Vundo/Security Guard issues/System Performance problems


15 replies to this topic

#1 radii

  • Members
  • 8 posts

Posted 02 April 2010 - 04:24 PM

Hello, yesterday I started having some major system problems. Google links were being redirected to strange URLs and I started having problems with some software I use on a daily basis: OpenOffice, SQL Server Management Studio Express, and Visual Studio 2008. I attempted to fire up MalwareBytes Anti-Malware and was told the executable no longer existed. After some googling (clicking on links in Google wouldn't work but cutting and pasting the URLs would) I was able to resolve this by following the instructions in this thread: http://forums.malwarebytes.org/index.php?showtopic=29028. MalwareBytes found a number of issues which I cleaned up, but the problem was not completely resolved. More googling led to some help on rogue security malware named "Security Guard." I followed some steps to attempt to fix this and again feel like I've only fixed half the problem. For example, I learned that this malware overwrites your hosts file; I was able to unlock the hosts file and get it fixed back up, and my web browsing is back to normal. But as I said, things are still bad.

Current symptoms:

  • Malwarebytes still reports two issues, a Vundo registry key and a security disabled registry key, that are not getting fixed upon reboot.
  • Windows Automatic Update service is being disabled every few minutes when I try to enable it.
  • Many programs I run daily and was running fine the day before yesterday are fairly hosed: OpenOffice won't start at all, bringing up a JIT debugger session; SQL Management Express attempts to start but never fully loads/responds; and Visual Studio reports an internal error whenever I try to load up a project and never responds after that.
  • CPU usage occasionally jumping to 100% while idle (last night I noticed winlogon and a svchost instance both taking 50% of the CPU for some time until I just powered down).

Any help that can be provided is greatly appreciated. Thanks so much in advance!

dds.txt:


DDS (Ver_10-03-17.01) - NTFSx86
Run by Administrator at 17:16:33.17 on Fri 04/02/2010
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_18
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1433 [GMT -4:00]

AV: Security Guard *On-access scanning enabled* (Updated) {7ABB38CF-58F0-4BFD-BCF9-F5651489555D}
AV: Microsoft Security Essentials *On-access scanning enabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
FW: FortiClient Personal Firewall *disabled* {528CB157-D384-4593-AAAA-E42DFF111CED}
FW: Security Guard *enabled* {070049A5-2F32-49C2-B5EE-7B45F99AC4D9}

============== Running Processes ===============

C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
c:\Program Files\Microsoft Security Essentials\MsMpEng.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\runservice.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe
C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WUSB54GC.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Analog Devices\SoundMAX\smax4.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Microsoft Security Essentials\msseces.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Documents and Settings\Administrator\Desktop\dds.scr
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://hometab.bellsouth.net/
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {12e4c792-fdc7-4f3d-aedf-de0a9fd23362} - koyifufe.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [igndlm.exe] c:\program files\download manager\DLM.exe /windowsstart /startifwork
uRun: [PlayNC Launcher]
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [SoundMAX] "c:\program files\analog devices\soundmax\smax4.exe" /tray
mRun: [FortiClient] "c:\program files\fortinet\forticlient\FortiClient.exe" /minimize
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [nwiz] c:\program files\nvidia corporation\nview\nwiz.exe /install
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSConfig.exe /auto
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [MSSE] "c:\program files\microsoft security essentials\msseces.exe" -hide -runkey
mRun: [wewamibovi] Rundll32.exe "ladokijo.dll",s
mRunOnce: [symPCCheckup] "c:\windows\system32\adobe\shockwave 11\symcheckupstub.exe" /task /reboot
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\admini~1\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 3\program\quickstart.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\80211g~1.lnk - c:\program files\nonbrand\802.11g wireless lan pci card driver and utility\RtWlan.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\vpncli~1.lnk - c:\windows\installer\{51fb15f4-ad27-43bc-ad4b-dd0354fb6bbd}\Icon3E5562ED7.ico
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - c:\program files\pokerstars\PokerStarsUpdate.exe
IE: {CF819DA3-9882-4944-ADF5-6EF17ECF3C6E} - "c:\program files\fiddler2\Fiddler.exe"
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} - hxxp://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} - hxxp://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - hxxp://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.6.108.cab
DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - hxxp://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxps://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
AppInit_DLLs: , ,c:\windows\system32\sotuwino.dll ,fovaguke.dll
LSA: Notification Packages = scecli c:\windows\system32\sotuwino.dll fovaguke.dll
IFEO: image file execution options - svchost.exe
IFEO: mrt.exe - svchost.exe
Hosts: 10.2.1.2 qa.clearwaveinc.com
Hosts: 192.168.199.20 app1.dev.clearwaveinc.local
Hosts: 10.0.4.53 ATL-C-CWSQL1
Hosts: 10.0.4.51 ATL-C-CWWEB01
Hosts: 10.0.4.52 ATL-C-CWAPP01

Note: multiple HOSTS entries found. Please refer to Attach.txt

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\3bpgapea.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://espn.go.com/
FF - component: c:\documents and settings\administrator\application data\mozilla\firefox\profiles\3bpgapea.default\extensions\piclens@cooliris.com\components\coolirisstub.dll
FF - plugin: c:\documents and settings\administrator\application data\mozilla\firefox\profiles\3bpgapea.default\extensions\battlefieldheroespatcher@ea.com\platform\winnt_x86-msvc\plugins\npBFHUpdater.dll
FF - plugin: c:\documents and settings\administrator\application data\mozilla\firefox\profiles\3bpgapea.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp07074039.dll
FF - plugin: c:\documents and settings\administrator\application data\mozilla\firefox\profiles\3bpgapea.default\extensions\piclens@cooliris.com\plugins\npcoolirisplugin.dll
FF - plugin: c:\documents and settings\administrator\application data\mozilla\plugins\npcoolirisplugin.dll
FF - plugin: c:\documents and settings\administrator\local settings\application data\google\update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\documents and settings\administrator\local settings\application data\unity\webplayer\loader\npUnity3D32.dll
FF - plugin: c:\progra~1\yahoo!\common\npyaxmpb.dll
FF - plugin: c:\program files\download manager\npfpdlm.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npunagi2.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 Fortigen;Fortigen;c:\windows\system32\drivers\fortigen.sys [2007-8-24 14240]
R1 FortiPFW;FortiPFW;c:\windows\system32\drivers\fortipfw.sys [2007-8-24 120992]
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2009-12-2 149040]
R2 Fortips;Fortips;c:\windows\system32\drivers\fortips.sys [2007-8-24 96928]
R2 FortiRdr;FortiRdr;c:\windows\system32\drivers\FortiRdr.sys [2007-8-24 18464]
R2 LicCtrlService;LicCtrl Service;c:\windows\Runservice.exe [2007-3-29 2560]
R3 Fortidrv2;FortiNet Fortidrv Service;c:\windows\system32\drivers\fortidrv.sys [2007-8-24 22176]
R3 ft_vnic;Fortinet network virtual adapter;c:\windows\system32\drivers\ftvnic.sys [2007-8-24 14496]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2009-2-26 38224]
S3 DAUpdaterSvc;Dragon Age: Origins - Content Updater;c:\program files\steam\steamapps\common\dragon age origins\bin_ship\daupdatersvc.service.exe [2009-11-8 25832]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\gamemon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 pgsql-8.2;PostgreSQL Database Server 8.2;c:\program files\postgresql\8.2\bin\pg_ctl.exe [2007-9-17 79948]
S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2007-11-14 394952]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\microsoft visual studio 8\common7\ide\remote debugger\x86\msvsmon.exe [2006-12-2 2805000]

=============== Created Last 30 ================

2010-04-02 07:51:40 0 d-----w- c:\docume~1\admini~1\applic~1\OpenOffice.org
2010-04-02 03:14:44 0 ----a-w- c:\documents and settings\administrator\defogger_reenable
2010-04-02 02:22:49 0 d-----w- c:\program files\Trend Micro
2010-04-02 00:52:23 0 d-----w- c:\program files\Microsoft Security Essentials
2010-04-02 00:34:57 0 d-----w- c:\program files\JRE
2010-04-02 00:34:48 0 d-----w- c:\program files\OpenOffice.org 3
2010-04-01 19:27:37 0 d-----w- c:\program files\malwarecleaner
2010-04-01 16:31:46 0 d-sh--w- c:\docume~1\alluse~1\applic~1\SGGDAD
2010-04-01 16:31:17 0 d-sh--w- c:\docume~1\alluse~1\applic~1\347a36a
2010-04-01 16:21:16 2713 --sh--w- c:\windows\system32\sizehawi.exe
2010-03-30 17:51:57 138056 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2010-03-30 17:51:57 138056 ----a-w- c:\docume~1\admini~1\applic~1\PnkBstrK.sys
2010-03-30 17:51:40 189248 ----a-w- c:\windows\system32\PnkBstrB.exe
2010-03-30 17:51:38 75064 ----a-w- c:\windows\system32\PnkBstrA.exe
2010-03-30 17:51:37 2407792 ----a-w- c:\windows\system32\pbsvc_heroes.exe
2010-03-30 17:51:37 0 d-----w- c:\windows\system32\LogFiles
2010-03-30 17:07:06 0 d-----w- c:\program files\EA Games
2010-03-13 18:57:14 0 d-----w- c:\program files\PokerShortcuts
2010-03-13 18:54:35 0 d-----w- c:\program files\FT Table Opener
2010-03-12 20:32:19 0 d-----w- c:\program files\In The Money
2010-03-10 18:25:44 3558912 -c----w- c:\windows\system32\dllcache\moviemk.exe
2010-03-07 01:52:57 0 d-----w- c:\program files\Heroes of Newerth

==================== Find3M ====================

2010-04-02 21:09:07 8129 --sha-w- c:\windows\system32\mmf.sys
2010-04-02 00:28:48 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-03-29 19:24:58 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-29 19:24:46 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-02-18 02:13:08 33780 ---ha-w- c:\windows\system32\mlfcache.dat
2010-01-05 10:00:29 832512 ----a-w- c:\windows\system32\wininet.dll
2010-01-05 10:00:21 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-01-05 10:00:20 17408 ----a-w- c:\windows\system32\corpol.dll
2010-01-01 04:21:03 61952 --sha-w- c:\windows\system32\koyifufe.dll
2010-01-02 21:10:40 61952 --sha-w- c:\windows\system32\numisufe.dll
2010-01-01 16:21:12 117760 --sha-w- c:\windows\system32\sigubahi.exe
2009-10-15 02:46:35 16384 --sha-w- c:\windows\system32\config\systemprofile\cookies\index.dat
2009-10-15 02:46:35 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\index.dat
2009-10-15 02:46:23 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009101420091015\index.dat
2009-10-15 02:46:35 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\temporary internet files\content.ie5\index.dat

============= FINISH: 17:17:46.23 ===============


Edited by radii, 02 April 2010 - 04:30 PM.


#2 thewall

  • Malware Response Team
  • 6,425 posts
  • Gender:Male
  • Location:Florida

Posted 03 April 2010 - 06:59 PM

Hello radii, welcome to the BC HijackThis Log and Analysis forum. I will be assisting you in cleaning up your system.


I ask that you refrain from running tools other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.



In the upper right hand corner of the topic you will see a button called Options. If you click on this, in the drop-down menu you can choose Track this topic. By doing this and then choosing Immediate E-Mail notification and then clicking on Proceed, you will be advised when we respond to your topic, which will facilitate the cleaning of your machine.


Please keep in mind that we have a large backlog of users just like yourself waiting to be helped so try to be as timely as possible in your replies. Since we do this on a part-time voluntary basis we are limited on how many logs we can respond to and keep open due to time restraints. If you have to be away or can't answer for some other reason just let me know. Thank you for your understanding.



After 5 days if a topic is not replied to we assume it has been abandoned and it is closed.





Please download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Instruction can be found HERE
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Note: Please post the log in the reply window and do not make it an attachment. Do this with all subsequent replies unless I ask otherwise.

Thanks,

thewall

If I have helped you then please consider donating so I can continue the fight against malware.
All donations go directly to the helper.

Due to the large amount of backlogs we have I cannot respond to PMs for help unless I am already working with you.

#3 radii (Topic Starter)

  • Members
  • 8 posts

Posted 03 April 2010 - 08:19 PM

Combofix log:

ComboFix 10-04-03.01 - Administrator 04/03/2010 20:48:06.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1559 [GMT -4:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *On-access scanning disabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
FW: FortiClient Personal Firewall *disabled* {528CB157-D384-4593-AAAA-E42DFF111CED}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Administrator\Application Data\Microsoft\dtPaper
c:\documents and settings\Administrator\Application Data\Microsoft\dtPaper\1.html
c:\documents and settings\Administrator\Application Data\Microsoft\dtPaper\cfg.msg
c:\documents and settings\Administrator\Application Data\Microsoft\dtPaper\tmp.bmp
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\program files\Mozilla Firefox\searchplugins\search.xml
c:\windows\AppPatch\AcAdProc.dll
c:\windows\system32\images
c:\windows\system32\images\toolbar\calendar.gif
c:\windows\system32\images\toolbar\crlogo.gif
c:\windows\system32\images\toolbar\export.gif
c:\windows\system32\images\toolbar\export_over.gif
c:\windows\system32\images\toolbar\exportd.gif
c:\windows\system32\images\toolbar\First.gif
c:\windows\system32\images\toolbar\first_over.gif
c:\windows\system32\images\toolbar\Firstd.gif
c:\windows\system32\images\toolbar\gotopage.gif
c:\windows\system32\images\toolbar\gotopage_over.gif
c:\windows\system32\images\toolbar\gotopaged.gif
c:\windows\system32\images\toolbar\grouptree.gif
c:\windows\system32\images\toolbar\grouptree_over.gif
c:\windows\system32\images\toolbar\grouptreed.gif
c:\windows\system32\images\toolbar\grouptreepressed.gif
c:\windows\system32\images\toolbar\Last.gif
c:\windows\system32\images\toolbar\last_over.gif
c:\windows\system32\images\toolbar\Lastd.gif
c:\windows\system32\images\toolbar\Next.gif
c:\windows\system32\images\toolbar\next_over.gif
c:\windows\system32\images\toolbar\Nextd.gif
c:\windows\system32\images\toolbar\Prev.gif
c:\windows\system32\images\toolbar\prev_over.gif
c:\windows\system32\images\toolbar\Prevd.gif
c:\windows\system32\images\toolbar\print.gif
c:\windows\system32\images\toolbar\print_over.gif
c:\windows\system32\images\toolbar\printd.gif
c:\windows\system32\images\toolbar\Refresh.gif
c:\windows\system32\images\toolbar\refresh_over.gif
c:\windows\system32\images\toolbar\refreshd.gif
c:\windows\system32\images\toolbar\Search.gif
c:\windows\system32\images\toolbar\search_over.gif
c:\windows\system32\images\toolbar\searchd.gif
c:\windows\system32\images\toolbar\up.gif
c:\windows\system32\images\toolbar\up_over.gif
c:\windows\system32\images\toolbar\upd.gif
c:\windows\system32\images\tree\begindots.gif
c:\windows\system32\images\tree\beginminus.gif
c:\windows\system32\images\tree\beginplus.gif
c:\windows\system32\images\tree\blank.gif
c:\windows\system32\images\tree\blankdots.gif
c:\windows\system32\images\tree\dots.gif
c:\windows\system32\images\tree\lastdots.gif
c:\windows\system32\images\tree\lastminus.gif
c:\windows\system32\images\tree\lastplus.gif
c:\windows\system32\images\tree\Magnify.gif
c:\windows\system32\images\tree\minus.gif
c:\windows\system32\images\tree\minusbox.gif
c:\windows\system32\images\tree\plus.gif
c:\windows\system32\images\tree\plusbox.gif
c:\windows\system32\images\tree\singleminus.gif
c:\windows\system32\images\tree\singleplus.gif
c:\windows\system32\sigubahi.exe
c:\windows\system32\sizehawi.exe
c:\windows\Tasks\jzhdceib.job
c:\windows\Tasks\nsrjpoej.job
c:\windows\Tasks\zcyiccge.job

----- BITS: Possible infected sites -----

hxxp://77.74.48.118
hxxp://82.98.235.29
.
((((((((((((((((((((((((( Files Created from 2010-03-04 to 2010-04-04 )))))))))))))))))))))))))))))))
.

2010-04-02 07:51 . 2010-04-02 07:51 -------- d-----w- c:\documents and settings\Administrator\Application Data\OpenOffice.org
2010-04-02 02:22 . 2010-04-02 02:22 -------- d-----w- c:\program files\Trend Micro
2010-04-02 00:52 . 2010-04-02 00:52 -------- d-----w- c:\program files\Microsoft Security Essentials
2010-04-02 00:34 . 2010-04-02 00:34 -------- d-----w- c:\program files\JRE
2010-04-02 00:34 . 2010-04-02 00:34 -------- d-----w- c:\program files\OpenOffice.org 3
2010-04-01 19:27 . 2010-04-01 19:32 -------- d-----w- c:\program files\malwarecleaner
2010-04-01 16:31 . 2010-04-01 16:31 -------- d-sh--w- c:\documents and settings\All Users\Application Data\SGGDAD
2010-04-01 16:31 . 2010-04-01 16:31 -------- d-sh--w- c:\documents and settings\All Users\Application Data\347a36a
2010-03-30 17:51 . 2010-03-30 17:51 138056 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2010-03-30 17:51 . 2010-03-30 17:51 189248 ----a-w- c:\windows\system32\PnkBstrB.exe
2010-03-30 17:51 . 2010-03-30 17:51 75064 ----a-w- c:\windows\system32\PnkBstrA.exe
2010-03-30 17:51 . 2010-03-30 17:51 2407792 ----a-w- c:\windows\system32\pbsvc_heroes.exe
2010-03-30 17:51 . 2010-03-30 17:51 -------- d-----w- c:\windows\system32\LogFiles
2010-03-30 17:07 . 2010-03-30 17:07 -------- d-----w- c:\program files\EA Games
2010-03-13 18:57 . 2010-03-13 18:57 -------- d-----w- c:\program files\PokerShortcuts
2010-03-13 18:54 . 2010-03-13 18:54 -------- d-----w- c:\program files\FT Table Opener
2010-03-12 20:32 . 2010-03-12 20:32 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\In_The_Money_LLC
2010-03-12 20:32 . 2010-03-16 15:22 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\In The Money
2010-03-12 20:32 . 2010-03-12 20:32 -------- d-----w- c:\program files\In The Money
2010-03-12 17:33 . 2010-03-12 17:33 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\cache
2010-03-10 18:25 . 2009-10-23 15:28 3558912 -c----w- c:\windows\system32\dllcache\moviemk.exe
2010-03-07 01:52 . 2010-03-07 01:55 -------- d-----w- c:\program files\Heroes of Newerth

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-04 01:01 . 2007-03-29 17:02 8129 --sha-w- c:\windows\system32\mmf.sys
2010-04-04 00:40 . 2010-04-04 00:39 -------- d-----w- c:\program files\Norton PC Checkup
2010-04-04 00:39 . 2010-04-04 00:39 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-04-02 00:53 . 2006-10-23 20:41 37952 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-04-02 00:44 . 2009-09-18 12:13 -------- d-----w- c:\program files\Cryptic Studios
2010-04-02 00:43 . 2008-04-05 08:54 -------- d-----w- c:\program files\Cake Poker
2010-04-02 00:33 . 2008-03-04 14:09 -------- d-----w- c:\program files\OpenOffice.org 2.3
2010-04-02 00:29 . 2007-04-10 04:53 -------- d-----w- c:\program files\Common Files\Java
2010-04-02 00:28 . 2009-01-05 03:40 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-04-02 00:28 . 2007-04-10 04:53 -------- d-----w- c:\program files\Java
2010-04-01 21:20 . 2009-10-18 23:20 -------- d-----w- c:\program files\NCSoft
2010-04-01 19:25 . 2009-02-26 17:51 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-01 19:23 . 2008-12-11 17:41 -------- d-----w- c:\program files\CCleaner
2010-04-01 18:31 . 2007-01-03 02:09 -------- d-----w- c:\program files\Common Files\Adobe
2010-04-01 04:54 . 2009-06-19 07:31 2352 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2010-03-30 17:51 . 2010-03-30 17:51 138056 ----a-w- c:\documents and settings\Administrator\Application Data\PnkBstrK.sys
2010-03-30 16:17 . 2008-03-04 14:11 -------- d-----w- c:\documents and settings\Administrator\Application Data\OpenOffice.org2
2010-03-29 19:24 . 2009-02-26 17:51 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-29 19:24 . 2009-02-26 17:51 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-19 22:31 . 2007-12-31 21:10 -------- d-----w- c:\program files\Full Tilt Poker
2010-03-16 14:53 . 2007-08-15 02:06 -------- d-----w- c:\program files\PokerStove
2010-03-05 17:49 . 2009-10-13 19:45 -------- d-----w- c:\program files\Windows Grep
2010-02-23 04:11 . 2007-08-16 01:30 -------- d-----w- c:\program files\mIRC
2010-02-18 02:13 . 2009-08-01 03:51 33780 ---ha-w- c:\windows\system32\mlfcache.dat
2010-02-17 08:35 . 2009-01-23 14:50 -------- d-----w- c:\program files\Digsby
2010-02-13 20:22 . 2009-12-13 01:21 -------- d-----w- c:\program files\Common Files\Adobe AIR
2010-02-12 01:19 . 2009-01-17 10:00 -------- d-----w- c:\documents and settings\All Users\Application Data\Electronic Arts
2010-01-05 10:00 . 2006-03-15 12:00 832512 ----a-w- c:\windows\system32\wininet.dll
2010-01-05 10:00 . 2006-03-15 12:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-01-05 10:00 . 2006-03-15 12:00 17408 ----a-w- c:\windows\system32\corpol.dll
2010-01-01 04:21 . 2010-01-01 04:21 61952 --sha-w- c:\windows\system32\koyifufe.dll
2010-01-02 21:10 . 2010-01-02 21:10 61952 --sha-w- c:\windows\system32\numisufe.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{12e4c792-fdc7-4f3d-aedf-de0a9fd23362}]
2010-01-01 04:21 61952 --sha-w- c:\windows\system32\koyifufe.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igndlm.exe"="c:\program files\Download Manager\DLM.exe" [2009-05-14 1103216]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2005-05-20 925696]
"FortiClient"="c:\program files\Fortinet\FortiClient\FortiClient.exe" [2007-08-24 1477240]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-03-29 413696]
"nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2009-08-13 1657376]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-08-17 13877248]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-08-17 86016]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2007-08-18 185632]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-01-11 246504]
"MSSE"="c:\program files\Microsoft Security Essentials\msseces.exe" [2010-02-21 1093208]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]

c:\documents and settings\Administrator\Start Menu\Programs\Startup\
OpenOffice.org 3.2.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2009-12-15 384000]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
802.11g Wireless LAN PCI Card Utility.lnk - c:\program files\Nonbrand\802.11g Wireless LAN PCI Card Driver and Utility\RtWlan.exe [2007-12-26 5856256]
VPN Client.lnk - c:\windows\Installer\{51FB15F4-AD27-43BC-AD4B-DD0354FB6BBD}\Icon3E5562ED7.ico [2009-2-8 6144]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeCS4ServiceManager]
2008-08-14 11:58 611712 ----a-w- c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
2004-08-10 11:04 59392 ----a-w- c:\windows\ehome\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2008-09-02 21:43 133104 ----atw- c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\High Definition Audio Property Page Shortcut]
2004-10-27 22:21 61952 ------w- c:\windows\system32\HdAShCut.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2008-03-30 14:36 267048 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NCsoft Launcher]
2010-04-01 21:18 38184 ----a-w- c:\program files\NCSoft\Launcher\NCLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
2009-11-04 00:21 1217808 ----a-w- c:\program files\Steam\steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2007-08-18 01:58 185632 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
2007-03-01 23:11 4670968 ----a-w- c:\program files\Yahoo!\Messenger\YahooMessenger.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Fortinet\\FortiClient\\ipsec.exe"=
"c:\\Program Files\\Trillian\\trillian.exe"=
"c:\\Program Files\\Turbine\\The Lord of the Rings Online\\lotroclient.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\mIRC\\mirc.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\mount and blade\\runme.exe"=
"c:\\Program Files\\Analog Devices\\Core\\smax4pnp.exe"=
"c:\\Program Files\\Analog Devices\\SoundMAX\\SMax4.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\dragon age origins\\bin_ship\\daupdatersvc.service.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\tropico 3\\tropico3.exe"=
"c:\\Riot Games\\League of Legends\\air\\LolClient.exe"=
"c:\\Riot Games\\League of Legends\\game\\League of Legends.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\empire total war\\Empire.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\dragon age origins\\bin_ship\\DAOrigins.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\dragon age origins\\DAOriginsLauncher.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\WINDOWS\\system32\\vsjitdebugger.exe"=
"c:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Microsoft Security Essentials\\msseces.exe"=
"c:\\WINDOWS\\system32\\taskmgr.exe"=
"c:\\Program Files\\Microsoft Visual Studio 9.0\\Common7\\IDE\\devenv.exe"=
"c:\\Riot Games\\League of Legends\\lol.launcher.exe"=
"c:\\WINDOWS\\system32\\wscntfy.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724
"5353:TCP"= 5353:TCP:Adobe CSI CS4
"8370:TCP"= 8370:TCP:League of Legends Launcher
"8370:UDP"= 8370:UDP:League of Legends Launcher
"8372:TCP"= 8372:TCP:League of Legends Launcher
"8372:UDP"= 8372:UDP:League of Legends Launcher
"8373:TCP"= 8373:TCP:League of Legends Launcher
"8373:UDP"= 8373:UDP:League of Legends Launcher
"8374:TCP"= 8374:TCP:League of Legends Launcher
"8374:UDP"= 8374:UDP:League of Legends Launcher
"8375:TCP"= 8375:TCP:League of Legends Launcher
"8375:UDP"= 8375:UDP:League of Legends Launcher
"6949:TCP"= 6949:TCP:League of Legends Launcher
"6949:UDP"= 6949:UDP:League of Legends Launcher
"8376:TCP"= 8376:TCP:League of Legends Launcher
"8376:UDP"= 8376:UDP:League of Legends Launcher
"8393:TCP"= 8393:TCP:League of Legends Lobby
"8393:UDP"= 8393:UDP:League of Legends Lobby
"8390:TCP"= 8390:TCP:League of Legends Game Client
"8390:UDP"= 8390:UDP:League of Legends Game Client
"6960:TCP"= 6960:TCP:League of Legends Launcher
"6960:UDP"= 6960:UDP:League of Legends Launcher

R1 Fortigen;Fortigen;c:\windows\system32\drivers\fortigen.sys [8/24/2007 10:51 AM 14240]
R1 FortiPFW;FortiPFW;c:\windows\system32\drivers\fortipfw.sys [8/24/2007 10:51 AM 120992]
R2 Fortips;Fortips;c:\windows\system32\drivers\fortips.sys [8/24/2007 10:51 AM 96928]
R2 FortiRdr;FortiRdr;c:\windows\system32\drivers\FortiRdr.sys [8/24/2007 10:52 AM 18464]
R2 LicCtrlService;LicCtrl Service;c:\windows\Runservice.exe [3/29/2007 1:02 PM 2560]
R3 Fortidrv2;FortiNet Fortidrv Service;c:\windows\system32\drivers\fortidrv.sys [8/24/2007 10:51 AM 22176]
R3 ft_vnic;Fortinet network virtual adapter;c:\windows\system32\drivers\ftvnic.sys [8/24/2007 10:51 AM 14496]
S3 DAUpdaterSvc;Dragon Age: Origins - Content Updater;c:\program files\Steam\steamapps\common\dragon age origins\bin_ship\daupdatersvc.service.exe [11/8/2009 11:50 PM 25832]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2/26/2009 1:51 PM 38224]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 pgsql-8.2;PostgreSQL Database Server 8.2;c:\program files\PostgreSQL\8.2\bin\pg_ctl.exe [9/17/2007 9:09 AM 79948]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe [12/2/2006 6:17 AM 2805000]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - GTNDIS5
.
Contents of the 'Scheduled Tasks' folder

2010-04-01 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2010-04-04 c:\windows\Tasks\At1.job
- c:\program files\norton pc checkup\pc_checkup.exe [2008-06-29 21:50]

2010-04-04 c:\windows\Tasks\At2.job
- c:\program files\norton pc checkup\pc_checkup.exe [2008-06-29 21:50]

2010-04-02 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-823518204-1715567821-839522115-500Core1ca5ce4d839abbc.job
- c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-02 21:43]

2010-04-04 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Microsoft Security Essentials\MpCmdRun.exe [2009-12-09 22:02]

2010-04-04 c:\windows\Tasks\MpIdleTask.job
- c:\program files\Microsoft Security Essentials\MpCmdRun.exe [2009-12-09 22:02]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://hometab.bellsouth.net/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\3bpgapea.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://espn.go.com/
FF - component: c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\3bpgapea.default\extensions\piclens@cooliris.com\components\coolirisstub.dll
FF - plugin: c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\3bpgapea.default\extensions\battlefieldheroespatcher@ea.com\platform\WINNT_x86-msvc\plugins\npBFHUpdater.dll
FF - plugin: c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\3bpgapea.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp07074039.dll
FF - plugin: c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\3bpgapea.default\extensions\piclens@cooliris.com\plugins\npcoolirisplugin.dll
FF - plugin: c:\documents and settings\Administrator\Application Data\Mozilla\plugins\npcoolirisplugin.dll
FF - plugin: c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\documents and settings\Administrator\Local Settings\Application Data\Unity\WebPlayer\loader\npUnity3D32.dll
FF - plugin: c:\progra~1\Yahoo!\Common\npyaxmpb.dll
FF - plugin: c:\program files\Download Manager\npfpdlm.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-PlayNC Launcher - (no file)
HKLM-Run-wewamibovi - ladokijo.dll
MSConfigStartUp-EA Core - c:\program files\Electronic Arts\EADM\Core.exe
MSConfigStartUp-RecoverFromReboot - c:\windows\Temp\RecoverFromReboot.exe
MSConfigStartUp-wewamibovi - ladokijo.dll
AddRemove-UnityWebPlayer - c:\documents and settings\Administrator\Local Settings\Application Data\Unity\WebPlayer\Uninstall.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-03 21:01
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-823518204-1715567821-839522115-500\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:ab,ca,02,f8,e7,2a,01,d1,8a,4a,41,9b,7a,3b,74,f8,ab,b3,51,2f,61,eb,58,
16,68,3a,66,a8,a8,fc,85,b5,2e,60,48,3e,51,ec,13,67,7f,b7,18,75,23,0d,18,ef,\
"??"=hex:b4,4c,8a,71,ca,c2,3e,50,74,2a,17,d9,e4,fc,78,6d

[HKEY_USERS\S-1-5-21-823518204-1715567821-839522115-500\Software\SecuROM\License information*]
"datasecu"=hex:4e,ab,e1,f1,69,6b,51,01,c1,fb,02,ce,ad,98,fa,7c,9c,ea,9a,57,7b,
6a,8d,84,d2,9e,29,7e,1a,00,d0,e3,a4,6b,b7,f6,5f,1a,fe,31,8c,ed,65,07,fe,21,\
"rkeysecu"=hex:4d,44,3d,e7,98,25,95,32,01,50,1e,b5,58,e6,c6,bb

[HKEY_LOCAL_MACHINE\software\LicCtrl\LicCtrl\LicCtrl\LicCtrl*lkzs$i&#&y@^t! #^$ g9^$&pgb SDB36o \169D180DB7FE8847]
"1"=hex:1a,c6,90,39,73,14,70,4f,c7,99,3b,d6,b3,40,09,16,86,2b,9b,9b,f3,96,a9,
e9
"2"=hex:05,83,26,a9,dc,b6,17,45,de,2e,f0,41,a5,95,91,56,fe,07,ca,23,63,6c,c8,
df,a0,cb,29,a7,07,62,23,54
"3"=hex:1a,c6,90,39,73,14,70,4f,c7,99,3b,d6,b3,40,09,16,39,39,6a,6e,1d,99,29,
0e,9a,9e,61,33,16,37,68,38,ee,25,f6,f1,91,9f,21,a9,58,ec,19,f6,96,30,78,09

[HKEY_LOCAL_MACHINE\software\LicCtrl\LicCtrl\LicCtrl\LicCtrl*lkzs$i&#&y@^t! #^$ g9^$&pgb SDB36o \169D180DB7FE8847\CC7B909C85BC507A2CDBC39B09A1A69B]
"1"=hex:6a,02,e3,17,35,aa,4f,41,58,69,23,a3,81,f4,a8,0e,57,fe,fa,3f,01,c1,2c,
1c,5e,e5,91,0b,2f,7e,4c,e7,3c,a9,5c,7c,76,d5,a4,ad
"2"=hex:14,54,0e,5b,8d,87,00,e8
"3"=hex:6e,5a,42,7e,10,9e,69,5d,11,e9,d0,bd,73,61,2b,91,80,24,74,31,1e,1a,d1,
52,26,96,d5,64,db,f4,41,b6,d7,3e,22,d8,f6,51,5a,c7,dc,06,e9,89,14,5d,dc,99,\
"4"=hex:2f,ad,a2,e7,8a,bf,05,5e
"5"=hex:bf,e5,23,7b,b0,66,d6,fc,b8,e8,6b,a0,96,52,f7,32,80,09,8f,24,b7,b3,55,
1a,98,d1,47,16,02,43,61,1c,b9,d5,8f,2a,7b,81,b1,fb,95,22,f8,b3,2c,53,9d,ae,\
"6"=hex:6a,02,e3,17,35,aa,4f,41,58,69,23,a3,81,f4,a8,0e,57,fe,fa,3f,01,c1,2c,
1c,5e,e5,91,0b,2f,7e,4c,e7,a1,90,f0,ac,fb,7a,f7,c7,65,3e,b4,a7,ab,84,5f,0f,\
"7"=hex:1a,c6,90,39,73,14,70,4f,c7,99,3b,d6,b3,40,09,16,5c,6c,8a,b0,95,8d,88,
02,5c,f2,b7,9f,8e,b8,9a,b3,47,aa,06,9a,55,51,85,6f,7c,bd,b8,83,41,dc,29,77,\
"8"=hex:9d,9e,b2,b9,a7,a5,f4,ae,4d,29,c2,a3,c0,78,c4,c5,91,e8,a9,4b,f4,c5,51,
df,c7,9b,39,cf,09,f9,b0,9b,10,f6,18,b0,22,31,fd,a3,67,24,f4,8c,ca,19,d4,2d,\
"9"=hex:81,20,8f,ab,28,6a,52,9c
"18"=hex:4b,72,8f,bc,6c,3f,e4,15
"10"=hex:81,20,8f,ab,28,6a,52,9c
"11"=hex:81,20,8f,ab,28,6a,52,9c
"12"=hex:4a,66,bd,2b,3e,e3,ae,b4,5b,71,2a,f9,7e,6a,5d,8b,07,65,be,98,68,bb,04,
44,0e,d7,e0,8e,58,1d,ba,76,47,80,49,e9,30,81,98,37,2b,48,22,65,d7,e1,a0,63,\
"13"=hex:aa,9a,a2,a5,ce,a8,50,46,d1,e3,dd,f8,22,5a,1e,b1,51,ba,10,d2,7e,44,ae,
40
"14"=hex:0d,f5,4e,44,fe,9e,11,67,d4,ec,25,e7,d8,da,e7,24
"24"=hex:81,20,8f,ab,28,6a,52,9c
"26"=hex:81,20,8f,ab,28,6a,52,9c
"27"=hex:81,20,8f,ab,28,6a,52,9c
"19"=hex:e4,2b,41,da,5f,98,c6,e4,f7,26,c5,2d,6a,ad,c4,6b
"22"=hex:81,20,8f,ab,28,6a,52,9c
"15"=hex:95,ae,9c,0b,10,65,e0,6d,c5,ff,cb,cb,91,21,23,6a,84,a7,40,0c,a0,f1,21,
da,cd,f9,5b,4a,48,d0,74,2b,08,55,af,f1,65,ca,d6,cc,3f,55,f9,2b,28,e3,3f,42,\

[HKEY_LOCAL_MACHINE\software\LicCtrl\LicCtrl\LicCtrl\LicCtrl*lkzs$i&#&y@^t! #^$ g9^$&pgb SDB36o \501529F2142DBB50]
"1"=hex:55,71,d5,88,d4,e8,c4,23,86,c5,84,77,3a,01,80,8c
"2"=hex:e7,27,cf,42,f4,44,fe,c6,7c,92,71,43,d3,fc,2b,88,fa,d9,fe,5d,52,9c,ef,
9a,2a,6d,72,a6,74,ac,7c,c2
"3"=hex:55,71,d5,88,d4,e8,c4,23,fd,b6,60,5b,fa,86,28,a7,15,7e,26,7e,15,53,b1,
53,45,c5,e4,e2,cb,6f,56,41,9f,13,40,18,4a,19,41,af,82,2c,15,9b,68,3b,4e,c0

[HKEY_LOCAL_MACHINE\software\LicCtrl\LicCtrl\LicCtrl\LicCtrl*lkzs$i&#&y@^t! #^$ g9^$&pgb SDB36o \501529F2142DBB50\A9E17DC1A54D1D28BB40F338A2C6273E]
"1"=hex:80,21,ee,d1,6b,60,09,6f,f8,87,24,43,64,25,4c,aa,b2,18,c8,df,6b,eb,72,
a3,0a,b2,c0,1f,52,da,0b,fb
"2"=hex:81,20,8f,ab,28,6a,52,9c
"3"=hex:87,1f,59,45,40,da,a4,c5,91,de,15,84,2b,ca,f5,94,d5,07,a5,30,cb,fc,db,
cc,62,de,d8,79,b8,1e,4c,e7,71,0b,a9,da,2e,56,c8,fc,5c,47,99,4b,75,ad,f3,da,\
"4"=hex:2f,ad,a2,e7,8a,bf,05,5e
"5"=hex:bf,e5,23,7b,b0,66,d6,fc,b8,e8,6b,a0,96,52,f7,32,80,09,8f,24,b7,b3,55,
1a,98,d1,47,16,02,43,61,1c,b9,d5,8f,2a,7b,81,b1,fb,95,22,f8,b3,2c,53,9d,ae,\
"6"=hex:80,21,ee,d1,6b,60,09,6f,f8,87,24,43,64,25,4c,aa,b2,18,c8,df,6b,eb,72,
a3,c2,b5,a5,be,18,5e,8d,12,a5,96,30,c8,e8,9b,a0,07,34,11,26,76,4a,05,43,f8,\
"7"=hex:80,21,ee,d1,6b,60,09,6f,f8,87,24,43,64,25,4c,aa,b2,18,c8,df,6b,eb,72,
a3,0a,b2,c0,1f,52,da,0b,fb
"8"=hex:9d,9e,b2,b9,a7,a5,f4,ae,4d,29,c2,a3,c0,78,c4,c5,65,47,71,48,e9,1d,9d,
ae,8d,a8,42,08,32,10,f7,67,cf,df,52,86,31,35,e0,07,c7,f4,11,f0,ed,74,e2,7b,\
"9"=hex:81,20,8f,ab,28,6a,52,9c
"18"=hex:4b,72,8f,bc,6c,3f,e4,15
"10"=hex:81,20,8f,ab,28,6a,52,9c
"11"=hex:81,20,8f,ab,28,6a,52,9c
"12"=hex:71,95,af,43,b6,e1,51,7d,59,2f,07,87,28,05,1b,73,fd,9a,8d,a5,8c,c0,c2,
36,0b,3b,15,71,28,e8,88,76,13,93,5d,3f,9c,c1,ab,1c,db,da,1a,93,ef,e9,d6,0f,\
"13"=hex:5b,84,89,5b,ba,11,4a,5f,96,62,ca,90,98,f3,4d,87,23,19,c7,23,04,04,ef,
ca
"14"=hex:a6,c1,97,cd,4d,ca,f1,2d
"24"=hex:81,20,8f,ab,28,6a,52,9c
"26"=hex:81,20,8f,ab,28,6a,52,9c
"27"=hex:81,20,8f,ab,28,6a,52,9c
"19"=hex:22,dd,7c,10,98,33,8b,90,d8,fb,9b,ce,16,2b,c4,da
"22"=hex:81,20,8f,ab,28,6a,52,9c
"15"=hex:a5,23,c5,b8,9c,00,4f,3d,c0,1b,6a,00,c4,9a,e8,a1,8f,e5,b3,f1,7b,28,b0,
c2,eb,ca,cb,c3,45,53,66,44,cc,a2,80,11,10,b1,71,9c,cc,4d,62,bc,14,73,ff,89,\

[HKEY_LOCAL_MACHINE\software\LicCtrl\LicCtrl\LicCtrl\LicCtrl*lkzs$i&#&y@^t! #^$ g9^$&pgb SDB36o \F3F0046F119EFA4F]
"1"=hex:97,5e,49,d3,7c,a0,18,18,10,c9,e3,e3,c1,ae,57,ed,c2,97,86,6a,a5,82,f8,
d5,44,f7,88,8f,b5,4c,1b,f9,3e,da,c2,d2,eb,69,77,32,91,02,8c,84,09,5e,d2,d3
"2"=hex:f1,df,16,de,80,08,0e,2a,d1,38,b5,6f,94,ca,dc,d2,b3,e8,d2,40,6c,6f,61,
5e,d2,5e,7f,21,14,b5,b2,29
"3"=hex:97,5e,49,d3,7c,a0,18,18,10,c9,e3,e3,c1,ae,57,ed,c2,97,86,6a,a5,82,f8,
d5,f2,55,76,c8,bc,53,92,25,3f,d1,b6,bc,00,35,73,43,96,90,79,f6,5b,97,35,47,\

[HKEY_LOCAL_MACHINE\software\LicCtrl\LicCtrl\LicCtrl\LicCtrl*lkzs$i&#&y@^t! #^$ g9^$&pgb SDB36o \F3F0046F119EFA4F\58BBB2CAA762B86BF8228F8849EB5144]
"1"=hex:97,5e,49,d3,7c,a0,18,18,10,c9,e3,e3,c1,ae,57,ed,60,42,a5,db,24,eb,e2,
b0,53,74,ea,24,5b,d9,02,83
"2"=hex:84,00,a2,e9,a5,84,bc,35
"3"=hex:2b,1e,37,e0,35,c7,e6,a0,02,06,4a,d2,f9,de,16,67,13,28,eb,c2,c2,f7,7b,
f6,90,da,1b,29,84,e1,3b,09,86,4a,ff,5e,f4,7d,6f,f4,f6,4e,63,ab,7b,74,f7,88,\
"4"=hex:2f,ad,a2,e7,8a,bf,05,5e
"5"=hex:bf,e5,23,7b,b0,66,d6,fc,b8,e8,6b,a0,96,52,f7,32,80,09,8f,24,b7,b3,55,
1a,98,d1,47,16,02,43,61,1c,b9,d5,8f,2a,7b,81,b1,fb,95,22,f8,b3,2c,53,9d,ae,\
"6"=hex:97,5e,49,d3,7c,a0,18,18,10,c9,e3,e3,c1,ae,57,ed,60,42,a5,db,24,eb,e2,
b0,0b,6a,8c,ca,2a,b0,fe,b3,4b,64,48,ea,1f,44,5e,dc,e9,a1,c1,1e,2b,ba,8b,4e,\
"7"=hex:97,5e,49,d3,7c,a0,18,18,10,c9,e3,e3,c1,ae,57,ed,60,42,a5,db,24,eb,e2,
b0,53,74,ea,24,5b,d9,02,83
"8"=hex:9d,9e,b2,b9,a7,a5,f4,ae,4d,29,c2,a3,c0,78,c4,c5,6b,8d,dd,0b,84,72,f6,
f2,3d,a6,3c,a0,07,7d,db,f3,88,a8,6c,3f,5c,60,94,94,89,77,0c,65,96,1c,ff,8e,\
"9"=hex:81,20,8f,ab,28,6a,52,9c
"18"=hex:4b,72,8f,bc,6c,3f,e4,15
"10"=hex:81,20,8f,ab,28,6a,52,9c
"11"=hex:81,20,8f,ab,28,6a,52,9c
"12"=hex:77,bc,13,29,9f,9c,34,66,6d,8d,9c,52,39,98,56,41,0f,24,fd,e7,8b,6b,33,
7a,2d,ff,f8,48,1f,a2,57,90,ef,47,22,88,2b,d3,33,b6,3e,d9,0c,67,31,7a,88,51,\
"13"=hex:22,9a,a0,8a,99,25,cd,54,16,0e,25,20,b9,e7,7a,6c,48,95,33,00,4d,78,74,
ee
"14"=hex:84,23,eb,9e,98,3e,c4,f1
"24"=hex:81,20,8f,ab,28,6a,52,9c
"26"=hex:81,20,8f,ab,28,6a,52,9c
"27"=hex:81,20,8f,ab,28,6a,52,9c
"19"=hex:09,80,c9,00,a2,44,18,10,af,17,a7,6c,ea,cc,38,6b
"22"=hex:81,20,8f,ab,28,6a,52,9c
"15"=hex:0e,ea,2d,bb,5d,b5,0c,6b,b2,d7,fa,1a,6b,29,25,3e,55,a3,38,5a,53,b5,90,
9d,bf,e4,08,f2,7c,35,83,18,04,fe,ca,1c,e1,54,71,5a,63,b9,e5,a6,ae,1d,41,14,\

[HKEY_LOCAL_MACHINE\software\LicCtrl\LicCtrl\LicCtrl\LicCtrl*lkzs$i&#&y@^t! #^$ g9^$&pgb SDB36o \F3F0046F119EFA4F\A28FC91DA48F2E633FEBC5F75796F7EE]
"1"=hex:97,5e,49,d3,7c,a0,18,18,10,c9,e3,e3,c1,ae,57,ed,60,42,a5,db,24,eb,e2,
b0,50,94,16,01,b2,17,1a,42
"2"=hex:af,de,e1,d4,71,84,6f,cd
"3"=hex:09,8d,f5,34,e1,70,2a,63,2c,07,e0,78,06,f7,5e,dd,c3,63,73,e6,0d,02,c0,
2a,9d,a4,bd,91,20,48,d9,51,c6,cf,6e,fb,41,cf,0d,31,b2,b7,8c,67,aa,3e,a3,2c,\
"4"=hex:2f,ad,a2,e7,8a,bf,05,5e
"5"=hex:bf,e5,23,7b,b0,66,d6,fc,b8,e8,6b,a0,96,52,f7,32,80,09,8f,24,b7,b3,55,
1a,98,d1,47,16,02,43,61,1c,b9,d5,8f,2a,7b,81,b1,fb,95,22,f8,b3,2c,53,9d,ae,\
"6"=hex:97,5e,49,d3,7c,a0,18,18,10,c9,e3,e3,c1,ae,57,ed,60,42,a5,db,24,eb,e2,
b0,c2,7a,22,37,ea,ed,a9,12,3e,e1,c8,dc,28,3e,46,e1,6b,10,d1,0d,d2,c1,3b,7d,\
"7"=hex:97,5e,49,d3,7c,a0,18,18,10,c9,e3,e3,c1,ae,57,ed,60,42,a5,db,24,eb,e2,
b0,fc,f4,86,ed,7d,07,89,29,2f,7f,fa,55,aa,50,20,7e,7c,e5,f7,a8,05,d7,35,13,\
"8"=hex:9d,9e,b2,b9,a7,a5,f4,ae,4d,29,c2,a3,c0,78,c4,c5,6b,8d,dd,0b,84,72,f6,
f2,3d,a6,3c,a0,07,7d,db,f3,88,a8,6c,3f,5c,60,94,94,89,77,0c,65,96,1c,ff,8e,\
"9"=hex:81,20,8f,ab,28,6a,52,9c
"18"=hex:4b,72,8f,bc,6c,3f,e4,15
"10"=hex:81,20,8f,ab,28,6a,52,9c
"11"=hex:81,20,8f,ab,28,6a,52,9c
"12"=hex:89,7c,7d,f4,ce,d2,6a,7b,dc,17,5e,ef,6a,af,ce,b7,cf,19,e5,d3,63,2b,de,
b2,1b,eb,c8,e2,74,0f,84,31,2a,6c,53,f2,37,3c,7a,cb,bf,e9,5c,8e,05,17,1e,9a,\
"13"=hex:00,bc,d6,1e,98,8e,6a,72,40,e9,89,6e,83,ef,21,75,a4,9a,a5,af,e5,a4,a6,
be
"14"=hex:3b,71,c6,44,4a,52,dd,47
"24"=hex:81,20,8f,ab,28,6a,52,9c
"26"=hex:81,20,8f,ab,28,6a,52,9c
"27"=hex:81,20,8f,ab,28,6a,52,9c
"19"=hex:7f,de,4b,e6,01,cb,9e,76,1b,9e,eb,28,49,49,81,d7
"22"=hex:81,20,8f,ab,28,6a,52,9c
"15"=hex:21,0a,5d,5c,36,be,a2,8f,a9,23,a9,31,d0,87,25,c4,8a,c4,54,dc,93,d4,85,
d4,6c,1f,91,37,40,00,71,30,eb,71,60,64,16,e9,f9,8b,de,c7,20,aa,75,94,db,d3,\

[HKEY_LOCAL_MACHINE\software\LicCtrl\LicCtrl\LicCtrl\LicCtrl*lkzs$i&#&y@^t! #^$ g9^$&pgb SDB36o \F3F0046F119EFA4F\D580A8CFDA60E9362F91B6F863D46379]
"1"=hex:97,5e,49,d3,7c,a0,18,18,10,c9,e3,e3,c1,ae,57,ed,60,42,a5,db,24,eb,e2,
b0,50,94,16,01,b2,17,1a,42
"2"=hex:11,b7,bf,c5,fa,e2,5a,47
"3"=hex:5e,c3,3e,f4,0e,4e,d8,1f,83,0f,ff,13,6f,59,60,1a,0f,67,17,22,b3,ec,cf,
73,cc,a4,59,87,f0,ab,8f,63,ef,cf,1a,ca,c2,98,36,17,38,8f,aa,db,7d,2d,aa,69,\
"4"=hex:2f,ad,a2,e7,8a,bf,05,5e
"5"=hex:bf,e5,23,7b,b0,66,d6,fc,b8,e8,6b,a0,96,52,f7,32,80,09,8f,24,b7,b3,55,
1a,98,d1,47,16,02,43,61,1c,b9,d5,8f,2a,7b,81,b1,fb,95,22,f8,b3,2c,53,9d,ae,\
"6"=hex:97,5e,49,d3,7c,a0,18,18,10,c9,e3,e3,c1,ae,57,ed,60,42,a5,db,24,eb,e2,
b0,30,ee,8f,52,62,66,50,ce,77,e9,c4,12,3a,ea,b5,46,6c,fa,23,06,2c,2a,16,61,\
"7"=hex:97,5e,49,d3,7c,a0,18,18,10,c9,e3,e3,c1,ae,57,ed,60,42,a5,db,24,eb,e2,
b0,04,de,29,1c,d1,59,b3,b5,1c,3a,e8,07,ed,d8,08,6e,a7,52,c4,be,fd,58,1e,61,\
"8"=hex:9d,9e,b2,b9,a7,a5,f4,ae,4d,29,c2,a3,c0,78,c4,c5,6b,8d,dd,0b,84,72,f6,
f2,3d,a6,3c,a0,07,7d,db,f3,88,a8,6c,3f,5c,60,94,94,89,77,0c,65,96,1c,ff,8e,\
"9"=hex:81,20,8f,ab,28,6a,52,9c
"18"=hex:4b,72,8f,bc,6c,3f,e4,15
"10"=hex:81,20,8f,ab,28,6a,52,9c
"11"=hex:81,20,8f,ab,28,6a,52,9c
"12"=hex:08,bd,be,29,09,18,43,cd,05,b7,9e,4b,a9,f3,2a,fe,a9,ce,c7,03,44,37,91,
12,b1,ee,89,fa,22,82,7e,00,e8,3f,53,04,44,46,6f,86,99,93,51,48,e0,56,93,2d,\
"13"=hex:67,53,eb,5d,55,f8,36,ba,2f,b6,0d,72,df,41,94,a3,48,26,12,04,dd,b4,ff,
a6
"14"=hex:6b,51,bd,2b,8f,5b,c4,81
"24"=hex:81,20,8f,ab,28,6a,52,9c
"26"=hex:81,20,8f,ab,28,6a,52,9c
"27"=hex:81,20,8f,ab,28,6a,52,9c
"19"=hex:7f,de,4b,e6,01,cb,9e,76,1b,9e,eb,28,49,49,81,d7
"22"=hex:81,20,8f,ab,28,6a,52,9c
"15"=hex:42,75,fd,54,f0,25,a2,b9,12,04,2a,fa,4c,4c,3f,42,96,50,8e,01,00,f6,27,
ca,eb,d1,7d,77,e0,ad,84,1b,86,a2,54,56,ed,b3,d7,21,3f,6b,bf,e5,5a,50,48,66,\

[HKEY_LOCAL_MACHINE\software\LicCtrl\LicCtrl\LicCtrl\LicCtrl*lkzs$i&#&y@^t! #^$ g9^$&pgb SDB36o \F93383AA3238BCCB]
"1"=hex:47,af,e3,b9,38,4b,f6,e6,cb,8b,59,0c,3a,af,c5,a2,d6,9f,52,ce,23,dc,1a,
c2
"2"=hex:d1,c8,c3,5e,08,10,b9,8f,1e,fd,a6,7c,f5,6d,b0,f3,a6,71,8f,f8,ab,bd,bd,
76,64,10,04,f0,92,77,f9,20
"3"=hex:47,af,e3,b9,38,4b,f6,e6,cb,8b,59,0c,3a,af,c5,a2,ac,98,11,9b,be,95,83,
07,ae,ba,7e,d8,e6,d6,56,50,c4,dc,bb,7b,18,78,a4,de,04,5c,25,4e,9f,d7,39,6d

[HKEY_LOCAL_MACHINE\software\LicCtrl\LicCtrl\LicCtrl\LicCtrl*lkzs$i&#&y@^t! #^$ g9^$&pgb SDB36o \F93383AA3238BCCB\DBF31101A5C3B93315CBBEA90ED13257]
"1"=hex:05,63,4e,ca,af,1d,39,e0,e8,3b,06,bc,35,26,5b,04,02,70,fd,49,72,ea,3f,
0d,c1,ed,7b,62,a7,87,bb,89
"2"=hex:c6,d7,96,b5,5f,fa,3f,77
"3"=hex:23,9d,2a,bf,fb,1d,18,8d,e7,93,09,5f,ef,6f,a2,f8,00,10,47,c7,b0,0e,5e,
97,4b,65,0c,71,bf,0e,eb,de,f5,85,03,72,3d,0e,4a,fe,82,c0,17,e9,04,f2,f2,4f,\
"4"=hex:2f,ad,a2,e7,8a,bf,05,5e
"5"=hex:bf,e5,23,7b,b0,66,d6,fc,b8,e8,6b,a0,96,52,f7,32,80,09,8f,24,b7,b3,55,
1a,98,d1,47,16,02,43,61,1c,b9,d5,8f,2a,7b,81,b1,fb,95,22,f8,b3,2c,53,9d,ae,\
"6"=hex:05,63,4e,ca,af,1d,39,e0,e8,3b,06,bc,35,26,5b,04,02,70,fd,49,72,ea,3f,
0d,38,a0,6c,90,31,db,5a,af,1a,99,07,f1,ef,d1,93,a4,80,fd,34,8b,e9,c5,e1,a0,\
"7"=hex:3b,e8,2f,01,6c,32,33,d8,e1,d7,f3,f6,0e,0a,fa,46,62,39,09,43,d3,da,73,
d4,4e,db,d0,f9,b1,fb,0a,f1,d3,99,57,af,7d,98,93,fd,a5,1e,64,b6,5b,35,28,e1,\
"8"=hex:63,5a,d7,1b,b1,d4,18,46,0a,a7,b3,1c,99,c8,a4,fc,86,f4,fe,cb,ec,d3,4e,
4c,1b,ae,32,7d,1e,63,9b,e8,91,4b,74,fd,63,b1,f5,71
"9"=hex:81,20,8f,ab,28,6a,52,9c
"18"=hex:4b,72,8f,bc,6c,3f,e4,15
"10"=hex:81,20,8f,ab,28,6a,52,9c
"11"=hex:81,20,8f,ab,28,6a,52,9c
"12"=hex:72,61,a7,7c,10,da,a6,a3,1d,23,c1,6d,4d,ad,b3,06,fc,7f,ad,60,e3,19,49,
dc,99,21,3b,e6,af,cf,db,28,48,06,88,26,53,8a,67,bf,bb,9f,67,60,c6,96,08,c3,\
"13"=hex:e7,e5,ed,0c,06,af,5e,17,8d,21,90,f2,60,2e,a0,a9,dc,7c,28,83,f6,20,99,
08
"14"=hex:79,6a,b1,0b,fb,82,9f,17
"24"=hex:81,20,8f,ab,28,6a,52,9c
"26"=hex:81,20,8f,ab,28,6a,52,9c
"27"=hex:81,20,8f,ab,28,6a,52,9c
"19"=hex:89,98,f4,25,5a,d8,6b,49,3a,d6,99,69,46,be,b6,50
"22"=hex:81,20,8f,ab,28,6a,52,9c
"15"=hex:88,ae,b0,68,9e,b4,9b,4e,98,0b,07,cc,24,e0,4a,45,e3,40,22,88,40,5d,1e,
9b,77,fa,7a,85,ea,fc,8e,84,61,f6,bd,3b,45,cf,2f,47,fb,e1,df,43,6d,5a,83,21,\

[HKEY_LOCAL_MACHINE\software\Microsoft\Cryptography\RNG*]
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(344)
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll

- - - - - - - > 'explorer.exe'(3848)
c:\windows\system32\WININET.dll
c:\program files\NVIDIA Corporation\nView\nview.dll
c:\program files\TortoiseSVN\bin\tortoisesvn.dll
c:\program files\TortoiseSVN\bin\intl3_svn.dll
c:\windows\system32\ieframe.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvsvc32.exe
c:\program files\Microsoft Security Essentials\MsMpEng.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Cisco Systems\VPN Client\cvpnd.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\PnkBstrA.exe
c:\windows\system32\PnkBstrB.exe
c:\program files\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe
c:\program files\Compact Wireless-G USB Adapter Wireless Network Monitor\WUSB54GC.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\RUNDLL32.EXE
c:\windows\system32\rundll32.exe
c:\program files\OpenOffice.org 3\program\soffice.exe
c:\program files\OpenOffice.org 3\program\soffice.bin
c:\windows\system32\taskmgr.exe
c:\program files\TortoiseSVN\bin\TSVNCache.exe
.
**************************************************************************
.
Completion time: 2010-04-03 21:14:45 - machine was rebooted
ComboFix-quarantined-files.txt 2010-04-04 01:14

Pre-Run: 43,739,136,000 bytes free
Post-Run: 43,858,362,368 bytes free

- - End Of File - - F4F305B1383ACDBD6FC011FA0524C4B0


#4 thewall

thewall

  • Malware Response Team
  • 6,425 posts
  • OFFLINE
  • Gender:Male
  • Location:Florida
  • Local time:07:02 AM

Posted 04 April 2010 - 09:07 AM

  • Submit file sample
  • Open to the Submission Channel.
  • Under Link to topic where this file was requested, input:
    CODE
    http://www.bleepingcomputer.com/forums/t/306738/vundosecurity-guard-issuessystem-performance-problems/?p=1699444
  • Click Browse and select the c:\windows\system32\koyifufe.dll
  • Under the comments section, say that thewall asked for the submission.
  • Then select Send File to send it
  • After that you should get a confirmation if it was uploaded successfully.
Let me know when you have uploaded the log.

Please do the same for the following file:

c:\windows\system32\numisufe.dll
.
If I have helped you then please consider donating so I can continue the fight against malware
All donations go directly to the helper

Due to the large amount of backlogs we have I cannot respond to PMs for help unless I am already working with you

#5 radii

radii
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:08:02 AM

Posted 04 April 2010 - 02:46 PM

I've seen both of those files reported in the above logs, but I don't see either of them in my C:\windows\system32 folder. I have "show hidden files" set in my explorer options, and I haven't been running anything else during this process (I've mostly kept this PC powered down in fact). Any ideas? Thanks again!

#6 thewall

thewall

  • Malware Response Team
  • 6,425 posts
  • OFFLINE
  • Gender:Male
  • Location:Florida
  • Local time:07:02 AM

Posted 04 April 2010 - 04:44 PM

It's OK, the files appear to be bad; I just wanted them uploaded to take a look. We can see the one file numisufe.dll in the link from Prevx below (look under aliases), and the other file was created close to the same time and is the exact same size, plus it looks like a Vundo file anyway from the way it is named.

http://www.prevx.com/filenames/68884276012...BOKUZU.DLL.html

Special ComboFix script made for this computer only

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs including TeaTimer if you have it so they do not interfere with the running of ComboFix. Instructions for doing so are located here

3. Open notepad and copy/paste the text in the quotebox below into it:

QUOTE
collect::
c:\windows\system32\koyifufe.dll
c:\windows\system32\numisufe.dll


Save this as CFScript.txt, in the same location as ComboFix.exe

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

#7 radii

radii
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:08:02 AM

Posted 04 April 2010 - 05:31 PM

Here is the latest log. I notice that Security Guard is not listed as an antivirus program anymore, hopefully that is a good thing!

ComboFix 10-04-03.02 - Administrator 04/04/2010 18:00:55.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1414 [GMT -4:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript.txt
AV: Microsoft Security Essentials *On-access scanning disabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
FW: FortiClient Personal Firewall *disabled* {528CB157-D384-4593-AAAA-E42DFF111CED}
* Created a new restore point

file zipped: c:\windows\system32\koyifufe.dll
file zipped: c:\windows\system32\numisufe.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\koyifufe.dll
c:\windows\system32\numisufe.dll
c:\windows\TEMP\12.tmp

.
((((((((((((((((((((((((( Files Created from 2010-03-04 to 2010-04-04 )))))))))))))))))))))))))))))))
.

2010-04-02 07:51 . 2010-04-02 07:51 -------- d-----w- c:\documents and settings\Administrator\Application Data\OpenOffice.org
2010-04-02 02:22 . 2010-04-02 02:22 -------- d-----w- c:\program files\Trend Micro
2010-04-02 00:52 . 2010-04-02 00:52 -------- d-----w- c:\program files\Microsoft Security Essentials
2010-04-02 00:34 . 2010-04-02 00:34 -------- d-----w- c:\program files\JRE
2010-04-02 00:34 . 2010-04-02 00:34 -------- d-----w- c:\program files\OpenOffice.org 3
2010-04-01 19:27 . 2010-04-01 19:32 -------- d-----w- c:\program files\malwarecleaner
2010-04-01 16:31 . 2010-04-01 16:31 -------- d-sh--w- c:\documents and settings\All Users\Application Data\SGGDAD
2010-04-01 16:31 . 2010-04-01 16:31 -------- d-sh--w- c:\documents and settings\All Users\Application Data\347a36a
2010-03-30 17:51 . 2010-03-30 17:51 138056 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2010-03-30 17:51 . 2010-03-30 17:51 189248 ----a-w- c:\windows\system32\PnkBstrB.exe
2010-03-30 17:51 . 2010-03-30 17:51 75064 ----a-w- c:\windows\system32\PnkBstrA.exe
2010-03-30 17:51 . 2010-03-30 17:51 2407792 ----a-w- c:\windows\system32\pbsvc_heroes.exe
2010-03-30 17:51 . 2010-03-30 17:51 -------- d-----w- c:\windows\system32\LogFiles
2010-03-30 17:07 . 2010-03-30 17:07 -------- d-----w- c:\program files\EA Games
2010-03-13 18:57 . 2010-03-13 18:57 -------- d-----w- c:\program files\PokerShortcuts
2010-03-13 18:54 . 2010-03-13 18:54 -------- d-----w- c:\program files\FT Table Opener
2010-03-12 20:32 . 2010-03-12 20:32 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\In_The_Money_LLC
2010-03-12 20:32 . 2010-03-16 15:22 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\In The Money
2010-03-12 20:32 . 2010-03-12 20:32 -------- d-----w- c:\program files\In The Money
2010-03-12 17:33 . 2010-03-12 17:33 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\cache
2010-03-10 18:25 . 2009-10-23 15:28 3558912 -c----w- c:\windows\system32\dllcache\moviemk.exe
2010-03-07 01:52 . 2010-03-07 01:55 -------- d-----w- c:\program files\Heroes of Newerth

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-04 22:16 . 2007-03-29 17:02 8129 --sha-w- c:\windows\system32\mmf.sys
2010-04-04 00:40 . 2010-04-04 00:39 -------- d-----w- c:\program files\Norton PC Checkup
2010-04-04 00:39 . 2010-04-04 00:39 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-04-02 00:53 . 2006-10-23 20:41 37952 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-04-02 00:44 . 2009-09-18 12:13 -------- d-----w- c:\program files\Cryptic Studios
2010-04-02 00:43 . 2008-04-05 08:54 -------- d-----w- c:\program files\Cake Poker
2010-04-02 00:33 . 2008-03-04 14:09 -------- d-----w- c:\program files\OpenOffice.org 2.3
2010-04-02 00:29 . 2007-04-10 04:53 -------- d-----w- c:\program files\Common Files\Java
2010-04-02 00:28 . 2009-01-05 03:40 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-04-02 00:28 . 2007-04-10 04:53 -------- d-----w- c:\program files\Java
2010-04-01 21:20 . 2009-10-18 23:20 -------- d-----w- c:\program files\NCSoft
2010-04-01 19:25 . 2009-02-26 17:51 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-01 19:23 . 2008-12-11 17:41 -------- d-----w- c:\program files\CCleaner
2010-04-01 18:31 . 2007-01-03 02:09 -------- d-----w- c:\program files\Common Files\Adobe
2010-04-01 04:54 . 2009-06-19 07:31 2352 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2010-03-30 17:51 . 2010-03-30 17:51 138056 ----a-w- c:\documents and settings\Administrator\Application Data\PnkBstrK.sys
2010-03-30 16:17 . 2008-03-04 14:11 -------- d-----w- c:\documents and settings\Administrator\Application Data\OpenOffice.org2
2010-03-29 19:24 . 2009-02-26 17:51 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-29 19:24 . 2009-02-26 17:51 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-19 22:31 . 2007-12-31 21:10 -------- d-----w- c:\program files\Full Tilt Poker
2010-03-16 14:53 . 2007-08-15 02:06 -------- d-----w- c:\program files\PokerStove
2010-03-05 17:49 . 2009-10-13 19:45 -------- d-----w- c:\program files\Windows Grep
2010-02-23 04:11 . 2007-08-16 01:30 -------- d-----w- c:\program files\mIRC
2010-02-18 02:13 . 2009-08-01 03:51 33780 ---ha-w- c:\windows\system32\mlfcache.dat
2010-02-17 08:35 . 2009-01-23 14:50 -------- d-----w- c:\program files\Digsby
2010-02-13 20:22 . 2009-12-13 01:21 -------- d-----w- c:\program files\Common Files\Adobe AIR
2010-02-12 01:19 . 2009-01-17 10:00 -------- d-----w- c:\documents and settings\All Users\Application Data\Electronic Arts
2010-01-05 10:00 . 2006-03-15 12:00 832512 ------w- c:\windows\system32\wininet.dll
2010-01-05 10:00 . 2006-03-15 12:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-01-05 10:00 . 2006-03-15 12:00 17408 ----a-w- c:\windows\system32\corpol.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igndlm.exe"="c:\program files\Download Manager\DLM.exe" [2009-05-14 1103216]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2005-05-20 925696]
"FortiClient"="c:\program files\Fortinet\FortiClient\FortiClient.exe" [2007-08-24 1477240]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-03-29 413696]
"nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2009-08-13 1657376]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-08-17 13877248]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-08-17 86016]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2007-08-18 185632]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-01-11 246504]
"MSSE"="c:\program files\Microsoft Security Essentials\msseces.exe" [2010-02-21 1093208]
"wewamibovi"="ladokijo.dll" [BU]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]

c:\documents and settings\Administrator\Start Menu\Programs\Startup\
OpenOffice.org 3.2.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2009-12-15 384000]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
802.11g Wireless LAN PCI Card Utility.lnk - c:\program files\Nonbrand\802.11g Wireless LAN PCI Card Driver and Utility\RtWlan.exe [2007-12-26 5856256]
VPN Client.lnk - c:\windows\Installer\{51FB15F4-AD27-43BC-AD4B-DD0354FB6BBD}\Icon3E5562ED7.ico [2009-2-8 6144]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeCS4ServiceManager]
2008-08-14 11:58 611712 ----a-w- c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
2004-08-10 11:04 59392 ----a-w- c:\windows\ehome\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2008-09-02 21:43 133104 ----atw- c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\High Definition Audio Property Page Shortcut]
2004-10-27 22:21 61952 ------w- c:\windows\system32\HdAShCut.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2008-03-30 14:36 267048 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NCsoft Launcher]
2010-04-01 21:18 38184 ----a-w- c:\program files\NCSoft\Launcher\NCLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
2009-11-04 00:21 1217808 ----a-w- c:\program files\Steam\steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2007-08-18 01:58 185632 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
2007-03-01 23:11 4670968 ----a-w- c:\program files\Yahoo!\Messenger\YahooMessenger.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Fortinet\\FortiClient\\ipsec.exe"=
"c:\\Program Files\\Trillian\\trillian.exe"=
"c:\\Program Files\\Turbine\\The Lord of the Rings Online\\lotroclient.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\mIRC\\mirc.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\mount and blade\\runme.exe"=
"c:\\Program Files\\Analog Devices\\Core\\smax4pnp.exe"=
"c:\\Program Files\\Analog Devices\\SoundMAX\\SMax4.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\dragon age origins\\bin_ship\\daupdatersvc.service.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\tropico 3\\tropico3.exe"=
"c:\\Riot Games\\League of Legends\\air\\LolClient.exe"=
"c:\\Riot Games\\League of Legends\\game\\League of Legends.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\empire total war\\Empire.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\dragon age origins\\bin_ship\\DAOrigins.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\dragon age origins\\DAOriginsLauncher.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\WINDOWS\\system32\\vsjitdebugger.exe"=
"c:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Microsoft Security Essentials\\msseces.exe"=
"c:\\WINDOWS\\system32\\taskmgr.exe"=
"c:\\Program Files\\Microsoft Visual Studio 9.0\\Common7\\IDE\\devenv.exe"=
"c:\\WINDOWS\\system32\\wscntfy.exe"=
"c:\\Riot Games\\League of Legends\\lol.launcher.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724
"5353:TCP"= 5353:TCP:Adobe CSI CS4
"8370:TCP"= 8370:TCP:League of Legends Launcher
"8370:UDP"= 8370:UDP:League of Legends Launcher
"8372:TCP"= 8372:TCP:League of Legends Launcher
"8372:UDP"= 8372:UDP:League of Legends Launcher
"8373:TCP"= 8373:TCP:League of Legends Launcher
"8373:UDP"= 8373:UDP:League of Legends Launcher
"8374:TCP"= 8374:TCP:League of Legends Launcher
"8374:UDP"= 8374:UDP:League of Legends Launcher
"8375:TCP"= 8375:TCP:League of Legends Launcher
"8375:UDP"= 8375:UDP:League of Legends Launcher
"6949:TCP"= 6949:TCP:League of Legends Launcher
"6949:UDP"= 6949:UDP:League of Legends Launcher
"8376:TCP"= 8376:TCP:League of Legends Launcher
"8376:UDP"= 8376:UDP:League of Legends Launcher
"6960:TCP"= 6960:TCP:League of Legends Launcher
"6960:UDP"= 6960:UDP:League of Legends Launcher
"8393:TCP"= 8393:TCP:League of Legends Lobby
"8393:UDP"= 8393:UDP:League of Legends Lobby
"8390:TCP"= 8390:TCP:League of Legends Game Client
"8390:UDP"= 8390:UDP:League of Legends Game Client
"6888:TCP"= 6888:TCP:League of Legends Launcher
"6888:UDP"= 6888:UDP:League of Legends Launcher

R1 Fortigen;Fortigen;c:\windows\system32\drivers\fortigen.sys [8/24/2007 10:51 AM 14240]
R1 FortiPFW;FortiPFW;c:\windows\system32\drivers\fortipfw.sys [8/24/2007 10:51 AM 120992]
R2 Fortips;Fortips;c:\windows\system32\drivers\fortips.sys [8/24/2007 10:51 AM 96928]
R2 FortiRdr;FortiRdr;c:\windows\system32\drivers\FortiRdr.sys [8/24/2007 10:52 AM 18464]
R2 LicCtrlService;LicCtrl Service;c:\windows\Runservice.exe [3/29/2007 1:02 PM 2560]
R3 Fortidrv2;FortiNet Fortidrv Service;c:\windows\system32\drivers\fortidrv.sys [8/24/2007 10:51 AM 22176]
R3 ft_vnic;Fortinet network virtual adapter;c:\windows\system32\drivers\ftvnic.sys [8/24/2007 10:51 AM 14496]
S3 DAUpdaterSvc;Dragon Age: Origins - Content Updater;c:\program files\Steam\steamapps\common\dragon age origins\bin_ship\daupdatersvc.service.exe [11/8/2009 11:50 PM 25832]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2/26/2009 1:51 PM 38224]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 pgsql-8.2;PostgreSQL Database Server 8.2;c:\program files\PostgreSQL\8.2\bin\pg_ctl.exe [9/17/2007 9:09 AM 79948]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe [12/2/2006 6:17 AM 2805000]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - GTNDIS5
.
Contents of the 'Scheduled Tasks' folder

2010-04-01 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2010-04-04 c:\windows\Tasks\At1.job
- c:\program files\norton pc checkup\pc_checkup.exe [2008-06-29 21:50]

2010-04-04 c:\windows\Tasks\At2.job
- c:\program files\norton pc checkup\pc_checkup.exe [2008-06-29 21:50]

2010-04-02 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-823518204-1715567821-839522115-500Core1ca5ce4d839abbc.job
- c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-02 21:43]

2010-04-04 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Microsoft Security Essentials\MpCmdRun.exe [2009-12-09 22:02]

2010-04-04 c:\windows\Tasks\MpIdleTask.job
- c:\program files\Microsoft Security Essentials\MpCmdRun.exe [2009-12-09 22:02]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://hometab.bellsouth.net/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\3bpgapea.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://espn.go.com/
FF - component: c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\3bpgapea.default\extensions\piclens@cooliris.com\components\coolirisstub.dll
FF - plugin: c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\3bpgapea.default\extensions\battlefieldheroespatcher@ea.com\platform\WINNT_x86-msvc\plugins\npBFHUpdater.dll
FF - plugin: c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\3bpgapea.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp07074039.dll
FF - plugin: c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\3bpgapea.default\extensions\piclens@cooliris.com\plugins\npcoolirisplugin.dll
FF - plugin: c:\documents and settings\Administrator\Application Data\Mozilla\plugins\npcoolirisplugin.dll
FF - plugin: c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\documents and settings\Administrator\Local Settings\Application Data\Unity\WebPlayer\loader\npUnity3D32.dll
FF - plugin: c:\progra~1\Yahoo!\Common\npyaxmpb.dll
FF - plugin: c:\program files\Download Manager\npfpdlm.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.
- - - - ORPHANS REMOVED - - - -

BHO-{12e4c792-fdc7-4f3d-aedf-de0a9fd23362} - koyifufe.dll



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-04 18:17
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-823518204-1715567821-839522115-500\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]

[HKEY_USERS\S-1-5-21-823518204-1715567821-839522115-500\Software\SecuROM\License information*]

[HKEY_LOCAL_MACHINE\software\LicCtrl\LicCtrl\LicCtrl\LicCtrl*lkzs$i&#&y@^t! #^$ g9^$&pgb SDB36o \169D180DB7FE8847]

[HKEY_LOCAL_MACHINE\software\LicCtrl\LicCtrl\LicCtrl\LicCtrl*lkzs$i&#&y@^t! #^$ g9^$&pgb SDB36o \169D180DB7FE8847\CC7B909C85BC507A2CDBC39B09A1A69B]

[HKEY_LOCAL_MACHINE\software\LicCtrl\LicCtrl\LicCtrl\LicCtrl*lkzs$i&#&y@^t! #^$ g9^$&pgb SDB36o \501529F2142DBB50]

[HKEY_LOCAL_MACHINE\software\LicCtrl\LicCtrl\LicCtrl\LicCtrl*lkzs$i&#&y@^t! #^$ g9^$&pgb SDB36o \501529F2142DBB50\A9E17DC1A54D1D28BB40F338A2C6273E]

[HKEY_LOCAL_MACHINE\software\LicCtrl\LicCtrl\LicCtrl\LicCtrl*lkzs$i&#&y@^t! #^$ g9^$&pgb SDB36o \F3F0046F119EFA4F]
"1"=hex:97,5e,49,d3,7c,a0,18,18,10,c9,e3,e3,c1,ae,57,ed,c2,97,86,6a,a5,82,f8,
d5,44,f7,88,8f,b5,4c,1b,f9,3e,da,c2,d2,eb,69,77,32,91,02,8c,84,09,5e,d2,d3
"2"=hex:f1,df,16,de,80,08,0e,2a,d1,38,b5,6f,94,ca,dc,d2,b3,e8,d2,40,6c,6f,61,
5e,d2,5e,7f,21,14,b5,b2,29
"3"=hex:97,5e,49,d3,7c,a0,18,18,10,c9,e3,e3,c1,ae,57,ed,c2,97,86,6a,a5,82,f8,
d5,f2,55,76,c8,bc,53,92,25,3f,d1,b6,bc,00,35,73,43,96,90,79,f6,5b,97,35,47,\

[HKEY_LOCAL_MACHINE\software\LicCtrl\LicCtrl\LicCtrl\LicCtrl*lkzs$i&#&y@^t! #^$ g9^$&pgb SDB36o \F3F0046F119EFA4F\58BBB2CAA762B86BF8228F8849EB5144]
"1"=hex:97,5e,49,d3,7c,a0,18,18,10,c9,e3,e3,c1,ae,57,ed,60,42,a5,db,24,eb,e2,
b0,53,74,ea,24,5b,d9,02,83
"2"=hex:84,00,a2,e9,a5,84,bc,35
"3"=hex:2b,1e,37,e0,35,c7,e6,a0,02,06,4a,d2,f9,de,16,67,13,28,eb,c2,c2,f7,7b,
f6,90,da,1b,29,84,e1,3b,09,86,4a,ff,5e,f4,7d,6f,f4,f6,4e,63,ab,7b,74,f7,88,\
"4"=hex:2f,ad,a2,e7,8a,bf,05,5e
"5"=hex:bf,e5,23,7b,b0,66,d6,fc,b8,e8,6b,a0,96,52,f7,32,80,09,8f,24,b7,b3,55,
1a,98,d1,47,16,02,43,61,1c,b9,d5,8f,2a,7b,81,b1,fb,95,22,f8,b3,2c,53,9d,ae,\
"6"=hex:97,5e,49,d3,7c,a0,18,18,10,c9,e3,e3,c1,ae,57,ed,60,42,a5,db,24,eb,e2,
b0,0b,6a,8c,ca,2a,b0,fe,b3,4b,64,48,ea,1f,44,5e,dc,e9,a1,c1,1e,2b,ba,8b,4e,\
"7"=hex:97,5e,49,d3,7c,a0,18,18,10,c9,e3,e3,c1,ae,57,ed,60,42,a5,db,24,eb,e2,
b0,53,74,ea,24,5b,d9,02,83
"8"=hex:9d,9e,b2,b9,a7,a5,f4,ae,4d,29,c2,a3,c0,78,c4,c5,6b,8d,dd,0b,84,72,f6,
f2,3d,a6,3c,a0,07,7d,db,f3,88,a8,6c,3f,5c,60,94,94,89,77,0c,65,96,1c,ff,8e,\
"9"=hex:81,20,8f,ab,28,6a,52,9c
"18"=hex:4b,72,8f,bc,6c,3f,e4,15
"10"=hex:81,20,8f,ab,28,6a,52,9c
"11"=hex:81,20,8f,ab,28,6a,52,9c
"12"=hex:77,bc,13,29,9f,9c,34,66,6d,8d,9c,52,39,98,56,41,0f,24,fd,e7,8b,6b,33,
7a,2d,ff,f8,48,1f,a2,57,90,ef,47,22,88,2b,d3,33,b6,3e,d9,0c,67,31,7a,88,51,\
"13"=hex:22,9a,a0,8a,99,25,cd,54,16,0e,25,20,b9,e7,7a,6c,48,95,33,00,4d,78,74,
ee
"14"=hex:84,23,eb,9e,98,3e,c4,f1
"24"=hex:81,20,8f,ab,28,6a,52,9c
"26"=hex:81,20,8f,ab,28,6a,52,9c
"27"=hex:81,20,8f,ab,28,6a,52,9c
"19"=hex:09,80,c9,00,a2,44,18,10,af,17,a7,6c,ea,cc,38,6b
"22"=hex:81,20,8f,ab,28,6a,52,9c
"15"=hex:0e,ea,2d,bb,5d,b5,0c,6b,b2,d7,fa,1a,6b,29,25,3e,55,a3,38,5a,53,b5,90,
9d,bf,e4,08,f2,7c,35,83,18,04,fe,ca,1c,e1,54,71,5a,63,b9,e5,a6,ae,1d,41,14,\

[HKEY_LOCAL_MACHINE\software\LicCtrl\LicCtrl\LicCtrl\LicCtrl*lkzs$i&#&y@^t! #^$ g9^$&pgb SDB36o \F3F0046F119EFA4F\A28FC91DA48F2E633FEBC5F75796F7EE]
"1"=hex:97,5e,49,d3,7c,a0,18,18,10,c9,e3,e3,c1,ae,57,ed,60,42,a5,db,24,eb,e2,
b0,50,94,16,01,b2,17,1a,42
"2"=hex:af,de,e1,d4,71,84,6f,cd
"3"=hex:09,8d,f5,34,e1,70,2a,63,2c,07,e0,78,06,f7,5e,dd,c3,63,73,e6,0d,02,c0,
2a,9d,a4,bd,91,20,48,d9,51,c6,cf,6e,fb,41,cf,0d,31,b2,b7,8c,67,aa,3e,a3,2c,\
"4"=hex:2f,ad,a2,e7,8a,bf,05,5e
"5"=hex:bf,e5,23,7b,b0,66,d6,fc,b8,e8,6b,a0,96,52,f7,32,80,09,8f,24,b7,b3,55,
1a,98,d1,47,16,02,43,61,1c,b9,d5,8f,2a,7b,81,b1,fb,95,22,f8,b3,2c,53,9d,ae,\
"6"=hex:97,5e,49,d3,7c,a0,18,18,10,c9,e3,e3,c1,ae,57,ed,60,42,a5,db,24,eb,e2,
b0,c2,7a,22,37,ea,ed,a9,12,3e,e1,c8,dc,28,3e,46,e1,6b,10,d1,0d,d2,c1,3b,7d,\
"7"=hex:97,5e,49,d3,7c,a0,18,18,10,c9,e3,e3,c1,ae,57,ed,60,42,a5,db,24,eb,e2,
b0,fc,f4,86,ed,7d,07,89,29,2f,7f,fa,55,aa,50,20,7e,7c,e5,f7,a8,05,d7,35,13,\
"8"=hex:9d,9e,b2,b9,a7,a5,f4,ae,4d,29,c2,a3,c0,78,c4,c5,6b,8d,dd,0b,84,72,f6,
f2,3d,a6,3c,a0,07,7d,db,f3,88,a8,6c,3f,5c,60,94,94,89,77,0c,65,96,1c,ff,8e,\
"9"=hex:81,20,8f,ab,28,6a,52,9c
"18"=hex:4b,72,8f,bc,6c,3f,e4,15
"10"=hex:81,20,8f,ab,28,6a,52,9c
"11"=hex:81,20,8f,ab,28,6a,52,9c
"12"=hex:89,7c,7d,f4,ce,d2,6a,7b,dc,17,5e,ef,6a,af,ce,b7,cf,19,e5,d3,63,2b,de,
b2,1b,eb,c8,e2,74,0f,84,31,2a,6c,53,f2,37,3c,7a,cb,bf,e9,5c,8e,05,17,1e,9a,\
"13"=hex:00,bc,d6,1e,98,8e,6a,72,40,e9,89,6e,83,ef,21,75,a4,9a,a5,af,e5,a4,a6,
be
"14"=hex:3b,71,c6,44,4a,52,dd,47
"24"=hex:81,20,8f,ab,28,6a,52,9c
"26"=hex:81,20,8f,ab,28,6a,52,9c
"27"=hex:81,20,8f,ab,28,6a,52,9c
"19"=hex:7f,de,4b,e6,01,cb,9e,76,1b,9e,eb,28,49,49,81,d7
"22"=hex:81,20,8f,ab,28,6a,52,9c
"15"=hex:21,0a,5d,5c,36,be,a2,8f,a9,23,a9,31,d0,87,25,c4,8a,c4,54,dc,93,d4,85,
d4,6c,1f,91,37,40,00,71,30,eb,71,60,64,16,e9,f9,8b,de,c7,20,aa,75,94,db,d3,\

[HKEY_LOCAL_MACHINE\software\LicCtrl\LicCtrl\LicCtrl\LicCtrl*lkzs$i&#&y@^t! #^$ g9^$&pgb SDB36o \F3F0046F119EFA4F\D580A8CFDA60E9362F91B6F863D46379]
"1"=hex:97,5e,49,d3,7c,a0,18,18,10,c9,e3,e3,c1,ae,57,ed,60,42,a5,db,24,eb,e2,
b0,50,94,16,01,b2,17,1a,42
"2"=hex:11,b7,bf,c5,fa,e2,5a,47
"3"=hex:5e,c3,3e,f4,0e,4e,d8,1f,83,0f,ff,13,6f,59,60,1a,0f,67,17,22,b3,ec,cf,
73,cc,a4,59,87,f0,ab,8f,63,ef,cf,1a,ca,c2,98,36,17,38,8f,aa,db,7d,2d,aa,69,\
"4"=hex:2f,ad,a2,e7,8a,bf,05,5e
"5"=hex:bf,e5,23,7b,b0,66,d6,fc,b8,e8,6b,a0,96,52,f7,32,80,09,8f,24,b7,b3,55,
1a,98,d1,47,16,02,43,61,1c,b9,d5,8f,2a,7b,81,b1,fb,95,22,f8,b3,2c,53,9d,ae,\
"6"=hex:97,5e,49,d3,7c,a0,18,18,10,c9,e3,e3,c1,ae,57,ed,60,42,a5,db,24,eb,e2,
b0,30,ee,8f,52,62,66,50,ce,77,e9,c4,12,3a,ea,b5,46,6c,fa,23,06,2c,2a,16,61,\
"7"=hex:97,5e,49,d3,7c,a0,18,18,10,c9,e3,e3,c1,ae,57,ed,60,42,a5,db,24,eb,e2,
b0,04,de,29,1c,d1,59,b3,b5,1c,3a,e8,07,ed,d8,08,6e,a7,52,c4,be,fd,58,1e,61,\
"8"=hex:9d,9e,b2,b9,a7,a5,f4,ae,4d,29,c2,a3,c0,78,c4,c5,6b,8d,dd,0b,84,72,f6,
f2,3d,a6,3c,a0,07,7d,db,f3,88,a8,6c,3f,5c,60,94,94,89,77,0c,65,96,1c,ff,8e,\
"9"=hex:81,20,8f,ab,28,6a,52,9c
"18"=hex:4b,72,8f,bc,6c,3f,e4,15
"10"=hex:81,20,8f,ab,28,6a,52,9c
"11"=hex:81,20,8f,ab,28,6a,52,9c
"12"=hex:08,bd,be,29,09,18,43,cd,05,b7,9e,4b,a9,f3,2a,fe,a9,ce,c7,03,44,37,91,
12,b1,ee,89,fa,22,82,7e,00,e8,3f,53,04,44,46,6f,86,99,93,51,48,e0,56,93,2d,\
"13"=hex:67,53,eb,5d,55,f8,36,ba,2f,b6,0d,72,df,41,94,a3,48,26,12,04,dd,b4,ff,
a6
"14"=hex:6b,51,bd,2b,8f,5b,c4,81
"24"=hex:81,20,8f,ab,28,6a,52,9c
"26"=hex:81,20,8f,ab,28,6a,52,9c
"27"=hex:81,20,8f,ab,28,6a,52,9c
"19"=hex:7f,de,4b,e6,01,cb,9e,76,1b,9e,eb,28,49,49,81,d7
"22"=hex:81,20,8f,ab,28,6a,52,9c
"15"=hex:42,75,fd,54,f0,25,a2,b9,12,04,2a,fa,4c,4c,3f,42,96,50,8e,01,00,f6,27,
ca,eb,d1,7d,77,e0,ad,84,1b,86,a2,54,56,ed,b3,d7,21,3f,6b,bf,e5,5a,50,48,66,\

[HKEY_LOCAL_MACHINE\software\LicCtrl\LicCtrl\LicCtrl\LicCtrl*lkzs$i&#&y@^t! #^$ g9^$&pgb SDB36o \F93383AA3238BCCB]
"1"=hex:47,af,e3,b9,38,4b,f6,e6,cb,8b,59,0c,3a,af,c5,a2,d6,9f,52,ce,23,dc,1a,
c2
"2"=hex:d1,c8,c3,5e,08,10,b9,8f,1e,fd,a6,7c,f5,6d,b0,f3,a6,71,8f,f8,ab,bd,bd,
76,64,10,04,f0,92,77,f9,20
"3"=hex:47,af,e3,b9,38,4b,f6,e6,cb,8b,59,0c,3a,af,c5,a2,ac,98,11,9b,be,95,83,
07,ae,ba,7e,d8,e6,d6,56,50,c4,dc,bb,7b,18,78,a4,de,04,5c,25,4e,9f,d7,39,6d

[HKEY_LOCAL_MACHINE\software\LicCtrl\LicCtrl\LicCtrl\LicCtrl*lkzs$i&#&y@^t! #^$ g9^$&pgb SDB36o \F93383AA3238BCCB\DBF31101A5C3B93315CBBEA90ED13257]
"1"=hex:05,63,4e,ca,af,1d,39,e0,e8,3b,06,bc,35,26,5b,04,02,70,fd,49,72,ea,3f,
0d,c1,ed,7b,62,a7,87,bb,89
"2"=hex:c6,d7,96,b5,5f,fa,3f,77
"3"=hex:23,9d,2a,bf,fb,1d,18,8d,e7,93,09,5f,ef,6f,a2,f8,00,10,47,c7,b0,0e,5e,
97,4b,65,0c,71,bf,0e,eb,de,f5,85,03,72,3d,0e,4a,fe,82,c0,17,e9,04,f2,f2,4f,\
"4"=hex:2f,ad,a2,e7,8a,bf,05,5e
"5"=hex:bf,e5,23,7b,b0,66,d6,fc,b8,e8,6b,a0,96,52,f7,32,80,09,8f,24,b7,b3,55,
1a,98,d1,47,16,02,43,61,1c,b9,d5,8f,2a,7b,81,b1,fb,95,22,f8,b3,2c,53,9d,ae,\
"6"=hex:05,63,4e,ca,af,1d,39,e0,e8,3b,06,bc,35,26,5b,04,02,70,fd,49,72,ea,3f,
0d,38,a0,6c,90,31,db,5a,af,1a,99,07,f1,ef,d1,93,a4,80,fd,34,8b,e9,c5,e1,a0,\
"7"=hex:3b,e8,2f,01,6c,32,33,d8,e1,d7,f3,f6,0e,0a,fa,46,62,39,09,43,d3,da,73,
d4,4e,db,d0,f9,b1,fb,0a,f1,d3,99,57,af,7d,98,93,fd,a5,1e,64,b6,5b,35,28,e1,\
"8"=hex:63,5a,d7,1b,b1,d4,18,46,0a,a7,b3,1c,99,c8,a4,fc,86,f4,fe,cb,ec,d3,4e,
4c,1b,ae,32,7d,1e,63,9b,e8,91,4b,74,fd,63,b1,f5,71
"9"=hex:81,20,8f,ab,28,6a,52,9c
"18"=hex:4b,72,8f,bc,6c,3f,e4,15
"10"=hex:81,20,8f,ab,28,6a,52,9c
"11"=hex:81,20,8f,ab,28,6a,52,9c
"12"=hex:72,61,a7,7c,10,da,a6,a3,1d,23,c1,6d,4d,ad,b3,06,fc,7f,ad,60,e3,19,49,
dc,99,21,3b,e6,af,cf,db,28,48,06,88,26,53,8a,67,bf,bb,9f,67,60,c6,96,08,c3,\
"13"=hex:e7,e5,ed,0c,06,af,5e,17,8d,21,90,f2,60,2e,a0,a9,dc,7c,28,83,f6,20,99,
08
"14"=hex:79,6a,b1,0b,fb,82,9f,17
"24"=hex:81,20,8f,ab,28,6a,52,9c
"26"=hex:81,20,8f,ab,28,6a,52,9c
"27"=hex:81,20,8f,ab,28,6a,52,9c
"19"=hex:89,98,f4,25,5a,d8,6b,49,3a,d6,99,69,46,be,b6,50
"22"=hex:81,20,8f,ab,28,6a,52,9c
"15"=hex:88,ae,b0,68,9e,b4,9b,4e,98,0b,07,cc,24,e0,4a,45,e3,40,22,88,40,5d,1e,
9b,77,fa,7a,85,ea,fc,8e,84,61,f6,bd,3b,45,cf,2f,47,fb,e1,df,43,6d,5a,83,21,\

[HKEY_LOCAL_MACHINE\software\Microsoft\Cryptography\RNG*]
"Seed"=hex:49,31,f4,88,04,28,01,14,c5,ca,fa,5f,f5,cf,66,6e,1f,6c,42,48,3b,1d,
bb,84,6e,c3,98,a3,07,68,b8,a1,8e,3f,71,ca,a8,53,6d,af,a8,e5,29,51,a3,e5,99,\
"Seed"=hex:49,31,f4,88,04,28,01,14,c5,ca,fa,5f,f5,cf,66,6e,1f,6c,42,48,3b,1d,
bb,84,6e,c3,98,a3,07,68,b8,a1,8e,3f,71,ca,a8,53,6d,af,a8,e5,29,51,a3,e5,99,\
"Seed"=hex:49,31,f4,88,04,28,01,14,c5,ca,fa,5f,f5,cf,66,6e,1f,6c,42,48,3b,1d,
bb,84,6e,c3,98,a3,07,68,b8,a1,8e,3f,71,ca,a8,53,6d,af,a8,e5,29,51,a3,e5,99,\
"Seed"=hex:49,31,f4,88,04,28,01,14,c5,ca,fa,5f,f5,cf,66,6e,1f,6c,42,48,3b,1d,
bb,84,6e,c3,98,a3,07,68,b8,a1,8e,3f,71,ca,a8,53,6d,af,a8,e5,29,51,a3,e5,99,\
"Seed"=hex:49,31,f4,88,04,28,01,14,c5,ca,fa,5f,f5,cf,66,6e,1f,6c,42,48,3b,1d,
bb,84,6e,c3,98,a3,07,68,b8,a1,8e,3f,71,ca,a8,53,6d,af,a8,e5,29,51,a3,e5,99,\
"Seed"=hex:49,31,f4,88,04,28,01,14,c5,ca,fa,5f,f5,cf,66,6e,1f,6c,42,48,3b,1d,
bb,84,6e,c3,98,a3,07,68,b8,a1,8e,3f,71,ca,a8,53,6d,af,a8,e5,29,51,a3,e5,99,\
"Seed"=hex:49,31,f4,88,04,28,01,14,c5,ca,fa,5f,f5,cf,66,6e,1f,6c,42,48,3b,1d,
bb,84,6e,c3,98,a3,07,68,b8,a1,8e,3f,71,ca,a8,53,6d,af,a8,e5,29,51,a3,e5,99,\
"Seed"=hex:49,31,f4,88,04,28,01,14,c5,ca,fa,5f,f5,cf,66,6e,1f,6c,42,48,3b,1d,
bb,84,6e,c3,98,a3,07,68,b8,a1,8e,3f,71,ca,a8,53,6d,af,a8,e5,29,51,a3,e5,99,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(344)
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll

- - - - - - - > 'explorer.exe'(2744)
c:\windows\system32\WININET.dll
c:\program files\NVIDIA Corporation\nView\nview.dll
c:\program files\TortoiseSVN\bin\tortoisesvn.dll
c:\program files\TortoiseSVN\bin\intl3_svn.dll
c:\windows\system32\ieframe.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvsvc32.exe
c:\program files\Microsoft Security Essentials\MsMpEng.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Cisco Systems\VPN Client\cvpnd.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\PnkBstrA.exe
c:\windows\system32\PnkBstrB.exe
c:\program files\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe
c:\program files\Compact Wireless-G USB Adapter Wireless Network Monitor\WUSB54GC.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\RUNDLL32.EXE
c:\program files\OpenOffice.org 3\program\soffice.exe
c:\program files\OpenOffice.org 3\program\soffice.bin
c:\documents and settings\Administrator\Desktop\putty.exe
c:\program files\Ventrilo\Ventrilo.exe
c:\riot games\League of Legends\lol.launcher.exe
c:\riot games\League of Legends\Air\LOLClient.exe
c:\windows\system32\msiexec.exe
c:\windows\system32\taskmgr.exe
c:\program files\TortoiseSVN\bin\TSVNCache.exe
.
**************************************************************************
.
Completion time: 2010-04-04 18:29:58 - machine was rebooted
ComboFix-quarantined-files.txt 2010-04-04 22:29
ComboFix2.txt 2010-04-04 01:14

Pre-Run: 43,811,901,440 bytes free
Post-Run: 43,599,290,368 bytes free

- - End Of File - - ABE521F321EEA9DBDEB6A199C5631B21


#8 radii

radii
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:08:02 AM

Posted 04 April 2010 - 05:54 PM

So I hadn't really touched my PC (I have a laptop I've been using) since my first report on Friday, but at least for right now I'm not seeing any issues at all. I was able to get windows Automatic Updates to run for the first time in forever and I was able to start up Visual Studio without it hanging/hosing/crashing on me. Not jumping for joy just yet in case there is still something here that you see that may still be lingering/hiding, but is it possible that Combofix was able to knock out the rest of the issues I was having?

#9 thewall

thewall

  • Malware Response Team
  • 6,425 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Florida
  • Local time:07:02 AM

Posted 04 April 2010 - 06:10 PM

We've put a real big dent in it that's for sure. ComboFix also took care of Security Guard, that's another one of the many things it can accomplish.

We'll run Kaspersky now and see what it shows:




It's important to run this online scan to search for any remnants. It can take some time, so please be patient and allow it to run its full course:



Please do a scan with Kaspersky Online Scanner. Please note: Kaspersky requires Java Runtime Environment (JRE) be installed before scanning for malware, as ActiveX is no longer being used.

If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.
  • Open the Kaspersky WebScanner page.
  • Click on the button on the main page.
  • The program will launch and fill in the Information section on the left.
  • Read the "Requirements and Limitations" then press the button.
  • The program will begin downloading the latest program and definition files. It may take a while so please be patient and let it finish.
  • Once the files have been downloaded, click on the ...button.
    In the scan settings make sure the following are selected:
    • Detect malicious programs of the following categories:
      Viruses, Worms, Trojan Horses, Rootkits
      Spyware, Adware, Dialers and other potentially dangerous programs
    • Scan compound files (doesn't apply to the File scan area):
      Archives
      Mail databases
      By default the above items should already be checked.
    • Click the button, if you made any changes.
  • Now under the Scan section on the left:

    Select My Computer
  • The program will now start and scan your system. This will run for a while, be patient and let it finish.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • In the drop down box labeled Files of type change the type to Text file.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
You can refer to this animation by sundavis if needed.

If I have helped you then please consider donating so I can continue the fight against malware
All donations go directly to the helper

Due to the large amount of backlogs we have I cannot respond to PMs for help unless I am already working with you

#10 radii

radii
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:08:02 AM

Posted 05 April 2010 - 12:35 PM

Here is the Kaspersky output:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Monday, April 5, 2010
Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Sunday, April 04, 2010 22:48:32
Records in database: 3914064
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\
H:\

Scan statistics:
Objects scanned: 455817
Threats found: 5
Infected objects found: 5
Suspicious objects found: 0
Scan duration: 06:40:24


File name / Threat / Threats count
C:\Documents and Settings\Administrator\Desktop\TiltBlocker2.exe Infected: Backdoor.Win32.Hupigon.jzkz 1
C:\Documents and Settings\Administrator\Local Settings\Application Data\Xenocode\ApplianceCaches\HoldemManager.exe_v1C84EDBD\TheApp\STUBEXE\@PROGRAMFILES@\RVG Software\Holdem Manager\HMImport.exe Infected: Backdoor.Win32.Poison.avej 1
C:\Documents and Settings\Administrator\Local Settings\Application Data\Xenocode\ApplianceCaches\HoldemManager.exe_v3001F9EE\TheApp\STUBEXE\@PROGRAMFILES@\RVG Software\Holdem Manager\HMImport.exe Infected: Backdoor.Win32.Poison.avzz 1
C:\Documents and Settings\Administrator\Local Settings\Application Data\Xenocode\ApplianceCaches\HoldemManager.exe_v7BC20518\Native\STUBEXE\@PROGRAMFILES@\RVG Software\Holdem Manager\HMHud.exe Infected: Backdoor.Win32.Poison.auuu 1
C:\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.621 1

Selected area has been scanned.


#11 thewall

thewall

  • Malware Response Team
  • 6,425 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Florida
  • Local time:07:02 AM

Posted 05 April 2010 - 01:02 PM

If you did not download the mIRC program add the following file to the script inside the quote box before you run it.

C:\Program Files\mIRC\mirc.exe







Special ComboFix script made for this computer only


1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs including TeaTimer if you have it so they do not interfere with the running of ComboFix. Instructions for doing so are located here

3. Open notepad and copy/paste the text in the quotebox below into it:

QUOTE
File::
C:\Documents and Settings\Administrator\Desktop\TiltBlocker2.exe
C:\Documents and Settings\Administrator\Local Settings\Application Data\Xenocode\ApplianceCaches\HoldemManager.exe_v1C84EDBD\TheApp\STUBEXE\@PROGRAMFILES@\RVG Software\Holdem Manager\HMImport.exe
C:\Documents and Settings\Administrator\Local Settings\Application Data\Xenocode\ApplianceCaches\HoldemManager.exe_v3001F9EE\TheApp\STUBEXE\@PROGRAMFILES@\RVG Software\Holdem Manager\HMImport.exe
C:\Documents and Settings\Administrator\Local Settings\Application Data\Xenocode\ApplianceCaches\HoldemManager.exe_v7BC20518\Native\STUBEXE\@PROGRAMFILES@\RVG Software\Holdem Manager\HMHud.exe


Save this as CFScript.txt, in the same location as ComboFix.exe




Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.




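An added example, not code from the thread or from ComboFix or Kaspersky, showing how the File:: block in the script above is derived from the Kaspersky report in the previous post: it parses the "File name / Threat / Threats count" lines, lists every malware detection, and leaves out "not-a-virus:" riskware such as mirc.exe unless the operator confirms that path is unwanted, which is the rule the helper applied by hand. The sample report is constructed from the entries above with the long Xenocode cache paths shortened; the function names are my own.

```python
"""Build the File:: section of a ComboFix CFScript from a Kaspersky report.

Added example for the thread above, not part of ComboFix or Kaspersky.
File:: entries are deleted outright by ComboFix, so every path emitted here
should still be checked by the operator before the script is run.
"""
import re

# Kaspersky marks legitimate-but-abusable software (IRC clients, remote
# admin tools) with this prefix instead of calling it malware.
RISKWARE_PREFIX = "not-a-virus:"

# One detection line: "<drive>:\<path> Infected: <threat name> <count>".
# Paths contain spaces, so the path group is non-greedy up to " Infected: ".
LINE_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?) Infected: (?P<threat>\S+) (?P<count>\d+)\s*$"
)

# Constructed sample modelled on the report in the thread; the real report
# uses the full Xenocode ApplianceCaches paths, shortened here for readability.
SAMPLE_REPORT = """\
File name / Threat / Threats count
C:\\Documents and Settings\\Administrator\\Desktop\\TiltBlocker2.exe Infected: Backdoor.Win32.Hupigon.jzkz 1
C:\\Program Files\\RVG Software\\Holdem Manager\\HMImport.exe Infected: Backdoor.Win32.Poison.avej 1
C:\\Program Files\\mIRC\\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.621 1

Selected area has been scanned.
"""


def parse_report(text):
    """Return (path, threat, count) for each detection line in the report.

    The header, blank lines and the closing status line do not match
    LINE_RE and are skipped.
    """
    found = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            found.append((m.group("path"), m.group("threat"), int(m.group("count"))))
    return found


def is_riskware(threat):
    """True for Kaspersky 'not-a-virus:' detections (riskware, not malware)."""
    return threat.startswith(RISKWARE_PREFIX)


def build_cfscript(detections, confirmed_unwanted=()):
    """Emit the File:: block to paste into CFScript.txt.

    Malware detections are always listed. Riskware is listed only when the
    operator names its path in confirmed_unwanted; paths are compared
    case-insensitively because NTFS is case-insensitive.
    """
    unwanted = {p.lower() for p in confirmed_unwanted}
    paths = []
    for path, threat, _count in detections:
        if is_riskware(threat) and path.lower() not in unwanted:
            continue
        paths.append(path)
    return "File::\n" + "\n".join(paths) + "\n"


if __name__ == "__main__":
    dets = parse_report(SAMPLE_REPORT)
    # Default: the IRC client the poster installed himself is left alone.
    print(build_cfscript(dets))
    # If the operator says the IRC client is not theirs, it is added too.
    print(build_cfscript(dets, confirmed_unwanted=["c:\\program files\\mirc\\mirc.exe"]))
```

The riskware filter only automates the question the helper asked ("if you did not download the mIRC program, add it"); it cannot tell a legitimately installed tool from one an intruder dropped, so the operator still has to answer that for each not-a-virus entry.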

#12 radii

radii
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:08:02 AM

Posted 05 April 2010 - 06:04 PM

mIRC is the legit IRC client that I have downloaded, so I didn't include it. Here's the latest combofix log:

ComboFix 10-04-04.01 - Administrator 04/05/2010 18:04:21.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1445 [GMT -4:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript.txt
AV: Microsoft Security Essentials *On-access scanning disabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
FW: FortiClient Personal Firewall *disabled* {528CB157-D384-4593-AAAA-E42DFF111CED}

FILE ::
"c:\documents and settings\Administrator\Desktop\TiltBlocker2.exe"
"c:\documents and settings\Administrator\Local Settings\Application Data\Xenocode\ApplianceCaches\HoldemManager.exe_v1C84EDBD\TheApp\STUBEXE\@PROGRAMFILES@\RVG Software\Holdem Manager\HMImport.exe"
"c:\documents and settings\Administrator\Local Settings\Application Data\Xenocode\ApplianceCaches\HoldemManager.exe_v3001F9EE\TheApp\STUBEXE\@PROGRAMFILES@\RVG Software\Holdem Manager\HMImport.exe"
"c:\documents and settings\Administrator\Local Settings\Application Data\Xenocode\ApplianceCaches\HoldemManager.exe_v7BC20518\Native\STUBEXE\@PROGRAMFILES@\RVG Software\Holdem Manager\HMHud.exe"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Administrator\Desktop\TiltBlocker2.exe
c:\documents and settings\Administrator\Local Settings\Application Data\Xenocode\ApplianceCaches\HoldemManager.exe_v1C84EDBD\TheApp\STUBEXE\@PROGRAMFILES@\RVG Software\Holdem Manager\HMImport.exe
c:\documents and settings\Administrator\Local Settings\Application Data\Xenocode\ApplianceCaches\HoldemManager.exe_v3001F9EE\TheApp\STUBEXE\@PROGRAMFILES@\RVG Software\Holdem Manager\HMImport.exe
c:\documents and settings\Administrator\Local Settings\Application Data\Xenocode\ApplianceCaches\HoldemManager.exe_v7BC20518\Native\STUBEXE\@PROGRAMFILES@\RVG Software\Holdem Manager\HMHud.exe

.
((((((((((((((((((((((((( Files Created from 2010-03-05 to 2010-04-05 )))))))))))))))))))))))))))))))
.

2010-04-02 07:51 . 2010-04-02 07:51 -------- d-----w- c:\documents and settings\Administrator\Application Data\OpenOffice.org
2010-04-02 02:22 . 2010-04-02 02:22 -------- d-----w- c:\program files\Trend Micro
2010-04-02 00:52 . 2010-04-02 00:52 -------- d-----w- c:\program files\Microsoft Security Essentials
2010-04-02 00:34 . 2010-04-02 00:34 -------- d-----w- c:\program files\JRE
2010-04-02 00:34 . 2010-04-02 00:34 -------- d-----w- c:\program files\OpenOffice.org 3
2010-04-01 19:27 . 2010-04-01 19:32 -------- d-----w- c:\program files\malwarecleaner
2010-04-01 16:31 . 2010-04-01 16:31 -------- d-sh--w- c:\documents and settings\All Users\Application Data\SGGDAD
2010-04-01 16:31 . 2010-04-01 16:31 -------- d-sh--w- c:\documents and settings\All Users\Application Data\347a36a
2010-03-30 17:51 . 2010-03-30 17:51 138056 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2010-03-30 17:51 . 2010-03-30 17:51 189248 ----a-w- c:\windows\system32\PnkBstrB.exe
2010-03-30 17:51 . 2010-03-30 17:51 75064 ----a-w- c:\windows\system32\PnkBstrA.exe
2010-03-30 17:51 . 2010-03-30 17:51 2407792 ----a-w- c:\windows\system32\pbsvc_heroes.exe
2010-03-30 17:51 . 2010-03-30 17:51 -------- d-----w- c:\windows\system32\LogFiles
2010-03-30 17:07 . 2010-03-30 17:07 -------- d-----w- c:\program files\EA Games
2010-03-13 18:57 . 2010-03-13 18:57 -------- d-----w- c:\program files\PokerShortcuts
2010-03-13 18:54 . 2010-03-13 18:54 -------- d-----w- c:\program files\FT Table Opener
2010-03-12 20:32 . 2010-03-12 20:32 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\In_The_Money_LLC
2010-03-12 20:32 . 2010-03-16 15:22 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\In The Money
2010-03-12 20:32 . 2010-03-12 20:32 -------- d-----w- c:\program files\In The Money
2010-03-12 17:33 . 2010-03-12 17:33 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\cache
2010-03-10 18:25 . 2009-10-23 15:28 3558912 -c----w- c:\windows\system32\dllcache\moviemk.exe
2010-03-07 01:52 . 2010-03-07 01:55 -------- d-----w- c:\program files\Heroes of Newerth

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-04 23:04 . 2007-03-29 17:02 8129 --sha-w- c:\windows\system32\mmf.sys
2010-04-04 00:40 . 2010-04-04 00:39 -------- d-----w- c:\program files\Norton PC Checkup
2010-04-04 00:39 . 2010-04-04 00:39 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-04-02 07:51 . 2010-04-02 07:51 1 ----a-w- c:\documents and settings\Administrator\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2010-04-02 00:53 . 2006-10-23 20:41 37952 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-04-02 00:44 . 2009-09-18 12:13 -------- d-----w- c:\program files\Cryptic Studios
2010-04-02 00:43 . 2008-04-05 08:54 -------- d-----w- c:\program files\Cake Poker
2010-04-02 00:33 . 2008-03-04 14:09 -------- d-----w- c:\program files\OpenOffice.org 2.3
2010-04-02 00:29 . 2007-04-10 04:53 -------- d-----w- c:\program files\Common Files\Java
2010-04-02 00:28 . 2009-01-05 03:40 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-04-02 00:28 . 2007-04-10 04:53 -------- d-----w- c:\program files\Java
2010-04-01 21:20 . 2009-10-18 23:20 -------- d-----w- c:\program files\NCSoft
2010-04-01 19:25 . 2009-02-26 17:51 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-01 19:23 . 2008-12-11 17:41 -------- d-----w- c:\program files\CCleaner
2010-04-01 18:31 . 2007-01-03 02:09 -------- d-----w- c:\program files\Common Files\Adobe
2010-04-01 04:54 . 2009-06-19 07:31 2352 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2010-03-30 17:51 . 2010-03-30 17:51 138056 ----a-w- c:\documents and settings\Administrator\Application Data\PnkBstrK.sys
2010-03-30 17:51 . 2010-03-30 17:51 138056 ----a-w- c:\documents and settings\Administrator\Application Data\PnkBstrK.sys
2010-03-30 16:17 . 2008-03-04 14:11 -------- d-----w- c:\documents and settings\Administrator\Application Data\OpenOffice.org2
2010-03-29 19:24 . 2009-02-26 17:51 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-29 19:24 . 2009-02-26 17:51 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-26 17:19 . 2010-04-01 16:31 458200 ----a-w- c:\documents and settings\All Users\Application Data\347a36a\sqlite3.dll
2010-03-26 17:19 . 2010-04-01 16:31 718296 ----a-w- c:\documents and settings\All Users\Application Data\347a36a\mozcrt19.dll
2010-03-19 22:31 . 2007-12-31 21:10 -------- d-----w- c:\program files\Full Tilt Poker
2010-03-16 14:53 . 2007-08-15 02:06 -------- d-----w- c:\program files\PokerStove
2010-03-15 21:59 . 2010-03-15 21:59 152576 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2010-03-15 09:51 . 2009-11-11 02:07 79488 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2010-03-11 12:38 . 2006-03-15 12:00 832512 ----a-w- c:\windows\system32\wininet.dll
2010-03-11 12:38 . 2006-03-15 12:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-03-11 12:38 . 2006-03-15 12:00 17408 ----a-w- c:\windows\system32\corpol.dll
2010-03-05 17:49 . 2009-10-13 19:45 -------- d-----w- c:\program files\Windows Grep
2010-02-26 17:00 . 2010-03-30 17:06 724992 ----a-w- c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\3bpgapea.default\extensions\battlefieldheroespatcher@ea.com\platform\WINNT_x86-msvc\plugins\npBFHUpdater.dll
2010-02-26 17:00 . 2010-03-30 17:06 1291640 ----a-w- c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\3bpgapea.default\extensions\battlefieldheroespatcher@ea.com\platform\WINNT_x86-msvc\plugins\BFHUpdater.exe
2010-02-26 03:43 . 2008-03-04 14:12 1 ----a-w- c:\documents and settings\Administrator\Application Data\OpenOffice.org2\user\uno_packages\cache\stamp.sys
2010-02-23 04:11 . 2007-08-16 01:30 -------- d-----w- c:\program files\mIRC
2010-02-18 02:13 . 2009-08-01 03:51 33780 ---ha-w- c:\windows\system32\mlfcache.dat
2010-02-17 08:35 . 2009-01-23 14:50 -------- d-----w- c:\program files\Digsby
2010-02-13 20:22 . 2009-12-13 01:21 -------- d-----w- c:\program files\Common Files\Adobe AIR
2010-02-13 20:22 . 2009-12-13 01:21 38784 ----a-w- c:\documents and settings\Administrator\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2010-02-13 20:22 . 2009-12-13 01:21 38784 ----a-w- c:\documents and settings\Default User\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2010-02-12 01:19 . 2009-01-17 10:00 -------- d-----w- c:\documents and settings\All Users\Application Data\Electronic Arts
2010-01-06 17:08 . 2010-01-09 16:45 4726272 ----a-w- c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\3bpgapea.default\extensions\piclens@cooliris.com\libs\cooliris190.dll
2010-01-06 17:08 . 2010-01-09 16:45 103424 ----a-w- c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\3bpgapea.default\extensions\piclens@cooliris.com\libs\pixomatic.dll
2010-01-06 17:08 . 2010-01-09 16:45 57856 ----a-w- c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\3bpgapea.default\extensions\piclens@cooliris.com\components\coolirisstub.dll
2010-01-06 17:08 . 2010-01-09 16:45 545280 ----a-w- c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\3bpgapea.default\extensions\piclens@cooliris.com\libs\PicLensHelper.exe
2010-01-06 17:08 . 2010-01-09 16:45 4725760 ----a-w- c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\3bpgapea.default\extensions\piclens@cooliris.com\libs\cooliris192.dll
2010-01-06 17:08 . 2010-01-09 16:45 344064 ----a-w- c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\3bpgapea.default\extensions\piclens@cooliris.com\libs\LaunchCooliris.exe
2010-01-06 17:08 . 2010-01-09 16:45 153600 ----a-w- c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\3bpgapea.default\extensions\piclens@cooliris.com\plugins\npcoolirisplugin.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igndlm.exe"="c:\program files\Download Manager\DLM.exe" [2009-05-14 1103216]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2005-05-20 925696]
"FortiClient"="c:\program files\Fortinet\FortiClient\FortiClient.exe" [2007-08-24 1477240]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-03-29 413696]
"nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2009-08-13 1657376]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-08-17 13877248]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-08-17 86016]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2007-08-18 185632]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-01-11 246504]
"MSSE"="c:\program files\Microsoft Security Essentials\msseces.exe" [2010-02-21 1093208]
"wewamibovi"="ladokijo.dll" [BU]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]

c:\documents and settings\Administrator\Start Menu\Programs\Startup\
OpenOffice.org 3.2.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2009-12-15 384000]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
802.11g Wireless LAN PCI Card Utility.lnk - c:\program files\Nonbrand\802.11g Wireless LAN PCI Card Driver and Utility\RtWlan.exe [2007-12-26 5856256]
VPN Client.lnk - c:\windows\Installer\{51FB15F4-AD27-43BC-AD4B-DD0354FB6BBD}\Icon3E5562ED7.ico [2009-2-8 6144]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeCS4ServiceManager]
2008-08-14 11:58 611712 ----a-w- c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
2004-08-10 11:04 59392 ----a-w- c:\windows\ehome\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2008-09-02 21:43 133104 ----atw- c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\High Definition Audio Property Page Shortcut]
2004-10-27 22:21 61952 ------w- c:\windows\system32\HdAShCut.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2008-03-30 14:36 267048 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NCsoft Launcher]
2010-04-01 21:18 38184 ----a-w- c:\program files\NCSoft\Launcher\NCLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
2009-11-04 00:21 1217808 ----a-w- c:\program files\Steam\steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2007-08-18 01:58 185632 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
2007-03-01 23:11 4670968 ----a-w- c:\program files\Yahoo!\Messenger\YahooMessenger.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Fortinet\\FortiClient\\ipsec.exe"=
"c:\\Program Files\\Trillian\\trillian.exe"=
"c:\\Program Files\\Turbine\\The Lord of the Rings Online\\lotroclient.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\mIRC\\mirc.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\mount and blade\\runme.exe"=
"c:\\Program Files\\Analog Devices\\Core\\smax4pnp.exe"=
"c:\\Program Files\\Analog Devices\\SoundMAX\\SMax4.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\dragon age origins\\bin_ship\\daupdatersvc.service.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\tropico 3\\tropico3.exe"=
"c:\\Riot Games\\League of Legends\\air\\LolClient.exe"=
"c:\\Riot Games\\League of Legends\\game\\League of Legends.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\empire total war\\Empire.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\dragon age origins\\bin_ship\\DAOrigins.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\dragon age origins\\DAOriginsLauncher.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\WINDOWS\\system32\\vsjitdebugger.exe"=
"c:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Microsoft Security Essentials\\msseces.exe"=
"c:\\WINDOWS\\system32\\taskmgr.exe"=
"c:\\Program Files\\Microsoft Visual Studio 9.0\\Common7\\IDE\\devenv.exe"=
"c:\\WINDOWS\\system32\\wscntfy.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724
"5353:TCP"= 5353:TCP:Adobe CSI CS4
"8370:TCP"= 8370:TCP:League of Legends Launcher
"8370:UDP"= 8370:UDP:League of Legends Launcher
"8372:TCP"= 8372:TCP:League of Legends Launcher
"8372:UDP"= 8372:UDP:League of Legends Launcher
"8373:TCP"= 8373:TCP:League of Legends Launcher
"8373:UDP"= 8373:UDP:League of Legends Launcher
"8374:TCP"= 8374:TCP:League of Legends Launcher
"8374:UDP"= 8374:UDP:League of Legends Launcher
"8375:TCP"= 8375:TCP:League of Legends Launcher
"8375:UDP"= 8375:UDP:League of Legends Launcher
"6949:TCP"= 6949:TCP:League of Legends Launcher
"6949:UDP"= 6949:UDP:League of Legends Launcher
"8376:TCP"= 8376:TCP:League of Legends Launcher
"8376:UDP"= 8376:UDP:League of Legends Launcher
"6960:TCP"= 6960:TCP:League of Legends Launcher
"6960:UDP"= 6960:UDP:League of Legends Launcher

R1 Fortigen;Fortigen;c:\windows\system32\drivers\fortigen.sys [8/24/2007 10:51 AM 14240]
R1 FortiPFW;FortiPFW;c:\windows\system32\drivers\fortipfw.sys [8/24/2007 10:51 AM 120992]
R2 Fortips;Fortips;c:\windows\system32\drivers\fortips.sys [8/24/2007 10:51 AM 96928]
R2 FortiRdr;FortiRdr;c:\windows\system32\drivers\FortiRdr.sys [8/24/2007 10:52 AM 18464]
R3 Fortidrv2;FortiNet Fortidrv Service;c:\windows\system32\drivers\fortidrv.sys [8/24/2007 10:51 AM 22176]
R3 ft_vnic;Fortinet network virtual adapter;c:\windows\system32\drivers\ftvnic.sys [8/24/2007 10:51 AM 14496]
S2 LicCtrlService;LicCtrl Service;c:\windows\Runservice.exe [3/29/2007 1:02 PM 2560]
S3 DAUpdaterSvc;Dragon Age: Origins - Content Updater;c:\program files\Steam\steamapps\common\dragon age origins\bin_ship\daupdatersvc.service.exe [11/8/2009 11:50 PM 25832]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2/26/2009 1:51 PM 38224]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 pgsql-8.2;PostgreSQL Database Server 8.2;c:\program files\PostgreSQL\8.2\bin\pg_ctl.exe [9/17/2007 9:09 AM 79948]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe [12/2/2006 6:17 AM 2805000]
.
Contents of the 'Scheduled Tasks' folder

2010-04-01 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2010-04-04 c:\windows\Tasks\At1.job
- c:\program files\norton pc checkup\pc_checkup.exe [2008-06-29 21:50]

2010-04-04 c:\windows\Tasks\At2.job
- c:\program files\norton pc checkup\pc_checkup.exe [2008-06-29 21:50]

2010-04-04 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-823518204-1715567821-839522115-500Core1ca5ce4d839abbc.job
- c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-02 21:43]

2010-04-04 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Microsoft Security Essentials\MpCmdRun.exe [2009-12-09 22:02]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://hometab.bellsouth.net/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\3bpgapea.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://espn.go.com/
FF - component: c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\3bpgapea.default\extensions\piclens@cooliris.com\components\coolirisstub.dll
FF - plugin: c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\3bpgapea.default\extensions\battlefieldheroespatcher@ea.com\platform\WINNT_x86-msvc\plugins\npBFHUpdater.dll
FF - plugin: c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\3bpgapea.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp07074039.dll
FF - plugin: c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\3bpgapea.default\extensions\piclens@cooliris.com\plugins\npcoolirisplugin.dll
FF - plugin: c:\documents and settings\Administrator\Application Data\Mozilla\plugins\npcoolirisplugin.dll
FF - plugin: c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\documents and settings\Administrator\Local Settings\Application Data\Unity\WebPlayer\loader\npUnity3D32.dll
FF - plugin: c:\progra~1\Yahoo!\Common\npyaxmpb.dll
FF - plugin: c:\program files\Download Manager\npfpdlm.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-05 18:17
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(348)
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll
.
Completion time: 2010-04-05 18:22:45
ComboFix-quarantined-files.txt 2010-04-05 22:22
ComboFix2.txt 2010-04-04 22:29
ComboFix3.txt 2010-04-04 01:14

Pre-Run: 59,891,290,112 bytes free
Post-Run: 59,961,942,016 bytes free

- - End Of File - - A804FFD0D4F9BD22DFE5B92530B305F3


#13 thewall

  • Malware Response Team
  • 6,425 posts
  • Gender:Male
  • Location:Florida
  • Local time:07:02 AM

Posted 05 April 2010 - 06:16 PM

You have some older versions of Java still showing up in Add/Remove. These can be areas of Malware exploitation so it is advisable to remove all of them:


Java™ 6 Update 2
Java™ 6 Update 3
Java™ SE Runtime Environment 6 Update 1

Please uninstall older versions of Adobe Reader before installing the latest version:

* Click Start
* Control Panel
* Double click on Add/Remove Programs
* Locate older version of Adobe Reader and click on Change/Remove to uninstall it
* Click HERE to download the latest version of Adobe Acrobat Reader.
* Select your Windows version and click on Download. If you are using Internet Explorer, you will receive prompts. Allow the installation to be run and it will be installed automatically for you. If you are using other browsers, it will prompt you to save a file. Save this file to your desktop and run it to install the latest version of Adobe Reader.
* Close your Internet browser and open it again.
When you have finished with the above let me know how the computer is running.
If I have helped you then please consider donating so I can continue the fight against malware
All donations go directly to the helper

Due to the large amount of backlogs we have I cannot respond to PMs for help unless I am already working with you

#14 radii
  • Topic Starter

  • Members
  • 8 posts
  • Local time:08:02 AM

Posted 07 April 2010 - 07:00 PM

I uninstalled the old stuff you mentioned in the last post above and everything seems to be working fine!

#15 thewall

  • Malware Response Team
  • 6,425 posts
  • Gender:Male
  • Location:Florida
  • Local time:07:02 AM

Posted 07 April 2010 - 07:46 PM

Sounds great!

We'll remove our tools and wrap up now.
Uninstall Combofix
  • Press the Windows Key + R on your keyboard.
  • Now copy & paste the green bolded text in the run-box and click OK.

    ComboFix /Uninstall

    <Notice the space between the "x" and "/".>

  • The following will implement some very important cleanup procedures as well as reset System Restore points.
You can go ahead and delete GMER and DDS now if they are still on your desktop.
Below are some steps to follow in order to dramatically lower the chances of reinfection.
You may have already implemented some of the steps below; however, you should follow any steps that you have not already implemented.
  1. Make sure you install all the security updates for Windows, Internet explorer & Microsoft Office
    Whenever a security problem in its software is found, Microsoft will usually create a patch for it so that, after the patch is installed, attackers can't use the vulnerability to install malicious software on your PC; keeping up with these patches will help to prevent malicious software being installed on your PC.
    Go here to check for & install updates to Microsoft applications
    Note: The update process uses ActiveX, so you will need to use Internet Explorer for it, and allow the ActiveX control that it wants to install.
  2. Keep your non-Microsoft applications updated as well
    Microsoft isn't the only company whose products can contain security vulnerabilities. To check for other vulnerable programs running on your PC that are in need of an update, you can use the Secunia Software Inspector. I suggest that you run it at least once a month.
  3. Make Internet Explorer more secure
    Click Start > Run
    Type Inetcpl.cpl & click OK
    Click on the Security tab
    Click Reset all zones to default level
    Make sure the Internet Zone is selected & Click Custom level
    In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls") to "Prompt", and ("Initialize and Script ActiveX controls not marked as safe") to "Disable".
    Next Click OK, then Apply button and then OK to exit the Internet Properties page.
  4. Install SpywareBlaster & make sure to update it regularly
    SpywareBlaster sets killbits in the registry to prevent known malicious ActiveX controls from installing themselves on your computer.
    If you don't know what ActiveX controls are, see here.
    You can download SpywareBlaster from here
  5. Finally, this is very important. It is absolutely essential to keep all of your security programs up to date
If you have any other questions or issues feel free to ask as I will be checking back on this topic.

Other than that if there is nothing else I can do for you then I wish you good luck in the future and thank you for using our forum.


thewall
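As an added example, not part of thewall's posts or of any tool linked there, here is a read-only PowerShell audit covering the items in posts #13 and #15: the three Internet-zone ActiveX settings from step 3 (URL actions 1001, 1004 and 1201 under Zones\3, where 0 = Enable, 1 = Prompt, 3 = Disable), the kill bits step 4 describes (bit 0x400 of 'Compatibility Flags' under the ActiveX Compatibility key), and leftover Java entries in Add/Remove Programs. These registry locations are the standard Internet Explorer and Windows locations and are assumed here, not taken from the thread.

```powershell
# Added audit script (not from the thread or from any tool it links).
# Read-only: it reports the state of the items the cleanup steps cover and changes nothing.
# Assumes Windows PowerShell on the machine being checked; the registry paths below are the
# standard Internet Explorer / Add-Remove Programs locations, not values taken from the log.

# The Internet zone is zone 3 under the per-user Internet Settings key.
$ZonePath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'

# URL action value -> (setting name, recommended value). Values: 0 = Enable, 1 = Prompt, 3 = Disable.
$Recommended = @{
    '1001' = @{ Name = 'Download signed ActiveX controls';                          Want = 1 }
    '1004' = @{ Name = 'Download unsigned ActiveX controls';                        Want = 1 }
    '1201' = @{ Name = 'Initialize and script ActiveX controls not marked as safe'; Want = 3 }
}
$SettingText = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

function Test-InternetZoneActiveX {
    # One object per setting: current value, recommended value, and whether they match.
    $zone = Get-ItemProperty -Path $ZonePath -ErrorAction Stop
    foreach ($action in ($Recommended.Keys | Sort-Object)) {
        $current = $zone.$action
        if ($null -eq $current) {
            $label = 'not set'
        } elseif ($SettingText.ContainsKey([int]$current)) {
            $label = $SettingText[[int]$current]
        } else {
            $label = "raw value $current"
        }
        New-Object PSObject -Property @{
            Action      = $action
            Setting     = $Recommended[$action].Name
            Current     = $label
            Recommended = $SettingText[$Recommended[$action].Want]
            Compliant   = ($null -ne $current -and [int]$current -eq $Recommended[$action].Want)
        }
    }
}

function Get-KillBitCount {
    # A kill bit is bit 0x400 of 'Compatibility Flags' under ActiveX Compatibility\{CLSID};
    # a tool such as SpywareBlaster shows up here as a large number of kill-bitted CLSIDs.
    $root = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'
    $count = 0
    Get-ChildItem -Path $root -ErrorAction SilentlyContinue | ForEach-Object {
        $props = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
        $flags = $props.'Compatibility Flags'
        if ($null -ne $flags -and ($flags -band 0x400) -ne 0) { $count++ }
    }
    return $count
}

function Get-InstalledJava {
    # Add/Remove Programs entries come from the Uninstall key; older Java runtimes left
    # behind appear here as separate 'Java(TM) 6 Update N' entries that should be removed.
    $uninstall = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall'
    Get-ChildItem -Path $uninstall -ErrorAction SilentlyContinue |
        ForEach-Object { Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue } |
        Where-Object { $_.DisplayName -like '*Java*' } |
        Select-Object DisplayName, DisplayVersion, UninstallString
}

Test-InternetZoneActiveX | Format-Table Setting, Current, Recommended, Compliant -AutoSize
"ActiveX controls with the kill bit set: $(Get-KillBitCount)"
Get-InstalledJava | Format-Table -AutoSize
```

Any row reported as not compliant, or more than one Java entry, points back to the corresponding step above.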