
UAC Rootkit and Trojans


8 replies to this topic

#1 joethegiraffe


Posted 27 August 2009 - 05:32 PM

Hey there, this is my first post and I have arrived here because my friend recommended this as a very useful community for malware issues!

A brief history for you; my computer started acting up about 2 weeks ago, mainly it was shutting itself down with no warning or dialogue boxes when I was in the middle of games, surfing the web etc. This was reasonably annoying and I initially put it down to power supply/overheating issues, but this explanation was quickly ruled out as my core temp proved to be fine and I tried a different power unit.

I then ran Mbam, Spybot S&D, CCleaner and McAfee scans in safe mode to see what they could find. They found an awful lot and said that they had gotten rid of it all, so I went back to assuming that my computer was fine. I then noticed that the search function of my computer had entirely disappeared, as had the System Restore function. I thought this was a bit odd so I ran Mbam again and it came back with HKEY_LOCAL_MACHINE\SOFTWARE\UAC and uacinit.dll, 2 files it had told me it managed to get rid of. I tried right clicking and jumping to the location of either of them, but they were nowhere to be seen under the registry title that they come under.

At this point I decided that I am nowhere near capable of managing this on my own, so I seek your help xD

Here is a current pre-'remove selected' on Mbam:

Malwarebytes' Anti-Malware 1.40
Database version: 2707
Windows 5.1.2600 Service Pack 3

8/27/2009 11:12:28 PM
mbam-log-2009-08-27 (23-12-23).txt

Scan type: Quick Scan
Objects scanned: 115146
Time elapsed: 15 minute(s), 6 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{494e6cec-7483-a4ee-0938-895519a84bc7} (Backdoor.Bot) -> No action taken.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{494e6cec-7483-a4ee-0938-895519a84bc7} (Backdoor.Bot) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Rootkit.Trace) -> No action taken.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\xa.tmp (Trojan.Downloader) -> No action taken.
C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> No action taken.




And a post-'remove selected':

Malwarebytes' Anti-Malware 1.40
Database version: 2707
Windows 5.1.2600 Service Pack 3

8/27/2009 11:12:31 PM
mbam-log-2009-08-27 (23-12-31).txt

Scan type: Quick Scan
Objects scanned: 115146
Time elapsed: 15 minute(s), 6 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{494e6cec-7483-a4ee-0938-895519a84bc7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{494e6cec-7483-a4ee-0938-895519a84bc7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Rootkit.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\xa.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> Delete on reboot.



As you can see it claims to have gotten rid of the UAC registry, but it never has D:


I attempted to install DDS, but my system doesn't seem to like the file and displays it as a Notepad file full of jargon when I try and view it. I don't know if running Hijack is an acceptable alternative, but I figured I might as well, so here's the log from that:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:30:42 PM, on 8/27/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16876)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - (no file)
O3 - Toolbar: Veoh Web Player Video Finder - {0FBB9689-D3D7-4f7a-A2E2-585B10099BFC} - C:\Program Files\Veoh Networks\VeohWebPlayer\VeohIEToolbar.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - HKLM\..\RunOnce: [SpybotDeletingA872] command.com /c del "C:\WINDOWS\system32\UAClirpiqllnm.log_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC4267] cmd.exe /c del "C:\WINDOWS\system32\UAClirpiqllnm.log_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingA2571] command.com /c del "C:\WINDOWS\system32\UAClirpiqllnm.log"
O4 - HKLM\..\RunOnce: [SpybotDeletingC6985] cmd.exe /c del "C:\WINDOWS\system32\UAClirpiqllnm.log"
O4 - HKLM\..\RunOnce: [SpybotDeletingA9710] command.com /c del "C:\WINDOWS\system32\UACjtwereatli.dat_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC9227] cmd.exe /c del "C:\WINDOWS\system32\UACjtwereatli.dat_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingA4589] command.com /c del "C:\WINDOWS\system32\UACjtwereatli.dat"
O4 - HKLM\..\RunOnce: [SpybotDeletingC1853] cmd.exe /c del "C:\WINDOWS\system32\UACjtwereatli.dat"
O4 - HKLM\..\RunOnce: [SpybotDeletingA2179] command.com /c del "C:\WINDOWS\system32\uacinit.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC3851] cmd.exe /c del "C:\WINDOWS\system32\uacinit.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingA2023] command.com /c del "C:\WINDOWS\system32\uacinit.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingC8400] cmd.exe /c del "C:\WINDOWS\system32\uacinit.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingA1292] command.com /c del "C:\WINDOWS\system32\UACmspkvoenml.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingC3405] cmd.exe /c del "C:\WINDOWS\system32\UACmspkvoenml.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingA4955] command.com /c del "C:\WINDOWS\system32\UACmuybiuruma.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingC9340] cmd.exe /c del "C:\WINDOWS\system32\UACmuybiuruma.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingA636] command.com /c del "C:\WINDOWS\system32\UACwswtsfearh.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingC6062] cmd.exe /c del "C:\WINDOWS\system32\UACwswtsfearh.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingA7305] command.com /c del "C:\WINDOWS\system32\UACyrenxvmdib.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC754] cmd.exe /c del "C:\WINDOWS\system32\UACyrenxvmdib.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingA377] command.com /c del "C:\WINDOWS\system32\UACyrenxvmdib.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingC2986] cmd.exe /c del "C:\WINDOWS\system32\UACyrenxvmdib.dll"
O4 - HKLM\..\RunOnce: [GrpConv] grpconv -o
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\RunOnce: [SpybotDeletingB8767] command.com /c del "C:\WINDOWS\system32\drivers\UACoqxwpduboe.sys"
O4 - HKCU\..\RunOnce: [SpybotDeletingD9084] cmd.exe /c del "C:\WINDOWS\system32\drivers\UACoqxwpduboe.sys"
O4 - HKCU\..\RunOnce: [SpybotDeletingB5726] command.com /c del "C:\WINDOWS\system32\UAClirpiqllnm.log_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD9992] cmd.exe /c del "C:\WINDOWS\system32\UAClirpiqllnm.log_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingB3570] command.com /c del "C:\WINDOWS\system32\UAClirpiqllnm.log"
O4 - HKCU\..\RunOnce: [SpybotDeletingD7366] cmd.exe /c del "C:\WINDOWS\system32\UAClirpiqllnm.log"
O4 - HKCU\..\RunOnce: [SpybotDeletingB1230] command.com /c del "C:\WINDOWS\system32\UACjtwereatli.dat_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD1284] cmd.exe /c del "C:\WINDOWS\system32\UACjtwereatli.dat_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingB2803] command.com /c del "C:\WINDOWS\system32\UACjtwereatli.dat"
O4 - HKCU\..\RunOnce: [SpybotDeletingD7700] cmd.exe /c del "C:\WINDOWS\system32\UACjtwereatli.dat"
O4 - HKCU\..\RunOnce: [SpybotDeletingB5535] command.com /c del "C:\WINDOWS\system32\uacinit.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD1506] cmd.exe /c del "C:\WINDOWS\system32\uacinit.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingB2890] command.com /c del "C:\WINDOWS\system32\uacinit.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingD1073] cmd.exe /c del "C:\WINDOWS\system32\uacinit.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingB5559] command.com /c del "C:\WINDOWS\system32\UACmspkvoenml.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingD4631] cmd.exe /c del "C:\WINDOWS\system32\UACmspkvoenml.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingB1587] command.com /c del "C:\WINDOWS\system32\UACmuybiuruma.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingD9377] cmd.exe /c del "C:\WINDOWS\system32\UACmuybiuruma.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingB6429] command.com /c del "C:\WINDOWS\system32\UACwswtsfearh.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingD7190] cmd.exe /c del "C:\WINDOWS\system32\UACwswtsfearh.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingB569] command.com /c del "C:\WINDOWS\system32\UACyrenxvmdib.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD3193] cmd.exe /c del "C:\WINDOWS\system32\UACyrenxvmdib.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingB247] command.com /c del "C:\WINDOWS\system32\UACyrenxvmdib.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingD2358] cmd.exe /c del "C:\WINDOWS\system32\UACyrenxvmdib.dll"
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/200612...ex/qtplugin.cab
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-GB/a-UNO1/GAME_UNO1.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab56986.cab
O23 - Service: Imapi Helper - Alex Feinman - C:\Program Files\Alex Feinman\ISO Recorder\ImapiHelper.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
O23 - Service: Performance Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe

--
End of file - 9966 bytes


I attempted to run Rootrepeal but on double clicking it gives the error 'Could not read the boot sector. Try adjusting the Disk Access Level in the Options dialogue.' I tried this, but still get the error each time. I then tried to run it anyway, following the instructions given on your forum page, and it froze the whole machine, forcing me to restart.

Also I'm doing everything in safe mode just now.

Hopefully one of you guys can help me with this issue!

Thanks in advance,

Joe.
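As an added example (not code from this thread, from Malwarebytes or from BleepingComputer), here is a small Python parser for the MBAM 1.x log format posted above; it pulls each detection out of its section and compares two scans, flagging items that were logged as quarantined and deleted but are reported again, which is what the poster describes with the UAC key. The sample logs embedded in it are constructed: one is abridged from the post-'remove selected' log above, the other is a hypothetical follow-up scan after a reboot.

```python
"""Parse Malwarebytes' Anti-Malware 1.x logs and compare scans (added example)."""
import re
from dataclasses import dataclass

# One detection line, e.g.
#   C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> Delete on reboot.
DETECTION_RE = re.compile(
    r"^(?P<item>.+?) \((?P<family>[^()]+)\) -> (?P<action>.+?)\.?$"
)

# Section headings that introduce detection lists; the summary block at the
# top of the log uses the same names followed by a count ("Files Infected: 2").
SECTION_HEADINGS = (
    "Memory Processes Infected", "Memory Modules Infected",
    "Registry Keys Infected", "Registry Values Infected",
    "Registry Data Items Infected", "Folders Infected", "Files Infected",
)


@dataclass(frozen=True)
class Detection:
    section: str
    item: str      # registry key or file path exactly as MBAM printed it
    family: str    # MBAM's detection name, e.g. Rootkit.Trace
    action: str    # MBAM's reported action, without the trailing period

    def removed(self) -> bool:
        """True only if MBAM claims the item is already gone."""
        return self.action.startswith("Quarantined and deleted")


def parse_mbam_log(text: str) -> list[Detection]:
    """Return every detection in an MBAM log, tagged with its section."""
    detections: list[Detection] = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith(":") and line[:-1] in SECTION_HEADINGS:
            section = line[:-1]
            continue
        if section is None or line == "(No malicious items detected)":
            continue
        m = DETECTION_RE.match(line)
        if m:
            detections.append(Detection(section, m["item"], m["family"], m["action"]))
    return detections


def pending(detections: list[Detection]) -> list[Detection]:
    """Detections MBAM has not finished with ('Delete on reboot', 'No action taken')."""
    return [d for d in detections if not d.removed()]


def recurring(earlier: list[Detection], later: list[Detection]) -> list[Detection]:
    """Items from an earlier scan that a later scan reports again.

    An item logged as 'Quarantined and deleted successfully' that is back on the
    next scan means something on the machine restored it; that is the behaviour
    the poster saw with HKEY_LOCAL_MACHINE\\SOFTWARE\\UAC.
    """
    seen = {(d.section, d.item) for d in earlier}
    return [d for d in later if (d.section, d.item) in seen]


# Constructed sample: abridged to the shape of the post-'remove selected' log above.
SCAN_AFTER_REMOVAL = r"""
Malwarebytes' Anti-Malware 1.40
Database version: 2707
Scan type: Quick Scan
Registry Keys Infected: 1
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Rootkit.Trace) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\xa.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> Delete on reboot.
"""

# Constructed follow-up scan (hypothetical, not posted in the thread) showing what
# the poster describes: the key MBAM said it deleted is reported again after a reboot.
SCAN_AFTER_REBOOT = r"""
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Rootkit.Trace) -> No action taken.

Files Infected:
(No malicious items detected)
"""
```

Feeding two consecutive mbam-log-*.txt files to `parse_mbam_log` and then `recurring` turns "it claims to have gotten rid of it but it never has" into a concrete list of the items that keep coming back.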


#2 JSntgRvr


    Master Surgeon General


  • Malware Response Team

Posted 27 August 2009 - 10:58 PM

Hi, Joe :thumbup2:

Welcome.

Please read and follow all these instructions very carefully.

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**
  • If you are using Firefox, make sure that your download settings are as follows:
    • Tools->Options->Main tab
    • Set to "Always ask me where to Save the files".
  • During the download, rename Combofix to Combo-Fix as follows:


  • It is important you rename Combofix during the download, but not after.
  • Please do not rename Combofix to other names, but only to the one indicated.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    -----------------------------------------------------------

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

      -----------------------------------------------------------

    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

    -----------------------------------------------------------

  • Double click on combo-Fix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\Combo-Fix.txt" .
**Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall**


Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security.

Please do not install any new programs or update anything unless told to do so while we are fixing your problem.

No request for help through private messaging will be attended to.



#3 joethegiraffe


Posted 28 August 2009 - 05:37 AM

Hey JSntgRvr, cheers for the quick reply!

I've downloaded and run ComboFix but I hit a few issues along the way; firstly my downloads wouldn't work, trying to save the file in any normal way resulted in it saying that the download had been cancelled, and retrying showed it as being downloaded but the file was nowhere to be seen. I got around this by using DownThemAll to download it, but this meant that I couldn't rename it until after it had been downloaded!

I disabled Mbam and Windows Security Centre and turned off the different scans that McAfee usually does and ran ComboFix.
About 3 seconds in, after the blue box had appeared, I got an error saying that Pev.cfxxe had been forced to close and asking if I would like to send an error report, so I said no to the report and ComboFix got on with doing its thing. It detected about 8 UAC-based rootkit files which it suggested that I note down and so I have, but I noticed they are under the deleted files in the log anyway.

The only other thing I didn't entirely understand was that after ComboFix had finished I got a Windows File Protection error saying that some files had been replaced with unrecognised ones and I needed the SP3 disk to replace the originals. I skipped past this; is this something that ComboFix does?

Anyway, here's a log for you, and thanks again!


ComboFix 09-08-27.A0 - A-The JoeG 08/28/2009 11:04.1.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.679 [GMT 1:00]
Running from: c:\documents and settings\A-The JoeG\Desktop\Combo-Fix.exe
AV: VirusScan Enterprise + AntiSpyware Enterprise *On-access scanning disabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
FW: COMODO Firewall Pro *enabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\A-The JoeG\My Documents\ZbThumbnail.info
c:\documents and settings\All Users\HotFixUpdate.exe
c:\windows\Fonts\Dream Theater Logo.ttf
c:\windows\Installer\168bd3f.msi
c:\windows\Installer\5b7a07.msi
c:\windows\Installer\e1af0.msi
c:\windows\system32\drivers\npf.sys
c:\windows\system32\drivers\UACoqxwpduboe.sys
c:\windows\system32\Drivers\uvwisoumfchb.sys
c:\windows\system32\Packet.dll
c:\windows\system32\pthreadVC.dll
c:\windows\system32\uacinit.dll
c:\windows\system32\UACjtwereatli.dat
c:\windows\system32\UAClirpiqllnm.log
c:\windows\system32\UACmspkvoenml.dll
c:\windows\system32\UACmuybiuruma.dll
c:\windows\system32\UACwswtsfearh.dll
c:\windows\system32\UACxvkyfuxdqp.db
c:\windows\system32\UACyrenxvmdib.dll
c:\windows\system32\WanPacket.dll
c:\windows\system32\wpcap.dll
c:\recycler\S-1-5-21-1343024091-1417001333-839522115-1006 . . . . failed to delete

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_UACd.sys
-------\Legacy_UACd.sys
-------\Legacy_NPF
-------\Legacy_OREANS32
-------\Service_NPF
-------\Service_oreans32
-------\Legacy_uvwisoumfchb
-------\Service_uvwisoumfchb


((((((((((((((((((((((((( Files Created from 2009-07-28 to 2009-08-28 )))))))))))))))))))))))))))))))
.

2009-08-27 15:42 . 2009-08-27 15:42 413696 ----a-w- c:\windows\system32\wrap_oal.dll
2009-08-27 15:42 . 2009-08-27 15:42 110592 ----a-w- c:\windows\system32\OpenAL32.dll
2009-08-27 14:57 . 2009-08-27 14:57 -------- d-----w- c:\program files\Deep Silver
2009-08-27 14:57 . 2009-08-27 14:57 -------- d-----w- c:\program files\AGEIA Technologies
2009-08-27 14:57 . 2009-08-27 14:57 -------- d-----w- c:\windows\system32\AGEIA
2009-08-27 09:11 . 2009-08-27 09:12 3942047 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-08-27 08:58 . 2008-04-13 17:45 26112 -c--a-w- c:\windows\system32\dllcache\usbser.sys
2009-08-27 08:58 . 2008-04-13 17:45 26112 ----a-w- c:\windows\system32\drivers\usbser.sys
2009-08-25 11:20 . 2009-08-25 11:20 -------- d-----w- c:\program files\uTorrent
2009-08-25 10:51 . 2009-08-25 10:51 -------- d-----w- c:\documents and settings\All Users\Application Data\FreeRIP
2009-08-25 10:51 . 2009-08-25 10:51 -------- d-----w- c:\program files\FreeRIP3
2009-08-24 23:53 . 2009-08-24 23:53 -------- d-----w- c:\program files\ESET
2009-08-24 12:00 . 2009-08-24 14:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-08-24 11:35 . 2009-08-24 12:00 -------- d-----w- c:\program files\SpywareBlaster
2009-08-23 23:34 . 2009-08-23 23:34 -------- d-----w- c:\program files\Alex Feinman
2009-08-21 09:34 . 2009-08-21 09:35 -------- d-----w- C:\ea191c84c7fb67c5e95241
2009-08-21 03:15 . 2009-08-21 03:15 -------- d-sh--w- c:\documents and settings\A-The JoeG\IECompatCache
2009-08-20 18:05 . 2009-08-20 18:05 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2009-08-20 14:07 . 2009-08-20 14:08 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-08-20 13:43 . 2009-08-20 13:43 -------- d-----w- c:\program files\TeaTimer (Spybot - Search & Destroy)
2009-08-20 13:43 . 2009-08-20 13:43 -------- d-----w- c:\program files\Misc. Support Library (Spybot - Search & Destroy)
2009-08-20 13:43 . 2009-08-20 13:43 -------- d-----w- c:\program files\SDHelper (Spybot - Search & Destroy)
2009-08-20 13:43 . 2009-08-20 13:43 -------- d-----w- c:\program files\File Scanner Library (Spybot - Search & Destroy)
2009-08-20 11:23 . 2006-12-01 20:54 626688 -c--a-w- c:\documents and settings\All Users\Application Data\{66E2F539-12B6-4870-A500-7689CDE75C5E}\Windows\winsxs\b2rg91xw.1p4\msvcr80.dll
2009-08-20 09:59 . 2009-08-27 21:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-08-19 18:31 . 2009-08-19 18:31 -------- d-----w- c:\documents and settings\All Users\Application Data\SurfRight
2009-08-19 18:30 . 2009-08-19 18:30 11904 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2009-08-18 15:03 . 2009-08-18 15:03 -------- d-----w- c:\program files\CCleaner
2009-08-18 14:33 . 2009-08-18 14:33 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-08-18 14:21 . 2009-08-18 14:21 -------- d-sh--w- c:\documents and settings\A-The JoeG\PrivacIE
2009-08-17 21:24 . 2009-08-17 21:24 -------- d-----w- c:\program files\iPod
2009-08-17 21:19 . 2009-08-17 21:19 75040 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.2.1.6\SetupAdmin.exe
2009-08-10 15:58 . 2009-08-28 10:04 -------- d-----w- C:\QUARANTINE
2009-08-10 15:08 . 2006-12-19 14:06 1495552 ----a-w- c:\windows\system32\epoPGPsdk.dll
2009-08-10 15:08 . 2007-10-16 19:50 72680 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2009-08-10 15:08 . 2007-10-16 19:50 64168 ----a-w- c:\windows\system32\drivers\mfeapfk.sys
2009-08-10 15:08 . 2007-10-16 19:50 51944 ----a-w- c:\windows\system32\drivers\mfetdik.sys
2009-08-10 15:08 . 2007-10-16 19:50 33960 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2009-08-10 15:08 . 2007-10-16 19:50 171272 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2009-08-10 15:07 . 2009-08-10 15:16 -------- d-----w- c:\program files\McAfee
2009-08-10 15:07 . 2009-08-10 15:07 -------- d-----w- c:\program files\Common Files\McAfee
2009-08-07 18:59 . 2009-08-07 18:59 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2009-08-07 18:58 . 2009-08-07 18:58 -------- d-sh--w- c:\documents and settings\A-The JoeG\IETldCache
2009-08-07 18:18 . 2009-08-07 18:18 -------- d-----w- c:\documents and settings\A-The JoeG\Application Data\FMZilla
2009-08-07 15:56 . 2009-08-07 15:57 -------- d-----w- c:\windows\ie8updates
2009-08-07 15:53 . 2009-08-28 03:10 -------- dc-h--w- c:\windows\ie8
2009-08-07 15:48 . 2009-07-03 17:09 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2009-08-07 15:48 . 2009-07-03 17:09 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2009-08-06 08:37 . 2009-08-28 10:17 -------- d-----w- c:\program files\Steam
2009-08-06 07:38 . 2009-08-19 08:03 -------- d-----w- c:\program files\Unlocker
2009-08-01 16:36 . 2009-08-22 00:58 -------- d-----w- c:\program files\PCFriendly
2009-07-30 11:43 . 2009-07-30 11:43 -------- d-----w- c:\program files\MSBuild
2009-07-30 11:41 . 2009-08-21 09:35 -------- d-----w- c:\windows\system32\XPSViewer
2009-07-30 11:41 . 2009-07-30 11:41 -------- d-----w- c:\program files\Reference Assemblies

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-28 00:31 . 2007-04-30 07:14 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-08-27 22:55 . 2009-01-25 16:26 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-27 22:29 . 2009-08-27 22:29 -------- d-----w- c:\program files\Trend Micro
2009-08-27 21:42 . 2009-07-24 15:49 152576 ----a-w- c:\documents and settings\A-The JoeG\Application Data\Sun\Java\jre1.6.0_14\lzma.dll
2009-08-27 21:09 . 2006-10-03 17:19 87672 -c--a-w- c:\documents and settings\A-The JoeG\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-27 17:02 . 2009-07-27 12:31 -------- d-----w- c:\documents and settings\A-The JoeG\Application Data\vlc
2009-08-27 14:56 . 2008-12-16 16:21 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-08-27 08:58 . 2006-06-28 10:11 -------- d-----w- c:\documents and settings\All Users\Application Data\BVRP Software
2009-08-27 08:57 . 2005-10-13 07:42 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-08-27 08:47 . 2006-01-22 20:37 -------- d-----w- c:\program files\Autodesk
2009-08-25 11:36 . 2007-08-21 10:37 -------- d-----w- c:\documents and settings\A-The JoeG\Application Data\uTorrent
2009-08-22 02:34 . 2006-08-13 19:30 11430 ----a-w- c:\documents and settings\A-The JoeG\Application Data\wklnhst.dat
2009-08-20 16:12 . 2006-01-22 20:37 -------- d-----w- c:\program files\Common Files\Autodesk Shared
2009-08-20 11:26 . 2009-08-20 11:24 -------- d-----w- c:\documents and settings\All Users\Application Data\DriverScanner
2009-08-20 11:24 . 2009-08-20 11:23 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{66E2F539-12B6-4870-A500-7689CDE75C5E}
2009-08-20 11:24 . 2009-08-20 11:24 -------- d-----w- c:\program files\Uniblue
2009-08-20 11:24 . 2009-08-20 11:24 -------- d-----w- c:\documents and settings\A-The JoeG\Application Data\Uniblue
2009-08-19 18:30 . 2009-01-24 16:38 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro
2009-08-17 21:24 . 2007-07-26 10:50 -------- d-----w- c:\program files\iTunes
2009-08-17 21:24 . 2007-07-26 10:50 -------- d-----w- c:\program files\Common Files\Apple
2009-08-10 15:08 . 2009-07-24 16:04 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2009-08-05 09:01 . 2004-08-04 12:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-03 12:36 . 2009-01-25 16:26 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-03 12:36 . 2009-01-25 16:26 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-28 10:31 . 2009-03-24 22:51 -------- d-----w- c:\program files\AoA Audio Extractor
2009-07-23 09:59 . 2009-07-23 09:59 -------- d-----w- c:\documents and settings\A-The JoeG\Application Data\LucasArts
2009-07-17 19:01 . 2004-08-04 12:00 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-15 18:41 . 2008-06-06 11:12 -------- d-----w- c:\program files\Messenger Plus! Live
2009-07-13 22:43 . 2004-08-04 12:00 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-03 17:09 . 2004-08-04 12:00 915456 ----a-w- c:\windows\system32\wininet.dll
2009-06-29 20:25 . 2006-10-24 16:32 -------- d-----w- c:\documents and settings\A-The JoeG\Application Data\Apple Computer
2009-06-29 16:12 . 2007-08-13 17:45 78336 ------w- c:\windows\system32\ieencode.dll
2009-06-29 12:45 . 2006-01-12 20:28 724992 -c--a-w- c:\windows\iun6002.exe
2009-06-29 04:19 . 2009-08-20 11:24 2653070 -c--a-w- c:\documents and settings\All Users\Application Data\{66E2F539-12B6-4870-A500-7689CDE75C5E}\DriverScanner_Setup.exe
2009-06-16 14:36 . 2004-08-04 12:00 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-16 14:36 . 2004-08-04 12:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-12 12:31 . 2004-08-04 12:00 80896 ----a-w- c:\windows\system32\tlntsess.exe
2009-06-12 12:31 . 2004-08-04 12:00 76288 ----a-w- c:\windows\system32\telnet.exe
2009-06-10 14:13 . 2004-08-04 12:00 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-06-10 08:19 . 2005-10-13 07:27 2066432 ----a-w- c:\windows\system32\mstscax.dll
2009-06-10 06:14 . 2004-08-04 12:00 132096 ----a-w- c:\windows\system32\wkssvc.dll
2009-06-05 10:42 . 2009-03-20 09:40 2060288 ----a-w- c:\windows\system32\usbaaplrc.dll
2009-06-05 10:42 . 2008-01-28 15:00 39424 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2009-06-03 19:09 . 2004-08-04 12:00 1291264 ----a-w- c:\windows\system32\quartz.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Steam"="c:\program files\steam\steam.exe" [2009-08-26 1217784]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-02-06 3885408]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-16 13529088]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2007-10-16 111952]
"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\UdaterUI.exe" [2006-12-19 136768]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2009-08-03 419088]
"SoundMan"="SOUNDMAN.EXE" - c:\windows\SOUNDMAN.EXE [2004-12-22 77824]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2008-05-16 1630208]

[HKLM\~\startupfolder\C:^Documents and Settings^A-The JoeG^Start Menu^Programs^Startup^Free Music Zilla.lnk]

[HKLM\~\startupfolder\C:^Documents and Settings^A-The JoeG^Start Menu^Programs^Startup^MagicDisc.lnk]

[HKLM\~\startupfolder\C:^Documents and Settings^A-The JoeG^Start Menu^Programs^Startup^Picture Motion Browser Media Check Tool.lnk]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^802.11g Wireless Adatper.lnk]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Service Manager.lnk]
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\uTorrent
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\x3watch

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"mnmsrvc"=3 (0x3)
"InCDsrvR"=2 (0x2)
"InCDsrv"=2 (0x2)
"ImapiService"=3 (0x3)
"gusvc"=3 (0x3)
"CryptSvc"=3 (0x3)
"Creative Service for CDROM Access"=2 (0x2)
"C-DillaCdaC11BA"=2 (0x2)
"WMPNetworkSvc"=3 (0x3)
"WLSetupSvc"=3 (0x3)
"usnjsvc"=3 (0x3)
"ServiceLayer"=3 (0x3)
"ose"=3 (0x3)
"odserv"=3 (0x3)
"NVSvc"=2 (0x2)
"IDriverT"=3 (0x3)
"CVPND"=2 (0x2)
"CiscoVpnInstallService"=2 (0x2)
"CCALib8"=2 (0x2)
"Autodesk Licensing Service"=3 (0x3)
"rpcapd"=2 (0x2)
"UpdateCenterService"=2 (0x2)
"SQLSERVERAGENT"=3 (0x3)
"MSSQLServerADHelper"=3 (0x3)
"MSSQLSERVER"=3 (0x3)
"BITS"=3 (0x3)
"aspnet_state"=3 (0x3)
"AppMgmt"=3 (0x3)
"JavaQuickStarterService"=2 (0x2)
"iPod Service"=3 (0x3)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Starcraft\\StarCraft.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Steam\\SteamApps\\masterous_gallagher\\team fortress 2\\hl2.exe"=
"c:\\Program Files\\Veoh Networks\\VeohWebPlayer\\veohwebplayer.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\guild wars\\Gw.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\MSN\\MSNCoreFiles\\msn6.exe"=
"c:\\Program Files\\Deep Silver\\Sacred 2 - Fallen Angel\\system\\sacred2.exe"=
"c:\\Program Files\\Deep Silver\\Sacred 2 - Fallen Angel\\system\\s2gs.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"18763:TCP"= 18763:TCP:*:Disabled:BitComet 18763 TCP
"18763:UDP"= 18763:UDP:*:Disabled:BitComet 18763 UDP
"6112:TCP"= 6112:TCP:*:Disabled:Blizzard Downloader 2

R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [1/25/2009 5:26 PM 232720]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [1/25/2009 5:26 PM 19096]
S1 bkc7305;bkc7305;c:\windows\system32\drivers\bkc7305.sys --> c:\windows\system32\drivers\bkc7305.sys [?]
S1 bmi071b;bmi071b;c:\windows\system32\drivers\bmi071b.sys --> c:\windows\system32\drivers\bmi071b.sys [?]
S1 bmifd6e;bmifd6e;c:\windows\system32\drivers\bmifd6e.sys --> c:\windows\system32\drivers\bmifd6e.sys [?]
S1 brn837b;brn837b;c:\windows\system32\drivers\brn837b.sys --> c:\windows\system32\drivers\brn837b.sys [?]
S1 cmj9dd5;cmj9dd5;c:\windows\system32\drivers\cmj9dd5.sys --> c:\windows\system32\drivers\cmj9dd5.sys [?]
S1 csj18d8;csj18d8;c:\windows\system32\drivers\csj18d8.sys --> c:\windows\system32\drivers\csj18d8.sys [?]
S1 ctredr15.sys;ctredr15.sys;\??\c:\windows\system32\drivers\ctredr15.sys --> c:\windows\system32\drivers\ctredr15.sys [?]
S1 daq5642;daq5642;c:\windows\system32\drivers\daq5642.sys --> c:\windows\system32\drivers\daq5642.sys [?]
S1 dole3f4;dole3f4;c:\windows\system32\drivers\dole3f4.sys --> c:\windows\system32\drivers\dole3f4.sys [?]
S1 hdoc63e;hdoc63e;c:\windows\system32\drivers\hdoc63e.sys --> c:\windows\system32\drivers\hdoc63e.sys [?]
S1 hggaaf3;hggaaf3;c:\windows\system32\drivers\hggaaf3.sys --> c:\windows\system32\drivers\hggaaf3.sys [?]
S1 ieae3c7;ieae3c7;c:\windows\system32\drivers\ieae3c7.sys --> c:\windows\system32\drivers\ieae3c7.sys [?]
S1 jfq1f2a;jfq1f2a;c:\windows\system32\drivers\jfq1f2a.sys --> c:\windows\system32\drivers\jfq1f2a.sys [?]
S1 jri28b3;jri28b3;c:\windows\system32\drivers\jri28b3.sys --> c:\windows\system32\drivers\jri28b3.sys [?]
S1 jrn6ee6;jrn6ee6;c:\windows\system32\drivers\jrn6ee6.sys --> c:\windows\system32\drivers\jrn6ee6.sys [?]
S1 kgcd8ac;kgcd8ac;c:\windows\system32\drivers\kgcd8ac.sys --> c:\windows\system32\drivers\kgcd8ac.sys [?]
S1 kgr1480;kgr1480;c:\windows\system32\drivers\kgr1480.sys --> c:\windows\system32\drivers\kgr1480.sys [?]
S1 lbra0c1;lbra0c1;c:\windows\system32\drivers\lbra0c1.sys --> c:\windows\system32\drivers\lbra0c1.sys [?]
S1 lhda88d;lhda88d;c:\windows\system32\drivers\lhda88d.sys --> c:\windows\system32\drivers\lhda88d.sys [?]
S1 mokc8b3;mokc8b3;c:\windows\system32\drivers\mokc8b3.sys --> c:\windows\system32\drivers\mokc8b3.sys [?]
S1 nea0fe7;nea0fe7;c:\windows\system32\drivers\nea0fe7.sys --> c:\windows\system32\drivers\nea0fe7.sys [?]
S1 nea7285;nea7285;c:\windows\system32\drivers\nea7285.sys --> c:\windows\system32\drivers\nea7285.sys [?]
S1 njf5d53;njf5d53;c:\windows\system32\drivers\njf5d53.sys --> c:\windows\system32\drivers\njf5d53.sys [?]
S1 nnm8abe;nnm8abe;c:\windows\system32\drivers\nnm8abe.sys --> c:\windows\system32\drivers\nnm8abe.sys [?]
S1 ofba629;ofba629;c:\windows\system32\drivers\ofba629.sys --> c:\windows\system32\drivers\ofba629.sys [?]
S1 psoa7ef;psoa7ef;c:\windows\system32\drivers\psoa7ef.sys --> c:\windows\system32\drivers\psoa7ef.sys [?]
S1 qhd031e;qhd031e;c:\windows\system32\drivers\qhd031e.sys --> c:\windows\system32\drivers\qhd031e.sys [?]
S1 qmd0951;qmd0951;c:\windows\system32\drivers\qmd0951.sys --> c:\windows\system32\drivers\qmd0951.sys [?]
S1 rnjab4f;rnjab4f;c:\windows\system32\drivers\rnjab4f.sys --> c:\windows\system32\drivers\rnjab4f.sys [?]
S2 gohn;gohn;c:\windows\system32\drivers\pgxogted.sys --> c:\windows\system32\drivers\pgxogted.sys [?]
S2 vgxe;vgxe;c:\windows\system32\drivers\kcpccbh.sys --> c:\windows\system32\drivers\kcpccbh.sys [?]
S3 ASPI;Advanced SCSI Programming Interface Driver;c:\windows\system32\drivers\ASPI32.SYS [6/9/2008 8:40 PM 16512]
S3 hitmanpro3;Hitman Pro 3 Support Driver;\??\c:\windows\system32\drivers\hitmanpro3.sys --> c:\windows\system32\drivers\hitmanpro3.sys [?]
S3 JL2005;JL2005A Camera;c:\windows\system32\Drivers\toywdm.sys --> c:\windows\system32\Drivers\toywdm.sys [?]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\DRIVERS\motccgp.sys --> c:\windows\system32\DRIVERS\motccgp.sys [?]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [1/5/2008 3:11 AM 7680]
S3 pfsvgae;pfsvgae;\??\c:\docume~1\A-THEJ~1\LOCALS~1\Temp\pfsvgae.sys --> c:\docume~1\A-THEJ~1\LOCALS~1\Temp\pfsvgae.sys [?]
S3 wlanndi5;wlanndi5 NDIS Protocol Driver;c:\windows\system32\wlanndi5.sys [4/21/2004 5:51 PM 16384]
S3 WN6201;Wireless Network Adapter Service;c:\windows\system32\drivers\WN6201.sys [8/17/2008 9:59 PM 457472]
S4 CiscoVpnInstallService;Cisco Systems, Inc. Installer service;d:\instal~6.exe --> d:\INSTAL~6.EXE [?]
.
Contents of the 'Scheduled Tasks' folder

2009-08-24 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 12:34]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
FF - ProfilePath - c:\documents and settings\A-The JoeG\Application Data\Mozilla\Firefox\Profiles\boymctrj.default\
FF - prefs.js: browser.startup.homepage - hxxp://questionablecontent.net/
FF - plugin: c:\documents and settings\All Users\Application Data\id Software\QuakeLive\npquakezero.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npqtplugin8.dll
FF - plugin: c:\program files\QuickTime\Plugins\npqtplugin8.dll
FF - plugin: c:\program files\Veoh Networks\VeohWebPlayer\NPVeohTVPlugin.dll
FF - plugin: c:\program files\Veoh Networks\VeohWebPlayer\npWebPlayerVideoPluginATL.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-28 11:17
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet009\Services\ovfsthhddcxxnaylkaiddioyxvpsnlglyudxmb]
"imagepath"="\systemroot\system32\drivers\ovfsthgrmmevthitaiehtyxewixhnlljjfjwgc.sys"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\ahead\InCD]
@DACL=(02 0000)

[HKEY_USERS\S-1-5-21-1343024091-1417001333-839522115-1008\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:29,14,26,cc,37,34,3e,f7,bf,d2,44,02,29,f0,24,f8,77,d3,6c,60,6e,04,3a,
b1,ec,4d,38,5f,68,7e,c6,40,53,7e,2a,d2,65,38,2c,39,c6,64,9c,16,df,b6,48,c0,\
"??"=hex:35,fc,c6,3d,c9,02,ad,db,37,1f,61,de,0f,33,8f,50

[HKEY_USERS\S-1-5-21-1343024091-1417001333-839522115-1008\Software\SecuROM\License information*]
"datasecu"=hex:8d,1b,9b,fd,9c,13,dc,c3,44,43,6a,6c,fe,37,b3,1b,fa,ae,c3,86,ae,
92,a8,38,23,0a,4d,db,38,1b,17,e1,da,e9,e5,b7,36,39,f6,a3,c5,fd,28,1b,1b,73,\
"rkeysecu"=hex:7e,21,67,f8,4e,a1,59,0a,9a,74,f5,31,74,38,f7,86

[HKEY_LOCAL_MACHINE\software\CDDB\Control]
@DACL=(02 0000)

[HKEY_LOCAL_MACHINE\software\Classes\A3dApi\CLSID]
@Class="REG_SZ"
@DACL=(02 0000)
@="{92FA2C24-253C-11d2-90FB-006008A1F441}"

[HKEY_LOCAL_MACHINE\software\Classes\A3dDAL\CLSID]
@Class="REG_SZ"
@DACL=(02 0000)
@="{442D12A1-2641-11d2-90FB-006008A1F441}"

[HKEY_LOCAL_MACHINE\software\Classes\Applications\CTCMS.exe\shell]
@DACL=(02 0000)

[HKEY_LOCAL_MACHINE\software\Classes\Applications\GENBOX.EXE\shell]
@DACL=(02 0000)

[HKEY_LOCAL_MACHINE\software\Classes\Applications\googleearth.exe\shell]
@DACL=(02 0000)

[HKEY_LOCAL_MACHINE\software\Classes\Applications\MaxPayne.exe\shell]
@DACL=(02 0000)
@=""

[HKEY_LOCAL_MACHINE\software\Classes\Applications\MSACCESS.EXE\shell]
@DACL=(02 0000)
@="Open"

[HKEY_LOCAL_MACHINE\software\Classes\Applications\MsgPlus.exe\shell]
@DACL=(02 0000)

[HKEY_LOCAL_MACHINE\software\Classes\Applications\prowin32.exe\shell]
@DACL=(02 0000)
@="Open_in_the_Procedure_Editor"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{05190D52-1B3F-42d4-A38A-3F953B263BEF}\InprocServer32]
@DACL=(02 0000)

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{05190D52-1B3F-42d4-A38A-3F953B263BEF}\ProgID]
@DACL=(02 0000)
@="ZbTaskCIGAlbum.TCIG_AlbumTask.1"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{05190D52-1B3F-42d4-A38A-3F953B263BEF}\TypeLib]
@DACL=(02 0000)
@="{4C5EC02F-68D3-450d-BD5F-50087ED0E63F}"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{05190D52-1B3F-42d4-A38A-3F953B263BEF}\VersionIndependentProgID]
@DACL=(02 0000)
@="ZbTaskCIGAlbum.TCIG_AlbumTask"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{0c097121-c5d6-47eb-841d-30bff71a71c4}\Control]
@DACL=(02 0000)

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{0c097121-c5d6-47eb-841d-30bff71a71c4}\Insertable]
@DACL=(02 0000)

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{0c097121-c5d6-47eb-841d-30bff71a71c4}\MiscStatus]
@DACL=(02 0000)
@="0"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{0c097121-c5d6-47eb-841d-30bff71a71c4}\ProgID]
@DACL=(02 0000)
@="WT.WTMultiplayer.1"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{0c097121-c5d6-47eb-841d-30bff71a71c4}\Programmable]
@DACL=(02 0000)

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{0c097121-c5d6-47eb-841d-30bff71a71c4}\TypeLib]
@DACL=(02 0000)
@="{b162d478-ef46-4475-b1fe-216bdedb7fad}"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{0c097121-c5d6-47eb-841d-30bff71a71c4}\VersionIndependentProgID]
@DACL=(02 0000)
@="WT.WTMultiplayer"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{1025A2B4-2E3B-4fb9-9E82-D0770BFA44D7}\InprocServer32]
@DACL=(02 0000)

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{1025A2B4-2E3B-4fb9-9E82-D0770BFA44D7}\ProgID]
@DACL=(02 0000)
@="ZbTaskCIGRegist.TCIG_RegistTask.1"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{1025A2B4-2E3B-4fb9-9E82-D0770BFA44D7}\TypeLib]
@DACL=(02 0000)
@="{48DA20D5-6AF9-4899-96CD-B14EDC428406}"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{1025A2B4-2E3B-4fb9-9E82-D0770BFA44D7}\VersionIndependentProgID]
@DACL=(02 0000)
@="ZbTaskCIGRegist.TCIG_RegistTask"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{13E48F16-C974-45BE-816E-2D7E2DAE668E}\InprocServer32]
@DACL=(02 0000)

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{13E48F16-C974-45BE-816E-2D7E2DAE668E}\ProgID]
@DACL=(02 0000)
@="ZbTaskMovieExportDES.TME_MovieExport.1"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{13E48F16-C974-45BE-816E-2D7E2DAE668E}\TypeLib]
@DACL=(02 0000)
@="{AB37A450-A651-467A-98D4-6383FB5D2C3A}"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{13E48F16-C974-45BE-816E-2D7E2DAE668E}\VersionIndependentProgID]
@DACL=(02 0000)
@="ZbTaskMovieExportDES.TME_MovieExport"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{1440AD10-6AA8-11D1-B6F9-00A024DDAFD1}\InprocServer32]
@DACL=(02 0000)

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{1440AD10-6AA8-11D1-B6F9-00A024DDAFD1}\NotInsertable]
@DACL=(02 0000)

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{1FDCE279-48F6-451F-83A6-F67874552B94}\InprocServer32]
@DACL=(02 0000)

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{1FDCE279-48F6-451F-83A6-F67874552B94}\ProgID]
@DACL=(02 0000)
@="ZbTaskMovieDesk.TMD_MovieDeskTask.1"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{1FDCE279-48F6-451F-83A6-F67874552B94}\TypeLib]
@DACL=(02 0000)
@="{44007D26-9B94-4E42-848A-CE75CD473131}"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{1FDCE279-48F6-451F-83A6-F67874552B94}\VersionIndependentProgID]
@DACL=(02 0000)
@="ZbTaskMovieDesk.TMD_MovieDeskTask"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{21B77562-87FE-4061-9C51-C6ECB9B9AB10}\InprocServer32]
@DACL=(02 0000)

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{21B77562-87FE-4061-9C51-C6ECB9B9AB10}\ProgID]
@DACL=(02 0000)
@="ZbTaskCIGTopPage.TCIG_TopPageTask.1"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{21B77562-87FE-4061-9C51-C6ECB9B9AB10}\TypeLib]
@DACL=(02 0000)
@="{38CAD846-C6B1-4c42-9DD5-62041A83AD32}"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{21B77562-87FE-4061-9C51-C6ECB9B9AB10}\VersionIndependentProgID]
@DACL=(02 0000)
@="ZbTaskCIGTopPage.TCIG_TopPageTask"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{2871FC9B-5E34-4AAE-9E9C-EBD1652D5C92}\InprocServer32]
@DACL=(02 0000)

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{2B26AEBA-25CB-419C-87FB-8880A77964F4}\ProgID]
@DACL=(02 0000)
@="EpsonToolBand.EpsonToolBandComm.1"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{2B26AEBA-25CB-419C-87FB-8880A77964F4}\Programmable]
@DACL=(02 0000)

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{2B26AEBA-25CB-419C-87FB-8880A77964F4}\TypeLib]
@DACL=(02 0000)
@="{3937476C-846F-459C-BD47-75EC6B0834E4}"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{2B26AEBA-25CB-419C-87FB-8880A77964F4}\VersionIndependentProgID]
@DACL=(02 0000)
@="EpsonToolBand.EpsonToolBandComm"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{59A0A86A-D4C4-4C97-87D0-7CF0C18A8185}\InprocServer32]
@DACL=(02 0000)

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{59A0A86A-D4C4-4C97-87D0-7CF0C18A8185}\ProgID]
@DACL=(02 0000)
@="ZbTask_MovieToStill.TMD_MovieToStill.1"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{59A0A86A-D4C4-4C97-87D0-7CF0C18A8185}\TypeLib]
@DACL=(02 0000)
@="{07DFBCF0-D2A9-44EC-96C6-04926FD05B27}"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{59A0A86A-D4C4-4C97-87D0-7CF0C18A8185}\VersionIndependentProgID]
@DACL=(02 0000)
@="ZbTask_MovieToStill.TMD_MovieToStill"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7BF9A4A1-5B15-4d37-90D7-D0B9CE7F964A}\InprocServer32]
@DACL=(02 0000)

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7BF9A4A1-5B15-4d37-90D7-D0B9CE7F964A}\ProgID]
@DACL=(02 0000)
@="Zb.ZbCmdRegisterForCIG.1"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7BF9A4A1-5B15-4d37-90D7-D0B9CE7F964A}\TypeLib]
@DACL=(02 0000)
@="{A8DB5CA8-6548-485b-883F-9514688D86BC}"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7BF9A4A1-5B15-4d37-90D7-D0B9CE7F964A}\VersionIndependentProgID]
@DACL=(02 0000)
@="Zb.ZbCmdRegisterForCIG"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7E64E394-F52F-41d3-AD3E-E0C37C5476F6}\InprocServer32]
@DACL=(02 0000)

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7E64E394-F52F-41d3-AD3E-E0C37C5476F6}\ProgID]
@DACL=(02 0000)
@="ZbTaskCIGUpload.TCIG_UploadTask.1"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7E64E394-F52F-41d3-AD3E-E0C37C5476F6}\TypeLib]
@DACL=(02 0000)
@="{AA25A16A-3660-4e12-96F0-A614AF47F42B}"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7E64E394-F52F-41d3-AD3E-E0C37C5476F6}\VersionIndependentProgID]
@DACL=(02 0000)
@="ZbTaskCIGUpload.TCIG_UploadTask"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7F23E6E5-0E79-4aee-B723-B1463805D5A9}\ProgID]
@DACL=(02 0000)
@="WTVis.WTVisReceiver.1"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7F23E6E5-0E79-4aee-B723-B1463805D5A9}\TypeLib]
@DACL=(02 0000)
@="{93795291-63D3-489c-B30E-5564CF578ABC}"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7F23E6E5-0E79-4aee-B723-B1463805D5A9}\VersionIndependentProgID]
@DACL=(02 0000)
@="WTVis.WTVisReceiver"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A057A204-BACC-4D26-9990-79A187E2698F}\ProgID]
@DACL=(02 0000)
@="avgtoolbar.AVGTOOLBARToggle Button"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A057A204-BACC-4D26-9990-79A187E26990}\ProgID]
@DACL=(02 0000)
@="avgtoolbar.AVGTOOLBARMenu Button"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A}\Control]
@DACL=(02 0000)

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A}\MiscStatus]
@DACL=(02 0000)
@="0"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A}\ProgID]
@DACL=(02 0000)
@="WDMHHost.WTHoster.1"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A}\Programmable]
@DACL=(02 0000)

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A}\TypeLib]
@DACL=(02 0000)
@="{B7E20302-C22C-4AF2-9D75-C3EB6EEE9DD8}"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A}\Version]
@DACL=(02 0000)
@="1.0"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A}\VersionIndependentProgID]
@DACL=(02 0000)
@="WDMHHost.WTHoster"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{B45A4A81-86DA-11D1-B706-00A024DDAFD1}\InprocServer32]
@DACL=(02 0000)

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{B45A4A81-86DA-11D1-B706-00A024DDAFD1}\NotInsertable]
@DACL=(02 0000)

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{B45A4A81-86DA-11D1-B706-00A024DDAFD1}\ProgID]
@DACL=(02 0000)
@="WW.TiberianSun.1"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{B45A4A81-86DA-11D1-B706-00A024DDAFD1}\Typelib]
@DACL=(02 0000)
@="{B45A4A80-86DA-11D1-B706-00A024DDAFD1}"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{B45A4A81-86DA-11D1-B706-00A024DDAFD1}\VersionIndependentProgID]
@DACL=(02 0000)
@="WW.TiberianSun"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{B9BA256A-075B-49ea-B9E2-7DBC2EF021D5}\ProgID]
@DACL=(02 0000)
@="WTVis.WTVisSender.1"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{B9BA256A-075B-49ea-B9E2-7DBC2EF021D5}\TypeLib]
@DACL=(02 0000)
@="{B89CF276-BABD-4c52-8303-A44A335C6F84}"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{B9BA256A-075B-49ea-B9E2-7DBC2EF021D5}\VersionIndependentProgID]
@DACL=(02 0000)
@="WTVis.WTVisSender"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{E1A4B65B-2D62-4436-9098-A85DF4D8C24A}\InprocServer32]
@DACL=(02 0000)

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{E1A4B65B-2D62-4436-9098-A85DF4D8C24A}\ProgID]
@DACL=(02 0000)
@="ZbTaskCIGMyCamera.TCIG_DownloadTask.1"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{E1A4B65B-2D62-4436-9098-A85DF4D8C24A}\TypeLib]
@DACL=(02 0000)
@="{EACBC084-B41D-4782-8F4E-25D6A295AD30}"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{E1A4B65B-2D62-4436-9098-A85DF4D8C24A}\VersionIndependentProgID]
@DACL=(02 0000)
@="ZbTaskCIGMyCamera.TCIG_DownloadTask"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{EE5D279F-081B-4404-994D-C6B60AAEBA6D}\ProgID]
@DACL=(02 0000)
@="EpsonToolBand.ToolBandObj.1"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{EE5D279F-081B-4404-994D-C6B60AAEBA6D}\Programmable]
@DACL=(02 0000)

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{EE5D279F-081B-4404-994D-C6B60AAEBA6D}\TypeLib]
@DACL=(02 0000)
@="{3937476C-846F-459C-BD47-75EC6B0834E4}"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{EE5D279F-081B-4404-994D-C6B60AAEBA6D}\VersionIndependentProgID]
@DACL=(02 0000)
@="EpsonToolBand.ToolBandObj"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{F9E7587D-871C-4944-9CEE-FDF6F70AAB60}\InprocServer32]
@DACL=(02 0000)

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{F9E7587D-871C-4944-9CEE-FDF6F70AAB60}\ProgID]
@DACL=(02 0000)

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{FA13A9FA-CA9B-11D2-9780-00104B242EA3}\Control]
@DACL=(02 0000)

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{FA13A9FA-CA9B-11D2-9780-00104B242EA3}\Insertable]
@DACL=(02 0000)

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{FA13A9FA-CA9B-11D2-9780-00104B242EA3}\MiscStatus]
@DACL=(02 0000)
@="0"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{FA13A9FA-CA9B-11D2-9780-00104B242EA3}\ProgID]
@DACL=(02 0000)
@="WT3D.WT.1"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{FA13A9FA-CA9B-11D2-9780-00104B242EA3}\Programmable]
@DACL=(02 0000)

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{FA13A9FA-CA9B-11D2-9780-00104B242EA3}\TypeLib]
@DACL=(02 0000)
@="{FA13AA2E-CA9B-11D2-9780-00104B242EA3}"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{FA13A9FA-CA9B-11D2-9780-00104B242EA3}\Version]
@DACL=(02 0000)
@="1.0"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{FA13A9FA-CA9B-11D2-9780-00104B242EA3}\VersionIndependentProgID]
@DACL=(02 0000)
@="WT3D.WT"

[HKEY_LOCAL_MACHINE\software\Classes\EpsonToolBand.EpsonToolBandKicker\CLSID]
@DACL=(02 0000)
@="{E99421FB-68DD-40F0-B4AC-B7027CAE2F1A}"

[HKEY_LOCAL_MACHINE\software\Classes\EpsonToolBand.EpsonToolBandKicker\CurVer]
@DACL=(02 0000)
@="EpsonToolBand.EpsonToolBandKicker.1"

[HKEY_LOCAL_MACHINE\software\Classes\EpsonToolBand.EpsonToolBandKicker.1\CLSID]
@DACL=(02 0000)
@="{E99421FB-68DD-40F0-B4AC-B7027CAE2F1A}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{519794FA-B932-410A-8322-1445B958C1B1}\ProxyStubClsid]
@DACL=(02 0000)
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{519794FA-B932-410A-8322-1445B958C1B1}\ProxyStubClsid32]
@DACL=(02 0000)
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{519794FA-B932-410A-8322-1445B958C1B1}\TypeLib]
@DACL=(02 0000)
@="{4A165BD0-165F-474F-AF66-40CD5AC4613E}"
"Version"="1.0"

[HKEY_LOCAL_MACHINE\software\Classes\LinkScannerIE.NavFilter\CLSID]
@DACL=(02 0000)
@="{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}"

[HKEY_LOCAL_MACHINE\software\Classes\LinkScannerIE.NavFilter\CurVer]
@DACL=(02 0000)
@="LinkScannerIE.NavFilter.1"

[HKEY_LOCAL_MACHINE\software\Classes\LinkScannerIE.NavFilter.1\CLSID]
@DACL=(02 0000)
@="{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}"

[HKEY_LOCAL_MACHINE\software\Classes\TypeLib\{3937476C-846F-459C-BD47-75EC6B0834E4}\1.0]
@DACL=(02 0000)
@="EpsonToolBand 1.0 Type Library"

[HKEY_LOCAL_MACHINE\software\Classes\TypeLib\{5DAB1D4C-D020-41CD-936F-D63FF662E9F7}\1.0]
@DACL=(02 0000)
@="IESiteBlocker 1.0 Type Library"

[HKEY_LOCAL_MACHINE\software\Classes\TypeLib\{B162D478-EF46-4475-B1FE-216BDEDB7FAD}\1.0]
@DACL=(02 0000)
@="WildTangent Multiplayer 2.0 Type Library"

[HKEY_LOCAL_MACHINE\software\Classes\TypeLib\{B7E20302-C22C-4AF2-9D75-C3EB6EEE9DD8}\1.0]
@DACL=(02 0000)
@="WDMHHost 1.0 Type Library"

[HKEY_LOCAL_MACHINE\software\Classes\TypeLib\{FA13AA2E-CA9B-11D2-9780-00104B242EA3}\1.0]
@DACL=(02 0000)
@="WebDriver 1.0 Type Library"

[HKEY_LOCAL_MACHINE\software\EPSON\EPSON Web-To-Page\1.0.0.0]
@DACL=(02 0000)

[HKEY_LOCAL_MACHINE\software\Microsoft\Java VM\RNIModuleFlags]
@DACL=(02 0000)
"mtxjava.dll"=hex:01,00,00,00
"jdbcdemo.dll"=hex:01,00,00,00

[HKEY_LOCAL_MACHINE\software\Microsoft\Java VM\Security]
@DACL=(02 0000)
"EditCustomPermissions"=hex:00,00,00,00

[HKEY_LOCAL_MACHINE\software\Microsoft\Java VM\System Properties]
@DACL=(02 0000)
"com.ms.applet.enable.serversockets"="false"

[HKEY_LOCAL_MACHINE\software\WildTangent\ActiveLauncher]
@DACL=(02 0000)

[HKEY_LOCAL_MACHINE\software\WildTangent\CDA\ControlPanel]
@DACL=(02 0000)
@=""

[HKEY_LOCAL_MACHINE\software\WildTangent\CDA\Dependents]
@DACL=(02 0000)
"CDA 5.1"="Persistent CDA 5.1"

[HKEY_LOCAL_MACHINE\software\WildTangent\CDA\GameData]
@DACL=(02 0000)
"MaxFileSize"=dword:00a00000
"MinDiskSpace"=dword:00019000

[HKEY_LOCAL_MACHINE\software\WildTangent\ComponentRepository]
@DACL=(02 0000)

[HKEY_LOCAL_MACHINE\software\WildTangent\DDC]
@DACL=(02 0000)

[HKEY_LOCAL_MACHINE\software\WildTangent\Eula]
@DACL=(02 0000)

[HKEY_LOCAL_MACHINE\software\WildTangent\GameChannel]
@DACL=(02 0000)

[HKEY_LOCAL_MACHINE\software\WildTangent\WebDriverPackages]
@DACL=(02 0000)

[HKEY_LOCAL_MACHINE\System\ControlSet009\Services\ovfsthhddcxxnaylkaiddioyxvpsnlglyudxmb]
@DACL=(02 0000)
"start"=dword:00000001
"type"=dword:00000001
"group"="file system"
"imagepath"=expand:"\\systemroot\\system32\\drivers\\ovfsthgrmmevthitaiehtyxewixhnlljjfjwgc.sys"
"inst"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3804)
c:\windows\system32\WININET.dll
c:\program files\iTunes\iTunesMiniPlayer.dll
c:\program files\iTunes\iTunesMiniPlayer.Resources\en.lproj\iTunesMiniPlayerLocalized.dll
c:\program files\iTunes\iTunesMiniPlayer.Resources\iTunesMiniPlayer.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\McAfee\Common Framework\FrameworkService.exe
c:\program files\McAfee\VirusScan Enterprise\vstskmgr.exe
c:\program files\McAfee\Common Framework\naPrdMgr.exe
c:\program files\NVIDIA Corporation\nTune\nTuneService.exe
c:\program files\McAfee\Common Framework\Mctray.exe
c:\program files\McAfee\VirusScan Enterprise\mcshield.exe
.
**************************************************************************
.
Completion time: 2009-08-28 11:25 - machine was rebooted
ComboFix-quarantined-files.txt 2009-08-28 10:24

Pre-Run: 92,334,452,736 bytes free
Post-Run: 93,005,864,960 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect /usepmtimer

Current=9 Default=9 Failed=8 LastKnownGood=10 Sets=1,2,3,4,5,6,7,8,9,10
734 --- E O F --- 2009-08-26 23:45



Edit: Also, a quick Mbam scan now has brought up nothing (:

Edited by joethegiraffe, 28 August 2009 - 06:20 AM.


#4 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,635 posts
  • Gender:Male
  • Location:Puerto Rico
  • Local time:07:31 AM

Posted 28 August 2009 - 10:47 AM

Hi, joe :thumbup2:

The only other thing i didn't entirely understand was that after ComboFix had finished i got a Windows File Protection error saying that some files had been replaced with unrecognised ones and i needed the SP3 disk to replace the originals. I skipped past this, is this something that ComboFix does?


Let's continue with the cleaning. As far as I see, Combofix did not remove a system file.

Open a command prompt. (Start->Run, type CMD and click OK)

At the prompt copy and paste the following and press Enter:

SWREG ACL "HKLM\System\ControlSet009\Services\ovfsthhddcxxnaylkaiddioyxvpsnlglyudxmb" /RE-SET /Q
  • Copy the entire contents of the Quote Box below to Notepad.
  • Name the file as CFScript.txt
  • Change the Save as Type to All Files
  • and Save it on the desktop

File::
c:\docume~1\A-THEJ~1\LOCALS~1\Temp\pfsvgae.sys
c:\windows\system32\drivers\bkc7305.sys
c:\windows\system32\drivers\bmi071b.sys
c:\windows\system32\drivers\bmifd6e.sys
c:\windows\system32\drivers\brn837b.sys
c:\windows\system32\drivers\cmj9dd5.sys
c:\windows\system32\drivers\csj18d8.sys
c:\windows\system32\drivers\ctredr15.sys
c:\windows\system32\drivers\daq5642.sys
c:\windows\system32\drivers\dole3f4.sys
c:\windows\system32\drivers\hdoc63e.sys
c:\windows\system32\drivers\hggaaf3.sys
c:\windows\system32\drivers\ieae3c7.sys
c:\windows\system32\drivers\jfq1f2a.sys
c:\windows\system32\drivers\jri28b3.sys
c:\windows\system32\drivers\jrn6ee6.sys
c:\windows\system32\drivers\kgcd8ac.sys
c:\windows\system32\drivers\kgr1480.sys
c:\windows\system32\drivers\lbra0c1.sys
c:\windows\system32\drivers\lhda88d.sys
c:\windows\system32\drivers\mokc8b3.sys
c:\windows\system32\drivers\nea0fe7.sys
c:\windows\system32\drivers\nea7285.sys
c:\windows\system32\drivers\njf5d53.sys
c:\windows\system32\drivers\nnm8abe.sys
c:\windows\system32\drivers\ofba629.sys
c:\windows\system32\drivers\psoa7ef.sys
c:\windows\system32\drivers\qhd031e.sys
c:\windows\system32\drivers\qmd0951.sys
c:\windows\system32\drivers\rnjab4f.sys
c:\windows\system32\drivers\pgxogted.sys
c:\windows\system32\drivers\kcpccbh.sys
c:\windows\system32\drivers\ovfsthgrmmevthitaiehtyxewixhnlljjfjwgc.sys

Driver::
ovfsthhddcxxnaylkaiddioyxvpsnlglyudxmb
pfsvgae
bkc7305
bmi071b
bmifd6e
brn837b
cmj9dd5
csj18d8
ctredr15.sys
daq5642
dole3f4
hdoc63e
hggaaf3
ieae3c7
jfq1f2a
jri28b3
jrn6ee6
kgcd8ac
kgr1480
lbra0c1
lhda88d
mokc8b3
nea0fe7
nea7285
njf5d53
nnm8abe
ofba629
psoa7ef
qhd031e
qmd0951
rnjab4f
gohnvgxe

Posted Image

Once saved, referring to the picture above, drag CFScript.txt into ComboFix.exe, and post back the resulting report.

Please do an online scan with Kaspersky WebScanner

Kaspersky online scanner uses JAVA technology to perform the scan. If you do not have the latest JAVA version, follow the instructions below under Upgrading Java, to download and install the latest version.
  • Read through the requirements and privacy statement and click on Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure the following is checked.
    • Spyware, Adware, Dialers, and other potentially dangerous programs
      Archives
      Mail databases
  • Click on My Computer under Scan.
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  • Please post this log in your next reply.
Attention! Kaspersky Online Scanner 7.0 may fail to start if another anti-virus program is already installed and running on your computer. Please deactivate the anti-virus software installed on your computer prior to starting Kaspersky Online Scanner 7.0.

Upgrading Java:
  • Download the latest version of Java SE Runtime Environment (JRE)JRE 6 Update 15.
  • Click the "Download" button to the right.
  • Select your Platform and check the box that says: "I agree to the Java SE Runtime Environment 6 License Agreement.".
  • Click on Continue.
  • Click on the link to download Windows Offline Installation (jre-6u15-windows-i586.exe) and save it to your desktop. Do NOT use the Sun Download Manager.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on the download to install the newest version. (Vista users, right click on the jre-6u15-windows-i586.exe and select "Run as an Administrator.")

Edited by JSntgRvr, 28 August 2009 - 10:53 AM.

No request for help through private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!
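Before a removal script like the CFScript above is dragged onto ComboFix, it is worth checking that its Driver:: and File:: sections agree, so that no service is left without its image and no unrelated service is removed. The following Python is an added example, not code from the thread or from ComboFix; it assumes the section layout shown in the post (a header ending in "::" followed by one entry per line), uses a constructed subset of the script's entries as input, and takes the one service-name-to-ImagePath mapping from the Services key in the ComboFix log above.

```python
"""Consistency check for a ComboFix-style CFScript (added example, not ComboFix's own code).

A CFScript is plain text made of sections whose headers end in "::". Under
File:: each line is a file path; under Driver:: each line is a service name.
Service names and image file names usually coincide for these random-named
drivers, but not always (see the ovfsth* pair below), so a mapping of service
name -> ImagePath taken from the registry/log can be supplied to resolve them.
"""
import ntpath
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: a subset of the File::/Driver:: entries from the post,
# one entry per line (the forum rendering had flattened them onto one line).
SAMPLE_CFSCRIPT = r"""
File::
c:\docume~1\A-THEJ~1\LOCALS~1\Temp\pfsvgae.sys
c:\windows\system32\drivers\bkc7305.sys
c:\windows\system32\drivers\ctredr15.sys
c:\windows\system32\drivers\pgxogted.sys
c:\windows\system32\drivers\kcpccbh.sys
c:\windows\system32\drivers\ovfsthgrmmevthitaiehtyxewixhnlljjfjwgc.sys
Driver::
ovfsthhddcxxnaylkaiddioyxvpsnlglyudxmb
pfsvgae
bkc7305
ctredr15.sys
gohnvgxe
"""

# Service name -> ImagePath, as recorded under
# HKLM\System\ControlSet009\Services\ovfsth... in the ComboFix log above.
SAMPLE_SERVICE_IMAGES = {
    "ovfsthhddcxxnaylkaiddioyxvpsnlglyudxmb":
        r"\systemroot\system32\drivers\ovfsthgrmmevthitaiehtyxewixhnlljjfjwgc.sys",
}

_HEADER = re.compile(r"([A-Za-z]+)::")


def parse_cfscript(text: str) -> Dict[str, List[str]]:
    """Split a CFScript into {section: [entries]} preserving section order."""
    sections: Dict[str, List[str]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        match = _HEADER.fullmatch(line)
        if match:
            current = match.group(1)
            sections.setdefault(current, [])
        elif current is None:
            raise ValueError(f"entry before any section header: {line!r}")
        else:
            sections[current].append(line)
    return sections


def stem(name: str) -> str:
    """Lower-cased file name without directory and without a .sys extension."""
    base = ntpath.basename(name).lower()
    return base[:-4] if base.endswith(".sys") else base


def cross_check(sections: Dict[str, List[str]],
                service_images: Optional[Dict[str, str]] = None
                ) -> Tuple[List[str], List[str]]:
    """Return (Driver:: names with no File:: image, File:: paths with no Driver:: entry).

    A Driver:: name is matched to a File:: entry either through the supplied
    service_images mapping or, failing that, by assuming the service name
    equals the image's file stem (a ".sys" suffix on the name is tolerated).
    """
    images = {svc.lower(): stem(path) for svc, path in (service_images or {}).items()}
    file_stems = {stem(path): path for path in sections.get("File", [])}
    unmatched_drivers: List[str] = []
    matched: set = set()
    for svc in sections.get("Driver", []):
        candidate = images.get(svc.lower(), stem(svc))
        if candidate in file_stems:
            matched.add(candidate)
        else:
            unmatched_drivers.append(svc)
    unmatched_files = [path for s, path in file_stems.items() if s not in matched]
    return unmatched_drivers, unmatched_files


def report(text: str, service_images: Optional[Dict[str, str]] = None) -> List[str]:
    """Human-readable findings; an empty list means every entry has a partner."""
    drivers, files = cross_check(parse_cfscript(text), service_images)
    lines = [f"Driver:: entry with no File:: image (verify before running): {d}" for d in drivers]
    lines += [f"File:: entry with no Driver:: service (may be orphaned on disk): {f}" for f in files]
    return lines


if __name__ == "__main__":
    for finding in report(SAMPLE_CFSCRIPT, SAMPLE_SERVICE_IMAGES):
        print(finding)
```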


#5 joethegiraffe

joethegiraffe
  • Topic Starter

  • Members
  • 9 posts
  • Local time:11:31 AM

Posted 28 August 2009 - 04:12 PM

Awesome, everything seems to be running pretty much fine now, though I am getting occasional crashes on startup when everything seems to stop, and when I open the task manager everything stops responding apart from the mouse =S

Anyway, here is the log with the CFScript:

ComboFix 09-08-28.01 - A-The JoeG 08/28/2009 21:55.3.1 - NTFSx86 MINIMAL
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.778 [GMT 1:00]
Running from: c:\documents and settings\A-The JoeG\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\A-The JoeG\Desktop\CFScript.txt
AV: VirusScan Enterprise + AntiSpyware Enterprise *On-access scanning enabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
FW: COMODO Firewall Pro *enabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}

FILE ::
"c:\docume~1\A-THEJ~1\LOCALS~1\Temp\pfsvgae.sys"
"c:\windows\system32\drivers\bkc7305.sys"
"c:\windows\system32\drivers\bmi071b.sys"
"c:\windows\system32\drivers\bmifd6e.sys"
"c:\windows\system32\drivers\brn837b.sys"
"c:\windows\system32\drivers\cmj9dd5.sys"
"c:\windows\system32\drivers\csj18d8.sys"
"c:\windows\system32\drivers\ctredr15.sys"
"c:\windows\system32\drivers\daq5642.sys"
"c:\windows\system32\drivers\dole3f4.sys"
"c:\windows\system32\drivers\hdoc63e.sys"
"c:\windows\system32\drivers\hggaaf3.sys"
"c:\windows\system32\drivers\ieae3c7.sys"
"c:\windows\system32\drivers\jfq1f2a.sys"
"c:\windows\system32\drivers\jri28b3.sys"
"c:\windows\system32\drivers\jrn6ee6.sys"
"c:\windows\system32\drivers\kcpccbh.sys"
"c:\windows\system32\drivers\kgcd8ac.sys"
"c:\windows\system32\drivers\kgr1480.sys"
"c:\windows\system32\drivers\lbra0c1.sys"
"c:\windows\system32\drivers\lhda88d.sys"
"c:\windows\system32\drivers\mokc8b3.sys"
"c:\windows\system32\drivers\nea0fe7.sys"
"c:\windows\system32\drivers\nea7285.sys"
"c:\windows\system32\drivers\njf5d53.sys"
"c:\windows\system32\drivers\nnm8abe.sys"
"c:\windows\system32\drivers\ofba629.sys"
"c:\windows\system32\drivers\ovfsthgrmmevthitaiehtyxewixhnlljjfjwgc.sys"
"c:\windows\system32\drivers\pgxogted.sys"
"c:\windows\system32\drivers\psoa7ef.sys"
"c:\windows\system32\drivers\qhd031e.sys"
"c:\windows\system32\drivers\qmd0951.sys"
"c:\windows\system32\drivers\rnjab4f.sys"
.

((((((((((((((((((((((((( Files Created from 2009-07-28 to 2009-08-28 )))))))))))))))))))))))))))))))
.

2009-08-28 18:00 . 2009-08-28 18:00 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2009-08-28 17:42 . 2009-08-28 17:42 152576 ----a-w- c:\documents and settings\A-The JoeG\Application Data\Sun\Java\jre1.6.0_16\lzma.dll
2009-08-28 17:06 . 2009-08-28 17:19 -------- d-----w- c:\program files\MSECACHE
2009-08-27 22:45 . 2009-08-27 22:52 -------- d-----w- c:\documents and settings\A-The JoeG\Pavark
2009-08-27 22:29 . 2009-08-27 22:29 -------- d-----w- c:\program files\Trend Micro
2009-08-27 15:42 . 2009-08-27 15:42 413696 ----a-w- c:\windows\system32\wrap_oal.dll
2009-08-27 15:42 . 2009-08-27 15:42 110592 ----a-w- c:\windows\system32\OpenAL32.dll
2009-08-27 14:57 . 2009-08-27 14:57 -------- d-----w- c:\program files\Deep Silver
2009-08-27 14:57 . 2009-08-27 14:57 -------- d-----w- c:\program files\AGEIA Technologies
2009-08-27 14:57 . 2009-08-27 14:57 -------- d-----w- c:\windows\system32\AGEIA
2009-08-27 09:11 . 2009-08-27 09:12 3942047 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-08-27 08:58 . 2008-04-13 17:45 26112 -c--a-w- c:\windows\system32\dllcache\usbser.sys
2009-08-27 08:58 . 2008-04-13 17:45 26112 ----a-w- c:\windows\system32\drivers\usbser.sys
2009-08-25 11:20 . 2009-08-25 11:20 -------- d-----w- c:\program files\uTorrent
2009-08-25 10:51 . 2009-08-25 10:51 -------- d-----w- c:\documents and settings\All Users\Application Data\FreeRIP
2009-08-25 10:51 . 2009-08-25 10:51 -------- d-----w- c:\program files\FreeRIP3
2009-08-24 23:53 . 2009-08-24 23:53 -------- d-----w- c:\program files\ESET
2009-08-24 12:00 . 2009-08-24 14:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-08-24 11:35 . 2009-08-24 12:00 -------- d-----w- c:\program files\SpywareBlaster
2009-08-23 23:34 . 2009-08-23 23:34 -------- d-----w- c:\program files\Alex Feinman
2009-08-21 09:34 . 2009-08-21 09:35 -------- d-----w- C:\ea191c84c7fb67c5e95241
2009-08-21 03:15 . 2009-08-21 03:15 -------- d-sh--w- c:\documents and settings\A-The JoeG\IECompatCache
2009-08-20 18:05 . 2009-08-20 18:05 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2009-08-20 14:07 . 2009-08-20 14:08 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-08-20 13:43 . 2009-08-20 13:43 -------- d-----w- c:\program files\TeaTimer (Spybot - Search & Destroy)
2009-08-20 13:43 . 2009-08-20 13:43 -------- d-----w- c:\program files\Misc. Support Library (Spybot - Search & Destroy)
2009-08-20 13:43 . 2009-08-20 13:43 -------- d-----w- c:\program files\SDHelper (Spybot - Search & Destroy)
2009-08-20 13:43 . 2009-08-20 13:43 -------- d-----w- c:\program files\File Scanner Library (Spybot - Search & Destroy)
2009-08-20 11:23 . 2006-12-01 20:54 626688 -c--a-w- c:\documents and settings\All Users\Application Data\{66E2F539-12B6-4870-A500-7689CDE75C5E}\Windows\winsxs\b2rg91xw.1p4\msvcr80.dll
2009-08-20 09:59 . 2009-08-28 17:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-08-19 18:31 . 2009-08-19 18:31 -------- d-----w- c:\documents and settings\All Users\Application Data\SurfRight
2009-08-19 18:30 . 2009-08-19 18:30 11904 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2009-08-18 15:03 . 2009-08-18 15:03 -------- d-----w- c:\program files\CCleaner
2009-08-18 14:33 . 2009-08-18 14:33 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-08-18 14:21 . 2009-08-18 14:21 -------- d-sh--w- c:\documents and settings\A-The JoeG\PrivacIE
2009-08-17 21:24 . 2009-08-17 21:24 -------- d-----w- c:\program files\iPod
2009-08-17 21:19 . 2009-08-17 21:19 75040 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.2.1.6\SetupAdmin.exe
2009-08-10 15:58 . 2009-08-28 10:17 -------- d-----w- C:\QUARANTINE
2009-08-10 15:08 . 2006-12-19 14:06 1495552 ----a-w- c:\windows\system32\epoPGPsdk.dll
2009-08-10 15:08 . 2007-10-16 19:50 72680 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2009-08-10 15:08 . 2007-10-16 19:50 64168 ----a-w- c:\windows\system32\drivers\mfeapfk.sys
2009-08-10 15:08 . 2007-10-16 19:50 51944 ----a-w- c:\windows\system32\drivers\mfetdik.sys
2009-08-10 15:08 . 2007-10-16 19:50 33960 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2009-08-10 15:08 . 2007-10-16 19:50 171272 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2009-08-10 15:07 . 2009-08-10 15:16 -------- d-----w- c:\program files\McAfee
2009-08-10 15:07 . 2009-08-10 15:07 -------- d-----w- c:\program files\Common Files\McAfee
2009-08-07 18:59 . 2009-08-07 18:59 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2009-08-07 18:58 . 2009-08-07 18:58 -------- d-sh--w- c:\documents and settings\A-The JoeG\IETldCache
2009-08-07 18:18 . 2009-08-07 18:18 -------- d-----w- c:\documents and settings\A-The JoeG\Application Data\FMZilla
2009-08-07 15:56 . 2009-08-07 15:57 -------- d-----w- c:\windows\ie8updates
2009-08-07 15:53 . 2009-08-28 03:10 -------- dc-h--w- c:\windows\ie8
2009-08-07 15:48 . 2009-07-03 17:09 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2009-08-07 15:48 . 2009-07-03 17:09 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2009-08-06 08:37 . 2009-08-28 20:47 -------- d-----w- c:\program files\Steam
2009-08-06 07:38 . 2009-08-19 08:03 -------- d-----w- c:\program files\Unlocker
2009-08-01 16:36 . 2009-08-22 00:58 -------- d-----w- c:\program files\PCFriendly
2009-07-30 11:43 . 2009-07-30 11:43 -------- d-----w- c:\program files\MSBuild
2009-07-30 11:41 . 2009-08-21 09:35 -------- d-----w- c:\windows\system32\XPSViewer
2009-07-30 11:41 . 2009-07-30 11:41 -------- d-----w- c:\program files\Reference Assemblies

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-28 18:42 . 2009-07-27 12:31 -------- d-----w- c:\documents and settings\A-The JoeG\Application Data\vlc
2009-08-28 00:31 . 2007-04-30 07:14 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-08-27 22:55 . 2009-01-25 16:26 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-27 21:42 . 2009-07-24 15:49 152576 ----a-w- c:\documents and settings\A-The JoeG\Application Data\Sun\Java\jre1.6.0_14\lzma.dll
2009-08-27 21:09 . 2006-10-03 17:19 87672 -c--a-w- c:\documents and settings\A-The JoeG\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-27 14:56 . 2008-12-16 16:21 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-08-27 08:58 . 2006-06-28 10:11 -------- d-----w- c:\documents and settings\All Users\Application Data\BVRP Software
2009-08-27 08:57 . 2005-10-13 07:42 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-08-27 08:47 . 2006-01-22 20:37 -------- d-----w- c:\program files\Autodesk
2009-08-25 11:36 . 2007-08-21 10:37 -------- d-----w- c:\documents and settings\A-The JoeG\Application Data\uTorrent
2009-08-22 02:34 . 2006-08-13 19:30 11430 ----a-w- c:\documents and settings\A-The JoeG\Application Data\wklnhst.dat
2009-08-20 16:12 . 2006-01-22 20:37 -------- d-----w- c:\program files\Common Files\Autodesk Shared
2009-08-20 11:26 . 2009-08-20 11:24 -------- d-----w- c:\documents and settings\All Users\Application Data\DriverScanner
2009-08-20 11:24 . 2009-08-20 11:23 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{66E2F539-12B6-4870-A500-7689CDE75C5E}
2009-08-20 11:24 . 2009-08-20 11:24 -------- d-----w- c:\program files\Uniblue
2009-08-20 11:24 . 2009-08-20 11:24 -------- d-----w- c:\documents and settings\A-The JoeG\Application Data\Uniblue
2009-08-19 18:30 . 2009-01-24 16:38 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro
2009-08-17 21:24 . 2007-07-26 10:50 -------- d-----w- c:\program files\iTunes
2009-08-17 21:24 . 2007-07-26 10:50 -------- d-----w- c:\program files\Common Files\Apple
2009-08-10 15:08 . 2009-07-24 16:04 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2009-08-05 09:01 . 2004-08-04 12:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-03 12:36 . 2009-01-25 16:26 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-03 12:36 . 2009-01-25 16:26 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-28 10:31 . 2009-03-24 22:51 -------- d-----w- c:\program files\AoA Audio Extractor
2009-07-23 09:59 . 2009-07-23 09:59 -------- d-----w- c:\documents and settings\A-The JoeG\Application Data\LucasArts
2009-07-17 19:01 . 2004-08-04 12:00 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-15 18:41 . 2008-06-06 11:12 -------- d-----w- c:\program files\Messenger Plus! Live
2009-07-13 22:43 . 2004-08-04 12:00 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-03 17:09 . 2004-08-04 12:00 915456 ------w- c:\windows\system32\wininet.dll
2009-06-29 16:12 . 2007-08-13 17:45 78336 ------w- c:\windows\system32\ieencode.dll
2009-06-29 12:45 . 2006-01-12 20:28 724992 -c--a-w- c:\windows\iun6002.exe
2009-06-29 04:19 . 2009-08-20 11:24 2653070 -c--a-w- c:\documents and settings\All Users\Application Data\{66E2F539-12B6-4870-A500-7689CDE75C5E}\DriverScanner_Setup.exe
2009-06-16 14:36 . 2004-08-04 12:00 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-16 14:36 . 2004-08-04 12:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-12 12:31 . 2004-08-04 12:00 80896 ----a-w- c:\windows\system32\tlntsess.exe
2009-06-12 12:31 . 2004-08-04 12:00 76288 ----a-w- c:\windows\system32\telnet.exe
2009-06-10 14:13 . 2004-08-04 12:00 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-06-10 08:19 . 2005-10-13 07:27 2066432 ----a-w- c:\windows\system32\mstscax.dll
2009-06-10 06:14 . 2004-08-04 12:00 132096 ----a-w- c:\windows\system32\wkssvc.dll
2009-06-05 10:42 . 2009-03-20 09:40 2060288 ----a-w- c:\windows\system32\usbaaplrc.dll
2009-06-05 10:42 . 2008-01-28 15:00 39424 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2009-06-03 19:09 . 2004-08-04 12:00 1291264 ----a-w- c:\windows\system32\quartz.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Steam"="c:\program files\steam\steam.exe" [2009-08-26 1217784]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-02-06 3885408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-16 13529088]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2007-10-16 111952]
"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\UdaterUI.exe" [2006-12-19 136768]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2009-08-03 419088]
"SoundMan"="SOUNDMAN.EXE" - c:\windows\SOUNDMAN.EXE [2004-12-22 77824]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2008-05-16 1630208]

[HKLM\~\startupfolder\C:^Documents and Settings^A-The JoeG^Start Menu^Programs^Startup^Free Music Zilla.lnk]

[HKLM\~\startupfolder\C:^Documents and Settings^A-The JoeG^Start Menu^Programs^Startup^MagicDisc.lnk]

[HKLM\~\startupfolder\C:^Documents and Settings^A-The JoeG^Start Menu^Programs^Startup^Picture Motion Browser Media Check Tool.lnk]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^802.11g Wireless Adatper.lnk]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Service Manager.lnk]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"mnmsrvc"=3 (0x3)
"InCDsrvR"=2 (0x2)
"InCDsrv"=2 (0x2)
"ImapiService"=3 (0x3)
"gusvc"=3 (0x3)
"CryptSvc"=3 (0x3)
"Creative Service for CDROM Access"=2 (0x2)
"C-DillaCdaC11BA"=2 (0x2)
"WMPNetworkSvc"=3 (0x3)
"WLSetupSvc"=3 (0x3)
"usnjsvc"=3 (0x3)
"ServiceLayer"=3 (0x3)
"ose"=3 (0x3)
"odserv"=3 (0x3)
"NVSvc"=2 (0x2)
"IDriverT"=3 (0x3)
"CVPND"=2 (0x2)
"CiscoVpnInstallService"=2 (0x2)
"CCALib8"=2 (0x2)
"Autodesk Licensing Service"=3 (0x3)
"rpcapd"=2 (0x2)
"UpdateCenterService"=2 (0x2)
"SQLSERVERAGENT"=3 (0x3)
"MSSQLServerADHelper"=3 (0x3)
"MSSQLSERVER"=3 (0x3)
"BITS"=3 (0x3)
"aspnet_state"=3 (0x3)
"AppMgmt"=3 (0x3)
"JavaQuickStarterService"=2 (0x2)
"iPod Service"=3 (0x3)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Starcraft\\StarCraft.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Steam\\SteamApps\\masterous_gallagher\\team fortress 2\\hl2.exe"=
"c:\\Program Files\\Veoh Networks\\VeohWebPlayer\\veohwebplayer.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\guild wars\\Gw.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\MSN\\MSNCoreFiles\\msn6.exe"=
"c:\\Program Files\\Deep Silver\\Sacred 2 - Fallen Angel\\system\\sacred2.exe"=
"c:\\Program Files\\Deep Silver\\Sacred 2 - Fallen Angel\\system\\s2gs.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"18763:TCP"= 18763:TCP:*:Disabled:BitComet 18763 TCP
"18763:UDP"= 18763:UDP:*:Disabled:BitComet 18763 UDP
"6112:TCP"= 6112:TCP:*:Disabled:Blizzard Downloader 2

S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [1/25/2009 5:26 PM 232720]
S3 ASPI;Advanced SCSI Programming Interface Driver;c:\windows\system32\drivers\ASPI32.SYS [6/9/2008 8:40 PM 16512]
S3 hitmanpro3;Hitman Pro 3 Support Driver;\??\c:\windows\system32\drivers\hitmanpro3.sys --> c:\windows\system32\drivers\hitmanpro3.sys [?]
S3 JL2005;JL2005A Camera;c:\windows\system32\Drivers\toywdm.sys --> c:\windows\system32\Drivers\toywdm.sys [?]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [1/25/2009 5:26 PM 19096]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\DRIVERS\motccgp.sys --> c:\windows\system32\DRIVERS\motccgp.sys [?]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [1/5/2008 3:11 AM 7680]
S3 wlanndi5;wlanndi5 NDIS Protocol Driver;c:\windows\system32\wlanndi5.sys [4/21/2004 5:51 PM 16384]
S3 WN6201;Wireless Network Adapter Service;c:\windows\system32\drivers\WN6201.sys [8/17/2008 9:59 PM 457472]
S4 CiscoVpnInstallService;Cisco Systems, Inc. Installer service;d:\instal~6.exe --> d:\INSTAL~6.EXE [?]
.
Contents of the 'Scheduled Tasks' folder

2009-08-24 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 12:34]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
FF - ProfilePath - c:\documents and settings\A-The JoeG\Application Data\Mozilla\Firefox\Profiles\boymctrj.default\
FF - prefs.js: browser.startup.homepage - hxxp://questionablecontent.net/
FF - plugin: c:\documents and settings\All Users\Application Data\id Software\QuakeLive\npquakezero.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npqtplugin8.dll
FF - plugin: c:\program files\QuickTime\Plugins\npqtplugin8.dll
FF - plugin: c:\program files\Veoh Networks\VeohWebPlayer\NPVeohTVPlugin.dll
FF - plugin: c:\program files\Veoh Networks\VeohWebPlayer\npWebPlayerVideoPluginATL.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-28 22:01
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(992)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
.
Completion time: 2009-08-28 22:03
ComboFix-quarantined-files.txt 2009-08-28 21:03
ComboFix2.txt 2009-08-28 16:58
ComboFix3.txt 2009-08-28 10:25

Pre-Run: 92,759,904,256 bytes free
Post-Run: 92,725,538,816 bytes free

Current=9 Default=9 Failed=8 LastKnownGood=10 Sets=1,2,3,4,5,6,7,8,9,10
669 --- E O F --- 2009-08-26 23:45


Edit:

I forgot to mention, I couldn't run the online antivirus because my Java is out of date, and when I attempt to remove the old one I get an installation error. I looked up this error and people recommended using the Windows Installer CleanUp Utility, but on trying to install this my system regularly crashes.
I tried logging on to the administrator account to install the new Java and/or CleanUp files but I came up with the same problem.

Edit of the Edit:

Got a different uninstall tool, got rid of the old runtime and have updated, running Kaspersky and will edit the edit of the edit with results soon!

Edited by joethegiraffe, 28 August 2009 - 04:42 PM.


#6 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,635 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto Rico
  • Local time:07:31 AM

Posted 28 August 2009 - 04:59 PM

Got a different uninstall tool, got rid of the old runtime and have updated, running Kaspersky and will edit the edit of the edit with results soon!


:thumbup2:

No request for help throughout private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!
btn_donate_SM.gif


#7 joethegiraffe

  • Topic Starter

Posted 31 August 2009 - 03:28 AM

Oookay, Kaspersky says I'm not in the clear yet, still have a few issues D:
Does Kaspersky clean things or only detect them?

Anyway, here's the report:

KASPERSKY ONLINE SCANNER 7.0: scan report
Monday, August 31, 2009
Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Monday, August 31, 2009 02:15:21
Records in database: 2730796
Scan settings
scan using the following database extended
Scan archives yes
Scan e-mail databases yes
Scan area My Computer
A:\
C:\
D:\
E:\
F:\
G:\
H:\
I:\
J:\
Scan statistics
Objects scanned 98267
Threats found 3
Infected objects found 4
Suspicious objects found 0
Scan duration 05:29:51

File name Threat Threats count

C:\Qoobox\Quarantine\C\WINDOWS\system32\UACmspkvoenml.dll.vir
Infected: Packed.Win32.TDSS.y 1
C:\System Volume Information\_restore{C38F7A13-1AEE-4A11-80E6-30E2F7540CA3}\RP812\A0328963.exe
Infected: Trojan.Win32.VB.ski 1
C:\System Volume Information\_restore{C38F7A13-1AEE-4A11-80E6-30E2F7540CA3}\RP826\A0344235.exe
Infected: Trojan-Spy.Win32.Zbot.aabx 1
C:\System Volume Information\_restore{C38F7A13-1AEE-4A11-80E6-30E2F7540CA3}\RP847\A0357077.dll
Infected: Packed.Win32.TDSS.y 1

Selected area has been scanned.


#8 JSntgRvr

Posted 31 August 2009 - 09:38 AM

Hi, Joe :thumbup2:

These detections are items in System Restore and items quarantined by Combofix. Let's take care of that.

Reset and Re-enable your System Restore to remove bad files that have been backed up by Windows. The files in System Restore are protected to prevent any programmes changing them. This is the only way to clean these files: (You will lose all previous restore points which are likely to be infected.)

To reset your restore points, please note that you will need to log into your computer with an account which has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.

(Windows XP)

1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore.

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.

Since the tools we used to scan the computer, as well as tools to delete files and folders, are no longer needed, they should be removed, as well as the folders created by these tools.

Follow these steps to uninstall Combofix
  • Click START then RUN
  • Now type (Copy and Paste) "c:\documents and settings\A-The JoeG\Desktop\Combo-Fix.exe" /u in the runbox (including the quotation marks) and click OK. Note the space between the " and the /u, it needs to be there.
Create a Restore point (If the above process fails to do so):
  • Click Start, point to All Programs, point to Accessories, point to System Tools, and then click System Restore.
  • In the System Restore dialog box, click Create a restore point, and then click Next.
  • Type a description for your restore point, such as "After Cleanup", then click Create.
How is it doing now?

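A triage helper for a report laid out like the Kaspersky scan above, added here as an example and not code from the thread or from Kaspersky: it pairs each path line with the "Infected:" line that follows it and labels hits under System Volume Information\_restore or Qoobox\Quarantine as inert backups (the point made in the reply above), versus live locations that would still need cleaning. The sample report, its file names and its restore-point GUID are constructed.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample modelled on the Kaspersky Online Scanner 7.0 layout in the
# thread (a path line followed by "Infected: <threat> <count>"); not a real scan.
SAMPLE_REPORT = """\
File name Threat Threats count

C:\\Qoobox\\Quarantine\\C\\WINDOWS\\system32\\UACsample.dll.vir
Infected: Packed.Win32.TDSS.y 1
C:\\System Volume Information\\_restore{00000000-0000-0000-0000-000000000000}\\RP1\\A0000001.exe
Infected: Trojan-Spy.Win32.Zbot.aabx 1
C:\\WINDOWS\\system32\\sample_live.dll
Infected: Packed.Win32.TDSS.y 1

Selected area has been scanned.
"""


@dataclass
class Detection:
    path: str
    threat: str
    count: int
    location: str  # "restore_point", "quarantine" or "live"


# Inert locations: System Restore snapshots and the ComboFix quarantine folder.
# Files there are not executing; clearing the backup (restore-point reset,
# ComboFix uninstall) is what removes them.
_INERT = (
    (re.compile(r"^[a-z]:\\system volume information\\_restore\{", re.I), "restore_point"),
    (re.compile(r"^[a-z]:\\qoobox\\quarantine\\", re.I), "quarantine"),
)

_INFECTED = re.compile(r"^Infected:\s+(?P<threat>\S+)\s+(?P<count>\d+)\s*$")
_PATH = re.compile(r"^[A-Za-z]:\\")


def classify_path(path: str) -> str:
    for pattern, label in _INERT:
        if pattern.search(path):
            return label
    return "live"


def parse_report(text: str) -> list[Detection]:
    """Pair each path line with the 'Infected:' line that follows it."""
    detections: list[Detection] = []
    pending = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = _INFECTED.match(line)
        if m and pending:
            detections.append(Detection(pending, m["threat"], int(m["count"]), classify_path(pending)))
            pending = None
        elif _PATH.match(line):
            pending = line
    return detections


def triage(text: str) -> dict[str, list[str]]:
    """Group detections: 'live' needs cleaning, the other two need the backup purged."""
    summary: dict[str, list[str]] = {"live": [], "restore_point": [], "quarantine": []}
    for d in parse_report(text):
        summary[d.location].append(d.path)
    return summary


if __name__ == "__main__":
    for loc, paths in triage(SAMPLE_REPORT).items():
        print(f"{loc}: {len(paths)}")
        for p in paths:
            print("  ", p)
```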


#9 JSntgRvr

Posted 11 September 2009 - 04:13 PM

Since this issue appears to be resolved ... this Topic has been closed. Glad we could help.

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.

