Google Links Redirect / Firefox Slowdown


This topic is locked
10 replies to this topic

#1 Bourgeosie

  • Members
  • 12 posts
  • Local time:02:33 AM

Posted 23 June 2009 - 10:10 PM

Hello, I apologize that this topic is relatively similar to the other one, but the redirects seem different (random sites, and multiple redirects per link through various search engines). Every Google link is met with the same result (though the sites that I'm redirected through are always different). My Firefox is also running significantly slower than normal, though my internet connection is unaffected (I have tried wireless and wired internet connections). I have run Ad-Aware, Malwarebytes, and Spybot (for each run, only the program I was running was installed; there was only ever one anti-virus / anti-malware installed at a time), but none of them have found any malicious items. This is happening with both my stable Firefox release (Firefox v3.0.11) and the beta 3.5 version of Firefox. Here is the log:


DDS (Ver_09-05-14.01) - NTFSx86
Run by Bourgeosie at 21:59:20.12 on Tue 06/23/2009
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1521 [GMT -5:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\GIGABYTE\G.O.M\GCSVR.EXE
C:\Program Files\GIGABYTE\EnergySaver\GSvr.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe -k podmena
C:\WINDOWS\System32\snmp.exe
C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WLService.exe
C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WMP54GSv1_1.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Common Files\Logitech\G-series Software\LGDCore.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\CML.exe
C:\WINDOWS\system32\RecvMessage.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\GIGABYTE\GBTUpd\RunUpd.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\GIGABYTE\ET6\GUI.exe
C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Mozilla Firefox 3.5 Beta 4\firefox.exe
C:\Documents and Settings\Bourgeosie\My Documents\Downloads\SecurityCheck.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\Bourgeosie\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

uInternet Settings,ProxyOverride = *.local;<local>
uInternet Settings,ProxyServer = http=localhost:7171
uURLSearchHooks: DeviceVM Url Search Hook: {0063bf63-bfff-4b8f-9d26-4267df7f17dd} - c:\windows\system32\dvmurl.dll
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 6.0\reader\activex\AcroIEHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - No File
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [AlcWzrd] ALCWZRD.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [GEST] m|\
mRun: [JMB36X IDE Setup] c:\windows\raidtool\xInsIDE.exe
mRun: [36X Raid Configurer] c:\windows\system32\xRaidSetup.exe boot
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [Launch LGDCore] "c:\program files\common files\logitech\g-series software\LGDCore.exe" /SHOWHIDE
mRun: [Launch LCDMon] "c:\program files\common files\logitech\lcd manager\lcdmon.exe"
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [tray2] c:\windows\system32\CML.exe
mRun: [tray3] c:\windows\system32\RecvMessage.exe
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\isuspm.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [GBTUpd] c:\program files\gigabyte\gbtupd\PreRun.exe
mRun: [EasyTuneVI] c:\program files\gigabyte\et6\ETcall.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [WinampAgent] "c:\program files\winamp\winampa.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\jp2iexp.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\bourge~1\applic~1\mozilla\firefox\profiles\y6pulzqb.default\
FF - plugin: c:\program files\mozilla firefox 3.5 beta 4\plugins\npPandoWebInst.dll

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox 3.5 beta 4\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\mozilla firefox 3.5 beta 4\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\mozilla firefox 3.5 beta 4\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\mozilla firefox 3.5 beta 4\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\mozilla firefox 3.5 beta 4\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\mozilla firefox 3.5 beta 4\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\mozilla firefox 3.5 beta 4\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\mozilla firefox 3.5 beta 4\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\mozilla firefox 3.5 beta 4\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\mozilla firefox 3.5 beta 4\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\mozilla firefox 3.5 beta 4\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\mozilla firefox 3.5 beta 4\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\mozilla firefox 3.5 beta 4\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\mozilla firefox 3.5 beta 4\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\mozilla firefox 3.5 beta 4\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\mozilla firefox 3.5 beta 4\greprefs\all.js - pref("geo.enabled", true);
c:\program files\mozilla firefox 3.5 beta 4\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\mozilla firefox 3.5 beta 4\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");

============= SERVICES / DRIVERS ===============

R1 podmenadrv;podmenadrv;c:\program files\podmena\podmena.sys [2009-6-9 9472]
R2 COM Service;COM Service;c:\program files\gigabyte\g.o.m\GCSVR.exe [2009-4-13 16384]
R2 GEST Service;GEST Service for program management.;c:\program files\gigabyte\energysaver\GSvr.exe [2009-4-13 80392]
R2 podmena;podmena;c:\windows\system32\svchost.exe -k podmena [2004-8-4 14336]
R2 RtNdPt5x;Realtek NDIS Protocol Driver;c:\windows\system32\drivers\RtNdPt5x.sys [2009-4-13 35840]
R3 GVTDrv;GVTDrv;c:\windows\system32\drivers\GVTDrv.sys [2009-4-13 24944]
S3 RTLTEAMING;Realtek Intermediate Driver for Ethernet Extended Features;c:\windows\system32\drivers\RTLTEAMING.SYS [2009-4-13 28416]
S3 RTLVLAN;Realtek VLAN Intermediate Driver;c:\windows\system32\drivers\RTLVLAN.SYS [2009-4-13 17408]

=============== Created Last 30 ================

2009-06-23 21:40 21,449 a------- c:\windows\system32\jcsball.dat
2009-06-23 21:40 5,971 a------- c:\windows\system32\jcsb.new
2009-06-23 21:40 0 a------- c:\windows\system32\jerror.dat
2009-06-23 21:20 45,088 a--sh--- c:\windows\system32\drivers\fidbox.dat
2009-06-23 21:20 4,896 a--sh--- c:\windows\system32\drivers\fidbox2.dat
2009-06-23 21:20 1,604 a--sh--- c:\windows\system32\drivers\fidbox.idx
2009-06-23 21:20 1,532 a--sh--- c:\windows\system32\drivers\fidbox2.idx
2009-06-23 21:10 <DIR> --d----- c:\program files\common files\ParetoLogic
2009-06-18 18:43 <DIR> --d----- c:\program files\uTorrent
2009-06-18 12:46 <DIR> --d----- C:\Nexon
2009-06-18 11:49 <DIR> --d----- c:\docume~1\alluse~1\applic~1\PMB Files
2009-06-18 11:48 <DIR> --d----- c:\program files\Pando Networks
2009-06-17 18:56 14 a------- c:\windows\system32\systeminfo3.dll
2009-06-17 18:56 81,920 a------- c:\docume~1\bourge~1\applic~1\ezpinst.exe
2009-06-17 18:56 47,360 a------- c:\windows\system32\drivers\pcouffin.sys
2009-06-17 18:56 47,360 a------- c:\docume~1\bourge~1\applic~1\pcouffin.sys
2009-06-17 18:56 <DIR> --d----- c:\program files\CloneDVD
2009-06-17 18:56 <DIR> --d----- c:\docume~1\alluse~1\applic~1\DVDXStudio
2009-06-17 18:44 <DIR> --d----- c:\program files\SlySoft
2009-06-17 18:40 4 a------- c:\windows\system32\GVTunner.ref
2009-06-13 15:39 <DIR> --d----- c:\program files\Mozilla Firefox 3.5 Beta 4
2009-06-09 18:54 <DIR> --d----- c:\program files\podmena
2009-06-09 18:54 2 ----h--- c:\windows\ro122458.dat
2009-06-07 17:05 <DIR> --d----- c:\windows\system32\XPSViewer
2009-06-07 17:04 14,048 -------- c:\windows\system32\spmsg2.dll
2009-06-07 16:07 278,984 a------- c:\windows\system32\drivers\atksgt.sys
2009-06-07 16:07 25,416 a------- c:\windows\system32\drivers\lirsgt.sys
2009-06-07 15:56 <DIR> --d----- c:\program files\The Witcher
2009-05-30 13:21 129,520 -------- c:\windows\system32\pxafs.dll
2009-05-30 13:21 44,944 -------- c:\windows\system32\drivers\PxHelp20.sys
2009-05-30 13:21 9,200 -------- c:\windows\system32\drivers\cdralw2k.sys
2009-05-30 13:21 9,072 -------- c:\windows\system32\drivers\cdr4_xp.sys
2009-05-28 18:30 <DIR> --d----- c:\program files\Intelore

==================== Find3M ====================

2009-06-23 21:40 16,608 a------- c:\windows\gdrv.sys
2009-06-23 21:40 24,944 a------- c:\windows\system32\drivers\GVTDrv.sys
2009-05-10 11:10 35,382 a------- c:\windows\scunin.dat
2009-05-10 11:10 94,208 a------- c:\windows\ScUnin.exe
2009-05-07 10:32 345,600 a------- c:\windows\system32\localspl.dll
2009-04-28 23:46 666,624 a------- c:\windows\system32\wininet.dll
2009-04-28 23:46 81,920 a------- c:\windows\system32\ieencode.dll
2009-04-25 12:02 721,904 a------- c:\windows\system32\drivers\sptd.sys
2009-04-25 11:54 0 a---h--- c:\windows\system32\drivers\Msft_Kernel_xusb21_01007.Wdf
2009-04-25 11:53 0 a---h--- c:\windows\system32\drivers\MsftWdf_Kernel_01007_Coinstaller_Critical.Wdf
2009-04-17 20:03 410,984 a------- c:\windows\system32\deploytk.dll
2009-04-17 07:26 1,847,168 a------- c:\windows\system32\win32k.sys
2009-04-16 17:04 86,327 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-04-15 09:51 585,216 a------- c:\windows\system32\rpcrt4.dll
2009-04-13 20:03 319,488 a------- c:\windows\HideWin.exe
2009-04-13 19:52 21,640 a------- c:\windows\system32\emptyregdb.dat
2009-03-27 08:14 453,152 a------- c:\windows\system32\NVUNINST.EXE

============= FINISH: 21:59:33.78 ===============


Thank you so much in advance for your help!


#2 Farbar

    Just Curious


  • Security Developer
  • 21,688 posts
  • Gender:Male
  • Location:The Netherlands
  • Local time:09:33 AM

Posted 24 June 2009 - 01:20 PM

Hi Bourgeosie,

Welcome to the BC HijackThis forum. I am farbar. I am going to assist you with your problem.

Please refrain from making any changes to your system (updating Windows, installing applications, removing files, etc.) from now on as it might prolong handling your log and make the job for both of us more difficult.


Download ComboFix from one of these locations:

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Information on A/V control HERE)

  • Close any open browsers.

    Open notepad (start > All Programs > Accessories > Notepad) and copy/paste the text in the code box below into it:

    DDS::
    uInternet Settings,ProxyOverride = *.local;<local>
    uInternet Settings,ProxyServer = http=localhost:7171
    TB: {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - No File
    mRun: [Alcmtr] ALCMTR.EXE

    Save this as CFScript.txt, in the same location as ComboFix.exe


    Posted Image

    Referring to the picture above, drag CFScript into ComboFix.exe.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.


    When finished, it shall produce a log for you ( "C:\ComboFix.txt"). Please copy and paste the log to your reply.
Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.


When finished, it shall produce a log for you. Please copy and paste the C:\ComboFix.txt in your next reply.
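A triage script for DDS output of the kind posted above, added here as an example and not part of the thread or of any BleepingComputer tool: it picks out the three kinds of entries that matter in this log (a proxy on the loopback interface, an svchost service group that stock XP does not define, and a toolbar registration whose file is gone) and formats the report entries as the DDS:: block the CFScript step above uses. The sample lines are constructed from the log posted in this thread; the svchost group allowlist is an assumption.

```python
"""Triage the 'Pseudo HJT Report' and process list of a DDS log.

Added example, not part of the thread: flags the kinds of entries the
helper pulled into the CFScript, plus one the script cannot fix.
"""
import re

# Constructed sample: the lines from the DDS report in this thread that
# matter here, plus a few benign ones so the filters have something to skip.
SAMPLE_DDS = """\
============== Running Processes ===============

C:\\WINDOWS\\system32\\svchost -k DcomLaunch
C:\\WINDOWS\\System32\\svchost.exe -k netsvcs
C:\\WINDOWS\\system32\\svchost.exe -k podmena
C:\\WINDOWS\\System32\\svchost.exe -k HTTPFilter

============== Pseudo HJT Report ===============

uInternet Settings,ProxyOverride = *.local;<local>
uInternet Settings,ProxyServer = http=localhost:7171
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\\program files\\java\\jre6\\bin\\ssv.dll
TB: {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - No File
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [SoundMan] SOUNDMAN.EXE
"""

# svchost service groups present on a stock Windows XP install (assumption:
# allowlist written from default installs; extend it from your own baseline).
KNOWN_SVCHOST_GROUPS = {
    "dcomlaunch", "rpcss", "netsvcs", "networkservice", "localservice",
    "imgsvc", "httpfilter", "termsvcs", "wudfservicegroup",
}

LOOPBACK = {"localhost", "127.0.0.1", "::1"}

PROXY_RE = re.compile(r"^[um]Internet Settings,ProxyServer\s*=\s*(.+)$", re.I)
SVCHOST_RE = re.compile(r"\\svchost(?:\.exe)?\s+-k\s+(\S+)", re.I)
TB_NOFILE_RE = re.compile(r"^TB:\s.*-\s*No File\s*$", re.I)


def proxy_hosts(value):
    """Return the hostnames named in an IE ProxyServer value.

    The value is either 'host:port' or 'http=host:port;https=host:port;...'.
    """
    hosts = []
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        addr = part.split("=", 1)[1] if "=" in part else part
        hosts.append(addr.rsplit(":", 1)[0].strip().lower())
    return hosts


def triage(dds_text):
    """Scan DDS text and return a list of (category, line) findings."""
    findings = []
    for raw in dds_text.splitlines():
        line = raw.strip()
        m = PROXY_RE.match(line)
        if m:
            if any(h in LOOPBACK for h in proxy_hosts(m.group(1))):
                # A proxy on the loopback interface means some local process
                # sees, and can rewrite, every browser request. Firefox follows
                # the system proxy settings by default, so it is affected too.
                findings.append(("loopback-proxy", line))
            continue
        m = SVCHOST_RE.search(line)
        if m and m.group(1).lower() not in KNOWN_SVCHOST_GROUPS:
            # A group stock XP does not define: a third-party service has
            # registered itself to run inside svchost. Worth a manual look.
            findings.append(("unknown-svchost-group", line))
            continue
        if TB_NOFILE_RE.match(line):
            # Toolbar registration whose file is gone: an orphan to clean up.
            findings.append(("orphan-toolbar", line))
    return findings


def to_cfscript_dds_block(findings):
    """Format the report findings as the DDS:: block a CFScript uses.

    Only Pseudo HJT Report entries belong here; the svchost finding comes
    from the process list and is for a person to follow up, not the script.
    """
    lines = [l for cat, l in findings if cat != "unknown-svchost-group"]
    return "DDS::\n" + "\n".join(lines) + "\n" if lines else ""


if __name__ == "__main__":
    results = triage(SAMPLE_DDS)
    for cat, line in results:
        print(f"{cat:22} {line}")
    print()
    print(to_cfscript_dds_block(results), end="")
```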

#3 Bourgeosie
  • Topic Starter

  • Members
  • 12 posts
  • Local time:02:33 AM

Posted 24 June 2009 - 05:23 PM

Hello farbar, thank you so much for helping me!
Here is the log:

ComboFix 09-06-23.01 - Bourgeosie 06/24/2009 17:16.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1629 [GMT -5:00]
Running from: c:\documents and settings\Bourgeosie\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Bourgeosie\Desktop\CFScript.txt
.
ADS - WINDOWS: deleted 24 bytes in 1 streams.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\podmena
c:\program files\podmena\podmena.dll
c:\program files\podmena\podmena.sys
c:\windows\ro122458.dat
c:\windows\system32\gmail.dll
c:\windows\system32\systeminfo3.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_PODMENA
-------\Legacy_PODMENADRV
-------\Service_podmena
-------\Service_podmenadrv


((((((((((((((((((((((((( Files Created from 2009-05-24 to 2009-06-24 )))))))))))))))))))))))))))))))
.

2009-06-24 02:20 . 2009-06-24 02:30 4896 --sha-w- c:\windows\system32\drivers\fidbox2.dat
2009-06-24 02:20 . 2009-06-24 02:30 45088 --sha-w- c:\windows\system32\drivers\fidbox.dat
2009-06-24 02:10 . 2009-06-24 02:26 -------- d-----w- c:\program files\Common Files\ParetoLogic
2009-06-24 02:10 . 2009-06-24 02:10 -------- d-----w- c:\documents and settings\Bourgeosie\Local Settings\Application Data\Downloaded Installations
2009-06-18 23:43 . 2009-06-18 23:43 -------- d-----w- c:\program files\uTorrent
2009-06-18 17:47 . 2009-06-18 17:47 45056 ----a-r- c:\documents and settings\Bourgeosie\Application Data\Microsoft\Installer\{0F7B35C3-06E4-423C-A4E6-F24EE2747260}\MapleStory.exe1_4AEB0CCE3E7240D9887BBEC518A5E7A0.exe
2009-06-18 17:47 . 2009-06-18 17:47 45056 ----a-r- c:\documents and settings\Bourgeosie\Application Data\Microsoft\Installer\{0F7B35C3-06E4-423C-A4E6-F24EE2747260}\MapleStory.exe_4AEB0CCE3E7240D9887BBEC518A5E7A0.exe
2009-06-18 17:47 . 2009-06-18 17:47 10134 ----a-r- c:\documents and settings\Bourgeosie\Application Data\Microsoft\Installer\{0F7B35C3-06E4-423C-A4E6-F24EE2747260}\ARPPRODUCTICON.exe
2009-06-18 17:46 . 2009-06-18 17:46 -------- d-----w- C:\Nexon
2009-06-18 16:49 . 2009-06-19 02:42 -------- d-----w- c:\documents and settings\Bourgeosie\Local Settings\Application Data\PMB Files
2009-06-18 16:49 . 2009-06-18 16:49 -------- d-----w- c:\documents and settings\All Users\Application Data\PMB Files
2009-06-18 16:48 . 2009-06-18 16:48 -------- d-----w- c:\program files\Pando Networks
2009-06-17 23:56 . 2009-06-18 18:01 10128 ----a-w- c:\documents and settings\All Users\Application Data\DVDXStudio\CloneDVD4\MainApp.dll
2009-06-17 23:56 . 2009-06-17 23:56 -------- d-----w- c:\documents and settings\Bourgeosie\Application Data\Vso
2009-06-17 23:56 . 2009-06-17 23:56 81920 ----a-w- c:\documents and settings\Bourgeosie\Application Data\ezpinst.exe
2009-06-17 23:56 . 2009-06-17 23:56 47360 ----a-w- c:\windows\system32\drivers\pcouffin.sys
2009-06-17 23:56 . 2009-06-17 23:56 47360 ----a-w- c:\documents and settings\Bourgeosie\Application Data\pcouffin.sys
2009-06-17 23:56 . 2009-06-17 23:56 -------- d-----w- c:\program files\CloneDVD
2009-06-17 23:56 . 2009-06-17 23:56 -------- d-----w- c:\documents and settings\All Users\Application Data\DVDXStudio
2009-06-17 23:45 . 2009-06-17 23:49 -------- d-----w- c:\documents and settings\All Users\Application Data\SlySoft
2009-06-17 23:44 . 2009-06-17 23:49 -------- d-----w- c:\program files\SlySoft
2009-06-15 02:03 . 2009-06-15 02:03 -------- d-----w- c:\documents and settings\Bourgeosie\Application Data\Winamp
2009-06-15 02:03 . 2009-06-15 02:03 -------- d-----w- c:\program files\Winamp
2009-06-13 20:39 . 2009-06-24 22:11 -------- d-----w- c:\program files\Mozilla Firefox 3.5 Beta 4
2009-06-12 19:52 . 2009-06-12 19:52 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple
2009-06-07 22:08 . 2009-06-15 01:46 -------- d-----w- c:\documents and settings\Bourgeosie\Local Settings\Application Data\The Witcher
2009-06-07 22:06 . 2009-06-07 22:06 -------- d-----w- c:\program files\MSBuild
2009-06-07 22:06 . 2009-06-07 22:06 69024 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-06-07 22:05 . 2009-06-07 22:05 -------- d-----w- c:\windows\system32\XPSViewer
2009-06-07 22:05 . 2009-06-07 22:05 -------- d-----w- c:\program files\Reference Assemblies
2009-06-07 22:04 . 2006-06-29 18:07 14048 ------w- c:\windows\system32\spmsg2.dll
2009-06-07 21:07 . 2009-06-07 21:07 278984 ----a-w- c:\windows\system32\drivers\atksgt.sys
2009-06-07 21:07 . 2009-06-07 21:07 25416 ----a-w- c:\windows\system32\drivers\lirsgt.sys
2009-06-07 20:56 . 2009-06-07 21:07 -------- d-----w- c:\program files\The Witcher
2009-05-30 18:21 . 2008-08-20 17:58 9200 ------w- c:\windows\system32\drivers\cdralw2k.sys
2009-05-30 18:21 . 2008-08-20 17:58 9072 ------w- c:\windows\system32\drivers\cdr4_xp.sys
2009-05-30 18:21 . 2008-08-20 17:58 44944 ------w- c:\windows\system32\drivers\PxHelp20.sys
2009-05-30 18:21 . 2008-08-20 17:58 129520 ------w- c:\windows\system32\pxafs.dll
2009-05-28 23:30 . 2009-05-28 23:30 -------- d-----w- c:\program files\Intelore

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-24 22:19 . 2009-04-14 00:59 16608 ----a-w- c:\windows\gdrv.sys
2009-06-24 22:19 . 2009-04-14 02:01 24944 ----a-w- c:\windows\system32\drivers\GVTDrv.sys
2009-06-24 02:30 . 2009-06-24 02:20 1604 --sha-w- c:\windows\system32\drivers\fidbox.idx
2009-06-24 02:30 . 2009-06-24 02:20 1532 --sha-w- c:\windows\system32\drivers\fidbox2.idx
2009-06-18 16:43 . 2009-04-20 00:56 1 ----a-w- c:\documents and settings\Bourgeosie\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2009-06-07 22:07 . 2009-04-14 01:26 17280 ----a-w- c:\documents and settings\Bourgeosie\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-06-07 20:56 . 2009-04-14 01:00 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-06-02 21:36 . 2009-04-14 02:04 -------- d-----w- c:\program files\Ricochet Lost Worlds
2009-05-27 03:15 . 2009-04-15 23:47 -------- d-----w- c:\documents and settings\Bourgeosie\Application Data\Apple Computer
2009-05-10 21:21 . 2009-05-10 21:21 -------- d-----w- c:\program files\UBISOFT
2009-05-10 16:10 . 2009-05-10 16:07 35382 ----a-w- c:\windows\scunin.dat
2009-05-10 16:10 . 2009-05-10 16:06 -------- d-----w- c:\program files\Starcraft
2009-05-10 16:10 . 2009-05-10 16:07 967 ----a-w- c:\windows\ScUnin.pif
2009-05-10 16:10 . 2009-05-10 16:07 94208 ----a-w- c:\windows\ScUnin.exe
2009-05-10 16:03 . 2009-05-10 15:44 -------- d-----w- c:\program files\Doom 3
2009-05-10 04:31 . 2009-05-10 04:31 -------- d-----w- c:\documents and settings\Bourgeosie\Application Data\dvdcss
2009-05-07 15:32 . 2004-08-04 12:00 345600 ----a-w- c:\windows\system32\localspl.dll
2009-05-04 00:12 . 2009-05-03 23:25 -------- d-----w- c:\program files\Common Files\Research In Motion
2009-05-03 23:50 . 2009-05-03 22:03 256 ----a-w- c:\windows\system32\pool.bin
2009-05-03 17:23 . 2009-05-03 17:23 -------- d-----w- c:\program files\EA Games
2009-05-03 17:22 . 2009-05-03 17:22 -------- d-----w- c:\program files\AGEIA Technologies
2009-05-03 17:22 . 2009-05-03 17:22 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-04-29 04:46 . 2004-08-04 12:00 666624 ----a-w- c:\windows\system32\wininet.dll
2009-04-29 04:46 . 2004-08-04 12:00 81920 ----a-w- c:\windows\system32\ieencode.dll
2009-04-28 20:37 . 2009-04-28 20:37 -------- d-----w- c:\program files\Real
2009-04-25 17:02 . 2009-04-25 17:02 721904 ----a-w- c:\windows\system32\drivers\sptd.sys
2009-04-18 01:03 . 2009-04-18 01:03 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-04-18 01:03 . 2009-04-18 01:03 152576 ----a-w- c:\documents and settings\Bourgeosie\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
2009-04-17 12:26 . 2004-08-04 12:00 1847168 ----a-w- c:\windows\system32\win32k.sys
2009-04-16 22:04 . 2009-04-14 00:54 86327 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-04-15 14:51 . 2004-08-04 12:00 585216 ----a-w- c:\windows\system32\rpcrt4.dll
2009-04-14 01:32 . 2009-04-14 01:32 0 ----a-w- c:\windows\nsreg.dat
2009-04-14 01:18 . 2009-04-14 01:18 17801 ----a-w- c:\windows\system32\drivers\AegisP.sys
2009-04-14 01:16 . 2009-04-14 01:16 10134 ----a-r- c:\documents and settings\Bourgeosie\Application Data\Microsoft\Installer\{3EE9BCAE-E9A9-45E5-9B1C-83A4D357E05C}\ARPPRODUCTICON.exe
2009-04-14 01:16 . 2009-04-14 01:16 10134 ----a-r- c:\documents and settings\Bourgeosie\Application Data\Microsoft\Installer\{8CC990CD-87C8-475C-AC32-8A7984E2FCFA}\ARPPRODUCTICON.exe
2009-04-14 01:15 . 2009-04-14 01:15 10134 ----a-r- c:\documents and settings\Bourgeosie\Application Data\Microsoft\Installer\{56918C0C-0D87-4CA6-92BF-4975A43AC719}\ARPPRODUCTICON.exe
2009-04-14 01:03 . 2009-04-14 01:03 319488 ----a-w- c:\windows\HideWin.exe
2009-04-14 00:52 . 2009-04-14 00:52 21640 ----a-w- c:\windows\system32\emptyregdb.dat
2009-04-08 19:29 . 2009-04-08 19:29 56448 ----a-w- c:\windows\system32\drivers\xusb21.sys
2009-04-06 20:32 . 2009-04-14 01:38 38496 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 20:32 . 2009-04-14 01:38 15504 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-04-02 21:29 . 2009-04-02 21:29 75048 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.1.1.10\SetupAdmin.exe
2009-03-27 13:14 . 2009-04-14 01:08 453152 ----a-w- c:\windows\system32\NVUNINST.EXE
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"GEST"="m|\" [X]
"JMB36X IDE Setup"="c:\windows\RaidTool\xInsIDE.exe" [2007-03-20 36864]
"36X Raid Configurer"="c:\windows\system32\xRaidSetup.exe" [2007-11-19 1966080]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-03-27 13684736]
"Launch LGDCore"="c:\program files\Common Files\Logitech\G-series Software\LGDCore.exe" [2006-07-23 1126400]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-03-27 86016]
"tray2"="c:\windows\system32\CML.exe" [2005-07-15 20480]
"tray3"="c:\windows\system32\RecvMessage.exe" [2007-01-10 196608]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe" [2005-02-17 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-02-17 81920]
"GBTUpd"="c:\program files\GIGABYTE\GBTUpd\PreRun.exe" [2008-04-03 297480]
"EasyTuneVI"="c:\program files\GIGABYTE\ET6\ETcall.exe" [2007-07-26 20480]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-04-02 342312]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-04-18 148888]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2007-10-10 36352]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2008-07-23 16804864]
"SoundMan"="SOUNDMAN.EXE" - c:\windows\SoundMan.exe [2008-06-18 77824]
"AlcWzrd"="ALCWZRD.EXE" - c:\windows\alcwzrd.exe [2008-06-19 2808832]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2009-03-27 1657376]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" - c:\windows\KHALMNPR.Exe [2007-04-11 56080]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" - c:\windows\KHALMNPR.Exe [2007-04-11 56080]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2009-4-13 692224]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\RecvMessage.exe"=
"c:\\Program Files\\GIGABYTE\\GBTUpd\\RunUpd.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\GIGABYTE\\GBTUpd\\GBTUpd.exe"=
"c:\\Program Files\\EA Games\\Mirror's Edge\\Binaries\\MirrorsEdge.exe"=
"c:\\Program Files\\UBISOFT\\Ghost Recon Advanced Warfighter 2\\graw2.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"8085:TCP"= 8085:TCP:podmena
"57096:TCP"= 57096:TCP:Pando Media Booster
"57096:UDP"= 57096:UDP:Pando Media Booster

R2 COM Service;COM Service;c:\program files\GIGABYTE\G.O.M\GCSVR.exe [4/13/2009 8:55 PM 16384]
R2 GEST Service;GEST Service for program management.;c:\program files\GIGABYTE\EnergySaver\GSvr.exe [4/13/2009 8:00 PM 80392]
R2 RtNdPt5x;Realtek NDIS Protocol Driver;c:\windows\system32\drivers\RtNdPt5x.sys [4/13/2009 8:59 PM 35840]
R3 GVTDrv;GVTDrv;c:\windows\system32\drivers\GVTDrv.sys [4/13/2009 9:01 PM 24944]
S3 RTLTEAMING;Realtek Intermediate Driver for Ethernet Extended Features;c:\windows\system32\drivers\RTLTEAMING.SYS [4/13/2009 8:59 PM 28416]
S3 RTLVLAN;Realtek VLAN Intermediate Driver;c:\windows\system32\drivers\RTLVLAN.SYS [4/13/2009 8:59 PM 17408]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - GTNDIS5
.
Contents of the 'Scheduled Tasks' folder

2009-06-19 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-Launch LCDMon - c:\program files\Common Files\Logitech\LCD Manager\lcdmon.exe


.
------- Supplementary Scan -------
.
FF - ProfilePath -

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox 3.5 Beta 4\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\Mozilla Firefox 3.5 Beta 4\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\Mozilla Firefox 3.5 Beta 4\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\Mozilla Firefox 3.5 Beta 4\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\Mozilla Firefox 3.5 Beta 4\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\Mozilla Firefox 3.5 Beta 4\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\Mozilla Firefox 3.5 Beta 4\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\Mozilla Firefox 3.5 Beta 4\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\Mozilla Firefox 3.5 Beta 4\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\Mozilla Firefox 3.5 Beta 4\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\Mozilla Firefox 3.5 Beta 4\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\Mozilla Firefox 3.5 Beta 4\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\Mozilla Firefox 3.5 Beta 4\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\Mozilla Firefox 3.5 Beta 4\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\Mozilla Firefox 3.5 Beta 4\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\Mozilla Firefox 3.5 Beta 4\greprefs\all.js - pref("geo.enabled", true);
c:\program files\Mozilla Firefox 3.5 Beta 4\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\Mozilla Firefox 3.5 Beta 4\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\Mozilla Firefox 3.5 Beta 4\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\Mozilla Firefox 3.5 Beta 4\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\Mozilla Firefox 3.5 Beta 4\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\Mozilla Firefox 3.5 Beta 4\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\Mozilla Firefox 3.5 Beta 4\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\Mozilla Firefox 3.5 Beta 4\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\Mozilla Firefox 3.5 Beta 4\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\Mozilla Firefox 3.5 Beta 4\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\Mozilla Firefox 3.5 Beta 4\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\Mozilla Firefox 3.5 Beta 4\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\Mozilla Firefox 3.5 Beta 4\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\Mozilla Firefox 3.5 Beta 4\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\Mozilla Firefox 3.5 Beta 4\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\Mozilla Firefox 3.5 Beta 4\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\Mozilla Firefox 3.5 Beta 4\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\Mozilla Firefox 3.5 Beta 4\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\Mozilla Firefox 3.5 Beta 4\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\Mozilla Firefox 3.5 Beta 4\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\Mozilla Firefox 3.5 Beta 4\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\Mozilla Firefox 3.5 Beta 4\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\Mozilla Firefox 3.5 Beta 4\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\Mozilla Firefox 3.5 Beta 4\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\Mozilla Firefox 3.5 Beta 4\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\Mozilla Firefox 3.5 Beta 4\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\Mozilla Firefox 3.5 Beta 4\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\Mozilla Firefox 3.5 Beta 4\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\Mozilla Firefox 3.5 Beta 4\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\Mozilla Firefox 3.5 Beta 4\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-24 17:19
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\windows\system32\GVTunner.ref 4 bytes

scan completed successfully
hidden files: 1

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(4040)
c:\program files\Logitech\SetPoint\GameHook.dll
c:\program files\Logitech\SetPoint\lgscroll.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\snmp.exe
c:\program files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WLService.exe
c:\program files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WMP54GSv1_1.exe
c:\windows\system32\rundll32.exe
c:\program files\GIGABYTE\GBTUpd\RunUpd.exe
c:\program files\GIGABYTE\ET6\GUI.exe
c:\program files\Common Files\Logitech\KhalShared\KHALMNPR.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-06-24 17:20 - machine was rebooted
ComboFix-quarantined-files.txt 2009-06-24 22:20

Pre-Run: 537,143,443,456 bytes free
Post-Run: 537,141,792,768 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

275 --- E O F --- 2009-06-10 23:36

#4 Farbar

    Just Curious

  • Security Developer
  • 21,688 posts
  • Gender:Male
  • Location:The Netherlands

Posted 25 June 2009 - 01:17 AM

  • To close an open port added by the malware to the firewall settings, go to Start > Run, copy and paste the following line and click OK:

    cmd /c reg delete "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List" /v 8085:TCP /f


    A window flashes; it is normal.

  • Open your Malwarebytes' Anti-Malware, first update it, run a "Quick Scan", let it reboot if needed and copy/paste the log into your reply.

    Note: The logs are saved by default under the Logs tab. If the log did not open automatically, you can obtain the latest log from there.

  • Please tell me if the redirection still occurs; if yes, does it occur with both Internet Explorer and Firefox?
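The entry the helper targets above ("8085:TCP"= 8085:TCP:podmena) stands out because its description is neither a Windows resource string nor a program the owner installed. As an added example (not part of this thread, and not a BleepingComputer or Farbar tool), the Python script below parses the GloballyOpenPorts section of a DDS/ComboFix-style log, flags such exceptions, and builds the same reg delete line for each; the log excerpt and the allow-list of expected descriptions are constructed assumptions modelled on what was posted.

```python
"""Triage of the firewall exception list in a DDS/ComboFix-style log.

Added example; not part of this thread and not a BleepingComputer or
Farbar tool. The log excerpt and the allow-list below are constructed
assumptions modelled on what was posted above.
"""
import re

# Constructed sample, modelled on the GloballyOpenPorts section of the log above.
SAMPLE_LOG = r"""
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"8085:TCP"= 8085:TCP:podmena
"57096:TCP"= 57096:TCP:Pando Media Booster
"57096:UDP"= 57096:UDP:Pando Media Booster
"""

# Full key that the helper's reg delete command targets.
OPEN_PORTS_KEY = (r"HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters"
                  r"\FirewallPolicy\StandardProfile\GloballyOpenPorts\List")

# Assumption: descriptions the machine's owner can account for. Descriptions
# starting with '@' are Windows resource strings (here: Remote Desktop) and
# are treated as expected without being listed.
EXPECTED_DESCRIPTIONS = {"Pando Media Booster"}

# One value line looks like:  "8085:TCP"= 8085:TCP:podmena
ENTRY_RE = re.compile(
    r'^"(?P<name>\d+:(?:TCP|UDP))"=\s*(?P<port>\d+):(?P<proto>TCP|UDP):(?P<desc>.*)$')


def parse_open_ports(log_text):
    """Return the entries under the GloballyOpenPorts\\List key as dicts."""
    entries = []
    in_section = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith("["):            # a new registry key header
            in_section = line.lower().endswith(r"globallyopenports\list]")
            continue
        if not in_section or not line:
            continue
        m = ENTRY_RE.match(line)
        if m:
            entry = m.groupdict()
            entry["port"] = int(entry["port"])
            entry["desc"] = entry["desc"].strip()
            entries.append(entry)
    return entries


def is_suspicious(entry, expected=EXPECTED_DESCRIPTIONS):
    """An exception is suspicious when its description is neither a Windows
    resource string nor a program the owner recognises."""
    desc = entry["desc"]
    if desc.startswith("@"):
        return False
    return desc not in expected


def find_suspicious(log_text, expected=EXPECTED_DESCRIPTIONS):
    """All flagged entries from one log."""
    return [e for e in parse_open_ports(log_text) if is_suspicious(e, expected)]


def removal_command(entry):
    """The reg delete line the helper used, built for one flagged entry."""
    return f'reg delete "{OPEN_PORTS_KEY}" /v {entry["name"]} /f'


if __name__ == "__main__":
    for e in find_suspicious(SAMPLE_LOG):
        print(f"{e['port']}/{e['proto']} opened for '{e['desc']}': {removal_command(e)}")
```

The allow-list is the weak point of this check: an entry with a plausible-looking description still deserves a look at the AuthorizedApplications list and the running processes before it is trusted.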


#5 Bourgeosie
  • Topic Starter
  • Members
  • 12 posts

Posted 25 June 2009 - 05:43 PM

Here is the Malwarebytes log:

Malwarebytes' Anti-Malware 1.38
Database version: 2335
Windows 5.1.2600 Service Pack 3

6/25/2009 5:39:53 PM
mbam-log-2009-06-25 (17-39-53).txt

Scan type: Quick Scan
Objects scanned: 79993
Time elapsed: 1 minute(s), 49 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\it123.it123mgr (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\it123.it123mgr.1 (Trojan.BHO) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\WINDOWS\system32\790151 (Trojan.BHO) -> Quarantined and deleted successfully.

Files Infected:
(No malicious items detected)



The redirection no longer occurs in the stable Firefox v 3.0.11, the beta Firefox, or the latest Internet Explorer. It also seems that the speed on each browser is back to normal. Thank you so much for the help! Are any further checks needed to make sure?

#6 Farbar

    Just Curious

  • Security Developer
  • 21,688 posts
  • Gender:Male
  • Location:The Netherlands

Posted 26 June 2009 - 04:22 AM

Good news.

You are missing one important program on that computer: An antivirus.
This is somewhat suicidal in today's digital world.
You need to install an antivirus program as soon as you can. If you don't have a paid antivirus, I recommend this good free antivirus:

Avira
  • Download the installer from the softpedia.com link, as it has a secure download mirror. Install and update it.
  • In the left pane click Status. In the right pane click Scan system now.
  • After the scan has finished, let it remove what it finds and then click Report.
  • You can also get the last report by clicking Reports in the left pane.
  • In the right window under Action, double-click on the last Scan listed (you also see the corresponding Date/Time).
  • A window opens; click on Report file.
  • Copy and paste the content of the report to your reply.


#7 Bourgeosie
  • Topic Starter
  • Members
  • 12 posts

Posted 26 June 2009 - 08:06 PM

Thanks for the link! Here is the log:



Avira AntiVir Personal
Report file date: Friday, June 26, 2009 19:33

Scanning for 1429418 virus strains and unwanted programs.

Licensee : Avira AntiVir Personal - FREE Antivirus
Serial number : 0000149996-ADJIE-0000001
Platform : Windows XP
Windows version : (Service Pack 3) [5.1.2600]
Boot mode : Normally booted
Username : SYSTEM
Computer name : DAVID

Version information:
BUILD.DAT : 9.0.0.403 17961 Bytes 6/3/2009 17:05:00
AVSCAN.EXE : 9.0.3.6 466689 Bytes 5/11/2009 15:14:47
AVSCAN.DLL : 9.0.3.0 40705 Bytes 2/27/2009 16:58:24
LUKE.DLL : 9.0.3.2 209665 Bytes 2/20/2009 17:35:49
LUKERES.DLL : 9.0.2.0 12033 Bytes 2/27/2009 16:58:52
ANTIVIR0.VDF : 7.1.0.0 15603712 Bytes 10/27/2008 18:30:36
ANTIVIR1.VDF : 7.1.4.132 5707264 Bytes 6/24/2009 21:50:01
ANTIVIR2.VDF : 7.1.4.133 2048 Bytes 6/24/2009 21:50:02
ANTIVIR3.VDF : 7.1.4.144 82944 Bytes 6/26/2009 21:50:05
Engineversion : 8.2.0.199
AEVDF.DLL : 8.1.1.1 106868 Bytes 4/30/2009 17:52:04
AESCRIPT.DLL : 8.1.2.10 418171 Bytes 6/26/2009 21:50:39
AESCN.DLL : 8.1.2.3 127347 Bytes 5/14/2009 17:02:01
AERDL.DLL : 8.1.1.3 438645 Bytes 10/30/2008 00:24:41
AEPACK.DLL : 8.1.3.18 401783 Bytes 5/27/2009 22:07:20
AEOFFICE.DLL : 8.1.0.38 196987 Bytes 6/26/2009 21:50:35
AEHEUR.DLL : 8.1.0.137 1823095 Bytes 6/26/2009 21:50:34
AEHELP.DLL : 8.1.3.6 205174 Bytes 6/26/2009 21:50:15
AEGEN.DLL : 8.1.1.46 348533 Bytes 6/26/2009 21:50:12
AEEMU.DLL : 8.1.0.9 393588 Bytes 10/9/2008 20:32:40
AECORE.DLL : 8.1.6.12 180599 Bytes 5/27/2009 22:07:20
AEBB.DLL : 8.1.0.3 53618 Bytes 10/9/2008 20:32:40
AVWINLL.DLL : 9.0.0.3 18177 Bytes 12/12/2008 14:47:59
AVPREF.DLL : 9.0.0.1 43777 Bytes 12/5/2008 16:32:15
AVREP.DLL : 8.0.0.3 155905 Bytes 1/20/2009 20:34:28
AVREG.DLL : 9.0.0.0 36609 Bytes 12/5/2008 16:32:09
AVARKT.DLL : 9.0.0.3 292609 Bytes 3/24/2009 21:05:41
AVEVTLOG.DLL : 9.0.0.7 167169 Bytes 1/30/2009 16:37:08
SQLITE3.DLL : 3.6.1.0 326401 Bytes 1/28/2009 21:03:49
SMTPLIB.DLL : 9.2.0.25 28417 Bytes 2/2/2009 14:21:33
NETNT.DLL : 9.0.0.0 11521 Bytes 12/5/2008 16:32:10
RCIMAGE.DLL : 9.0.0.25 2438913 Bytes 5/15/2009 21:39:58
RCTEXT.DLL : 9.0.37.0 86785 Bytes 4/17/2009 16:19:48

Configuration settings for the scan:
Jobname.............................: Complete system scan
Configuration file..................: c:\program files\avira\antivir desktop\sysscan.avp
Logging.............................: low
Primary action......................: interactive
Secondary action....................: ignore
Scan master boot sector.............: on
Scan boot sector....................: on
Boot sectors........................: C:,
Process scan........................: on
Scan registry.......................: on
Search for rootkits.................: on
Integrity checking of system files..: off
Scan all files......................: All files
Scan archives.......................: on
Recursion depth.....................: 20
Smart extensions....................: on
Macro heuristic.....................: on
File heuristic......................: medium

Start of the scan: Friday, June 26, 2009 19:33

Starting search for hidden objects.
'44439' objects were checked, '0' hidden objects were found.

The scan of running processes will be started
Scan process 'wuauclt.exe' - '1' Module(s) have been scanned
Scan process 'firefox.exe' - '1' Module(s) have been scanned
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'alg.exe' - '1' Module(s) have been scanned
Scan process 'wmiprvse.exe' - '1' Module(s) have been scanned
Scan process 'iPodService.exe' - '1' Module(s) have been scanned
Scan process 'KHALMNPR.exe' - '1' Module(s) have been scanned
Scan process 'SetPoint.exe' - '1' Module(s) have been scanned
Scan process 'WMP54GSv1_1.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'WLService.exe' - '1' Module(s) have been scanned
Scan process 'snmp.exe' - '1' Module(s) have been scanned
Scan process 'nvsvc32.exe' - '1' Module(s) have been scanned
Scan process 'jqs.exe' - '1' Module(s) have been scanned
Scan process 'GSvr.exe' - '1' Module(s) have been scanned
Scan process 'GCSVR.exe' - '1' Module(s) have been scanned
Scan process 'mDNSResponder.exe' - '1' Module(s) have been scanned
Scan process 'jusched.exe' - '1' Module(s) have been scanned
Scan process 'AppleMobileDeviceService.exe' - '1' Module(s) have been scanned
Scan process 'GUI.exe' - '1' Module(s) have been scanned
Scan process 'iTunesHelper.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'RunUpd.exe' - '1' Module(s) have been scanned
Scan process 'issch.exe' - '1' Module(s) have been scanned
Scan process 'RecvMessage.exe' - '1' Module(s) have been scanned
Scan process 'rundll32.exe' - '1' Module(s) have been scanned
Scan process 'LGDCore.exe' - '1' Module(s) have been scanned
Scan process 'SoundMan.exe' - '1' Module(s) have been scanned
Scan process 'RTHDCPL.exe' - '1' Module(s) have been scanned
Scan process 'explorer.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned
45 processes with 45 modules were scanned

Starting master boot sector scan:
Master boot sector HD0
[INFO] No virus was found!

Start scanning boot sectors:
Boot sector 'C:\'
[INFO] No virus was found!

Starting to scan executable files (registry).
The registry was scanned ( '65' files ).


Starting the file scan:

Begin scan in 'C:\'
C:\pagefile.sys
[WARNING] The file could not be opened!
[NOTE] This file is a Windows system file.
[NOTE] This file cannot be opened for scanning.
C:\Qoobox\Quarantine\C\Program Files\podmena\podmena.dll.vir
[DETECTION] Is the TR/Agent.clsj Trojan
C:\Qoobox\Quarantine\C\Program Files\podmena\podmena.sys.vir
[DETECTION] Is the TR/Agent.clsj.B Trojan
C:\System Volume Information\_restore{28693E1F-1B42-4941-B4AD-09922D20F9BB}\RP50\A0014761.exe
[DETECTION] Is the TR/Trash.Gen Trojan
C:\System Volume Information\_restore{28693E1F-1B42-4941-B4AD-09922D20F9BB}\RP72\A0018454.exe
[DETECTION] Is the TR/Proxy.16384.A Trojan
C:\System Volume Information\_restore{28693E1F-1B42-4941-B4AD-09922D20F9BB}\RP76\A0018891.exe
[DETECTION] Contains recognition pattern of the WORM/Rbot.232448.4 worm
C:\System Volume Information\_restore{28693E1F-1B42-4941-B4AD-09922D20F9BB}\RP85\A0019506.rbf
[DETECTION] Is the TR/FraudPack.oyq Trojan
C:\System Volume Information\_restore{28693E1F-1B42-4941-B4AD-09922D20F9BB}\RP85\A0020620.dll
[DETECTION] Is the TR/Agent.clsj Trojan
C:\System Volume Information\_restore{28693E1F-1B42-4941-B4AD-09922D20F9BB}\RP85\A0020621.sys
[DETECTION] Is the TR/Agent.clsj.B Trojan
C:\System Volume Information\_restore{28693E1F-1B42-4941-B4AD-09922D20F9BB}\RP87\A0020788.exe
[DETECTION] Contains a recognition pattern of the (harmful) BDS/Doebyt.A back-door program
C:\WINDOWS\system32\drivers\sptd.sys
[WARNING] The file could not be opened!

Beginning disinfection:
C:\Qoobox\Quarantine\C\Program Files\podmena\podmena.dll.vir
[DETECTION] Is the TR/Agent.clsj Trojan
[NOTE] The file was moved to '4aa97101.qua'!
C:\Qoobox\Quarantine\C\Program Files\podmena\podmena.sys.vir
[DETECTION] Is the TR/Agent.clsj.B Trojan
[NOTE] The file was moved to '491cf7d2.qua'!
C:\System Volume Information\_restore{28693E1F-1B42-4941-B4AD-09922D20F9BB}\RP50\A0014761.exe
[DETECTION] Is the TR/Trash.Gen Trojan
[NOTE] The file was moved to '4a7570c2.qua'!
C:\System Volume Information\_restore{28693E1F-1B42-4941-B4AD-09922D20F9BB}\RP72\A0018454.exe
[DETECTION] Is the TR/Proxy.16384.A Trojan
[NOTE] The file was moved to '49c60783.qua'!
C:\System Volume Information\_restore{28693E1F-1B42-4941-B4AD-09922D20F9BB}\RP76\A0018891.exe
[DETECTION] Contains recognition pattern of the WORM/Rbot.232448.4 worm
[NOTE] The file was moved to '4a7570c3.qua'!
C:\System Volume Information\_restore{28693E1F-1B42-4941-B4AD-09922D20F9BB}\RP85\A0019506.rbf
[DETECTION] Is the TR/FraudPack.oyq Trojan
[NOTE] The file was moved to '49c3fe5c.qua'!
C:\System Volume Information\_restore{28693E1F-1B42-4941-B4AD-09922D20F9BB}\RP85\A0020620.dll
[DETECTION] Is the TR/Agent.clsj Trojan
[NOTE] The file was moved to '4a7570c4.qua'!
C:\System Volume Information\_restore{28693E1F-1B42-4941-B4AD-09922D20F9BB}\RP85\A0020621.sys
[DETECTION] Is the TR/Agent.clsj.B Trojan
[NOTE] The file was moved to '4f1f471d.qua'!
C:\System Volume Information\_restore{28693E1F-1B42-4941-B4AD-09922D20F9BB}\RP87\A0020788.exe
[DETECTION] Contains a recognition pattern of the (harmful) BDS/Doebyt.A back-door program
[NOTE] The file was moved to '4f1e4f65.qua'!


End of the scan: Friday, June 26, 2009 20:06
Used time: 32:45 Minute(s)

The scan has been done completely.

6295 Scanned directories
506542 Files were scanned
9 Viruses and/or unwanted programs were found
0 Files were classified as suspicious
0 files were deleted
0 Viruses and unwanted programs were repaired
9 Files were moved to quarantine
0 Files were renamed
2 Files cannot be scanned
506531 Files not concerned
3754 Archives were scanned
2 Warnings
10 Notes
44439 Objects were scanned with rootkit scan
0 Hidden objects were found

#8 Farbar

    Just Curious

  • Security Developer
  • 21,688 posts
  • Gender:Male
  • Location:The Netherlands

Posted 27 June 2009 - 04:00 AM

Great. Avira found nothing but the malware already removed by ComboFix and in System Volume Information, where the restore points are saved. We always empty that folder anyway when we uninstall ComboFix.
  • You may want to keep this small application and use it to keep the computer clean.
    Download CCleaner from here http://www.ccleaner.com/
    • Run the installer to install the application.
    • When it gives you the option to install the Yahoo toolbar, uncheck the box next to it.
    • Run CCleaner. (Make sure that under the Windows tab all the boxes for Internet Explorer and Windows Explorer are checked. Under System, check Empty Recycle Bin and Temporary Files. Under the Application tab all the boxes should be checked.)
    • Click Run Cleaner.
    • Close CCleaner.
  • Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older versions of Java components and update:
    • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
    • Look for "Java SE Runtime Environment (JRE)" JRE 6 Update 14.
    • Click the Download button to the right.
    • Select your Platform: "Windows".
    • Select your Language: "Multi-language".
    • Read the License Agreement, and then check the box that says: "Accept License Agreement".
    • Click Continue and the page will refresh.
    • Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
    • Close any programs you may have running - especially your web browser.
    • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
    • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
    • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
    • Repeat as many times as necessary to remove each Java version.
    • Reboot your computer once all Java components are removed.
    • Then from your desktop double-click on jre-6u13-windows-i586-p.exe to install the newest version.
    -- If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
    -- If you choose to update via the Java applet in Control Panel, uncheck the option to install the Toolbar unless you want it.
    -- The uninstaller incorporated in this release removes previous Updates 10 and above, but does not remove older versions, so they still need to be removed manually.


    Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click Ok and reboot your computer.

  • Tell me how the computer is running.


#9 Bourgeosie
  • Topic Starter
  • Members
  • 12 posts

Posted 27 June 2009 - 10:39 PM

Everything installed and ran just fine!
The computer is running just as quickly as the day I built it :thumbup2:
Thank you so much for all of the help! Are there any finishing touches remaining?

#10 Farbar

    Just Curious

  • Security Developer
  • 21,688 posts
  • Gender:Male
  • Location:The Netherlands

Posted 28 June 2009 - 05:52 AM

You are very welcome. :thumbup2:

Everything looks good.
  • Go to Start => Run => copy and paste the next command in the field, then hit Enter:

    ComboFix /u

    This will uninstall ComboFix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

    It makes a clean Restore Point and clears all the old restore points in order to prevent possible reinfection from an old one through system restore.

  • If you use IE, I recommend updating at least to Internet Explorer 7, as it has more functionality and is much safer.

  • I recommend using Site Advisor for safe surfing. It is a free extension for both Internet Explorer and Firefox. When you search for a site, it gives you an indication of how safe the site is.
Happy Surfing!

#11 Farbar

    Just Curious

  • Security Developer
  • 21,688 posts
  • Gender:Male
  • Location:The Netherlands

Posted 03 July 2009 - 11:17 AM

This thread will now be closed since the issue seems to be resolved.

If you need this topic reopened, please send me a PM and I will reopen it for you.

If you should have a new issue, please start a new topic.
