
hijackthis log (regedit opens in notepad,task manger disabled)


This topic is locked
20 replies to this topic

#1 Dylanz Of Dylanz

Dylanz Of Dylanz

  • Members
  • 171 posts

Posted 25 September 2009 - 01:43 AM

I was redirected from http://www.bleepingcomputer.com/forums/t/259163/regedit-opens-in-notepad/
I've read "Preparation Guide For Use Before Posting A Hijackthis Log". I tried running DDS but it opened in Notepad as well.

I can only run RootRepeal and HijackThis.

RootRepeal log
ROOTREPEAL AD, 2007-2009
==================================================
Scan Start Time: 2009/09/25 13:13
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP2
==================================================

Drivers
-------------------
Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xB2093000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\WINDOWS\Prefetch\ROOTREPEAL.EXE-27FAE853.pf
Status: Visible to the Windows API, but not on disk.

Hidden Services
-------------------
Service Name: fwqkkpf
Image Path: %SystemRoot%\system32\svchost.exe -k netsvcs

==EOF==

HijackThis log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:39:54 PM, on 9/25/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
D:\PROGRA~1\AVG8~1.5\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
D:\PROGRA~1\AVG8~1.5\avgrsx.exe
C:\Program Files\Java\jre6\bin\jqs.exe
D:\PROGRA~1\AVG8~1.5\avgnsx.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
D:\PROGRA~1\AVG8~1.5\avgtray.exe
C:\Documents and Settings\Great User\Local Settings\Temp\Anti Mosquito.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Documents and Settings\Great User\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :8181
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
F2 - REG:system.ini: Shell=explorer.exe C:\WINDOWS\system32\fdisk.com
F3 - REG:win.ini: load=C:\DOCUME~1\GREATU~1\LOCALS~1\Temp\svchost.com
F3 - REG:win.ini: run=C:\DOCUME~1\GREATU~1\LOCALS~1\Temp\svchost.com
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\fdisk.com,
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: flashget2 urlcatch - {1F364306-AA45-47B5-9F9D-39A8B94E7EF1} - C:\Program Files\FlashGet Network\FlashGet universal\ComDlls\bhoCATCH.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - D:\Program Files\BitComet\tools\BitCometBHO_1.3.7.16.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - D:\Program Files\AVG 8.5\avgssie.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MI1933~1\Office12\GRA8E1~1.DLL
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AVG8_TRAY] D:\PROGRA~1\AVG8~1.5\avgtray.exe
O4 - HKLM\..\Run: [mspaint] "C:\WINDOWS\system32\Paint.exe" -autocheck
O4 - HKLM\..\Run: [Anti Mosquito] C:\Documents and Settings\Great User\Local Settings\Temp\Anti Mosquito.exe
O4 - HKLM\..\Run: [HotKey] C:\Documents and Settings\Great User\Templates\cache\SFCsrvc.pif
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "D:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [User Agent] C:\WINDOWS\system32\fdisk.com
O4 - HKLM\..\Run: [RRT-Auto] C:\Documents and Settings\Great User\Desktop\RRT.exe auto
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [HotKey] C:\Documents and Settings\Great User\Templates\cache\SFCsrvc.pif
O4 - HKCU\..\Run: [User Agent] C:\DOCUME~1\GREATU~1\LOCALS~1\Temp\svchost.com
O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'NETWORK SERVICE')
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions present
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: &D&ownload &with BitComet - res://D:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://D:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://D:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: &Download All by FlashGet - C:\Program Files\FlashGet Network\FlashGet universal\ComDlls\Bhoall.htm
O8 - Extra context menu item: &Download by FlashGet - C:\Program Files\FlashGet Network\FlashGet universal\ComDlls\Bholink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office12\EXCEL.EXE/3000
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\Office12\REFIEBAR.DLL
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://D:\Program Files\BitComet\tools\BitCometBHO_1.3.7.16.dll/206 (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MI1933~1\Office12\GR99D3~1.DLL
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - D:\Program Files\AVG 8.5\avgpp.dll
O20 - Winlogon Notify: !SASWinLogon - D:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - D:\PROGRA~1\AVG8~1.5\avgwdsvc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 9312 bytes
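A first triage pass over the kind of HijackThis entries posted above, added here as an example and not part of the original thread: it flags the items a responder reads first (a forced proxy, a Shell or Userinit value that is not the stock one, win.ini load/run autostarts, Run entries launched from Temp or Templates\cache or with .com/.pif extensions, and the DisableRegedit policy). The sample lines are copied from the log above; the suspect-location and extension heuristics are this example's own, not HijackThis's.

```python
from __future__ import annotations

import re
from typing import Optional

# Constructed sample: a subset of the entries from the HijackThis log posted above.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :8181
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
F2 - REG:system.ini: Shell=explorer.exe C:\WINDOWS\system32\fdisk.com
F3 - REG:win.ini: load=C:\DOCUME~1\GREATU~1\LOCALS~1\Temp\svchost.com
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\fdisk.com,
O4 - HKLM\..\Run: [AVG8_TRAY] D:\PROGRA~1\AVG8~1.5\avgtray.exe
O4 - HKLM\..\Run: [Anti Mosquito] C:\Documents and Settings\Great User\Local Settings\Temp\Anti Mosquito.exe
O4 - HKLM\..\Run: [HotKey] C:\Documents and Settings\Great User\Templates\cache\SFCsrvc.pif
O4 - HKLM\..\Run: [User Agent] C:\WINDOWS\system32\fdisk.com
O4 - HKCU\..\Run: [User Agent] C:\DOCUME~1\GREATU~1\LOCALS~1\Temp\svchost.com
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

# Every HijackThis entry starts with a section code (R1, F2, O4, ...) and " - ".
HJT_LINE = re.compile(r"^(?P<code>[RFO]\d+) - (?P<body>.*)$")

# Heuristics (this example's own): legitimate software almost never autostarts from
# these directories or with these extensions; every bad O4 entry in the posted log does.
SUSPECT_DIRS = ("\\temp\\", "\\templates\\cache\\")
SUSPECT_EXTS = (".com", ".pif", ".scr")


def _ini_value(body: str) -> tuple[str, str]:
    """'REG:system.ini: Shell=explorer.exe x' -> ('shell', 'explorer.exe x')."""
    _, _, kv = body.partition(": ")
    key, _, value = kv.partition("=")
    return key.strip().lower(), value.strip()


def triage_line(line: str) -> Optional[str]:
    """Return a reason string if the entry needs a closer look, else None."""
    m = HJT_LINE.match(line.strip())
    if not m:
        return None
    code, body = m["code"], m["body"]

    if code == "R1" and ",ProxyServer =" in body:
        value = body.split("=", 1)[1].strip()
        return f"proxy forced to {value!r}; clear it unless you set it yourself" if value else None

    if code == "F2":  # Winlogon Shell / Userinit, mirrored into system.ini by HijackThis
        key, value = _ini_value(body)
        if key == "shell" and value.lower() != "explorer.exe":
            return f"Winlogon Shell hijack: {value}"
        if key == "userinit":
            parts = [p for p in value.lower().split(",") if p]
            if len(parts) != 1 or not parts[0].endswith("\\userinit.exe"):
                return f"Winlogon Userinit hijack: {value}"
        return None

    if code == "F3":  # win.ini load= / run= are legacy autostarts that should be empty
        key, value = _ini_value(body)
        return f"win.ini {key}= autostart: {value}" if key in ("load", "run") and value else None

    if code == "O4":  # Run-key autostart: look at where the target lives and what it is
        target = body.split("] ", 1)[1] if "] " in body else body
        low = target.lower()
        if any(d in low for d in SUSPECT_DIRS) or low.rstrip().endswith(SUSPECT_EXTS):
            return f"autostart from suspect location: {target}"
        return None

    if code == "O7" and "DisableRegedit=1" in body:
        return "registry editor disabled by policy (DisableRegedit=1)"
    return None


def triage(log: str) -> list[tuple[str, str]]:
    """Return (entry, reason) pairs for every flagged line in a HijackThis log."""
    findings = []
    for line in log.splitlines():
        reason = triage_line(line)
        if reason:
            findings.append((line.strip(), reason))
    return findings


if __name__ == "__main__":
    for entry, reason in triage(SAMPLE_LOG):
        print(f"{reason}\n    {entry}")
```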



#2 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 25 September 2009 - 07:04 AM

Hi,

First of all, Please delete the proxy being set by malware: In IE: Tools Menu -> Internet Options -> Connections Tab ->Lan Settings > uncheck "use a proxy server" and check to "Automatically detect settings".
In Firefox in Tools Menu -> Options... -> Advanced Tab -> Network Tab -> "Settings" under Connection.

Then, please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • In case you already used MBAM previously, please update it before proceeding with the scan. To do this, click the "Update" tab and click the "Check For updates" button.
  • Once the program has loaded and updates were downloaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply along with a fresh HijackThis log.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 Dylanz Of Dylanz

Dylanz Of Dylanz
  • Topic Starter

  • Members
  • 171 posts

Posted 25 September 2009 - 12:47 PM

MBAM log file. By the way, I can open regedit now and Task Manager is back. Is my PC clean?

Malwarebytes' Anti-Malware 1.41
Database version: 2859
Windows 5.1.2600 Service Pack 2

9/26/2009 1:38:41 AM
mbam-log-2009-09-26 (01-38-41).txt

Scan type: Quick Scan
Objects scanned: 106637
Time elapsed: 3 minute(s), 16 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 7
Registry Values Infected: 3
Registry Data Items Infected: 6
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ashDisp.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgnt.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vptray.exe (Security.Hijack) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run (Worm.AutoRun) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\user agent (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\user agent (Worm.AutoRun) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions (Hijack.FolderOptions) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools (Hijack.Regedit) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Hijack.Shell) -> Bad: (explorer.exe C:\WINDOWS\system32\fdisk.com) Good: (Explorer.exe) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue (Hijack.System.Hidden) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.Userinit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\fdisk.com,) Good: (Userinit.exe) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\autorun.inf (SuspectAutorun.Rootdrive.H) -> Quarantined and deleted successfully.


HijackThis log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:45:22 AM, on 9/26/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
D:\PROGRA~1\AVG8~1.5\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
D:\PROGRA~1\AVG8~1.5\avgrsx.exe
D:\PROGRA~1\AVG8~1.5\avgnsx.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
D:\PROGRA~1\AVG8~1.5\avgtray.exe
C:\Documents and Settings\Great User\Local Settings\Temp\Anti Mosquito.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\Program Files\Mozilla Firefox\firefox.exe
\?\C:\WINDOWS\system32\WBEM\WMIADAP.EXE
C:\Documents and Settings\Great User\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
F3 - REG:win.ini: load=C:\DOCUME~1\GREATU~1\LOCALS~1\Temp\svchost.com
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: flashget2 urlcatch - {1F364306-AA45-47B5-9F9D-39A8B94E7EF1} - C:\Program Files\FlashGet Network\FlashGet universal\ComDlls\bhoCATCH.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - D:\Program Files\BitComet\tools\BitCometBHO_1.3.7.16.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - D:\Program Files\AVG 8.5\avgssie.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MI1933~1\Office12\GRA8E1~1.DLL
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AVG8_TRAY] D:\PROGRA~1\AVG8~1.5\avgtray.exe
O4 - HKLM\..\Run: [mspaint] "C:\WINDOWS\system32\Paint.exe" -autocheck
O4 - HKLM\..\Run: [Anti Mosquito] C:\Documents and Settings\Great User\Local Settings\Temp\Anti Mosquito.exe
O4 - HKLM\..\Run: [HotKey] C:\Documents and Settings\Great User\Templates\cache\SFCsrvc.pif
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "D:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [RRT-Auto] C:\Documents and Settings\Great User\Desktop\RRT.exe auto
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [HotKey] C:\Documents and Settings\Great User\Templates\cache\SFCsrvc.pif
O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'NETWORK SERVICE')
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions present
O8 - Extra context menu item: &D&ownload &with BitComet - res://D:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://D:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://D:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: &Download All by FlashGet - C:\Program Files\FlashGet Network\FlashGet universal\ComDlls\Bhoall.htm
O8 - Extra context menu item: &Download by FlashGet - C:\Program Files\FlashGet Network\FlashGet universal\ComDlls\Bholink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office12\EXCEL.EXE/3000
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\Office12\REFIEBAR.DLL
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://D:\Program Files\BitComet\tools\BitCometBHO_1.3.7.16.dll/206 (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MI1933~1\Office12\GR99D3~1.DLL
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - D:\Program Files\AVG 8.5\avgpp.dll
O20 - Winlogon Notify: !SASWinLogon - D:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - D:\PROGRA~1\AVG8~1.5\avgwdsvc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 8901 bytes

#4 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 25 September 2009 - 03:52 PM

Hi,

This is a lot better, but still not finished yet since I need an extra log...

* Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Post the log from ComboFix in your next reply.

Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix. This is because security software may see some components ComboFix uses (prep.com for example) as suspicious and block the tool, or even delete it. Please visit HERE if you don't know how.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#5 Dylanz Of Dylanz

Dylanz Of Dylanz
  • Topic Starter

  • Members
  • 171 posts

Posted 25 September 2009 - 10:39 PM

ComboFix 09-09-25.01 - Great User 09/26/2009 11:34.1.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2046.1450 [GMT 8:00]
Running from: c:\documents and settings\Great User\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\$recycle.bin\{5F229C11-5039-40E4-8537-6950BB1C9ECC}
c:\documents and settings\Great User\Application Data\BITS
c:\documents and settings\Great User\Application Data\BITS\BITS.ini
c:\documents and settings\Great User\Application Data\BITS\DHTTable.dat
c:\documents and settings\Great User\Application Data\BITS\ProxyList.ini
c:\documents and settings\Great User\Templates\cache
c:\documents and settings\Great User\Templates\cache\$RECYCLE.BIN\{5F229C11-5039-40E4-8537-6950BB1C9ECC}\desktop.ini
c:\documents and settings\Great User\Templates\cache\$RECYCLE.BIN\{5F229C11-5039-40E4-8537-6950BB1C9ECC}\rcmd.ini
c:\documents and settings\Great User\Templates\cache\$RECYCLE.BIN\{5F229C11-5039-40E4-8537-6950BB1C9ECC}\RemoteINF.exe
c:\documents and settings\Great User\Templates\cache\$RECYCLE.BIN\{5F229C11-5039-40E4-8537-6950BB1C9ECC}\temp.db
c:\documents and settings\Great User\Templates\cache\$RECYCLE.BIN\{5F229C11-5039-40E4-8537-6950BB1C9ECC}\tmp.db
c:\documents and settings\Great User\Templates\cache\desktop.ini
c:\program files\FlashGet Network
c:\program files\FlashGet Network\FlashGet universal\btcore.dll
c:\program files\FlashGet Network\FlashGet universal\btwrap.dll
c:\program files\FlashGet Network\FlashGet universal\BugReport.dll
c:\program files\FlashGet Network\FlashGet universal\BugReport.exe
c:\program files\FlashGet Network\FlashGet universal\ComDlls\Bhoall.htm
c:\program files\FlashGet Network\FlashGet universal\ComDlls\bhoCATCH.dll
c:\program files\FlashGet Network\FlashGet universal\ComDlls\Bhocfg.ini
c:\program files\FlashGet Network\FlashGet universal\ComDlls\Bholink.htm
c:\program files\FlashGet Network\FlashGet universal\ComDlls\ComDlls.ini
c:\program files\FlashGet Network\FlashGet universal\ComDlls\flashget.xpi
c:\program files\FlashGet Network\FlashGet universal\ComDlls\FlashgetXpi.dll
c:\program files\FlashGet Network\FlashGet universal\ComDlls\IFlashgetXpi.xpt
c:\program files\FlashGet Network\FlashGet universal\dbghelp.dll
c:\program files\FlashGet Network\FlashGet universal\DBTrans.dll
c:\program files\FlashGet Network\FlashGet universal\dbtrans_verbose.log
c:\program files\FlashGet Network\FlashGet universal\DBTransC.exe
c:\program files\FlashGet Network\FlashGet universal\ed2kwrap.dll
c:\program files\FlashGet Network\FlashGet universal\explorerbar.dll
c:\program files\FlashGet Network\FlashGet universal\fgoption.ini
c:\program files\FlashGet Network\FlashGet universal\FGVer.dll
c:\program files\FlashGet Network\FlashGet universal\flashget.exe
c:\program files\FlashGet Network\FlashGet universal\gt.exe
c:\program files\FlashGet Network\FlashGet universal\hashgen.dll
c:\program files\FlashGet Network\FlashGet universal\Help\license.txt
c:\program files\FlashGet Network\FlashGet universal\Help\Readme.txt
c:\program files\FlashGet Network\FlashGet universal\Help\WHATSNEW.TXT
c:\program files\FlashGet Network\FlashGet universal\Langs\FGXL_ENG\AddBatchLinksDlg.ini
c:\program files\FlashGet Network\FlashGet universal\Langs\FGXL_ENG\AddBTTask.ini
c:\program files\FlashGet Network\FlashGet universal\Langs\FGXL_ENG\Added.ini
c:\program files\FlashGet Network\FlashGet universal\Langs\FGXL_ENG\AddEMTask.ini
c:\program files\FlashGet Network\FlashGet universal\Langs\FGXL_ENG\AddHpFpLink.ini
c:\program files\FlashGet Network\FlashGet universal\Langs\FGXL_ENG\AddLinksDlg.ini
c:\program files\FlashGet Network\FlashGet universal\Langs\FGXL_ENG\AddLinksDlgEx.ini
c:\program files\FlashGet Network\FlashGet universal\Langs\FGXL_ENG\AddLinksModern.ini
c:\program files\FlashGet Network\FlashGet universal\Langs\FGXL_ENG\BrowserPlugins.ini
c:\program files\FlashGet Network\FlashGet universal\Langs\FGXL_ENG\BTOption.ini
c:\program files\FlashGet Network\FlashGet universal\Langs\FGXL_ENG\CategoryView.ini
c:\program files\FlashGet Network\FlashGet universal\Langs\FGXL_ENG\ComfirmWhenExitDialog.ini
c:\program files\FlashGet Network\FlashGet universal\Langs\FGXL_ENG\CommonDlg.ini
c:\program files\FlashGet Network\FlashGet universal\Langs\FGXL_ENG\ConfirmInvalidLinks.ini
c:\program files\FlashGet Network\FlashGet universal\Langs\FGXL_ENG\ContextMenu.ini
c:\program files\FlashGet Network\FlashGet universal\Langs\FGXL_ENG\DefaultDownloadsDialog.ini
c:\program files\FlashGet Network\FlashGet universal\Langs\FGXL_ENG\DeleteFilesDialog.ini
c:\program files\FlashGet Network\FlashGet universal\Langs\FGXL_ENG\DetailStatus.ini
c:\program files\FlashGet Network\FlashGet universal\Langs\FGXL_ENG\EMOption.ini
c:\program files\FlashGet Network\FlashGet universal\Langs\FGXL_ENG\EMServers.ini
c:\program files\FlashGet Network\FlashGet universal\Langs\FGXL_ENG\ExplorerPane.ini
c:\program files\FlashGet Network\FlashGet universal\Langs\FGXL_ENG\ExtensionRuleDlg.ini
c:\program files\FlashGet Network\FlashGet universal\Langs\FGXL_ENG\FG2SearchTopPlugin.ini
c:\program files\FlashGet Network\FlashGet universal\Langs\FGXL_ENG\FileListCtrl.ini
c:\program files\FlashGet Network\FlashGet universal\Langs\FGXL_ENG\FileRemovedDialog.ini
c:\program files\FlashGet Network\FlashGet universal\Langs\FGXL_ENG\FindTaskDialog.ini
c:\program files\FlashGet Network\FlashGet universal\Langs\FGXL_ENG\FlashgetAbout.ini
c:\program files\FlashGet Network\FlashGet universal\Langs\FGXL_ENG\FlashGetDlg.ini
c:\program files\FlashGet Network\FlashGet universal\Langs\FGXL_ENG\FSUStatusBar.ini
c:\program files\FlashGet Network\FlashGet universal\Langs\FGXL_ENG\GarageLoginDialog.ini
c:\program files\FlashGet Network\FlashGet universal\Langs\FGXL_ENG\GarageView.ini
c:\program files\FlashGet Network\FlashGet universal\Langs\FGXL_ENG\HotResource.ini
c:\program files\FlashGet Network\FlashGet universal\Langs\FGXL_ENG\HpFpOption.ini
c:\program files\FlashGet Network\FlashGet universal\Langs\FGXL_ENG\Info.ini
c:\program files\FlashGet Network\FlashGet universal\Langs\FGXL_ENG\LogsOutput.ini
c:\program files\FlashGet Network\FlashGet universal\Langs\FGXL_ENG\MACReader.ini
c:\program files\FlashGet Network\FlashGet universal\Langs\FGXL_ENG\MainMenu.ini
c:\program files\FlashGet Network\FlashGet universal\Langs\FGXL_ENG\MainToolbar.ini
c:\program files\FlashGet Network\FlashGet universal\Langs\FGXL_ENG\MonitorOption.ini
c:\program files\FlashGet Network\FlashGet universal\Langs\FGXL_ENG\NormalOption.ini
c:\program files\FlashGet Network\FlashGet universal\Langs\FGXL_ENG\NotifyOption.ini
c:\program files\FlashGet Network\FlashGet universal\Langs\FGXL_ENG\Option.ini
c:\program files\FlashGet Network\FlashGet universal\Langs\FGXL_ENG\P4PPluginMain.ini
c:\program files\FlashGet Network\FlashGet universal\Langs\FGXL_ENG\ProxySetting.ini
c:\program files\FlashGet Network\FlashGet universal\Langs\FGXL_ENG\SearchBar.ini
c:\program files\FlashGet Network\FlashGet universal\Langs\FGXL_ENG\Security.ini
c:\program files\FlashGet Network\FlashGet universal\Langs\FGXL_ENG\SecurityOption.ini
c:\program files\FlashGet Network\FlashGet universal\Langs\FGXL_ENG\SecurityScan.ini
c:\program files\FlashGet Network\FlashGet universal\Langs\FGXL_ENG\SecurityToolbar.ini
c:\program files\FlashGet Network\FlashGet universal\Langs\FGXL_ENG\Shutdown.ini
c:\program files\FlashGet Network\FlashGet universal\Langs\FGXL_ENG\StatusBar.ini
c:\program files\FlashGet Network\FlashGet universal\Langs\FGXL_ENG\TaskDefOption.ini
c:\program files\FlashGet Network\FlashGet universal\Langs\FGXL_ENG\TaskListView.ini
c:\program files\FlashGet Network\FlashGet universal\Langs\FGXL_ENG\TaskNotify.ini
c:\program files\FlashGet Network\FlashGet universal\Langs\FGXL_ENG\UserListCtrl.ini
c:\program files\FlashGet Network\FlashGet universal\Langs\FGXL_ENG\XpEnhance.ini
c:\program files\FlashGet Network\FlashGet universal\libupnp.dll
c:\program files\FlashGet Network\FlashGet universal\LiveUpdateUI.dll
c:\program files\FlashGet Network\FlashGet universal\modules\ComHelper\ComHelper.dll
c:\program files\FlashGet Network\FlashGet universal\modules\ComHelper\Info.ini
c:\program files\FlashGet Network\FlashGet universal\modules\Downstat\Downstat.dll
c:\program files\FlashGet Network\FlashGet universal\modules\Downstat\Info.ini
c:\program files\FlashGet Network\FlashGet universal\modules\P4pclient\Info.ini
c:\program files\FlashGet Network\FlashGet universal\modules\P4pclient\P4pclient.dll
c:\program files\FlashGet Network\FlashGet universal\modules\P4pclient\Thumbs.db
c:\program files\FlashGet Network\FlashGet universal\modules\SearchTop\Info.ini
c:\program files\FlashGet Network\FlashGet universal\modules\SearchTop\Resource.ini
c:\program files\FlashGet Network\FlashGet universal\modules\SearchTop\Resource\iexplorer.bmp
c:\program files\FlashGet Network\FlashGet universal\modules\SearchTop\Resource\resource.bmp
c:\program files\FlashGet Network\FlashGet universal\modules\SearchTop\Resource\resource.xml
c:\program files\FlashGet Network\FlashGet universal\modules\SearchTop\Resource\search.bmp
c:\program files\FlashGet Network\FlashGet universal\modules\SearchTop\Resource\subscribe.bmp
c:\program files\FlashGet Network\FlashGet universal\modules\SearchTop\Resource\Thumbs.db
c:\program files\FlashGet Network\FlashGet universal\modules\SearchTop\SearchTop.dll
c:\program files\FlashGet Network\FlashGet universal\modules\Security\FunctionalRepair.bmp
c:\program files\FlashGet Network\FlashGet universal\modules\Security\Info.ini
c:\program files\FlashGet Network\FlashGet universal\modules\Security\Scanning.bmp
c:\program files\FlashGet Network\FlashGet universal\modules\Security\Security.bmp
c:\program files\FlashGet Network\FlashGet universal\modules\Security\SECURITY.dll
c:\program files\FlashGet Network\FlashGet universal\modules\Security\Security.xml
c:\program files\FlashGet Network\FlashGet universal\modules\Security\SystemFix.bmp
c:\program files\FlashGet Network\FlashGet universal\modules\SnapShot\Info.ini
c:\program files\FlashGet Network\FlashGet universal\modules\SnapShot\SamplerCli.dll
c:\program files\FlashGet Network\FlashGet universal\modules\SnapShot\SnapShot.dll
c:\program files\FlashGet Network\FlashGet universal\modules\tasknotifier\Info.ini
c:\program files\FlashGet Network\FlashGet universal\modules\tasknotifier\tasknotifier.dll
c:\program files\FlashGet Network\FlashGet universal\P2PCfg.ini
c:\program files\FlashGet Network\FlashGet universal\P2PCore.dll
c:\program files\FlashGet Network\FlashGet universal\p2pprot.dll
c:\program files\FlashGet Network\FlashGet universal\p2snetio.dll
c:\program files\FlashGet Network\FlashGet universal\p2spmgr.dll
c:\program files\FlashGet Network\FlashGet universal\p2spmgr.ini
c:\program files\FlashGet Network\FlashGet universal\p2sprot.dll
c:\program files\FlashGet Network\FlashGet universal\p2spwrap.dll
c:\program files\FlashGet Network\FlashGet universal\p4spmgr.ini
c:\program files\FlashGet Network\FlashGet universal\Profiles\config.dat
c:\program files\FlashGet Network\FlashGet universal\Profiles\tasks.dat
c:\program files\FlashGet Network\FlashGet universal\Skins\close_default.bmp
c:\program files\FlashGet Network\FlashGet universal\Skins\close_press.bmp
c:\program files\FlashGet Network\FlashGet universal\Skins\close_select.bmp
c:\program files\FlashGet Network\FlashGet universal\Skins\max_default.bmp
c:\program files\FlashGet Network\FlashGet universal\Skins\max_press.bmp
c:\program files\FlashGet Network\FlashGet universal\Skins\max_select.bmp
c:\program files\FlashGet Network\FlashGet universal\Skins\min_default.bmp
c:\program files\FlashGet Network\FlashGet universal\Skins\min_press.bmp
c:\program files\FlashGet Network\FlashGet universal\Skins\min_select.bmp
c:\program files\FlashGet Network\FlashGet universal\Skins\notify.wav
c:\program files\FlashGet Network\FlashGet universal\Skins\notify_board.bmp
c:\program files\FlashGet Network\FlashGet universal\Skins\notify_icon.bmp
c:\program files\FlashGet Network\FlashGet universal\Skins\ShadowGrayBlue\BrowserBarCT\Back.bmp
c:\program files\FlashGet Network\FlashGet universal\Skins\ShadowGrayBlue\BrowserBarCT\Backward.bmp
c:\program files\FlashGet Network\FlashGet universal\Skins\ShadowGrayBlue\BrowserBarCT\BrowserBarCT.xml
c:\program files\FlashGet Network\FlashGet universal\Skins\ShadowGrayBlue\BrowserBarCT\FlashgetResource.bmp
c:\program files\FlashGet Network\FlashGet universal\Skins\ShadowGrayBlue\BrowserBarCT\Forward.bmp
c:\program files\FlashGet Network\FlashGet universal\Skins\ShadowGrayBlue\BrowserBarCT\Home.bmp
c:\program files\FlashGet Network\FlashGet universal\Skins\ShadowGrayBlue\BrowserBarDisableCT\Backward.bmp
c:\program files\FlashGet Network\FlashGet universal\Skins\ShadowGrayBlue\BrowserBarDisableCT\BrowserBarDisableCT.xml
c:\program files\FlashGet Network\FlashGet universal\Skins\ShadowGrayBlue\BrowserBarDisableCT\Forward.bmp
c:\program files\FlashGet Network\FlashGet universal\Skins\ShadowGrayBlue\BrowserBarDisableCT\Home.bmp
c:\program files\FlashGet Network\FlashGet universal\Skins\ShadowGrayBlue\BrowserBarDisableCT\Resource.bmp
c:\program files\FlashGet Network\FlashGet universal\Skins\ShadowGrayBlue\CategoryTreeCT\Available.bmp
c:\program files\FlashGet Network\FlashGet universal\Skins\ShadowGrayBlue\CategoryTreeCT\CategoryTreeCT.xml
c:\program files\FlashGet Network\FlashGet universal\Skins\ShadowGrayBlue\CategoryTreeCT\Downloaded.bmp
c:\program files\FlashGet Network\FlashGet universal\Skins\ShadowGrayBlue\CategoryTreeCT\Downloading.bmp
c:\program files\FlashGet Network\FlashGet universal\Skins\ShadowGrayBlue\CategoryTreeCT\Favorite.bmp
c:\program files\FlashGet Network\FlashGet universal\Skins\ShadowGrayBlue\CategoryTreeCT\Flashget.bmp
c:\program files\FlashGet Network\FlashGet universal\Skins\ShadowGrayBlue\CategoryTreeCT\Release.bmp
c:\program files\FlashGet Network\FlashGet universal\Skins\ShadowGrayBlue\CategoryTreeCT\Rubbish.bmp
c:\program files\FlashGet Network\FlashGet universal\Skins\ShadowGrayBlue\CategoryTreeCT\Search.bmp
c:\program files\FlashGet Network\FlashGet universal\Skins\ShadowGrayBlue\ExpBar\Expbar.xml
c:\program files\FlashGet Network\FlashGet universal\Skins\ShadowGrayBlue\ExpBar\garage.bmp
c:\program files\FlashGet Network\FlashGet universal\Skins\ShadowGrayBlue\ExpBar\resource.bmp
c:\program files\FlashGet Network\FlashGet universal\Skins\ShadowGrayBlue\ExpBar\transfer.bmp
c:\program files\FlashGet Network\FlashGet universal\Skins\ShadowGrayBlue\GlobalOptionCT\BT.bmp
c:\program files\FlashGet Network\FlashGet universal\Skins\ShadowGrayBlue\GlobalOptionCT\EM.bmp
c:\program files\FlashGet Network\FlashGet universal\Skins\ShadowGrayBlue\GlobalOptionCT\GlobalOptionCT.xml
c:\program files\FlashGet Network\FlashGet universal\Skins\ShadowGrayBlue\GlobalOptionCT\HpFp.bmp
c:\program files\FlashGet Network\FlashGet universal\Skins\ShadowGrayBlue\GlobalOptionCT\Monitor.bmp
c:\program files\FlashGet Network\FlashGet universal\Skins\ShadowGrayBlue\GlobalOptionCT\Normal.bmp
c:\program files\FlashGet Network\FlashGet universal\Skins\ShadowGrayBlue\GlobalOptionCT\Notify.bmp
c:\program files\FlashGet Network\FlashGet universal\Skins\ShadowGrayBlue\GlobalOptionCT\Proxy.bmp
c:\program files\FlashGet Network\FlashGet universal\Skins\ShadowGrayBlue\GlobalOptionCT\TaskDef.bmp
c:\program files\FlashGet Network\FlashGet universal\Skins\ShadowGrayBlue\Info.ini
c:\program files\FlashGet Network\FlashGet universal\Skins\ShadowGrayBlue\MainMenuCT\About.bmp
c:\program files\FlashGet Network\FlashGet universal\Skins\ShadowGrayBlue\MainMenuCT\DeleteTask.bmp
c:\program files\FlashGet Network\FlashGet universal\Skins\ShadowGrayBlue\MainMenuCT\folder.bmp
c:\program files\FlashGet Network\FlashGet universal\Skins\ShadowGrayBlue\MainMenuCT\MainMenuCT.xml
c:\program files\FlashGet Network\FlashGet universal\Skins\ShadowGrayBlue\MainMenuCT\MoveDownTask.bmp
c:\program files\FlashGet Network\FlashGet universal\Skins\ShadowGrayBlue\MainMenuCT\MoveUpTask.bmp
c:\program files\FlashGet Network\FlashGet universal\Skins\ShadowGrayBlue\MainMenuCT\NewTask.bmp
c:\program files\FlashGet Network\FlashGet universal\Skins\ShadowGrayBlue\MainMenuCT\open.bmp
c:\program files\FlashGet Network\FlashGet universal\Skins\ShadowGrayBlue\MainMenuCT\Option.bmp
c:\program files\FlashGet Network\FlashGet universal\Skins\ShadowGrayBlue\MainMenuCT\PauseTask.bmp
c:\program files\FlashGet Network\FlashGet universal\Skins\ShadowGrayBlue\MainMenuCT\Resource.bmp
c:\program files\FlashGet Network\FlashGet universal\Skins\ShadowGrayBlue\MainMenuCT\StartTask.bmp
c:\program files\FlashGet Network\FlashGet universal\Skins\ShadowGrayBlue\MainMenuCT\TaskProperties.bmp
c:\program files\FlashGet Network\FlashGet universal\Skins\ShadowGrayBlue\MainToolbarCT\About.bmp
c:\program files\FlashGet Network\FlashGet universal\Skins\ShadowGrayBlue\MainToolbarCT\DeleteTask.bmp
c:\program files\FlashGet Network\FlashGet universal\Skins\ShadowGrayBlue\MainToolbarCT\Folder.bmp
c:\program files\FlashGet Network\FlashGet universal\Skins\ShadowGrayBlue\MainToolbarCT\MainToolbarCT.xml
c:\program files\FlashGet Network\FlashGet universal\Skins\ShadowGrayBlue\MainToolbarCT\NewTask.bmp
c:\program files\FlashGet Network\FlashGet universal\Skins\ShadowGrayBlue\MainToolbarCT\Open.bmp
c:\program files\FlashGet Network\FlashGet universal\Skins\ShadowGrayBlue\MainToolbarCT\Option.bmp
c:\program files\FlashGet Network\FlashGet universal\Skins\ShadowGrayBlue\MainToolbarCT\PauseTask.bmp
c:\program files\FlashGet Network\FlashGet universal\Skins\ShadowGrayBlue\MainToolbarCT\Resource.bmp
c:\program files\FlashGet Network\FlashGet universal\Skins\ShadowGrayBlue\MainToolbarCT\StartTask.bmp
c:\program files\FlashGet Network\FlashGet universal\Skins\ShadowGrayBlue\MainToolbarCT\TaskProperties.bmp
c:\program files\FlashGet Network\FlashGet universal\Skins\ShadowGrayBlue\MainToolbarDisableCT\About.bmp
c:\program files\FlashGet Network\FlashGet universal\Skins\ShadowGrayBlue\MainToolbarDisableCT\DeleteTask.bmp
c:\program files\FlashGet Network\FlashGet universal\Skins\ShadowGrayBlue\MainToolbarDisableCT\Folder.bmp
c:\program files\FlashGet Network\FlashGet universal\Skins\ShadowGrayBlue\MainToolbarDisableCT\MainToolbarDisableCT.xml
c:\program files\FlashGet Network\FlashGet universal\Skins\ShadowGrayBlue\MainToolbarDisableCT\NewTask.bmp
c:\program files\FlashGet Network\FlashGet universal\Skins\ShadowGrayBlue\MainToolbarDisableCT\Open.bmp
c:\program files\FlashGet Network\FlashGet universal\Skins\ShadowGrayBlue\MainToolbarDisableCT\Option.bmp
c:\program files\FlashGet Network\FlashGet universal\Skins\ShadowGrayBlue\MainToolbarDisableCT\PauseTask.bmp
c:\program files\FlashGet Network\FlashGet universal\Skins\ShadowGrayBlue\MainToolbarDisableCT\Resource.bmp
c:\program files\FlashGet Network\FlashGet universal\Skins\ShadowGrayBlue\MainToolbarDisableCT\StartTask.bmp
c:\program files\FlashGet Network\FlashGet universal\Skins\ShadowGrayBlue\MainToolbarDisableCT\TaskProperties.bmp
c:\program files\FlashGet Network\FlashGet universal\Skins\ShadowGrayBlue\Monitor\InfoBkg.Bmp
c:\program files\FlashGet Network\FlashGet universal\Skins\ShadowGrayBlue\Monitor\MonitorBkg.bmp
c:\program files\FlashGet Network\FlashGet universal\Skins\ShadowGrayBlue\OutpuLogCT\Down.bmp
c:\program files\FlashGet Network\FlashGet universal\Skins\ShadowGrayBlue\OutpuLogCT\Error.bmp
c:\program files\FlashGet Network\FlashGet universal\Skins\ShadowGrayBlue\OutpuLogCT\Normal.bmp
c:\program files\FlashGet Network\FlashGet universal\Skins\ShadowGrayBlue\OutpuLogCT\OutpuLogCT.xml
c:\program files\FlashGet Network\FlashGet universal\Skins\ShadowGrayBlue\OutpuLogCT\Up.bmp
c:\program files\FlashGet Network\FlashGet universal\Skins\ShadowGrayBlue\SobarIconCT\All.bmp
c:\program files\FlashGet Network\FlashGet universal\Skins\ShadowGrayBlue\SobarIconCT\Book.bmp
c:\program files\FlashGet Network\FlashGet universal\Skins\ShadowGrayBlue\SobarIconCT\Bt.bmp
c:\program files\FlashGet Network\FlashGet universal\Skins\ShadowGrayBlue\SobarIconCT\Game.bmp
c:\program files\FlashGet Network\FlashGet universal\Skins\ShadowGrayBlue\SobarIconCT\Movie.bmp
c:\program files\FlashGet Network\FlashGet universal\Skins\ShadowGrayBlue\SobarIconCT\Music.bmp
c:\program files\FlashGet Network\FlashGet universal\Skins\ShadowGrayBlue\SobarIconCT\Phone.bmp
c:\program files\FlashGet Network\FlashGet universal\Skins\ShadowGrayBlue\SobarIconCT\Picture.bmp
c:\program files\FlashGet Network\FlashGet universal\Skins\ShadowGrayBlue\SobarIconCT\SobarIconCT.xml
c:\program files\FlashGet Network\FlashGet universal\Skins\ShadowGrayBlue\SobarIconCT\Software.bmp
c:\program files\FlashGet Network\FlashGet universal\Skins\ShadowGrayBlue\TaskListCT\Error.bmp
c:\program files\FlashGet Network\FlashGet universal\Skins\ShadowGrayBlue\TaskListCT\hashing.bmp
c:\program files\FlashGet Network\FlashGet universal\Skins\ShadowGrayBlue\TaskListCT\OK.bmp
c:\program files\FlashGet Network\FlashGet universal\Skins\ShadowGrayBlue\TaskListCT\Pause.bmp
c:\program files\FlashGet Network\FlashGet universal\Skins\ShadowGrayBlue\TaskListCT\Pin.bmp
c:\program files\FlashGet Network\FlashGet universal\Skins\ShadowGrayBlue\TaskListCT\Schedule.bmp
c:\program files\FlashGet Network\FlashGet universal\Skins\ShadowGrayBlue\TaskListCT\Start.bmp
c:\program files\FlashGet Network\FlashGet universal\Skins\ShadowGrayBlue\TaskListCT\TaskListCT.xml
c:\program files\FlashGet Network\FlashGet universal\Skins\ShadowGrayBlue\TaskListCT\Upload.bmp
c:\program files\FlashGet Network\FlashGet universal\Skins\ShadowGrayBlue\TaskListCT\Wait.bmp
c:\program files\FlashGet Network\FlashGet universal\Skins\Thumbs.db
c:\program files\FlashGet Network\FlashGet universal\storage.dll
c:\program files\FlashGet Network\FlashGet universal\SysOpt.exe
c:\program files\FlashGet Network\FlashGet universal\transaction.log
c:\program files\FlashGet Network\FlashGet universal\uninst.exe
c:\program files\FlashGet Network\FlashGet universal\zlib.dll
d:\$recycle.bin\{5F229C11-5039-40E4-8537-6950BB1C9ECC}
D:\autorun.inf

.
((((((((((((((((((((((((( Files Created from 2009-08-26 to 2009-09-26 )))))))))))))))))))))))))))))))
.

2009-09-24 08:25 . 2009-09-24 08:25 -------- d-----w- C:\RRTVAULT
2009-09-23 08:02 . 2009-09-23 08:02 10752 ----a-w- c:\windows\DCEBoot.exe
2009-09-23 03:19 . 2009-09-23 03:19 -------- d-----w- c:\documents and settings\Great User\DoctorWeb
2009-09-22 07:15 . 2009-09-22 07:15 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-09-22 07:15 . 2009-09-22 07:15 -------- d-----w- c:\documents and settings\Great User\Application Data\SUPERAntiSpyware.com
2009-09-22 05:08 . 2009-09-22 05:08 -------- d-----w- c:\documents and settings\Great User\Application Data\Malwarebytes
2009-09-22 05:07 . 2009-09-10 06:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-22 05:07 . 2009-09-22 05:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-09-22 05:07 . 2009-09-10 06:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-21 11:07 . 2009-09-21 11:07 0 ----a-w- C:\settings.dat
2009-09-21 09:48 . 2009-09-21 09:48 -------- d-----w- c:\documents and settings\Great User\Local Settings\Application Data\UCPRO
2009-09-21 09:35 . 2009-09-21 09:35 -------- d-----w- C:\windowscopy
2009-09-21 09:35 . 2009-09-21 09:35 -------- d-----w- c:\documents and settings\Great User\Local Settings\Application Data\wj32
2009-09-20 08:30 . 2009-09-21 10:56 62 ----a-w- c:\windows\popcinfo.dat
2009-09-20 07:19 . 2009-09-04 09:44 515416 ----a-w- c:\windows\system32\XAudio2_5.dll
2009-09-20 07:19 . 2009-09-04 09:44 238936 ----a-w- c:\windows\system32\xactengine3_5.dll
2009-09-20 07:19 . 2009-09-04 09:29 5501792 ----a-w- c:\windows\system32\d3dcsx_42.dll
2009-09-20 07:19 . 2009-09-04 09:29 1974616 ----a-w- c:\windows\system32\D3DCompiler_42.dll
2009-09-20 07:19 . 2009-09-04 09:29 453456 ----a-w- c:\windows\system32\d3dx10_42.dll
2009-09-20 07:19 . 2009-09-04 09:29 235344 ----a-w- c:\windows\system32\d3dx11_42.dll
2009-09-20 07:19 . 2009-09-04 09:29 1892184 ----a-w- c:\windows\system32\D3DX9_42.dll
2009-09-20 04:40 . 2009-09-20 07:04 4096 ----a-w- c:\windows\system32\detoured.dll
2009-09-20 02:43 . 2009-09-26 03:29 94209 ----a-w- c:\windows\system32\Paint.exe
2009-09-20 02:11 . 2009-09-20 02:12 -------- d-----w- c:\documents and settings\Great User\Application Data\Media Player Classic
2009-09-19 17:12 . 2009-09-25 04:24 -------- d-----w- C:\$AVG8.VAULT$
2009-09-19 17:07 . 2009-09-21 09:35 -------- d-----w- c:\documents and settings\Great User\Local Settings\Application Data\Cyberlink
2009-09-19 17:07 . 2009-09-19 17:07 -------- d-----w- c:\documents and settings\Great User\Application Data\CyberLink
2009-09-19 15:56 . 2009-09-19 15:56 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-09-19 15:56 . 2009-09-19 15:56 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-09-19 15:56 . 2009-09-19 15:56 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-09-19 15:56 . 2009-09-19 15:56 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-09-19 15:56 . 2009-09-26 02:52 -------- d-----w- c:\windows\system32\drivers\Avg
2009-09-19 15:55 . 2009-09-23 08:04 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-09-19 15:55 . 2009-09-19 15:55 -------- d-----w- c:\program files\AVG
2009-09-19 15:32 . 2009-09-19 15:32 -------- d-----w- c:\documents and settings\Great User\Application Data\AVG8
2009-09-19 15:28 . 2009-09-19 15:28 -------- d-----w- c:\documents and settings\All Users\Application Data\FLEXnet
2009-09-19 15:18 . 2009-09-21 08:12 1253 ----a-w- c:\windows\War3Unin.dat
2009-09-19 15:18 . 2009-09-19 15:18 139264 ----a-w- c:\windows\War3Unin.exe
2009-09-19 15:10 . 2009-09-26 02:55 -------- d-----w- c:\documents and settings\Great User\Tracing
2009-09-19 15:06 . 2009-09-19 15:06 0 ----a-w- c:\windows\nsreg.dat
2009-09-19 15:06 . 2009-09-19 15:06 -------- d-----w- c:\documents and settings\Great User\Local Settings\Application Data\Mozilla
2009-09-19 15:03 . 2009-09-26 03:28 -------- d-----w- C:\Downloads
2009-09-19 10:50 . 2009-09-25 17:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Autodesk
2009-09-19 10:50 . 2009-09-25 17:49 -------- d-----w- c:\documents and settings\Great User\Application Data\Autodesk
2009-09-19 10:50 . 2009-09-19 10:50 -------- d-----w- c:\documents and settings\Great User\Local Settings\Application Data\Autodesk
2009-09-19 10:49 . 2009-09-25 18:01 482176 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-09-19 10:47 . 2009-09-19 10:47 -------- d-----w- c:\windows\system32\XPSViewer
2009-09-19 10:47 . 2009-09-19 10:47 -------- d-----w- c:\program files\Reference Assemblies
2009-09-19 10:47 . 2006-06-29 05:07 14048 ------w- c:\windows\system32\spmsg2.dll
2009-09-19 10:42 . 2009-09-19 10:42 -------- d-----w- c:\program files\Google
2009-09-19 10:38 . 2009-09-19 10:38 -------- d-----w- c:\documents and settings\Great User\Application Data\Apple Computer
2009-09-19 10:38 . 2009-09-19 10:38 -------- d-----w- c:\documents and settings\Great User\Local Settings\Application Data\Apple Computer
2009-09-19 10:37 . 2009-09-19 10:51 122376 ----a-w- c:\documents and settings\Great User\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-19 10:37 . 2009-09-19 10:38 -------- d-----w- c:\documents and settings\Great User\Local Settings\Application Data\Adobe
2009-09-19 10:37 . 2009-09-20 06:14 -------- d-----w- c:\documents and settings\Great User\Local Settings\Application Data\Ahead
2009-09-19 10:32 . 2009-09-19 10:32 -------- d-----w- c:\program files\AGEIA Technologies
2009-09-19 10:32 . 2009-09-19 10:32 -------- d-----w- c:\windows\system32\AGEIA
2009-09-19 10:32 . 2009-09-22 07:15 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-09-19 10:32 . 2009-06-09 22:03 457248 ----a-w- c:\windows\system32\nvudisp.exe
2009-09-19 10:31 . 2009-06-21 00:46 485920 ----a-w- c:\windows\system32\NVUNINST.EXE
2009-09-19 10:30 . 2009-09-19 10:31 -------- d-----w- C:\NVIDIA

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-21 10:54 . 2009-08-07 10:14 -------- d-----w- c:\program files\Mummy Maze Deluxe
2009-09-21 09:40 . 2004-08-04 11:00 146432 ----a-w- c:\windows\regedit.exe
2009-09-21 09:07 . 2009-08-07 10:21 -------- d---a-w- c:\documents and settings\All Users\Application Data\Temp
2009-09-21 04:43 . 2009-08-07 10:14 -------- d-----w- c:\program files\Heavy Weapon
2009-09-20 10:34 . 2009-08-07 10:20 5 ----a-w- c:\windows\system32\SySCut.dat
2009-09-20 08:30 . 2009-08-07 10:15 -------- d-----w- c:\program files\Pixelus Deluxe
2009-09-19 10:49 . 2009-08-07 12:26 -------- d-----w- c:\program files\MSBuild
2009-09-19 10:15 . 2009-08-07 10:19 -------- d-----w- c:\program files\Total Video Converter
2009-09-04 09:44 . 2009-08-07 10:14 69464 ----a-w- c:\windows\system32\XAPOFX1_3.dll
2009-08-19 09:06 . 2009-08-07 12:30 -------- d-----w- c:\program files\K-Lite Codec Pack
2009-08-19 08:55 . 2009-08-19 08:55 -------- d-----w- c:\program files\Bonjour
2009-08-19 08:55 . 2009-08-07 12:28 -------- d-----w- c:\program files\Common Files\Adobe
2009-08-19 08:51 . 2009-08-19 08:51 -------- d-----w- c:\program files\Common Files\Macrovision Shared
2009-08-19 08:48 . 2009-08-19 08:48 -------- d-----w- c:\documents and settings\Great User\Application Data\ACD Systems
2009-08-19 08:48 . 2009-08-19 08:48 -------- d-----w- c:\program files\Common Files\ACD Systems
2009-08-19 08:48 . 2009-08-19 08:48 -------- d-----w- c:\documents and settings\All Users\Application Data\ACD Systems
2009-08-19 08:48 . 2009-08-19 08:48 -------- d-----w- c:\program files\ACD Systems
2009-08-19 08:29 . 2009-08-07 09:59 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-08-19 08:20 . 2009-08-07 10:11 17488 ----a-w- c:\windows\gdrv.sys
2009-08-13 03:14 . 2009-08-13 03:14 472064 ----a-w- C:\RootRepeal.exe
2009-08-07 12:30 . 2009-08-07 12:30 -------- d-----w- c:\program files\QuickTime
2009-08-07 12:30 . 2009-08-07 12:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2009-08-07 12:30 . 2009-08-07 12:30 -------- d-----w- c:\program files\Apple Software Update
2009-08-07 12:30 . 2009-08-07 12:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2009-08-07 12:29 . 2009-08-07 12:29 -------- d-----w- c:\program files\Common Files\xing shared
2009-08-07 12:29 . 2009-08-07 12:29 -------- d-----w- c:\program files\Real
2009-08-07 12:29 . 2009-08-07 12:29 -------- d-----w- c:\program files\Common Files\Real
2009-08-07 12:29 . 2009-08-07 10:22 499712 ----a-w- c:\windows\system32\msvcp71.dll
2009-08-07 12:29 . 2009-08-07 10:22 348160 ----a-w- c:\windows\system32\msvcr71.dll
2009-08-07 12:28 . 2009-08-07 12:23 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-08-07 12:26 . 2009-08-07 12:26 -------- d-----w- c:\program files\Microsoft Works
2009-08-07 12:26 . 2009-08-07 12:26 -------- d-----w- c:\program files\Microsoft.NET
2009-08-07 12:24 . 2009-08-07 12:24 -------- d-----w- c:\program files\Microsoft Visual Studio 8
2009-08-07 10:31 . 2009-08-07 10:31 -------- d-----w- c:\program files\Microsoft Silverlight
2009-08-07 10:31 . 2009-08-07 10:28 -------- d-----w- c:\program files\Windows Live
2009-08-07 10:30 . 2009-08-07 10:30 -------- d-----w- c:\program files\Microsoft SQL Server Compact Edition
2009-08-07 10:29 . 2009-08-07 10:29 -------- d-----w- c:\program files\Microsoft
2009-08-07 10:29 . 2009-08-07 10:29 -------- d-----w- c:\program files\Windows Live SkyDrive
2009-08-07 10:27 . 2009-08-07 10:27 -------- d-----w- c:\program files\Common Files\Windows Live
2009-08-07 10:25 . 2009-08-07 10:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo!
2009-08-07 10:24 . 2009-08-07 10:24 -------- d-----w- c:\program files\Yahoo!
2009-08-07 10:23 . 2009-08-07 10:23 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-08-07 10:23 . 2009-08-07 10:23 -------- d-----w- c:\program files\Java
2009-08-07 10:23 . 2009-08-07 10:23 -------- d-----r- c:\program files\Skype
2009-08-07 10:23 . 2009-08-07 10:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2009-08-07 10:22 . 2009-08-07 10:22 -------- d-----w- c:\documents and settings\All Users\Application Data\CyberLink
2009-08-07 10:22 . 2009-08-07 10:22 -------- d-----w- c:\program files\Common Files\CyberLink
2009-08-07 10:22 . 2009-08-07 10:22 -------- d-----w- c:\program files\CyberLink
2009-08-07 10:21 . 2009-08-07 10:22 29480 ----a-w- c:\windows\system32\msxml3a.dll
2009-08-07 10:20 . 2009-08-07 10:20 -------- d-----w- c:\program files\SuperAudiotool
2009-08-07 10:20 . 2009-08-07 10:20 -------- d-----w- c:\program files\MP3 Workshop
2009-08-07 10:18 . 2009-08-07 10:16 -------- d-----w- c:\program files\Common Files\Ahead
2009-08-07 10:17 . 2009-08-07 10:17 -------- d-----w- c:\program files\7-Zip
2009-08-07 10:16 . 2009-08-07 10:16 -------- d-----w- c:\program files\Nero
2009-08-07 10:16 . 2009-08-07 10:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Nero
2009-08-07 10:15 . 2009-08-07 10:14 -------- d-----w- c:\program files\Bejeweled 2 Deluxe
2009-08-07 10:15 . 2009-08-07 10:15 -------- d-----w- c:\program files\Seven Seas Deluxe
2009-08-07 10:15 . 2009-08-07 10:15 -------- d-----w- c:\program files\Rocket Mania
2009-08-07 10:15 . 2009-08-07 10:15 -------- d-----w- c:\program files\Dynomite
2009-08-07 10:15 . 2009-08-07 10:15 -------- d-----w- c:\program files\Insaniquarium Deluxe
2009-08-07 10:14 . 2009-08-07 10:14 -------- d-----w- c:\program files\AstroPop Deluxe
2009-08-07 10:14 . 2009-08-07 10:14 -------- d-----w- c:\program files\Atomica Deluxe
2009-08-07 10:14 . 2009-08-07 10:14 -------- d-----w- c:\program files\Bejeweled
2009-08-07 10:14 . 2009-08-07 10:14 -------- d-----w- c:\program files\Big Money Deluxe
2009-08-07 10:14 . 2009-08-07 10:14 -------- d-----w- c:\program files\BookWorm Deluxe
2009-08-07 10:14 . 2009-08-07 10:14 -------- d-----w- c:\program files\NingPo MahJong Deluxe
2009-08-07 10:14 . 2009-08-07 10:14 -------- d-----w- c:\program files\Noah's Ark Deluxe
2009-08-07 10:14 . 2009-08-07 10:14 -------- d-----w- c:\program files\Alchemy
2009-08-07 10:14 . 2009-08-07 10:14 -------- d-----w- c:\program files\Zuma Deluxe
2009-08-07 10:14 . 2009-08-07 10:14 -------- d-----w- c:\program files\Typer Shark
2009-08-07 10:07 . 2009-08-07 10:07 -------- d-----w- c:\program files\Realtek
2009-08-07 10:00 . 2009-08-07 10:00 -------- d-----w- c:\program files\Intel
2009-08-07 09:59 . 2009-08-07 09:59 -------- d-----w- c:\program files\Common Files\InstallShield
2009-08-07 09:54 . 2009-08-07 09:54 -------- d-----w- c:\program files\microsoft frontpage
2009-08-07 09:53 . 2009-08-07 09:53 -------- d-----w- c:\program files\Windows Media Connect 2
2009-08-07 09:50 . 2009-08-07 09:50 21640 ----a-w- c:\windows\system32\emptyregdb.dat
.

------- Sigcheck -------

[-] 2008-04-01 . 32272BF10467C8ACF1F83138C61D541E . 1580544 . . [5.1.2600.2180] . . c:\windows\system32\sfcfiles.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-02-06 3885408]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-12-23 143360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-01-21 134656]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-01-21 134656]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-01-21 166912]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-06-10 13758464]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-06-10 86016]
"AVG8_TRAY"="d:\progra~1\AVG8~1.5\avgtray.exe" [2009-09-19 2007832]
"mspaint"="c:\windows\system32\Paint.exe" [2009-09-26 94209]
"Malwarebytes Anti-Malware (reboot)"="d:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.EXE [2009-01-13 18084864]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2009-06-10 1657376]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "d:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 07:21 548352 ----a-w- d:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-09-19 15:56 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD9\\PowerDVD Cinema\\PowerDVDCinema.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD9\\PowerDVD9.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"d:\\Program Files\\AVG 8.5\\avgupd.exe"=
"d:\\Program Files\\AVG 8.5\\avgnsx.exe"=
"d:\\Program Files\\BitComet\\BitComet.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3639:TCP"= 3639:TCP:hrokix
"9453:TCP"= 9453:TCP:BitComet 9453 TCP
"9453:UDP"= 9453:UDP:BitComet 9453 UDP

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [9/19/2009 11:56 PM 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [9/19/2009 11:56 PM 108552]
R1 SASDIFSV;SASDIFSV;d:\program files\SUPERAntiSpyware\sasdifsv.sys [9/15/2009 11:42 AM 9968]
R1 SASKUTIL;SASKUTIL;d:\program files\SUPERAntiSpyware\SASKUTIL.SYS [9/15/2009 11:42 AM 74480]
R2 {B154377D-700F-42cc-9474-23858FBDF4BD};Power Control [2009/08/07 18:22];c:\program files\CyberLink\PowerDVD9\000.fcl [5/7/2009 9:05 PM 87536]
R2 avg8wd;AVG Free8 WatchDog;d:\progra~1\AVG8~1.5\avgwdsvc.exe [9/19/2009 11:55 PM 297752]
R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [8/7/2009 6:31 PM 55152]
R3 GarenaPEngine;GarenaPEngine;\??\c:\docume~1\GREATU~1\LOCALS~1\Temp\MOP11.tmp --> c:\docume~1\GREATU~1\LOCALS~1\Temp\MOP11.tmp [?]
R3 L1c;NDIS Miniport Driver for Atheros AR8131/AR8132 PCI-E Ethernet Controller;c:\windows\system32\drivers\l1c51x86.sys [8/7/2009 6:09 PM 39424]
S2 fwqkkpf;Monitor Center;c:\windows\system32\svchost.exe -k netsvcs [8/4/2004 7:00 PM 14336]
S3 fsssvc;Windows Live Family Safety;c:\program files\Windows Live\Family Safety\fsssvc.exe [2/6/2009 6:08 PM 533360]
S3 SASENUM;SASENUM;d:\program files\SUPERAntiSpyware\SASENUM.SYS [9/15/2009 11:42 AM 7408]
S4 vrbkipnqo;Driver System;c:\windows\system32\svchost.exe -k netsvcs [8/4/2004 7:00 PM 14336]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
vrbkipnqo
mlqprh
fwqkkpf

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-09-26 c:\windows\Tasks\User_Feed_Synchronization-{DD0CE43B-144F-4F04-96A3-F70F119F16AD}.job
- c:\windows\system32\msfeedssync.exe [2008-04-01 20:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com.my/
uInternet Settings,ProxyOverride = *.local
IE: &D&ownload &with BitComet - d:\program files\BitComet\BitComet.exe/AddLink.htm
IE: &D&ownload all video with BitComet - d:\program files\BitComet\BitComet.exe/AddVideo.htm
IE: &D&ownload all with BitComet - d:\program files\BitComet\BitComet.exe/AddAllLink.htm
IE: &Download All by FlashGet - c:\program files\FlashGet Network\FlashGet universal\ComDlls\Bhoall.htm
IE: &Download by FlashGet - c:\program files\FlashGet Network\FlashGet universal\ComDlls\Bholink.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Great User\Application Data\Mozilla\Firefox\Profiles\m28bqtl0.default\
FF - prefs.js: browser.startup.homepage - www.google.com
FF - prefs.js: network.proxy.type - 4
FF - component: c:\documents and settings\Great User\Application Data\Mozilla\Firefox\Profiles\m28bqtl0.default\extensions\{B042753D-F57E-4e8e-A01B-7379A6D4CEFB}\components\IBitCometExtension.dll
FF - component: d:\program files\AVG 8.5\Firefox\components\avgssff.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-HotKey - c:\documents and settings\Great User\Templates\cache\SFCsrvc.pif
HKLM-Run-HotKey - c:\documents and settings\Great User\Templates\cache\SFCsrvc.pif
HKLM-Run-RRT-Auto - c:\documents and settings\Great User\Desktop\RRT.exe
AddRemove-FlashGet 2.0 - c:\program files\FlashGet Network\FlashGet universal\uninst.exe
AddRemove-InstallShield_{FEFAF112-4DA8-479C-89E2-7DE25091711A} - c:\program files\InstallShield Installation Information\{FEFAF112-4DA8-479C-89E2-7DE25091711A}\Setup.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-26 11:36
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\GarenaPEngine]
"ImagePath"="\??\c:\docume~1\GREATU~1\LOCALS~1\Temp\MOP11.tmp"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\vrbkipnqo]
"ServiceDll"=""

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\{B154377D-700F-42cc-9474-23858FBDF4BD}]
"ImagePath"="\??\c:\program files\CyberLink\PowerDVD9\000.fcl"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\fwqkkpf]
"ServiceDll"="c:\windows\system32\xzoqj.dll"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(696)
d:\program files\SUPERAntiSpyware\SASWINLO.dll
.
Completion time: 2009-09-26 11:36
ComboFix-quarantined-files.txt 2009-09-26 03:36

Pre-Run: 50,904,322,048 bytes free
Post-Run: 51,184,394,240 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect


#6 miekiemoes

    Malware Killer Dog

  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 26 September 2009 - 02:54 AM

Hi,

Looks like you were dealing with other infections as well...

* Open Notepad - don't use any other text editor than Notepad or the script will fail.
Copy/paste the text in the quotebox below into notepad:

Collect::[8]
c:\windows\system32\Paint.exe
Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"mspaint"=-
Driver::
vrbkipnqo
fwqkkpf
NetSvc::
vrbkipnqo
mlqprh
fwqkkpf


Save this as a text file named CFScript.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

[Screenshot: CFScript being dragged onto ComboFix.exe]

This will start ComboFix again.
Then, please visit this site:
http://www.bleepingcomputer.com/submit-malware.php?channel=8
Where it says: "Browse to the file you want to submit", use the Browse button to navigate to the following file: C:\Qoobox\Quarantine\[8]-Submit_date_time.zip (date_time will be replaced with the date and time when this file was created)
Then click the "Send File" button below in order to upload it.

After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
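The pattern the log above shows, and the CFScript above removes, is a classic svchost hijack: random-named entries in the Svchost NetSvcs list (vrbkipnqo, mlqprh, fwqkkpf), one with an empty ServiceDll, one whose ServiceDll is a random DLL in system32 (xzoqj.dll), and one with no registration shown at all. The cross-check a responder does by eye can be automated. The script below is an added example, not part of this thread and not ComboFix's own code; the log excerpt is constructed from the entries in the log above plus a benign wuauserv entry added as an assumption to show a clean case (ComboFix itself omits default entries), and the allow list of DLL names is a trimmed placeholder.

```python
"""Cross-check svchost 'netsvcs' members against their ServiceDll registration.

Added example; not part of the thread and not ComboFix's own code. It reads the
two sections ComboFix prints (the 'Svchost - NetSvcs' list and the per-service
ServiceDll values) and flags group members that have no registration, an empty
ServiceDll, or a DLL that is not on a known-good allow list.
"""
import re
from typing import Dict, List

# Constructed excerpt modelled on the log in this thread.  The wuauserv entry is
# an assumption added to show a clean case; ComboFix itself omits default entries.
SAMPLE_LOG = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
vrbkipnqo
mlqprh
fwqkkpf
wuauserv

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\vrbkipnqo]
"ServiceDll"=""

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\fwqkkpf]
"ServiceDll"="c:\windows\system32\xzoqj.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\wuauserv]
"ServiceDll"="c:\windows\system32\wuauserv.dll"
"""

# Trimmed allow list of DLL file names (assumption; a real check would use the
# full set of DLLs legitimately hosted in netsvcs for the Windows build in question).
KNOWN_GOOD_DLLS = {"wuauserv.dll", "browser.dll", "lanmanserver.dll", "shsvcs.dll"}

NETSVCS_HEADER = re.compile(r"Svchost - NetSvcs\s*$")
SERVICE_KEY = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\System\\ControlSet\d+\\Services\\([^\]]+)\]$", re.I)
SERVICE_DLL = re.compile(r'^"ServiceDll"="(.*)"$', re.I)


def parse_netsvcs(log: str) -> List[str]:
    """Return the service names listed under the 'Svchost - NetSvcs' header."""
    names, collecting = [], False
    for line in log.splitlines():
        if collecting:
            if not line.strip():      # the list ends at the first blank line
                break
            names.append(line.strip())
        elif NETSVCS_HEADER.search(line):
            collecting = True
    return names


def parse_service_dlls(log: str) -> Dict[str, str]:
    """Map each Services\\<name> key in the log to its ServiceDll value."""
    dlls, current = {}, None
    for line in log.splitlines():
        key = SERVICE_KEY.match(line.strip())
        if key:
            current = key.group(1).lower()
            continue
        dll = SERVICE_DLL.match(line.strip())
        if dll and current:
            dlls[current] = dll.group(1)
    return dlls


def audit_netsvcs(log: str) -> Dict[str, str]:
    """Flag netsvcs members whose registration does not look like a real service."""
    dlls = parse_service_dlls(log)
    findings = {}
    for name in parse_netsvcs(log):
        key = name.lower()
        if key not in dlls:
            findings[name] = "no ServiceDll registration found for this netsvcs member"
        elif not dlls[key]:
            findings[name] = "ServiceDll is empty"
        else:
            base = dlls[key].replace("/", "\\").rsplit("\\", 1)[-1].lower()
            if base not in KNOWN_GOOD_DLLS:
                findings[name] = f"ServiceDll {dlls[key]} is not on the allow list"
    return findings


if __name__ == "__main__":
    for svc, reason in audit_netsvcs(SAMPLE_LOG).items():
        print(f"{svc}: {reason}")
```

Run against the constructed excerpt it reports vrbkipnqo (empty ServiceDll), mlqprh (no registration at all) and fwqkkpf (xzoqj.dll not on the allow list) and stays silent on wuauserv. The allow-list step is the one that needs care in practice: a name-only heuristic ("looks random") misses malware that reuses a legitimate-sounding name, whereas checking the DLL path against a build-specific baseline catches the system32 drop regardless of what the service is called.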

#7 Dylanz Of Dylanz
  • Topic Starter

  • Members
  • 171 posts

Posted 26 September 2009 - 04:01 AM

Here is the ComboFix log, and I've submitted the file.

ComboFix 09-09-25.01 - Great User 09/26/2009 16:34.2.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2046.1333 [GMT 8:00]
Running from: c:\documents and settings\Great User\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Great User\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

file zipped: c:\windows\system32\Paint.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\Paint.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_FWQKKPF
-------\Legacy_VRBKIPNQO
-------\Service_fwqkkpf
-------\Service_vrbkipnqo


((((((((((((((((((((((((( Files Created from 2009-08-26 to 2009-09-26 )))))))))))))))))))))))))))))))
.

2009-09-24 08:25 . 2009-09-24 08:25 -------- d-----w- C:\RRTVAULT
2009-09-23 08:02 . 2009-09-23 08:02 10752 ----a-w- c:\windows\DCEBoot.exe
2009-09-23 03:19 . 2009-09-23 03:19 -------- d-----w- c:\documents and settings\Great User\DoctorWeb
2009-09-22 07:15 . 2009-09-22 07:15 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-09-22 07:15 . 2009-09-22 07:15 -------- d-----w- c:\documents and settings\Great User\Application Data\SUPERAntiSpyware.com
2009-09-22 05:08 . 2009-09-22 05:08 -------- d-----w- c:\documents and settings\Great User\Application Data\Malwarebytes
2009-09-22 05:07 . 2009-09-10 06:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-22 05:07 . 2009-09-22 05:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-09-22 05:07 . 2009-09-10 06:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-21 11:07 . 2009-09-21 11:07 0 ----a-w- C:\settings.dat
2009-09-21 09:48 . 2009-09-21 09:48 -------- d-----w- c:\documents and settings\Great User\Local Settings\Application Data\UCPRO
2009-09-21 09:35 . 2009-09-21 09:35 -------- d-----w- C:\windowscopy
2009-09-19 17:07 . 2009-09-19 17:07 -------- d-----w- c:\documents and settings\Great User\Application Data\CyberLink
2009-09-19 15:56 . 2009-09-19 15:56 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-09-19 15:56 . 2009-09-19 15:56 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-09-19 15:56 . 2009-09-19 15:56 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-09-19 15:56 . 2009-09-19 15:56 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-09-19 15:56 . 2009-09-26 02:52 -------- d-----w- c:\windows\system32\drivers\Avg
2009-09-19 15:55 . 2009-09-23 08:04 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-09-19 15:55 . 2009-09-19 15:55 -------- d-----w- c:\program files\AVG
2009-09-19 15:32 . 2009-09-19 15:32 -------- d-----w- c:\documents and settings\Great User\Application Data\AVG8
2009-09-19 15:28 . 2009-09-19 15:28 -------- d-----w- c:\documents and settings\All Users\Application Data\FLEXnet
2009-09-19 15:18 . 2009-09-21 08:12 1253 ----a-w- c:\windows\War3Unin.dat
2009-09-19 15:18 . 2009-09-19 15:18 139264 ----a-w- c:\windows\War3Unin.exe
2009-09-19 15:10 . 2009-09-26 08:32 -------- d-----w- c:\documents and settings\Great User\Tracing
2009-09-19 15:06 . 2009-09-19 15:06 0 ----a-w- c:\windows\nsreg.dat
2009-09-19 15:06 . 2009-09-19 15:06 -------- d-----w- c:\documents and settings\Great User\Local Settings\Application Data\Mozilla
2009-09-19 15:03 . 2009-09-26 03:28 -------- d-----w- C:\Downloads
2009-09-19 10:50 . 2009-09-25 17:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Autodesk
2009-09-19 10:50 . 2009-09-25 17:49 -------- d-----w- c:\documents and settings\Great User\Application Data\Autodesk
2009-09-19 10:50 . 2009-09-19 10:50 -------- d-----w- c:\documents and settings\Great User\Local Settings\Application Data\Autodesk
2009-09-19 10:49 . 2009-09-25 18:01 482176 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-09-19 10:47 . 2009-09-19 10:47 -------- d-----w- c:\windows\system32\XPSViewer
2009-09-19 10:47 . 2009-09-19 10:47 -------- d-----w- c:\program files\Reference Assemblies
2009-09-19 10:47 . 2006-06-29 05:07 14048 ------w- c:\windows\system32\spmsg2.dll
2009-09-19 10:42 . 2009-09-19 10:42 -------- d-----w- c:\program files\Google
2009-09-19 10:38 . 2009-09-19 10:38 -------- d-----w- c:\documents and settings\Great User\Application Data\Apple Computer
2009-09-19 10:38 . 2009-09-19 10:38 -------- d-----w- c:\documents and settings\Great User\Local Settings\Application Data\Apple Computer
2009-09-19 10:37 . 2009-09-26 06:30 90360 ----a-w- c:\documents and settings\Great User\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-19 10:37 . 2009-09-19 10:38 -------- d-----w- c:\documents and settings\Great User\Local Settings\Application Data\Adobe
2009-09-19 10:37 . 2009-09-20 06:14 -------- d-----w- c:\documents and settings\Great User\Local Settings\Application Data\Ahead
2009-09-19 10:32 . 2009-09-19 10:32 -------- d-----w- c:\program files\AGEIA Technologies
2009-09-19 10:32 . 2009-09-19 10:32 -------- d-----w- c:\windows\system32\AGEIA
2009-09-19 10:32 . 2009-09-22 07:15 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-09-19 10:32 . 2009-06-09 22:03 457248 ----a-w- c:\windows\system32\nvudisp.exe
2009-09-19 10:31 . 2009-06-21 00:46 485920 ----a-w- c:\windows\system32\NVUNINST.EXE
2009-09-19 10:30 . 2009-09-19 10:31 -------- d-----w- C:\NVIDIA

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-26 04:54 . 2009-08-07 10:20 5 ----a-w- c:\windows\system32\SySCut.dat
2009-09-21 10:56 . 2009-09-20 08:30 62 ----a-w- c:\windows\popcinfo.dat
2009-09-21 10:54 . 2009-08-07 10:14 -------- d-----w- c:\program files\Mummy Maze Deluxe
2009-09-21 09:40 . 2004-08-04 11:00 146432 ----a-w- c:\windows\regedit.exe
2009-09-21 09:07 . 2009-08-07 10:21 -------- d---a-w- c:\documents and settings\All Users\Application Data\Temp
2009-09-21 04:43 . 2009-08-07 10:14 -------- d-----w- c:\program files\Heavy Weapon
2009-09-20 08:30 . 2009-08-07 10:15 -------- d-----w- c:\program files\Pixelus Deluxe
2009-09-20 07:04 . 2009-09-20 04:40 4096 ----a-w- c:\windows\system32\detoured.dll
2009-09-20 02:12 . 2009-09-20 02:11 -------- d-----w- c:\documents and settings\Great User\Application Data\Media Player Classic
2009-09-19 10:49 . 2009-08-07 12:26 -------- d-----w- c:\program files\MSBuild
2009-09-19 10:15 . 2009-08-07 10:19 -------- d-----w- c:\program files\Total Video Converter
2009-09-04 09:44 . 2009-09-20 07:19 515416 ----a-w- c:\windows\system32\XAudio2_5.dll
2009-09-04 09:44 . 2009-09-20 07:19 238936 ----a-w- c:\windows\system32\xactengine3_5.dll
2009-09-04 09:44 . 2009-08-07 10:14 69464 ----a-w- c:\windows\system32\XAPOFX1_3.dll
2009-09-04 09:29 . 2009-09-20 07:19 453456 ----a-w- c:\windows\system32\d3dx10_42.dll
2009-09-04 09:29 . 2009-09-20 07:19 235344 ----a-w- c:\windows\system32\d3dx11_42.dll
2009-09-04 09:29 . 2009-09-20 07:19 5501792 ----a-w- c:\windows\system32\d3dcsx_42.dll
2009-09-04 09:29 . 2009-09-20 07:19 1974616 ----a-w- c:\windows\system32\D3DCompiler_42.dll
2009-09-04 09:29 . 2009-09-20 07:19 1892184 ----a-w- c:\windows\system32\D3DX9_42.dll
2009-08-19 09:06 . 2009-08-07 12:30 -------- d-----w- c:\program files\K-Lite Codec Pack
2009-08-19 08:55 . 2009-08-19 08:55 -------- d-----w- c:\program files\Bonjour
2009-08-19 08:55 . 2009-08-07 12:28 -------- d-----w- c:\program files\Common Files\Adobe
2009-08-19 08:51 . 2009-08-19 08:51 -------- d-----w- c:\program files\Common Files\Macrovision Shared
2009-08-19 08:48 . 2009-08-19 08:48 -------- d-----w- c:\documents and settings\Great User\Application Data\ACD Systems
2009-08-19 08:48 . 2009-08-19 08:48 -------- d-----w- c:\program files\Common Files\ACD Systems
2009-08-19 08:48 . 2009-08-19 08:48 -------- d-----w- c:\documents and settings\All Users\Application Data\ACD Systems
2009-08-19 08:48 . 2009-08-19 08:48 -------- d-----w- c:\program files\ACD Systems
2009-08-19 08:29 . 2009-08-07 09:59 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-08-19 08:20 . 2009-08-07 10:11 17488 ----a-w- c:\windows\gdrv.sys
2009-08-13 03:14 . 2009-08-13 03:14 472064 ----a-w- C:\RootRepeal.exe
2009-08-07 12:30 . 2009-08-07 12:30 -------- d-----w- c:\program files\QuickTime
2009-08-07 12:30 . 2009-08-07 12:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2009-08-07 12:30 . 2009-08-07 12:30 -------- d-----w- c:\program files\Apple Software Update
2009-08-07 12:30 . 2009-08-07 12:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2009-08-07 12:29 . 2009-08-07 12:29 -------- d-----w- c:\program files\Common Files\xing shared
2009-08-07 12:29 . 2009-08-07 12:29 -------- d-----w- c:\program files\Real
2009-08-07 12:29 . 2009-08-07 12:29 -------- d-----w- c:\program files\Common Files\Real
2009-08-07 12:29 . 2009-08-07 10:22 499712 ----a-w- c:\windows\system32\msvcp71.dll
2009-08-07 12:29 . 2009-08-07 10:22 348160 ----a-w- c:\windows\system32\msvcr71.dll
2009-08-07 12:28 . 2009-08-07 12:23 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-08-07 12:26 . 2009-08-07 12:26 -------- d-----w- c:\program files\Microsoft Works
2009-08-07 12:26 . 2009-08-07 12:26 -------- d-----w- c:\program files\Microsoft.NET
2009-08-07 12:24 . 2009-08-07 12:24 -------- d-----w- c:\program files\Microsoft Visual Studio 8
2009-08-07 10:31 . 2009-08-07 10:31 -------- d-----w- c:\program files\Microsoft Silverlight
2009-08-07 10:31 . 2009-08-07 10:28 -------- d-----w- c:\program files\Windows Live
2009-08-07 10:30 . 2009-08-07 10:30 -------- d-----w- c:\program files\Microsoft SQL Server Compact Edition
2009-08-07 10:29 . 2009-08-07 10:29 -------- d-----w- c:\program files\Microsoft
2009-08-07 10:29 . 2009-08-07 10:29 -------- d-----w- c:\program files\Windows Live SkyDrive
2009-08-07 10:27 . 2009-08-07 10:27 -------- d-----w- c:\program files\Common Files\Windows Live
2009-08-07 10:25 . 2009-08-07 10:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo!
2009-08-07 10:24 . 2009-08-07 10:24 -------- d-----w- c:\program files\Yahoo!
2009-08-07 10:23 . 2009-08-07 10:23 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-08-07 10:23 . 2009-08-07 10:23 -------- d-----w- c:\program files\Java
2009-08-07 10:23 . 2009-08-07 10:23 -------- d-----r- c:\program files\Skype
2009-08-07 10:23 . 2009-08-07 10:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2009-08-07 10:22 . 2009-08-07 10:22 -------- d-----w- c:\documents and settings\All Users\Application Data\CyberLink
2009-08-07 10:22 . 2009-08-07 10:22 -------- d-----w- c:\program files\Common Files\CyberLink
2009-08-07 10:22 . 2009-08-07 10:22 -------- d-----w- c:\program files\CyberLink
2009-08-07 10:21 . 2009-08-07 10:22 29480 ----a-w- c:\windows\system32\msxml3a.dll
2009-08-07 10:20 . 2009-08-07 10:20 -------- d-----w- c:\program files\SuperAudiotool
2009-08-07 10:20 . 2009-08-07 10:20 -------- d-----w- c:\program files\MP3 Workshop
2009-08-07 10:18 . 2009-08-07 10:16 -------- d-----w- c:\program files\Common Files\Ahead
2009-08-07 10:17 . 2009-08-07 10:17 -------- d-----w- c:\program files\7-Zip
2009-08-07 10:16 . 2009-08-07 10:16 -------- d-----w- c:\program files\Nero
2009-08-07 10:16 . 2009-08-07 10:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Nero
2009-08-07 10:15 . 2009-08-07 10:14 -------- d-----w- c:\program files\Bejeweled 2 Deluxe
2009-08-07 10:15 . 2009-08-07 10:15 -------- d-----w- c:\program files\Seven Seas Deluxe
2009-08-07 10:15 . 2009-08-07 10:15 -------- d-----w- c:\program files\Rocket Mania
2009-08-07 10:15 . 2009-08-07 10:15 -------- d-----w- c:\program files\Dynomite
2009-08-07 10:15 . 2009-08-07 10:15 -------- d-----w- c:\program files\Insaniquarium Deluxe
2009-08-07 10:14 . 2009-08-07 10:14 -------- d-----w- c:\program files\AstroPop Deluxe
2009-08-07 10:14 . 2009-08-07 10:14 -------- d-----w- c:\program files\Atomica Deluxe
2009-08-07 10:14 . 2009-08-07 10:14 -------- d-----w- c:\program files\Bejeweled
2009-08-07 10:14 . 2009-08-07 10:14 -------- d-----w- c:\program files\Big Money Deluxe
2009-08-07 10:14 . 2009-08-07 10:14 -------- d-----w- c:\program files\BookWorm Deluxe
2009-08-07 10:14 . 2009-08-07 10:14 -------- d-----w- c:\program files\NingPo MahJong Deluxe
2009-08-07 10:14 . 2009-08-07 10:14 -------- d-----w- c:\program files\Noah's Ark Deluxe
2009-08-07 10:14 . 2009-08-07 10:14 -------- d-----w- c:\program files\Alchemy
2009-08-07 10:14 . 2009-08-07 10:14 -------- d-----w- c:\program files\Zuma Deluxe
2009-08-07 10:14 . 2009-08-07 10:14 -------- d-----w- c:\program files\Typer Shark
2009-08-07 10:07 . 2009-08-07 10:07 -------- d-----w- c:\program files\Realtek
2009-08-07 10:00 . 2009-08-07 10:00 -------- d-----w- c:\program files\Intel
2009-08-07 09:59 . 2009-08-07 09:59 -------- d-----w- c:\program files\Common Files\InstallShield
2009-08-07 09:54 . 2009-08-07 09:54 -------- d-----w- c:\program files\microsoft frontpage
2009-08-07 09:53 . 2009-08-07 09:53 -------- d-----w- c:\program files\Windows Media Connect 2
2009-08-07 09:50 . 2009-08-07 09:50 21640 ----a-w- c:\windows\system32\emptyregdb.dat
.

------- Sigcheck -------

[-] 2008-04-01 . 32272BF10467C8ACF1F83138C61D541E . 1580544 . . [5.1.2600.2180] . . c:\windows\system32\sfcfiles.dll
.
((((((((((((((((((((((((((((( SnapShot@2009-09-26_03.36.07 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-09-26 08:37 . 2009-09-26 08:37 16384 c:\windows\temp\Perflib_Perfdata_624.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-02-06 3885408]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-12-23 143360]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-01-21 134656]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-01-21 134656]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-01-21 166912]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-06-10 13758464]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-06-10 86016]
"AVG8_TRAY"="d:\progra~1\AVG8~1.5\avgtray.exe" [2009-09-19 2007832]
"Malwarebytes Anti-Malware (reboot)"="d:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.EXE [2009-01-13 18084864]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2009-06-10 1657376]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "d:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 07:21 548352 ----a-w- d:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-09-19 15:56 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD9\\PowerDVD Cinema\\PowerDVDCinema.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD9\\PowerDVD9.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"d:\\Program Files\\AVG 8.5\\avgupd.exe"=
"d:\\Program Files\\AVG 8.5\\avgnsx.exe"=
"d:\\Program Files\\BitComet\\BitComet.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3639:TCP"= 3639:TCP:hrokix
"9453:TCP"= 9453:TCP:BitComet 9453 TCP
"9453:UDP"= 9453:UDP:BitComet 9453 UDP

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [9/19/2009 11:56 PM 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [9/19/2009 11:56 PM 108552]
R1 SASDIFSV;SASDIFSV;d:\program files\SUPERAntiSpyware\sasdifsv.sys [9/15/2009 11:42 AM 9968]
R1 SASKUTIL;SASKUTIL;d:\program files\SUPERAntiSpyware\SASKUTIL.SYS [9/15/2009 11:42 AM 74480]
R2 {B154377D-700F-42cc-9474-23858FBDF4BD};Power Control [2009/08/07 18:22];c:\program files\CyberLink\PowerDVD9\000.fcl [5/7/2009 9:05 PM 87536]
R2 avg8wd;AVG Free8 WatchDog;d:\progra~1\AVG8~1.5\avgwdsvc.exe [9/19/2009 11:55 PM 297752]
R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [8/7/2009 6:31 PM 55152]
R3 L1c;NDIS Miniport Driver for Atheros AR8131/AR8132 PCI-E Ethernet Controller;c:\windows\system32\drivers\l1c51x86.sys [8/7/2009 6:09 PM 39424]
S3 fsssvc;Windows Live Family Safety;c:\program files\Windows Live\Family Safety\fsssvc.exe [2/6/2009 6:08 PM 533360]
S3 GarenaPEngine;GarenaPEngine;\??\c:\docume~1\GREATU~1\LOCALS~1\Temp\IYG5A.tmp --> c:\docume~1\GREATU~1\LOCALS~1\Temp\IYG5A.tmp [?]
S3 SASENUM;SASENUM;d:\program files\SUPERAntiSpyware\SASENUM.SYS [9/15/2009 11:42 AM 7408]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-09-26 c:\windows\Tasks\User_Feed_Synchronization-{DD0CE43B-144F-4F04-96A3-F70F119F16AD}.job
- c:\windows\system32\msfeedssync.exe [2008-04-01 20:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com.my/
uInternet Settings,ProxyOverride = *.local
IE: &D&ownload &with BitComet - d:\program files\BitComet\BitComet.exe/AddLink.htm
IE: &D&ownload all video with BitComet - d:\program files\BitComet\BitComet.exe/AddVideo.htm
IE: &D&ownload all with BitComet - d:\program files\BitComet\BitComet.exe/AddAllLink.htm
IE: &Download All by FlashGet - c:\program files\FlashGet Network\FlashGet universal\ComDlls\Bhoall.htm
IE: &Download by FlashGet - c:\program files\FlashGet Network\FlashGet universal\ComDlls\Bholink.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Great User\Application Data\Mozilla\Firefox\Profiles\m28bqtl0.default\
FF - prefs.js: browser.startup.homepage - www.google.com
FF - prefs.js: network.proxy.type - 4
FF - component: c:\documents and settings\Great User\Application Data\Mozilla\Firefox\Profiles\m28bqtl0.default\extensions\{B042753D-F57E-4e8e-A01B-7379A6D4CEFB}\components\IBitCometExtension.dll
FF - component: d:\program files\AVG 8.5\Firefox\components\avgssff.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-26 16:37
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\GarenaPEngine]
"ImagePath"="\??\c:\docume~1\GREATU~1\LOCALS~1\Temp\IYG5A.tmp"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\{B154377D-700F-42cc-9474-23858FBDF4BD}]
"ImagePath"="\??\c:\program files\CyberLink\PowerDVD9\000.fcl"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(700)
d:\program files\SUPERAntiSpyware\SASWINLO.dll

- - - - - - - > 'explorer.exe'(1840)
c:\windows\system32\msi.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvsvc32.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
d:\program files\AVG 8.5\avgrsx.exe
d:\progra~1\AVG8~1.5\avgnsx.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
c:\windows\system32\rundll32.exe
c:\program files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
c:\program files\Common Files\Ahead\Lib\NMIndexingService.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-09-26 16:38 - machine was rebooted
ComboFix-quarantined-files.txt 2009-09-26 08:38
ComboFix2.txt 2009-09-26 03:36

Pre-Run: 51,148,386,304 bytes free
Post-Run: 51,049,066,496 bytes free


Edited by Dylanz Of Dylanz, 26 September 2009 - 04:02 AM.


#8 miekiemoes

    Malware Killer Dog

  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 26 September 2009 - 04:10 AM

Hi,

This Paint.exe you submitted is a "rip-off" of the normal mspaint.exe. It doesn't look malicious at first sight; however, I don't understand why it sets an autostart here.
Have you downloaded this file before?

Edited by miekiemoes, 26 September 2009 - 04:10 AM.


#9 Dylanz Of Dylanz
  • Topic Starter

  • Members
  • 171 posts

Posted 26 September 2009 - 04:11 AM

I did not download anything about this Paint before...

#10 miekiemoes

    Malware Killer Dog

  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 26 September 2009 - 04:26 AM

I find strings of Garena Software in it. You also have other references to Garena in your log.
http://www.gamerzplanet.net/forums/garena/...s-v1-0-a-8.html
I guess this sheds light on it? What's this Garena thing? Looks like a hack for games?
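The check described in post #10 (pulling printable strings out of the submitted Paint.exe and comparing it with the genuine mspaint.exe it imitates) as an added example; this is not code from the thread, and the sample bytes, file names and keyword list are constructed assumptions:

```python
"""Added example, not from the thread: string extraction and hash comparison
for a submitted binary that claims to be a renamed system executable.
The sample bytes below are constructed; real files would be read with
open(path, "rb")."""
import hashlib
import re


def extract_strings(data: bytes, min_len: int = 5) -> list:
    """Return printable-ASCII runs of at least min_len bytes, like `strings`."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.decode("ascii") for m in pattern.findall(data)]


def find_keywords(data: bytes, keywords) -> dict:
    """Map each keyword to the extracted strings containing it (case-insensitive)."""
    hits = {}
    for s in extract_strings(data):
        for kw in keywords:
            if kw.lower() in s.lower():
                hits.setdefault(kw, []).append(s)
    return hits


def same_binary(a: bytes, b: bytes) -> bool:
    """True when both byte strings have the same SHA-256, i.e. a plain renamed copy."""
    return hashlib.sha256(a).digest() == hashlib.sha256(b).digest()


# Constructed stand-ins (assumed, not real file contents): a "genuine" copy and a
# submitted copy that carries an extra block of third-party strings.
GENUINE_MSPAINT = b"MZ\x90\x00" + b"\x00" * 16 + b"Microsoft Paint\x00" + b"\x01\x02\x03"
SUBMITTED_PAINT = GENUINE_MSPAINT + b"Garena Software\x00GarenaHack autostart\x00"


def triage(submitted: bytes, genuine: bytes, keywords=("Garena", "hack")) -> dict:
    """Summarise whether the submitted file matches the genuine one and which
    keywords its strings contain; a mismatch plus keyword hits is what made the
    analyst suspicious in the thread."""
    return {
        "identical_to_genuine": same_binary(submitted, genuine),
        "sha256": hashlib.sha256(submitted).hexdigest(),
        "keyword_hits": find_keywords(submitted, keywords),
    }


if __name__ == "__main__":
    result = triage(SUBMITTED_PAINT, GENUINE_MSPAINT)
    print("identical to genuine copy:", result["identical_to_genuine"])
    for kw, strings in result["keyword_hits"].items():
        print(f"{kw!r}: {strings}")
```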

#11 Dylanz Of Dylanz

  • Topic Starter
  • Members
  • 171 posts

Posted 26 September 2009 - 05:24 AM

No, Garena is a game platform, and I was finding some hacks for it :D
It's a false positive thing.

#12 miekiemoes

    Malware Killer Dog

  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 26 September 2009 - 05:35 AM

That file must be part of that hack, but imho, I'm not sure if it's actually needed, because it's certainly acting suspicious.
As is being said there:

hey, there's a keylogger here. new registry value added: paint.exe -autocheck always comes out. this happens when I'm pressing start Garena client. btw I'm using Spybot Search and Destroy and have a knowledge in coding. garenahack-er is very suspicious, garenahacks for free, uhm, think about it. It's my opinion, don't flame, just my thoughts, but still a good hack, I'm just insecure with the keylogger

That's why you are better off without this file :(

* Go to start > run and copy and paste next command in the field:

ComboFix /u

Make sure there's a space between ComboFix and /
Then hit Enter.

This will uninstall ComboFix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.


Anyway, how are things running now?

#13 Dylanz Of Dylanz

  • Topic Starter
  • Members
  • 171 posts

Posted 26 September 2009 - 05:54 AM

I've deleted the file you mentioned and successfully uninstalled ComboFix. My PC is working fine now.

#14 miekiemoes

    Malware Killer Dog

  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 26 September 2009 - 06:02 AM

Good to hear. :(

Please read my Prevention page with lots of info and tips on how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here.
Extra note: Make sure your programs are up to date, because older versions may contain security leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Happy Surfing again!

#15 Dylanz Of Dylanz

  • Topic Starter
  • Members
  • 171 posts

Posted 26 September 2009 - 06:14 AM

Hmm, I'm using AVG Anti-Virus Free; is that enough? Because I'm planning to install Comodo free firewall. Do they conflict?
