Restore & SafeMode gone, Nothing finds this ....?


This topic is locked
23 replies to this topic

#1 bfann
Posted 30 June 2009 - 12:02 AM

I try to keep everything updated, use AV, FW, use a limited acct when possible, and the minute I forget and go online under an admin acct... BAM! I've tried Kaspersky, AVG, Avast, EAV, S & D, and (careful not to have conflicts, using the firewalls separately, of course) Outpost, PCToolsFW, Zone Alarm, Filseclab -- I feel like the Windows FW is saying, "Hello! Come on in!" when I use it, lol, so I've tried paying for PC-cillin Suite, Nortons, to no avail. NOT ONE resisted this same thing happening.
I've re-formatted at least 6 times and the MFG did once, replaced my HD, reimaged; this time it took less than 4 months for this to happen again.

Is it possible to have a BIOS virus or tag that alerts someone or something online to attack me?

I'm running HP XP Media Ctr, laptop, wireless, DSL, and past that I don't know what else to say. I try to be diligent and scan everything I download (knowingly) and run scans regularly, also online. A few "trojan-gen" were found with Avast, a few cookies, and ONE of these progs found something that had to do with Win32restore (I've forgotten which).
If I rearrange icons on the desktop, for example, on a reboot they are back to the previous arrangement. (hidden restore?)

*I*, however, cannot restore. BUT! I NOW can do a safe boot thanks to SuperAntispyware!
I have AVG resident Anti-spyware (I ran it in Safe Mode, nothing found); I run SuperAntiSpyware independently and offline.

I really need help before I slam this computer against the wall...
(not really... I can't afford another one...)

THANKS for any help!

Here's the first DDS file:

____________________________________________________________________

DDS (Ver_09-06-26.01) - NTFSx86
Run by BrightFuture at 0:05:21.43 on Tue 06/30/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_14
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1983.1289 [GMT -4:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Outdated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: Outpost Firewall *enabled* {8A20CA2A-9E02-4A64-923B-0A38208EB7FD}

============== Running Processes ===============

svchost.exe
svchost.exe
svchost.exe
svchost.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\BrightFuture\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://my.att.net/
uSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=pavilion&pf=laptop
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=pavilion&pf=laptop
mSearchAssistant =
uURLSearchHooks: H - No File
BHO: KeyScramblerBHO Class: {2b9f5787-88a5-4945-90e7-c4b18563bc5e} - c:\program files\keyscrambler\KeyScramblerIE.dll
BHO: RadarSync Toolbar: {399d96ca-6f9a-4fff-95fe-284e45ebb935} - c:\program files\radarsync\tbRada.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
TB: RadarSync Toolbar: {399d96ca-6f9a-4fff-95fe-284e45ebb935} - c:\program files\radarsync\tbRada.dll
TB: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
TB: {3041D03E-FD4B-44E0-B742-2D9B88305F98} - No File
TB: {AD55C869-668E-457C-B270-0CFB2F61116F} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [WinPatrol] c:\program files\billp studios\winpatrol\winpatrol.exe -expressboot
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [OutpostMonitor] c:\progra~1\agnitum\outpos~1\op_mon.exe /tray /noservice
mRun: [OutpostFeedBack] "c:\program files\agnitum\outpost firewall\feedback.exe" /dump:os_startup
dPolicies-explorer: NoSMMyDocs = 1 (0x1)
dPolicies-explorer: NoRecentDocsNetHood = 1 (0x1)
IE: Download all with Free Download Manager - file://c:\program files\free download manager\dlall.htm
IE: Download selected with Free Download Manager - file://c:\program files\free download manager\dlselected.htm
IE: Download video with Free Download Manager - file://c:\program files\free download manager\dlfvideo.htm
IE: Download with Free Download Manager - file://c:\program files\free download manager\dllink.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: {53F6FCCD-9E22-4d71-86EA-6E43136192AB}
IE: {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe
IE: {925DAB62-F9AC-4221-806A-057BFB1014AA}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {5C106A59-CC3C-4caa-81A4-6D909B5ACE23} - {B745F984-EF2E-40D6-A9AC-D8CED7230E61} - c:\program files\keyscrambler\KeyScramblerIE.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {49232000-16E4-426C-A231-62846947304B} - hxxps://wimpro.cce.hp.com/ChatEntry/downloads/sysinfo.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1233952827921
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1233953831906
DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} - hxxp://www.worldwinner.com/games/shared/wwlaunch.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: avgrsstarter - avgrsstx.dll
AppInit_DLLs: c:\progra~1\agnitum\outpos~1\wl_hook.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: {4F07DA45-8170-4859-9B5F-037EF2970034} - No File
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\bright~1\applic~1\mozilla\firefox\profiles\lwwyzzc3.default\
FF - component: c:\documents and settings\brightfuture\application data\mozilla\firefox\profiles\lwwyzzc3.default\extensions\keyscrambler@qfx.software.corporation\components\KeyScramblerIE.dll
FF - component: c:\documents and settings\brightfuture\application data\mozilla\firefox\profiles\lwwyzzc3.default\extensions\piclens@cooliris.com\components\coolirisstub.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\mozilla firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\mozilla firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");

============= SERVICES / DRIVERS ===============

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2009-4-21 28544]
R0 phooks;phooks;c:\windows\system32\drivers\phooks.sys [2009-5-27 23552]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-6-29 325896]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-6-29 27784]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-6-29 108552]
R1 SandBox;SandBox;c:\windows\system32\drivers\SandBox.sys [2009-6-29 704384]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-5-26 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-5-26 72944]
R1 StarPortLite;StarPort Storage Controller (Lite);c:\windows\system32\drivers\StarPortLite.sys [2009-5-30 95592]
R2 acssrv;Agnitum Client Security Service;c:\progra~1\agnitum\outpos~1\acs.exe [2009-6-29 1195008]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2009-6-29 908568]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-6-29 298776]
R3 afw;Agnitum firewall driver;c:\windows\system32\drivers\afw.sys [2009-6-29 31128]
R3 afwcore;afwcore;c:\windows\system32\drivers\afwcore.sys [2009-6-29 257432]
R3 KeyScrambler;KeyScrambler;c:\windows\system32\drivers\keyscrambler.sys [2009-6-20 114024]
S3 cpuz128;cpuz128;\??\c:\docume~1\user\locals~1\temp\cpuz_x32.sys --> c:\docume~1\user\locals~1\temp\cpuz_x32.sys [?]
S3 KernlProD;KernlProD;\??\c:\windows\system32\ntkrlmon.sys --> c:\windows\system32\ntkrlmon.sys [?]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\3.tmp --> c:\windows\system32\3.tmp [?]
S3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [2009-3-24 7808]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-5-26 7408]
S4 getPlus® Helper;getPlus® Helper;c:\program files\nos\bin\getPlus_HelperSvc.exe [2009-5-26 33176]
S4 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-6 99328]

=============== Created Last 30 ================

2009-06-29 23:36 <DIR> --d----- c:\docume~1\bright~1\applic~1\AVGTOOLBAR
2009-06-29 21:21 <DIR> --d----- c:\program files\Free Internet Window Washer
2009-06-29 20:30 704,384 a------- c:\windows\system32\drivers\SandBox.sys
2009-06-29 20:30 257,432 a------- c:\windows\system32\drivers\afwcore.sys
2009-06-29 20:29 49 a------- c:\windows\transp.gif
2009-06-29 20:29 31,128 a------- c:\windows\system32\drivers\afw.sys
2009-06-29 20:29 <DIR> --d----- c:\program files\Agnitum
2009-06-29 20:09 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-06-29 20:09 108,552 a------- c:\windows\system32\drivers\avgtdix.sys
2009-06-29 20:09 325,896 a------- c:\windows\system32\drivers\avgldx86.sys
2009-06-29 20:09 <DIR> --d----- c:\windows\system32\drivers\Avg
2009-06-29 20:09 <DIR> --d----- c:\program files\AVG
2009-06-29 20:09 <DIR> --d----- c:\docume~1\alluse~1\applic~1\avg8
2009-06-29 19:38 <DIR> --d----- c:\program files\RadarSync
2009-06-29 19:36 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Agnitum
2009-06-29 19:29 <DIR> --d----- c:\program files\common files\PC Tools
2009-06-29 17:27 <DIR> --d----- c:\program files\EASEUS
2009-06-29 16:19 8,704 a------- c:\windows\system32\kbdjpn.dll
2009-06-29 16:19 8,192 a------- c:\windows\system32\kbdkor.dll
2009-06-29 16:19 6,144 a------- c:\windows\system32\kbd101c.dll
2009-06-29 16:19 5,632 a------- c:\windows\system32\kbd103.dll
2009-06-29 16:19 6,144 a------- c:\windows\system32\kbd106.dll
2009-06-29 16:19 6,144 a------- c:\windows\system32\kbd101b.dll
2009-06-29 13:16 <DIR> --d----- c:\program files\EAV Antivirus Suite
2009-06-28 23:04 <DIR> --d----- c:\docume~1\bright~1\applic~1\PCToolsFirewallPlus
2009-06-28 18:47 <DIR> --d----- c:\program files\common files\TiVo Shared
2009-06-24 16:54 <DIR> --d----- c:\program files\WebSite X5 Smart
2009-06-24 16:54 29,696 a------- c:\windows\system32\VB5STKIT.DLL
2009-06-24 16:54 185,344 a------- c:\windows\system32\iwpsetup.exe
2009-06-23 17:15 <DIR> --d----- c:\docume~1\bright~1\applic~1\SUPERAntiSpyware.com
2009-06-23 17:13 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-06-23 17:12 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-06-23 17:11 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2009-06-23 16:55 <DIR> --d----- c:\program files\Sophos
2009-06-23 11:16 3,715,104 a--sh--- c:\windows\system32\drivers\fidbox.dat
2009-06-23 11:16 44,612 a--sh--- c:\windows\system32\drivers\fidbox.idx
2009-06-22 21:32 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-22 21:32 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-06-22 21:32 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-06-22 00:48 475,136 a------- c:\windows\system32\NCTAudioVisualizationEx2.dll
2009-06-22 00:48 417,792 a------- c:\windows\system32\NCTTextToAudio2.dll
2009-06-22 00:48 <DIR> --d----- c:\program files\Audio Recorder Titanium
2009-06-21 02:09 <DIR> --d----- c:\docume~1\bright~1\applic~1\Malwarebytes
2009-06-20 18:06 <DIR> --d----- c:\program files\3D Image Commander
2009-06-20 17:58 <DIR> --d----- c:\docume~1\bright~1\applic~1\WinPatrol
2009-06-20 14:38 <DIR> --d----- c:\docume~1\bright~1\applic~1\BitDefender
2009-06-20 12:28 <DIR> --d----- c:\program files\BillP Studios
2009-06-20 00:32 114,024 a------- c:\windows\system32\drivers\keyscrambler.sys
2009-06-20 00:32 <DIR> --d----- c:\program files\KeyScrambler
2009-06-19 23:40 <DIR> --d----- c:\windows\system32\Adobe
2009-06-19 21:51 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-06-19 19:18 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-06-19 18:54 <DIR> --d----- c:\program files\Trend Micro
2009-06-19 17:40 555 a------- c:\windows\system32\BDUpdateV1.xml
2009-06-19 15:37 4,100,775 a------- c:\windows\pfirewall.log.old
2009-06-19 15:32 81,984 a------- c:\windows\system32\bdod.bin
2009-06-19 15:13 <DIR> --d----- c:\docume~1\alluse~1\applic~1\BitDefender
2009-06-19 14:48 <DIR> --d----- c:\program files\common files\BitDefender
2009-06-15 23:27 <DIR> --d----- c:\program files\Conduit
2009-06-15 23:13 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Azureus
2009-06-14 06:33 <DIR> --d----- c:\program files\Extra Screen Capture Pro
2009-06-12 18:50 406 a------- c:\windows\system32\ioloBootDefrag.cfg
2009-06-12 18:50 <DIR> --d----- c:\docume~1\alluse~1\applic~1\iolo
2009-06-12 11:07 <DIR> --d----- c:\program files\filehippo.com
2009-06-04 01:45 2,084,864 a------- c:\windows\system32\NCTAudioDesign2.dll
2009-06-04 01:45 1,986,560 a------- c:\windows\system32\NCTAudioFile2.dll
2009-06-04 01:45 1,212,416 a------- c:\windows\system32\NCTAudioInformation2.dll
2009-06-04 01:45 880,640 a------- c:\windows\system32\NCTAudioEditor2.dll
2009-06-04 01:45 835,584 a------- c:\windows\system32\NCTAudioCDGrabber2.dll
2009-06-04 01:45 602,112 a------- c:\windows\system32\NCTAudioTransform2.dll
2009-06-04 01:45 479,232 a------- c:\windows\system32\NCTAudioVisualization2.dll
2009-06-04 01:45 458,752 a------- c:\windows\system32\NCTAudioRecord2.dll
2009-06-04 01:45 458,752 a------- c:\windows\system32\NCTAudioPlayer2.dll
2009-06-04 01:45 417,792 a------- c:\windows\system32\NCTAudioDisplay2.dll
2009-06-04 01:45 348,160 a------- c:\windows\system32\NCTWMAFile2.dll
2009-06-04 01:45 113,486 a------- c:\windows\system32\NCTWMAProfiles.prx
2009-06-04 01:45 <DIR> --d----- c:\program files\Mp3 Music Editor
2009-06-03 23:55 3,455 a------- c:\windows\RECVCALL.INI
2009-06-03 17:55 498 a------- c:\windows\system32\Compress.res
2009-06-03 17:55 230 a------- c:\windows\reimage.ini
2009-06-03 17:55 <DIR> --d----- C:\ReimageTmp
2009-06-03 17:54 <DIR> --d----- c:\program files\Reimage
2009-05-31 10:11 <DIR> --d----- c:\docume~1\bright~1\applic~1\SumatraPDF

==================== Find3M ====================

2009-06-19 23:08 410,984 a------- c:\windows\system32\deploytk.dll
2009-05-30 00:10 721,904 a------- c:\windows\system32\drivers\sptd.sys
2009-05-27 18:15 4,212 a---h--- c:\windows\system32\zllictbl.dat
2009-05-27 10:28 23,552 a------- c:\windows\system32\drivers\phooks.sys
2009-05-25 00:24 350,208 -------- c:\windows\system32\mssph.dll
2009-05-19 09:05 1,380,403 a------- c:\windows\system32\avgsdk.dll
2009-05-13 01:15 915,456 a------- c:\windows\system32\wininet.dll
2009-05-12 15:12 26,144 a------- c:\windows\system32\spupdsvc.exe
2009-05-07 11:32 345,600 a------- c:\windows\system32\localspl.dll
2009-04-24 19:26 710 a------- c:\docume~1\bright~1\applic~1\wklnhst.dat
2009-04-17 08:26 1,847,168 a------- c:\windows\system32\win32k.sys
2009-04-15 10:51 585,216 a------- c:\windows\system32\rpcrt4.dll

============= FINISH: 0:05:50.09 ===============



I also have HJT, MalwareBytes, and S&D reports. I haven't done the Kasp. yet.


Attached File: Attach.txt (9.88KB, 13 downloads)


#2 myrti
Posted 03 July 2009 - 08:03 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not, please perform the steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below, another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks, and again, sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed; the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

regards _temp_

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!


#3 bfann

Posted 03 July 2009 - 10:45 PM

Hello, temp ~~

Thanks so much for your reply.

Here are the text files saved after running DDS.scr and DDS.pif.



DDS(scr) file:
(begin)




DDS (Ver_09-06-26.01) - NTFSx86
Run by BrightFuture at 23:17:54.62 on Fri 07/03/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_14
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1983.1428 [GMT -4:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: Outpost Firewall *disabled* {8A20CA2A-9E02-4A64-923B-0A38208EB7FD}

============== Running Processes ===============

svchost.exe
svchost.exe
svchost.exe
svchost.exe
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\BrightFuture\Desktop\DOWNLOADS\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://my.att.net/
uSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=pavilion&pf=laptop
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=pavilion&pf=laptop
mSearchAssistant =
uURLSearchHooks: H - No File
mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
BHO: KeyScramblerBHO Class: {2b9f5787-88a5-4945-90e7-c4b18563bc5e} - c:\program files\keyscrambler\KeyScramblerIE.dll
BHO: RadarSync Toolbar: {399d96ca-6f9a-4fff-95fe-284e45ebb935} - c:\program files\radarsync\tbRada.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
TB: RadarSync Toolbar: {399d96ca-6f9a-4fff-95fe-284e45ebb935} - c:\program files\radarsync\tbRada.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
TB: {3041D03E-FD4B-44E0-B742-2D9B88305F98} - No File
TB: {AD55C869-668E-457C-B270-0CFB2F61116F} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [WinPatrol] c:\program files\billp studios\winpatrol\winpatrol.exe -expressboot
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [OutpostMonitor] c:\progra~1\agnitum\outpos~1\op_mon.exe /tray /noservice
mRun: [OutpostFeedBack] "c:\program files\agnitum\outpost firewall\feedback.exe" /dump:os_startup
dPolicies-explorer: NoSMMyDocs = 1 (0x1)
dPolicies-explorer: NoRecentDocsNetHood = 1 (0x1)
IE: Download all with Free Download Manager - file://c:\program files\free download manager\dlall.htm
IE: Download selected with Free Download Manager - file://c:\program files\free download manager\dlselected.htm
IE: Download video with Free Download Manager - file://c:\program files\free download manager\dlfvideo.htm
IE: Download with Free Download Manager - file://c:\program files\free download manager\dllink.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: {53F6FCCD-9E22-4d71-86EA-6E43136192AB}
IE: {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe
IE: {925DAB62-F9AC-4221-806A-057BFB1014AA}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {5C106A59-CC3C-4caa-81A4-6D909B5ACE23} - {B745F984-EF2E-40D6-A9AC-D8CED7230E61} - c:\program files\keyscrambler\KeyScramblerIE.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {49232000-16E4-426C-A231-62846947304B} - hxxps://wimpro.cce.hp.com/ChatEntry/downloads/sysinfo.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1233952827921
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1233953831906
DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} - hxxp://www.worldwinner.com/games/shared/wwlaunch.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: avgrsstarter - avgrsstx.dll
AppInit_DLLs: c:\progra~1\agnitum\outpos~1\wl_hook.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: {4F07DA45-8170-4859-9B5F-037EF2970034} - No File
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\bright~1\applic~1\mozilla\firefox\profiles\lwwyzzc3.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo! Search
FF - prefs.js: keyword.URL - hxxp://us.yhs.search.yahoo.com/avg/search?fr=yhs-avg&type=yahoo_avg_hs2-tb-web_us&p=
FF - component: c:\documents and settings\brightfuture\application data\mozilla\firefox\profiles\lwwyzzc3.default\extensions\keyscrambler@qfx.software.corporation\components\KeyScramblerIE.dll
FF - component: c:\documents and settings\brightfuture\application data\mozilla\firefox\profiles\lwwyzzc3.default\extensions\piclens@cooliris.com\components\coolirisstub.dll
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - component: c:\program files\avg\avg8\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
FF - component: c:\program files\avg\avg8\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\avg\avg8\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\avg\avg8\toolbar\firefox\avg@igeared\components\xpavgtbapi.dll
FF - plugin: c:\documents and settings\brightfuture\application data\mozilla\plugins\npcoolirisplugin.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\mozilla firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\mozilla firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");

============= SERVICES / DRIVERS ===============

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2009-4-21 28544]
R0 phooks;phooks;c:\windows\system32\drivers\phooks.sys [2009-5-27 23552]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-6-29 327688]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-6-29 27784]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-6-29 108552]
R1 SandBox;SandBox;c:\windows\system32\drivers\SandBox.sys [2009-6-29 704384]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-5-26 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-5-26 72944]
R1 StarPortLite;StarPort Storage Controller (Lite);c:\windows\system32\drivers\StarPortLite.sys [2009-5-30 95592]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2009-6-29 906520]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-6-29 298776]
R3 afw;Agnitum firewall driver;c:\windows\system32\drivers\afw.sys [2009-6-29 31128]
R3 afwcore;afwcore;c:\windows\system32\drivers\afwcore.sys [2009-6-29 257432]
R3 KeyScrambler;KeyScrambler;c:\windows\system32\drivers\keyscrambler.sys [2009-6-20 114024]
S2 acssrv;Agnitum Client Security Service;c:\progra~1\agnitum\outpos~1\acs.exe [2009-6-29 1195008]
S3 cpuz128;cpuz128;\??\c:\docume~1\user\locals~1\temp\cpuz_x32.sys --> c:\docume~1\user\locals~1\temp\cpuz_x32.sys [?]
S3 KernlProD;KernlProD;\??\c:\windows\system32\ntkrlmon.sys --> c:\windows\system32\ntkrlmon.sys [?]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\3.tmp --> c:\windows\system32\3.tmp [?]
S3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [2009-3-24 7808]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-5-26 7408]
S4 getPlus® Helper;getPlus® Helper;c:\program files\nos\bin\getPlus_HelperSvc.exe [2009-5-26 33176]
S4 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-6 99328]

=============== Created Last 30 ================

2009-07-03 12:51 <DIR> --d----- C:\PDFZilla
2009-07-03 09:53 <DIR> --d----- c:\docume~1\alluse~1\applic~1\AVG Security Toolbar
2009-07-01 15:48 <DIR> --d----- c:\docume~1\bright~1\applic~1\.clamwin
2009-07-01 15:47 <DIR> --d----- c:\program files\ClamWin
2009-07-01 15:47 <DIR> --d----- c:\documents and settings\all users\.clamwin
2009-06-29 23:36 <DIR> --d----- c:\docume~1\bright~1\applic~1\AVGTOOLBAR
2009-06-29 21:21 <DIR> --d----- c:\program files\Free Internet Window Washer
2009-06-29 20:30 704,384 a------- c:\windows\system32\drivers\SandBox.sys
2009-06-29 20:30 257,432 a------- c:\windows\system32\drivers\afwcore.sys
2009-06-29 20:29 49 a------- c:\windows\transp.gif
2009-06-29 20:29 31,128 a------- c:\windows\system32\drivers\afw.sys
2009-06-29 20:29 <DIR> --d----- c:\program files\Agnitum
2009-06-29 20:09 11,952 a------- c:\windows\system32\avgrsstx.dll.old
2009-06-29 20:09 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-06-29 20:09 108,552 a------- c:\windows\system32\drivers\avgtdix.sys
2009-06-29 20:09 327,688 a------- c:\windows\system32\drivers\avgldx86.sys
2009-06-29 20:09 <DIR> --d----- c:\windows\system32\drivers\Avg
2009-06-29 20:09 <DIR> --d----- c:\program files\AVG
2009-06-29 20:09 <DIR> --d----- c:\docume~1\alluse~1\applic~1\avg8
2009-06-29 19:38 <DIR> --d----- c:\program files\RadarSync
2009-06-29 19:36 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Agnitum
2009-06-29 19:29 <DIR> --d----- c:\program files\common files\PC Tools
2009-06-29 17:27 <DIR> --d----- c:\program files\EASEUS
2009-06-29 16:19 8,704 a------- c:\windows\system32\kbdjpn.dll
2009-06-29 16:19 8,192 a------- c:\windows\system32\kbdkor.dll
2009-06-29 16:19 6,144 a------- c:\windows\system32\kbd101c.dll
2009-06-29 16:19 5,632 a------- c:\windows\system32\kbd103.dll
2009-06-29 16:19 6,144 a------- c:\windows\system32\kbd106.dll
2009-06-29 16:19 6,144 a------- c:\windows\system32\kbd101b.dll
2009-06-29 13:16 <DIR> --d----- c:\program files\EAV Antivirus Suite
2009-06-28 23:04 <DIR> --d----- c:\docume~1\bright~1\applic~1\PCToolsFirewallPlus
2009-06-28 18:47 <DIR> --d----- c:\program files\common files\TiVo Shared
2009-06-24 16:54 <DIR> --d----- c:\program files\WebSite X5 Smart
2009-06-24 16:54 29,696 a------- c:\windows\system32\VB5STKIT.DLL
2009-06-24 16:54 185,344 a------- c:\windows\system32\iwpsetup.exe
2009-06-23 17:15 <DIR> --d----- c:\docume~1\bright~1\applic~1\SUPERAntiSpyware.com
2009-06-23 17:13 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-06-23 17:12 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-06-23 17:11 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2009-06-23 16:55 <DIR> --d----- c:\program files\Sophos
2009-06-23 11:16 3,715,104 a--sh--- c:\windows\system32\drivers\fidbox.dat
2009-06-23 11:16 44,612 a--sh--- c:\windows\system32\drivers\fidbox.idx
2009-06-22 21:32 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-22 21:32 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-06-22 21:32 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-06-22 00:48 475,136 a------- c:\windows\system32\NCTAudioVisualizationEx2.dll
2009-06-22 00:48 417,792 a------- c:\windows\system32\NCTTextToAudio2.dll
2009-06-22 00:48 <DIR> --d----- c:\program files\Audio Recorder Titanium
2009-06-21 02:09 <DIR> --d----- c:\docume~1\bright~1\applic~1\Malwarebytes
2009-06-20 18:06 <DIR> --d----- c:\program files\3D Image Commander
2009-06-20 17:58 <DIR> --d----- c:\docume~1\bright~1\applic~1\WinPatrol
2009-06-20 14:38 <DIR> --d----- c:\docume~1\bright~1\applic~1\BitDefender
2009-06-20 12:28 <DIR> --d----- c:\program files\BillP Studios
2009-06-20 00:32 114,024 a------- c:\windows\system32\drivers\keyscrambler.sys
2009-06-20 00:32 <DIR> --d----- c:\program files\KeyScrambler
2009-06-19 23:40 <DIR> --d----- c:\windows\system32\Adobe
2009-06-19 21:51 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-06-19 19:18 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-06-19 18:54 <DIR> --d----- c:\program files\Trend Micro
2009-06-19 17:40 555 a------- c:\windows\system32\BDUpdateV1.xml
2009-06-19 15:37 4,100,775 a------- c:\windows\pfirewall.log.old
2009-06-19 15:32 81,984 a------- c:\windows\system32\bdod.bin
2009-06-19 15:13 <DIR> --d----- c:\docume~1\alluse~1\applic~1\BitDefender
2009-06-19 14:48 <DIR> --d----- c:\program files\common files\BitDefender
2009-06-15 23:27 <DIR> --d----- c:\program files\Conduit
2009-06-15 23:13 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Azureus
2009-06-14 06:33 <DIR> --d----- c:\program files\Extra Screen Capture Pro
2009-06-12 18:50 406 a------- c:\windows\system32\ioloBootDefrag.cfg
2009-06-12 18:50 <DIR> --d----- c:\docume~1\alluse~1\applic~1\iolo
2009-06-12 11:07 <DIR> --d----- c:\program files\filehippo.com
2009-06-04 01:45 2,084,864 a------- c:\windows\system32\NCTAudioDesign2.dll
2009-06-04 01:45 1,986,560 a------- c:\windows\system32\NCTAudioFile2.dll
2009-06-04 01:45 1,212,416 a------- c:\windows\system32\NCTAudioInformation2.dll
2009-06-04 01:45 880,640 a------- c:\windows\system32\NCTAudioEditor2.dll
2009-06-04 01:45 835,584 a------- c:\windows\system32\NCTAudioCDGrabber2.dll
2009-06-04 01:45 602,112 a------- c:\windows\system32\NCTAudioTransform2.dll
2009-06-04 01:45 479,232 a------- c:\windows\system32\NCTAudioVisualization2.dll
2009-06-04 01:45 458,752 a------- c:\windows\system32\NCTAudioRecord2.dll
2009-06-04 01:45 458,752 a------- c:\windows\system32\NCTAudioPlayer2.dll
2009-06-04 01:45 417,792 a------- c:\windows\system32\NCTAudioDisplay2.dll
2009-06-04 01:45 348,160 a------- c:\windows\system32\NCTWMAFile2.dll
2009-06-04 01:45 113,486 a------- c:\windows\system32\NCTWMAProfiles.prx
2009-06-04 01:45 <DIR> --d----- c:\program files\Mp3 Music Editor
2009-06-03 23:55 3,455 a------- c:\windows\RECVCALL.INI

==================== Find3M ====================

2009-06-19 23:08 410,984 a------- c:\windows\system32\deploytk.dll
2009-05-30 00:10 721,904 a------- c:\windows\system32\drivers\sptd.sys
2009-05-27 18:15 4,212 a---h--- c:\windows\system32\zllictbl.dat
2009-05-27 10:28 23,552 a------- c:\windows\system32\drivers\phooks.sys
2009-05-25 00:24 350,208 -------- c:\windows\system32\mssph.dll
2009-05-19 09:05 1,380,403 a------- c:\windows\system32\avgsdk.dll
2009-05-13 01:15 915,456 a------- c:\windows\system32\wininet.dll
2009-05-12 15:12 26,144 a------- c:\windows\system32\spupdsvc.exe
2009-05-07 11:32 345,600 a------- c:\windows\system32\localspl.dll
2009-04-24 19:26 710 a------- c:\docume~1\bright~1\applic~1\wklnhst.dat
2009-04-17 08:26 1,847,168 a------- c:\windows\system32\win32k.sys
2009-04-15 10:51 585,216 a------- c:\windows\system32\rpcrt4.dll

============= FINISH: 23:18:20.71 ===============

The DDS PIF file:


DDS (Ver_09-06-26.01) - NTFSx86
Run by BrightFuture at 23:16:44.65 on Fri 07/03/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_14
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1983.1318 [GMT -4:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: Outpost Firewall *disabled* {8A20CA2A-9E02-4A64-923B-0A38208EB7FD}

============== Running Processes ===============

svchost.exe
svchost.exe
svchost.exe
svchost.exe
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\BrightFuture\Desktop\DOWNLOADS\dds.pif

============== Pseudo HJT Report ===============

uStart Page = hxxp://my.att.net/
uSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=pavilion&pf=laptop
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=pavilion&pf=laptop
mSearchAssistant =
uURLSearchHooks: H - No File
mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
BHO: KeyScramblerBHO Class: {2b9f5787-88a5-4945-90e7-c4b18563bc5e} - c:\program files\keyscrambler\KeyScramblerIE.dll
BHO: RadarSync Toolbar: {399d96ca-6f9a-4fff-95fe-284e45ebb935} - c:\program files\radarsync\tbRada.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
TB: RadarSync Toolbar: {399d96ca-6f9a-4fff-95fe-284e45ebb935} - c:\program files\radarsync\tbRada.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
TB: {3041D03E-FD4B-44E0-B742-2D9B88305F98} - No File
TB: {AD55C869-668E-457C-B270-0CFB2F61116F} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [WinPatrol] c:\program files\billp studios\winpatrol\winpatrol.exe -expressboot
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [OutpostMonitor] c:\progra~1\agnitum\outpos~1\op_mon.exe /tray /noservice
mRun: [OutpostFeedBack] "c:\program files\agnitum\outpost firewall\feedback.exe" /dump:os_startup
dPolicies-explorer: NoSMMyDocs = 1 (0x1)
dPolicies-explorer: NoRecentDocsNetHood = 1 (0x1)
IE: Download all with Free Download Manager - file://c:\program files\free download manager\dlall.htm
IE: Download selected with Free Download Manager - file://c:\program files\free download manager\dlselected.htm
IE: Download video with Free Download Manager - file://c:\program files\free download manager\dlfvideo.htm
IE: Download with Free Download Manager - file://c:\program files\free download manager\dllink.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: {53F6FCCD-9E22-4d71-86EA-6E43136192AB}
IE: {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe
IE: {925DAB62-F9AC-4221-806A-057BFB1014AA}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {5C106A59-CC3C-4caa-81A4-6D909B5ACE23} - {B745F984-EF2E-40D6-A9AC-D8CED7230E61} - c:\program files\keyscrambler\KeyScramblerIE.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {49232000-16E4-426C-A231-62846947304B} - hxxps://wimpro.cce.hp.com/ChatEntry/downloads/sysinfo.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1233952827921
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1233953831906
DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} - hxxp://www.worldwinner.com/games/shared/wwlaunch.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: avgrsstarter - avgrsstx.dll
AppInit_DLLs: c:\progra~1\agnitum\outpos~1\wl_hook.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: {4F07DA45-8170-4859-9B5F-037EF2970034} - No File
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\bright~1\applic~1\mozilla\firefox\profiles\lwwyzzc3.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo! Search
FF - prefs.js: keyword.URL - hxxp://us.yhs.search.yahoo.com/avg/search?fr=yhs-avg&type=yahoo_avg_hs2-tb-web_us&p=
FF - component: c:\documents and settings\brightfuture\application data\mozilla\firefox\profiles\lwwyzzc3.default\extensions\keyscrambler@qfx.software.corporation\components\KeyScramblerIE.dll
FF - component: c:\documents and settings\brightfuture\application data\mozilla\firefox\profiles\lwwyzzc3.default\extensions\piclens@cooliris.com\components\coolirisstub.dll
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - component: c:\program files\avg\avg8\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
FF - component: c:\program files\avg\avg8\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\avg\avg8\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\avg\avg8\toolbar\firefox\avg@igeared\components\xpavgtbapi.dll
FF - plugin: c:\documents and settings\brightfuture\application data\mozilla\plugins\npcoolirisplugin.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\mozilla firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\mozilla firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");

============= SERVICES / DRIVERS ===============

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2009-4-21 28544]
R0 phooks;phooks;c:\windows\system32\drivers\phooks.sys [2009-5-27 23552]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-6-29 327688]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-6-29 27784]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-6-29 108552]
R1 SandBox;SandBox;c:\windows\system32\drivers\SandBox.sys [2009-6-29 704384]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-5-26 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-5-26 72944]
R1 StarPortLite;StarPort Storage Controller (Lite);c:\windows\system32\drivers\StarPortLite.sys [2009-5-30 95592]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2009-6-29 906520]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-6-29 298776]
R3 afw;Agnitum firewall driver;c:\windows\system32\drivers\afw.sys [2009-6-29 31128]
R3 afwcore;afwcore;c:\windows\system32\drivers\afwcore.sys [2009-6-29 257432]
R3 KeyScrambler;KeyScrambler;c:\windows\system32\drivers\keyscrambler.sys [2009-6-20 114024]
S2 acssrv;Agnitum Client Security Service;c:\progra~1\agnitum\outpos~1\acs.exe [2009-6-29 1195008]
S3 cpuz128;cpuz128;\??\c:\docume~1\user\locals~1\temp\cpuz_x32.sys --> c:\docume~1\user\locals~1\temp\cpuz_x32.sys [?]
S3 KernlProD;KernlProD;\??\c:\windows\system32\ntkrlmon.sys --> c:\windows\system32\ntkrlmon.sys [?]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\3.tmp --> c:\windows\system32\3.tmp [?]
S3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [2009-3-24 7808]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-5-26 7408]
S4 getPlus® Helper;getPlus® Helper;c:\program files\nos\bin\getPlus_HelperSvc.exe [2009-5-26 33176]
S4 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-6 99328]

=============== Created Last 30 ================

2009-07-03 12:51 <DIR> --d----- C:\PDFZilla
2009-07-03 09:53 <DIR> --d----- c:\docume~1\alluse~1\applic~1\AVG Security Toolbar
2009-07-01 15:48 <DIR> --d----- c:\docume~1\bright~1\applic~1\.clamwin
2009-07-01 15:47 <DIR> --d----- c:\program files\ClamWin
2009-07-01 15:47 <DIR> --d----- c:\documents and settings\all users\.clamwin
2009-06-29 23:36 <DIR> --d----- c:\docume~1\bright~1\applic~1\AVGTOOLBAR
2009-06-29 21:21 <DIR> --d----- c:\program files\Free Internet Window Washer
2009-06-29 20:30 704,384 a------- c:\windows\system32\drivers\SandBox.sys
2009-06-29 20:30 257,432 a------- c:\windows\system32\drivers\afwcore.sys
2009-06-29 20:29 49 a------- c:\windows\transp.gif
2009-06-29 20:29 31,128 a------- c:\windows\system32\drivers\afw.sys
2009-06-29 20:29 <DIR> --d----- c:\program files\Agnitum
2009-06-29 20:09 11,952 a------- c:\windows\system32\avgrsstx.dll.old
2009-06-29 20:09 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-06-29 20:09 108,552 a------- c:\windows\system32\drivers\avgtdix.sys
2009-06-29 20:09 327,688 a------- c:\windows\system32\drivers\avgldx86.sys
2009-06-29 20:09 <DIR> --d----- c:\windows\system32\drivers\Avg
2009-06-29 20:09 <DIR> --d----- c:\program files\AVG
2009-06-29 20:09 <DIR> --d----- c:\docume~1\alluse~1\applic~1\avg8
2009-06-29 19:38 <DIR> --d----- c:\program files\RadarSync
2009-06-29 19:36 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Agnitum
2009-06-29 19:29 <DIR> --d----- c:\program files\common files\PC Tools
2009-06-29 17:27 <DIR> --d----- c:\program files\EASEUS
2009-06-29 16:19 8,704 a------- c:\windows\system32\kbdjpn.dll
2009-06-29 16:19 8,192 a------- c:\windows\system32\kbdkor.dll
2009-06-29 16:19 6,144 a------- c:\windows\system32\kbd101c.dll
2009-06-29 16:19 5,632 a------- c:\windows\system32\kbd103.dll
2009-06-29 16:19 6,144 a------- c:\windows\system32\kbd106.dll
2009-06-29 16:19 6,144 a------- c:\windows\system32\kbd101b.dll
2009-06-29 13:16 <DIR> --d----- c:\program files\EAV Antivirus Suite
2009-06-28 23:04 <DIR> --d----- c:\docume~1\bright~1\applic~1\PCToolsFirewallPlus
2009-06-28 18:47 <DIR> --d----- c:\program files\common files\TiVo Shared
2009-06-24 16:54 <DIR> --d----- c:\program files\WebSite X5 Smart
2009-06-24 16:54 29,696 a------- c:\windows\system32\VB5STKIT.DLL
2009-06-24 16:54 185,344 a------- c:\windows\system32\iwpsetup.exe
2009-06-23 17:15 <DIR> --d----- c:\docume~1\bright~1\applic~1\SUPERAntiSpyware.com
2009-06-23 17:13 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-06-23 17:12 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-06-23 17:11 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2009-06-23 16:55 <DIR> --d----- c:\program files\Sophos
2009-06-23 11:16 3,715,104 a--sh--- c:\windows\system32\drivers\fidbox.dat
2009-06-23 11:16 44,612 a--sh--- c:\windows\system32\drivers\fidbox.idx
2009-06-22 21:32 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-22 21:32 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-06-22 21:32 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-06-22 00:48 475,136 a------- c:\windows\system32\NCTAudioVisualizationEx2.dll
2009-06-22 00:48 417,792 a------- c:\windows\system32\NCTTextToAudio2.dll
2009-06-22 00:48 <DIR> --d----- c:\program files\Audio Recorder Titanium
2009-06-21 02:09 <DIR> --d----- c:\docume~1\bright~1\applic~1\Malwarebytes
2009-06-20 18:06 <DIR> --d----- c:\program files\3D Image Commander
2009-06-20 17:58 <DIR> --d----- c:\docume~1\bright~1\applic~1\WinPatrol
2009-06-20 14:38 <DIR> --d----- c:\docume~1\bright~1\applic~1\BitDefender
2009-06-20 12:28 <DIR> --d----- c:\program files\BillP Studios
2009-06-20 00:32 114,024 a------- c:\windows\system32\drivers\keyscrambler.sys
2009-06-20 00:32 <DIR> --d----- c:\program files\KeyScrambler
2009-06-19 23:40 <DIR> --d----- c:\windows\system32\Adobe
2009-06-19 21:51 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-06-19 19:18 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-06-19 18:54 <DIR> --d----- c:\program files\Trend Micro
2009-06-19 17:40 555 a------- c:\windows\system32\BDUpdateV1.xml
2009-06-19 15:37 4,100,775 a------- c:\windows\pfirewall.log.old
2009-06-19 15:32 81,984 a------- c:\windows\system32\bdod.bin
2009-06-19 15:13 <DIR> --d----- c:\docume~1\alluse~1\applic~1\BitDefender
2009-06-19 14:48 <DIR> --d----- c:\program files\common files\BitDefender
2009-06-15 23:27 <DIR> --d----- c:\program files\Conduit
2009-06-15 23:13 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Azureus
2009-06-14 06:33 <DIR> --d----- c:\program files\Extra Screen Capture Pro
2009-06-12 18:50 406 a------- c:\windows\system32\ioloBootDefrag.cfg
2009-06-12 18:50 <DIR> --d----- c:\docume~1\alluse~1\applic~1\iolo
2009-06-12 11:07 <DIR> --d----- c:\program files\filehippo.com
2009-06-04 01:45 2,084,864 a------- c:\windows\system32\NCTAudioDesign2.dll
2009-06-04 01:45 1,986,560 a------- c:\windows\system32\NCTAudioFile2.dll
2009-06-04 01:45 1,212,416 a------- c:\windows\system32\NCTAudioInformation2.dll
2009-06-04 01:45 880,640 a------- c:\windows\system32\NCTAudioEditor2.dll
2009-06-04 01:45 835,584 a------- c:\windows\system32\NCTAudioCDGrabber2.dll
2009-06-04 01:45 602,112 a------- c:\windows\system32\NCTAudioTransform2.dll
2009-06-04 01:45 479,232 a------- c:\windows\system32\NCTAudioVisualization2.dll
2009-06-04 01:45 458,752 a------- c:\windows\system32\NCTAudioRecord2.dll
2009-06-04 01:45 458,752 a------- c:\windows\system32\NCTAudioPlayer2.dll
2009-06-04 01:45 417,792 a------- c:\windows\system32\NCTAudioDisplay2.dll
2009-06-04 01:45 348,160 a------- c:\windows\system32\NCTWMAFile2.dll
2009-06-04 01:45 113,486 a------- c:\windows\system32\NCTWMAProfiles.prx
2009-06-04 01:45 <DIR> --d----- c:\program files\Mp3 Music Editor
2009-06-03 23:55 3,455 a------- c:\windows\RECVCALL.INI

==================== Find3M ====================

2009-06-19 23:08 410,984 a------- c:\windows\system32\deploytk.dll
2009-05-30 00:10 721,904 a------- c:\windows\system32\drivers\sptd.sys
2009-05-27 18:15 4,212 a---h--- c:\windows\system32\zllictbl.dat
2009-05-27 10:28 23,552 a------- c:\windows\system32\drivers\phooks.sys
2009-05-25 00:24 350,208 -------- c:\windows\system32\mssph.dll
2009-05-19 09:05 1,380,403 a------- c:\windows\system32\avgsdk.dll
2009-05-13 01:15 915,456 a------- c:\windows\system32\wininet.dll
2009-05-12 15:12 26,144 a------- c:\windows\system32\spupdsvc.exe
2009-05-07 11:32 345,600 a------- c:\windows\system32\localspl.dll
2009-04-24 19:26 710 a------- c:\docume~1\bright~1\applic~1\wklnhst.dat
2009-04-17 08:26 1,847,168 a------- c:\windows\system32\win32k.sys
2009-04-15 10:51 585,216 a------- c:\windows\system32\rpcrt4.dll

============= FINISH: 23:17:10.76 ===============


As I said, I rarely log on under the admin acct, but rather use the limited acct "Bright Future".
This computer was imaged in Feb 09 by HP, and they named me "user" for my admin acct (not the system admin acct).
The names of the sys admin acct and my admin acct I changed to make them harder to find if I was hacked.

By the way, I noticed that this scan says "SUPERAntiSpyware" was running, yet it does NOT show up as a running process in my Task Manager or in WinPatrol.
I killed this startup after install with WinPatrol ...I thought. I don't know why it was set to run on start up...I thought I disabled that function when I installed it, to avoid conflict with AVG....dunno....

Thank you again for any help you can give me.

Bfann

Edited by bfann, 03 July 2009 - 11:01 PM.

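The DDS "Files Created" listing above, and the ComboFix listing posted later in this thread, are the raw material a helper like Farbar reads by eye. As an added example that is not part of the thread and not code from DDS or ComboFix, the script below parses both line shapes and raises the review flags a responder looks for first: kernel drivers (to be checked against their publisher), hidden+system files, executables sitting in user document folders, and files ComboFix has already renamed with its .vir quarantine suffix (that renaming convention is stated here as the script's assumption). The function names, the flag rules and the last sample line (a constructed setup.exe entry) are mine; the other sample lines are copied from the logs in this thread.

```python
"""Triage parser for the file listings DDS and ComboFix print.

Both tools emit one file per line under "Files Created"; the two line shapes
differ (DDS has one timestamp and comma-grouped sizes, ComboFix has created
and modified timestamps and a dash-padded size), so both are matched.
The flags are review hints, not verdicts: every driver gets flagged, and the
reader decides which ones belong to a product they installed.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# DDS:      2009-06-23 11:16 3,715,104 a--sh--- c:\windows\system32\drivers\fidbox.dat
# ComboFix: 2009-07-09 00:30 . 2009-07-09 00:30 56623 ----a-w- c:\windows\...\_ati1btxx.sys_.vir
_DDS = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) (<DIR>|[\d,]+) ([a-z-]{8}) (.+)$")
_CF = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. \d{4}-\d{2}-\d{2} \d{2}:\d{2} (-{8}|\d+) ([a-z-]{8}) (.+)$")

USER_DIRS = ("\\documents and settings\\", "\\docume~1\\")   # long and 8.3 forms
APPDATA = ("\\application data\\", "\\applic~1\\")


@dataclass
class Entry:
    created: str
    size: Optional[int]          # None for directories and ComboFix's "--------"
    attrs: str                   # raw attribute field; both tools use d/s/h/a letters
    path: str
    flags: List[str] = field(default_factory=list)


def parse_line(line: str) -> Optional[Entry]:
    """Return an Entry for a DDS or ComboFix listing line, None for any other line."""
    line = line.strip()
    m = _DDS.match(line)
    if m:
        created, size, attrs, path = m.groups()
        return Entry(created, None if size == "<DIR>" else int(size.replace(",", "")), attrs, path)
    m = _CF.match(line)
    if m:
        created, size, attrs, path = m.groups()
        return Entry(created, None if size.startswith("-") else int(size), attrs, path)
    return None


def flag(e: Entry) -> Entry:
    """Attach review flags to a file entry. Hints for a human, not verdicts."""
    p = e.path.lower()
    if "d" in e.attrs:                       # directories are not flagged
        return e
    if "s" in e.attrs and "h" in e.attrs:
        e.flags.append("hidden+system file")
    if p.endswith(".sys"):
        where = "in drivers dir" if "\\system32\\drivers\\" in p else "OUTSIDE drivers dir"
        e.flags.append(f"kernel driver {where}: confirm publisher and signature")
    if p.endswith(".vir"):
        # Assumption (see lead-in): ComboFix renames files it quarantines with a .vir suffix.
        e.flags.append("quarantine-renamed copy (.vir)")
    if p.endswith((".exe", ".dll", ".scr")) and any(u in p for u in USER_DIRS) \
            and not any(a in p for a in APPDATA):
        e.flags.append("executable in a user document folder")
    return e


def triage(text: str) -> List[Entry]:
    """Parse every listing line and return only the entries that earned a flag."""
    flagged = []
    for raw in text.splitlines():
        e = parse_line(raw)
        if e and flag(e).flags:
            flagged.append(e)
    return flagged


# Lines 1-7 are copied from the DDS and ComboFix logs in this thread; the last
# line is constructed (size and time made up) to exercise the user-folder rule.
SAMPLE = r"""
2009-06-23 11:16 3,715,104 a--sh--- c:\windows\system32\drivers\fidbox.dat
2009-06-22 21:32 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-06-23 17:12 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-06-24 16:54 29,696 a------- c:\windows\system32\VB5STKIT.DLL
2009-07-09 00:30 . 2009-07-09 00:30 56623 ----a-w- c:\windows\system32\drivers\_ati1btxx.sys_.vir
2009-07-04 20:38 . 2009-04-06 15:37 704384 ----a-w- c:\windows\system32\drivers\SandBox.sys
2009-06-23 15:16 . 2009-06-24 13:39 3715104 --sha-w- c:\windows\system32\drivers\fidbox.dat
2009-07-08 20:00 12,288 a------- c:\docume~1\alluse~1\documents\setup.exe
"""

if __name__ == "__main__":
    for e in triage(SAMPLE):
        print(f"{e.created}  {e.path}\n    -> {'; '.join(e.flags)}")
```

Run on the sample it flags both copies of fidbox.dat (system+hidden), the three drivers, the .vir copy and the constructed setup.exe; the directory and VB5STKIT.DLL pass silently. In this thread every flagged driver maps to a product the poster installed (Agnitum, Malwarebytes), which is exactly the check the flag asks the reader to do.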

#4 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,716 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:09:02 AM

Posted 06 July 2009 - 01:03 PM

Hi bfann,

Welcome to BC HijackThis forum. I am farbar. I am going to assist you with your problem.

Please refrain from making any changes to your system (updating Windows, installing applications, removing files, etc.) from now on as it might prolong handling your log and make the job for both of us more difficult.
  • You needed to download DDS from one of the links, not both of them. As a result you have posted the DDS log twice, and have attached two empty zipped files. No need to post any log now. You may remove one of the DDS files you have downloaded.

  • I have read your description of the issue, but apart from the word BAM and an indirect reference to hacking or attacking your computer I couldn't spot what the issue is. Could you describe the issue, please? If you believe you are hacked or attacked, please describe how you notice it and what makes you believe you are hacked or attacked.


#5 bfann

Posted 06 July 2009 - 03:05 PM

Hi farbar,

thanks for your reply...and lol about how I screwed up. I'm feeling duhher every minute ...
well it was after midnight...

I had 6 or 7 log files I had copied from Win32 that were totally bizarre and might have conveyed the problem. I had them on my desktop and the entire file labeled "odd security log files" just disappeared.
I can't possibly remember what or where they were, since everything is gone.

What USED to happen (until I started disabling them under services) was that
1. the workstation and server listings in "Services" would simply disappear, never to be found again.

2. Then "restore" would stop working.

3. Then safe mode would be unreachable. I can try to go into safe mode rebooting, clicking F8, but after the first few clicks it starts this really annoying beep like ...that's enough! lol...and it will not go into safe mode anymore.

4. Search function would not work properly.
It starts returning the message "no files found" or (something like) "file inaccessible..must be on another server or computer", but I can go in and find the file myself.

5. Then other things start appearing and disappearing on the desktop: shortcuts, text files, etc.

6. Sometime along the way the language bar (previously removed /disabled) appeared out of nowhere lower right screen with the additional option of "chinese" allowed.

7. The system admin password was changed and the boot set to the recovery partition only and couldn't be changed.
I managed to get back in and wipe that out SOMEHOW, I don't know how...I was just frustrated enough to start digging around in the guts and yanking out strange-looking files, temp files stored in random places, and when I rebooted, voila! I could access the admin account again.

I know. I was lucky.

8. Microsoft updates stop functioning. I get "cannot update." It's set to update auto but it hasn't updated in a month, I think. If I try under the admin account it fails and I can't tell heads or tails of why.

9. I really thought things since the last reformat and tightening up the security via Belarc recommendations had licked it, and then I noticed that when I arranged the desktop and shut down, the next time I booted up the desktop would be in the same disarray as BEFORE I rearranged it, with files here and there as they had looked BEFORE tidying it up. As if it was "restored" to the state it was in immediately before I logged off and shut down.

Accessing msconfig shows a blank named file in start up, or it was as of a week ago.

As to past experience:

If memory serves, eventually FFx and IE will stop working and ULTIMATELY the network icons in the taskbar disappear, my netcard is "not found" and the internet is no longer accessible to me.

I'm in the "interim" period right now, evidently. No safe mode (without the SUPERAntiSpyware safeboot utility, I could not access it).

Restore is fried. No date will restore.

I will look around in the logs and see if I can see what i copied to that "disappeared" security folder of weird logs.

There's always a possibility that the FBI caught up with me......(lol just kidding)

If any of this makes sense to you, wonderful! It makes no sense at all to me. I'm not a geek (obviously), but I wish I were.

Also, the uninstall function will eventually stop sometime or other.

It is still running as of now.

And I won't do anything else to this computer until I hear from you~
Thanks again,

Bfann

#6 Farbar

Posted 06 July 2009 - 04:05 PM

Hi again bfann,

Thank you for the detailed description. The problem is obviously serious and we have to get to the bottom of it. Whatever it is, it is not showing on the DDS log.
So before going for fixes I need some in depth information.
  • Open your Malwarebytes' Anti-Malware, first update it, run a "quick scan", let reboot if needed and copy/paste the log to your reply.

    Note: The logs are saved by default under the Logs tab. If the log did not automatically open you can obtain the latest log from there.

  • Go to start > Run copy/paste the following line in the run box and click OK.

    cmd /c (ipconfig /all&nslookup google.com&ping -n 2 google.com&route print) >log.txt&log.txt&del log.txt

    A command window opens. Wait until a log.txt file opens. Please post the content to your reply.

  • Download GMER Rootkit Scanner from here or here.
    • Extract the contents of the zipped file to desktop.
    • Temporarily disable any real-time active protection so your security program drivers will not conflict with gmer's driver.
    • Click on this link to see a list of programs that should be disabled.
    • Disconnect from the Internet and close all running programs.
    • Double click GMER.exe. If asked to allow gmer.sys driver to load, please consent .
    • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.
    • In the right panel, you will see several boxes that have been checked. Make sure the following are unchecked:
    • Sections
    • IAT/EAT
    • Drives/Partition other than C:\ drive (C:\ drive should remain checked)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to begin. (Please be patient as it can take some time to complete).
  • When the scan is finished, you will see the scan button appears again. Click Save to save the scan results to your Desktop.
  • Save the file as gmer.log and copy/paste the contents in your next reply.


#7 bfann

Posted 06 July 2009 - 07:07 PM

Hello again, farbar, and thanks for your patience.

Btw, I've noticed these 3 search programs run all the time...don't know if that's unusual or not. I don't remember seeing these running continuously in Task Manager before: SEARCHFILTERHOST.EXE, SEARCHPROTOCOLHOST.EXE, SEARCHINDEXER.EXE.

Here's the GMER scan, run after disabling AVG Resident Shield, WinPatrol, and the Agnitum FW just for good measure.


GMER 1.0.15.14972 - http://www.gmer.net
Rootkit scan 2009-07-06 19:46:26
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.15 ----

SSDT spsz.sys ZwEnumerateKey [0xF72A4DA4]
SSDT spsz.sys ZwEnumerateValueKey [0xF72A5132]
SSDT \??\C:\WINDOWS\system32\drivers\SandBox.sys (Host Protection Component/Agnitum Ltd.) ZwQueryDirectoryFile [0xF415E8A0]

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 89CEC1F8
Device \FileSystem\Fastfat \Fat 88E401F8

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device \Driver\Tcpip \Device\Ip afwcore.sys (Agnitum Firewall Core Driver/Agnitum Ltd.)

AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Device \Driver\Tcpip \Device\Tcp afwcore.sys (Agnitum Firewall Core Driver/Agnitum Ltd.)

AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Device \Driver\Tcpip \Device\Udp afwcore.sys (Agnitum Firewall Core Driver/Agnitum Ltd.)

AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Device \Driver\Tcpip \Device\RawIp afwcore.sys (Agnitum Firewall Core Driver/Agnitum Ltd.)

AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 eabfiltr.sys (QLB PS/2 Keyboard filter driver/Hewlett-Packard Development Company, L.P.)

---- EOF - GMER 1.0.15 ----





Thanks!!

Bfann

#8 Farbar

Posted 06 July 2009 - 07:19 PM

Hi bfann,

Seems you read the steps backwards.
I'm afraid we are going to do a lot of redoing. :)
Do you prefer step by step or are able to do the steps fully and in the order they are written?

#9 bfann

Posted 07 July 2009 - 02:26 PM

Sorry, Farbar, Doing too many things simultaneously.

IF I re-read correctly, I did the following (in order):

1. Updated MalwareBytes and ran Quick Scan

2. Ran the CMD scan you requested ..you did not tell me to get offline, so I was connected when it ran. If incorrect, let me know :)

3. GMER:
Disabled Resident Shield on AVG 8.5, closed WinPatrol, disabled Agnitum. ( wasn't sure about that. It does pop up security things so if this was wrong, I'll redo it)
UNchecked Sections, IAT/EAT; only C: drive checked.
NO permission screen re: ROOTKIT SCAN displayed for me to deal with.
Ran GMER without interruption.

Copied all results for the above and have them to upload IF I did this correctly.

If I am so braindead that THIS is wrong, then I fear you will have to walk me through it 1 step at a time.

I will post the above results ASAP when you tell me I got it right.
IF NOT, then I guess it's on to baby steps ....

PLEASE let me know if
A. this is right or
B. *I* am a Bleeping Idiot.
(Feel free to say so)

Thanks for your patience.

Bfann

#10 Farbar

Posted 07 July 2009 - 03:02 PM

bfann,

Open your Malwarebytes' Anti-Malware, first update it, run a "quick scan", let reboot if needed and copy/paste the log to your reply.

A command window opens. Wait until a log.txt file opens. Please post the content to your reply.

They both should be done while you are online. So if you give me the logs of the first two steps I have no complaint at all.

#11 bfann

Posted 07 July 2009 - 03:40 PM

Alrighty

Here's the MalwareBytes scan, done online: It popped up that this program was trying to modify files and asked me to allow or not. Not knowing, assuming that was in case of infection it would fix it, I said OK.

Malwarebytes' Anti-Malware 1.38
Database version: 2383
Windows 5.1.2600 Service Pack 3

7/7/2009 4:15:23 PM
mbam-log-2009-07-07 (16-15-23).txt

Scan type: Quick Scan
Objects scanned: 83668
Time elapsed: 4 minute(s), 7 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


2. Here's the CMD run, while online





Windows IP Configuration

        Host Name . . . . . . . . . . . . : your-0cdc4f5844
        Primary Dns Suffix  . . . . . . . :
        Node Type . . . . . . . . . . . . : Broadcast
        IP Routing Enabled. . . . . . . . : No
        WINS Proxy Enabled. . . . . . . . : No
        DNS Suffix Search List. . . . . . : gateway.2wire.net

Ethernet adapter Local Area Connection:

        Media State . . . . . . . . . . . : Media disconnected
        Description . . . . . . . . . . . : NVIDIA nForce Networking Controller
        Physical Address. . . . . . . . . : 00-16-36-F7-0C-28

Ethernet adapter Wireless Network Connection 2:

        Connection-specific DNS Suffix  . : gateway.2wire.net
        Description . . . . . . . . . . . : Broadcom 802.11b/g WLAN
        Physical Address. . . . . . . . . : 00-14-A5-E7-14-62
        Dhcp Enabled. . . . . . . . . . . : Yes
        Autoconfiguration Enabled . . . . : Yes
        IP Address. . . . . . . . . . . . : 192.168.1.65
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.1.254
        DHCP Server . . . . . . . . . . . : 192.168.1.254
        DNS Servers . . . . . . . . . . . : 192.168.1.254
        Lease Obtained. . . . . . . . . . : Tuesday, July 07, 2009 3:08:56 PM
        Lease Expires . . . . . . . . . . : Wednesday, July 08, 2009 3:08:56 PM

Server: home
Address: 192.168.1.254

Name: google.com
Addresses: 74.125.127.100, 74.125.67.100, 74.125.45.100

Pinging google.com [74.125.45.100] with 32 bytes of data:

Reply from 74.125.45.100: bytes=32 time=26ms TTL=48
Reply from 74.125.45.100: bytes=32 time=20ms TTL=48

Ping statistics for 74.125.45.100:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 20ms, Maximum = 26ms, Average = 23ms
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 16 36 f7 0c 28 ...... NVIDIA nForce Networking Controller - Agnitum firewall miniport
0x3 ...00 14 a5 e7 14 62 ...... Broadcom 802.11b/g WLAN - Agnitum firewall miniport
===========================================================================
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0    192.168.1.254     192.168.1.65     25
        127.0.0.0        255.0.0.0        127.0.0.1        127.0.0.1      1
      192.168.1.0    255.255.255.0     192.168.1.65     192.168.1.65     25
     192.168.1.65  255.255.255.255        127.0.0.1        127.0.0.1     25
    192.168.1.255  255.255.255.255     192.168.1.65     192.168.1.65     25
        224.0.0.0        240.0.0.0     192.168.1.65     192.168.1.65     25
  255.255.255.255  255.255.255.255     192.168.1.65                2      1
  255.255.255.255  255.255.255.255     192.168.1.65     192.168.1.65      1
Default Gateway: 192.168.1.254
===========================================================================
Persistent Routes:
None




Again,

Gracias! :)

Bfann

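The one-liner Farbar asked for (ipconfig /all, nslookup, ping, route print) is a compact DNS-hijack and routing check: nslookup queries the configured DNS server directly, while ping resolves through the Windows resolver, which consults the HOSTS file first, so a name that pings to a different address than nslookup returned points at a HOSTS redirect; the DNS-server and gateway fields expose DNS-changer style settings, and route print exposes injected or persistent routes. As an added example that is not part of the thread and not a tool of Farbar's, the script below runs those comparisons over the posted output. The function names are mine; the "clean" sample is the poster's own output trimmed, and the "hijacked" sample is constructed from it with documentation addresses (203.0.113.53, 198.51.100.7) standing in for a changed DNS server and a HOSTS redirect.

```python
"""Sanity checks over the combined output of
   ipconfig /all & nslookup google.com & ping -n 2 google.com & route print
See the lead-in for why those four commands are compared against each other.
"""
import ipaddress
import re
from typing import Dict, List


def _field(label: str, text: str) -> List[str]:
    """All IPv4 values of an ipconfig-style 'Label . . . : value' line."""
    return re.findall(rf"{label}[ .]*:\s*([\d.]+)", text)


def parse_report(text: str) -> Dict[str, object]:
    """Extract the handful of fields the checks need."""
    m = re.search(r"Addresses:\s*([\d., ]+)", text)          # nslookup answer list
    answers = [a.strip() for a in m.group(1).split(",") if a.strip()] if m else []
    pm = re.search(r"Persistent Routes:\s*(\S+)", text)
    return {
        "ip": _field("IP Address", text),
        "mask": _field("Subnet Mask", text),
        "gw": _field("Default Gateway", text),
        # Limitation: only the first DNS server sits on the labelled line; ipconfig
        # prints further servers on unlabelled continuation lines.
        "dns": _field("DNS Servers", text),
        "ns_server": re.findall(r"Server:[^\n]*\nAddress:\s*([\d.]+)", text),
        "ns_answers": answers,
        "ping_target": re.findall(r"Pinging \S+ \[([\d.]+)\]", text),
        "default_routes": re.findall(r"^\s*0\.0\.0\.0\s+0\.0\.0\.0\s+([\d.]+)", text, re.M),
        "persistent": pm.group(1) if pm else None,
    }


def check(r: Dict[str, object]) -> List[str]:
    """Return human-readable findings; an empty list means nothing stood out."""
    findings = []
    lans = [ipaddress.ip_network(f"{a}/{m}", strict=False) for a, m in zip(r["ip"], r["mask"])]
    for d in r["dns"]:
        # A home setup normally points at the router; an off-LAN server must be the ISP's.
        if not any(ipaddress.ip_address(d) in n for n in lans):
            findings.append(f"DNS server {d} is off the local network: confirm it is your ISP's, not a changed one")
    for s in r["ns_server"]:
        if s not in r["dns"]:
            findings.append(f"nslookup was answered by {s}, which is not a configured DNS server")
    for t in r["ping_target"]:
        # ping goes through the HOSTS file, nslookup does not: they must agree.
        if r["ns_answers"] and t not in r["ns_answers"]:
            findings.append(f"ping resolved {t} but DNS returned {', '.join(r['ns_answers'])}: check the HOSTS file")
    for g in r["default_routes"]:
        if g not in r["gw"]:
            findings.append(f"default route via {g} does not match the configured gateway")
    if r["persistent"] not in (None, "None"):
        findings.append(f"persistent route present: {r['persistent']}")
    return findings


# The poster's own output, trimmed to the lines the checks read.
CLEAN = """\
Windows IP Configuration
        Host Name . . . . . . . . . . . . : your-0cdc4f5844
        Node Type . . . . . . . . . . . . : Broadcast
Ethernet adapter Wireless Network Connection 2:
        Description . . . . . . . . . . . : Broadcom 802.11b/g WLAN
        Physical Address. . . . . . . . . : 00-14-A5-E7-14-62
        IP Address. . . . . . . . . . . . : 192.168.1.65
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.1.254
        DHCP Server . . . . . . . . . . . : 192.168.1.254
        DNS Servers . . . . . . . . . . . : 192.168.1.254
Server:  home
Address:  192.168.1.254

Name:    google.com
Addresses:  74.125.127.100, 74.125.67.100, 74.125.45.100

Pinging google.com [74.125.45.100] with 32 bytes of data:
Reply from 74.125.45.100: bytes=32 time=26ms TTL=48
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0    192.168.1.254     192.168.1.65     25
Default Gateway:     192.168.1.254
Persistent Routes:
  None
"""

# Constructed variant: DNS moved off the LAN and ping answered from an address DNS never returned.
HIJACKED = (CLEAN.replace("DNS Servers . . . . . . . . . . . : 192.168.1.254",
                          "DNS Servers . . . . . . . . . . . : 203.0.113.53")
                 .replace("Address:  192.168.1.254", "Address:  203.0.113.53")
                 .replace("Pinging google.com [74.125.45.100]", "Pinging google.com [198.51.100.7]"))

if __name__ == "__main__":
    for name, sample in (("clean", CLEAN), ("hijacked", HIJACKED)):
        print(name + ":", check(parse_report(sample)) or ["no findings"])
```

On the thread's output every check passes, which is what Farbar's "They look all good" amounts to; the constructed variant produces two findings, one for the off-LAN DNS server and one for the ping/nslookup mismatch.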
#12 Farbar

Posted 07 July 2009 - 04:06 PM

They look all good. :thumbup2:

Please do both of them.
  • You have the latest version of Java (Java 6 Update 14) and it is good. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components:
    Click "start" and then "Control Panel" icon.
    Doubleclick the "Add or Remove Programs" icon
    A list of programs installed will be "populated" this may take a bit of time.
    Uninstall the following by clicking on the following entries and selecting "remove":

    Java™ 6 Update 7

  • I see you have installed RadarSync Toolbar. This is known to be adware/trackware.
    Please go to Add/Remove Programs in Control Panel and uninstall:

    RadarSync
    RadarSync Toolbar


    Also delete the following folder: c:\program files\RadarSync

    Tell me when you have done that.


#13 bfann

Posted 07 July 2009 - 07:34 PM

Okay. Java 6 update 7 deleted. RadarSync and RadarSync Toolbar deleted. Folder deleted from C:.
Both done .

There were a few questions thrown up by Agnitum (I think) asking whether "to allow the application "UNWISE" to modify a critical object". I allowed it.
What IS "UNWISE" program, if you don't mind my asking? I've always wondered. It seems to pop up randomly on uninstalls.

Thanks
Bfann

#14 Farbar

Posted 08 July 2009 - 04:26 AM

What IS "UNWISE" program

This is a part of programs using the Wise installer, and it runs when you uninstall one of those programs.

Btw, I've noticed these 3 search programs run all the time,,,don't know if that's unusual or not. I don't remember seeing these running continuously in task manager before....SEARCHFILTERHOST.EXE, SEARCHPROTOCOLHOST.EXE SEARCHINDEXER.EXE.

These are part of the Windows Search 4.0 program you have installed. If you don't use it you may uninstall it from Add/Remove Programs.

++++++++++++

Please make sure you run ComboFix just once as I need to see the log of the first run. Download ComboFix from one of these locations:

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Information on A/V control HERE)
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

#15 bfann

Posted 08 July 2009 - 08:11 PM

Hello farbar~

Here ya go....



ComboFix 09-07-08.04 - user 07/08/2009 20:29.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1983.1533 [GMT -4:00]
Running from: c:\documents and settings\user\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: Outpost Firewall *enabled* {8A20CA2A-9E02-4A64-923B-0A38208EB7FD}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\documents\setup.exe
c:\windows\system32\drivers\etc\lmhosts
c:\windows\system32\Drivers\mmjwv.sys

.
((((((((((((((((((((((((( Files Created from 2009-06-09 to 2009-07-09 )))))))))))))))))))))))))))))))
.

2009-07-09 00:30 . 2009-07-09 00:30 56623 ----a-w- c:\windows\system32\drivers\_ati1btxx.sys_.vir
2009-07-06 03:59 . 2009-07-06 03:59 -------- d-----w- c:\documents and settings\BrightFuture\Application Data\KompoZer
2009-07-04 20:48 . 2009-07-04 20:48 -------- d-----w- c:\documents and settings\user\Local Settings\Application Data\AVG Security Toolbar
2009-07-04 20:38 . 2009-04-06 15:37 704384 ----a-w- c:\windows\system32\drivers\SandBox.sys
2009-07-04 20:38 . 2009-02-10 20:15 257432 ----a-w- c:\windows\system32\drivers\afwcore.sys
2009-07-04 20:36 . 2009-02-18 21:30 31128 ----a-w- c:\windows\system32\drivers\afw.sys
2009-07-04 20:36 . 2009-07-04 20:36 -------- d-----w- c:\program files\Agnitum
2009-07-04 20:36 . 2009-07-04 20:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Agnitum
2009-07-03 21:22 . 2009-06-29 19:28 106496 ----a-w- c:\documents and settings\BrightFuture\Application Data\Mozilla\Plugins\npcoolirisplugin.dll
2009-07-03 21:21 . 2009-06-29 19:28 937984 ----a-w- c:\documents and settings\BrightFuture\Application Data\Mozilla\Firefox\Profiles\lwwyzzc3.default\extensions\piclens@cooliris.com\libs\PicLensHelper.exe
2009-07-03 21:21 . 2009-06-29 19:28 65536 ----a-w- c:\documents and settings\BrightFuture\Application Data\Mozilla\Firefox\Profiles\lwwyzzc3.default\extensions\piclens@cooliris.com\components\coolirisstub.dll
2009-07-03 21:21 . 2009-06-29 19:28 106496 ----a-w- c:\documents and settings\BrightFuture\Application Data\Mozilla\Firefox\Profiles\lwwyzzc3.default\extensions\piclens@cooliris.com\libs\npcoolirisplugin.dll
2009-07-03 21:21 . 2009-06-29 19:28 103424 ----a-w- c:\documents and settings\BrightFuture\Application Data\Mozilla\Firefox\Profiles\lwwyzzc3.default\extensions\piclens@cooliris.com\libs\pixomatic.dll
2009-07-03 21:21 . 2009-06-29 19:28 4734976 ----a-w- c:\documents and settings\BrightFuture\Application Data\Mozilla\Firefox\Profiles\lwwyzzc3.default\extensions\piclens@cooliris.com\libs\cooliris19.dll
2009-07-03 21:21 . 2009-06-29 19:28 344064 ----a-w- c:\documents and settings\BrightFuture\Application Data\Mozilla\Firefox\Profiles\lwwyzzc3.default\extensions\piclens@cooliris.com\libs\LaunchCooliris.exe
2009-07-03 16:52 . 2009-06-14 20:07 1004800 ----a-w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar\IEToolbar.dll
2009-07-03 16:51 . 2009-07-03 16:51 -------- d-----w- C:\PDFZilla
2009-07-03 13:49 . 2009-06-30 00:09 1085208 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgupd.exe
2009-07-03 13:49 . 2009-06-30 00:09 1439488 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgupd.dll
2009-07-03 13:49 . 2009-06-30 00:09 755992 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avginet.dll
2009-07-03 13:49 . 2009-06-30 00:09 587032 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgiproxy.exe
2009-07-01 19:48 . 2009-07-01 20:14 -------- d-----w- c:\documents and settings\BrightFuture\Application Data\.clamwin
2009-07-01 19:48 . 2009-07-01 19:48 -------- d-----w- c:\documents and settings\user\Application Data\.clamwin
2009-07-01 19:47 . 2009-07-01 23:39 -------- d-----w- c:\program files\ClamWin
2009-07-01 19:47 . 2009-07-01 19:47 -------- d-----w- c:\documents and settings\All Users\.clamwin
2009-06-30 03:36 . 2009-06-30 03:38 -------- d-----w- c:\documents and settings\BrightFuture\Application Data\AVGTOOLBAR
2009-06-30 03:36 . 2009-06-30 03:38 -------- d-----w- c:\documents and settings\BrightFuture\Local Settings\Application Data\RadarSync
2009-06-30 01:21 . 2009-06-30 01:28 -------- d-----w- c:\program files\Free Internet Window Washer
2009-06-30 00:09 . 2009-07-03 13:52 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-06-30 00:09 . 2009-06-30 00:09 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-06-30 00:09 . 2009-07-06 21:37 -------- d-----w- c:\windows\system32\drivers\Avg
2009-06-30 00:09 . 2009-07-03 13:52 327688 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-06-30 00:09 . 2009-07-03 13:52 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-06-30 00:09 . 2009-06-30 00:09 -------- d-----w- c:\documents and settings\user\Application Data\AVGTOOLBAR
2009-06-30 00:09 . 2009-06-30 00:09 -------- d-----w- c:\program files\AVG
2009-06-30 00:09 . 2009-06-30 00:09 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-06-29 23:29 . 2009-06-29 23:29 -------- d-----w- c:\program files\Common Files\PC Tools
2009-06-29 21:27 . 2009-06-29 21:27 -------- d-----w- c:\program files\EASEUS
2009-06-29 20:19 . 2001-08-18 02:36 8704 ----a-w- c:\windows\system32\kbdjpn.dll
2009-06-29 20:19 . 2001-08-18 02:36 8192 ----a-w- c:\windows\system32\kbdkor.dll
2009-06-29 20:19 . 2001-08-17 18:55 6144 ----a-w- c:\windows\system32\kbd101c.dll
2009-06-29 20:19 . 2001-08-17 18:55 5632 ----a-w- c:\windows\system32\kbd103.dll
2009-06-29 20:19 . 2008-04-13 23:09 6144 ----a-w- c:\windows\system32\kbd106.dll
2009-06-29 20:19 . 2001-08-17 18:55 6144 ----a-w- c:\windows\system32\kbd101b.dll
2009-06-29 17:16 . 2009-06-29 23:28 -------- d-----w- c:\program files\EAV Antivirus Suite
2009-06-29 03:04 . 2009-06-29 03:04 -------- d-----w- c:\documents and settings\BrightFuture\Application Data\PCToolsFirewallPlus
2009-06-29 02:47 . 2009-06-29 02:47 -------- d-----w- c:\documents and settings\user\Application Data\PCToolsFirewallPlus
2009-06-29 01:02 . 2009-06-29 01:02 -------- d-----w- c:\documents and settings\user\Local Settings\Application Data\livetvbar
2009-06-28 22:49 . 2009-06-28 22:49 -------- d-----w- c:\documents and settings\user\Application Data\Sonic
2009-06-28 22:47 . 2009-06-28 22:47 -------- d-----w- c:\program files\Common Files\TiVo Shared
2009-06-28 22:46 . 2009-06-28 22:46 -------- d-----w- c:\documents and settings\user\Application Data\Leadertech
2009-06-27 04:04 . 2009-03-25 04:25 809200 ----a-w- c:\documents and settings\BrightFuture\Application Data\Mozilla\Firefox\Profiles\lwwyzzc3.default\extensions\keyscrambler@qfx.software.corporation\components\KeyScramblerIE.dll
2009-06-24 20:54 . 2009-06-26 03:22 -------- d-----w- c:\program files\WebSite X5 Smart
2009-06-24 20:54 . 1997-01-16 04:00 29696 ----a-w- c:\windows\system32\VB5STKIT.DLL
2009-06-24 20:54 . 2007-08-29 16:54 185344 ----a-w- c:\windows\system32\iwpsetup.exe
2009-06-24 14:25 . 2009-06-24 14:25 -------- d-----w- c:\program files\Alwil Software
2009-06-23 21:17 . 2009-07-02 13:26 117760 ----a-w- c:\documents and settings\BrightFuture\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-06-23 21:15 . 2009-06-23 21:15 -------- d-----w- c:\documents and settings\BrightFuture\Application Data\SUPERAntiSpyware.com
2009-06-23 21:13 . 2009-06-29 23:45 117760 ----a-w- c:\documents and settings\user\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-06-23 21:13 . 2009-06-23 21:13 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-06-23 21:12 . 2009-06-28 22:08 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-06-23 21:12 . 2009-06-23 21:12 -------- d-----w- c:\documents and settings\user\Application Data\SUPERAntiSpyware.com
2009-06-23 21:11 . 2009-06-28 22:56 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-06-23 21:02 . 2009-06-23 21:02 -------- d-----w- c:\documents and settings\user\Local Settings\Application Data\Help
2009-06-23 20:55 . 2009-06-23 20:55 -------- d-----w- c:\program files\Sophos
2009-06-23 15:16 . 2009-06-24 13:39 3715104 --sha-w- c:\windows\system32\drivers\fidbox.dat
2009-06-23 01:32 . 2009-06-17 15:27 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-23 01:32 . 2009-06-23 01:32 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-23 01:32 . 2009-06-17 15:27 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-22 04:48 . 2009-06-22 04:48 -------- d-----w- c:\documents and settings\user\Application Data\Audio Recorder Titanium
2009-06-22 04:48 . 2005-03-28 19:54 475136 ----a-w- c:\windows\system32\NCTAudioVisualizationEx2.dll
2009-06-22 04:48 . 2005-03-28 19:52 417792 ----a-w- c:\windows\system32\NCTTextToAudio2.dll
2009-06-22 04:48 . 2009-06-22 04:48 -------- d-----w- c:\program files\Audio Recorder Titanium
2009-06-21 06:09 . 2009-06-21 06:09 -------- d-----w- c:\documents and settings\BrightFuture\Application Data\Malwarebytes
2009-06-20 22:06 . 2009-06-20 22:06 -------- d-----w- c:\program files\3D Image Commander
2009-06-20 22:04 . 2009-06-20 22:04 -------- d-----w- c:\documents and settings\BrightFuture\Local Settings\Application Data\Conduit
2009-06-20 22:04 . 2009-06-20 22:04 -------- d-----w- c:\documents and settings\BrightFuture\Local Settings\Application Data\livetvbar
2009-06-20 21:58 . 2009-06-20 21:58 -------- d-----w- c:\documents and settings\BrightFuture\Application Data\WinPatrol
2009-06-20 18:38 . 2009-06-24 13:53 -------- d-----w- c:\documents and settings\BrightFuture\Application Data\BitDefender
2009-06-20 16:29 . 2009-06-20 16:29 -------- d-----w- c:\documents and settings\user\Application Data\WinPatrol
2009-06-20 16:28 . 2009-06-20 16:28 -------- d-----w- c:\program files\BillP Studios
2009-06-20 04:52 . 2009-03-25 04:25 809200 ----a-w- c:\documents and settings\user\Application Data\Mozilla\Firefox\Profiles\8x87cm5g.default\extensions\keyscrambler@qfx.software.corporation\components\KeyScramblerIE.dll
2009-06-20 04:32 . 2009-06-20 04:32 -------- d-----w- c:\program files\KeyScrambler
2009-06-20 04:32 . 2009-01-18 21:24 114024 ----a-w- c:\windows\system32\drivers\keyscrambler.sys
2009-06-20 03:40 . 2009-06-25 22:44 -------- d-----w- c:\windows\system32\Adobe
2009-06-20 01:51 . 2009-06-20 01:51 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-06-19 23:42 . 2009-06-19 23:42 -------- d-----w- c:\documents and settings\user\log
2009-06-19 23:18 . 2009-06-19 23:18 -------- d-----w- c:\documents and settings\user\Application Data\Malwarebytes
2009-06-19 23:18 . 2009-06-19 23:18 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-06-19 22:54 . 2009-06-19 22:54 -------- d-----w- c:\program files\Trend Micro
2009-06-19 19:32 . 2009-06-24 13:52 81984 ----a-w- c:\windows\system32\bdod.bin
2009-06-19 19:13 . 2009-06-19 19:20 -------- d-----w- c:\documents and settings\All Users\Application Data\BitDefender
2009-06-19 18:48 . 2009-06-24 13:53 -------- d-----w- c:\program files\Common Files\BitDefender
2009-06-18 18:55 . 2009-06-18 22:18 -------- d-----w- c:\windows\BDOSCAN8
2009-06-16 03:28 . 2009-07-08 00:21 -------- d-----w- c:\documents and settings\user\Local Settings\Application Data\Conduit
2009-06-16 03:27 . 2009-07-08 00:21 -------- d-----w- c:\program files\Conduit
2009-06-16 03:13 . 2009-06-16 03:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Azureus
2009-06-16 03:13 . 2009-06-16 03:30 -------- d-----w- c:\documents and settings\user\Application Data\Azureus
2009-06-14 11:32 . 2009-06-14 11:32 -------- d-----w- c:\documents and settings\user\Local Settings\Application Data\Cooliris
2009-06-14 11:32 . 2009-05-29 20:31 933888 ----a-w- c:\documents and settings\user\Application Data\Mozilla\Firefox\Profiles\8x87cm5g.default\extensions\piclens@cooliris.com\libs\PicLensHelper.exe
2009-06-14 11:32 . 2009-05-29 20:31 65536 ----a-w- c:\documents and settings\user\Application Data\Mozilla\Firefox\Profiles\8x87cm5g.default\extensions\piclens@cooliris.com\components\coolirisstub.dll
2009-06-14 11:32 . 2009-05-29 20:31 103424 ----a-w- c:\documents and settings\user\Application Data\Mozilla\Firefox\Profiles\8x87cm5g.default\extensions\piclens@cooliris.com\libs\pixomatic.dll
2009-06-14 11:32 . 2009-05-29 20:31 4616192 ----a-w- c:\documents and settings\user\Application Data\Mozilla\Firefox\Profiles\8x87cm5g.default\extensions\piclens@cooliris.com\libs\cooliris19.dll
2009-06-14 11:32 . 2009-05-29 20:31 344064 ----a-w- c:\documents and settings\user\Application Data\Mozilla\Firefox\Profiles\8x87cm5g.default\extensions\piclens@cooliris.com\libs\LaunchCooliris.exe
2009-06-14 10:33 . 2009-06-14 10:36 -------- d-----w- c:\program files\Extra Screen Capture Pro
2009-06-14 09:39 . 2009-06-14 09:39 -------- d-----w- c:\documents and settings\BrightFuture\Local Settings\Application Data\Cooliris
2009-06-12 22:50 . 2009-06-12 22:50 -------- d-----w- c:\documents and settings\user\Application Data\iolo
2009-06-12 22:50 . 2009-06-12 22:50 -------- d-----w- c:\documents and settings\All Users\Application Data\iolo
2009-06-12 19:21 . 2009-06-12 19:21 -------- d-----w- c:\documents and settings\user\Local Settings\Application Data\WorldWinner.com
2009-06-12 15:07 . 2009-06-12 15:07 -------- d-----w- c:\program files\filehippo.com
2009-06-12 14:44 . 2009-06-12 14:44 -------- d-----w- c:\documents and settings\user\Application Data\StarBurn
2009-06-11 18:29 . 2009-04-30 21:22 12800 ------w- c:\windows\system32\dllcache\xpshims.dll
2009-06-11 18:29 . 2009-04-30 21:22 246272 ------w- c:\windows\system32\dllcache\ieproxy.dll
2009-06-11 00:19 . 2009-06-11 00:19 -------- d-----w- c:\documents and settings\user\Local Settings\Application Data\EnglishHarbourCasino

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-08 00:15 . 2009-04-28 05:03 -------- d-----w- c:\program files\Java
2009-07-06 15:29 . 2009-05-21 22:55 1 ----a-w- c:\documents and settings\BrightFuture\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2009-07-03 16:52 . 2009-07-03 13:53 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar
2009-06-29 20:15 . 2009-02-04 05:53 69080 ----a-w- c:\documents and settings\user\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-06-29 17:51 . 2009-02-06 21:37 69080 ----a-w- c:\documents and settings\BrightFuture\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-06-29 16:25 . 2009-05-05 14:48 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-06-29 01:28 . 2006-09-19 13:25 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-06-28 20:22 . 2009-06-03 21:54 -------- d-----w- c:\program files\Reimage
2009-06-28 18:38 . 2009-02-11 03:25 -------- d-----w- c:\documents and settings\user\Application Data\Free Download Manager
2009-06-26 02:49 . 2006-09-19 15:12 -------- d-----w- c:\program files\Yahoo!
2009-06-25 15:07 . 2006-09-19 14:38 -------- d-----w- c:\program files\CONEXANT
2009-06-25 04:48 . 2009-02-11 04:54 -------- d-----w- c:\documents and settings\BrightFuture\Application Data\Free Download Manager
2009-06-24 13:39 . 2009-06-23 15:16 44612 --sha-w- c:\windows\system32\drivers\fidbox.idx
2009-06-23 16:17 . 2009-05-21 20:55 1 ----a-w- c:\documents and settings\user\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2009-06-20 03:43 . 2009-02-13 19:02 -------- d-----w- c:\program files\QuickTime Alternative
2009-06-20 03:08 . 2009-04-28 05:03 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-06-20 00:15 . 2009-05-05 14:47 -------- d-----w- c:\program files\Common Files\SourceTec
2009-06-18 19:58 . 2009-03-28 19:32 -------- d-----w- c:\program files\Free Window Registry Repair
2009-06-14 10:34 . 2009-06-06 18:45 -------- d-----w- c:\documents and settings\user\Application Data\DivX
2009-06-12 14:37 . 2009-04-21 17:35 -------- d-----w- c:\program files\Windows Desktop Search
2009-06-04 05:46 . 2009-06-04 05:46 -------- d-----w- c:\documents and settings\user\Application Data\Mp3 Music Editor
2009-06-04 05:45 . 2009-06-04 05:45 -------- d-----w- c:\program files\Mp3 Music Editor
2009-05-31 14:14 . 2009-05-31 14:11 -------- d-----w- c:\documents and settings\BrightFuture\Application Data\SumatraPDF
2009-05-30 04:10 . 2009-05-30 04:10 721904 ----a-w- c:\windows\system32\drivers\sptd.sys
2009-05-30 04:09 . 2009-05-30 04:09 -------- d-----w- c:\program files\Give Away Of The Day
2009-05-29 17:53 . 2009-05-29 17:50 -------- d-----w- c:\documents and settings\user\Application Data\SumatraPDF
2009-05-27 22:15 . 2009-05-27 14:59 4212 ---ha-w- c:\windows\system32\zllictbl.dat
2009-05-27 14:59 . 2009-05-27 14:59 -------- d-----w- c:\documents and settings\All Users\Application Data\MailFrontier
2009-05-27 14:53 . 2009-05-26 21:12 -------- d-----w- c:\program files\Winferno
2009-05-27 14:28 . 2009-05-27 14:28 23552 ----a-w- c:\windows\system32\drivers\phooks.sys
2009-05-26 21:13 . 2009-05-26 21:13 -------- d-----w- c:\program files\SumatraPDF
2009-05-26 21:11 . 2009-05-26 21:11 -------- d-----w- c:\documents and settings\user\Application Data\PriceGong
2009-05-26 20:31 . 2009-05-26 20:31 -------- d-----w- c:\program files\Secunia
2009-05-26 20:13 . 2009-04-28 05:03 152576 ----a-w- c:\documents and settings\user\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
2009-05-26 20:10 . 2009-05-26 20:10 -------- d-----w- c:\program files\Common Files\xing shared
2009-05-26 20:10 . 2009-04-18 04:42 -------- d-----w- c:\program files\Common Files\Real
2009-05-26 19:53 . 2009-05-26 19:53 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-05-26 19:53 . 2009-05-26 19:53 -------- d-----w- c:\program files\NOS
2009-05-26 19:24 . 2009-05-26 19:24 -------- d-----w- c:\program files\Zone Labs
2009-05-26 17:03 . 2009-05-26 17:03 -------- d-----w- c:\program files\Tall Emu
2009-05-26 14:16 . 2006-06-29 18:43 92819 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-05-25 04:24 . 2008-05-27 02:18 350208 ------w- c:\windows\system32\mssph.dll
2009-05-25 03:12 . 2009-05-25 03:12 -------- d-----w- c:\documents and settings\user\Application Data\vlc
2009-05-25 02:53 . 2009-05-25 02:51 -------- d-----w- c:\documents and settings\user\Application Data\MozillaControl
2009-05-25 02:51 . 2009-05-25 02:51 -------- d-----w- c:\program files\${MOZILLA_ACTIVEX_DIR_NAME}
2009-05-25 02:36 . 2009-05-25 02:36 -------- d-----w- c:\documents and settings\BrightFuture\Application Data\DivX
2009-05-25 00:12 . 2006-09-19 15:15 -------- d-----w- c:\program files\DivX
2009-05-25 00:11 . 2009-05-25 00:11 -------- d-----w- c:\program files\Common Files\DivX Shared
2009-05-22 13:17 . 2009-05-20 03:17 -------- d-----w- c:\program files\Coupons
2009-05-21 22:54 . 2009-05-21 22:54 -------- d-----w- c:\documents and settings\BrightFuture\Application Data\OpenOffice.org
2009-05-21 21:26 . 2009-05-01 14:20 -------- d-----w- c:\documents and settings\user\Application Data\Canon
2009-05-21 20:53 . 2009-05-21 20:53 -------- d-----w- c:\documents and settings\user\Application Data\OpenOffice.org
2009-05-21 20:51 . 2009-05-21 20:51 -------- d-----w- c:\program files\JRE
2009-05-21 20:51 . 2009-05-21 20:51 -------- d-----w- c:\program files\OpenOffice.org 3
2009-05-21 20:23 . 2009-05-01 14:00 -------- d-----w- c:\documents and settings\All Users\Application Data\SSScanWizard
2009-05-21 20:23 . 2009-05-01 14:00 -------- d-----w- c:\documents and settings\All Users\Application Data\SSScanAppDataDir
2009-05-19 15:57 . 2009-05-19 15:57 -------- d-----w- c:\program files\GIMPshop
2009-05-19 13:05 . 2009-05-19 13:05 1380403 ----a-w- c:\windows\system32\avgsdk.dll
2009-05-16 20:08 . 2009-05-16 20:08 -------- d-----w- c:\program files\Microsoft Silverlight
2009-05-13 05:15 . 2006-03-16 04:00 915456 ----a-w- c:\windows\system32\wininet.dll
2009-05-12 19:12 . 2005-10-14 03:22 26144 ----a-w- c:\windows\system32\spupdsvc.exe
2009-05-12 00:26 . 2009-05-04 17:34 -------- d-----w- c:\documents and settings\user\Application Data\Systweak
2009-05-12 00:26 . 2009-05-04 17:34 -------- d-----w- c:\documents and settings\All Users\Application Data\Systweak
2009-05-07 15:32 . 2006-03-16 04:00 345600 ----a-w- c:\windows\system32\localspl.dll
2009-05-01 16:17 . 2009-02-14 15:49 352 ----a-w- c:\documents and settings\user\Application Data\wklnhst.dat
2009-04-26 18:48 . 2009-04-26 18:48 152576 ----a-w- c:\documents and settings\BrightFuture\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
2009-04-24 23:26 . 2009-02-14 00:49 710 ----a-w- c:\documents and settings\BrightFuture\Application Data\wklnhst.dat
2009-04-17 12:26 . 2006-03-16 04:00 1847168 ----a-w- c:\windows\system32\win32k.sys
2009-04-15 14:51 . 2006-03-16 04:00 585216 ----a-w- c:\windows\system32\rpcrt4.dll
2009-02-24 19:34 . 2009-02-24 19:34 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-02-24 19:34 . 2009-02-24 19:34 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-06-14 20:07 1004800 ----a-w- c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-08-18 7585792]
"WinPatrol"="c:\program files\BillP Studios\WinPatrol\winpatrol.exe" [2009-06-01 341312]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-07-03 1948440]
"OutpostMonitor"="c:\progra~1\Agnitum\OUTPOS~1\op_mon.exe" [2009-04-28 2374464]
"OutpostFeedBack"="c:\program files\Agnitum\Outpost Firewall\feedback.exe" [2009-04-28 428032]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-06-20 148888]

c:\windows\system32\config\systemprofile\Start Menu\Programs\Startup\
Vongo Tray.lnk.disabled [2006-9-19 1719]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMMyDocs"= 1 (0x1)
"NoRecentDocsNetHood"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSMMyDocs"= 1 (0x1)
"NoRecentDocsNetHood"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 16:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-07-03 13:52 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Pavilion Webcam Tray Icon.lnk]
backup=c:\windows\pss\HP Pavilion Webcam Tray Icon.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
backup=c:\windows\pss\Windows Search.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^user^Start Menu^Programs^StartUp^OpenOffice.org 3.0.lnk]
backup=c:\windows\pss\OpenOffice.org 3.0.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^user^Start Menu^Programs^StartUp^Secunia PSI.lnk]
backup=c:\windows\pss\Secunia PSI.lnkStartup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG8_TRAY
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Messenger (Yahoo!)
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Software Informer
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Tucan

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"idsvc"=3 (0x3)
"CiSvc"=3 (0x3)
"TrkWks"=2 (0x2)
"Schedule"=2 (0x2)
"LightScribeService"=2 (0x2)
"getPlus® Helper"=3 (0x3)
"RSVP"=3 (0x3)
"Spooler"=2 (0x2)
"vsmon"=2 (0x2)
"TapiSrv"=3 (0x3)
"JavaQuickStarterService"=2 (0x2)
"FontCache3.0.0.0"=3 (0x3)
"WudfSvc"=3 (0x3)
"IDriverT"=3 (0x3)
"WMPNetworkSvc"=2 (0x2)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Free Download Manager"="c:\program files\Free Download Manager\fdm.exe" -autorun

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"NvCplDaemon"=RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" -start
"NvCplDaemon"=RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
"NvMediaCenter"=RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
"ehTray"=c:\windows\ehome\ehtray.exe
"QPService"="c:\program files\HP\QuickPlay\QPService.exe"
"SynTPEnh"=c:\program files\Synaptics\SynTP\SynTPEnh.exe
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" -osboot
"OpwareSE2"="c:\program files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [4/21/2009 1:00 PM 28544]
R0 phooks;phooks;c:\windows\system32\drivers\phooks.sys [5/27/2009 10:28 AM 23552]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [6/29/2009 8:09 PM 327688]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [6/29/2009 8:09 PM 108552]
R1 SandBox;SandBox;c:\windows\system32\drivers\SandBox.sys [7/4/2009 4:38 PM 704384]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [5/26/2009 10:05 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/26/2009 10:05 AM 72944]
R1 StarPortLite;StarPort Storage Controller (Lite);c:\windows\system32\drivers\StarPortLite.sys [5/30/2009 12:09 AM 95592]
R2 acssrv;Agnitum Client Security Service;c:\progra~1\Agnitum\OUTPOS~1\acs.exe [7/4/2009 4:36 PM 1195008]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [6/29/2009 8:09 PM 906520]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [6/29/2009 8:09 PM 298776]
R3 afw;Agnitum firewall driver;c:\windows\system32\drivers\afw.sys [7/4/2009 4:36 PM 31128]
R3 afwcore;afwcore;c:\windows\system32\drivers\afwcore.sys [7/4/2009 4:38 PM 257432]
R3 KeyScrambler;KeyScrambler;c:\windows\system32\drivers\keyscrambler.sys [6/20/2009 12:32 AM 114024]
S3 cpuz128;cpuz128;\??\c:\docume~1\user\LOCALS~1\Temp\cpuz_x32.sys --> c:\docume~1\user\LOCALS~1\Temp\cpuz_x32.sys [?]
S3 KernlProD;KernlProD;\??\c:\windows\system32\ntkrlmon.sys --> c:\windows\system32\ntkrlmon.sys [?]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\3.tmp --> c:\windows\system32\3.tmp [?]
S3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [3/24/2009 7:03 AM 7808]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [5/26/2009 10:05 AM 7408]
S4 getPlus® Helper;getPlus® Helper;c:\program files\NOS\bin\getPlus_HelperSvc.exe [5/26/2009 3:53 PM 33176]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-05-27 c:\windows\Tasks\GlaryInitialize.job
- c:\program files\Glary Utilities\initialize.exe [2009-03-25 13:49]

2009-05-27 c:\windows\Tasks\User_Feed_Synchronization-{3EF6F562-68AB-4FAB-9E64-4CBEF070D5EB}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 08:31]

2009-05-27 c:\windows\Tasks\User_Feed_Synchronization-{BCC4CD89-FF1B-44C3-8244-83F9FAAD1A17}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 08:31]
.
- - - - ORPHANS REMOVED - - - -

ShellExecuteHooks-{4F07DA45-8170-4859-9B5F-037EF2970034} - (no file)


.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uInternet Connection Wizard,ShellNext = hxxp://www.hp.com/go/notebookaccessories
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
IE: Download all with Free Download Manager - file://c:\program files\Free Download Manager\dlall.htm
IE: Download selected with Free Download Manager - file://c:\program files\Free Download Manager\dlselected.htm
IE: Download video with Free Download Manager - file://c:\program files\Free Download Manager\dlfvideo.htm
IE: Download with Free Download Manager - file://c:\program files\Free Download Manager\dllink.htm
FF - ProfilePath - c:\documents and settings\user\Application Data\Mozilla\Firefox\Profiles\8x87cm5g.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-msgr&p=
FF - prefs.js: browser.search.selectedEngine - Yahoo! Search
FF - prefs.js: browser.startup.homepage - hxxp://home.jzip.com
FF - prefs.js: keyword.URL - hxxp://us.yhs.search.yahoo.com/avg/search?fr=yhs-avgb&type=yahoo_avg_hs2-tb-web_us&p=
FF - component: c:\documents and settings\user\Application Data\Mozilla\Firefox\Profiles\8x87cm5g.default\extensions\keyscrambler@qfx.software.corporation\components\KeyScramblerIE.dll
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\xpavgtbapi.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-08 20:32
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\3.tmp"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(868)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
.
Completion time: 2009-07-09 20:33
ComboFix-quarantined-files.txt 2009-07-09 00:33

Pre-Run: 73,892,577,280 bytes free
Post-Run: 73,884,024,832 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /fastdetect /NoExecute=OptIn

420 --- E O F --- 2009-06-12 13:28



FYI the file downloaded from the first link wouldn't run...said something about the ComboFix file being split...?
Second link worked fine.
It did install the recovery files and then deleted a bunch of files that made my heart lurch.
I could just see this laptop in its new life as a paperweight....lol

:::bowing head in humble gratitude for your tenacity...:::
BF


PS Since running this program I get this via WinPatrol:

Win Patrol keeps popping this up now:

"Run dll as an App:

c:\Windows\system32\rundll32.exe C\windows\system32\ieframe.dll , Open Url%|

A change was made to use the following program for this file type:

Run Dll as an App

rundll32.exe ieframe.dll , Open Url%|

Is this change ok?
"

I have no clue. Is it?

Edited by bfann, 08 July 2009 - 08:26 PM.




