red X in taskbar says "the media system on your computer is corupt. update your sound and media codec"


  • This topic is locked
37 replies to this topic

#1 phatl

phatl

  • Members
  • 19 posts
  • OFFLINE
  • Local time:06:53 AM

Posted 01 July 2009 - 07:13 PM

Opened a .asx file; it opened IE automatically and I knew I was screwed. Ran Avira and found a bunch of trojans/virii... Came here for help.

Only noticeable changes are the red X icon in the taskbar, and when I Ctrl-Alt-Del, Task Manager is blocked.

Thanks in advance



DDS (Ver_09-06-26.01) - NTFSx86
Run by Matt at 19:04:08.64 on Wed 07/01/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_02
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1285 [GMT -5:00]


============== Running Processes ===============

K:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
K:\WINDOWS\System32\svchost.exe -k netsvcs
K:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
K:\WINDOWS\Explorer.EXE
K:\WINDOWS\system32\spoolsv.exe
K:\Program Files\Avira\AntiVir Desktop\sched.exe
svchost.exe
K:\Program Files\AvaFind\AvaFind.exe
K:\WINDOWS\system32\RUNDLL32.EXE
O:\Zune\ZuneLauncher.exe
K:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
K:\Program Files\Avira\AntiVir Desktop\avgnt.exe
K:\WINDOWS\system32\mediacodec.exe
K:\WINDOWS\system32\ctfmon.exe
K:\Program Files\Windows Media Player\WMPNSCFG.exe
K:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
K:\Program Files\Wallpaper Master\Wallpaper.exe
K:\Program Files\Bonjour\mDNSResponder.exe
K:\WINDOWS\System32\svchost.exe -k HTTPFilter
K:\WINDOWS\system32\svchost.exe -k netsvcs
K:\WINDOWS\system32\nvsvc32.exe
K:\Program Files\Raxco\PerfectDisk\PDAgent.exe
K:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
K:\WINDOWS\system32\svchost.exe -k imgsvc
K:\WINDOWS\system32\ZuneBusEnum.exe
K:\WINDOWS\System32\svchost.exe
K:\Program Files\Opera 10 Preview\opera.exe
K:\WINDOWS\system32\wuauclt.exe
K:\Documents and Settings\Matt\Desktop\dds.scr
K:\Documents and Settings\Matt\Matt.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
mWinlogon: Userinit=k:\windows\system32\userinit.exe,k:\docume~1\matt\locals~1\temp\905.exe,
uRun: [ctfmon.exe] k:\windows\system32\ctfmon.exe
uRun: [Google Update] "k:\documents and settings\matt\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [WMPNSCFG] k:\program files\windows media player\WMPNSCFG.exe
uRun: [SUPERAntiSpyware] k:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [hsf7husjnfg98gi498aejhiugjkdg4] k:\windows\temp\vz2rk.exe
uRun: [Matt] k:\documents and settings\matt\Matt.exe /i
mRun: [AvaFind] "k:\program files\avafind\AvaFind.exe" /minimized
mRun: [NvCplDaemon] RUNDLL32.EXE k:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE k:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [QuickTime Task] "k:\program files\quicktime\qttask.exe" -atboottime
mRun: [Windows Defender] "k:\program files\windows defender\MSASCui.exe" -hide
mRun: [Zune Launcher] "o:\zune\ZuneLauncher.exe"
mRun: [SoundMAXPnP] k:\program files\analog devices\soundmax\SMax4PNP.exe
mRun: [SoundMAX] "k:\program files\analog devices\soundmax\Smax4.exe" /tray
mRun: [avgnt] "k:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [mediacodec.exe] k:\windows\system32\mediacodec.exe
StartupFolder: k:\docume~1\matt\startm~1\programs\startup\wallpa~1.lnk - k:\program files\wallpaper master\Wallpaper.exe
uPolicies-system: DisableTaskMgr = 1 (0x1)
IE: E&xport to Microsoft Excel - k:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683}
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBC} - k:\program files\java\jre1.6.0_02\bin\ssv.dll
IE: {36ECAF82-3300-8F84-092E-AFF36D6C7040} - {86529161-034E-4F8A-88D2-3C625E612E04} - k:\program files\winhttrack\WinHTTrackIEBar.dll
DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} - hxxp://www.creative.com/su/ocx/15031/CTSUEng.cab
DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} - hxxp://www.eset.eu/buxus/docs/programs/OnlineScanner.cab
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://download.divx.com/player/DivXBrowserPlugin.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1237664390359
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} - hxxp://www.creative.com/su/ocx/15033/CTPID.cab
Notify: !SASWinLogon - k:\program files\superantispyware\SASWINLO.DLL
AppInit_DLLs: c:\progra~1\manson\liser.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - k:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - k:\progra~1\window~3\MpShHook.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - k:\program files\superantispyware\SASSEH.DLL
LSA: Authentication Packages = msv1_0 k:\windows\system32\nnnkIcyy

================= FIREFOX ===================

FF - ProfilePath -
FF - HiddenExtension: XUL Cache: {ACF3804D-BA7D-4596-A80E-EADE7FCCA105} - k:\documents and settings\matt\local settings\application data\{ACF3804D-BA7D-4596-A80E-EADE7FCCA105}
FF - HiddenExtension: Java Console: No Registry Reference - k:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - k:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
k:\program files\mozilla firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
k:\program files\mozilla firefox\greprefs\all.js - pref("media.cache_size", 51200);
k:\program files\mozilla firefox\greprefs\all.js - pref("media.ogg.enabled", true);
k:\program files\mozilla firefox\greprefs\all.js - pref("media.wave.enabled", true);
k:\program files\mozilla firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
k:\program files\mozilla firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
k:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
k:\program files\mozilla firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
k:\program files\mozilla firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
k:\program files\mozilla firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
k:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.dpi", -1);
k:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
k:\program files\mozilla firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
k:\program files\mozilla firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
k:\program files\mozilla firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
k:\program files\mozilla firefox\greprefs\all.js - pref("geo.enabled", true);
k:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
k:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
k:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
k:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
k:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
k:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
k:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
k:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
k:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
k:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
k:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
k:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
k:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
k:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
k:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
k:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
k:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
k:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
k:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
k:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
k:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
k:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
k:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
k:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
k:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
k:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
k:\program files\mozilla firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
k:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
k:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
k:\program files\mozilla firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");

============= SERVICES / DRIVERS ===============

R?2 msncache;msncache;k:\windows\system32\svchost.exe -k netsvcs [2007-7-27 14336]
R0 PzWDM;PzWDM;k:\windows\system32\drivers\PzWDM.sys [2006-2-22 15172]
R1 avgio;avgio;k:\program files\avira\antivir desktop\avgio.sys [2009-5-28 11608]
R1 SASDIFSV;SASDIFSV;k:\program files\superantispyware\SASDIFSV.SYS [2008-12-4 9968]
R1 SASKUTIL;SASKUTIL;k:\program files\superantispyware\SASKUTIL.SYS [2008-12-4 55024]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;k:\program files\avira\antivir desktop\sched.exe [2009-5-28 108289]
R2 avgntflt;avgntflt;k:\windows\system32\drivers\avgntflt.sys [2009-5-28 55640]
R3 SASENUM;SASENUM;k:\program files\superantispyware\SASENUM.SYS [2008-12-4 7408]
S0 NVStrap;NVStrap;k:\windows\system32\drivers\NVStrap.sys [2006-2-14 3712]
S1 SysTool;SysTool Overclocking Utility;k:\windows\system32\drivers\SysTool.sys [2006-11-10 24064]
S2 ati64si;ati64si;\??\k:\windows\system32\drivers\ati64si.sys --> k:\windows\system32\drivers\ati64si.sys [?]
S2 fips32cup;fips32cup;k:\windows\system32\drivers\fips32cup.sys [2007-7-27 41216]
S2 WinDefend;Windows Defender;k:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
S3 COMMONFX.SYS;COMMONFX.SYS;k:\windows\system32\drivers\commonfx.sys --> k:\windows\system32\drivers\COMMONFX.SYS [?]
S3 COMMONFX;COMMONFX;k:\windows\system32\drivers\commonfx.sys --> k:\windows\system32\drivers\COMMONFX.SYS [?]
S3 CT20XUT.SYS;CT20XUT.SYS;k:\windows\system32\drivers\ct20xut.sys --> k:\windows\system32\drivers\CT20XUT.SYS [?]
S3 CT20XUT;CT20XUT;k:\windows\system32\drivers\ct20xut.sys --> k:\windows\system32\drivers\CT20XUT.SYS [?]
S3 CTAUDFX.SYS;CTAUDFX.SYS;k:\windows\system32\drivers\ctaudfx.sys --> k:\windows\system32\drivers\CTAUDFX.SYS [?]
S3 CTAUDFX;CTAUDFX;k:\windows\system32\drivers\ctaudfx.sys --> k:\windows\system32\drivers\CTAUDFX.SYS [?]
S3 CTEAPSFX.SYS;CTEAPSFX.SYS;k:\windows\system32\drivers\cteapsfx.sys --> k:\windows\system32\drivers\CTEAPSFX.SYS [?]
S3 CTEAPSFX;CTEAPSFX;k:\windows\system32\drivers\cteapsfx.sys --> k:\windows\system32\drivers\CTEAPSFX.SYS [?]
S3 CTEDSPFX.SYS;CTEDSPFX.SYS;k:\windows\system32\drivers\ctedspfx.sys --> k:\windows\system32\drivers\CTEDSPFX.SYS [?]
S3 CTEDSPFX;CTEDSPFX;k:\windows\system32\drivers\ctedspfx.sys --> k:\windows\system32\drivers\CTEDSPFX.SYS [?]
S3 CTEDSPIO.SYS;CTEDSPIO.SYS;k:\windows\system32\drivers\ctedspio.sys --> k:\windows\system32\drivers\CTEDSPIO.SYS [?]
S3 CTEDSPIO;CTEDSPIO;k:\windows\system32\drivers\ctedspio.sys --> k:\windows\system32\drivers\CTEDSPIO.SYS [?]
S3 CTEDSPSY.SYS;CTEDSPSY.SYS;k:\windows\system32\drivers\ctedspsy.sys --> k:\windows\system32\drivers\CTEDSPSY.SYS [?]
S3 CTEDSPSY;CTEDSPSY;k:\windows\system32\drivers\ctedspsy.sys --> k:\windows\system32\drivers\CTEDSPSY.SYS [?]
S3 CTERFXFX.SYS;CTERFXFX.SYS;k:\windows\system32\drivers\cterfxfx.sys --> k:\windows\system32\drivers\CTERFXFX.SYS [?]
S3 CTERFXFX;CTERFXFX;k:\windows\system32\drivers\cterfxfx.sys --> k:\windows\system32\drivers\CTERFXFX.SYS [?]
S3 CTEXFIFX.SYS;CTEXFIFX.SYS;k:\windows\system32\drivers\ctexfifx.sys --> k:\windows\system32\drivers\CTEXFIFX.SYS [?]
S3 CTEXFIFX;CTEXFIFX;k:\windows\system32\drivers\ctexfifx.sys --> k:\windows\system32\drivers\CTEXFIFX.SYS [?]
S3 CTHWIUT.SYS;CTHWIUT.SYS;k:\windows\system32\drivers\cthwiut.sys --> k:\windows\system32\drivers\CTHWIUT.SYS [?]
S3 CTHWIUT;CTHWIUT;k:\windows\system32\drivers\cthwiut.sys --> k:\windows\system32\drivers\CTHWIUT.SYS [?]
S3 CTSBLFX.SYS;CTSBLFX.SYS;k:\windows\system32\drivers\ctsblfx.sys --> k:\windows\system32\drivers\CTSBLFX.SYS [?]
S3 CTSBLFX;CTSBLFX;k:\windows\system32\drivers\ctsblfx.sys --> k:\windows\system32\drivers\CTSBLFX.SYS [?]
S3 kxwdmdrv;kX WDM Driver Service;k:\windows\system32\drivers\kx.sys --> k:\windows\system32\drivers\kx.sys [?]
S3 LtcyCfgWDM;PCI Latency Tool Driver Service;k:\windows\system32\drivers\LtcyCfgWDM.sys [2005-12-26 6656]
S3 xbreader;MaxDrive XBox Driver (xbreader.sys);k:\windows\system32\drivers\xbreader.sys [2001-1-3 19677]
S4 AntiVirService;Avira AntiVir Guard;k:\program files\avira\antivir desktop\avguard.exe [2009-5-28 185089]

=============== Created Last 30 ================

2009-06-30 20:20 <DIR> --d----- k:\docume~1\alluse~1\applic~1\18641404
2009-06-30 20:20 21,693 ----h--- k:\documents and settings\matt\Matt.exe
2009-06-30 20:19 <DIR> --d----- k:\program files\%windir%

==================== Find3M ====================

2008-09-05 18:28 880,128 a--sh--- k:\windows\system32\yycIknnn.ini2
2008-09-06 02:29 32,768 a--sh--- k:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008090620080907\index.dat

============= FINISH: 19:07:01.81 ===============
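As an added triage example (not part of this thread and not code from the DDS tool), the script below parses the "Pseudo HJT Report" section of a DDS log like the one posted above and flags the persistence entries a responder looks at first: extra comma-separated Userinit entries, Run keys whose target lives in a temp directory or directly in the user profile root, the DisableTaskMgr policy (the blocked Task Manager described in the post), any populated AppInit_DLLs value, and LSA authentication packages beyond msv1_0. The sample text is a constructed excerpt of the log above; the rules and their thresholds are my own heuristics, not DDS's, so a hit means "look here next", not "confirmed malicious".

```python
import re

# Constructed excerpt of the Pseudo HJT section from the log posted above
# (raw string, so the single backslashes in the paths are kept verbatim).
SAMPLE_LOG = r"""
mWinlogon: Userinit=k:\windows\system32\userinit.exe,k:\docume~1\matt\locals~1\temp\905.exe,
uRun: [ctfmon.exe] k:\windows\system32\ctfmon.exe
uRun: [hsf7husjnfg98gi498aejhiugjkdg4] k:\windows\temp\vz2rk.exe
uRun: [Matt] k:\documents and settings\matt\Matt.exe /i
mRun: [avgnt] "k:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [mediacodec.exe] k:\windows\system32\mediacodec.exe
uPolicies-system: DisableTaskMgr = 1 (0x1)
AppInit_DLLs: c:\progra~1\manson\liser.dll
LSA: Authentication Packages = msv1_0 k:\windows\system32\nnnkIcyy
"""

# "uRun: [name] command" / "mRun: [name] command" (u = HKCU, m = HKLM in DDS output)
RUN_RE = re.compile(r'^(?P<hive>[um])Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
# Heuristic: legitimate autostarts rarely live in a temp directory...
TEMP_DIR_RE = re.compile(r'\\te?mp\\', re.IGNORECASE)
# ...or as a bare .exe directly under "Documents and Settings\<user>\".
PROFILE_ROOT_RE = re.compile(
    r'^[a-z]:\\(?:documents and settings|docume~1)\\[^\\]+\\[^\\]+\.exe$', re.IGNORECASE)


def parse_run_target(cmd):
    """Return the executable path from a Run-key command line, quoted or not."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    # Unquoted paths may contain spaces, so cut after the first executable extension.
    m = re.match(r'(.+?\.(?:exe|dll|scr|com))(?:\s|$)', cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split()[0]


def triage_hjt(text):
    """Return (rule, detail) pairs for the suspicious entries found in a DDS HJT section."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        low = line.lower()
        if not line:
            continue
        if low.startswith('mwinlogon: userinit='):
            # Userinit should be exactly "<windir>\system32\userinit.exe,"; extra entries are launched at logon.
            entries = [e.strip() for e in line.split('=', 1)[1].split(',') if e.strip()]
            extra = [e for e in entries if not e.lower().endswith('\\userinit.exe')]
            if extra:
                findings.append(('userinit-extra', ', '.join(extra)))
        elif low.startswith(('upolicies-system:', 'mpolicies-system:')):
            # Malware commonly sets these to hinder the user's own investigation.
            if 'disabletaskmgr = 1' in low or 'disableregistrytools = 1' in low:
                findings.append(('policy-restriction', line.split(':', 1)[1].strip()))
        elif low.startswith('appinit_dlls:'):
            # Any AppInit_DLLs value is loaded into every user32-linked process; verify it.
            value = line.split(':', 1)[1].strip()
            if value:
                findings.append(('appinit-dll', value))
        elif low.startswith('lsa: authentication packages'):
            # A stock XP box lists only msv1_0 here; extra packages see plaintext credentials.
            pkgs = line.split('=', 1)[1].split()
            extra = [p for p in pkgs if p.lower() != 'msv1_0']
            if extra:
                findings.append(('lsa-extra-package', ' '.join(extra)))
        else:
            m = RUN_RE.match(line)
            if m:
                target = parse_run_target(m.group('cmd'))
                detail = f"{m.group('name')} -> {target}"
                if TEMP_DIR_RE.search(target):
                    findings.append(('run-from-temp', detail))
                elif PROFILE_ROOT_RE.match(target):
                    findings.append(('run-from-profile-root', detail))
    return findings


if __name__ == '__main__':
    for rule, detail in triage_hjt(SAMPLE_LOG):
        print(f'{rule:24} {detail}')
```

Path-based rules deliberately leave entries such as `mRun: [mediacodec.exe] k:\windows\system32\mediacodec.exe` alone: an unknown binary in system32 cannot be judged by its location, only by its hash, signature and file age (the "Created Last 30" section is the place to cross-check), which is exactly the follow-up the helper's scans are for.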

#2 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • OFFLINE
  • Gender:Male
  • Local time:07:53 AM

Posted 06 July 2009 - 09:12 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below, another staff member will review them and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Unified Network of Instructors and Trusted Eliminators


#3 phatl

phatl
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  • Local time:06:53 AM

Posted 06 July 2009 - 09:25 PM

Haven't touched the computer really since posting the other day.



DDS (Ver_09-06-26.01) - NTFSx86
Run by Matt at 21:22:05.66 on Mon 07/06/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_02
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1527 [GMT -5:00]


============== Running Processes ===============

K:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
K:\WINDOWS\System32\svchost.exe -k netsvcs
K:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
K:\WINDOWS\Explorer.EXE
K:\WINDOWS\system32\spoolsv.exe
K:\Program Files\Avira\AntiVir Desktop\sched.exe
K:\Program Files\AvaFind\AvaFind.exe
K:\WINDOWS\system32\RUNDLL32.EXE
O:\Zune\ZuneLauncher.exe
K:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
K:\Program Files\Avira\AntiVir Desktop\avgnt.exe
K:\WINDOWS\system32\mediacodec.exe
K:\WINDOWS\system32\ctfmon.exe
K:\Program Files\Windows Media Player\WMPNSCFG.exe
svchost.exe
K:\Program Files\Wallpaper Master\Wallpaper.exe
K:\WINDOWS\system32\rundll32.exe
K:\Program Files\Bonjour\mDNSResponder.exe
K:\WINDOWS\System32\svchost.exe -k HTTPFilter
K:\WINDOWS\system32\svchost.exe -k netsvcs
K:\WINDOWS\system32\nvsvc32.exe
K:\Program Files\Raxco\PerfectDisk\PDAgent.exe
K:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
K:\WINDOWS\system32\svchost.exe -k imgsvc
K:\WINDOWS\system32\ZuneBusEnum.exe
K:\WINDOWS\system32\wuauclt.exe
K:\WINDOWS\system32\wuauclt.exe
K:\Documents and Settings\Matt\Desktop\dds.scr
K:\Documents and Settings\Matt\Matt.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
mWinlogon: Userinit=k:\windows\system32\userinit.exe,k:\docume~1\matt\locals~1\temp\905.exe,
uRun: [ctfmon.exe] k:\windows\system32\ctfmon.exe
uRun: [Google Update] "k:\documents and settings\matt\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [WMPNSCFG] k:\program files\windows media player\WMPNSCFG.exe
uRun: [SUPERAntiSpyware] k:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [hsf7husjnfg98gi498aejhiugjkdg4] k:\windows\temp\vz2rk.exe
uRun: [Matt] k:\documents and settings\matt\Matt.exe /i
mRun: [AvaFind] "k:\program files\avafind\AvaFind.exe" /minimized
mRun: [NvCplDaemon] RUNDLL32.EXE k:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE k:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [QuickTime Task] "k:\program files\quicktime\qttask.exe" -atboottime
mRun: [Windows Defender] "k:\program files\windows defender\MSASCui.exe" -hide
mRun: [Zune Launcher] "o:\zune\ZuneLauncher.exe"
mRun: [SoundMAXPnP] k:\program files\analog devices\soundmax\SMax4PNP.exe
mRun: [SoundMAX] "k:\program files\analog devices\soundmax\Smax4.exe" /tray
mRun: [avgnt] "k:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [mediacodec.exe] k:\windows\system32\mediacodec.exe
StartupFolder: k:\docume~1\matt\startm~1\programs\startup\wallpa~1.lnk - k:\program files\wallpaper master\Wallpaper.exe
uPolicies-system: DisableTaskMgr = 1 (0x1)
IE: E&xport to Microsoft Excel - k:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683}
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBC} - k:\program files\java\jre1.6.0_02\bin\ssv.dll
IE: {36ECAF82-3300-8F84-092E-AFF36D6C7040} - {86529161-034E-4F8A-88D2-3C625E612E04} - k:\program files\winhttrack\WinHTTrackIEBar.dll
DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} - hxxp://www.creative.com/su/ocx/15031/CTSUEng.cab
DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} - hxxp://www.eset.eu/buxus/docs/programs/OnlineScanner.cab
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://download.divx.com/player/DivXBrowserPlugin.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1237664390359
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} - hxxp://www.creative.com/su/ocx/15033/CTPID.cab
Notify: !SASWinLogon - k:\program files\superantispyware\SASWINLO.DLL
AppInit_DLLs: c:\progra~1\manson\liser.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - k:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - k:\progra~1\window~3\MpShHook.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - k:\program files\superantispyware\SASSEH.DLL
LSA: Authentication Packages = msv1_0 k:\windows\system32\nnnkIcyy

================= FIREFOX ===================

FF - ProfilePath -
FF - HiddenExtension: XUL Cache: {ACF3804D-BA7D-4596-A80E-EADE7FCCA105} - k:\documents and settings\matt\local settings\application data\{ACF3804D-BA7D-4596-A80E-EADE7FCCA105}
FF - HiddenExtension: Java Console: No Registry Reference - k:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - k:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
k:\program files\mozilla firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
k:\program files\mozilla firefox\greprefs\all.js - pref("media.cache_size", 51200);
k:\program files\mozilla firefox\greprefs\all.js - pref("media.ogg.enabled", true);
k:\program files\mozilla firefox\greprefs\all.js - pref("media.wave.enabled", true);
k:\program files\mozilla firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
k:\program files\mozilla firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
k:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
k:\program files\mozilla firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
k:\program files\mozilla firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
k:\program files\mozilla firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
k:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.dpi", -1);
k:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
k:\program files\mozilla firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
k:\program files\mozilla firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
k:\program files\mozilla firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
k:\program files\mozilla firefox\greprefs\all.js - pref("geo.enabled", true);
k:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
k:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
k:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
k:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
k:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
k:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
k:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
k:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
k:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
k:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
k:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
k:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
k:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
k:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
k:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
k:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
k:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
k:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
k:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
k:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
k:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
k:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
k:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
k:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
k:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
k:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
k:\program files\mozilla firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
k:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
k:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
k:\program files\mozilla firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");

============= SERVICES / DRIVERS ===============

R?2 msncache;msncache;k:\windows\system32\svchost.exe -k netsvcs [2007-7-27 14336]
R0 PzWDM;PzWDM;k:\windows\system32\drivers\PzWDM.sys [2006-2-22 15172]
R1 avgio;avgio;k:\program files\avira\antivir desktop\avgio.sys [2009-5-28 11608]
R1 SASDIFSV;SASDIFSV;k:\program files\superantispyware\SASDIFSV.SYS [2008-12-4 9968]
R1 SASKUTIL;SASKUTIL;k:\program files\superantispyware\SASKUTIL.SYS [2008-12-4 55024]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;k:\program files\avira\antivir desktop\sched.exe [2009-5-28 108289]
R2 avgntflt;avgntflt;k:\windows\system32\drivers\avgntflt.sys [2009-5-28 55640]
R3 SASENUM;SASENUM;k:\program files\superantispyware\SASENUM.SYS [2008-12-4 7408]
S0 NVStrap;NVStrap;k:\windows\system32\drivers\NVStrap.sys [2006-2-14 3712]
S1 SysTool;SysTool Overclocking Utility;k:\windows\system32\drivers\SysTool.sys [2006-11-10 24064]
S2 ati64si;ati64si;\??\k:\windows\system32\drivers\ati64si.sys --> k:\windows\system32\drivers\ati64si.sys [?]
S2 fips32cup;fips32cup;k:\windows\system32\drivers\fips32cup.sys [2007-7-27 41216]
S2 ksi32sk;ksi32sk;k:\windows\system32\drivers\ksi32sk.sys [2004-8-3 41216]
S2 WinDefend;Windows Defender;k:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
S3 COMMONFX.SYS;COMMONFX.SYS;k:\windows\system32\drivers\commonfx.sys --> k:\windows\system32\drivers\COMMONFX.SYS [?]
S3 COMMONFX;COMMONFX;k:\windows\system32\drivers\commonfx.sys --> k:\windows\system32\drivers\COMMONFX.SYS [?]
S3 CT20XUT.SYS;CT20XUT.SYS;k:\windows\system32\drivers\ct20xut.sys --> k:\windows\system32\drivers\CT20XUT.SYS [?]
S3 CT20XUT;CT20XUT;k:\windows\system32\drivers\ct20xut.sys --> k:\windows\system32\drivers\CT20XUT.SYS [?]
S3 CTAUDFX.SYS;CTAUDFX.SYS;k:\windows\system32\drivers\ctaudfx.sys --> k:\windows\system32\drivers\CTAUDFX.SYS [?]
S3 CTAUDFX;CTAUDFX;k:\windows\system32\drivers\ctaudfx.sys --> k:\windows\system32\drivers\CTAUDFX.SYS [?]
S3 CTEAPSFX.SYS;CTEAPSFX.SYS;k:\windows\system32\drivers\cteapsfx.sys --> k:\windows\system32\drivers\CTEAPSFX.SYS [?]
S3 CTEAPSFX;CTEAPSFX;k:\windows\system32\drivers\cteapsfx.sys --> k:\windows\system32\drivers\CTEAPSFX.SYS [?]
S3 CTEDSPFX.SYS;CTEDSPFX.SYS;k:\windows\system32\drivers\ctedspfx.sys --> k:\windows\system32\drivers\CTEDSPFX.SYS [?]
S3 CTEDSPFX;CTEDSPFX;k:\windows\system32\drivers\ctedspfx.sys --> k:\windows\system32\drivers\CTEDSPFX.SYS [?]
S3 CTEDSPIO.SYS;CTEDSPIO.SYS;k:\windows\system32\drivers\ctedspio.sys --> k:\windows\system32\drivers\CTEDSPIO.SYS [?]
S3 CTEDSPIO;CTEDSPIO;k:\windows\system32\drivers\ctedspio.sys --> k:\windows\system32\drivers\CTEDSPIO.SYS [?]
S3 CTEDSPSY.SYS;CTEDSPSY.SYS;k:\windows\system32\drivers\ctedspsy.sys --> k:\windows\system32\drivers\CTEDSPSY.SYS [?]
S3 CTEDSPSY;CTEDSPSY;k:\windows\system32\drivers\ctedspsy.sys --> k:\windows\system32\drivers\CTEDSPSY.SYS [?]
S3 CTERFXFX.SYS;CTERFXFX.SYS;k:\windows\system32\drivers\cterfxfx.sys --> k:\windows\system32\drivers\CTERFXFX.SYS [?]
S3 CTERFXFX;CTERFXFX;k:\windows\system32\drivers\cterfxfx.sys --> k:\windows\system32\drivers\CTERFXFX.SYS [?]
S3 CTEXFIFX.SYS;CTEXFIFX.SYS;k:\windows\system32\drivers\ctexfifx.sys --> k:\windows\system32\drivers\CTEXFIFX.SYS [?]
S3 CTEXFIFX;CTEXFIFX;k:\windows\system32\drivers\ctexfifx.sys --> k:\windows\system32\drivers\CTEXFIFX.SYS [?]
S3 CTHWIUT.SYS;CTHWIUT.SYS;k:\windows\system32\drivers\cthwiut.sys --> k:\windows\system32\drivers\CTHWIUT.SYS [?]
S3 CTHWIUT;CTHWIUT;k:\windows\system32\drivers\cthwiut.sys --> k:\windows\system32\drivers\CTHWIUT.SYS [?]
S3 CTSBLFX.SYS;CTSBLFX.SYS;k:\windows\system32\drivers\ctsblfx.sys --> k:\windows\system32\drivers\CTSBLFX.SYS [?]
S3 CTSBLFX;CTSBLFX;k:\windows\system32\drivers\ctsblfx.sys --> k:\windows\system32\drivers\CTSBLFX.SYS [?]
S3 kxwdmdrv;kX WDM Driver Service;k:\windows\system32\drivers\kx.sys --> k:\windows\system32\drivers\kx.sys [?]
S3 LtcyCfgWDM;PCI Latency Tool Driver Service;k:\windows\system32\drivers\LtcyCfgWDM.sys [2005-12-26 6656]
S3 xbreader;MaxDrive XBox Driver (xbreader.sys);k:\windows\system32\drivers\xbreader.sys [2001-1-3 19677]
S4 AntiVirService;Avira AntiVir Guard;k:\program files\avira\antivir desktop\avguard.exe [2009-5-28 185089]

=============== Created Last 30 ================

2009-06-30 20:20 <DIR> --d----- k:\docume~1\alluse~1\applic~1\18641404
2009-06-30 20:20 21,693 ----h--- k:\documents and settings\matt\Matt.exe
2009-06-30 20:19 <DIR> --d----- k:\program files\%windir%

==================== Find3M ====================

2008-09-05 18:28 880,128 a--sh--- k:\windows\system32\yycIknnn.ini2
2008-09-06 02:29 32,768 a--sh--- k:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008090620080907\index.dat

============= FINISH: 21:24:42.55 ===============
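
The DDS sections above already contain most of what ComboFix later removes: a service with an undetermined state riding in the svchost netsvcs group (msncache), a registered driver with no file on disk (ati64si), two drivers with different names and dates but an identical byte size (fips32cup.sys and ksi32sk.sys, both 41216 bytes), an all-digit directory under Application Data, a hidden Matt.exe in the profile root, a directory literally named %windir%, and a system+hidden .ini2 in system32. The Python below is an added example for this thread, not part of DDS, ComboFix or anything the helper posted: it parses those DDS line formats and applies a few triage heuristics that are this example's own assumptions, not rules the tools implement. The sample lines are copied verbatim from the DDS log above.

```python
"""Heuristic triage of DDS 'SERVICES / DRIVERS', 'Created Last 30' and
'Find3M' lines.  Added example for this thread, not part of DDS or ComboFix.
The line grammar and every rule below are assumptions about what deserves a
second look; the sample lines are copied from the DDS log in the post above.
"""
import re
from collections import defaultdict

# "R0 name;display;path [YYYY-M-D size]"  or  "S2 name;display;path --> path [?]"
SERVICE_RE = re.compile(r"^(?P<state>[RS]\??\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.+)$")
SIZE_RE = re.compile(r"\[(?P<date>\d{4}-\d{1,2}-\d{1,2})\s+(?P<size>\d+)\]\s*$")
# "2009-06-30 20:20 21,693 ----h--- k:\path"   (size is "<DIR>" for directories)
FILE_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}\s+(?P<size>\S+)\s+(?P<attrs>[-a-z]{8})\s+(?P<path>.+)$")

BINARY_EXT = (".exe", ".dll", ".sys")


def triage_services(lines):
    """Map service name -> reasons, for SERVICES / DRIVERS lines worth a second look."""
    records, drivers_by_size = [], defaultdict(list)
    for line in lines:
        m = SERVICE_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        sm = SIZE_RE.search(rec["rest"])
        rec["size"] = int(sm.group("size")) if sm else None
        records.append(rec)
        # Only kernel drivers under \drivers\ take part in the size-collision rule.
        if rec["size"] and "\\drivers\\" in rec["rest"].lower():
            drivers_by_size[rec["size"]].append(rec["name"])

    findings = defaultdict(list)
    for rec in records:
        name, rest = rec["name"], rec["rest"]
        if "?" in rec["state"]:
            findings[name].append("DDS could not determine the service state")
        if rest.rstrip().endswith("[?]"):
            findings[name].append("registered but no file on disk (orphan, or hidden from the scanner)")
        if "svchost.exe -k netsvcs" in rest.lower():
            findings[name].append("hosted in the svchost netsvcs group; confirm it is a known Microsoft service")
        twins = [n for n in drivers_by_size.get(rec["size"], []) if n != name]
        if twins:
            findings[name].append("same byte size as driver(s) %s: possible cloned loader" % ", ".join(twins))
    return dict(findings)


def triage_files(lines):
    """Map path -> reasons, for 'Created Last 30' / Find3M lines worth a second look."""
    findings = defaultdict(list)
    for line in lines:
        m = FILE_RE.match(line)
        if not m:
            continue
        path, attrs = m.group("path"), m.group("attrs")
        parts = path.lower().split("\\")
        leaf = parts[-1]
        parent = parts[-2] if len(parts) > 1 else ""
        if "%windir%" in leaf:
            findings[path].append("literal %windir% on disk: a dropper wrote an unexpanded variable name")
        if m.group("size") == "<DIR>" and leaf.isdigit():
            findings[path].append("all-digit directory name (rogue 'System Security' staging pattern)")
        if leaf.endswith(".exe") and "h" in attrs and len(parts) == 4 and parts[1] == "documents and settings":
            findings[path].append("hidden executable directly in a user profile root")
        if parent == "system32" and "s" in attrs and "h" in attrs and not leaf.endswith(BINARY_EXT):
            findings[path].append("system+hidden non-binary file directly in system32")
    return dict(findings)


# Copied from the DDS log in the post above (not constructed).
SAMPLE_SERVICES = [
    r"R?2 msncache;msncache;k:\windows\system32\svchost.exe -k netsvcs [2007-7-27 14336]",
    r"R0 PzWDM;PzWDM;k:\windows\system32\drivers\PzWDM.sys [2006-2-22 15172]",
    r"R1 avgio;avgio;k:\program files\avira\antivir desktop\avgio.sys [2009-5-28 11608]",
    r"S2 ati64si;ati64si;\??\k:\windows\system32\drivers\ati64si.sys --> k:\windows\system32\drivers\ati64si.sys [?]",
    r"S2 fips32cup;fips32cup;k:\windows\system32\drivers\fips32cup.sys [2007-7-27 41216]",
    r"S2 ksi32sk;ksi32sk;k:\windows\system32\drivers\ksi32sk.sys [2004-8-3 41216]",
    r"S2 WinDefend;Windows Defender;k:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]",
    r"S3 COMMONFX;COMMONFX;k:\windows\system32\drivers\commonfx.sys --> k:\windows\system32\drivers\COMMONFX.SYS [?]",
]
SAMPLE_FILES = [
    r"2009-06-30 20:20 <DIR> --d----- k:\docume~1\alluse~1\applic~1\18641404",
    r"2009-06-30 20:20 21,693 ----h--- k:\documents and settings\matt\Matt.exe",
    r"2009-06-30 20:19 <DIR> --d----- k:\program files\%windir%",
    r"2008-09-05 18:28 880,128 a--sh--- k:\windows\system32\yycIknnn.ini2",
    r"2008-09-06 02:29 32,768 a--sh--- k:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008090620080907\index.dat",
]

if __name__ == "__main__":
    for name, reasons in triage_services(SAMPLE_SERVICES).items():
        print(name, "->", "; ".join(reasons))
    for path, reasons in triage_files(SAMPLE_FILES).items():
        print(path, "->", "; ".join(reasons))
```

The output still needs a human read: the missing-file rule also fires on COMMONFX, and on the whole CT* block in the full log, which are leftover registrations rather than the infection, while the size-twin rule singles out fips32cup and ksi32sk even though their timestamps are three years apart. Known-good entries such as PzWDM, avgio and WinDefend produce no finding, and the IE history index.dat is ignored because the system+hidden rule only looks at files directly in system32.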


#4 Blade81 (Malware Response Team)

Posted 08 July 2009 - 04:26 AM

Hi,

Please visit this webpage for download links, and instructions for running ComboFix tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
    Remember to re-enable them afterwards.

  • Click Yes to allow ComboFix to continue scanning for malware.
When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt
New dds.txt log.


A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.


Provided malware removal instructions are meant to be used in the corresponding user's case only. If you have similar symptoms, please create your own topic instead of following instructions given to someone else.


#5 phatl (Topic Starter)

Posted 08 July 2009 - 11:05 PM

OK, the first run through got to step 50 and finished but didn't produce a log. Everything is still messed up. I am going to run it again.

#6 phatl (Topic Starter)

Posted 08 July 2009 - 11:26 PM

OK, here they are.

ComboFix:

ComboFix 09-07-08.04 - Matt 07/08/2009 23:08.2 - NTFSx86 MINIMAL
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1787 [GMT -5:00]
Running from: k:\documents and settings\Matt\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

k:\documents and settings\All Users\Application Data\13371564
k:\documents and settings\All Users\Application Data\13371564\13371564
k:\documents and settings\All Users\Application Data\13371564\13371564.exe
k:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
k:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
k:\documents and settings\Matt\Application Data\inst.exe
k:\documents and settings\Matt\Application Data\wiaserva.log
k:\documents and settings\Matt\Application Data\wiaservg.log
k:\documents and settings\Matt\Desktop\System Security 2009.lnk
k:\documents and settings\Matt\Matt.exe
k:\documents and settings\Matt\oashdihasidhasuidhiasdhiashdiuasdhasd
k:\documents and settings\Matt\Start Menu\Programs\System Security
k:\documents and settings\Matt\Start Menu\Programs\System Security\System Security
k:\windows\Install.txt
k:\windows\system32\drivers\fips32cup.sys
k:\windows\system32\drivers\hjgruiaxluriio.sys
k:\windows\system32\drivers\ksi32sk.sys
k:\windows\system32\drivers\nicsk32.sys
k:\windows\system32\hjgruifcgcnhvi.dat
k:\windows\system32\hjgruijdcuveth.dll
k:\windows\system32\hjgruildgmpwkb.dll
k:\windows\system32\hjgruinlkeytrk.dat
k:\windows\system32\Install.txt
k:\windows\system32\wiawow32.sys
k:\windows\system32\wlhnte.dll
k:\windows\system32\yycIknnn.ini
k:\windows\system32\yycIknnn.ini2
k:\windows\Tasks\{5B57CF47-0BFA-43c6-ACF9-3B3653DCADBA}.job
.
---- Previous Run -------
.
k:\windows\system32\drivers\msqpdxewbeexue.sys
k:\windows\system32\msqpdxdxvmpxto.dll

----- BITS: Possible infected sites -----

hxxp://binuser.fileave.com
k:\windows\system32\accwiz.exe . . . is infected!!

k:\windows\system32\actmovie.exe . . . is infected!!

k:\windows\system32\ahui.exe . . . is infected!!

k:\windows\system32\asr_fmt.exe . . . is infected!!

k:\windows\system32\asr_pfu.exe . . . is infected!!

k:\windows\system32\at.exe . . . is infected!!

k:\windows\system32\atmadm.exe . . . is infected!!

k:\windows\system32\attrib.exe . . . is infected!!

k:\windows\system32\auditusr.exe . . . is infected!!

k:\windows\system32\blastcln.exe . . . is infected!!

k:\windows\system32\bootcfg.exe . . . is infected!!

k:\windows\system32\cacls.exe . . . is infected!!

k:\windows\system32\cipher.exe . . . is infected!!

k:\windows\system32\cisvc.exe . . . is infected!!

k:\windows\system32\cleanmgr.exe . . . is infected!!

k:\windows\system32\clipbrd.exe . . . is infected!!

k:\windows\system32\clipsrv.exe . . . is infected!!

k:\windows\system32\cmd.exe . . . is infected!!

k:\windows\system32\cmdl32.exe . . . is infected!!

k:\windows\system32\cmmon32.exe . . . is infected!!

k:\windows\system32\cmstp.exe . . . is infected!!

k:\windows\system32\conime.exe . . . is infected!!

k:\windows\system32\dcomcnfg.exe . . . is infected!!

k:\windows\system32\ddeshare.exe . . . is infected!!

k:\windows\system32\defrag.exe . . . is infected!!

k:\windows\system32\dfrgfat.exe . . . is infected!!

k:\windows\system32\dfrgntfs.exe . . . is infected!!

k:\windows\system32\diantz.exe . . . is infected!!

k:\windows\system32\diskpart.exe . . . is infected!!

k:\windows\system32\dllhost.exe . . . is infected!!

k:\windows\system32\dmadmin.exe . . . is infected!!

k:\windows\system32\dmremote.exe . . . is infected!!

k:\windows\system32\driverquery.exe . . . is infected!!

k:\windows\system32\dumprep.exe . . . is infected!!

k:\windows\system32\dvdupgrd.exe . . . is infected!!

k:\windows\system32\dwwin.exe . . . is infected!!

k:\windows\system32\eudcedit.exe . . . is infected!!

k:\windows\system32\eventcreate.exe . . . is infected!!

k:\windows\system32\eventtriggers.exe . . . is infected!!

k:\windows\system32\extrac32.exe . . . is infected!!

k:\windows\system32\findstr.exe . . . is infected!!

k:\windows\system32\fltmc.exe . . . is infected!!

k:\windows\system32\fontview.exe . . . is infected!!

k:\windows\system32\forcedos.exe . . . is infected!!

k:\windows\system32\fsquirt.exe . . . is infected!!

k:\windows\system32\ftp.exe . . . is infected!!

k:\windows\system32\getmac.exe . . . is infected!!

k:\windows\system32\gpresult.exe . . . is infected!!

k:\windows\system32\grpconv.exe . . . is infected!!

k:\windows\system32\help.exe . . . is infected!!

k:\windows\system32\iexpress.exe . . . is infected!!

k:\windows\system32\imapi.exe . . . is infected!!

k:\windows\system32\ipconfig.exe . . . is infected!!

k:\windows\system32\ipv6.exe . . . is infected!!

k:\windows\system32\ipxroute.exe . . . is infected!!

k:\windows\system32\locator.exe . . . is infected!!

k:\windows\system32\logman.exe . . . is infected!!

k:\windows\system32\logonui.exe . . . is infected!!

k:\windows\system32\magnify.exe . . . is infected!!

k:\windows\system32\makecab.exe . . . is infected!!

k:\windows\system32\mmc.exe . . . is infected!!

k:\windows\system32\mmcperf.exe . . . is infected!!

k:\windows\system32\mnmsrvc.exe . . . is infected!!

k:\windows\system32\mobsync.exe . . . is infected!!

k:\windows\system32\mqbkup.exe . . . is infected!!

k:\windows\system32\mqtgsvc.exe . . . is infected!!

k:\windows\system32\msdtc.exe . . . is infected!!

k:\windows\system32\msiexec.exe . . . is infected!!

k:\windows\system32\msiregmv.exe . . . is infected!!

k:\windows\system32\mspaint.exe . . . is infected!!

k:\windows\system32\mstinit.exe . . . is infected!!

k:\windows\system32\napstat.exe . . . is infected!!

k:\windows\system32\narrator.exe . . . is infected!!

k:\windows\system32\nddeapir.exe . . . is infected!!

k:\windows\system32\net.exe . . . is infected!!

k:\windows\system32\net1.exe . . . is infected!!

k:\windows\system32\netdde.exe . . . is infected!!

k:\windows\system32\netsetup.exe . . . is infected!!

k:\windows\system32\netsh.exe . . . is infected!!

k:\windows\system32\netstat.exe . . . is infected!!

k:\windows\system32\nslookup.exe . . . is infected!!

k:\windows\system32\ntbackup.exe . . . is infected!!

k:\windows\system32\ntvdm.exe . . . is infected!!

k:\windows\system32\odbcad32.exe . . . is infected!!

k:\windows\system32\odbcconf.exe . . . is infected!!

k:\windows\system32\openfiles.exe . . . is infected!!

k:\windows\system32\osk.exe . . . is infected!!

k:\windows\system32\packager.exe . . . is infected!!

k:\windows\system32\perfmon.exe . . . is infected!!

k:\windows\system32\ping.exe . . . is infected!!

k:\windows\system32\powercfg.exe . . . is infected!!

k:\windows\system32\proquota.exe . . . is infected!!

k:\windows\system32\proxycfg.exe . . . is infected!!

k:\windows\system32\qprocess.exe . . . is infected!!

k:\windows\system32\rasphone.exe . . . is infected!!

k:\windows\system32\rcimlby.exe . . . is infected!!

k:\windows\system32\rcp.exe . . . is infected!!

k:\windows\system32\rdpclip.exe . . . is infected!!

k:\windows\system32\rdsaddin.exe . . . is infected!!

k:\windows\system32\rdshost.exe . . . is infected!!

k:\windows\system32\reg.exe . . . is infected!!

k:\windows\system32\regsvr32.exe . . . is infected!!

k:\windows\system32\rexec.exe . . . is infected!!

k:\windows\system32\rsh.exe . . . is infected!!

k:\windows\system32\rsnotify.exe . . . is infected!!

k:\windows\system32\rtcshare.exe . . . is infected!!

k:\windows\system32\runonce.exe . . . is infected!!

k:\windows\system32\savedump.exe . . . is infected!!

k:\windows\system32\scardsvr.exe . . . is infected!!

k:\windows\system32\schtasks.exe . . . is infected!!

k:\windows\system32\sdbinst.exe . . . is infected!!

k:\windows\system32\secedit.exe . . . is infected!!

k:\windows\system32\sessmgr.exe . . . is infected!!

k:\windows\system32\sethc.exe . . . is infected!!

Infected copy of k:\windows\system32\setup.exe was found and disinfected
Restored copy from - k:\windows\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\setup.exe

k:\windows\system32\setupn.exe . . . is infected!!

k:\windows\system32\shmgrate.exe . . . is infected!!

k:\windows\system32\shrpubw.exe . . . is infected!!

k:\windows\system32\shutdown.exe . . . is infected!!

k:\windows\system32\sigverif.exe . . . is infected!!

k:\windows\system32\skeys.exe . . . is infected!!

k:\windows\system32\slserv.exe . . . is infected!!

k:\windows\system32\smbinst.exe . . . is infected!!

k:\windows\system32\smlogsvc.exe . . . is infected!!

k:\windows\system32\sndrec32.exe . . . is infected!!

k:\windows\system32\sort.exe . . . is infected!!

k:\windows\system32\spider.exe . . . is infected!!

k:\windows\system32\spiisupd.exe . . . is infected!!

k:\windows\system32\spnpinst.exe . . . is infected!!

k:\windows\system32\stimon.exe . . . is infected!!

k:\windows\system32\sysocmgr.exe . . . is infected!!

k:\windows\system32\systeminfo.exe . . . is infected!!

k:\windows\system32\taskkill.exe . . . is infected!!

k:\windows\system32\tasklist.exe . . . is infected!!

k:\windows\system32\taskmgr.exe . . . is infected!!

k:\windows\system32\telnet.exe . . . is infected!!

k:\windows\system32\tlntadmn.exe . . . is infected!!

k:\windows\system32\tlntsess.exe . . . is infected!!

k:\windows\system32\tlntsvr.exe . . . is infected!!

k:\windows\system32\tourstart.exe . . . is infected!!

k:\windows\system32\tracerpt.exe . . . is infected!!

k:\windows\system32\tracert.exe . . . is infected!!

k:\windows\system32\upnpcont.exe . . . is infected!!

k:\windows\system32\ups.exe . . . is infected!!

k:\windows\system32\userinit.exe . . . is infected!!

k:\windows\system32\utilman.exe . . . is infected!!

k:\windows\system32\vssvc.exe . . . is infected!!

k:\windows\system32\wextract.exe . . . is infected!!

k:\windows\system32\wiaacmgr.exe . . . is infected!!

k:\windows\system32\winver.exe . . . is infected!!

k:\windows\system32\wpabaln.exe . . . is infected!!

k:\windows\system32\wpnpinst.exe . . . is infected!!

k:\windows\system32\wscntfy.exe . . . is infected!!

k:\windows\system32\wuauclt1.exe . . . is infected!!

k:\windows\system32\xcopy.exe . . . is infected!!

k:\windows\system32\Com\comrepl.exe . . . is infected!!

k:\windows\system32\Com\comrereg.exe . . . is infected!!

k:\windows\system32\npp\nppagent.exe . . . is infected!!

k:\windows\system32\oobe\msoobe.exe . . . is infected!!

k:\windows\system32\oobe\oobebaln.exe . . . is infected!!

k:\windows\system32\Restore\rstrui.exe . . . is infected!!

k:\windows\system32\usmt\migload.exe . . . is infected!!

k:\windows\system32\usmt\migwiz.exe . . . is infected!!

k:\windows\system32\usmt\migwiza.exe . . . is infected!!

k:\windows\system32\wbem\mofcomp.exe . . . is infected!!

k:\windows\system32\wbem\scrcons.exe . . . is infected!!

k:\windows\system32\wbem\wbemtest.exe . . . is infected!!

k:\windows\system32\wbem\wmiadap.exe . . . is infected!!

k:\windows\system32\wbem\wmiapsrv.exe . . . is infected!!

k:\windows\system32\wbem\wmic.exe . . . is infected!!

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_MSQPDXSERV.SYS
-------\Legacy_ATI64SI
-------\Legacy_FIPS32CUP
-------\Legacy_KSI32SK
-------\Legacy_MSNCACHE
-------\Legacy_NICSK32
-------\Legacy_ATI64SI
-------\Legacy_FIPS32CUP
-------\Legacy_KSI32SK
-------\Legacy_MSNCACHE
-------\Legacy_NICSK32
-------\Service_ati64si
-------\Service_fips32cup
-------\Service_ksi32sk
-------\Service_msncache
-------\Service_nicsk32
-------\Service_hjgruitpyeoijp


((((((((((((((((((((((((( Files Created from 2009-06-09 to 2009-07-09 )))))))))))))))))))))))))))))))
.

2009-07-07 14:12 . 2009-07-07 14:12 -------- d-sh--w- k:\windows\system32\config\systemprofile\PrivacIE
2009-07-01 01:44 . 2009-07-01 01:44 -------- d-sh--w- k:\windows\system32\config\systemprofile\IETldCache
2009-07-01 01:40 . 2008-04-13 18:51 60800 ----a-w- k:\windows\system32\drivers\arp1394.sys
2009-07-01 01:40 . 2008-04-13 16:39 142592 ----a-w- k:\windows\system32\drivers\aec.sys
2009-07-01 01:40 . 2003-03-14 00:34 100224 ----a-w- k:\windows\system32\drivers\aeaudio.sys
2009-07-01 01:20 . 2009-07-01 17:00 -------- d-----w- k:\documents and settings\All Users\Application Data\18641404
2009-07-01 01:19 . 2009-07-01 01:19 -------- d-----w- k:\program files\%windir%
2009-07-01 01:19 . 2009-07-01 01:19 23552 ----a-w- k:\windows\system32\mediacodec.exe
2009-06-30 05:30 . 2009-06-30 05:30 -------- d-----w- K:\spoon
2009-06-10 12:35 . 2009-04-30 21:22 12800 -c----w- k:\windows\system32\dllcache\xpshims.dll
2009-06-10 12:35 . 2009-04-30 21:22 246272 -c----w- k:\windows\system32\dllcache\ieproxy.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-09 04:18 . 2009-03-30 00:42 117760 ----a-w- k:\documents and settings\Matt\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-07-09 04:18 . 2006-07-20 03:37 -------- d-----w- k:\documents and settings\Matt\Application Data\AvaFind Data
2009-07-02 01:05 . 2008-09-10 00:20 -------- d-----w- k:\program files\Malwarebytes' Anti-Malware
2009-07-02 01:05 . 2008-12-31 05:43 3561743 ----a-w- k:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-07-01 17:19 . 2009-03-30 00:40 -------- d-----w- k:\program files\HDD Regenerator
2009-06-30 05:32 . 2006-02-22 00:49 -------- d-----w- k:\program files\Soulseek
2009-06-28 19:33 . 2006-06-10 19:35 -------- d-----w- k:\documents and settings\Matt\Application Data\uTorrent
2009-06-26 03:15 . 2008-07-17 23:17 -------- d-----w- k:\program files\SUPERAntiSpyware
2009-06-26 03:14 . 2009-02-18 03:17 -------- d-----w- k:\program files\Opera 10 Preview
2009-06-24 02:04 . 2006-02-14 00:43 -------- d-----w- k:\program files\Soulseek-Test
2009-06-17 16:27 . 2008-09-10 00:20 38160 ----a-w- k:\windows\system32\drivers\mbamswissarmy.sys
2009-06-17 16:27 . 2008-09-10 00:20 19096 ----a-w- k:\windows\system32\drivers\mbam.sys
2009-06-13 18:45 . 2006-05-25 23:10 -------- d-----w- k:\program files\GrabIt
2009-06-08 17:07 . 2009-06-08 17:07 232200 ----a-w- k:\windows\system32\PDBoot.exe
2009-06-08 15:00 . 2009-06-08 15:00 71696 ----a-w- k:\windows\system32\drivers\DefragFs.sys
2009-05-28 19:48 . 2009-03-30 00:36 -------- d-----w- k:\program files\K-Lite Codec Pack
2009-05-28 19:45 . 2009-05-28 19:45 -------- d-----w- k:\program files\Avira
2009-05-28 19:45 . 2009-05-28 19:45 -------- d-----w- k:\documents and settings\All Users\Application Data\Avira
2009-05-28 19:39 . 2006-09-19 00:15 -------- d-----w- k:\program files\CCleaner
2009-05-28 19:26 . 2006-02-19 02:28 -------- d-----w- k:\program files\ImgBurn
2009-05-17 01:22 . 2006-02-14 01:03 -------- d-----w- k:\program files\UltraISO
2009-05-13 05:15 . 2007-07-27 12:00 915456 ----a-w- k:\windows\system32\wininet.dll
2009-05-07 15:32 . 2007-07-27 12:00 345600 ----a-w- k:\windows\system32\localspl.dll
2009-04-17 12:26 . 2007-07-27 12:00 1847168 ----a-w- k:\windows\system32\win32k.sys
2009-04-15 14:51 . 2007-07-27 12:00 585216 ----a-w- k:\windows\system32\rpcrt4.dll
2009-04-13 23:55 . 2009-04-13 23:55 3584 ----a-r- k:\documents and settings\Matt\Application Data\Microsoft\Installer\{121634B0-2F4B-11D3-ADA3-00C04F52DD52}\Icon386ED4E3.exe
2009-04-11 21:55 . 2009-01-25 05:22 256 ----a-w- k:\windows\system32\pool.bin
2009-04-11 21:09 . 2009-04-11 21:09 26694 ----a-r- k:\documents and settings\Matt\Application Data\Microsoft\Installer\{1A053A9F-2549-4544-908A-D46616D12E0B}\BlackBerry.exe
2009-04-11 20:16 . 2009-01-29 06:08 256 ----a-w- k:\documents and settings\Matt\pool.bin
2006-02-23 13:16 . 2008-04-29 03:16 34048 ----a-w- k:\program files\mozilla firefox\plugins\upd62i9x.dll
2006-02-23 13:16 . 2008-04-29 03:16 45056 ----a-w- k:\program files\mozilla firefox\plugins\upd62int.dll
2006-02-23 13:16 . 2008-04-29 03:16 34048 ----a-w- k:\program files\opera\program\plugins\upd62i9x.dll
2006-02-23 13:16 . 2008-04-29 03:16 45056 ----a-w- k:\program files\opera\program\plugins\upd62int.dll
.

------- Sigcheck -------

[-] 2008-10-03 02:09 26112 789E140E949FFD240A21E11E3849CAD4 k:\windows\ServicePackFiles\i386\userinit.exe
[-] 2008-10-03 02:12 26112 789E140E949FFD240A21E11E3849CAD4 k:\windows\system32\userinit.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="k:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"Google Update"="k:\documents and settings\Matt\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-12-12 133104]
"WMPNSCFG"="k:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]
"SUPERAntiSpyware"="k:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-06-26 1830128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AvaFind"="k:\program files\AvaFind\AvaFind.exe" [2004-06-01 295936]
"NvCplDaemon"="k:\windows\system32\NvCpl.dll" [2007-12-05 8523776]
"NvMediaCenter"="k:\windows\system32\NvMcTray.dll" [2007-12-05 81920]
"QuickTime Task"="k:\program files\QuickTime\qttask.exe" [2008-10-03 385024]
"Windows Defender"="k:\program files\Windows Defender\MSASCui.exe" [2006-11-04 866584]
"Zune Launcher"="o:\zune\ZuneLauncher.exe" [2008-12-12 157312]
"SoundMAXPnP"="k:\program files\Analog Devices\SoundMAX\SMax4PNP.exe" [2003-05-29 790528]
"avgnt"="k:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"mediacodec.exe"="k:\windows\system32\mediacodec.exe" [2009-07-01 23552]

k:\documents and settings\Matt\Start Menu\Programs\Startup\
Wallpaper Master.lnk - k:\program files\Wallpaper Master\Wallpaper.exe [2006-8-5 531571]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "k:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-03-30 00:33 356352 ----a-w- k:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ PDBoot.exe\0autocheck autochk *

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"k:\\WINDOWS\\system32\\sessmgr.exe"=
"l:\\Sid Meier's Civilization 4\\Civilization4.exe"=
"k:\\Program Files\\Messenger\\msmsgs.exe"=
"d:\\FEAR\\FEAR.exe"=
"d:\\FEAR\\FEARMP.exe"=
"d:\\FEAR\\FEARXP\\FEARXP.exe"=
"k:\\Program Files\\Opera\\Opera.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"k:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"%windir%\\system32\\sessmgr.exe"=
"k:\\Program Files\\uTorrent\\uTorrent.exe"=

R0 PzWDM;PzWDM;k:\windows\system32\drivers\PzWDM.sys [2/22/2006 10:26 PM 15172]
R1 SASDIFSV;SASDIFSV;k:\program files\SUPERAntiSpyware\SASDIFSV.SYS [12/4/2008 2:50 PM 9968]
R1 SASKUTIL;SASKUTIL;k:\program files\SUPERAntiSpyware\SASKUTIL.SYS [12/4/2008 2:50 PM 55024]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;k:\program files\Avira\AntiVir Desktop\sched.exe [5/28/2009 2:45 PM 108289]
R3 SASENUM;SASENUM;k:\program files\SUPERAntiSpyware\SASENUM.SYS [12/4/2008 2:50 PM 7408]
S0 NVStrap;NVStrap;k:\windows\system32\drivers\NVStrap.sys [2/14/2006 10:24 PM 3712]
S1 SysTool;SysTool Overclocking Utility;k:\windows\system32\drivers\SysTool.sys [11/10/2006 8:08 AM 24064]
S2 WinDefend;Windows Defender;k:\program files\Windows Defender\MsMpEng.exe [11/3/2006 8:19 PM 13592]
S3 COMMONFX.SYS;COMMONFX.SYS;k:\windows\system32\drivers\COMMONFX.SYS --> k:\windows\system32\drivers\COMMONFX.SYS [?]
S3 COMMONFX;COMMONFX;k:\windows\system32\drivers\COMMONFX.SYS --> k:\windows\system32\drivers\COMMONFX.SYS [?]
S3 CT20XUT.SYS;CT20XUT.SYS;k:\windows\system32\drivers\CT20XUT.SYS --> k:\windows\system32\drivers\CT20XUT.SYS [?]
S3 CT20XUT;CT20XUT;k:\windows\system32\drivers\CT20XUT.SYS --> k:\windows\system32\drivers\CT20XUT.SYS [?]
S3 CTAUDFX.SYS;CTAUDFX.SYS;k:\windows\system32\drivers\CTAUDFX.SYS --> k:\windows\system32\drivers\CTAUDFX.SYS [?]
S3 CTAUDFX;CTAUDFX;k:\windows\system32\drivers\CTAUDFX.SYS --> k:\windows\system32\drivers\CTAUDFX.SYS [?]
S3 CTEAPSFX.SYS;CTEAPSFX.SYS;k:\windows\system32\drivers\CTEAPSFX.SYS --> k:\windows\system32\drivers\CTEAPSFX.SYS [?]
S3 CTEAPSFX;CTEAPSFX;k:\windows\system32\drivers\CTEAPSFX.SYS --> k:\windows\system32\drivers\CTEAPSFX.SYS [?]
S3 CTEDSPFX.SYS;CTEDSPFX.SYS;k:\windows\system32\drivers\CTEDSPFX.SYS --> k:\windows\system32\drivers\CTEDSPFX.SYS [?]
S3 CTEDSPFX;CTEDSPFX;k:\windows\system32\drivers\CTEDSPFX.SYS --> k:\windows\system32\drivers\CTEDSPFX.SYS [?]
S3 CTEDSPIO.SYS;CTEDSPIO.SYS;k:\windows\system32\drivers\CTEDSPIO.SYS --> k:\windows\system32\drivers\CTEDSPIO.SYS [?]
S3 CTEDSPIO;CTEDSPIO;k:\windows\system32\drivers\CTEDSPIO.SYS --> k:\windows\system32\drivers\CTEDSPIO.SYS [?]
S3 CTEDSPSY.SYS;CTEDSPSY.SYS;k:\windows\system32\drivers\CTEDSPSY.SYS --> k:\windows\system32\drivers\CTEDSPSY.SYS [?]
S3 CTEDSPSY;CTEDSPSY;k:\windows\system32\drivers\CTEDSPSY.SYS --> k:\windows\system32\drivers\CTEDSPSY.SYS [?]
S3 CTERFXFX.SYS;CTERFXFX.SYS;k:\windows\system32\drivers\CTERFXFX.SYS --> k:\windows\system32\drivers\CTERFXFX.SYS [?]
S3 CTERFXFX;CTERFXFX;k:\windows\system32\drivers\CTERFXFX.SYS --> k:\windows\system32\drivers\CTERFXFX.SYS [?]
S3 CTEXFIFX.SYS;CTEXFIFX.SYS;k:\windows\system32\drivers\CTEXFIFX.SYS --> k:\windows\system32\drivers\CTEXFIFX.SYS [?]
S3 CTEXFIFX;CTEXFIFX;k:\windows\system32\drivers\CTEXFIFX.SYS --> k:\windows\system32\drivers\CTEXFIFX.SYS [?]
S3 CTHWIUT.SYS;CTHWIUT.SYS;k:\windows\system32\drivers\CTHWIUT.SYS --> k:\windows\system32\drivers\CTHWIUT.SYS [?]
S3 CTHWIUT;CTHWIUT;k:\windows\system32\drivers\CTHWIUT.SYS --> k:\windows\system32\drivers\CTHWIUT.SYS [?]
S3 CTSBLFX.SYS;CTSBLFX.SYS;k:\windows\system32\drivers\CTSBLFX.SYS --> k:\windows\system32\drivers\CTSBLFX.SYS [?]
S3 CTSBLFX;CTSBLFX;k:\windows\system32\drivers\CTSBLFX.SYS --> k:\windows\system32\drivers\CTSBLFX.SYS [?]
S3 kxwdmdrv;kX WDM Driver Service;k:\windows\system32\drivers\kx.sys --> k:\windows\system32\drivers\kx.sys [?]
S3 LtcyCfgWDM;PCI Latency Tool Driver Service;k:\windows\system32\drivers\LtcyCfgWDM.sys [12/26/2005 12:24 AM 6656]
S3 xbreader;MaxDrive XBox Driver (xbreader.sys);k:\windows\system32\drivers\xbreader.sys [1/3/2001 12:53 AM 19677]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"k:\windows\system32\rundll32.exe" "k:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-07-09 k:\windows\Tasks\Clean System Memory.job
- k:\windows\system32\CleanMem.exe [2009-03-25 20:05]

2009-06-30 k:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1275210071-1844823847-1801674531-1003Core.job
- k:\documents and settings\Matt\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-12-12 03:04]

2009-07-09 k:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1275210071-1844823847-1801674531-1003UA.job
- k:\documents and settings\Matt\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-12-12 03:04]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-Regedit32 - k:\windows\system32\regedit.exe
HKLM-Run-13371564 - k:\documents and settings\All Users\Application Data\13371564\13371564.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - k:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
FF - ProfilePath - k:\documents and settings\Matt\Application Data\Mozilla\Firefox\Profiles\xtwy1oex.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.shacknews.com/
FF - plugin: k:\documents and settings\Matt\Application Data\Mozilla\Firefox\Profiles\xtwy1oex.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp07075003.dll
FF - plugin: k:\documents and settings\Matt\Local Settings\Application Data\Google\Update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: k:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: k:\program files\Opera 10 Preview\program\plugins\npdsplay.dll
FF - plugin: k:\program files\Opera 10 Preview\program\plugins\npwmsdrm.dll
FF - plugin: k:\program files\Opera\program\plugins\npupd62.dll
FF - HiddenExtension: Java Console: No Registry Reference - k:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - k:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
k:\program files\Mozilla Firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
k:\program files\Mozilla Firefox\greprefs\all.js - pref("media.cache_size", 51200);
k:\program files\Mozilla Firefox\greprefs\all.js - pref("media.ogg.enabled", true);
k:\program files\Mozilla Firefox\greprefs\all.js - pref("media.wave.enabled", true);
k:\program files\Mozilla Firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
k:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
k:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
k:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
k:\program files\Mozilla Firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
k:\program files\Mozilla Firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
k:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.dpi", -1);
k:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
k:\program files\Mozilla Firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
k:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
k:\program files\Mozilla Firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
k:\program files\Mozilla Firefox\greprefs\all.js - pref("geo.enabled", true);
k:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
k:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
k:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
k:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
k:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
k:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
k:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
k:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
k:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
k:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
k:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
k:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
k:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
k:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
k:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
k:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
k:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
k:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
k:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
k:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
k:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
k:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
k:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
k:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
k:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
k:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
k:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
k:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
k:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
k:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-08 23:18
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,1e,62,3e,64,e4,ec,22,47,b1,73,82,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,1e,62,3e,64,e4,ec,22,47,b1,73,82,\

[HKEY_USERS\S-1-5-21-1275210071-1844823847-1801674531-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:e2,7b,b8,db,f6,46,b2,b4,20,c7,4e,3b,00,61,56,07,a3,8f,ee,f4,64,d5,4a,
bc,77,56,15,28,4a,53,42,ee,b3,cd,53,37,a1,3f,f1,16,98,aa,27,be,9e,52,17,6b,\
"??"=hex:b4,16,af,d8,ee,aa,6b,78,d8,d4,7a,ea,e2,d3,69,99
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(676)
k:\program files\SUPERAntiSpyware\SASWINLO.DLL
k:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(3808)
k:\windows\system32\WININET.dll
k:\windows\system32\ieframe.dll
k:\windows\system32\webcheck.dll
k:\windows\system32\WPDShServiceObj.dll
k:\windows\system32\PortableDeviceTypes.dll
k:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
k:\program files\Bonjour\mDNSResponder.exe
k:\windows\system32\rundll32.exe
k:\windows\system32\nvsvc32.exe
k:\program files\Raxco\PerfectDisk\PDAgent.exe
k:\program files\Analog Devices\SoundMAX\SMAgent.exe
k:\windows\system32\ZuneBusEnum.exe
k:\program files\Windows Media Player\wmpnetwk.exe
k:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-07-09 23:22 - machine was rebooted
ComboFix-quarantined-files.txt 2009-07-09 04:22

Pre-Run: 4,683,673,600 bytes free
Post-Run: 4,682,338,304 bytes free

Current=5 Default=5 Failed=4 LastKnownGood=7 Sets=1,2,3,4,5,6,7
495 --- E O F --- 2009-06-12 03:28



dds




DDS (Ver_09-06-26.01) - NTFSx86
Run by Matt at 23:24:33.43 on Wed 07/08/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_02
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1543 [GMT -5:00]


============== Running Processes ===============

K:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
K:\WINDOWS\System32\svchost.exe -k netsvcs
K:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
K:\WINDOWS\system32\spoolsv.exe
K:\Program Files\Avira\AntiVir Desktop\sched.exe
svchost.exe
K:\Program Files\Bonjour\mDNSResponder.exe
K:\Program Files\AvaFind\AvaFind.exe
K:\WINDOWS\system32\RUNDLL32.EXE
O:\Zune\ZuneLauncher.exe
K:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
K:\WINDOWS\System32\svchost.exe -k HTTPFilter
K:\Program Files\Avira\AntiVir Desktop\avgnt.exe
K:\WINDOWS\system32\mediacodec.exe
K:\WINDOWS\system32\ctfmon.exe
K:\Program Files\Windows Media Player\WMPNSCFG.exe
K:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
K:\WINDOWS\system32\nvsvc32.exe
K:\Program Files\Wallpaper Master\Wallpaper.exe
K:\Program Files\Raxco\PerfectDisk\PDAgent.exe
K:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
K:\WINDOWS\system32\svchost.exe -k imgsvc
K:\WINDOWS\system32\ZuneBusEnum.exe
K:\WINDOWS\system32\wscntfy.exe
K:\WINDOWS\explorer.exe
K:\WINDOWS\system32\NOTEPAD.EXE
K:\Program Files\Internet Explorer\iexplore.exe
K:\Program Files\Internet Explorer\iexplore.exe
K:\Documents and Settings\Matt\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uRun: [ctfmon.exe] k:\windows\system32\ctfmon.exe
uRun: [Google Update] "k:\documents and settings\matt\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [WMPNSCFG] k:\program files\windows media player\WMPNSCFG.exe
uRun: [SUPERAntiSpyware] k:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [AvaFind] "k:\program files\avafind\AvaFind.exe" /minimized
mRun: [NvCplDaemon] RUNDLL32.EXE k:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE k:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [QuickTime Task] "k:\program files\quicktime\qttask.exe" -atboottime
mRun: [Windows Defender] "k:\program files\windows defender\MSASCui.exe" -hide
mRun: [Zune Launcher] "o:\zune\ZuneLauncher.exe"
mRun: [SoundMAXPnP] k:\program files\analog devices\soundmax\SMax4PNP.exe
mRun: [avgnt] "k:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [mediacodec.exe] k:\windows\system32\mediacodec.exe
StartupFolder: k:\docume~1\matt\startm~1\programs\startup\wallpa~1.lnk - k:\program files\wallpaper master\Wallpaper.exe
IE: E&xport to Microsoft Excel - k:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683}
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBC} - k:\program files\java\jre1.6.0_02\bin\ssv.dll
IE: {36ECAF82-3300-8F84-092E-AFF36D6C7040} - {86529161-034E-4F8A-88D2-3C625E612E04} - k:\program files\winhttrack\WinHTTrackIEBar.dll
DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} - hxxp://www.creative.com/su/ocx/15031/CTSUEng.cab
DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} - hxxp://www.eset.eu/buxus/docs/programs/OnlineScanner.cab
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://download.divx.com/player/DivXBrowserPlugin.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1237664390359
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} - hxxp://www.creative.com/su/ocx/15033/CTPID.cab
Notify: !SASWinLogon - k:\program files\superantispyware\SASWINLO.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - k:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - k:\progra~1\window~3\MpShHook.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - k:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - k:\docume~1\matt\applic~1\mozilla\firefox\profiles\xtwy1oex.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.shacknews.com/
FF - HiddenExtension: Java Console: No Registry Reference - k:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - k:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
k:\program files\mozilla firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
k:\program files\mozilla firefox\greprefs\all.js - pref("media.cache_size", 51200);
k:\program files\mozilla firefox\greprefs\all.js - pref("media.ogg.enabled", true);
k:\program files\mozilla firefox\greprefs\all.js - pref("media.wave.enabled", true);
k:\program files\mozilla firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
k:\program files\mozilla firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
k:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
k:\program files\mozilla firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
k:\program files\mozilla firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
k:\program files\mozilla firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
k:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.dpi", -1);
k:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
k:\program files\mozilla firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
k:\program files\mozilla firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
k:\program files\mozilla firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
k:\program files\mozilla firefox\greprefs\all.js - pref("geo.enabled", true);
k:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
k:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
k:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
k:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
k:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
k:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
k:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
k:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
k:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
k:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
k:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
k:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
k:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
k:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
k:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
k:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
k:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
k:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
k:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
k:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
k:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
k:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
k:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
k:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
k:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
k:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
k:\program files\mozilla firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
k:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
k:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
k:\program files\mozilla firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");

============= SERVICES / DRIVERS ===============

R0 PzWDM;PzWDM;k:\windows\system32\drivers\PzWDM.sys [2006-2-22 15172]
R1 avgio;avgio;k:\program files\avira\antivir desktop\avgio.sys [2009-5-28 11608]
R1 SASDIFSV;SASDIFSV;k:\program files\superantispyware\SASDIFSV.SYS [2008-12-4 9968]
R1 SASKUTIL;SASKUTIL;k:\program files\superantispyware\SASKUTIL.SYS [2008-12-4 55024]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;k:\program files\avira\antivir desktop\sched.exe [2009-5-28 108289]
R2 avgntflt;avgntflt;k:\windows\system32\drivers\avgntflt.sys [2009-5-28 55640]
R3 SASENUM;SASENUM;k:\program files\superantispyware\SASENUM.SYS [2008-12-4 7408]
S0 NVStrap;NVStrap;k:\windows\system32\drivers\NVStrap.sys [2006-2-14 3712]
S1 SysTool;SysTool Overclocking Utility;k:\windows\system32\drivers\SysTool.sys [2006-11-10 24064]
S2 WinDefend;Windows Defender;k:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
S3 COMMONFX.SYS;COMMONFX.SYS;k:\windows\system32\drivers\commonfx.sys --> k:\windows\system32\drivers\COMMONFX.SYS [?]
S3 COMMONFX;COMMONFX;k:\windows\system32\drivers\commonfx.sys --> k:\windows\system32\drivers\COMMONFX.SYS [?]
S3 CT20XUT.SYS;CT20XUT.SYS;k:\windows\system32\drivers\ct20xut.sys --> k:\windows\system32\drivers\CT20XUT.SYS [?]
S3 CT20XUT;CT20XUT;k:\windows\system32\drivers\ct20xut.sys --> k:\windows\system32\drivers\CT20XUT.SYS [?]
S3 CTAUDFX.SYS;CTAUDFX.SYS;k:\windows\system32\drivers\ctaudfx.sys --> k:\windows\system32\drivers\CTAUDFX.SYS [?]
S3 CTAUDFX;CTAUDFX;k:\windows\system32\drivers\ctaudfx.sys --> k:\windows\system32\drivers\CTAUDFX.SYS [?]
S3 CTEAPSFX.SYS;CTEAPSFX.SYS;k:\windows\system32\drivers\cteapsfx.sys --> k:\windows\system32\drivers\CTEAPSFX.SYS [?]
S3 CTEAPSFX;CTEAPSFX;k:\windows\system32\drivers\cteapsfx.sys --> k:\windows\system32\drivers\CTEAPSFX.SYS [?]
S3 CTEDSPFX.SYS;CTEDSPFX.SYS;k:\windows\system32\drivers\ctedspfx.sys --> k:\windows\system32\drivers\CTEDSPFX.SYS [?]
S3 CTEDSPFX;CTEDSPFX;k:\windows\system32\drivers\ctedspfx.sys --> k:\windows\system32\drivers\CTEDSPFX.SYS [?]
S3 CTEDSPIO.SYS;CTEDSPIO.SYS;k:\windows\system32\drivers\ctedspio.sys --> k:\windows\system32\drivers\CTEDSPIO.SYS [?]
S3 CTEDSPIO;CTEDSPIO;k:\windows\system32\drivers\ctedspio.sys --> k:\windows\system32\drivers\CTEDSPIO.SYS [?]
S3 CTEDSPSY.SYS;CTEDSPSY.SYS;k:\windows\system32\drivers\ctedspsy.sys --> k:\windows\system32\drivers\CTEDSPSY.SYS [?]
S3 CTEDSPSY;CTEDSPSY;k:\windows\system32\drivers\ctedspsy.sys --> k:\windows\system32\drivers\CTEDSPSY.SYS [?]
S3 CTERFXFX.SYS;CTERFXFX.SYS;k:\windows\system32\drivers\cterfxfx.sys --> k:\windows\system32\drivers\CTERFXFX.SYS [?]
S3 CTERFXFX;CTERFXFX;k:\windows\system32\drivers\cterfxfx.sys --> k:\windows\system32\drivers\CTERFXFX.SYS [?]
S3 CTEXFIFX.SYS;CTEXFIFX.SYS;k:\windows\system32\drivers\ctexfifx.sys --> k:\windows\system32\drivers\CTEXFIFX.SYS [?]
S3 CTEXFIFX;CTEXFIFX;k:\windows\system32\drivers\ctexfifx.sys --> k:\windows\system32\drivers\CTEXFIFX.SYS [?]
S3 CTHWIUT.SYS;CTHWIUT.SYS;k:\windows\system32\drivers\cthwiut.sys --> k:\windows\system32\drivers\CTHWIUT.SYS [?]
S3 CTHWIUT;CTHWIUT;k:\windows\system32\drivers\cthwiut.sys --> k:\windows\system32\drivers\CTHWIUT.SYS [?]
S3 CTSBLFX.SYS;CTSBLFX.SYS;k:\windows\system32\drivers\ctsblfx.sys --> k:\windows\system32\drivers\CTSBLFX.SYS [?]
S3 CTSBLFX;CTSBLFX;k:\windows\system32\drivers\ctsblfx.sys --> k:\windows\system32\drivers\CTSBLFX.SYS [?]
S3 kxwdmdrv;kX WDM Driver Service;k:\windows\system32\drivers\kx.sys --> k:\windows\system32\drivers\kx.sys [?]
S3 LtcyCfgWDM;PCI Latency Tool Driver Service;k:\windows\system32\drivers\LtcyCfgWDM.sys [2005-12-26 6656]
S3 xbreader;MaxDrive XBox Driver (xbreader.sys);k:\windows\system32\drivers\xbreader.sys [2001-1-3 19677]
S4 AntiVirService;Avira AntiVir Guard;k:\program files\avira\antivir desktop\avguard.exe [2009-5-28 185089]

=============== Created Last 30 ================

2009-07-08 23:20 <DIR> -cd----- k:\windows\system32\dllcache\cache
2009-07-08 21:55 <DIR> a-dshr-- K:\cmdcons
2009-07-08 21:54 161,792 a------- k:\windows\SWREG.exe
2009-07-08 21:54 155,136 a------- k:\windows\PEV.exe
2009-07-08 21:54 98,816 a------- k:\windows\sed.exe
2009-06-30 20:40 142,592 a------- k:\windows\system32\drivers\aec.sys
2009-06-30 20:40 100,224 a------- k:\windows\system32\drivers\aeaudio.sys
2009-06-30 20:40 60,800 a------- k:\windows\system32\drivers\arp1394.sys
2009-06-30 20:20 <DIR> --d----- k:\docume~1\alluse~1\applic~1\18641404
2009-06-30 20:19 <DIR> --d----- k:\program files\%windir%
2009-06-30 20:19 23,552 a------- k:\windows\system32\mediacodec.exe
2009-06-30 00:30 <DIR> --d----- K:\spoon
2009-06-10 07:35 246,272 -c------ k:\windows\system32\dllcache\ieproxy.dll
2009-06-10 07:35 12,800 -c------ k:\windows\system32\dllcache\xpshims.dll

==================== Find3M ====================

2009-06-17 11:27 38,160 a------- k:\windows\system32\drivers\mbamswissarmy.sys
2009-06-17 11:27 19,096 a------- k:\windows\system32\drivers\mbam.sys
2009-06-08 12:07 232,200 a------- k:\windows\system32\PDBoot.exe
2009-06-08 10:00 71,696 a------- k:\windows\system32\drivers\DefragFs.sys
2009-05-13 00:15 915,456 a------- k:\windows\system32\wininet.dll
2009-05-07 10:32 345,600 a------- k:\windows\system32\localspl.dll
2009-04-17 07:26 1,847,168 a------- k:\windows\system32\win32k.sys
2009-04-15 09:51 585,216 a------- k:\windows\system32\rpcrt4.dll
2009-04-11 15:16 256 a------- k:\documents and settings\matt\pool.bin
2007-06-02 15:50 47,360 a------- k:\docume~1\matt\applic~1\pcouffin.sys

============= FINISH: 23:24:46.53 ===============


#7 Blade81

    Bleepin' Rocker

  • Malware Response Team
  • 6,465 posts
  • Gender:Male
  • Location:Finland

Posted 09 July 2009 - 04:17 AM

Hi,

Let's run an online scanner before trying anything else.


Kaspersky Online Scanner

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.
  • Read the requirements and privacy statement, then click on the Accept button.
  • The program will launch and start to download the latest definition files.
  • You will be prompted to install an application from Kaspersky. Click Run.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
      • Spyware, Adware, Dialers, and other potentially dangerous programs
      • Archives
  • Click on My Computer under Scan.
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • Click on Save Report As....
  • Change the Files of type to Text file (.txt) before clicking on the Save button.
  • Save this report to a convenient place.
  • Copy and paste that information into your topic.
  • The scan will take a while, so be patient and let it run. As it scans your machine very deeply, it could take hours to complete; Kaspersky suggests running it during a time of low activity.
If you need a tutorial, see here

Edited by Blade81, 09 July 2009 - 04:18 AM.

Microsoft Windows Insider MVP 2016-2017

Microsoft MVP Consumer Security 2008-2015
UNITE member since 2006

Provided malware removal related instructions are meant to be used in the correspondent user's case only. If you have similar symptoms create own topic instead of following instructions given to some other, please.


#8 phatl
  • Topic Starter
  • Members
  • 19 posts

Posted 10 July 2009 - 12:31 PM

OK, I have a large amount of storage space to scan. It was taking a very, very long time. 18 hours in, the malware took my computer back over. I tried running Kaspersky in safe mode with a network connection but it doesn't appear to work.

Do I run ComboFix again so I can get into Windows again without having to use safe mode?

#9 Blade81

    Bleepin' Rocker

  • Malware Response Team
  • 6,465 posts
  • Gender:Male
  • Location:Finland

Posted 10 July 2009 - 02:57 PM

Hi,

Yes, run ComboFix again (let it update if permission is asked).

#10 phatl
  • Topic Starter
  • Members
  • 19 posts

Posted 10 July 2009 - 03:56 PM

ComboFix will not run when I boot straight into Windows because "system security version 4.52" is blocking it. It won't start in safe mode either. Ideas?

#11 Blade81

    Bleepin' Rocker

  • Malware Response Team
  • 6,465 posts
  • Gender:Male
  • Location:Finland

Posted 10 July 2009 - 04:16 PM

Have the ComboFix file renamed to phatl.exe before placing it on the infected system, and try running it again.

#12 Blade81

    Bleepin' Rocker

  • Malware Response Team
  • 6,465 posts
  • Gender:Male
  • Location:Finland

Posted 16 July 2009 - 11:25 AM

Hi,

What's the status with this?

#13 phatl
  • Topic Starter
  • Members
  • 19 posts

Posted 16 July 2009 - 12:01 PM

Got busy with life stuff. Renaming the file worked and I was then able to run the online virus scan. Everything is back to normal except that Google is still forwarding me to other sites, so there is still something that didn't get cleaned. Thoughts on that?

#14 Blade81

    Bleepin' Rocker

  • Malware Response Team
  • 6,465 posts
  • Gender:Male
  • Location:Finland

Posted 16 July 2009 - 12:34 PM

Hi,

Please post the following logs:
- c:\ComboFix.txt contents (don't run it again, but post the old one)
- a fresh dds.txt log
+ the online scanner report, if still available

#15 phatl
  • Topic Starter
  • Members
  • 19 posts

Posted 16 July 2009 - 01:48 PM

Here is DDS. I don't have ComboFix anymore.




DDS (Ver_09-06-26.01) - NTFSx86
Run by Matt at 13:35:14.09 on Thu 07/16/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_14
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1486 [GMT -5:00]

FW: Outpost Firewall *enabled* {8A20CA2A-9E02-4A64-923B-0A38208EB7FD}

============== Running Processes ===============

K:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
K:\WINDOWS\System32\svchost.exe -k netsvcs
K:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
K:\WINDOWS\system32\spoolsv.exe
K:\Program Files\Avira\AntiVir Desktop\sched.exe
svchost.exe
K:\Program Files\AvaFind\AvaFind.exe
K:\WINDOWS\system32\RUNDLL32.EXE
O:\Zune\ZuneLauncher.exe
K:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
K:\Program Files\Avira\AntiVir Desktop\avgnt.exe
K:\Program Files\Java\jre6\bin\jusched.exe
K:\Program Files\Agnitum\Outpost Firewall\op_mon.exe
K:\WINDOWS\system32\ctfmon.exe
K:\Program Files\Windows Media Player\WMPNSCFG.exe
K:\Program Files\a-squared Free\a2service.exe
K:\PROGRA~1\Agnitum\OUTPOS~1\acs.exe
K:\Program Files\Bonjour\mDNSResponder.exe
K:\WINDOWS\System32\svchost.exe -k HTTPFilter
K:\Program Files\Java\jre6\bin\jqs.exe
K:\WINDOWS\system32\nvsvc32.exe
K:\Program Files\Raxco\PerfectDisk\PDAgent.exe
K:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
K:\WINDOWS\system32\svchost.exe -k imgsvc
K:\WINDOWS\system32\ZuneBusEnum.exe
K:\Program Files\Mozilla Firefox\firefox.exe
K:\WINDOWS\explorer.exe
K:\Documents and Settings\Matt\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - k:\program files\java\jre6\bin\ssv.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - k:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - k:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [ctfmon.exe] k:\windows\system32\ctfmon.exe
uRun: [Google Update] "k:\documents and settings\matt\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [WMPNSCFG] k:\program files\windows media player\WMPNSCFG.exe
uRun: [SUPERAntiSpyware] k:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [AvaFind] "k:\program files\avafind\AvaFind.exe" /minimized
mRun: [NvCplDaemon] RUNDLL32.EXE k:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE k:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [QuickTime Task] "k:\program files\quicktime\qttask.exe" -atboottime
mRun: [Windows Defender] "k:\program files\windows defender\MSASCui.exe" -hide
mRun: [Zune Launcher] "o:\zune\ZuneLauncher.exe"
mRun: [SoundMAXPnP] k:\program files\analog devices\soundmax\SMax4PNP.exe
mRun: [avgnt] "k:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [SunJavaUpdateSched] "k:\program files\java\jre6\bin\jusched.exe"
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [OutpostMonitor] k:\progra~1\agnitum\outpos~1\op_mon.exe /tray /noservice
mRun: [OutpostFeedBack] "k:\program files\agnitum\outpost firewall\feedback.exe" /dump:os_startup
StartupFolder: k:\docume~1\matt\startm~1\programs\startup\wallpa~1.lnk - k:\program files\wallpaper master\Wallpaper.exe
IE: E&xport to Microsoft Excel - k:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683}
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBC} - k:\program files\java\jre6\bin\jp2iexp.dll
IE: {36ECAF82-3300-8F84-092E-AFF36D6C7040} - {86529161-034E-4F8A-88D2-3C625E612E04} - k:\program files\winhttrack\WinHTTrackIEBar.dll
DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} - hxxp://www.eset.eu/buxus/docs/programs/OnlineScanner.cab
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://download.divx.com/player/DivXBrowserPlugin.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
Notify: !SASWinLogon - k:\program files\superantispyware\SASWINLO.DLL
AppInit_DLLs: k:\progra~1\agnitum\outpos~1\wl_hook.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - k:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - k:\progra~1\window~3\MpShHook.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - k:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath -
FF - HiddenExtension: Java Console: No Registry Reference - k:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
k:\program files\mozilla firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
k:\program files\mozilla firefox\greprefs\all.js - pref("media.cache_size", 51200);
k:\program files\mozilla firefox\greprefs\all.js - pref("media.ogg.enabled", true);
k:\program files\mozilla firefox\greprefs\all.js - pref("media.wave.enabled", true);
k:\program files\mozilla firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
k:\program files\mozilla firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
k:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
k:\program files\mozilla firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
k:\program files\mozilla firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
k:\program files\mozilla firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
k:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.dpi", -1);
k:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
k:\program files\mozilla firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
k:\program files\mozilla firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
k:\program files\mozilla firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
k:\program files\mozilla firefox\greprefs\all.js - pref("geo.enabled", true);
k:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
k:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
k:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
k:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
k:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
k:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
k:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
k:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
k:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
k:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
k:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
k:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
k:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
k:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
k:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
k:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
k:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
k:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
k:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
k:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
k:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
k:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
k:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
k:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
k:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
k:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
k:\program files\mozilla firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
k:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
k:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
k:\program files\mozilla firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");

============= SERVICES / DRIVERS ===============

R0 PzWDM;PzWDM;k:\windows\system32\drivers\PzWDM.sys [2006-2-22 15172]
R1 avgio;avgio;k:\program files\avira\antivir desktop\avgio.sys [2009-5-28 11608]
R1 SandBox;SandBox;k:\windows\system32\drivers\SandBox.sys [2009-7-13 704384]
R1 SASDIFSV;SASDIFSV;k:\program files\superantispyware\SASDIFSV.SYS [2008-12-4 9968]
R1 SASKUTIL;SASKUTIL;k:\program files\superantispyware\SASKUTIL.SYS [2008-12-4 55024]
R2 a2free;a-squared Free Service;k:\program files\a-squared free\a2service.exe [2009-7-13 718880]
R2 acssrv;Agnitum Client Security Service;k:\progra~1\agnitum\outpos~1\acs.exe [2009-7-13 1195008]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;k:\program files\avira\antivir desktop\sched.exe [2009-5-28 108289]
R2 avgntflt;avgntflt;k:\windows\system32\drivers\avgntflt.sys [2009-5-28 55640]
R3 afw;Agnitum firewall driver;k:\windows\system32\drivers\afw.sys [2009-7-13 31128]
R3 afwcore;afwcore;k:\windows\system32\drivers\afwcore.sys [2009-7-13 257432]
R3 SASENUM;SASENUM;k:\program files\superantispyware\SASENUM.SYS [2008-12-4 7408]
S0 NVStrap;NVStrap;k:\windows\system32\drivers\NVStrap.sys [2006-2-14 3712]
S1 SysTool;SysTool Overclocking Utility;k:\windows\system32\drivers\SysTool.sys [2006-11-10 24064]
S2 WinDefend;Windows Defender;k:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
S3 AntiVirService;Avira AntiVir Guard;k:\program files\avira\antivir desktop\avguard.exe [2009-5-28 185089]
S3 COMMONFX.SYS;COMMONFX.SYS;k:\windows\system32\drivers\commonfx.sys --> k:\windows\system32\drivers\COMMONFX.SYS [?]
S3 COMMONFX;COMMONFX;k:\windows\system32\drivers\commonfx.sys --> k:\windows\system32\drivers\COMMONFX.SYS [?]
S3 CT20XUT.SYS;CT20XUT.SYS;k:\windows\system32\drivers\ct20xut.sys --> k:\windows\system32\drivers\CT20XUT.SYS [?]
S3 CT20XUT;CT20XUT;k:\windows\system32\drivers\ct20xut.sys --> k:\windows\system32\drivers\CT20XUT.SYS [?]
S3 CTAUDFX.SYS;CTAUDFX.SYS;k:\windows\system32\drivers\ctaudfx.sys --> k:\windows\system32\drivers\CTAUDFX.SYS [?]
S3 CTAUDFX;CTAUDFX;k:\windows\system32\drivers\ctaudfx.sys --> k:\windows\system32\drivers\CTAUDFX.SYS [?]
S3 CTEAPSFX.SYS;CTEAPSFX.SYS;k:\windows\system32\drivers\cteapsfx.sys --> k:\windows\system32\drivers\CTEAPSFX.SYS [?]
S3 CTEAPSFX;CTEAPSFX;k:\windows\system32\drivers\cteapsfx.sys --> k:\windows\system32\drivers\CTEAPSFX.SYS [?]
S3 CTEDSPFX.SYS;CTEDSPFX.SYS;k:\windows\system32\drivers\ctedspfx.sys --> k:\windows\system32\drivers\CTEDSPFX.SYS [?]
S3 CTEDSPFX;CTEDSPFX;k:\windows\system32\drivers\ctedspfx.sys --> k:\windows\system32\drivers\CTEDSPFX.SYS [?]
S3 CTEDSPIO.SYS;CTEDSPIO.SYS;k:\windows\system32\drivers\ctedspio.sys --> k:\windows\system32\drivers\CTEDSPIO.SYS [?]
S3 CTEDSPIO;CTEDSPIO;k:\windows\system32\drivers\ctedspio.sys --> k:\windows\system32\drivers\CTEDSPIO.SYS [?]
S3 CTEDSPSY.SYS;CTEDSPSY.SYS;k:\windows\system32\drivers\ctedspsy.sys --> k:\windows\system32\drivers\CTEDSPSY.SYS [?]
S3 CTEDSPSY;CTEDSPSY;k:\windows\system32\drivers\ctedspsy.sys --> k:\windows\system32\drivers\CTEDSPSY.SYS [?]
S3 CTERFXFX.SYS;CTERFXFX.SYS;k:\windows\system32\drivers\cterfxfx.sys --> k:\windows\system32\drivers\CTERFXFX.SYS [?]
S3 CTERFXFX;CTERFXFX;k:\windows\system32\drivers\cterfxfx.sys --> k:\windows\system32\drivers\CTERFXFX.SYS [?]
S3 CTEXFIFX.SYS;CTEXFIFX.SYS;k:\windows\system32\drivers\ctexfifx.sys --> k:\windows\system32\drivers\CTEXFIFX.SYS [?]
S3 CTEXFIFX;CTEXFIFX;k:\windows\system32\drivers\ctexfifx.sys --> k:\windows\system32\drivers\CTEXFIFX.SYS [?]
S3 CTHWIUT.SYS;CTHWIUT.SYS;k:\windows\system32\drivers\cthwiut.sys --> k:\windows\system32\drivers\CTHWIUT.SYS [?]
S3 CTHWIUT;CTHWIUT;k:\windows\system32\drivers\cthwiut.sys --> k:\windows\system32\drivers\CTHWIUT.SYS [?]
S3 CTSBLFX.SYS;CTSBLFX.SYS;k:\windows\system32\drivers\ctsblfx.sys --> k:\windows\system32\drivers\CTSBLFX.SYS [?]
S3 CTSBLFX;CTSBLFX;k:\windows\system32\drivers\ctsblfx.sys --> k:\windows\system32\drivers\CTSBLFX.SYS [?]
S3 kxwdmdrv;kX WDM Driver Service;k:\windows\system32\drivers\kx.sys --> k:\windows\system32\drivers\kx.sys [?]
S3 LtcyCfgWDM;PCI Latency Tool Driver Service;k:\windows\system32\drivers\LtcyCfgWDM.sys [2005-12-26 6656]
S3 xbreader;MaxDrive XBox Driver (xbreader.sys);k:\windows\system32\drivers\xbreader.sys [2001-1-3 19677]

=============== Created Last 30 ================

2009-07-13 07:45 <DIR> --d----- k:\program files\Agnitum
2009-07-13 07:44 <DIR> --d----- k:\docume~1\alluse~1\applic~1\Agnitum
2009-07-13 00:01 <DIR> --d----- k:\program files\a-squared Free
2009-07-10 08:24 <DIR> --d----- k:\docume~1\alluse~1\applic~1\12229374
2009-06-30 20:20 <DIR> --d----- k:\docume~1\alluse~1\applic~1\18641404

==================== Find3M ====================


============= FINISH: 13:37:21.42 ===============
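The DDS output above is a fixed, line-oriented format (`uRun:`/`mRun:` autostart entries, `R0`..`S4` service and driver lines, and a dated "Created Last 30" listing), so the first triage pass helpers do when reading such a log can be automated. The following is an added example, not code from DDS, BleepingComputer or the original poster: it parses those three line shapes and flags entries that usually deserve a second look. The heuristics are the example's own assumptions (an autostart target outside Program Files or the Windows directory, a service or driver whose line ends in DDS's `[?]` marker, which the script treats as "file details could not be read", and a directory under All Users\Application Data whose name is all digits); a flag is a prompt for a human to check, not a verdict. The sample lines are a constructed subset copied from the log above.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample input: a few lines in the shape DDS prints, copied from the log above.
SAMPLE_LOG = r"""
uRun: [Google Update] "k:\documents and settings\matt\local settings\application data\google\update\GoogleUpdate.exe" /c
mRun: [NvCplDaemon] RUNDLL32.EXE k:\windows\system32\NvCpl.dll,NvStartup
mRun: [avgnt] "k:\program files\avira\antivir desktop\avgnt.exe" /min
R1 avgio;avgio;k:\program files\avira\antivir desktop\avgio.sys [2009-5-28 11608]
S3 COMMONFX;COMMONFX;k:\windows\system32\drivers\commonfx.sys --> k:\windows\system32\drivers\COMMONFX.SYS [?]
2009-07-13 07:45 <DIR> --d----- k:\program files\Agnitum
2009-07-10 08:24 <DIR> --d----- k:\docume~1\alluse~1\applic~1\12229374
""".strip().splitlines()

# uRun/mRun: [Name] command line
RUN_RE = re.compile(r"^(?P<hive>[um]Run): \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
# R0..S4 ServiceName;DisplayName;path [date size]   (or "path --> PATH [?]")
SERVICE_RE = re.compile(r"^(?P<state>[RS]\d) (?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.*)$")
# YYYY-MM-DD HH:MM <DIR>|size attributes path
CREATED_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+(?P<size><DIR>|\d+)\s+(?P<attr>[-a-z]+)\s+(?P<path>.+)$"
)
# Locations an autostart entry is expected to run from (heuristic, assumed here).
SYSTEM_PREFIXES = ("program files", "progra~", "windows", "%windir%", "%systemroot%")


@dataclass
class Finding:
    kind: str
    detail: str


def split_command(cmd: str) -> Tuple[str, str]:
    """Split a Run-key command line into (executable, arguments), honouring quotes."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        if end > 0:
            return cmd[1:end], cmd[end + 1:].strip()
        return cmd[1:], ""
    parts = cmd.split(None, 1)
    return parts[0], (parts[1] if len(parts) > 1 else "")


def run_target(cmd: str) -> str:
    """The file that actually runs: for rundll32 that is the DLL named before the comma."""
    exe, args = split_command(cmd)
    if exe.lower().endswith("rundll32.exe") and args:
        return args.split(",", 1)[0].strip().strip('"')
    return exe


def in_system_dirs(path: str) -> bool:
    p = re.sub(r"^[a-z]:\\", "", path.lower())  # drop the drive letter
    return p.startswith(SYSTEM_PREFIXES)


def parse_service(line: str) -> Optional[Dict[str, object]]:
    m = SERVICE_RE.match(line)
    if not m:
        return None
    rest = m.group("rest")
    path = re.split(r" --> | \[", rest, maxsplit=1)[0]
    # DDS ends the line with "[?]" instead of "[date size]" when it could not read the file.
    return {"state": m.group("state"), "name": m.group("name"), "path": path,
            "missing": rest.rstrip().endswith("[?]")}


def is_numeric_data_dir(path: str) -> bool:
    """An all-digit directory name under Application Data (heuristic assumed here)."""
    parts = path.lower().rstrip("\\").split("\\")
    return parts[-1].isdigit() and any(p in ("applic~1", "application data") for p in parts)


def triage(lines: List[str]) -> List[Finding]:
    findings: List[Finding] = []
    for line in lines:
        m = RUN_RE.match(line)
        if m:
            target = run_target(m.group("cmd"))
            if not in_system_dirs(target):
                findings.append(Finding("run-outside-system-dirs",
                                        f"{m.group('hive')} [{m.group('name')}] -> {target}"))
            continue
        svc = parse_service(line)
        if svc:
            if svc["missing"]:
                findings.append(Finding("service-file-missing", f"{svc['state']} {svc['name']}: {svc['path']}"))
            continue
        m = CREATED_RE.match(line)
        if m and is_numeric_data_dir(m.group("path")):
            findings.append(Finding("numeric-appdata-dir", m.group("path")))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind:24} {f.detail}")
```

Run against a full DDS log the script will flag legitimate per-user updaters (Google Update above runs from the user profile by design) alongside anything suspicious; the point is to shorten the list a human reads, and each flagged path still needs to be checked by hand.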



