Inactive Bamital-AF removal; explorer.exe & winlogon.exe both infected; using taskmanager

jomon324

Hello, I'm a first timer here, so I'm gonna try my hardest to do the right things. ***note: I am a fairly inexperienced user in regards to virus destruction, so please bear with me if I sound stupid.***

All right, so what I started with was Avast! antivirus scanning my computer after around eight different types of windows came up, each saying that they were an antivirus software that I had never used, and an error box entitled "ThinkPoint" which cascaded infinitely while Avast blocked it. I didn't know what to do, so I reset my computer after scheduling a boot scan. (I had been doing homework late, around 1:10 AM when this happened, but I was able to back it up on my external HDD) I ended up cancelling the boot scan because it was so late. The next day, I started up my computer and was greeted with a stupid looking window that said "Think Point, the world's leading innovator in blahblahblah," and two buttons: a greyed-out "Normal Startup" and a green "Safe Startup" which I did NOT click. Instead, I had my dad come in and look at it, and he almost clicked "safe startup," but I was wary and didn't let him. That's when I decided to do research on thinkpoint, and after a few clicks on my iPod touch, I found this site and the tutorial on how to remove malware, as well as several threads about a "Bamital-AC" and thinkpoint itself.

So here I am, and I'm gonna start with the Malwarebytes log because I tried using TFC twice yesterday, and during the start of each scan it made my computer restart, so I'm skipping that step for now.

Malwarebytes' Log: (First scan: yesterday)

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4907

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

10/21/2010 10:56:59 PM
mbam-log-2010-10-21 (22-56-59).txt

Scan type: Quick scan
Objects scanned: 148333
Time elapsed: 6 minute(s), 23 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 7
Registry Values Infected: 4
Registry Data Items Infected: 3
Folders Infected: 1
Files Infected: 10

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{100eb1fd-d03e-47fd-81f3-ee91287f9465} (Adware.ShopperReports) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{c5428486-50a0-4a02-9d20-520b59a9f9b2} (Adware.ShopperReports) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{c5428486-50a0-4a02-9d20-520b59a9f9b3} (Adware.ShopperReports) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Antimalware Doctor Inc (Rogue.AntimalwareDoctor) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\AvScan (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\MediaHoldings (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Antimalware Doctor (Rogue.AntimalwareDoctor) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vlexetakobiloba (Trojan.Hiloti) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Extensions\CmdMapping\{c5428486-50a0-4a02-9d20-520b59a9f9b2} (Adware.ShopperReports) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Extensions\CmdMapping\{c5428486-50a0-4a02-9d20-520b59a9f9b3} (Adware.ShopperReports) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\shell (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
C:\Documents and Settings\Owner\Start Menu\Programs\Antimalware Doctor (Rogue.AntiMalwareDoctor) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\vinoit.dll (Trojan.Hiloti) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Local Settings\Temp\bxnxwj.exe (Adware.BHO) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Local Settings\Temp\rfpsucoa.exe (Trojan.Hiloti) -> Quarantined and deleted successfully.
C:\WINDOWS\IFinst27.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Start Menu\Programs\Antimalware Doctor\Antimalware Doctor.lnk (Rogue.AntiMalwareDoctor) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Start Menu\Programs\Antimalware Doctor\Uninstall.lnk (Rogue.AntiMalwareDoctor) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Application Data\Microsoft\Internet Explorer\Quick Launch\Antimalware Doctor.lnk (Rogue.AntimalwareDoctor) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Start Menu\Antimalware Doctor.lnk (Rogue.AntimalwareDoctor) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Documents\Server\admin.txt (Malware.Trace) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Documents\Server\server.dat (Malware.Trace) -> Quarantined and deleted successfully.

That scan was done yesterday, and today I did a new scan (and "My Computer" still has the windows-doesn't-know-what-this-is icon, aka the paper with three shapes on it) and these are the more recent results:

Malwarebytes Log: (Second scan: today)

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4907

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

10/22/2010 12:13:07 PM
mbam-log-2010-10-22 (12-13-07).txt

Scan type: Quick scan
Objects scanned: 148648
Time elapsed: 5 minute(s), 57 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

...However, I still can't use explorer.exe even from taskmanager. If I try and start a new task "explorer.exe," then I get this message:
"Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item."
 
***Sidenote: GMER has to be run while I'm disconnected from the internet, correct? If yes, then I'm going to need to know how to connect/disconnect from the internet via taskmanager, or should I just run the program while still connected to the internet?***

Sorry for the double-post.
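The two Malwarebytes logs above are worth reading as data rather than as a pass/fail verdict: the first scan's entries under `Winlogon\shell`, `CurrentVersion\Run` and `Security Center\*DisableNotify` are persistence and defence-evasion changes, which is the kind of thing that outlives a "clean" second quick scan. The following is an added example, not code from the thread or from Malwarebytes: a small parser for the 1.x log format that groups detections by family and tags the entries a responder should chase. The tagging rules and the constructed `SAMPLE_LOG` excerpt are this example's own assumptions.

```python
"""Parse a Malwarebytes' Anti-Malware 1.x log and flag the detections that
explain a hijacked desktop shell.  Added example for this thread, not code
from Malwarebytes; the classification rules below are this example's own
assumptions, and SAMPLE_LOG is a constructed excerpt of the log posted above."""
import re
from collections import Counter

SAMPLE_LOG = r"""
Malwarebytes' Anti-Malware 1.46
Database version: 4907

Registry Keys Infected: 1
Registry Values Infected: 2

Registry Keys Infected:
HKEY_CURRENT_USER\Software\Antimalware Doctor Inc (Rogue.AntimalwareDoctor) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vlexetakobiloba (Trojan.Hiloti) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\shell (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\vinoit.dll (Trojan.Hiloti) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Local Settings\Temp\rfpsucoa.exe (Trojan.Hiloti) -> Quarantined and deleted successfully.
"""

# "<item> (<family>) -> <result>"; the result may itself contain "Bad: (1) Good: (0) ->".
DETECTION = re.compile(r"^(?P<item>.+?) \((?P<family>[\w.]+)\) -> (?P<result>.+)$")
SECTION = re.compile(r"^(?P<name>[A-Za-z ]+ Infected):$")

# Why an entry matters.  These are this example's heuristics, not MBAM's taxonomy.
PERSISTENCE_RULES = [
    (re.compile(r"\\currentversion\\run\\", re.I),
     "autorun: launched at every logon via the Run key"),
    (re.compile(r"\\winlogon\\shell$", re.I),
     "Winlogon Shell value altered: controls which program starts as the desktop shell"),
    (re.compile(r"\\security center\\\w+disablenotify$", re.I),
     "Security Center warning suppressed"),
    (re.compile(r"\\local settings\\temp\\", re.I),
     "payload staged in the user's Temp folder"),
]


def parse_mbam_log(text):
    """Return one dict per detection line, tagged with the section it sits in."""
    section, hits = None, []
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION.match(line)
        if m:
            section = m.group("name")
            continue
        m = DETECTION.match(line)
        if not m or section is None:
            continue  # summary counts, headers, "(No malicious items detected)"
        item = m.group("item")
        hits.append({
            "section": section,
            "item": item,
            "family": m.group("family"),
            "result": m.group("result"),
            "notes": [note for rx, note in PERSISTENCE_RULES if rx.search(item)],
        })
    return hits


def summarize(hits):
    """Count detections per family and pull out the persistence-related ones."""
    return {
        "total": len(hits),
        "families": Counter(h["family"] for h in hits),
        "flagged": [h for h in hits if h["notes"]],
    }


if __name__ == "__main__":
    report = summarize(parse_mbam_log(SAMPLE_LOG))
    print(f"{report['total']} detections: {dict(report['families'])}")
    for h in report["flagged"]:
        print(f"[{h['section']}] {h['item']}\n    -> " + "; ".join(h["notes"]))
```

Run against the full first log, the same rules also pick up the second Hiloti dropper in Temp and the two remaining Security Center values; the second scan, which found nothing, is not evidence that the shell binaries themselves are intact, which is what ComboFix later established.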
 
Welcome to TechSpot! I'll help with the malware.

ThinkPoint is a rogue anti-spyware program that comes bundled with the fake Microsoft Security Essentials Alert. It will block Task Manager, Registry Editor and other tools too, claiming that these tools were blocked for security reasons and might be infected with malicious code.

Good for you overruling your dad about clicking on one of those choices. A good rule of thumb is not to click on anything if you don't know what it is. This is especially true when it comes to security. The malware authors try to mimic legitimate programs in looks and in what the action will be; that's why so many users get drawn into these programs. The main entry we see is hotfix.exe so we will stop it:
  1. Boot into Safe Mode
    • Restart your computer and start pressing the F8 key on your keyboard.
    • Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.
  2. End Task
    Click on Start> Run> type in taskmgr> OK.
    Double click on the frame at the top of the Processes column to sort
    Find hotfix.exe and click to Highlight
    Click on End Task
  3. Unhide
    Click on Start> Search> All Files and Folders
    Go up to Tools> Folder Options
    Click on the View tab
    Check 'Show hidden files and folders'
    Uncheck 'Hide protected operating system files (Recommended)'
    Click on OK> Apply> OK
  4. Search
    Go to Search> 'all or part of the name'
    Type in hotfix.exe
    (It should be found in this folder: C:\Documents and Settings\User\Application Data\hotfix.exe)
    Do a right click> Delete on the file
  5. Rehide the files and folders.
Close
===============================================
Reboot the computer back into Normal Mode
==============================================
Please download ComboFix from Here and save to your Desktop.

  1. Do NOT rename Combofix unless instructed.
  2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
  3. Close any open browsers.
  4. Double click combofix.exe & follow the prompts to run.
     NOTE: Combofix will disconnect your machine from the Internet as soon as it starts. The connection is automatically restored before CF completes its run. If it does not, restart your computer to restore your connection.
  5. If Combofix asks you to install Recovery Console, please allow it.
  6. If Combofix asks you to update the program, always allow.
     Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
  7. A report will be generated after the scan. Please paste the C:\ComboFix.txt in next reply.
Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.
Note: Make sure you re-enable your security programs when you're done with Combofix.

Let me know how this goes. After I see the Combofix log, I'll decide what comes next. If you have any problem along the way, stop and ask me about it.
 
Hotfix.exe wasn't running when I opened taskmanager, and the location of it is also different from what you said it was: mine are in C:\WINDOWS\Microsoft.NET\Framework\v1.0.3705\Updates and " "\v.1.1.4332\Updates. Should I still delete them? (typing from my iPod as I am currently running in safe mode, so sorry for any text errors)
 
Just tried to run combofix.exe, and my browser was already closed, but I had taskmanager open, and it made a blue command prompt box for 1/16 of a second, as well as an error with no text and an "i" in a word bubble with "Ok", which I clicked. My computer then restarted, and the blue command prompt appeared again with a message that said there is a parasite file that tried to attach itself to combofix, and it asked me to write down the file location and name, which I did and will now reiterate. C:\Program Files\Common Files\Logitech\LVMVFM\LVPrcInj.dll and it said it is going to disable the file for now. After I clicked ok, my desktop came back for the first time in two days. Now it is trying to create a system restore point apparently.
 
Um, slight problem. After scanning and deleting unnecessary files from my PC and fixing winlogon.exe and explorer.exe (thanks a million by the way), combofix came up and said it was creating a log, and told me not to open any programs until it was finished. That's fine, but trillian astra started up automatically, and an error appeared saying "Error loading C:\WINDOWS\icayitegigusobo.dll The specified module could not be found" and combofix is now running indefinitely, it seems, on creating a log report. The label in the taskbar (start menu blue bar area) says "ComboFix - Find3M" ...and it's just kind of stuck there. Should I close and reopen it?
 
Log from ComboFix:

(Actually, the first time it tried to create a log, it hung, and I couldn't get it to move. So, this is the second log from it. My apologies.)

ComboFix 10-10-22.04 - Owner 10/22/2010 21:17:38.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.554 [GMT -7:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
c:\documents and settings\Owner\Application Data\BBCC51E517DBE825F88FD0409D626AEE\enemies-names.txt
c:\documents and settings\Owner\Application Data\BBCC51E517DBE825F88FD0409D626AEE\local.ini
c:\documents and settings\Owner\Application Data\BBCC51E517DBE825F88FD0409D626AEE\lsrslt.ini
c:\documents and settings\Owner\Application Data\Ygage\doxan.tmp
c:\documents and settings\Owner\Application Data\Ygage\doxan.ypx
c:\documents and settings\Owner\Local Settings\Application Data\{1068339F-B76B-4FD8-8724-685ADD2C2EB1}\chrome.manifest
c:\documents and settings\Owner\Local Settings\Application Data\{1068339F-B76B-4FD8-8724-685ADD2C2EB1}\chrome\content\_cfg.js
c:\documents and settings\Owner\Local Settings\Application Data\{1068339F-B76B-4FD8-8724-685ADD2C2EB1}\chrome\content\overlay.xul
c:\documents and settings\Owner\Local Settings\Application Data\{1068339F-B76B-4FD8-8724-685ADD2C2EB1}\install.rdf
c:\windows\expert\Apps\Help.ico
c:\windows\expert\Apps\Home.exe
c:\windows\expert\Apps\Install.ico
c:\windows\expert\Apps\PDF.ICO
c:\windows\expert\Apps\Readme.ico
c:\windows\expert\Apps\Register.exe
c:\windows\expert\Apps\Support.exe
c:\windows\expert\X6820.INI
c:\windows\expert\X6820REG.INI
c:\windows\expert\XSNCR.INI
c:\windows\icayitegigusobo.dll
c:\windows\system32\drivers\hwinterface.sys
c:\windows\Tasks\At1.job
c:\windows\Tasks\At10.job
c:\windows\Tasks\At11.job
c:\windows\Tasks\At12.job
c:\windows\Tasks\At13.job
c:\windows\Tasks\At14.job
c:\windows\Tasks\At15.job
c:\windows\Tasks\At16.job
c:\windows\Tasks\At17.job
c:\windows\Tasks\At18.job
c:\windows\Tasks\At19.job
c:\windows\Tasks\At2.job
c:\windows\Tasks\At20.job
c:\windows\Tasks\At21.job
c:\windows\Tasks\At22.job
c:\windows\Tasks\At23.job
c:\windows\Tasks\At24.job
c:\windows\Tasks\At3.job
c:\windows\Tasks\At4.job
c:\windows\Tasks\At5.job
c:\windows\Tasks\At6.job
c:\windows\Tasks\At7.job
c:\windows\Tasks\At8.job
c:\windows\Tasks\At9.job

-- Previous Run --

Infected copy of c:\windows\system32\winlogon.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\winlogon.exe

Infected copy of c:\windows\system32\winlogon.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\winlogon.exe

Infected copy of c:\windows\explorer.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\explorer.exe

--------

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_hwinterface
-------\Service_hwinterface


((((((((((((((((((((((((( Files Created from 2010-09-23 to 2010-10-23 )))))))))))))))))))))))))))))))
.

2010-10-21 07:48 . 2010-10-21 07:48 191 ----a-w- c:\documents and settings\Owner\Application Data\7130.bat
2010-10-21 07:48 . 2010-10-21 07:48 -------- d-----w- c:\documents and settings\All Users\Application Data\WSTB
2010-10-21 07:48 . 2010-10-22 02:27 -------- d-----w- c:\documents and settings\Owner\Application Data\Tadi
2010-10-13 01:02 . 2010-09-18 06:53 974848 -c----w- c:\windows\system32\dllcache\mfc42.dll
2010-10-13 01:02 . 2010-09-18 06:53 953856 -c----w- c:\windows\system32\dllcache\mfc40u.dll
2010-10-13 01:02 . 2010-08-23 16:12 617472 -c----w- c:\windows\system32\dllcache\comctl32.dll
2010-09-28 05:23 . 2010-09-28 05:23 -------- d-----w- c:\documents and settings\All Users\Application Data\WEBREG
2010-09-28 05:14 . 2010-09-28 05:24 -------- d-----w- c:\documents and settings\Owner\Application Data\HP
2010-09-28 05:13 . 2009-04-16 21:08 312832 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\hpfpp70v.dll
2010-09-28 05:13 . 2009-04-16 21:08 123904 ----a-w- c:\windows\system32\hpf3l70v.dll
2010-09-28 05:13 . 2009-04-15 20:53 452408 ----a-r- c:\windows\system32\hpzids01.dll
2010-09-28 05:12 . 2009-02-10 19:03 966656 ----a-r- c:\windows\system32\hpost_p02c.dll
2010-09-28 05:12 . 2009-02-10 19:03 712704 ----a-r- c:\windows\system32\hposwia_p02c.dll
2010-09-28 05:12 . 2009-02-10 19:03 315392 ----a-r- c:\windows\system32\hposc_p02a.dll
2010-09-28 05:12 . 2008-10-28 09:27 372736 ----a-r- c:\windows\system32\hppldcoi.dll
2010-09-28 05:12 . 2008-10-28 09:27 309760 ----a-r- c:\windows\system32\difxapi.dll
2010-09-28 05:12 . 2001-08-17 20:53 6784 -c--a-w- c:\windows\system32\dllcache\serscan.sys
2010-09-28 05:12 . 2001-08-17 20:53 6784 ----a-w- c:\windows\system32\drivers\serscan.sys
2010-09-28 05:11 . 2010-09-28 05:11 -------- d-----w- c:\program files\Coupons
2010-09-28 05:10 . 2010-09-28 05:10 -------- d-----w- c:\program files\HP Photo Creations
2010-09-28 05:10 . 2010-09-28 05:10 -------- d-----w- c:\documents and settings\All Users\Application Data\HP Photo Creations
2010-09-28 05:10 . 2010-10-06 06:15 -------- d-----w- c:\documents and settings\Owner\Application Data\HpUpdate
2010-09-28 05:09 . 2010-09-28 05:09 -------- d-----w- c:\documents and settings\All Users\Application Data\HP Product Assistant
2010-09-28 05:08 . 2010-09-28 05:08 -------- d-----w- c:\program files\Common Files\HP
2010-09-28 05:08 . 2010-09-28 05:08 -------- d-----w- c:\program files\Common Files\Hewlett-Packard
2010-09-28 05:08 . 2010-09-28 05:15 -------- d-----w- c:\documents and settings\All Users\Application Data\HP
2010-09-28 05:06 . 2008-04-13 18:47 25856 -c--a-w- c:\windows\system32\dllcache\usbprint.sys
2010-09-28 05:06 . 2008-04-13 18:47 25856 ----a-w- c:\windows\system32\drivers\usbprint.sys
2010-09-28 05:05 . 2010-09-28 05:10 -------- d-----w- c:\program files\HP

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-18 19:23 . 2001-08-23 12:00 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53 . 2001-08-23 12:00 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53 . 2001-08-23 12:00 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-18 06:53 . 2001-08-23 12:00 953856 ----a-w- c:\windows\system32\mfc40u.dll
2010-09-10 05:58 . 2001-08-23 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-09-10 05:58 . 2001-08-23 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-09-10 05:58 . 2001-08-23 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-09-07 15:12 . 2010-08-05 02:08 38848 ----a-w- c:\windows\avastSS.scr
2010-09-07 15:11 . 2010-08-05 02:08 167592 ----a-w- c:\windows\system32\aswBoot.exe
2010-09-07 14:52 . 2010-08-05 02:08 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-09-07 14:52 . 2010-08-05 02:08 165584 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-09-07 14:47 . 2010-08-05 02:08 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-09-07 14:47 . 2010-08-05 02:08 100176 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2010-09-07 14:47 . 2010-08-05 02:08 94544 ----a-w- c:\windows\system32\drivers\aswmon.sys
2010-09-07 14:47 . 2010-08-05 02:08 17744 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-09-07 14:46 . 2010-08-05 02:08 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2010-09-01 11:51 . 2001-08-23 12:00 285824 ----a-w- c:\windows\system32\atmfd.dll
2010-08-31 13:42 . 2001-08-23 12:00 1852800 ----a-w- c:\windows\system32\win32k.sys
2010-08-27 08:02 . 2001-08-23 12:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2010-08-27 05:57 . 2001-08-23 12:00 99840 ----a-w- c:\windows\system32\srvsvc.dll
2010-08-26 13:39 . 2001-08-23 12:00 357248 ----a-w- c:\windows\system32\drivers\srv.sys
2010-08-26 12:52 . 2009-04-14 22:55 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2010-08-23 16:12 . 2001-08-23 12:00 617472 ----a-w- c:\windows\system32\comctl32.dll
2010-08-17 13:17 . 2001-08-23 12:00 58880 ----a-w- c:\windows\system32\spoolsv.exe
2010-08-16 08:45 . 2001-08-23 12:00 590848 ----a-w- c:\windows\system32\rpcrt4.dll
2010-08-10 12:15 . 2010-08-10 12:15 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2010-08-10 12:15 . 2010-08-10 12:15 69632 ----a-w- c:\windows\system32\QuickTime.qts
2010-07-28 01:44 . 2010-07-28 01:44 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-07-28 01:44 . 2010-07-28 01:44 75040 ----a-w- c:\windows\system32\jdns_sd.dll
2010-07-28 01:44 . 2010-07-28 01:44 197920 ----a-w- c:\windows\system32\dnssdX.dll
2010-07-28 01:44 . 2010-07-28 01:44 107808 ----a-w- c:\windows\system32\dns-sd.exe
2004-03-16 01:51 . 2004-03-16 01:51 114688 -c--a-w- c:\program files\internet explorer\plugins\LV71ActiveXControl.dll
2006-01-23 18:32 . 2006-01-23 18:32 131072 -c--a-w- c:\program files\internet explorer\plugins\LV80ActiveXControl.dll
2007-02-08 18:48 . 2007-02-08 18:48 133920 ----a-w- c:\program files\internet explorer\plugins\LV82ActiveXControl.dll
2007-07-25 03:03 . 2007-07-25 03:03 118784 ----a-w- c:\program files\internet explorer\plugins\LV85ActiveXControl.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{ecdee021-0d17-467f-a1ff-c7a115230949}"= "c:\program files\free-downloads.net\tbfre0.dll" [2010-05-18 2515552]

[HKEY_CLASSES_ROOT\clsid\{ecdee021-0d17-467f-a1ff-c7a115230949}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ecdee021-0d17-467f-a1ff-c7a115230949}]
2010-05-18 00:34 2515552 ----a-w- c:\program files\free-downloads.net\tbfre0.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{ecdee021-0d17-467f-a1ff-c7a115230949}"= "c:\program files\free-downloads.net\tbfre0.dll" [2010-05-18 2515552]

[HKEY_CLASSES_ROOT\clsid\{ecdee021-0d17-467f-a1ff-c7a115230949}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{ECDEE021-0D17-467F-A1FF-C7A115230949}"= "c:\program files\free-downloads.net\tbfre0.dll" [2010-05-18 2515552]

[HKEY_CLASSES_ROOT\clsid\{ecdee021-0d17-467f-a1ff-c7a115230949}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-10-13 133104]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-04-14 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVMixerTray"="c:\program files\NVIDIA Corporation\NvMixer\NVMixerTray.exe" [2004-10-08 131072]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-03-23 202256]
"avast5"="d:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-09-07 2838912]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-08-10 421888]
"iTunesHelper"="d:\program files\iTunes\iTunesHelper.exe" [2010-09-01 421160]
"AirPort Base Station Agent"="d:\program files\Airport\APAgent.exe" [2009-11-11 771360]
"XboxStat"="c:\program files\Microsoft Xbox 360 Accessories\XboxStat.exe" [2009-10-01 718688]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2009-11-18 54576]

c:\documents and settings\Owner\Start Menu\Programs\Startup\
Trillian.lnk - d:\program files\Trillian\trillian.exe [2010-8-23 2068832]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 29696]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2009-11-18 275072]
NETGEAR WPN311 Smart Wizard.lnk - c:\program files\NETGEAR\WPN311\wlancfg5.exe [2006-12-4 1503232]
Run Nintendo Wi-Fi USB Connector Registration Tool.lnk - c:\program files\WiFiConnector\NintendoWFCReg.exe [2010-4-1 1073152]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwprovau

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\utorrent\\utorrent.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"c:\\Program Files\\Java\\jre6\\launch4j-tmp\\frd.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\WiFiConnector\\NintendoWFCReg.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"d:\\Program Files\\Trillian\\trillian.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"d:\\Program Files\\iTunes\\iTunes.exe"=
"d:\\Program Files\\Airport\\APAgent.exe"=
"d:\\Program Files\\Airport\\APUtil.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfcCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgplgtupl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgpc01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgm.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgh.exe"=
"c:\\Program Files\\HP\\HP Software Update\\hpwucli.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\smart web printing\\SmartWebPrintExe.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"57275:TCP"= 57275:TCP:pando Media Booster
"57275:UDP"= 57275:UDP:pando Media Booster
"5353:UDP"= 5353:UDP:Bonjour

R0 nipbcfk;National Instruments Class Upper Filter Driver;c:\windows\system32\drivers\nipbcfk.sys [7/10/2007 9:08 PM 15448]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [8/4/2010 7:08 PM 165584]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [8/4/2010 7:08 PM 17744]
R2 ni488enumsvc;NI-488.2 Enumeration Service;c:\windows\system32\nipalsm.exe [2/16/2007 12:21 PM 12696]
R2 nidevldu;NI Device Loader;c:\windows\system32\nipalsm.exe [2/16/2007 12:21 PM 12696]
R2 nipxirmk;nipxirmk;c:\windows\system32\drivers\nipxirmkl.sys [2/22/2007 1:18 PM 11552]
R2 NiViPxiK;NI-VISA PXI Driver;c:\windows\system32\drivers\NiViPxiKl.sys [7/19/2007 12:56 PM 11360]
R2 TabletServicePen;TabletServicePen;c:\windows\system32\Pen_Tablet.exe [7/16/2008 2:30 PM 3032360]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [6/28/2008 4:40 PM 24652]
R3 nidimk;nidimk;c:\windows\system32\drivers\nidimkl.sys [7/12/2007 7:18 PM 11360]
R3 nimru2k;nimru2k;c:\windows\system32\drivers\nimru2kl.sys [7/24/2007 1:19 PM 11360]
R3 nimstsk;nimstsk;c:\windows\system32\drivers\nimstskl.sys [7/13/2007 9:00 PM 11360]
R3 wacmoumonitor;Wacom Mode Helper;c:\windows\system32\drivers\wacmoumonitor.sys [7/16/2008 2:30 PM 15144]
S2 EZWINIT;EZWINIT;c:\windows\system32\drivers\ezwinit.sys [6/6/2005 10:18 AM 14494]
S2 EZWRITER;EZWRITER;c:\windows\system32\drivers\ezwriter.sys [1/12/2006 4:09 PM 12544]
S2 gupdate1c8e2652b6be648;Google Update Service (gupdate1c8e2652b6be648);c:\program files\Google\Update\GoogleUpdate.exe [7/17/2008 12:27 PM 133104]
S2 SSPORT;SSPORT;\??\c:\windows\system32\Drivers\SSPORT.sys --> c:\windows\system32\Drivers\SSPORT.sys [?]
S3 EloBus;Elobus Filter Driver;c:\windows\system32\drivers\EloBus.sys [12/26/2007 9:56 AM 14848]
S3 elomoufiltr;ELO TouchSystems-SRV2;c:\windows\system32\drivers\EloFiltr.sys [12/26/2007 9:56 AM 28160]
S3 EloSer;Elo Serial Driver;c:\windows\system32\drivers\EloSer.Sys [12/26/2007 9:56 AM 81408]
S3 EloUsb;ELO TouchSystems-SRV;c:\windows\system32\drivers\EloUsb.sys [12/26/2007 9:56 AM 66560]
S3 FXDRV;FXDRV;\??\e:\fxdrv.sys --> e:\Fxdrv.sys [?]
S3 LJ_Usb;LabJack USB Driver;c:\windows\system32\drivers\LabJackusb.sys [7/6/2007 1:23 PM 25654]
S3 lvalarmk;lvalarmk;c:\windows\system32\drivers\lvalarmk.sys [1/11/2007 11:18 AM 20256]
S3 ni1006k;NI PXI-1006 Chassis Pilot;c:\windows\system32\drivers\ni1006k.sys [2/22/2007 1:40 PM 25888]
S3 ni1045k;NI PXI-1045 Chassis Pilot;c:\windows\system32\drivers\ni1045kl.sys [2/22/2007 1:43 PM 11552]
S3 ni1065k;NI PXIe-1065 Chassis Pilot;c:\windows\system32\drivers\ni1065k.sys [5/25/2007 2:26 PM 22360]
S3 ni488lock;NI-488.2 Locking Service;c:\windows\system32\drivers\ni488lock.sys [2/26/2007 1:40 PM 16672]
S3 nicdrk;nicdrk;c:\windows\system32\drivers\nicdrkl.sys [7/15/2007 6:44 PM 11352]
S3 nidmxfk;nidmxfk;c:\windows\system32\drivers\nidmxfkl.sys [7/13/2007 11:38 PM 11336]
S3 nidsark;nidsark;c:\windows\system32\drivers\nidsarkl.sys [7/19/2007 4:06 AM 11344]
S3 niemrk;niemrk;c:\windows\system32\drivers\niemrkl.sys [7/24/2007 8:37 PM 11336]
S3 niesrk;niesrk;c:\windows\system32\drivers\niesrkl.sys [7/24/2007 8:37 PM 11336]
S3 nifslk;nifslk;c:\windows\system32\drivers\nifslkl.sys [7/15/2007 7:31 PM 11352]
S3 nimsdrk;nimsdrk;c:\windows\system32\drivers\nimsdrkl.sys [7/18/2007 11:47 AM 11392]
S3 nimslk;nimslk;c:\windows\system32\drivers\nimslk.dll [6/21/2007 1:19 AM 14464]
S3 nimsrlk;nimsrlk;c:\windows\system32\drivers\nimsrlk.dll [6/21/2007 1:19 AM 151683]
S3 nimxpk;nimxpk;c:\windows\system32\drivers\nimxpkl.sys [7/13/2007 9:01 PM 11368]
S3 ninshsdk;ninshsdk;c:\windows\system32\drivers\ninshsdkl.sys [7/19/2007 2:49 PM 11360]
S3 nipalfwedl;nipalfwedl;c:\windows\system32\drivers\nipalfwedl.sys [7/18/2007 10:11 PM 11904]
S3 nipalusbedl;nipalusbedl;c:\windows\system32\drivers\nipalusbedl.sys [7/18/2007 10:12 PM 11896]
S3 nipxigpk;NI PXI Generic Chassis Pilot;c:\windows\system32\drivers\nipxigpk.sys [2/22/2007 1:45 PM 20768]
S3 niscdk;niscdk;c:\windows\system32\drivers\niscdkl.sys [7/19/2007 3:32 AM 11376]
S3 nisdigk;nisdigk;c:\windows\system32\drivers\nisdigkl.sys [7/17/2007 1:27 AM 11352]
S3 nisftk;nisftk;c:\windows\system32\drivers\nisftkl.sys [7/16/2007 1:52 PM 11344]
S3 nispdk;nispdk;c:\windows\system32\drivers\nispdkl.sys [7/19/2007 3:32 AM 11376]
S3 nissrk;nissrk;c:\windows\system32\drivers\nissrkl.sys [7/24/2007 8:37 PM 11336]
S3 nistc2k;nistc2k;c:\windows\system32\drivers\nistc2kl.sys [7/15/2007 5:48 PM 11312]
S3 nistcrk;nistcrk;c:\windows\system32\drivers\nistcrkl.sys [7/15/2007 6:50 PM 11360]
S3 niswdk;niswdk;c:\windows\system32\drivers\niswdkl.sys [7/17/2007 5:18 AM 11336]
S3 nitiork;nitiork;c:\windows\system32\drivers\nitiorkl.sys [7/18/2007 11:15 PM 11360]
S3 NiViFWK;NI-VISA FireWire Driver;c:\windows\system32\drivers\NiViFWKl.sys [7/19/2007 12:48 PM 11384]
S3 NiViPciK;NI-VISA PCI Driver;c:\windows\system32\drivers\NiViPciKl.sys [7/19/2007 12:56 PM 11360]
S3 niwfrk;niwfrk;c:\windows\system32\drivers\niwfrkl.sys [7/24/2007 8:37 PM 11336]
S3 nixsrk;nixsrk;c:\windows\system32\drivers\nixsrkl.sys [7/24/2007 8:38 PM 11336]
S3 nixsrkw;nixsrkw;c:\windows\system32\drivers\nixsrkw.sys [7/24/2007 8:38 PM 11336]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 usb6xxxk;usb6xxxk;\??\c:\windows\system32\drivers\usb6xxxkl.sys --> c:\windows\system32\drivers\usb6xxxkl.sys [?]
S4 dacfddfcadbca;09d248a3323fd52eedfcb4187aac582b;c:\windows\dacfddfcadbca.exe /s --> c:\windows\dacfddfcadbca.exe [?]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [4/6/2008 11:24 PM 721904]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - NIPALK

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ HPSLPSVC
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2010-10-22 c:\windows\Tasks\Auslogics Console Defragmentation.job
- c:\program files\Auslogics\Auslogics BoostSpeed\cdefrag.exe [2010-01-10 01:44]

2010-10-23 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2008-07-17 21:22]

2010-10-23 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2008-07-17 21:22]

2010-10-23 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1390067357-1767777339-839522115-1003Core.job
- c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-11-08 12:05]

2010-10-23 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1390067357-1767777339-839522115-1003UA.job
- c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-11-08 12:05]

2010-10-23 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-1390067357-1767777339-839522115-1003.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 05:09]

2010-10-21 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-1390067357-1767777339-839522115-1003.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 05:09]

2010-10-23 c:\windows\Tasks\VersionCheck.job
- c:\documents and settings\All Users\Application Data\WSTB\drv8.0.3.exe [2010-10-20 15:37]

2010-01-12 c:\windows\Tasks\videopadSevenDaysInit.job
- c:\program files\NCH Software\VideoPad\videopad.exe [2010-01-12 05:12]

2010-05-04 c:\windows\Tasks\videopadShakeIcon.job
- c:\program files\NCH Software\VideoPad\videopad.exe [2010-01-12 05:12]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
IE: Free YouTube to Mp3 Converter - c:\documents and settings\Owner\Application Data\DVDVideoSoftIEHelpers\youtubetomp3.htm
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\64rcuxax.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT1396957&SearchSource=3&q=
FF - prefs.js: browser.search.selectedEngine - Web Search
FF - prefs.js: browser.startup.homepage - hxxp://en-US.start2.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:eek:fficial
FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&query=
FF - component: c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\64rcuxax.default\extensions\{f592709f-ff4a-4862-b659-4afabda56312}\components\FFExternalAlert.dll
FF - component: c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\64rcuxax.default\extensions\{f592709f-ff4a-4862-b659-4afabda56312}\components\RadioWMPCore.dll
FF - component: c:\program files\Google\Google Gears\Firefox\lib\ff35\gears.dll
FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpClipBook.dll
FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpClipBookDB.dll
FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpNeoLogger.dll
FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpSaturn.dll
FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpSmartSelect.dll
FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpSmartWebPrinting.dll
FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpSWPOperation.dll
FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpXPLogging.dll
FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpXPMTC.dll
FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpXPMTL.dll
FF - component: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\components\hpXREStub.dll
FF - component: c:\program files\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}\components\SkypeFfComponent.dll
FF - component: c:\program files\PayPal\PayPal Plug-In\components\PayPalPlugin.dll
FF - plugin: c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll
FF - plugin: c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\64rcuxax.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll
FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3\plugins\nphpclipbook.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPLV80Win32.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPLV82Win32.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\nplv85win32.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npMozCouponPrinter.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npPandoWebInst.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\OverTheEdge\Unity\WebPlayer\loader\npUnityWeb32.dll
FF - plugin: c:\program files\Sony\Media Go\npmediago.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: d:\program files\iTunes\Mozilla Plugins\npitunes.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: browser.search.selectedEngine - Search
FF - user.js: browser.search.order.1 - Search
FF - user.js: keyword.URL - hxxp://search.fast-find.net/?sid=10101066100&s=
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.search.param.search-clsid", "{042BEB8A-AFDF-44C7-961E-6D5D7A8E55A7}");
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-Ahofoteho - c:\windows\icayitegigusobo.dll
AddRemove-Cave Story Deluxe - f:\cave_story_deluxe\Uninstal.exe
AddRemove-EloTouchscreen - c:\program files\EloTouchSystems\EloSetup
AddRemove-M2416447 - c:\windows\Microsoft.NET\Framework\v1.1.4322\Updates\hotfix.exe
AddRemove-M928367 - c:\windows\Microsoft.NET\Framework\v1.0.3705\Updates\hotfix.exe
AddRemove-M979906 - c:\windows\Microsoft.NET\Framework\v1.1.4322\Updates\hotfix.exe
AddRemove-pepakura_designer2_en - f:\pepakura\epuninst.exe
AddRemove-Ragnarok Online - c:\windows\IFinst27.exe
AddRemove-Ragnarok Sakray - c:\windows\IFinst27.exe
AddRemove-Sonic 3D - f:\sonic3dpc\directx\setup
AddRemove-StepMania - f:\stepmania\uninstall.exe
AddRemove-Super Card_is1 - f:\supercard lite\SC\unins000.exe
AddRemove-_{0C180787-F8C8-42FD-A9D3-689BA44BEAAF} - d:\corel painter essentials 3\MSILauncher {0C180787-F8C8-42FD-A9D3-689BA44BEAAF}
AddRemove-Advanced Archive Password Recovery - c:\documents and settings\Owner\Desktop\STUFF\rarpasscrack\Advanced Archive Password Recovery\uninstall.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-10-22 21:23
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1390067357-1767777339-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{5AFADB1B-327F-CFDA-C903-91EC12F1671A}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"iadmfakclipfcffjbe"=hex:6a,61,6e,68,6e,6b,63,6b,63,6e,6e,6b,63,70,61,6d,6f,6d,
6f,69,00,f1
"hajkpaihflpjiodd"=hex:6a,61,61,69,6b,6b,63,64,66,6c,6f,6d,66,6a,6c,61,6b,6c,
6e,70,00,00

[HKEY_USERS\S-1-5-21-1390067357-1767777339-839522115-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:b9,90,01,6b,c6,fc,7a,94,a1,68,01,47,4e,4d,a6,68,f8,96,91,1c,7d,e6,23,
23,17,0d,a7,86,ec,2e,5f,50,ba,6f,60,cb,74,58,1e,d0,09,35,02,02,05,c2,d6,e9,\
"??"=hex:5d,2e,bc,00,9b,07,bc,9c,34,34,87,88,c9,ab,ca,0d
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1032)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(4852)
c:\windows\system32\WININET.dll
c:\progra~1\WINDOW~3\wmpband.dll
c:\windows\system32\ieframe.dll
c:\program files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\msi.dll
.
Completion time: 2010-10-22 21:25:38
ComboFix-quarantined-files.txt 2010-10-23 04:25

Pre-Run: 15,257,300,992 bytes free
Post-Run: 15,209,902,080 bytes free

- - End Of File - - 23FE633A1F54D4ADFE824BE10B7589F6
 
Okay, a couple of things: You don't need to put the logs in Quotes. This actually cuts down on the screen space available.

Run the script below, save the logs as instructed and include it in the next reply. When you have finished, please go on to my next reply with online AV scan instructions. I followed that with some comments and suggestions.

Please run this Custom CFScript


  • [1]. Close any open browsers.
    [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    [3]. Open notepad and copy/paste the text in the code below into it:
Code:
File::
e:\fxdrv.sys
c:\windows\system32\drivers\usb6xxxkl.sys
c:\windows\dacfddfcadbca.exe /s
c:\windows\system32\GameMon.des -service

Extra::
File::
c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
Firefox::
Firefox-: - Profile- c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\64rcuxax.default\
Firefox-: prefs.js - SEARCH.DEFAULTURL 

RegNull::
[HKEY_USERS\S-1-5-21-1390067357-1767777339-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{5AFADB1B-327F-CFDA-C903-91EC12F1671A}*]
[HKEY_USERS\S-1-5-21-1390067357-1767777339-839522115-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]

Driver::
FXDRV
usb6xxxk
dacfddfcadbca
npggsvc
Save this as CFScript.txt, in the same location as ComboFix.exe
CFScriptB-4.gif


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt . Please paste it into your next reply.

Please go on to the next reply.
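Entries like the ones named in the script's Driver:: section stand out in the Services/Drivers part of the log above: the binary is reported as missing ([?]), the display name is a bare hex string, or the service name is a run of hex-alphabet letters. As an added example that is not part of this thread or of ComboFix, the same checks can be run over that section of a log; the sample lines are constructed copies of entries from the log above, and the heuristics are assumptions of this example.

```python
import re

# Constructed sample lines modelled on the ComboFix "Services/Drivers" section
# in the log above (same fields, including the entries the CFScript names).
SAMPLE_LINES = r"""
S3 nipxigpk;NI PXI Generic Chassis Pilot;c:\windows\system32\drivers\nipxigpk.sys [2/22/2007 1:45 PM 20768]
S3 niwfrk;niwfrk;c:\windows\system32\drivers\niwfrkl.sys [7/24/2007 8:37 PM 11336]
S3 usb6xxxk;usb6xxxk;\??\c:\windows\system32\drivers\usb6xxxkl.sys --> c:\windows\system32\drivers\usb6xxxkl.sys [?]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
S4 dacfddfcadbca;09d248a3323fd52eedfcb4187aac582b;c:\windows\dacfddfcadbca.exe /s --> c:\windows\dacfddfcadbca.exe [?]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [4/6/2008 11:24 PM 721904]
"""

# "<start type> <service name>;<display name>;<image path(s)> [<timestamp size> | ?]"
ENTRY_RE = re.compile(r"^(?P<start>[SR][0-4]) (?P<name>[^;]+);(?P<desc>[^;]*);(?P<rest>.*)$")
PATH_RE = re.compile(r"[a-z]:\\[^\[]*?\.(?:sys|exe|dll|des)", re.IGNORECASE)


def parse_entry(line):
    """Split one service/driver line into its fields; returns None for non-entries."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest")
    paths = PATH_RE.findall(rest)          # the resolved path is the last one listed
    info = rest[rest.rfind("[") + 1:-1] if rest.endswith("]") else ""
    return {"start": m.group("start"), "name": m.group("name"),
            "desc": m.group("desc"), "path": paths[-1] if paths else "", "info": info}


def triage(entry):
    """Heuristic reasons an entry deserves a closer look (each is a hint, not proof)."""
    reasons = []
    if entry["info"] == "?":
        reasons.append("binary not found on disk at scan time")
    if re.fullmatch(r"[0-9a-f]{32}", entry["desc"]):
        reasons.append("display name is a bare 32-hex string instead of a product name")
    if re.fullmatch(r"[a-f]{10,}", entry["name"]):
        reasons.append("service name is a long run of a-f letters (hex-alphabet random name)")
    if entry["path"].rsplit("\\", 1)[0].lower() == r"c:\windows":
        reasons.append("image sits directly in c:\\windows, not in a drivers or program folder")
    return reasons


def rank_entries(text):
    """Return [(name, reasons)] for flagged entries, most suspicious first."""
    entries = [e for e in map(parse_entry, text.splitlines()) if e]
    flagged = [(e["name"], triage(e)) for e in entries if triage(e)]
    return sorted(flagged, key=lambda item: -len(item[1]))


if __name__ == "__main__":
    for name, reasons in rank_entries(SAMPLE_LINES):
        print(f"{name}: {'; '.join(reasons)}")
```

Legitimate but unusual entries (the short NI driver names, or a GameGuard service whose binary is absent) will also be flagged, so the output is a review list, not a removal list.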
 
Following the run of the script in Combofix:
Run Eset NOD32 Online AntiVirus scan HERE: http://www.eset.eu/online-scanner
  1. Tick the box next to YES, I accept the Terms of Use.
  2. Click Start
  3. When asked, allow the Active X control to install
  4. Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
  5. Click Start
  6. Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
  7. Click Scan
  8. Wait for the scan to finish
  9. Re-enable your Antivirus software.
  10. A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.
============================================
Freez Online TV Toolbar
You have several Registry processes loading the Freez Online TV Toolbar for BHO (Browser Helper Object), Toolbar and 'Shell Execute Hooks' (SH). This type of toolbar, Conduit toolbars are reputed to have a certain trackware functionality. The name of the program and site, Free-Downloads.net, is all for freeware and shareware. While the program itself is legitimate, most of these programs are bundled with a generous amount of adware and some with spyware. I recommend that this be removed. I can do most of it using script again in Combofix.

National Instruments Driver Software
It looks like you installed a large number of drivers for National Instruments Driver Software in July of 2007. It has been known to cause Blue Screen or Continuous Reboots. This is legitimate software but requires a great number of drivers to run. You can read more about that on their Knowledge Base HERE. Consider removing these entries unless you are still actively using them. I can also do that with script.

hotfix.exe
Hotfix.exe wasn't running when I opened taskmanager, and the location of it is also different from what you said it was: mine are in C:\WINDOWS\Microsoft.NET\Framework\v1.0.3705\Updates and " "\v.1.1.4332\Updates. Should I still delete them?
No, these are legitimate processes. This is not the same process; that one would have been located in this folder: C:\Documents and Settings\User\Application Data\hotfix.exe. It is possible that the malware hotfix.exe didn't start in Safe Mode.

Scheduled Tasks
Most of these are usually auto-updates scheduled for programs that do not need them. They will make numerous internet connections every day, looking for updates that you can find manually. You want to keep these connection attempts as few as possible and then only if needed for the system. The only auto-update I get is for the AV program.
Opening scheduled tasks to modify or delete them:
Access Scheduled Tasks with Click on Start> All Programs> Accessories> System Tools> Scheduled Tasks.
To change the settings for a task: right-click the Task> click Properties> do any of the following:
  1. To change the schedule for the task, click the Schedule tab.
  2. To customize the settings for the task, such as the maximum run time, idle time requirements, and power management options, click the Settings tab.
  3. To delete a task> right-click the task> click Delete.
  4. To prevent a task from running until you want to let it run again> right-click the task> Properties> On the General tab> clear the Enabled check box. Select the check box again to enable the task when you are ready to let the task scheduler run it again.

Suggest deleting these tasks:
RealUpgradeScheduledTask
RealUpgradeLogonTask
VersionCheck.job
c:\documents and settings\All Users\Application Data\WSTB\drv8.0.3.exe> radio station
These last 2 are part of the NCH Software for "Video Converter, Capture Streaming Video, Video Broadcast Software and more..."
videopadSevenDaysInit.
videopadShakeIcon


Maintenance scheduled tasks are a separate category.
====================================
One more scan after this and you should be okay.
 