IE hijacked, 4 spyware program later, need help with hijackthis log


8 replies to this topic

#1 dsapper

  • Members
  • 4 posts

Posted 11 February 2009 - 09:13 PM

As the title states, I've run Webroot Spy Sweeper, Ad-Aware, Spyware Doctor, Windows Defender, and Ashampoo AntiSpyware lol. I have found nothing except for some cookies. It's sporadic, but it redirects searches only to yellowpages.com etc., nothing when I put the direct address in the bar, and no issues when I use Firefox, Safari etc.

I downloaded and ran HijackThis and wanted to see if anyone could translate the log for me and point me in the right direction. I also renamed HijackThis to scanner.exe before I ran it; I heard that some spyware can avoid the program if you don't do that /shrug

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:02:17 PM, on 2/11/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
H:\WINDOWS\System32\smss.exe
H:\WINDOWS\system32\winlogon.exe
H:\WINDOWS\system32\services.exe
H:\WINDOWS\system32\lsass.exe
H:\WINDOWS\system32\svchost.exe
H:\WINDOWS\System32\svchost.exe
H:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
H:\WINDOWS\system32\spoolsv.exe
H:\WINDOWS\Explorer.EXE
H:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
H:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
H:\PROGRA~1\Grisoft\AVG7\avgemc.exe
H:\WINDOWS\eHome\ehRecvr.exe
H:\WINDOWS\eHome\ehSched.exe
H:\Program Files\LogMeIn\x86\RaMaint.exe
H:\PROGRA~1\Grisoft\AVG7\avgcc.exe
H:\WINDOWS\stsystra.exe
H:\WINDOWS\system32\RUNDLL32.EXE
H:\Program Files\LogMeIn\x86\LogMeIn.exe
H:\Program Files\LogMeIn\x86\LogMeInSystray.exe
H:\Program Files\LogMeIn\x86\LMIGuardian.exe
H:\Program Files\LogMeIn\x86\LMIGuardian.exe
H:\Program Files\Common Files\Real\Update_OB\realsched.exe
H:\WINDOWS\system32\nvsvc32.exe
H:\WINDOWS\System32\visualtasktips.exe
H:\Program Files\CyberLink\Shared files\RichVideo.exe
H:\WINDOWS\system32\ctfmon.exe
H:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
H:\WINDOWS\system32\dllhost.exe
H:\WINDOWS\System32\svchost.exe
H:\Program Files\Internet Explorer\IEXPLORE.EXE
H:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
H:\Program Files\Internet Explorer\iexplore.exe
H:\Program Files\Adobe\Acrobat 7.0\Acrobat\Acrobat.exe
H:\WINDOWS\system32\svchost.exe
H:\Program Files\Reynolds\ERALink\ERALink32.exe
H:\PROGRA~1\Reynolds\ERALink\wIntegSm.exe
H:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
H:\Program Files\Internet Explorer\iexplore.exe
H:\WINDOWS\system32\wuauclt.exe
H:\WINDOWS\system32\msiexec.exe
H:\WINDOWS\system32\SearchIndexer.exe
H:\WINDOWS\system32\wuauclt.exe
H:\Program Files\Internet Explorer\IEXPLORE.EXE
H:\WINDOWS\system32\SearchProtocolHost.exe
H:\WINDOWS\Explorer.EXE
H:\Program Files\Trend Micro\HijackThis\SCANNER.exe
H:\Program Files\Webroot\Spy Sweeper\SSU.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - H:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: D - {23E8FFB5-C109-3207-8BDF-01CFDAD3700D} - H:\WINDOWS\system32\gl30372.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - H:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - H:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - H:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - H:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: QT TabBar - {d2bf470e-ed1c-487f-a333-2bd8835eb6ce} - mscoree.dll (file missing)
O3 - Toolbar: QT Tab Standard Buttons - {D2BF470E-ED1C-487F-A666-2BD8835EB6CE} - mscoree.dll (file missing)
O3 - Toolbar: QT Breadcrumbs Address Bar - {af83e43c-dd2b-4787-826b-31b17dee52ed} - mscoree.dll (file missing)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - H:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Windows Defender] "H:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [AVG7_CC] "H:\PROGRA~1\Grisoft\AVG7\avgcc.exe" /STARTUP
O4 - HKLM\..\Run: [SigmatelSysTrayApp] "H:\WINDOWS\stsystra.exe"
O4 - HKLM\..\Run: [NvCplDaemon] "H:\WINDOWS\system32\RUNDLL32.EXE" H:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] "H:\WINDOWS\system32\nwiz.exe" /install
O4 - HKLM\..\Run: [NvMediaCenter] "H:\WINDOWS\system32\RUNDLL32.EXE" H:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [LogMeIn GUI] "H:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "H:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [TkBellExe] "H:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "H:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SpySweeper] H:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray
O4 - HKCU\..\Run: [VisualTaskTips] "H:\WINDOWS\System32\visualtasktips.exe"
O4 - HKCU\..\Run: [ctfmon.exe] "H:\WINDOWS\system32\ctfmon.exe"
O4 - HKUS\S-1-5-20\..\Run: [MsnMsgr] "H:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [UltimateServices] H:\WINDOWS\System32\ultsvcs.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [VisualTaskTips] H:\WINDOWS\System32\visualtasktips.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [TopDesk] H:\WINDOWS\System32\topdesk.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [MsnMsgr] "H:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MsnMsgr] "H:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'Default user')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = H:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O8 - Extra context menu item: Convert link target to Adobe PDF - res://H:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://H:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://H:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://H:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://H:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://H:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://H:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://H:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://H:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - H:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - H:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - H:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - H:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - H:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - H:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - H:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownlo.../sysreqlab2.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/flas...ent/swflash.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - H:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - H:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - H:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - H:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - H:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - H:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - H:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - H:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - H:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - H:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - H:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. (www.webroot.com) - H:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 10851 bytes

Any help would be appreciated, thanks
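The log above is the kind of thing a helper reads by eye: which O2/O3 entries point at files that no longer exist, which autoruns load from System32 under names that look generated, which services have no recorded publisher. As an added example (not part of the original post, and not code from HijackThis or BleepingComputer), the script below parses HijackThis 2.x entry lines and applies those checks mechanically. The sample lines are copied from the posted log; the regular expressions, the "random-looking name" pattern, the two-item allowlist and the service-account hive list are assumptions made for illustration. A flag means "look this up", not "this is malware": orphaned `(file missing)` entries in particular are often harmless leftovers.

```python
"""Triage helper for Trend Micro HijackThis 2.x logs (added example, not HijackThis code).
Parses the "Onn - ..." entry lines and flags what a log reader checks first."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Sample input: a subset of the entry lines from the log posted above.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - H:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: D - {23E8FFB5-C109-3207-8BDF-01CFDAD3700D} - H:\WINDOWS\system32\gl30372.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: QT TabBar - {d2bf470e-ed1c-487f-a333-2bd8835eb6ce} - mscoree.dll (file missing)
O4 - HKLM\..\Run: [AVG7_CC] "H:\PROGRA~1\Grisoft\AVG7\avgcc.exe" /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] "H:\WINDOWS\system32\ctfmon.exe"
O4 - HKUS\S-1-5-20\..\Run: [UltimateServices] H:\WINDOWS\System32\ultsvcs.exe (User 'NETWORK SERVICE')
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - H:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - H:\Program Files\LogMeIn\x86\LogMeIn.exe
"""

ENTRY_RE = re.compile(r"^(?P<kind>[RFNO]\d{1,2}) - (?P<body>.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")
# First drive-letter path ending in a loadable module; HJT quotes paths inconsistently.
PATH_RE = re.compile(r'"?([A-Za-z]:\\[^"()]*?\.(?:dll|exe))"?', re.IGNORECASE)
# Heuristic (assumption): 1-4 letters followed by 4-6 digits, e.g. gl30372.dll.
RANDOM_NAME_RE = re.compile(r"^[a-z]{1,4}\d{4,6}\.(?:dll|exe)$", re.IGNORECASE)
SYSTEM_DIRS = ("\\windows\\system32\\", "\\windows\\system\\")
SERVICE_HIVES = {"S-1-5-18", "S-1-5-19", "S-1-5-20"}  # SYSTEM, LOCAL SERVICE, NETWORK SERVICE
USER_HIVE_RE = re.compile(r"HKUS\\(S-1-5-\d+)\\")
# Tiny allowlist for the demo; a real check would verify the binary's signature instead.
KNOWN_SYSTEM32_AUTORUNS = {"ctfmon.exe", "rundll32.exe"}


@dataclass
class Entry:
    kind: str                 # O2, O3, O4, O23, ...
    body: str                 # everything after "Onn - "
    clsid: Optional[str]
    path: Optional[str]
    filename: Optional[str]


@dataclass
class Finding:
    kind: str
    key: str                  # filename, else CLSID, else the raw body
    reasons: List[str]


def parse_log(text: str) -> List[Entry]:
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue  # header lines, "Running processes:" block, blanks
        body = m.group("body")
        clsid = CLSID_RE.search(body)
        path = PATH_RE.search(body)
        p = path.group(1) if path else None
        entries.append(Entry(m.group("kind"), body,
                             clsid.group(0) if clsid else None,
                             p, p.rsplit("\\", 1)[-1] if p else None))
    return entries


def triage(e: Entry) -> List[str]:
    reasons = []
    low = e.body.lower()
    if "(no file)" in low or "(file missing)" in low:
        reasons.append("HijackThis reports the registered component file as missing")
    if e.path:
        in_sysdir = any(d in e.path.lower() for d in SYSTEM_DIRS)
        if in_sysdir and RANDOM_NAME_RE.match(e.filename):
            reasons.append("random-looking filename in a Windows system directory")
        if e.kind == "O4" and in_sysdir and e.filename.lower() not in KNOWN_SYSTEM32_AUTORUNS:
            reasons.append("autorun of a non-inbox executable living in System32")
    if e.kind == "O2":
        name = e.body.split(" - ", 1)[0].split(":", 1)[-1].strip()
        if len(name) <= 2:
            reasons.append(f"BHO with a near-empty display name {name!r}")
    if e.kind == "O4":
        hive = USER_HIVE_RE.search(e.body)
        if hive and hive.group(1) in SERVICE_HIVES:
            # Noisy on its own: per-user software lands here too, so weigh with the checks above.
            reasons.append(f"Run key under service-account hive {hive.group(1)}")
    if e.kind == "O23" and "unknown owner" in low:
        reasons.append("service binary with no recorded publisher; check its signature")
    return reasons


def report(text: str) -> List[Finding]:
    """Return one Finding per entry that tripped at least one heuristic."""
    findings = []
    for e in parse_log(text):
        reasons = triage(e)
        if reasons:
            findings.append(Finding(e.kind, e.filename or e.clsid or e.body, reasons))
    return findings


if __name__ == "__main__":
    for f in report(SAMPLE_LOG):
        print(f"{f.kind:>3}  {f.key}")
        for r in f.reasons:
            print(f"       - {r}")
```

Run against the sample, the Acrobat BHO, the AVG and ctfmon autoruns and the LogMeIn service pass cleanly, while the one-letter BHO in System32, the two orphaned entries, the NETWORK SERVICE autorun and the unsigned-owner service come out for review. The CLSID is captured so each flagged component can be looked up before anything is removed; deciding what to fix is still the helper's call, not the script's.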


#2 miekiemoes

    Malware Killer Dog

  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 12 February 2009 - 02:02 AM

Hi,

* Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Post the log from ComboFix in your next reply.

Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix. This is because security software may see some components ComboFix uses (prep.com for example) as suspicious and block the tool, or even delete it. Please visit HERE if you don't know how.

#3 dsapper
  • Topic Starter

  • Members
  • 4 posts

Posted 12 February 2009 - 01:11 PM

Thanks for your help so far. I disabled every virus/spyware program I have. A few were still running in the Task Manager (AVG and Ad-Aware only, actually), so I closed those out but left every other process running. Here is the log, I hope you can figure something out... thanks in advance

ComboFix 09-02-11.03 - Abomination 2009-02-12 8:48:59.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3582.3080 [GMT -8:00]
Running from: h:\users\Abomination\Desktop\ComboFix.exe
AV: AVG 7.5.552 *On-access scanning disabled* (Updated)
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

h:\windows\system32\bin
h:\windows\system32\bin\brutalchess.exe
h:\windows\system32\bin\freetype6.dll
h:\windows\system32\bin\jpeg.dll
h:\windows\system32\bin\libpng12.dll
h:\windows\system32\bin\libtiff.dll
h:\windows\system32\bin\Microsoft.VC80.CRT\Microsoft.VC80.CRT.manifest
h:\windows\system32\bin\Microsoft.VC80.CRT\msvcm80.dll
h:\windows\system32\bin\Microsoft.VC80.CRT\msvcp80.dll
h:\windows\system32\bin\Microsoft.VC80.CRT\msvcr80.dll
h:\windows\system32\bin\SDL.dll
h:\windows\system32\bin\SDL_image.dll
h:\windows\system32\bin\zlib1.dll
h:\windows\system32\Updater.exe

.
((((((((((((((((((((((((( Files Created from 2009-01-12 to 2009-02-12 )))))))))))))))))))))))))))))))
.

2019-09-25 14:40 . 2019-09-25 14:40 20,480 --a------ h:\windows\system32\APITypes.dll
2009-02-11 18:01 . 2009-02-11 18:01 <DIR> d-------- h:\program files\Trend Micro
2009-02-11 10:06 . 2009-02-11 10:06 <DIR> d-------- h:\users\Abomination\OneNote Notebooks
2009-02-11 10:06 . 2009-02-11 10:06 <DIR> d-------- h:\users\Abomination\OneNote Notebooks
2009-02-11 09:07 . 2009-02-11 09:07 101 --a------ h:\windows\OPHE.ini
2009-02-07 20:30 . 2009-02-07 20:30 <DIR> d-------- h:\users\Abomination\Application Data\TuneUp Software
2009-02-07 20:30 . 2009-02-07 20:31 <DIR> d-------- h:\program files\TuneUp Utilities 2006
2009-02-07 20:30 . 2006-10-05 19:26 24,072 --a------ h:\windows\system32\uxtuneup.dll
2009-02-07 20:29 . 2009-02-07 20:29 <DIR> d-------- h:\users\All Users\Application Data\TuneUp Software
2009-02-07 20:28 . 2009-02-07 20:28 8 -r-hs---- h:\windows\system32\5CA6B4F465.sys
2009-02-07 20:27 . 2009-02-07 20:27 <DIR> d-------- h:\program files\Ashampoo
2009-02-07 20:26 . 2009-02-07 20:26 <DIR> d-------- h:\program files\Common Files\xing shared
2009-02-07 20:25 . 2009-02-07 20:25 <DIR> d-------- h:\program files\Real
2009-02-07 20:25 . 2009-02-07 20:26 <DIR> d-------- h:\program files\Common Files\Real
2009-02-07 20:24 . 2009-02-07 20:25 <DIR> d-------- h:\users\Abomination\PcSetup
2009-02-07 20:24 . 2009-02-07 20:25 <DIR> d-------- h:\users\Abomination\PcSetup
2009-02-07 20:24 . 2009-02-07 20:24 <DIR> d-------- h:\program files\DVDXCopyInternational
2009-02-07 20:24 . 2009-02-07 20:24 39,488 --a------ h:\windows\system32\drivers\Pcouffin.sys
2009-02-07 20:24 . 2001-03-08 18:30 24,064 --------- h:\windows\system32\msxml3a.dll
2009-02-07 20:23 . 2009-02-07 20:23 <DIR> d-------- h:\program files\DAEMON Tools
2009-02-07 20:22 . 2009-02-07 20:23 <DIR> d-------- h:\program files\XP Codec Pack
2009-02-07 20:22 . 2009-02-07 20:24 <DIR> d-------- h:\program files\CyberLink
2009-02-07 20:20 . 2009-02-07 20:20 <DIR> d-------- h:\program files\Common Files\Logitech
2009-02-07 13:22 . 2009-02-11 17:51 1,374 --a------ h:\windows\imsins.BAK
2009-02-06 12:47 . 2009-02-06 12:47 178,688 --a------ h:\program files\KB50638.exe
2009-02-06 12:47 . 2009-02-06 12:47 172,032 --a------ h:\windows\system32\gl30372.dll
2009-02-06 10:55 . 2009-02-06 11:11 <DIR> d-------- h:\users\Abomination\SimCity 4
2009-02-06 10:55 . 2009-02-06 11:11 <DIR> d-------- h:\users\Abomination\SimCity 4
2009-02-06 10:32 . 2009-02-06 10:32 <DIR> d-------- h:\program files\Electronic Arts
2009-02-06 10:09 . 2009-02-06 10:09 532 --a------ h:\windows\eReg.dat
2009-02-06 10:08 . 2009-02-06 10:08 <DIR> d-------- h:\program files\Maxis
2009-02-06 09:49 . 2009-02-07 20:47 <DIR> d-------- h:\program files\Starcraft
2009-02-06 09:49 . 2009-02-06 09:53 94,208 --a------ h:\windows\ScUnin.exe
2009-02-06 09:49 . 2009-02-06 09:53 31,604 --a------ h:\windows\scunin.dat
2009-02-06 09:49 . 2009-02-06 09:53 967 --a------ h:\windows\ScUnin.pif
2009-02-06 08:05 . 2009-02-06 08:05 <DIR> d-------- h:\users\Abomination\OkiData
2009-02-06 08:05 . 2009-02-06 08:05 <DIR> d-------- h:\users\Abomination\OkiData
2009-02-06 08:04 . 2009-02-06 08:04 34,896 --a------ h:\windows\system32\OPHE_M00.cah
2009-02-06 08:04 . 2009-02-06 08:04 17,484 --a------ h:\windows\system32\OP5100V2.cah
2009-02-05 18:25 . 2009-02-05 18:25 <DIR> d-------- h:\users\All Users\Application Data\2DBoy
2009-02-05 18:24 . 2009-02-05 18:25 <DIR> d-------- h:\program files\WorldOfGoo
2009-02-05 17:26 . 2008-04-17 13:12 107,368 --a------ h:\windows\system32\GEARAspi.dll
2009-02-05 17:26 . 2008-04-17 13:12 15,464 --a------ h:\windows\system32\drivers\GEARAspiWDM.sys
2009-02-05 17:25 . 2009-02-05 17:26 <DIR> d-------- h:\users\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2009-02-05 17:25 . 2009-02-05 17:26 <DIR> d-------- h:\program files\iTunes
2009-02-05 17:25 . 2009-02-05 17:25 <DIR> d-------- h:\program files\iPod
2009-02-05 17:23 . 2009-02-05 17:25 <DIR> d-------- h:\users\All Users\Application Data\Apple Computer
2009-02-05 17:23 . 2009-02-05 17:24 <DIR> d-------- h:\program files\QuickTime
2009-02-05 17:21 . 2009-02-05 17:25 <DIR> d-------- h:\program files\Common Files\Apple
2009-02-05 16:34 . 2009-02-05 16:34 <DIR> d-------- h:\users\LocalService\Application Data\Webroot
2009-02-05 16:10 . 2009-02-05 16:16 <DIR> d-------- h:\program files\Enigma Software Group
2009-02-05 15:18 . 2009-02-05 15:18 <DIR> d-------- h:\users\All Users\Application Data\Webroot
2009-02-05 15:18 . 2009-02-05 15:18 <DIR> d-------- h:\users\Abomination\Application Data\Webroot
2009-02-05 15:18 . 2009-02-05 15:18 <DIR> d-------- h:\program files\Webroot
2009-02-05 15:18 . 2008-08-09 16:04 1,538,928 --a------ h:\windows\WRSetup.dll
2009-02-05 15:06 . 2009-02-05 15:14 <DIR> d-------- h:\users\All Users\Application Data\Lavasoft
2009-02-05 15:06 . 2009-02-05 15:06 <DIR> d-------- h:\program files\Lavasoft
2009-02-05 15:05 . 2009-02-07 20:29 <DIR> d-------- h:\program files\Common Files\Wise Installation Wizard
2009-02-05 14:41 . 2009-02-05 14:41 <DIR> d-------- h:\users\Abomination\Application Data\PC Tools
2009-02-05 14:41 . 2009-02-10 15:56 <DIR> d-------- h:\program files\Spyware Doctor
2009-02-05 14:41 . 2008-08-25 11:36 81,288 --a------ h:\windows\system32\drivers\iksyssec.sys
2009-02-05 14:41 . 2008-08-25 11:36 66,952 --a------ h:\windows\system32\drivers\iksysflt.sys
2009-02-05 14:41 . 2008-08-25 11:36 40,840 --a------ h:\windows\system32\drivers\ikfilesec.sys
2009-02-05 14:41 . 2008-06-02 15:19 29,576 --a------ h:\windows\system32\drivers\kcom.sys
2009-02-05 13:48 . 2009-02-05 16:36 <DIR> d-------- h:\users\Abomination\Application Data\AdobeUM
2009-02-05 13:36 . 2009-02-05 13:36 <DIR> d-------- h:\users\Abomination\Bioshock
2009-02-05 13:36 . 2009-02-05 13:36 <DIR> d-------- h:\users\Abomination\Bioshock
2009-02-05 13:10 . 2009-02-12 08:29 241 --a------ h:\windows\ODBC.INI
2009-02-05 13:09 . 2009-02-05 13:09 <DIR> d-------- h:\program files\Snapshot Viewer
2009-02-05 13:09 . 2009-02-05 13:11 <DIR> d-------- h:\program files\SalezTrack
2009-02-05 13:00 . 2009-02-05 13:00 <DIR> d-------- h:\program files\Citrix
2009-02-05 12:58 . 2009-02-05 12:58 <DIR> d-------- h:\users\Abomination\ERALink32
2009-02-05 12:58 . 2009-02-05 12:58 <DIR> d-------- h:\users\Abomination\ERALink32
2009-02-05 12:58 . 2009-02-05 12:58 60,744 --a------ h:\users\Abomination\g2mdlhlpx.exe
2009-02-05 12:58 . 2009-02-05 12:58 60,744 --a------ h:\users\Abomination\g2mdlhlpx.exe
2009-02-05 12:56 . 2009-02-05 12:56 <DIR> d-------- h:\users\All Users\Application Data\Reynolds
2009-02-05 12:56 . 2009-02-05 12:56 <DIR> d-------- h:\users\All Users\Application Data\IBM
2009-02-05 12:56 . 2009-02-05 12:56 <DIR> d-------- h:\program files\Reynolds
2009-02-05 12:56 . 2009-02-05 12:56 <DIR> d-------- h:\program files\Common Files\Reynolds
2009-02-05 12:55 . 2009-02-05 12:56 110 --a------ h:\windows\{34B85F58-4EA1-40F2-A658-DA3CE5D19820}_WiseFW.ini
2009-02-04 22:49 . 2009-02-04 22:49 <DIR> d-------- h:\users\All Users\Application Data\Fallout3
2009-02-04 22:49 . 2009-02-04 22:49 <DIR> d-------- h:\program files\Bethesda Softworks
2009-02-04 22:19 . 2009-02-04 22:42 <DIR> d-------- h:\program files\Bioshock
2009-02-04 21:30 . 2009-02-04 21:30 178,688 --a------ h:\program files\KB47614.exe
2009-02-04 21:30 . 2009-02-04 21:30 172,032 --a------ h:\windows\system32\wti29595.dll
2009-02-04 21:30 . 2009-02-04 21:30 172,032 --a------ h:\windows\system32\ti29595.dll
2009-02-04 20:53 . 2008-05-27 17:46 <DIR> dr------- h:\users\LogMeInRemoteUser.ABOMINAT-BCEBBD\Videos
2009-02-04 20:53 . 2008-05-27 17:45 <DIR> dr------- h:\users\LogMeInRemoteUser.ABOMINAT-BCEBBD\Pictures
2009-02-04 20:53 . 2008-03-30 16:13 <DIR> d--h----- h:\users\LogMeInRemoteUser.ABOMINAT-BCEBBD\My Stationery
2009-02-04 20:53 . 2008-03-30 16:13 <DIR> d--h----- h:\users\LogMeInRemoteUser.ABOMINAT-BCEBBD\My Received Files
2009-02-04 20:53 . 2008-05-27 17:45 <DIR> dr------- h:\users\LogMeInRemoteUser.ABOMINAT-BCEBBD\Music
2009-02-04 20:53 . 2008-03-30 16:13 <DIR> d--h----- h:\users\LogMeInRemoteUser.ABOMINAT-BCEBBD\Microsoft Games
2009-02-04 20:53 . 2008-05-27 17:45 <DIR> dr------- h:\users\LogMeInRemoteUser.ABOMINAT-BCEBBD\Downloads
2009-02-04 20:53 . 2008-05-27 17:45 <DIR> dr------- h:\users\LogMeInRemoteUser.ABOMINAT-BCEBBD\Documents
2009-02-04 20:53 . 2008-05-27 17:45 <DIR> dr-h----- h:\users\LogMeInRemoteUser.ABOMINAT-BCEBBD\Contacts
2009-02-04 20:53 . 2008-05-27 17:45 <DIR> d-a------ h:\users\LogMeInRemoteUser.ABOMINAT-BCEBBD\Application Data\TrueTransparency
2009-02-04 20:53 . 2008-05-27 17:45 <DIR> d-a------ h:\users\LogMeInRemoteUser.ABOMINAT-BCEBBD\Application Data\RKLauncher
2009-02-04 20:53 . 2008-05-27 17:45 <DIR> d-a------ h:\users\LogMeInRemoteUser.ABOMINAT-BCEBBD\Application Data\OtakuSoftware
2009-02-04 20:53 . 2008-05-27 17:45 <DIR> d-a------ h:\users\LogMeInRemoteUser.ABOMINAT-BCEBBD\Application Data\Nero
2009-02-04 20:53 . 2008-05-27 17:45 <DIR> d-a------ h:\users\LogMeInRemoteUser.ABOMINAT-BCEBBD\Application Data\LClock
2009-02-04 20:53 . 2008-05-27 17:33 <DIR> d-------- h:\users\LogMeInRemoteUser.ABOMINAT-BCEBBD\Application Data\ESTsoft
2009-02-04 20:53 . 2008-05-27 17:46 <DIR> dr------- h:\users\LogMeInRemoteUser.ABOMINAT-BCEBBD\Videos
2009-02-04 20:53 . 2008-05-27 17:13 <DIR> d--h----- h:\users\LogMeInRemoteUser.ABOMINAT-BCEBBD\Templates
2009-02-04 20:53 . 2008-03-30 16:13 <DIR> dr-h----- h:\users\LogMeInRemoteUser.ABOMINAT-BCEBBD\Start Menu
2009-02-04 20:53 . 2008-03-30 16:13 <DIR> dr------- h:\users\LogMeInRemoteUser.ABOMINAT-BCEBBD\SendTo
2009-02-04 20:53 . 2008-05-27 09:58 <DIR> d--h----- h:\users\LogMeInRemoteUser.ABOMINAT-BCEBBD\Recent
2009-02-04 20:53 . 2008-05-27 09:58 <DIR> d--h----- h:\users\LogMeInRemoteUser.ABOMINAT-BCEBBD\PrintHood
2009-02-04 20:53 . 2008-05-27 17:45 <DIR> dr------- h:\users\LogMeInRemoteUser.ABOMINAT-BCEBBD\Pictures
2009-02-04 20:53 . 2008-05-27 09:58 <DIR> d--h----- h:\users\LogMeInRemoteUser.ABOMINAT-BCEBBD\NetHood
2009-02-04 20:53 . 2008-03-30 16:13 <DIR> d--h----- h:\users\LogMeInRemoteUser.ABOMINAT-BCEBBD\My Stationery
2009-02-04 20:53 . 2008-03-30 16:13 <DIR> d--h----- h:\users\LogMeInRemoteUser.ABOMINAT-BCEBBD\My Received Files
2009-02-04 20:53 . 2008-05-27 17:45 <DIR> dr------- h:\users\LogMeInRemoteUser.ABOMINAT-BCEBBD\Music
2009-02-04 20:53 . 2008-03-30 16:13 <DIR> d--h----- h:\users\LogMeInRemoteUser.ABOMINAT-BCEBBD\Microsoft Games
2009-02-04 20:53 . 2009-02-12 09:36 <DIR> d--h----- h:\users\LogMeInRemoteUser.ABOMINAT-BCEBBD\Local Settings
2009-02-04 20:53 . 2008-05-27 17:45 <DIR> dr------- h:\users\LogMeInRemoteUser.ABOMINAT-BCEBBD\Favorites
2009-02-04 20:53 . 2008-05-27 17:45 <DIR> dr------- h:\users\LogMeInRemoteUser.ABOMINAT-BCEBBD\Downloads
2009-02-04 20:53 . 2008-05-27 17:45 <DIR> dr------- h:\users\LogMeInRemoteUser.ABOMINAT-BCEBBD\Documents
2009-02-04 20:53 . 2008-05-27 17:45 <DIR> dr------- h:\users\LogMeInRemoteUser.ABOMINAT-BCEBBD\Desktop
2009-02-04 20:53 . 2008-05-27 17:17 <DIR> d--hs---- h:\users\LogMeInRemoteUser.ABOMINAT-BCEBBD\Cookies
2009-02-04 20:53 . 2008-05-27 17:45 <DIR> dr-h----- h:\users\LogMeInRemoteUser.ABOMINAT-BCEBBD\Contacts
2009-02-04 20:53 . 2008-05-27 17:46 <DIR> d-ah----- h:\users\LogMeInRemoteUser.ABOMINAT-BCEBBD\Application Data
2009-02-04 20:53 . 2009-02-04 23:00 <DIR> d-------- h:\users\LogMeInRemoteUser.ABOMINAT-BCEBBD
2009-02-04 20:53 . 2009-02-04 21:14 487,424 --ah----- h:\users\LogMeInRemoteUser.ABOMINAT-BCEBBD\NTUSER.DAT
2009-02-04 20:40 . 2009-02-04 20:40 118,520 --------- h:\windows\system32\pxinsi64.exe
2009-02-04 20:40 . 2009-02-04 20:40 116,472 --------- h:\windows\system32\pxcpyi64.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-12 16:38 --------- d-----w h:\users\All Users\Application Data\avg7
2009-02-12 03:01 --------- d-----w h:\users\Abomination\Application Data\AVG7
2009-02-09 16:26 --------- d-----w h:\users\Abomination\Application Data\uTorrent
2009-02-08 04:22 --------- d--h--w h:\program files\InstallShield Installation Information
2009-02-08 04:22 --------- d-----w h:\program files\Common Files\InstallShield
2009-02-06 01:26 --------- d-----w h:\users\Abomination\Application Data\Apple Computer
2009-02-05 01:43 --------- d-----w h:\program files\Common Files\Adobe
2008-12-20 23:15 826,368 ----a-w h:\windows\system32\wininet.dll
2008-12-08 11:53 57,344 ----a-w h:\windows\system32\ff_vfw.dll
2008-01-22 03:51 121 ---ha-w h:\program files\desktop.ini
2009-02-10 15:51 67,688 ----a-w h:\program files\mozilla firefox\components\jar50.dll
2009-02-10 15:51 54,368 ----a-w h:\program files\mozilla firefox\components\jsd3250.dll
2009-02-10 15:51 34,944 ----a-w h:\program files\mozilla firefox\components\myspell.dll
2009-02-10 15:51 46,712 ----a-w h:\program files\mozilla firefox\components\spellchk.dll
2009-02-10 15:51 172,136 ----a-w h:\program files\mozilla firefox\components\xpinstal.dll
2008-05-28 01:51 16,384 --sha-w h:\windows\system32\config\systemprofile\Cookies\index.dat
2008-05-28 01:51 32,768 --sha-w h:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
2008-05-28 01:51 32,768 --sha-w h:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008052720080528\index.dat
2008-05-28 01:51 32,768 --sha-w h:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
.

------- Sigcheck -------

2008-04-13 16:12 578560 b26b135ff1b9f60c9388b4a7d16f600b h:\windows\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\user32.dll
2008-03-27 15:51 578048 b61badb44342a37edf5f91b4af44c879 h:\windows\system32\user32.dll

2008-06-20 03:59 361600 ad978a1b783b5719720cff204b666c8e h:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
2008-04-13 11:20 361344 93ea8d04ec73a85db02eb8805988f733 h:\windows\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\tcpip.sys
2008-06-20 03:51 361600 9aefa14bd6b182d61e3119fa5f436d3d h:\windows\system32\dllcache\tcpip.sys
2007-10-11 07:44 361088 270684847a8ef5c51fff58457e4dc8c6 h:\windows\system32\drivers\tcpip.sys
2007-10-11 07:44 361088 270684847a8ef5c51fff58457e4dc8c6 h:\windows\system32\syscache\tcpip.sys

2008-03-27 15:50 1424384 22908a9cefebb3eb06088dfa58ada9e6 h:\windows\explorer.exe
2008-04-13 16:12 1033728 12896823fb95bfb3dc9b46bcaedc9923 h:\windows\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\explorer.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{23E8FFB5-C109-3207-8BDF-01CFDAD3700D}]
2009-02-06 12:47 172032 --a------ h:\windows\system32\gl30372.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\NBHShellExt]
@="{8D2223A2-B3C6-4e32-B096-CDD11F628C60}"
[HKEY_CLASSES_ROOT\CLSID\{8D2223A2-B3C6-4e32-B096-CDD11F628C60}]
2007-12-13 21:02 96552 --a------ h:\program files\Nero\Nero8\InCD\NBHShx.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VisualTaskTips"="h:\windows\System32\visualtasktips.exe" [2007-09-05 36352]
"ctfmon.exe"="h:\windows\system32\ctfmon.exe" [2008-03-20 15360]
"Google Update"="h:\users\Abomination\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-02-12 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_CC"="h:\progra~1\Grisoft\AVG7\avgcc.exe" [2009-01-29 590848]
"SigmatelSysTrayApp"="h:\windows\stsystra.exe" [2005-03-22 339968]
"NvCplDaemon"="h:\windows\system32\NvCpl.dll" [2008-09-17 13574144]
"nwiz"="h:\windows\system32\nwiz.exe" [2008-09-17 1657376]
"NvMediaCenter"="h:\windows\system32\NvMcTray.dll" [2008-09-17 86016]
"LogMeIn GUI"="h:\program files\LogMeIn\x86\LogMeInSystray.exe" [2008-07-24 63048]
"LanguageShortcut"="h:\program files\CyberLink\PowerDVD\Language\Language.exe" [2006-05-18 49152]
"TkBellExe"="h:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-02-07 185896]
"QuickTime Task"="h:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
"SpySweeper"="h:\program files\Webroot\Spy Sweeper\SpySweeperUI.exe" [2008-08-09 5418864]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="h:\program files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 5724184]
"UltimateServices"="h:\windows\System32\ultsvcs.exe" [2008-01-31 256777]
"VisualTaskTips"="h:\windows\System32\visualtasktips.exe" [2007-09-05 36352]
"TopDesk"="h:\windows\System32\topdesk.exe" [2007-11-15 1937920]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nltide_2"="shell32" [X]

h:\users\Abomination\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - h:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2007-12-07 101440]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoRecentDocsNetHood"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoRecentDocsNetHood"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoRecentDocsNetHood"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "h:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2008-05-26 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"=hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,53,79,73,74,65,6d,33,32,\

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2008-05-02 01:42 72208 h:\program files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2008-10-16 20:35 87352 h:\windows\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.FFDS"= ffdshow.ax
"VIDC.HFYU"= huffyuv.dll
"vidc.DIV3"= DivXc32.dll
"vidc.DIV4"= DivXc32f.dll
"msacm.divxa32"= DivXa32.acm

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 7.0]
--a------ 2008-04-23 02:08 483328 h:\program files\Adobe\Acrobat 7.0\Distillr\acrotray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcoholAutomount]
--a------ 2008-02-22 07:58 217544 h:\program files\Alcohol Soft\Alcohol 120\AxCmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CloneCDTray]
--a------ 2006-09-28 11:21 57344 h:\program files\SlySoft\CloneCD\CloneCDTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
--a------ 2007-08-24 07:00 33648 h:\program files\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InCD]
--a------ 2007-12-13 21:02 1082152 h:\program files\Nero\Nero8\InCD\InCD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISTray]
--a------ 2008-08-25 11:36 1168264 h:\program files\Spyware Doctor\pctsTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2009-01-06 13:06 290088 h:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
--a------ 2007-10-18 10:34 5724184 h:\program files\Windows Live\Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2009-01-05 16:18 413696 h:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
-ra------ 2006-03-30 16:45 313472 h:\program files\Adobe\Acrobat 7.0\Acrobat\AdobeUpdateManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WZCSVC"=2 (0x2)
"TapiSrv"=3 (0x3)
"ose"=3 (0x3)
"mnmsrvc"=3 (0x3)
"Messenger"=3 (0x3)
"McrdSvc"=2 (0x2)
"LBTServ"=3 (0x3)
"FastUserSwitchingCompatibility"=3 (0x3)
"WMPNetworkSvc"=3 (0x3)
"StarWindServiceAE"=2 (0x2)
"ProtexisLicensing"=2 (0x2)
"odserv"=3 (0x3)
"Microsoft Office Groove Audit Service"=3 (0x3)
"iPod Service"=3 (0x3)
"InCDsrv"=2 (0x2)
"FLEXnet Licensing Service"=3 (0x3)
"Bonjour Service"=2 (0x2)
"Apple Mobile Device"=2 (0x2)
"AdobeActiveFileMonitor7.0"=3 (0x3)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"UltimateServices"="h:\windows\System32\ultsvcs.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"DAEMON Tools"="h:\program files\DAEMON Tools\daemon.exe" -lang 1033
"RemoteControl"="h:\program files\CyberLink\PowerDVD\PDVDServ.exe"
"TkBellExe"="h:\program files\Common Files\Real\Update_OB\realsched.exe" -osboot
"SpySweeper"="h:\program files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"h:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"h:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"h:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"h:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"h:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"h:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=
"h:\\Program Files\\uTorrent\\uTorrent.exe"=
"h:\\Program Files\\LimeWire\\LimeWire.exe"=
"h:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"h:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"h:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Mass Effect\\Binaries\\MassEffect.exe"=
"c:\\Program Files\\Mass Effect\\MassEffectLauncher.exe"=
"h:\\Program Files\\Ubisoft\\Assassin's Creed\\AssassinsCreed_Dx9.exe"=
"h:\\Program Files\\Ubisoft\\Assassin's Creed\\AssassinsCreed_Dx10.exe"=
"h:\\Program Files\\Ubisoft\\Assassin's Creed\\AssassinsCreed_Launcher.exe"=
"h:\\Program Files\\CAPCOM\\LOSTPLANETCOLONIES\\LostPlanetColoniesDX9.exe"=
"h:\\Program Files\\CAPCOM\\LOSTPLANETCOLONIES\\LostPlanetColoniesDX10.exe"=
"h:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"h:\\Program Files\\Sierra Entertainment\\World in Conflict\\wic.exe"=
"h:\\Program Files\\Sierra Entertainment\\World in Conflict\\wic_online.exe"=
"h:\\Program Files\\Sierra Entertainment\\World in Conflict\\wic_ds.exe"=
"h:\\Program Files\\Adobe\\Photoshop Elements 7.0\\AdobePhotoshopElementsMediaServer.exe"=
"h:\\Program Files\\Reynolds\\ERALink\\wIntegSM.exe"=
"h:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"h:\\Program Files\\iTunes\\iTunes.exe"=
"h:\\Program Files\\Starcraft\\StarCraft.exe"=

R0 ssfs0bbc;ssfs0bbc;h:\windows\system32\drivers\ssfs0bbc.sys [2008-08-09 29808]
R2 LMIInfo;LogMeIn Kernel Information Provider;h:\program files\LogMeIn\x86\rainfo.sys [2008-07-24 12856]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;h:\windows\system32\drivers\LMIRfsDriver.sys [2008-06-01 47640]
S2 WinDefend;Windows Defender;h:\program files\Windows Defender\MsMpEng.exe [2006-11-03 13592]
S3 bcgame;Nostromo HID Device Minidriver;h:\windows\system32\drivers\bcgame.sys --> h:\windows\system32\drivers\bcgame.sys [?]
S3 sdAuxService;PC Tools Auxiliary Service;h:\program files\Spyware Doctor\pctsAuxs.exe [2009-02-05 356920]
S4 AdobeActiveFileMonitor7.0;Adobe Active File Monitor V7;h:\program files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe [2008-09-16 169312]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]
S4 NeroRegInCDSrv;Nero Registry InCD Service;h:\program files\Nero\Nero8\InCD\NBHRegInCDSrv.exe [2007-12-13 50984]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
.
Contents of the 'Scheduled Tasks' folder

2009-02-08 h:\windows\Tasks\1-Click Maintenance.job
- h:\program files\TuneUp Utilities 2006\SystemOptimizer.exe [2006-10-05 16:09]

2009-02-07 h:\windows\Tasks\AppleSoftwareUpdate.job
- h:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2009-02-12 h:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1644491937-1547161642-1606980848-1004.job
- h:\users\Abomination\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-02-12 08:11]

2009-02-06 h:\windows\Tasks\wrSpySweeperFullSweep.job
- h:\program files\Webroot\Spy Sweeper\SpySweeperUI.exe [2008-08-09 16:04]

2009-02-06 h:\windows\Tasks\wrSpySweeperFullSweep.job
- h:\program files\Webroot\Spy Sweeper\SpySweeperUI.exe [2008-08-09 16:04]

2009-02-06 h:\windows\Tasks\wrSpySweeperFullSweep.job
- A:\ []
.
- - - - ORPHANS REMOVED - - - -

HKU-Default-RunOnce-RTUserConfig - h:\windows\System32\rtusercfg.exe


.
------- Supplementary Scan -------
.
uStart Page = www.google.com/
uInternet Settings,ProxyOverride = *.local
FF - ProfilePath - h:\users\Abomination\Application Data\Mozilla\Firefox\Profiles\ddkrqurq.default\
FF - component: h:\program files\Mozilla Firefox\components\xpinstal.dll
FF - component: h:\program files\Mozilla Firefox\extensions\talkback@mozilla.org\components\qfaservices.dll

---- FIREFOX POLICIES ----
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: content.max.tokenizing.time - 200000
FF - user.js: content.notify.interval - 100000
FF - user.js: content.switch.threshold - 650000
FF - user.js: nglayout.initialpaint.delay - 300
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-12 09:42:10
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1644491937-1547161642-1606980848-1004\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:4c,0d,93,e4,4d,b9,5a,34,61,23,8d,aa,31,cd,72,80,4f,98,dc,0d,dc,20,69,
66,7c,ae,89,97,30,70,af,29,c6,f8,d8,19,8d,28,68,58,90,62,a9,c6,ee,81,dd,36,\
"??"=hex:42,a0,07,3f,7e,7e,fa,03,9e,17,7f,c0,c1,e2,c5,3d

[HKEY_USERS\S-1-5-21-1644491937-1547161642-1606980848-1004\Software\SecuROM\License information*]
"datasecu"=hex:05,c2,10,55,2e,66,a6,5d,e8,ec,4a,bf,8a,29,51,6a,34,7b,07,2c,22,
4c,ce,73,50,e5,11,ee,e0,27,c9,10,56,32,06,c7,94,46,e2,28,52,4d,67,2d,32,8e,\
"rkeysecu"=hex:d6,3a,31,d8,71,67,f1,fd,0a,c3,aa,ad,b1,ec,13,0c
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(804)
h:\windows\system32\SETUPAPI.dll
h:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
h:\windows\system32\LMIinit.dll
h:\program files\common files\logishrd\bluetooth\LBTServ.dll
h:\windows\system32\cscui.dll

- - - - - - - > 'lsass.exe'(860)
h:\windows\system32\setupapi.dll

- - - - - - - > 'explorer.exe'(1344)
h:\windows\System32\VttHooks.dll
h:\windows\system32\COMRes.dll
h:\program files\Nero\Nero8\InCD\NBHShx.dll
h:\program files\Nero\Nero8\InCD\NBHStr.dll
h:\program files\Common Files\Nero\Shared\NL3\AdvrCntr3.dll
h:\windows\system32\SETUPAPI.dll
h:\windows\System32\cscui.dll
h:\progra~1\WINDOW~2\wmpband.dll
h:\windows\system32\msi.dll
h:\windows\system32\NETSHELL.dll
h:\windows\system32\credui.dll
h:\windows\system32\wpdshserviceobj.dll
h:\windows\system32\portabledevicetypes.dll
h:\windows\system32\portabledeviceapi.dll
.
------------------------ Other Running Processes ------------------------
.
h:\program files\Lavasoft\Ad-Aware\aawservice.exe
h:\progra~1\Grisoft\AVG7\avgamsvr.exe
h:\progra~1\Grisoft\AVG7\avgupsvc.exe
h:\progra~1\Grisoft\AVG7\avgemc.exe
h:\windows\ehome\ehrecvr.exe
h:\windows\ehome\ehSched.exe
h:\program files\LogMeIn\x86\ramaint.exe
h:\program files\LogMeIn\x86\LogMeIn.exe
h:\program files\LogMeIn\x86\LMIGuardian.exe
h:\windows\system32\nvsvc32.exe
h:\program files\CyberLink\Shared files\RichVideo.exe
h:\program files\Webroot\Spy Sweeper\SpySweeper.exe
h:\windows\system32\searchindexer.exe
h:\program files\LogMeIn\x86\LMIGuardian.exe
h:\windows\system32\dllhost.exe
h:\windows\system32\rundll32.exe
h:\windows\system32\wscntfy.exe
h:\program files\Webroot\Spy Sweeper\SSU.exe
.
**************************************************************************
.
Completion time: 2009-02-12 10:06:14 - machine was rebooted
ComboFix-quarantined-files.txt 2009-02-12 18:05:33

Pre-Run: 207,653,576,704 bytes free
Post-Run: 209,730,048,000 bytes free

438 --- E O F --- 2009-02-12 01:55:05

#4 miekiemoes
Malware Killer Dog, Malware Response Team, 19,420 posts, Belgium

Posted 12 February 2009 - 02:09 PM

Hi,

I see some system files are patched here (tcpip.sys, explorer.exe and user32.dll), but I don't think malware did that. I think it's because of the XP Ultimate version you're having.

To deal with the malware:

* Open notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the quotebox below into notepad:

File::
h:\windows\system32\gl30372.dll
h:\program files\KB47614.exe
h:\windows\system32\wti29595.dll
h:\windows\system32\ti29595.dll
h:\program files\KB50638.exe
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{23E8FFB5-C109-3207-8BDF-01CFDAD3700D}]
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000000
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"=dword:00000001


Save this as a text file named CFScript.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

[screenshot: dragging CFScript onto ComboFix.exe]

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.
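As an added example (not part of this thread, and not ComboFix's or the helper's own tooling), a Python script that reads a ComboFix log the way the helper did: it flags the two security-weakening registry values the CFScript above corrects, prints the Registry:: lines that restore them, and groups the Sigcheck entries to show which system files exist in differing copies. The excerpt is constructed from lines of the log in this thread; the function names are my own.

```python
"""Flag security-weakening values in a ComboFix log, render the matching CFScript
Registry:: section, and group Sigcheck entries by file name."""
import re
from collections import defaultdict

# Constructed excerpt: these lines are copied from the ComboFix log posted above,
# with everything else trimmed away.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

------- Sigcheck -------
2008-03-27 15:51 578048 b61badb44342a37edf5f91b4af44c879 h:\windows\system32\user32.dll
2008-06-20 03:51 361600 9aefa14bd6b182d61e3119fa5f436d3d h:\windows\system32\dllcache\tcpip.sys
2007-10-11 07:44 361088 270684847a8ef5c51fff58457e4dc8c6 h:\windows\system32\drivers\tcpip.sys
2007-10-11 07:44 361088 270684847a8ef5c51fff58457e4dc8c6 h:\windows\system32\syscache\tcpip.sys
"""

# (key as the helper's CFScript writes it, value name, setting that weakens
#  protection, value the script restores).  Both settings appear in the log.
WEAK_SETTINGS = [
    (r"HKEY_LOCAL_MACHINE\software\microsoft\security center",
     "AntiVirusDisableNotify", 1, 0),
    (r"HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile",
     "EnableFirewall", 0, 1),
]

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]\s*$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<raw>.+?)\s*$')
SIGCHECK_RE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} (?P<size>\d+) (?P<md5>[0-9a-f]{32}) (?P<path>\S.*)$")


def parse_reg_blocks(log):
    """Map each [key] header (lower-cased) to {value name: raw value text}."""
    blocks = defaultdict(dict)
    current = None
    for line in log.splitlines():
        m = KEY_RE.match(line)
        if m:
            current = m.group("key").lower()
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            blocks[current][m.group("name")] = m.group("raw")
    return blocks


def reg_int(raw):
    """Decode the two numeric forms ComboFix prints: 'dword:00000001' and '0 (0x0)'."""
    m = re.match(r"dword:([0-9a-fA-F]{8})$", raw)
    if m:
        return int(m.group(1), 16)
    m = re.match(r"(\d+)\s*\(0x[0-9a-fA-F]+\)$", raw)
    if m:
        return int(m.group(1))
    return None


def find_weak_settings(log):
    """Return (key, name, current, restore) for each value set to its weak setting."""
    blocks = parse_reg_blocks(log)
    findings = []
    for key, name, bad, good in WEAK_SETTINGS:
        raw = blocks.get(key.lower(), {}).get(name)
        if raw is not None and reg_int(raw) == bad:
            findings.append((key, name, bad, good))
    return findings


def cfscript_registry_section(findings):
    """Render a Registry:: section in the form the helper's CFScript uses."""
    lines = ["Registry::"]
    for key, name, _current, good in findings:
        lines.append(f"[{key}]")
        lines.append(f'"{name}"=dword:{good:08x}')
    return "\n".join(lines)


def sigcheck_variants(log):
    """Group Sigcheck entries by file name; a name seen with more than one MD5 means
    copies of that system file differ on disk (the pattern the helper noticed)."""
    by_name = defaultdict(set)
    for m in filter(None, map(SIGCHECK_RE.match, log.splitlines())):
        name = m.group("path").rsplit("\\", 1)[-1].lower()
        by_name[name].add(m.group("md5"))
    return {name: md5s for name, md5s in by_name.items() if len(md5s) > 1}


if __name__ == "__main__":
    hits = find_weak_settings(SAMPLE_LOG)
    for key, name, current, good in hits:
        print(f"{name} = {current} under [{key}]: restore to {good}")
    print(cfscript_registry_section(hits))
    for name, md5s in sigcheck_variants(SAMPLE_LOG).items():
        print(f"{name}: {len(md5s)} distinct copies on disk")
```

Differing Sigcheck hashes on their own do not prove tampering; as the helper notes, a non-standard build or a hotfix copy produces the same picture, so the list is a starting point for comparison against known-good files rather than a verdict.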

#5 dsapper (Topic Starter)
Members, 4 posts

Posted 12 February 2009 - 04:35 PM

Again, thank you for your help so far ;) Anyway, I did exactly what you said and just got the log.

ComboFix 09-02-12.02 - Abomination 2009-02-12 12:21:19.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3582.2761 [GMT -8:00]
Running from: h:\users\Abomination\Desktop\ComboFix.exe
Command switches used :: h:\users\Abomination\Desktop\CFScript.txt
AV: AVG 7.5.552 *On-access scanning enabled* (Updated)
* Created a new restore point

FILE ::
h:\program files\KB47614.exe
h:\program files\KB50638.exe
h:\windows\system32\gl30372.dll
h:\windows\system32\ti29595.dll
h:\windows\system32\wti29595.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

h:\program files\KB47614.exe
h:\program files\KB50638.exe
h:\windows\system32\ti29595.dll
h:\windows\system32\wti29595.dll

.
((((((((((((((((((((((((( Files Created from 2009-01-12 to 2009-02-12 )))))))))))))))))))))))))))))))
.

2019-09-25 14:40 . 2019-09-25 14:40 20,480 --a------ h:\windows\system32\APITypes.dll
2009-02-12 10:40 . 2009-02-12 10:40 <DIR> d-------- h:\users\All Users\Application Data\Malwarebytes
2009-02-12 10:40 . 2009-02-12 10:40 <DIR> d-------- h:\users\Abomination\Application Data\Malwarebytes
2009-02-12 10:40 . 2009-02-12 10:41 <DIR> d-------- h:\program files\Malwarebytes' Anti-Malware
2009-02-12 10:40 . 2009-02-11 10:19 38,496 --a------ h:\windows\system32\drivers\mbamswissarmy.sys
2009-02-12 10:40 . 2009-02-11 10:19 15,504 --a------ h:\windows\system32\drivers\mbam.sys
2009-02-11 18:01 . 2009-02-11 18:01 <DIR> d-------- h:\program files\Trend Micro
2009-02-11 10:06 . 2009-02-11 10:06 <DIR> d-------- h:\users\Abomination\OneNote Notebooks
2009-02-11 10:06 . 2009-02-11 10:06 <DIR> d-------- h:\users\Abomination\OneNote Notebooks
2009-02-11 09:07 . 2009-02-11 09:07 101 --a------ h:\windows\OPHE.ini
2009-02-07 20:30 . 2009-02-07 20:30 <DIR> d-------- h:\users\Abomination\Application Data\TuneUp Software
2009-02-07 20:30 . 2009-02-07 20:31 <DIR> d-------- h:\program files\TuneUp Utilities 2006
2009-02-07 20:30 . 2006-10-05 19:26 24,072 --a------ h:\windows\system32\uxtuneup.dll
2009-02-07 20:29 . 2009-02-07 20:29 <DIR> d-------- h:\users\All Users\Application Data\TuneUp Software
2009-02-07 20:28 . 2009-02-07 20:28 8 -r-hs---- h:\windows\system32\5CA6B4F465.sys
2009-02-07 20:27 . 2009-02-07 20:27 <DIR> d-------- h:\program files\Ashampoo
2009-02-07 20:26 . 2009-02-07 20:26 <DIR> d-------- h:\program files\Common Files\xing shared
2009-02-07 20:25 . 2009-02-07 20:25 <DIR> d-------- h:\program files\Real
2009-02-07 20:25 . 2009-02-07 20:26 <DIR> d-------- h:\program files\Common Files\Real
2009-02-07 20:24 . 2009-02-07 20:25 <DIR> d-------- h:\users\Abomination\PcSetup
2009-02-07 20:24 . 2009-02-07 20:25 <DIR> d-------- h:\users\Abomination\PcSetup
2009-02-07 20:24 . 2009-02-07 20:24 <DIR> d-------- h:\program files\DVDXCopyInternational
2009-02-07 20:24 . 2009-02-07 20:24 39,488 --a------ h:\windows\system32\drivers\Pcouffin.sys
2009-02-07 20:24 . 2001-03-08 18:30 24,064 --------- h:\windows\system32\msxml3a.dll
2009-02-07 20:23 . 2009-02-07 20:23 <DIR> d-------- h:\program files\DAEMON Tools
2009-02-07 20:22 . 2009-02-07 20:23 <DIR> d-------- h:\program files\XP Codec Pack
2009-02-07 20:22 . 2009-02-07 20:24 <DIR> d-------- h:\program files\CyberLink
2009-02-07 20:20 . 2009-02-07 20:20 <DIR> d-------- h:\program files\Common Files\Logitech
2009-02-07 13:22 . 2009-02-11 17:51 1,374 --a------ h:\windows\imsins.BAK
2009-02-06 10:55 . 2009-02-06 11:11 <DIR> d-------- h:\users\Abomination\SimCity 4
2009-02-06 10:55 . 2009-02-06 11:11 <DIR> d-------- h:\users\Abomination\SimCity 4
2009-02-06 10:32 . 2009-02-06 10:32 <DIR> d-------- h:\program files\Electronic Arts
2009-02-06 10:09 . 2009-02-06 10:09 532 --a------ h:\windows\eReg.dat
2009-02-06 10:08 . 2009-02-06 10:08 <DIR> d-------- h:\program files\Maxis
2009-02-06 09:49 . 2009-02-07 20:47 <DIR> d-------- h:\program files\Starcraft
2009-02-06 09:49 . 2009-02-06 09:53 94,208 --a------ h:\windows\ScUnin.exe
2009-02-06 09:49 . 2009-02-06 09:53 31,604 --a------ h:\windows\scunin.dat
2009-02-06 09:49 . 2009-02-06 09:53 967 --a------ h:\windows\ScUnin.pif
2009-02-06 08:05 . 2009-02-06 08:05 <DIR> d-------- h:\users\Abomination\OkiData
2009-02-06 08:05 . 2009-02-06 08:05 <DIR> d-------- h:\users\Abomination\OkiData
2009-02-06 08:04 . 2009-02-06 08:04 34,896 --a------ h:\windows\system32\OPHE_M00.cah
2009-02-06 08:04 . 2009-02-06 08:04 17,484 --a------ h:\windows\system32\OP5100V2.cah
2009-02-05 18:25 . 2009-02-05 18:25 <DIR> d-------- h:\users\All Users\Application Data\2DBoy
2009-02-05 18:24 . 2009-02-05 18:25 <DIR> d-------- h:\program files\WorldOfGoo
2009-02-05 17:26 . 2008-04-17 13:12 107,368 --a------ h:\windows\system32\GEARAspi.dll
2009-02-05 17:26 . 2008-04-17 13:12 15,464 --a------ h:\windows\system32\drivers\GEARAspiWDM.sys
2009-02-05 17:25 . 2009-02-05 17:26 <DIR> d-------- h:\users\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2009-02-05 17:25 . 2009-02-05 17:26 <DIR> d-------- h:\program files\iTunes
2009-02-05 17:25 . 2009-02-05 17:25 <DIR> d-------- h:\program files\iPod
2009-02-05 17:23 . 2009-02-05 17:25 <DIR> d-------- h:\users\All Users\Application Data\Apple Computer
2009-02-05 17:23 . 2009-02-05 17:24 <DIR> d-------- h:\program files\QuickTime
2009-02-05 17:21 . 2009-02-05 17:25 <DIR> d-------- h:\program files\Common Files\Apple
2009-02-05 16:34 . 2009-02-05 16:34 <DIR> d-------- h:\users\LocalService\Application Data\Webroot
2009-02-05 16:10 . 2009-02-05 16:16 <DIR> d-------- h:\program files\Enigma Software Group
2009-02-05 15:18 . 2009-02-05 15:18 <DIR> d-------- h:\users\All Users\Application Data\Webroot
2009-02-05 15:18 . 2009-02-05 15:18 <DIR> d-------- h:\users\Abomination\Application Data\Webroot
2009-02-05 15:18 . 2009-02-05 15:18 <DIR> d-------- h:\program files\Webroot
2009-02-05 15:18 . 2008-08-09 16:04 1,538,928 --a------ h:\windows\WRSetup.dll
2009-02-05 15:06 . 2009-02-05 15:14 <DIR> d-------- h:\users\All Users\Application Data\Lavasoft
2009-02-05 15:06 . 2009-02-05 15:06 <DIR> d-------- h:\program files\Lavasoft
2009-02-05 15:05 . 2009-02-07 20:29 <DIR> d-------- h:\program files\Common Files\Wise Installation Wizard
2009-02-05 14:41 . 2009-02-05 14:41 <DIR> d-------- h:\users\Abomination\Application Data\PC Tools
2009-02-05 14:41 . 2009-02-10 15:56 <DIR> d-------- h:\program files\Spyware Doctor
2009-02-05 14:41 . 2008-08-25 11:36 81,288 --a------ h:\windows\system32\drivers\iksyssec.sys
2009-02-05 14:41 . 2008-08-25 11:36 66,952 --a------ h:\windows\system32\drivers\iksysflt.sys
2009-02-05 14:41 . 2008-08-25 11:36 40,840 --a------ h:\windows\system32\drivers\ikfilesec.sys
2009-02-05 14:41 . 2008-06-02 15:19 29,576 --a------ h:\windows\system32\drivers\kcom.sys
2009-02-05 13:48 . 2009-02-05 16:36 <DIR> d-------- h:\users\Abomination\Application Data\AdobeUM
2009-02-05 13:36 . 2009-02-05 13:36 <DIR> d-------- h:\users\Abomination\Bioshock
2009-02-05 13:36 . 2009-02-05 13:36 <DIR> d-------- h:\users\Abomination\Bioshock
2009-02-05 13:10 . 2009-02-12 10:59 241 --a------ h:\windows\ODBC.INI
2009-02-05 13:09 . 2009-02-05 13:09 <DIR> d-------- h:\program files\Snapshot Viewer
2009-02-05 13:09 . 2009-02-05 13:11 <DIR> d-------- h:\program files\SalezTrack
2009-02-05 13:00 . 2009-02-05 13:00 <DIR> d-------- h:\program files\Citrix
2009-02-05 12:58 . 2009-02-05 12:58 <DIR> d-------- h:\users\Abomination\ERALink32
2009-02-05 12:58 . 2009-02-05 12:58 <DIR> d-------- h:\users\Abomination\ERALink32
2009-02-05 12:58 . 2009-02-05 12:58 60,744 --a------ h:\users\Abomination\g2mdlhlpx.exe
2009-02-05 12:58 . 2009-02-05 12:58 60,744 --a------ h:\users\Abomination\g2mdlhlpx.exe
2009-02-05 12:56 . 2009-02-05 12:56 <DIR> d-------- h:\users\All Users\Application Data\Reynolds
2009-02-05 12:56 . 2009-02-05 12:56 <DIR> d-------- h:\users\All Users\Application Data\IBM
2009-02-05 12:56 . 2009-02-05 12:56 <DIR> d-------- h:\program files\Reynolds
2009-02-05 12:56 . 2009-02-05 12:56 <DIR> d-------- h:\program files\Common Files\Reynolds
2009-02-05 12:55 . 2009-02-05 12:56 110 --a------ h:\windows\{34B85F58-4EA1-40F2-A658-DA3CE5D19820}_WiseFW.ini
2009-02-04 22:49 . 2009-02-04 22:49 <DIR> d-------- h:\users\All Users\Application Data\Fallout3
2009-02-04 22:49 . 2009-02-04 22:49 <DIR> d-------- h:\program files\Bethesda Softworks
2009-02-04 22:19 . 2009-02-04 22:42 <DIR> d-------- h:\program files\Bioshock
2009-02-04 20:53 . 2008-05-27 17:46 <DIR> dr------- h:\users\LogMeInRemoteUser.ABOMINAT-BCEBBD\Videos
2009-02-04 20:53 . 2008-05-27 17:45 <DIR> dr------- h:\users\LogMeInRemoteUser.ABOMINAT-BCEBBD\Pictures
2009-02-04 20:53 . 2008-03-30 16:13 <DIR> d--h----- h:\users\LogMeInRemoteUser.ABOMINAT-BCEBBD\My Stationery
2009-02-04 20:53 . 2008-03-30 16:13 <DIR> d--h----- h:\users\LogMeInRemoteUser.ABOMINAT-BCEBBD\My Received Files
2009-02-04 20:53 . 2008-05-27 17:45 <DIR> dr------- h:\users\LogMeInRemoteUser.ABOMINAT-BCEBBD\Music
2009-02-04 20:53 . 2008-03-30 16:13 <DIR> d--h----- h:\users\LogMeInRemoteUser.ABOMINAT-BCEBBD\Microsoft Games
2009-02-04 20:53 . 2008-05-27 17:45 <DIR> dr------- h:\users\LogMeInRemoteUser.ABOMINAT-BCEBBD\Downloads
2009-02-04 20:53 . 2008-05-27 17:45 <DIR> dr------- h:\users\LogMeInRemoteUser.ABOMINAT-BCEBBD\Documents
2009-02-04 20:53 . 2008-05-27 17:45 <DIR> dr-h----- h:\users\LogMeInRemoteUser.ABOMINAT-BCEBBD\Contacts
2009-02-04 20:53 . 2008-05-27 17:45 <DIR> d-a------ h:\users\LogMeInRemoteUser.ABOMINAT-BCEBBD\Application Data\TrueTransparency
2009-02-04 20:53 . 2008-05-27 17:45 <DIR> d-a------ h:\users\LogMeInRemoteUser.ABOMINAT-BCEBBD\Application Data\RKLauncher
2009-02-04 20:53 . 2008-05-27 17:45 <DIR> d-a------ h:\users\LogMeInRemoteUser.ABOMINAT-BCEBBD\Application Data\OtakuSoftware
2009-02-04 20:53 . 2008-05-27 17:45 <DIR> d-a------ h:\users\LogMeInRemoteUser.ABOMINAT-BCEBBD\Application Data\Nero
2009-02-04 20:53 . 2008-05-27 17:45 <DIR> d-a------ h:\users\LogMeInRemoteUser.ABOMINAT-BCEBBD\Application Data\LClock
2009-02-04 20:53 . 2008-05-27 17:33 <DIR> d-------- h:\users\LogMeInRemoteUser.ABOMINAT-BCEBBD\Application Data\ESTsoft
2009-02-04 20:53 . 2008-05-27 17:46 <DIR> dr------- h:\users\LogMeInRemoteUser.ABOMINAT-BCEBBD\Videos
2009-02-04 20:53 . 2008-05-27 17:13 <DIR> d--h----- h:\users\LogMeInRemoteUser.ABOMINAT-BCEBBD\Templates
2009-02-04 20:53 . 2008-03-30 16:13 <DIR> dr-h----- h:\users\LogMeInRemoteUser.ABOMINAT-BCEBBD\Start Menu
2009-02-04 20:53 . 2008-03-30 16:13 <DIR> dr------- h:\users\LogMeInRemoteUser.ABOMINAT-BCEBBD\SendTo
2009-02-04 20:53 . 2008-05-27 09:58 <DIR> d--h----- h:\users\LogMeInRemoteUser.ABOMINAT-BCEBBD\Recent
2009-02-04 20:53 . 2008-05-27 09:58 <DIR> d--h----- h:\users\LogMeInRemoteUser.ABOMINAT-BCEBBD\PrintHood
2009-02-04 20:53 . 2008-05-27 17:45 <DIR> dr------- h:\users\LogMeInRemoteUser.ABOMINAT-BCEBBD\Pictures
2009-02-04 20:53 . 2008-05-27 09:58 <DIR> d--h----- h:\users\LogMeInRemoteUser.ABOMINAT-BCEBBD\NetHood
2009-02-04 20:53 . 2008-03-30 16:13 <DIR> d--h----- h:\users\LogMeInRemoteUser.ABOMINAT-BCEBBD\My Stationery
2009-02-04 20:53 . 2008-03-30 16:13 <DIR> d--h----- h:\users\LogMeInRemoteUser.ABOMINAT-BCEBBD\My Received Files
2009-02-04 20:53 . 2008-05-27 17:45 <DIR> dr------- h:\users\LogMeInRemoteUser.ABOMINAT-BCEBBD\Music
2009-02-04 20:53 . 2008-03-30 16:13 <DIR> d--h----- h:\users\LogMeInRemoteUser.ABOMINAT-BCEBBD\Microsoft Games
2009-02-04 20:53 . 2009-02-12 13:08 <DIR> d--h----- h:\users\LogMeInRemoteUser.ABOMINAT-BCEBBD\Local Settings
2009-02-04 20:53 . 2008-05-27 17:45 <DIR> dr------- h:\users\LogMeInRemoteUser.ABOMINAT-BCEBBD\Favorites
2009-02-04 20:53 . 2008-05-27 17:45 <DIR> dr------- h:\users\LogMeInRemoteUser.ABOMINAT-BCEBBD\Downloads
2009-02-04 20:53 . 2008-05-27 17:45 <DIR> dr------- h:\users\LogMeInRemoteUser.ABOMINAT-BCEBBD\Documents
2009-02-04 20:53 . 2008-05-27 17:45 <DIR> dr------- h:\users\LogMeInRemoteUser.ABOMINAT-BCEBBD\Desktop
2009-02-04 20:53 . 2008-05-27 17:17 <DIR> d--hs---- h:\users\LogMeInRemoteUser.ABOMINAT-BCEBBD\Cookies
2009-02-04 20:53 . 2008-05-27 17:45 <DIR> dr-h----- h:\users\LogMeInRemoteUser.ABOMINAT-BCEBBD\Contacts
2009-02-04 20:53 . 2008-05-27 17:46 <DIR> d-ah----- h:\users\LogMeInRemoteUser.ABOMINAT-BCEBBD\Application Data
2009-02-04 20:53 . 2009-02-04 23:00 <DIR> d-------- h:\users\LogMeInRemoteUser.ABOMINAT-BCEBBD
2009-02-04 20:53 . 2009-02-04 21:14 487,424 --ah----- h:\users\LogMeInRemoteUser.ABOMINAT-BCEBBD\NTUSER.DAT
2009-02-04 20:40 . 2009-02-04 20:40 118,520 --------- h:\windows\system32\pxinsi64.exe
2009-02-04 20:40 . 2009-02-04 20:40 116,472 --------- h:\windows\system32\pxcpyi64.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-12 16:38 --------- d-----w h:\users\All Users\Application Data\avg7
2009-02-12 03:01 --------- d-----w h:\users\Abomination\Application Data\AVG7
2009-02-09 16:26 --------- d-----w h:\users\Abomination\Application Data\uTorrent
2009-02-08 04:22 --------- d--h--w h:\program files\InstallShield Installation Information
2009-02-08 04:22 --------- d-----w h:\program files\Common Files\InstallShield
2009-02-06 01:26 --------- d-----w h:\users\Abomination\Application Data\Apple Computer
2009-02-05 01:43 --------- d-----w h:\program files\Common Files\Adobe
2008-12-20 23:15 826,368 ----a-w h:\windows\system32\wininet.dll
2008-12-08 11:53 57,344 ----a-w h:\windows\system32\ff_vfw.dll
2008-01-22 03:51 121 ---ha-w h:\program files\desktop.ini
2009-02-10 15:51 67,688 ----a-w h:\program files\mozilla firefox\components\jar50.dll
2009-02-10 15:51 54,368 ----a-w h:\program files\mozilla firefox\components\jsd3250.dll
2009-02-10 15:51 34,944 ----a-w h:\program files\mozilla firefox\components\myspell.dll
2009-02-10 15:51 46,712 ----a-w h:\program files\mozilla firefox\components\spellchk.dll
2009-02-10 15:51 172,136 ----a-w h:\program files\mozilla firefox\components\xpinstal.dll
2008-05-28 01:51 16,384 --sha-w h:\windows\system32\config\systemprofile\Cookies\index.dat
2008-05-28 01:51 32,768 --sha-w h:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
2008-05-28 01:51 32,768 --sha-w h:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008052720080528\index.dat
2008-05-28 01:51 32,768 --sha-w h:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
.

------- Sigcheck -------

2008-04-13 16:12 578560 b26b135ff1b9f60c9388b4a7d16f600b h:\windows\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\user32.dll
2008-03-27 15:51 578048 b61badb44342a37edf5f91b4af44c879 h:\windows\system32\user32.dll

2008-06-20 03:59 361600 ad978a1b783b5719720cff204b666c8e h:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
2008-04-13 11:20 361344 93ea8d04ec73a85db02eb8805988f733 h:\windows\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\tcpip.sys
2008-06-20 03:51 361600 9aefa14bd6b182d61e3119fa5f436d3d h:\windows\system32\dllcache\tcpip.sys
2007-10-11 07:44 361088 270684847a8ef5c51fff58457e4dc8c6 h:\windows\system32\drivers\tcpip.sys
2007-10-11 07:44 361088 270684847a8ef5c51fff58457e4dc8c6 h:\windows\system32\syscache\tcpip.sys

2008-03-27 15:50 1424384 22908a9cefebb3eb06088dfa58ada9e6 h:\windows\explorer.exe
2008-04-13 16:12 1033728 12896823fb95bfb3dc9b46bcaedc9923 h:\windows\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\explorer.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\NBHShellExt]
@="{8D2223A2-B3C6-4e32-B096-CDD11F628C60}"
[HKEY_CLASSES_ROOT\CLSID\{8D2223A2-B3C6-4e32-B096-CDD11F628C60}]
2007-12-13 21:02 96552 --a------ h:\program files\Nero\Nero8\InCD\NBHShx.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VisualTaskTips"="h:\windows\System32\visualtasktips.exe" [2007-09-05 36352]
"ctfmon.exe"="h:\windows\system32\ctfmon.exe" [2008-03-20 15360]
"Google Update"="h:\users\Abomination\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-02-12 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_CC"="h:\progra~1\Grisoft\AVG7\avgcc.exe" [2009-01-29 590848]
"SigmatelSysTrayApp"="h:\windows\stsystra.exe" [2005-03-22 339968]
"NvCplDaemon"="h:\windows\system32\NvCpl.dll" [2008-09-17 13574144]
"nwiz"="h:\windows\system32\nwiz.exe" [2008-09-17 1657376]
"NvMediaCenter"="h:\windows\system32\NvMcTray.dll" [2008-09-17 86016]
"LogMeIn GUI"="h:\program files\LogMeIn\x86\LogMeInSystray.exe" [2008-07-24 63048]
"LanguageShortcut"="h:\program files\CyberLink\PowerDVD\Language\Language.exe" [2006-05-18 49152]
"TkBellExe"="h:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-02-07 185896]
"QuickTime Task"="h:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
"SpySweeper"="h:\program files\Webroot\Spy Sweeper\SpySweeperUI.exe" [2008-08-09 5418864]
"MSConfig"="h:\windows\pchealth\helpctr\Binaries\MSCONFIG.EXE" [2008-03-27 241152]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="h:\program files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 5724184]
"UltimateServices"="h:\windows\System32\ultsvcs.exe" [2008-01-31 256777]
"VisualTaskTips"="h:\windows\System32\visualtasktips.exe" [2007-09-05 36352]
"TopDesk"="h:\windows\System32\topdesk.exe" [2007-11-15 1937920]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nltide_2"="shell32" [X]

h:\users\Abomination\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - h:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2007-12-07 101440]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoRecentDocsNetHood"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoRecentDocsNetHood"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoRecentDocsNetHood"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "h:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2008-05-26 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"=hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,53,79,73,74,65,6d,33,32,\

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2008-05-02 01:42 72208 h:\program files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2008-10-16 20:35 87352 h:\windows\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.FFDS"= ffdshow.ax
"VIDC.HFYU"= huffyuv.dll
"vidc.DIV3"= DivXc32.dll
"vidc.DIV4"= DivXc32f.dll
"msacm.divxa32"= DivXa32.acm

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 7.0]
--a------ 2008-04-23 02:08 483328 h:\program files\Adobe\Acrobat 7.0\Distillr\acrotray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcoholAutomount]
--a------ 2008-02-22 07:58 217544 h:\program files\Alcohol Soft\Alcohol 120\AxCmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CloneCDTray]
--a------ 2006-09-28 11:21 57344 h:\program files\SlySoft\CloneCD\CloneCDTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
--a------ 2007-08-24 07:00 33648 h:\program files\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InCD]
--a------ 2007-12-13 21:02 1082152 h:\program files\Nero\Nero8\InCD\InCD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISTray]
--a------ 2008-08-25 11:36 1168264 h:\program files\Spyware Doctor\pctsTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2009-01-06 13:06 290088 h:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
--a------ 2007-10-18 10:34 5724184 h:\program files\Windows Live\Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2009-01-05 16:18 413696 h:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
-ra------ 2006-03-30 16:45 313472 h:\program files\Adobe\Acrobat 7.0\Acrobat\AdobeUpdateManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WZCSVC"=2 (0x2)
"TapiSrv"=3 (0x3)
"ose"=3 (0x3)
"mnmsrvc"=3 (0x3)
"Messenger"=3 (0x3)
"McrdSvc"=2 (0x2)
"LBTServ"=3 (0x3)
"FastUserSwitchingCompatibility"=3 (0x3)
"WMPNetworkSvc"=3 (0x3)
"StarWindServiceAE"=2 (0x2)
"ProtexisLicensing"=2 (0x2)
"odserv"=3 (0x3)
"Microsoft Office Groove Audit Service"=3 (0x3)
"iPod Service"=3 (0x3)
"InCDsrv"=2 (0x2)
"FLEXnet Licensing Service"=3 (0x3)
"Bonjour Service"=2 (0x2)
"Apple Mobile Device"=2 (0x2)
"AdobeActiveFileMonitor7.0"=3 (0x3)
"WinDefend"=2 (0x2)
"WebrootSpySweeperService"=2 (0x2)
"RichVideo"=2 (0x2)
"aawservice"=2 (0x2)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"UltimateServices"="h:\windows\System32\ultsvcs.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"DAEMON Tools"="h:\program files\DAEMON Tools\daemon.exe" -lang 1033
"RemoteControl"="h:\program files\CyberLink\PowerDVD\PDVDServ.exe"
"TkBellExe"="h:\program files\Common Files\Real\Update_OB\realsched.exe" -osboot
"SpySweeper"="h:\program files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"h:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"h:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"h:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"h:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"h:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"h:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=
"h:\\Program Files\\uTorrent\\uTorrent.exe"=
"h:\\Program Files\\LimeWire\\LimeWire.exe"=
"h:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"h:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"h:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Mass Effect\\Binaries\\MassEffect.exe"=
"c:\\Program Files\\Mass Effect\\MassEffectLauncher.exe"=
"h:\\Program Files\\Ubisoft\\Assassin's Creed\\AssassinsCreed_Dx9.exe"=
"h:\\Program Files\\Ubisoft\\Assassin's Creed\\AssassinsCreed_Dx10.exe"=
"h:\\Program Files\\Ubisoft\\Assassin's Creed\\AssassinsCreed_Launcher.exe"=
"h:\\Program Files\\CAPCOM\\LOSTPLANETCOLONIES\\LostPlanetColoniesDX9.exe"=
"h:\\Program Files\\CAPCOM\\LOSTPLANETCOLONIES\\LostPlanetColoniesDX10.exe"=
"h:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"h:\\Program Files\\Sierra Entertainment\\World in Conflict\\wic.exe"=
"h:\\Program Files\\Sierra Entertainment\\World in Conflict\\wic_online.exe"=
"h:\\Program Files\\Sierra Entertainment\\World in Conflict\\wic_ds.exe"=
"h:\\Program Files\\Adobe\\Photoshop Elements 7.0\\AdobePhotoshopElementsMediaServer.exe"=
"h:\\Program Files\\Reynolds\\ERALink\\wIntegSM.exe"=
"h:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"h:\\Program Files\\iTunes\\iTunes.exe"=
"h:\\Program Files\\Starcraft\\StarCraft.exe"=

R0 ssfs0bbc;ssfs0bbc;h:\windows\system32\drivers\ssfs0bbc.sys [2008-08-09 29808]
R2 LMIInfo;LogMeIn Kernel Information Provider;h:\program files\LogMeIn\x86\rainfo.sys [2008-07-24 12856]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;h:\windows\system32\drivers\LMIRfsDriver.sys [2008-06-01 47640]
S3 bcgame;Nostromo HID Device Minidriver;h:\windows\system32\drivers\bcgame.sys --> h:\windows\system32\drivers\bcgame.sys [?]
S3 sdAuxService;PC Tools Auxiliary Service;h:\program files\Spyware Doctor\pctsAuxs.exe [2009-02-05 356920]
S4 AdobeActiveFileMonitor7.0;Adobe Active File Monitor V7;h:\program files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe [2008-09-16 169312]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]
S4 NeroRegInCDSrv;Nero Registry InCD Service;h:\program files\Nero\Nero8\InCD\NBHRegInCDSrv.exe [2007-12-13 50984]
S4 WinDefend;Windows Defender;h:\program files\Windows Defender\MsMpEng.exe [2006-11-03 13592]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
.
.
------- Supplementary Scan -------
.
uStart Page = www.google.com/
uInternet Settings,ProxyOverride = *.local
FF - ProfilePath - h:\users\Abomination\Application Data\Mozilla\Firefox\Profiles\ddkrqurq.default\
FF - component: h:\program files\Mozilla Firefox\components\xpinstal.dll
FF - component: h:\program files\Mozilla Firefox\extensions\talkback@mozilla.org\components\qfaservices.dll

---- FIREFOX POLICIES ----
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: content.max.tokenizing.time - 200000
FF - user.js: content.notify.interval - 100000
FF - user.js: content.switch.threshold - 650000
FF - user.js: nglayout.initialpaint.delay - 300
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-12 13:10:58
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1644491937-1547161642-1606980848-1004\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:4c,0d,93,e4,4d,b9,5a,34,61,23,8d,aa,31,cd,72,80,4f,98,dc,0d,dc,20,69,
66,7c,ae,89,97,30,70,af,29,c6,f8,d8,19,8d,28,68,58,90,62,a9,c6,ee,81,dd,36,\
"??"=hex:42,a0,07,3f,7e,7e,fa,03,9e,17,7f,c0,c1,e2,c5,3d

[HKEY_USERS\S-1-5-21-1644491937-1547161642-1606980848-1004\Software\SecuROM\License information*]
"datasecu"=hex:05,c2,10,55,2e,66,a6,5d,e8,ec,4a,bf,8a,29,51,6a,34,7b,07,2c,22,
4c,ce,73,50,e5,11,ee,e0,27,c9,10,56,32,06,c7,94,46,e2,28,52,4d,67,2d,32,8e,\
"rkeysecu"=hex:d6,3a,31,d8,71,67,f1,fd,0a,c3,aa,ad,b1,ec,13,0c
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(804)
h:\windows\system32\SETUPAPI.dll
h:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
h:\windows\system32\LMIinit.dll
h:\program files\common files\logishrd\bluetooth\LBTServ.dll
h:\windows\system32\cscui.dll

- - - - - - - > 'lsass.exe'(860)
h:\windows\system32\setupapi.dll
.
Completion time: 2009-02-12 13:33:22
ComboFix-quarantined-files.txt 2009-02-12 21:32:51
ComboFix2.txt 2009-02-12 18:06:49

Pre-Run: 209,667,256,320 bytes free
Post-Run: 209,682,427,904 bytes free

381 --- E O F --- 2009-02-12 01:55:05

#6 miekiemoes

    Malware Killer Dog

  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 12 February 2009 - 04:44 PM

Hi,

This looks OK again.

* Go to start > run and copy and paste next command in the field:

ComboFix /u

Make sure there's a space between Combofix and /
Then hit enter.

This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.


Let me know in your next reply how things are now.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#7 dsapper

  • Topic Starter
  • Members
  • 4 posts

Posted 13 February 2009 - 03:13 PM

Actually, things seem back to normal now, thanks a lot!

If you can explain it in layman's terms, I'd love to hear what was going on.

#8 miekiemoes

    Malware Killer Dog

  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 13 February 2009 - 05:49 PM

Well, you were dealing with a Search Hijacker. This one gets installed via P2P software such as Limewire.
So, always be careful what you download. I do not recommend downloading anything via P2P, because in 80% of the cases it's malware.

Glad I could help. :thumbup2:

Please read my Prevention page with lots of info and tips on how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here.
Extra note: make sure your programs are up to date, because older versions may contain Security Leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Happy Surfing again!

#9 miekiemoes

    Malware Killer Dog

  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 17 February 2009 - 09:52 AM

Since this issue appears resolved ... this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.