\DriverCure
2010-09-09 23:40 . 2007-01-02 22:18	--------	d-----w-	c:\program files\Research In Motion
2010-09-09 21:06 . 2005-11-12 17:42	--------	d-----w-	c:\program files\APC
2010-09-09 20:57 . 2009-05-08 13:35	--------	d---a-w-	c:\documents and settings\All Users.WINDOWS\Application Data\TEMP
2010-08-17 13:17 . 2004-08-04 12:00	58880	----a-w-	c:\windows\system32\spoolsv.exe
2010-07-22 15:49 . 2004-08-04 12:00	590848	----a-w-	c:\windows\system32\rpcrt4.dll
2010-07-22 05:57 . 2009-04-14 19:27	5120	----a-w-	c:\windows\system32\xpsp4res.dll
2010-06-30 12:31 . 2004-08-04 12:00	149504	----a-w-	c:\windows\system32\schannel.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\documents and settings\Dan.SKYKING\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-04-17 133104]
"mnumsg.exe"="c:\program files\MyShoppingGenie\mnumsg.exe" [2009-09-07 276208]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-21 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2010-06-23 1043968]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RealUpgradeHelper"="c:\program files\Common Files\Real\Update_OB\upgrdhlp.exe" [2010-03-29 136744]

c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\
McAfee Security Scan.lnk - c:\program files\McAfee Security Scan\1.0.150\SSScheduler.exe [2009-7-27 199184]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"EditLevel"= 0 (0x0)
"NoCommonGroups"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-18 12:56	11952	----a-w-	c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToMyPC]
2008-09-30 21:04	10536	----a-w-	c:\program files\Citrix\GoToMyPC\G2WinLogon.dll

[HKLM\~\startupfolder\C:^Documents and Settings^Dan.SKYKING^Start Menu^Programs^Startup^Memeo AutoBackup Launcher.lnk]
path=c:\documents and settings\Dan.SKYKING\Start Menu\Programs\Startup\Memeo AutoBackup Launcher.lnk
backup=c:\windows\pss\Memeo AutoBackup Launcher.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Dan.SKYKING^Start Menu^Programs^Startup^Memeo AutoSync Launcher.lnk]
backup=c:\windows\pss\Memeo AutoSync Launcher.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Dan.SKYKING^Start Menu^Programs^Startup^MySurvey Messenger.lnk]
path=c:\documents and settings\Dan.SKYKING\Start Menu\Programs\Startup\MySurvey Messenger.lnk
backup=c:\windows\pss\MySurvey Messenger.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-06-20 02:04	35760	----a-w-	c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CARPService]
2003-05-21 20:35	4608	----a-w-	c:\windows\system32\carpserv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Consumer Input]
2007-09-20 14:47	390488	----a-w-	c:\program files\Consumer Input\ConsumerInput.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Consumer Input Update]
2007-09-20 14:48	152920	----a-w-	c:\program files\Consumer Input\ConsumerInputUa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ControlCenter2.0]
2004-07-20 14:34	851968	----a-w-	c:\program files\Brother\ControlCenter2\brctrcen.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IndexSearch]
2004-04-14 20:04	40960	----a-w-	c:\program files\ScanSoft\PaperPort\IndexSearch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelliPoint]
2006-07-07 23:15	600896	----a-w-	c:\program files\Microsoft IntelliPoint\ipoint.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISW.exe]
2007-05-03 18:12	2061816	----a-w-	c:\program files\AT&T\Internet Security Wizard\ISW.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\itype]
2006-07-07 23:14	576320	----a-w-	c:\program files\Microsoft IntelliType Pro\itype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LDM]
2008-08-01 21:04	67128	----a-w-	c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechCommunicationsManager]
2008-08-14 21:11	565008	----a-w-	c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechQuickCamRibbon]
2008-08-14 21:15	2407184	----a-w-	c:\program files\Logitech\QuickCam\Quickcam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Portfolio]
2001-08-23 21:52	331830	----a-w-	c:\program files\Microsoft Works\wkssb.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Update Detection]
2001-08-17 04:41	28738	----a-w-	c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12	1695232	----a-w-	c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PaperPort PTD]
2004-04-14 19:46	57393	----a-w-	c:\program files\ScanSoft\PaperPort\pptd40nt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SetDefPrt]
2004-05-25 13:16	49152	------w-	c:\program files\Brother\Brmfl04b\BrStDvPt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSBkgdUpdate]
2003-10-14 10:22	155648	----a-r-	c:\program files\Common Files\ScanSoft Shared\SSBkgdUpdate\SSBkgdUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2007-07-21 00:12	68856	----a-w-	c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2010-03-29 00:51	202256	----a-w-	c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WorksFUD]
2001-10-06 00:34	24576	----a-w-	c:\program files\Microsoft Works\wkfud.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\eSignal\\winros.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Pre-Paid Legal Services, Inc\\PPL Legacy\\2.2.0.0\\PPL Legacy.exe"=
"c:\\Program Files\\Pre-Paid Legal Services, Inc\\PPL Legacy\\2.3.0.0\\PPL Legacy.exe"=
"c:\\Documents and Settings\\Dan.SKYKING\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=
"c:\\Documents and Settings\\Dan.SKYKING\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\Documents and Settings\\Dan.SKYKING\\temp\\TeamViewer\\Version4\\TeamViewer.exe"=
"c:\\WINDOWS\\system32\\ZoneLabs\\vsmon.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8087:TCP"= 8087:TCP:sed

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [9/11/2010 3:14 PM 165584]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [1/31/2009 4:48 PM 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [1/31/2009 4:48 PM 108552]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [9/11/2010 3:14 PM 17744]
S2 gupdate1ca389b2ddb304a;Google Update Service (gupdate1ca389b2ddb304a);c:\program files\Google\Update\GoogleUpdate.exe [9/18/2009 4:04 PM 133104]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper	REG_MULTI_SZ getPlusHelper
ssed	REG_MULTI_SZ ssed
.
Contents of the 'Scheduled Tasks' folder

2010-09-22 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2010-09-25 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 16:20]

2010-09-25 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-07-14 01:58]

2010-09-25 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-09-18 20:03]

2010-09-25 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-09-18 20:03]

2010-09-23 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1614895754-287218729-725345543-1004Core.job
- c:\documents and settings\Dan.SKYKING\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-04-17 16:42]

2010-09-25 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1614895754-287218729-725345543-1004UA.job
- c:\documents and settings\Dan.SKYKING\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-04-17 16:42]

2010-09-22 c:\windows\Tasks\ParetoLogic Registration.job
- c:\program files\Common Files\ParetoLogic\UUS2\UUS.dll [2009-01-13 14:59]

2010-09-22 c:\windows\Tasks\ParetoLogic Registration3.job
- c:\program files\Common Files\ParetoLogic\UUS3\UUS3.dll [2010-04-06 21:30]

2010-09-19 c:\windows\Tasks\ParetoLogic Update Version2.job
- c:\program files\Common Files\ParetoLogic\UUS2\Pareto_Update.exe [2009-01-13 14:59]

2010-09-25 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-1614895754-287218729-725345543-1004.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 02:09]

2010-09-25 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-1614895754-287218729-725345543-1004.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 02:09]

2010-09-25 c:\windows\Tasks\User_Feed_Synchronization-{49A550C5-54E6-4994-99A7-90C35BDCBFE4}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 08:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = hxxp://home.att.net/~solos_holiday/2008/_011/egg.htm
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {86425144-8E97-41D5-8BCF-302812D44692} - hxxp://ravenas.razorstream.com/eve-service/objects/RSControl40.cab
DPF: {CE089F60-349F-413F-9657-B6BC8BE0CECD} - hxxp://hellophone.helloworld.com/install/helloPhone.cab
FF - ProfilePath - c:\documents and settings\Dan.SKYKING\Application Data\Mozilla\Firefox\Profiles\a9ksr6p3.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - My Web Search
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://search.mywebsearch.com/mywebsearch/GGmain.jhtml?id=ZUxdm596YYUS&ptb=uAILxWBNn3vZhKu5G14lIA&psa=&ind=2010022313&ptnrS=ZUxdm596YYUS&si=&st=kwd&n=77ce81a9&searchfor=
FF - component: c:\documents and settings\All Users.WINDOWS\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext\components\nprpffbrowserrecordext.dll
FF - component: c:\program files\PayPal\PayPal Plug-In\components\PayPalPlugin.dll
FF - plugin: c:\documents and settings\Dan.SKYKING\Application Data\Mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\Dan.SKYKING\Local Settings\Application Data\Google\Update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\documents and settings\Dan.SKYKING\Local Settings\Application Data\Yahoo!\BrowserPlus\2.9.8\Plugins\npybrowserplus_2.9.8.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Google\Update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\Picasa2\npPicasa2.dll
FF - plugin: c:\program files\Picasa2\npPicasa3.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true); 
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true); 
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - ORPHANS REMOVED - - - -

Toolbar-Locked - (no file)
HKCU-Run-AV8 - c:\program files\AV8\av8.exe
MSConfigStartUp-Google Desktop Search - c:\program files\Google\Google Desktop Search\GoogleDesktop.exe
MSConfigStartUp-RIMDeviceManager - c:\program files\Common Files\Research In Motion\RIMDeviceManager\RIMDeviceManager.exe
AddRemove-Consumer Input Software - c:\program files\Consumer Input\uninstall.exe
AddRemove-mIRC - c:\windows\temp\spoolsv\spoolsv.exe
AddRemove-W1Z3F33D-CD0C-4AC4-86B4-X11E5511AA18_is1 - c:\program files\GlobalTec Solutions
AddRemove-WT7FIX_is1 - c:\program files\GlobalTec Solutions



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-09-25 12:24
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ... 

scanning hidden autostart entries ... 

scanning hidden files ... 

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,8a,74,02,0e,ed,2a,c0,43,93,94,e5,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,8a,74,02,0e,ed,2a,c0,43,93,94,e5,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(664)
c:\program files\Citrix\GoToMyPC\G2WinLogon.dll

- - - - - - - > 'explorer.exe'(8092)
c:\windows\system32\WININET.dll
c:\windows\TEMP\logishrd\LVPrcInj01.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Alwil Software\Avast5\AvastSvc.exe
c:\windows\system32\brss01a.exe
c:\windows\system32\Brmfrmps.exe
c:\program files\Citrix\GoToMyPC\g2svc.exe
c:\program files\Citrix\GoToMyPC\g2comm.exe
c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
c:\program files\Citrix\GoToMyPC\g2pre.exe
c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
c:\program files\Citrix\GoToMyPC\g2tray.exe
c:\program files\Common Files\Motive\McciCMService.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2010-09-25 12:36:42 - machine was rebooted
ComboFix-quarantined-files.txt 2010-09-25 16:36
ComboFix2.txt 2009-01-31 21:10

Pre-Run: 10,809,900,544 bytes free
Post-Run: 11,100,172,288 bytes free

- - End Of File - - 2872431B861BA53ED7E8D6E511E56B70


----------



## Ried

*Re: AV8 Malware infection*

The worst of it is over - now it's time for you to do some work. :smile:

Download the AVG remover from this page http://www.avg.com/us-en/download-tools and run it.

=================================

*Uninstall* the following program via Control Panel>Add or Remove programs

*MyShoppingGenie*

=================================


Open *notepad* and copy/paste the text in the code box below into it:



> Folder::
> c:\documents and settings\All Users.WINDOWS\Application Data\avg8
> 
> Registry::
> [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
> "8087:TCP"=-
> 
> Firefox::
> FF - ProfilePath - c:\documents and settings\Dan.SKYKING\Application Data\Mozilla\Firefox\Profiles\a9ksr6p3.default\
> FF - prefs.js: browser.search.selectedEngine - My Web Search
> FF - prefs.js: keyword.URL - hxxp://search.mywebsearch.com/mywebsearch/GGmain.jhtml?id=ZUxdm596YYUS&ptb=uAILxWBNn3vZhKu5G14lIA&psa=&ind=2010022313&ptnrS=ZUxdm596YYUS&si=&st=kwd&n=77ce81a9&searchfor


Save this as *"CFScript.txt"*, and as Type: All Files (*.*)
in the same location as ComboFix.exe

***************************************************

Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

**************************************

Referring to the picture above, drag CFScript into ComboFix.exe

Post the *C:\ComboFix.txt* in your next reply.


====================================


It's important to run an online scan to search for any other remnants that may be lurking. Go *here* to run an online scanner from ESET.
*Note:* You will need to use *Internet Explorer* for this scan
Turn off the real time scanner of any existing antivirus program while performing the online scan
Tick the box next to *YES, I accept the Terms of Use.*
Click *Start*
When asked, allow the activex control to install
Click *Start*
Make sure that the option *Remove found threats* is *unticked*, and the option *Scan unwanted applications* is checked
Click *Scan*
Wait for the scan to finish
Use *notepad* to open the logfile located at C:\Program Files\Eset\Eset Online Scanner\log.txt
Copy and paste that log as a reply to this topic.
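The CFScript above uses three directive blocks: Folder::, Registry:: (REGEDIT4 syntax, where `"name"=-` deletes a value) and Firefox:: (the FF lines copied from the log). The Python below is an added example for this thread, not ComboFix's own code and not something Ried posted. It shows how a reviewer could pull the same persistence points out of a ComboFix log mechanically and draft such a script: it parses the Reg Loading Points values, the XP firewall GloballyOpenPorts list and the Firefox prefs lines, flags entries that match a small reviewer-maintained indicator list, and prints a Registry::/Firefox:: draft. The log excerpt is constructed from lines quoted earlier in the thread; the path fragments and search-provider allowlists are assumptions, and the draft still needs a human check before it is fed to ComboFix (the thread, for instance, removes MyShoppingGenie through Add/Remove Programs rather than by deleting its Run value).

```python
"""Triage a ComboFix log for persistence points and draft a CFScript.
Added example for this thread, not part of ComboFix; indicator lists are assumed."""
import re

# Constructed excerpt of the log posted in the thread (ComboFix writes http as hxxp).
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\documents and settings\Dan.SKYKING\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-04-17 133104]
"mnumsg.exe"="c:\program files\MyShoppingGenie\mnumsg.exe" [2009-09-07 276208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2010-06-23 1043968]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8087:TCP"= 8087:TCP:sed

FF - ProfilePath - c:\documents and settings\Dan.SKYKING\Application Data\Mozilla\Firefox\Profiles\a9ksr6p3.default\
FF - prefs.js: browser.search.selectedEngine - My Web Search
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://search.mywebsearch.com/mywebsearch/GGmain.jhtml?id=ZUxdm596YYUS
"""

# Reviewer-maintained indicators (assumed for this example, not a vendor list).
BAD_PATH_FRAGMENTS = ("\\myshoppinggenie\\", "\\av8\\", "\\windows\\temp\\", "\\local settings\\temp\\")
SEARCH_HOSTS_OK = {"www.google.com", "search.yahoo.com", "www.bing.com"}
SEARCH_ENGINES_OK = {"Google", "Yahoo", "Bing"}

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<rest>.*)$')
FF_PREF_RE = re.compile(r"^FF - prefs\.js: (?P<pref>\S+) - (?P<value>.*)$")
FF_PROFILE_RE = re.compile(r"^FF - ProfilePath - (?P<path>.*)$")
URL_HOST_RE = re.compile(r"^h(?:xx|tt)ps?://(?P<host>[^/]+)", re.IGNORECASE)


def _clean_value(rest):
    """Strip ComboFix's trailing '[date size]' annotation and the surrounding quotes."""
    rest = re.sub(r"\s*\[[^\]]*\]\s*$", "", rest.strip())
    return rest.strip().strip('"')


def parse_log(text):
    """Return (registry values as (key, name, data), firefox prefs as (pref, value), profile path)."""
    reg, prefs, profile, key = [], [], None, None
    for line in text.splitlines():
        line = line.rstrip()
        if KEY_RE.match(line):
            key = KEY_RE.match(line).group("key")
        elif key and VALUE_RE.match(line):
            m = VALUE_RE.match(line)
            reg.append((key, m.group("name"), _clean_value(m.group("rest"))))
        elif FF_PROFILE_RE.match(line):
            profile = FF_PROFILE_RE.match(line).group("path")
        elif FF_PREF_RE.match(line):
            m = FF_PREF_RE.match(line)
            prefs.append((m.group("pref"), m.group("value")))
    return reg, prefs, profile


def find_suspicious(text):
    """Apply the checks; return findings as (kind, location, name, data, reason)."""
    reg, prefs, _ = parse_log(text)
    findings = []
    for key, name, data in reg:
        k = key.lower()
        if k.endswith("\\run") or k.endswith("\\runonce"):
            hit = next((f for f in BAD_PATH_FRAGMENTS if f in data.lower()), None)
            if hit:
                findings.append(("registry", key, name, data, "autostart image path contains %r" % hit))
        elif k.endswith("\\globallyopenports\\list"):
            # Any globally open inbound port deserves a look; this one names no installed product.
            findings.append(("registry", key, name, data, "inbound port opened in the XP firewall"))
    for pref, value in prefs:
        if pref == "browser.search.selectedEngine" and value not in SEARCH_ENGINES_OK:
            findings.append(("firefox", "prefs.js", pref, value, "search engine not on the allowlist"))
        elif pref in ("keyword.URL", "browser.search.defaulturl"):
            m = URL_HOST_RE.match(value)
            host = m.group("host").lower() if m else ""
            if host not in SEARCH_HOSTS_OK:
                findings.append(("firefox", "prefs.js", pref, value, "search URL host %r not allowlisted" % host))
    return findings


def build_cfscript(text):
    """Draft a CFScript in the directive layout used in the thread; a person must review it."""
    _, _, profile = parse_log(text)
    findings = find_suspicious(text)
    out, last_key = ["Registry::"], None
    for kind, key, name, _, _ in findings:
        if kind != "registry":
            continue
        if key != last_key:
            out.append("[%s]" % key)
            last_key = key
        out.append('"%s"=-' % name)  # REGEDIT4: '=-' deletes the value
    ff = [(p, v) for k, _, p, v, _ in findings if k == "firefox"]
    if ff:
        out += ["", "Firefox::"]
        if profile:
            out.append("FF - ProfilePath - %s" % profile)
        out += ["FF - prefs.js: %s - %s" % (p, v) for p, v in ff]
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for f in find_suspicious(SAMPLE_LOG):
        print("%-8s %-32s %s" % (f[0], f[2], f[4]))
    print()
    print(build_cfscript(SAMPLE_LOG))
```

Running the block lists four findings (the MyShoppingGenie Run value, the 8087:TCP open port, the "My Web Search" engine and the mywebsearch keyword.URL) and prints a Registry::/Firefox:: draft in the same layout as the script in the post above. Only the three directives that appear in this thread are emitted; ComboFix's other directives are not covered here.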


----------



## patmark

*Re: AV8 Malware infection*

HMMMM, I am having a heck of a time with this Shopping Genie. I just can't get it to uninstall with either Revo or Add/Remove Programs. I tried to delete the .exe from the C: Programs folder and it will not let me do it there either. AVG is gone and created a log on restart, but this program I just can't seem to get off. Should I leave it and continue with the rest of the steps, or do you know something I don't that would help me remove it? LOL


----------



## Ried

*Re: AV8 Malware infection*

Leave it for now and continue with the rest. What happens when you try to uninstall it?


----------



## patmark

*Re: AV8 Malware infection*

I get the message that it's, damn, I can't even tell you because the CF is running another scan. But it's something like it's unable to uninstall it because it's missing the uninstall program associated with it. When I try to delete it, it says it's write protected and I don't have Admin rights. OK, here's where I'm at:

I ran the AVG remover and it did its thing and rebooted. It generated a log that is now on the desktop.
I tried and failed to remove Shopping Genie.
I dragged the TXT file onto the CF.exe and it started another scan.
When the scan started it said that AVG was still running, so I went ahead with the scan anyhow and that's what it's doing right now.

I will await your response to this post. I'm not sure if you know this or not, but I am disabled from an accident that I had a long time ago and require a lot of medication to live a normal lifestyle. It makes me very tired sometimes and I am unable to concentrate very well. Once I have seen your response to this post I will have to take a break for a 1/2 hour or so to rest and take some medicine before I will be able to continue on. I'm very sorry, as I feel really bad to be taking up your Saturday. Once I have rested I will be able to continue to the conclusion of this issue if you are still able to at that time. If not, I certainly understand and we can work on it at another time that's more convenient.

I'll wait for your reply.

Mark


----------



## patmark

*Re: AV8 Malware infection*

This is the report generated from the second CF scan for your review. I figure that it will take you a while to review this, so while I am resting and relieving the pain I'm in maybe you could look it over. Just let me know.

ComboFix 10-09-24.05 - Dan 09/25/2010 13:38:36.3.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.736 [GMT -4:00]
Running from: c:\documents and settings\Dan.SKYKING\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Dan.SKYKING\Desktop\CFScript.txt
AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: ZoneAlarm Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users.WINDOWS\Application Data\avg8
c:\windows\system32\gotomon.log
c:\windows\TEMP\logishrd\LVPrcInj01.dll
c:\windows\system32\gotomon.log . . . . Failed to delete

.
((((((((((((((((((((((((( Files Created from 2010-08-25 to 2010-09-25 )))))))))))))))))))))))))))))))
.

2010-09-23 20:53 . 2010-09-23 21:57	--------	d-----w-	c:\documents and settings\All Users.WINDOWS\Application Data\STOPzilla!
2010-09-23 14:13 . 2010-09-23 14:13	--------	d-----w-	c:\documents and settings\LocalService.NT AUTHORITY.000\Application Data\Yahoo!
2010-09-23 14:13 . 2010-09-23 14:13	--------	d-sh--w-	c:\documents and settings\LocalService.NT AUTHORITY.000\PrivacIE
2010-09-23 00:51 . 2010-09-23 00:51	--------	d-sh--w-	c:\documents and settings\NetworkService.NT AUTHORITY.000\IETldCache
2010-09-12 00:59 . 2010-09-12 00:59	--------	d-----w-	c:\program files\Common Files\Apple
2010-09-12 00:58 . 2010-09-12 00:58	--------	d-----w-	c:\program files\Apple Software Update
2010-09-12 00:58 . 2010-09-12 00:58	--------	d-----w-	c:\documents and settings\All Users.WINDOWS\Application Data\Apple
2010-09-11 19:14 . 2010-09-07 14:47	17744	----a-w-	c:\windows\system32\drivers\aswFsBlk.sys
2010-09-11 19:14 . 2010-09-07 14:52	165584	----a-w-	c:\windows\system32\drivers\aswSP.sys
2010-09-11 19:14 . 2010-09-07 14:47	23376	----a-w-	c:\windows\system32\drivers\aswRdr.sys
2010-09-11 19:14 . 2010-09-07 14:52	46672	----a-w-	c:\windows\system32\drivers\aswTdi.sys
2010-09-11 19:14 . 2010-09-07 14:47	100176	----a-w-	c:\windows\system32\drivers\aswmon2.sys
2010-09-11 19:14 . 2010-09-07 14:47	94544	----a-w-	c:\windows\system32\drivers\aswmon.sys
2010-09-11 19:14 . 2010-09-07 14:46	28880	----a-w-	c:\windows\system32\drivers\aavmker4.sys
2010-09-11 19:14 . 2010-09-07 15:12	38848	----a-w-	c:\windows\avastSS.scr
2010-09-11 19:14 . 2010-09-07 15:11	167592	----a-w-	c:\windows\system32\aswBoot.exe
2010-09-11 19:13 . 2010-09-11 19:13	--------	d-----w-	c:\documents and settings\All Users.WINDOWS\Application Data\Alwil Software
2010-09-11 19:04 . 2010-06-23 17:51	69120	----a-w-	c:\windows\system32\zlcomm.dll
2010-09-11 19:04 . 2010-06-23 17:51	103936	----a-w-	c:\windows\system32\zlcommdb.dll
2010-09-11 19:04 . 2010-09-11 19:04	--------	d-----w-	c:\windows\system32\ZoneLabs
2010-09-11 19:04 . 2010-06-23 17:51	1238528	----a-w-	c:\windows\system32\zpeng25.dll
2010-09-11 16:04 . 2010-09-11 16:04	--------	d-----w-	c:\documents and settings\Dan.SKYKING\Application Data\Apple Computer
2010-09-09 20:53 . 2010-09-09 20:53	--------	d-----w-	c:\program files\VS Revo Group

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-25 17:49 . 2008-08-01 21:07	0	----a-w-	c:\windows\system32\drivers\lvuvc.hs
2010-09-25 17:49 . 2008-09-02 19:41	0	----a-w-	c:\windows\system32\drivers\logiflt.iad
2010-09-25 17:28 . 2009-06-14 17:31	--------	d-----w-	c:\program files\MyShoppingGenie
2010-09-25 12:48 . 2008-08-20 20:35	--------	d-----w-	c:\documents and settings\All Users.WINDOWS\Application Data\Google Updater
2010-09-23 21:26 . 2010-09-23 21:48	1129120	----a-w-	c:\documents and settings\All Users.WINDOWS\Application Data\STOPzilla!\vdb\vbcorent.dll
2010-09-23 21:25 . 2010-09-23 21:22	1256	----a-w-	c:\windows\system32\drivers\kgpcpy.cfg
2010-09-23 15:01 . 2010-09-23 15:01	1211017	----a-w-	c:\windows\Internet Logs\tvDebug.Zip
2010-09-22 23:46 . 2006-02-04 22:01	--------	d-----w-	c:\program files\Google
2010-09-19 16:16 . 2008-05-15 22:12	--------	d-----w-	c:\documents and settings\All Users.WINDOWS\Application Data\Microsoft Help
2010-09-16 01:08 . 2004-07-19 17:10	--------	d-----w-	c:\program files\QuickTime
2010-09-16 01:07 . 2006-04-14 17:05	--------	d-----w-	c:\documents and settings\All Users.WINDOWS\Application Data\Apple Computer
2010-09-11 19:13 . 2004-02-15 12:33	--------	d-----w-	c:\program files\Alwil Software
2010-09-11 19:04 . 2005-11-05 00:03	4212	---ha-w-	c:\windows\system32\zllictbl.dat
2010-09-11 18:38 . 2008-05-02 13:49	--------	d-----w-	c:\program files\Three Rings Design
2010-09-11 17:36 . 2004-02-29 18:17	--------	d-----w-	c:\program files\MUSICMATCH
2010-09-11 16:04 . 2005-11-04 23:59	429432	----a-w-	c:\documents and settings\Dan.SKYKING\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-09-10 17:09 . 2005-07-31 14:10	--------	d-----w-	c:\program files\Intuit
2010-09-10 16:50 . 2009-05-08 14:08	--------	d-----w-	c:\documents and settings\Dan.SKYKING\Application Data\DriverCure
2010-09-10 16:48 . 2009-05-08 14:07	--------	d-----w-	c:\documents and settings\All Users.WINDOWS\Application Data\DriverCure
2010-09-09 23:40 . 2007-01-02 22:18	--------	d-----w-	c:\program files\Research In Motion
2010-09-09 21:06 . 2005-11-12 17:42	--------	d-----w-	c:\program files\APC
2010-09-09 20:57 . 2009-05-08 13:35	--------	d---a-w-	c:\documents and settings\All Users.WINDOWS\Application Data\TEMP
2010-08-17 13:17 . 2004-08-04 12:00	58880	----a-w-	c:\windows\system32\spoolsv.exe
2010-07-22 15:49 . 2004-08-04 12:00	590848	----a-w-	c:\windows\system32\rpcrt4.dll
2010-07-22 05:57 . 2009-04-14 19:27	5120	----a-w-	c:\windows\system32\xpsp4res.dll
2010-06-30 12:31 . 2004-08-04 12:00	149504	----a-w-	c:\windows\system32\schannel.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\documents and settings\Dan.SKYKING\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-04-17 133104]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-21 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2010-06-23 1043968]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RealUpgradeHelper"="c:\program files\Common Files\Real\Update_OB\upgrdhlp.exe" [2010-03-29 136744]

c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\
McAfee Security Scan.lnk - c:\program files\McAfee Security Scan\1.0.150\SSScheduler.exe [2009-7-27 199184]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"EditLevel"= 0 (0x0)
"NoCommonGroups"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToMyPC]
2008-09-30 21:04	10536	----a-w-	c:\program files\Citrix\GoToMyPC\G2WinLogon.dll

[HKLM\~\startupfolder\C:^Documents and Settings^Dan.SKYKING^Start Menu^Programs^Startup^Memeo AutoBackup Launcher.lnk]
path=c:\documents and settings\Dan.SKYKING\Start Menu\Programs\Startup\Memeo AutoBackup Launcher.lnk
backup=c:\windows\pss\Memeo AutoBackup Launcher.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Dan.SKYKING^Start Menu^Programs^Startup^Memeo AutoSync Launcher.lnk]
backup=c:\windows\pss\Memeo AutoSync Launcher.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Dan.SKYKING^Start Menu^Programs^Startup^MySurvey Messenger.lnk]
path=c:\documents and settings\Dan.SKYKING\Start Menu\Programs\Startup\MySurvey Messenger.lnk
backup=c:\windows\pss\MySurvey Messenger.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-06-20 02:04	35760	----a-w-	c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CARPService]
2003-05-21 20:35	4608	----a-w-	c:\windows\system32\carpserv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Consumer Input]
2007-09-20 14:47	390488	----a-w-	c:\program files\Consumer Input\ConsumerInput.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Consumer Input Update]
2007-09-20 14:48	152920	----a-w-	c:\program files\Consumer Input\ConsumerInputUa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ControlCenter2.0]
2004-07-20 14:34	851968	----a-w-	c:\program files\Brother\ControlCenter2\brctrcen.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IndexSearch]
2004-04-14 20:04	40960	----a-w-	c:\program files\ScanSoft\PaperPort\IndexSearch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelliPoint]
2006-07-07 23:15	600896	----a-w-	c:\program files\Microsoft IntelliPoint\ipoint.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISW.exe]
2007-05-03 18:12	2061816	----a-w-	c:\program files\AT&T\Internet Security Wizard\ISW.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\itype]
2006-07-07 23:14	576320	----a-w-	c:\program files\Microsoft IntelliType Pro\itype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LDM]
2008-08-01 21:04	67128	----a-w-	c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechCommunicationsManager]
2008-08-14 21:11	565008	----a-w-	c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechQuickCamRibbon]
2008-08-14 21:15	2407184	----a-w-	c:\program files\Logitech\QuickCam\Quickcam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Portfolio]
2001-08-23 21:52	331830	----a-w-	c:\program files\Microsoft Works\wkssb.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Update Detection]
2001-08-17 04:41	28738	----a-w-	c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12	1695232	----a-w-	c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PaperPort PTD]
2004-04-14 19:46	57393	----a-w-	c:\program files\ScanSoft\PaperPort\pptd40nt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SetDefPrt]
2004-05-25 13:16	49152	------w-	c:\program files\Brother\Brmfl04b\BrStDvPt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSBkgdUpdate]
2003-10-14 10:22	155648	----a-r-	c:\program files\Common Files\ScanSoft Shared\SSBkgdUpdate\SSBkgdUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2007-07-21 00:12	68856	----a-w-	c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2010-03-29 00:51	202256	----a-w-	c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WorksFUD]
2001-10-06 00:34	24576	----a-w-	c:\program files\Microsoft Works\wkfud.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\eSignal\\winros.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Pre-Paid Legal Services, Inc\\PPL Legacy\\2.2.0.0\\PPL Legacy.exe"=
"c:\\Program Files\\Pre-Paid Legal Services, Inc\\PPL Legacy\\2.3.0.0\\PPL Legacy.exe"=
"c:\\Documents and Settings\\Dan.SKYKING\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=
"c:\\Documents and Settings\\Dan.SKYKING\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\Documents and Settings\\Dan.SKYKING\\temp\\TeamViewer\\Version4\\TeamViewer.exe"=
"c:\\WINDOWS\\system32\\ZoneLabs\\vsmon.exe"=

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [9/11/2010 3:14 PM 165584]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [9/11/2010 3:14 PM 17744]
S2 gupdate1ca389b2ddb304a;Google Update Service (gupdate1ca389b2ddb304a);c:\program files\Google\Update\GoogleUpdate.exe [9/18/2009 4:04 PM 133104]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper	REG_MULTI_SZ getPlusHelper
ssed	REG_MULTI_SZ ssed
.
Contents of the 'Scheduled Tasks' folder

2010-09-22 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2010-09-25 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 16:20]

2010-09-25 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-07-14 01:58]

2010-09-25 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-09-18 20:03]

2010-09-25 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-09-18 20:03]

2010-09-23 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1614895754-287218729-725345543-1004Core.job
- c:\documents and settings\Dan.SKYKING\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-04-17 16:42]

2010-09-25 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1614895754-287218729-725345543-1004UA.job
- c:\documents and settings\Dan.SKYKING\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-04-17 16:42]

2010-09-22 c:\windows\Tasks\ParetoLogic Registration.job
- c:\program files\Common Files\ParetoLogic\UUS2\UUS.dll [2009-01-13 14:59]

2010-09-22 c:\windows\Tasks\ParetoLogic Registration3.job
- c:\program files\Common Files\ParetoLogic\UUS3\UUS3.dll [2010-04-06 21:30]

2010-09-19 c:\windows\Tasks\ParetoLogic Update Version2.job
- c:\program files\Common Files\ParetoLogic\UUS2\Pareto_Update.exe [2009-01-13 14:59]

2010-09-25 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-1614895754-287218729-725345543-1004.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 02:09]

2010-09-25 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-1614895754-287218729-725345543-1004.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 02:09]

2010-09-25 c:\windows\Tasks\User_Feed_Synchronization-{49A550C5-54E6-4994-99A7-90C35BDCBFE4}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 08:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = hxxp://home.att.net/~solos_holiday/2008/_011/egg.htm
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {86425144-8E97-41D5-8BCF-302812D44692} - hxxp://ravenas.razorstream.com/eve-service/objects/RSControl40.cab
DPF: {CE089F60-349F-413F-9657-B6BC8BE0CECD} - hxxp://hellophone.helloworld.com/install/helloPhone.cab
FF - ProfilePath - c:\documents and settings\Dan.SKYKING\Application Data\Mozilla\Firefox\Profiles\a9ksr6p3.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - component: c:\documents and settings\All Users.WINDOWS\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext\components\nprpffbrowserrecordext.dll
FF - component: c:\program files\PayPal\PayPal Plug-In\components\PayPalPlugin.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true); 
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true); 
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-mnumsg.exe - c:\program files\MyShoppingGenie\mnumsg.exe
Notify-avgrsstarter - avgrsstx.dll



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-09-25 13:52
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ... 

scanning hidden autostart entries ... 

scanning hidden files ... 

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,8a,74,02,0e,ed,2a,c0,43,93,94,e5,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,8a,74,02,0e,ed,2a,c0,43,93,94,e5,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(664)
c:\program files\Citrix\GoToMyPC\G2WinLogon.dll

- - - - - - - > 'explorer.exe'(3440)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Alwil Software\Avast5\AvastSvc.exe
c:\windows\system32\brss01a.exe
c:\windows\system32\Brmfrmps.exe
c:\program files\Citrix\GoToMyPC\g2svc.exe
c:\program files\Citrix\GoToMyPC\g2comm.exe
c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
c:\program files\Citrix\GoToMyPC\g2pre.exe
c:\program files\Citrix\GoToMyPC\g2tray.exe
c:\program files\Common Files\Motive\McciCMService.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\msiexec.exe
.
**************************************************************************
.
Completion time: 2010-09-25 14:00:06 - machine was rebooted
ComboFix-quarantined-files.txt 2010-09-25 18:00
ComboFix2.txt 2010-09-25 16:36
ComboFix3.txt 2009-01-31 21:10

Pre-Run: 11,506,526,720 bytes free
Post-Run: 11,475,300,352 bytes free

- - End Of File - - AE1DA34EDBA2C0119BFED3FBDA134233


----------



## Ried

*Re: AV8 Malware infection*

Start the Eset online scan and let that run while you get some rest. 

We'll take care of AVG and MyShoppingGenie along with any results from Eset in one final round.


----------



## patmark

*Re: AV8 Malware infection*

Ok Ried, many thanks. The online scan is running now, so it'll take a bit. I'll post back when it's done. I owe you so big for this LOL. Couldn't have done it without your help, that's for darn sure.


----------



## Ried

*Re: AV8 Malware infection*

You're welcome. I don't mind waiting, I could use a bit of a rest myself.


----------



## patmark

*Re: AV8 Malware infection*

Just thought I'd give you an update. The scan is still running; it's just reaching 50% after almost an hour. It's found 76 possible problem files so far LOL. Man, what has this man been doing on this computer? Will post results as soon as it's done.


----------



## patmark

*Re: AV8 Malware infection*

Ok Ried my friend, here is the log generated by the online scan. I will await your reply and your expert opinion.


----------



## Ried

*Re: AV8 Malware infection*

Hiya.

Most of Eset's findings are backups created during the course of this fix, and items located in C:\System Volume Information\, which is where System Restore's cache is stored. Whatever is in there can't harm you unless you choose to perform a manual restore. Nevertheless, we shall be resetting/clearing the cache shortly. 


Let's wrap this up. Open *notepad* and copy/paste the text in the code box below into it:



```
SkipFix::
File::
C:\Program Files\MSN Messenger\msimg32.dll
C:\Program Files\MSN Messenger\riched20.dll
c:\program files\MyShoppingGenie

SecCenter::
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
```


Save this as *"CFScript.txt"*, and as Type: All Files (*.*), in the same location as ComboFix.exe.

***************************************************

Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

***************************************************

Referring to the picture above, drag CFScript into ComboFix.exe.

===============================


If there aren't any more problems, we have some final housekeeping to tend to now. Please do not skip this step as it will implement important cleanup procedures, as well as reset your System Restore by flushing out previous restore points (which contain the infections) and create a new restore point for you. 


Click Start > Run and copy/paste, or type the following bolded text into the Run box and click OK:

*ComboFix /uninstall*

--------------------------------------------------------------------

Should you wish to contribute to the ongoing development of ComboFix, donations are being accepted via PayPal.


To help protect your computer in the future I recommend that you follow these steps and look into the following free programs:


*Microsoft Windows Update* - http://www.windowsupdate.com
Visit regularly. This will ensure your computer always has the latest security updates. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.


*SpywareBlaster* to help prevent spyware from installing in the first place. Install & update SpywareBlaster with the latest definitions. After you have updated, click the button - enable protection for all unprotected items.
SpywareBlaster is a preventative program. It sets flags in the registry to prevent the running of a specific list of bad spyware related ActiveX controls. It will block any bad ActiveX from running in Internet Explorer and Firefox if it's listed in their database (which you should update frequently). To view their database and list of restricted sites, launch the program and click on each of the tabs on the main display page.


*WOT* (Web of Trust): as 'Googling' is such an integral part of internet life, this free browser add-on warns you about risky websites that try to scam visitors, deliver malware or send spam. It is especially helpful when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:
Green to go
Yellow for caution
Red to stop
WOT has an add-on available for both Firefox and IE.



Scan here http://secunia.com/software_inspector/ for out-of-date and vulnerable common applications on your computer.


*BACKING UP YOUR REGISTRY*
*ERUNT* will create daily complete backups of your computer's Registry. Whilst System Restore does the same thing, a corrupt registry file may prevent Windows from booting & this effectively renders System Restore unavailable by simple means. With ERUNT, you're able to restore the damaged Registry.

Vista/Windows 7 users - see this link for proper setup of Erunt http://www.winhelponline.com/blog/backup-windows-vista-registry-daily-using-erunt/


*NTREGOPT* works by recreating each registry hive "from scratch", thus removing any slack space that may be left from previously modified or deleted keys. In other words, it compacts the Registry to a small size which allows Windows to load & perform faster. 


In light of your recent troubles, I'm sure you'll like to avoid any future infections. Please take a look at these well-written articles:

*How did I get infected in the first place?* 
*Think Prevention*


Kindly respond one more time and let me know if we may consider this thread resolved.


----------



## patmark

*Re: AV8 Malware infection*

Ok, running it now. I think I did it right lol. The only thing that sort of confused me was where it said *and items located in C:\System Volume Information\, which is where System Restore's cache is stored.* I couldn't locate that in the C drive, and I wasn't clear if I was supposed to drag and drop the contents of that folder to the .exe as well or not. Well, I didn't LOL, so I'll do it over if necessary. Do you want this report when CF is finished, or is that a clean-up procedure?


----------



## patmark

*Re: AV8 Malware infection*

Ok Ried I have performed all the steps from your last post. I am writing this post from the affected computer, and all appears to be well. Please let me know if there is anything else that I need to do and we can wrap this up. Thanks so much for your time today.

Mark


----------



## Ried

Hi patmark - sorry about that copy/paste error. That was an explanation of what most of the online scan's findings were. When you carry out the uninstall of ComboFix, the restore points will be flushed and a new restore point automatically set for you.

There is no need to post the ComboFix.txt, please proceed with uninstalling ComboFix.


----------

