Google redirect virus, ITS BACKKK


  • This topic is locked
56 replies to this topic

#1 AndyMan315

  • Members
  • 120 posts
  • OFFLINE
  • Gender:Male
  • Location:Syracuse, NY
  • Local time:08:30 AM

Posted 07 May 2010 - 07:59 AM

Okay, here it goes. I had a Google redirect virus (as well as random IE windows popping up with ads and porn, and sometimes just an IE process with no window but you could hear the ads through my speakers...). Anyways, I thought I shook it with MWB and a few suggestions from this forum, but it seems to have made itself appear again...YAY. I'll try to make it easy for you: below is a copy of GMER (Sections only, as it caused the computer to crash) and an OTL report as well! PLEASE HALP!

GMER:

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-05-07 08:57:14
Windows 6.1.7600
Running: xj5lgcoj.exe; Driver: C:\Users\Andrew\AppData\Local\Temp\uxldapoc.sys


---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwSaveKeyEx + 13AD 82A58579 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 82A7CF52 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
.text ntkrnlpa.exe!RtlSidHashLookup + 224 82A84724 8 Bytes [48, 00, 36, 87, 60, F1, 18, ...]
.text ntkrnlpa.exe!RtlSidHashLookup + 23C 82A8473C 4 Bytes [B8, 25, 3A, 87]
.text ntkrnlpa.exe!RtlSidHashLookup + 248 82A84748 4 Bytes [A0, 00, 4A, 86]
.text ntkrnlpa.exe!RtlSidHashLookup + 29C 82A8479C 4 Bytes [68, 34, 3A, 87]
.text ntkrnlpa.exe!RtlSidHashLookup + 318 82A84818 4 Bytes [C0, 38, 3A, 87]
.text ...
? System32\drivers\foum.sys The system cannot find the path specified. !
.text peauth.sys A3C38C9D 28 Bytes [9E, 84, C1, 8B, 56, AE, F9, ...]
.text peauth.sys A3C38CC1 28 Bytes [9E, 84, C1, 8B, 56, AE, F9, ...]
PAGE peauth.sys A3C3EB9B 72 Bytes [4E, AB, 05, 50, FC, 3B, 2E, ...]
PAGE peauth.sys A3C3EBEC 111 Bytes JMP 2F66CA22
PAGE peauth.sys A3C3EE20 101 Bytes [A6, 25, 90, D6, A1, 70, 64, ...]
PAGE ...
PAGE spsys.sys!?SPRevision@@3PADA + 4F90 A1789000 290 Bytes [8B, FF, 55, 8B, EC, 33, C0, ...]
PAGE spsys.sys!?SPRevision@@3PADA + 50B3 A1789123 629 Bytes [45, 78, A1, FE, 05, 34, 45, ...]
PAGE spsys.sys!?SPRevision@@3PADA + 5329 A1789399 101 Bytes [6A, 28, 59, A5, 5E, C6, 03, ...]
PAGE spsys.sys!?SPRevision@@3PADA + 538F A17893FF 51 Bytes [18, 5D, C2, 14, 00, 8B, FF, ...]
PAGE spsys.sys!?SPRevision@@3PADA + 53C3 A1789433 96 Bytes [77, A1, 85, C9, 7C, 18, 8D, ...]
PAGE ...
? C:\Users\Andrew\AppData\Local\Temp\ALSysIO.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\ESET\ESET Smart Security\ekrn.exe[1892] kernel32.dll!SetUnhandledExceptionFilter 76B63142 4 Bytes [C2, 04, 00, 00]

---- EOF - GMER 1.0.15 ----


OTL:

OTL logfile created on: 5/3/2010 2:11:38 PM - Run 1
OTL by OldTimer - Version 3.2.4.1 Folder = C:\Users\Andrew\Downloads
Ultimate Edition (Version = 6.1.7600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.7600.16385)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 51.00% Memory free
6.00 Gb Paging File | 5.00 Gb Available in Paging File | 73.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 931.41 Gb Total Space | 804.71 Gb Free Space | 86.40% Space Free | Partition Type: NTFS
Drive D: | 7.03 Gb Total Space | 0.00 Gb Free Space | 0.00% Space Free | Partition Type: UDF
Drive E: | 232.88 Gb Total Space | 154.04 Gb Free Space | 66.15% Space Free | Partition Type: NTFS
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: LLAMA
Current User Name: Andrew
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/05/03 14:09:25 | 000,570,880 | ---- | M] (OldTimer Tools) -- C:\Users\Andrew\Downloads\OTL.exe
PRC - [2010/04/26 21:27:51 | 001,238,352 | ---- | M] (Valve Corporation) -- C:\Program Files\Steam\Steam.exe
PRC - [2010/04/06 18:35:44 | 000,910,296 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2010/03/19 10:49:20 | 000,144,672 | ---- | M] (Apple Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
PRC - [2010/03/01 23:16:17 | 000,031,856 | ---- | M] (Arainia Solutions) -- C:\Program Files\Gizmo\gservice.exe
PRC - [2010/03/01 23:16:12 | 000,220,768 | ---- | M] (Arainia Solutions) -- C:\Program Files\Gizmo\gizmo.exe
PRC - [2010/03/01 11:27:01 | 000,386,872 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jucheck.exe
PRC - [2010/02/25 16:21:50 | 000,126,392 | R--- | M] (Symantec Corporation) -- C:\Program Files\Norton 360\Engine\4.1.0.32\ccsvchst.exe
PRC - [2009/10/30 22:45:39 | 002,614,272 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
PRC - [2009/09/30 20:02:38 | 002,320,920 | R--- | M] (Intel Corporation) -- C:\Program Files\Intel\Intel® Management Engine Components\UNS\UNS.exe
PRC - [2009/09/30 20:02:36 | 000,268,824 | R--- | M] (Intel Corporation) -- C:\Program Files\Intel\Intel® Management Engine Components\LMS\LMS.exe
PRC - [2009/09/30 20:02:30 | 001,098,264 | R--- | M] (Intel Corporation) -- C:\Program Files\Intel\Intel® Management Engine Components\IMSS\PrivacyIconClient.exe
PRC - [2009/09/16 04:30:44 | 007,739,936 | ---- | M] (Realtek Semiconductor) -- C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
PRC - [2009/09/11 08:24:32 | 000,735,960 | ---- | M] (ESET) -- C:\Program Files\ESET\ESET Smart Security\ekrn.exe
PRC - [2009/09/11 08:23:46 | 002,054,360 | ---- | M] (ESET) -- C:\Program Files\ESET\ESET Smart Security\egui.exe
PRC - [2009/08/05 13:48:06 | 000,378,384 | ---- | M] () -- C:\Users\Andrew\My Documents\CoreTemp32\Core Temp.exe
PRC - [2009/07/13 18:14:42 | 000,049,152 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\taskhost.exe
PRC - [2009/07/13 18:14:29 | 003,179,520 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\sppsvc.exe
PRC - [2009/03/05 16:07:20 | 002,260,480 | RHS- | M] (Safer-Networking Ltd.) -- C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
PRC - [2009/01/26 15:31:10 | 001,153,368 | ---- | M] (Safer Networking Ltd.) -- C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe


========== Modules (SafeList) ==========

MOD - [2010/05/03 14:09:25 | 000,570,880 | ---- | M] (OldTimer Tools) -- C:\Users\Andrew\Downloads\OTL.exe
MOD - [2010/03/01 23:16:17 | 000,031,848 | ---- | M] (Arainia Solutions) -- C:\Program Files\Gizmo\ghook.dll
MOD - [2009/07/13 18:16:15 | 000,099,840 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\sspicli.dll
MOD - [2009/07/13 18:16:13 | 000,092,160 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\sechost.dll
MOD - [2009/07/13 18:16:13 | 000,050,688 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\samcli.dll
MOD - [2009/07/13 18:16:12 | 000,031,744 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\profapi.dll
MOD - [2009/07/13 18:16:03 | 000,022,016 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\netutils.dll
MOD - [2009/07/13 18:15:35 | 000,288,256 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\KernelBase.dll
MOD - [2009/07/13 18:15:13 | 000,067,072 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\dwmapi.dll
MOD - [2009/07/13 18:15:11 | 000,064,512 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\devobj.dll
MOD - [2009/07/13 18:15:07 | 000,036,864 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\cryptbase.dll
MOD - [2009/07/13 18:15:02 | 000,145,920 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\cfgmgr32.dll
MOD - [2009/07/13 18:14:10 | 000,095,232 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\msscript.ocx
MOD - [2009/07/13 18:03:50 | 001,680,896 | ---- | M] (Microsoft Corporation) -- C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7600.16385_none_421189da2b7fabfc\comctl32.dll


========== Win32 Services (SafeList) ==========

SRV - [2010/03/19 21:43:54 | 000,332,720 | ---- | M] (Valve Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Steam\SteamService.exe -- (Steam Client Service)
SRV - [2010/03/19 10:49:20 | 000,144,672 | ---- | M] (Apple Inc.) [Auto | Running] -- C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe -- (Apple Mobile Device)
SRV - [2010/03/01 23:16:17 | 000,031,856 | ---- | M] (Arainia Solutions) [Auto | Running] -- C:\Program Files\Gizmo\gservice.exe -- (Gizmo Central)
SRV - [2010/02/25 16:21:50 | 000,126,392 | R--- | M] (Symantec Corporation) [Unknown | Running] -- C:\Program Files\Norton 360\Engine\4.1.0.32\ccSvcHst.exe -- (N360)
SRV - [2009/09/30 20:02:38 | 002,320,920 | R--- | M] (Intel Corporation) [Auto | Running] -- C:\Program Files\Intel\Intel® Management Engine Components\UNS\UNS.exe -- (UNS) Intel®
SRV - [2009/09/30 20:02:36 | 000,268,824 | R--- | M] (Intel Corporation) [Auto | Running] -- C:\Program Files\Intel\Intel® Management Engine Components\LMS\LMS.exe -- (LMS) Intel®
SRV - [2009/09/11 08:33:18 | 000,020,680 | ---- | M] (ESET) [On_Demand | Stopped] -- C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe -- (EhttpSrv)
SRV - [2009/09/11 08:24:32 | 000,735,960 | ---- | M] (ESET) [Auto | Running] -- C:\Program Files\ESET\ESET Smart Security\ekrn.exe -- (ekrn)
SRV - [2009/07/13 18:16:21 | 000,185,856 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\wwansvc.dll -- (WwanSvc)
SRV - [2009/07/13 18:16:17 | 000,151,552 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\wbiosrvc.dll -- (WbioSrvc)
SRV - [2009/07/13 18:16:17 | 000,119,808 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\System32\umpo.dll -- (Power)
SRV - [2009/07/13 18:16:16 | 000,037,376 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\System32\themeservice.dll -- (Themes)
SRV - [2009/07/13 18:16:15 | 000,053,760 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\Windows\System32\sppuinotify.dll -- (sppuinotify)
SRV - [2009/07/13 18:16:13 | 000,043,520 | ---- | M] (Microsoft Corporation) [Unknown | Running] -- C:\Windows\System32\RpcEpMap.dll -- (RpcEptMapper)
SRV - [2009/07/13 18:16:13 | 000,025,088 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\sensrsvc.dll -- (SensrSvc)
SRV - [2009/07/13 18:16:12 | 001,004,544 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\PeerDistSvc.dll -- (PeerDistSvc)
SRV - [2009/07/13 18:16:12 | 000,269,824 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\pnrpsvc.dll -- (PNRPsvc)
SRV - [2009/07/13 18:16:12 | 000,269,824 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\pnrpsvc.dll -- (p2pimsvc)
SRV - [2009/07/13 18:16:12 | 000,165,376 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\provsvc.dll -- (HomeGroupProvider)
SRV - [2009/07/13 18:16:12 | 000,020,480 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\pnrpauto.dll -- (PNRPAutoReg)
SRV - [2009/07/13 18:15:41 | 000,680,960 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV - [2009/07/13 18:15:36 | 000,194,560 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\ListSvc.dll -- (HomeGroupListener)
SRV - [2009/07/13 18:15:21 | 000,797,696 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\Windows\System32\FntCache.dll -- (FontCache)
SRV - [2009/07/13 18:15:11 | 000,253,440 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\System32\dhcpcore.dll -- (Dhcp)
SRV - [2009/07/13 18:15:10 | 000,218,624 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\defragsvc.dll -- (defragsvc)
SRV - [2009/07/13 18:14:59 | 000,076,800 | ---- | M] (Microsoft Corporation) [Unknown | Stopped] -- C:\Windows\System32\bdesvc.dll -- (BDESVC)
SRV - [2009/07/13 18:14:58 | 000,088,064 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\AxInstSv.dll -- (AxInstSV) ActiveX Installer (AxInstSV)
SRV - [2009/07/13 18:14:53 | 000,027,648 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\appidsvc.dll -- (AppIDSvc)
SRV - [2009/07/13 18:14:29 | 003,179,520 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\System32\sppsvc.exe -- (sppsvc)
SRV - [2009/01/26 15:31:10 | 001,153,368 | ---- | M] (Safer Networking Ltd.) [Auto | Running] -- C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe -- (SBSDWSCService)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Running] -- -- (ALSysIO)
DRV - [2010/03/24 13:38:08 | 000,536,112 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\BASHDefs\20100324.001\BHDrvx86.sys -- (BHDrvx86)
DRV - [2010/03/20 09:49:12 | 001,324,720 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\VirusDefs\20100503.002\NAVEX15.SYS -- (NAVEX15)
DRV - [2010/03/20 09:49:12 | 000,102,448 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys -- (EraserUtilRebootDrv)
DRV - [2010/03/20 09:49:12 | 000,084,912 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\VirusDefs\20100503.002\NAVENG.SYS -- (NAVENG)
DRV - [2010/03/13 17:10:05 | 000,124,976 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\SYMEVENT.SYS -- (SymEvent)
DRV - [2010/03/01 23:16:24 | 000,023,624 | ---- | M] (Arainia Solutions LLC) [Kernel | System | Running] -- C:\Windows\System32\drivers\gizmodrv.sys -- (GizmoDrv)
DRV - [2010/02/27 13:10:12 | 000,371,248 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys -- (eeCtrl)
DRV - [2010/02/26 19:23:54 | 000,116,784 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Windows\system32\drivers\N360\0401000.020\Ironx86.SYS -- (SymIRON)
DRV - [2010/02/26 19:23:21 | 000,325,680 | ---- | M] (Symantec Corporation) [File_System | System | Running] -- C:\Windows\System32\Drivers\N360\0401000.020\SRTSP.SYS -- (SRTSP)
DRV - [2010/02/26 19:23:21 | 000,043,696 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Windows\system32\drivers\N360\0401000.020\SRTSPX.SYS -- (SRTSPX) Symantec Real Time Storage Protection (PEL)
DRV - [2010/02/25 16:22:57 | 000,501,888 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Windows\system32\drivers\N360\0401000.020\ccHPx86.sys -- (ccHP)
DRV - [2010/01/21 01:59:58 | 000,020,864 | ---- | M] (LG Electronics Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\lgusbdiag.sys -- (UsbDiag)
DRV - [2010/01/21 01:59:56 | 000,024,960 | ---- | M] (LG Electronics Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\lgusbmodem.sys -- (USBModem)
DRV - [2010/01/21 01:59:56 | 000,013,056 | ---- | M] (LG Electronics Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\lgusbbus.sys -- (usbbus)
DRV - [2010/01/12 13:03:34 | 011,586,280 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\nvlddmkm.sys -- (nvlddmkm)
DRV - [2009/11/25 23:41:48 | 000,172,592 | R--- | M] (Symantec Corporation) [File_System | Boot | Running] -- C:\Windows\system32\drivers\N360\0401000.020\SYMEFA.SYS -- (SymEFA)
DRV - [2009/11/21 17:43:47 | 000,340,016 | R--- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Windows\System32\Drivers\N360\0401000.020\SYMTDIV.SYS -- (SYMTDIv)
DRV - [2009/11/16 17:51:14 | 000,343,088 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\IPSDefs\20100422.002\IDSvix86.sys -- (IDSVix86)
DRV - [2009/10/14 20:50:05 | 000,328,752 | R--- | M] (Symantec Corporation) [Kernel | Boot | Running] -- C:\Windows\system32\drivers\N360\0401000.020\SYMDS.SYS -- (SymDS)
DRV - [2009/09/23 02:09:56 | 000,208,552 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\e1k6232.sys -- (e1kexpress) Intel®
DRV - [2009/09/17 12:54:14 | 000,041,088 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\HECI.sys -- (HECI) Intel®
DRV - [2009/09/16 06:28:44 | 002,771,104 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\RTKVHDA.sys -- (IntcAzAudAddService) Service for Realtek HD Audio (WDM)
DRV - [2009/09/11 08:26:26 | 000,038,240 | ---- | M] (ESET) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\epfwwfp.sys -- (epfwwfp)
DRV - [2009/09/11 08:26:20 | 000,135,048 | ---- | M] (ESET) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\epfw.sys -- (epfw)
DRV - [2009/09/11 08:23:50 | 000,108,792 | ---- | M] (ESET) [Kernel | System | Running] -- C:\Windows\System32\drivers\ehdrv.sys -- (ehdrv)
DRV - [2009/09/11 08:17:16 | 000,116,008 | ---- | M] (ESET) [File_System | Auto | Running] -- C:\Windows\System32\drivers\eamon.sys -- (eamon)
DRV - [2009/07/13 18:26:21 | 000,015,952 | ---- | M] (CMD Technology, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\cmdide.sys -- (cmdide)
DRV - [2009/07/13 18:26:17 | 000,297,552 | ---- | M] (Adaptec, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\adpahci.sys -- (adpahci)
DRV - [2009/07/13 18:26:15 | 000,422,976 | ---- | M] (Adaptec, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\adp94xx.sys -- (adp94xx)
DRV - [2009/07/13 18:26:15 | 000,159,312 | ---- | M] (AMD Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\amdsbs.sys -- (amdsbs)
DRV - [2009/07/13 18:26:15 | 000,146,512 | ---- | M] (Adaptec, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\adpu320.sys -- (adpu320)
DRV - [2009/07/13 18:26:15 | 000,086,608 | ---- | M] (Adaptec, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\arcsas.sys -- (arcsas)
DRV - [2009/07/13 18:26:15 | 000,079,952 | ---- | M] (Advanced Micro Devices) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\amdsata.sys -- (amdsata)
DRV - [2009/07/13 18:26:15 | 000,076,368 | ---- | M] (Adaptec, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\arc.sys -- (arc)
DRV - [2009/07/13 18:26:15 | 000,023,616 | ---- | M] (Advanced Micro Devices) [Kernel | Boot | Running] -- C:\Windows\system32\DRIVERS\amdxata.sys -- (amdxata)
DRV - [2009/07/13 18:26:15 | 000,014,400 | ---- | M] (Acer Laboratories Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\aliide.sys -- (aliide)
DRV - [2009/07/13 18:20:44 | 000,142,416 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\nvstor.sys -- (nvstor)
DRV - [2009/07/13 18:20:44 | 000,117,312 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\nvraid.sys -- (nvraid)
DRV - [2009/07/13 18:20:44 | 000,044,624 | ---- | M] (IBM Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\nfrd960.sys -- (nfrd960)
DRV - [2009/07/13 18:20:37 | 000,089,168 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\lsi_sas.sys -- (LSI_SAS)
DRV - [2009/07/13 18:20:36 | 000,332,352 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\iaStorV.sys -- (iaStorV)
DRV - [2009/07/13 18:20:36 | 000,235,584 | ---- | M] (LSI Corporation, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\MegaSR.sys -- (MegaSR)
DRV - [2009/07/13 18:20:36 | 000,133,200 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\System32\Drivers\ksecpkg.sys -- (KSecPkg)
DRV - [2009/07/13 18:20:36 | 000,096,848 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\lsi_scsi.sys -- (LSI_SCSI)
DRV - [2009/07/13 18:20:36 | 000,095,824 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\lsi_fc.sys -- (LSI_FC)
DRV - [2009/07/13 18:20:36 | 000,054,864 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\lsi_sas2.sys -- (LSI_SAS2)
DRV - [2009/07/13 18:20:36 | 000,041,040 | ---- | M] (Intel Corp./ICP vortex GmbH) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\iirsp.sys -- (iirsp)
DRV - [2009/07/13 18:20:36 | 000,030,800 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\megasas.sys -- (megasas)
DRV - [2009/07/13 18:20:36 | 000,013,904 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\hwpolicy.sys -- (hwpolicy)
DRV - [2009/07/13 18:20:28 | 000,453,712 | ---- | M] (Emulex) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\elxstor.sys -- (elxstor)
DRV - [2009/07/13 18:20:28 | 000,070,720 | ---- | M] (Adaptec, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\djsvs.sys -- (aic78xx)
DRV - [2009/07/13 18:20:28 | 000,067,152 | ---- | M] (Hewlett-Packard Company) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\HpSAMD.sys -- (HpSAMD)
DRV - [2009/07/13 18:20:28 | 000,046,160 | ---- | M] (Microsoft Corporation) [File_System | On_Demand | Stopped] -- C:\Windows\System32\drivers\fsdepends.sys -- (FsDepends)
DRV - [2009/07/13 18:19:11 | 000,141,904 | ---- | M] (VIA Technologies Inc.,Ltd) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\vsmraid.sys -- (vsmraid)
DRV - [2009/07/13 18:19:10 | 000,175,824 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\vmbus.sys -- (vmbus)
DRV - [2009/07/13 18:19:10 | 000,159,824 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\vhdmp.sys -- (vhdmp)
DRV - [2009/07/13 18:19:10 | 000,040,896 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\system32\DRIVERS\vmstorfl.sys -- (storflt)
DRV - [2009/07/13 18:19:10 | 000,032,832 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\system32\DRIVERS\vdrvroot.sys -- (vdrvroot)
DRV - [2009/07/13 18:19:10 | 000,028,224 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\storvsc.sys -- (storvsc)
DRV - [2009/07/13 18:19:10 | 000,019,008 | ---- | M] (Microsoft Corporation) [File_System | On_Demand | Stopped] -- C:\Windows\System32\drivers\wimmount.sys -- (WIMMount)
DRV - [2009/07/13 18:19:10 | 000,016,976 | ---- | M] (VIA Technologies, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\viaide.sys -- (viaide)
DRV - [2009/07/13 18:19:04 | 001,383,488 | ---- | M] (QLogic Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\ql2300.sys -- (ql2300)
DRV - [2009/07/13 18:19:04 | 000,173,648 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\rdyboost.sys -- (rdyboost)
DRV - [2009/07/13 18:19:04 | 000,106,064 | ---- | M] (QLogic Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\ql40xx.sys -- (ql40xx)
DRV - [2009/07/13 18:19:04 | 000,077,888 | ---- | M] (Silicon Integrated Systems) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\sisraid4.sys -- (SiSRaid4)
DRV - [2009/07/13 18:19:04 | 000,043,088 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\pcw.sys -- (pcw)
DRV - [2009/07/13 18:19:04 | 000,040,016 | ---- | M] (Silicon Integrated Systems Corp.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\SiSRaid2.sys -- (SiSRaid2)
DRV - [2009/07/13 18:19:04 | 000,021,072 | ---- | M] (Promise Technology) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\stexstor.sys -- (stexstor)
DRV - [2009/07/13 18:17:54 | 000,369,568 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\System32\Drivers\cng.sys -- (CNG)
DRV - [2009/07/13 17:57:25 | 000,272,128 | ---- | M] (Brother Industries Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\Drivers\Brserid.sys -- (Brserid) Brother MFC Serial Port Interface Driver (WDM)
DRV - [2009/07/13 17:02:41 | 000,018,944 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\rdpbus.sys -- (rdpbus)
DRV - [2009/07/13 17:01:41 | 000,007,168 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\Windows\System32\drivers\RDPREFMP.sys -- (RDPREFMP)
DRV - [2009/07/13 16:55:00 | 000,049,152 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\agilevpn.sys -- (RasAgileVpn) WAN Miniport (IKEv2)
DRV - [2009/07/13 16:53:51 | 000,009,728 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\Windows\System32\drivers\wfplwf.sys -- (WfpLwf)
DRV - [2009/07/13 16:52:44 | 000,027,136 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\ndiscap.sys -- (NdisCap)
DRV - [2009/07/13 16:52:02 | 000,019,968 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\vwifibus.sys -- (vwifibus)
DRV - [2009/07/13 16:52:00 | 000,163,328 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\1394ohci.sys -- (1394ohci)
DRV - [2009/07/13 16:51:35 | 000,008,192 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\umpass.sys -- (UmPass)
DRV - [2009/07/13 16:51:11 | 000,034,944 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\winusb.sys -- (WinUsb)
DRV - [2009/07/13 16:51:08 | 000,004,096 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\mshidkmdf.sys -- (mshidkmdf)
DRV - [2009/07/13 16:46:55 | 000,012,288 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\MTConfig.sys -- (MTConfig)
DRV - [2009/07/13 16:45:26 | 000,031,232 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\CompositeBus.sys -- (CompositeBus)
DRV - [2009/07/13 16:36:52 | 000,050,176 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\drivers\appid.sys -- (AppID)
DRV - [2009/07/13 16:33:50 | 000,026,624 | ---- | M] (Microsoft Corporation) [Kernel | Unknown | Stopped] -- C:\Windows\System32\drivers\scfilter.sys -- (scfilter)
DRV - [2009/07/13 16:28:47 | 000,005,632 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\vms3cap.sys -- (s3cap)
DRV - [2009/07/13 16:28:45 | 000,017,920 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\VMBusHID.sys -- (VMBusHID)
DRV - [2009/07/13 16:24:05 | 000,032,256 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\Windows\System32\drivers\discache.sys -- (discache)
DRV - [2009/07/13 16:19:21 | 000,021,504 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\HidBatt.sys -- (HidBatt)
DRV - [2009/07/13 16:16:36 | 000,009,728 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\acpipmi.sys -- (AcpiPmi)
DRV - [2009/07/13 16:11:04 | 000,052,736 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\amdppm.sys -- (AmdPPM)
DRV - [2009/07/13 15:54:14 | 000,026,624 | ---- | M] (Hauppauge Computer Works, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\drivers\hcw85cir.sys -- (hcw85cir)
DRV - [2009/07/13 15:53:33 | 000,012,160 | ---- | M] (Brother Industries Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\Drivers\BrUsbMdm.sys -- (BrUsbMdm)
DRV - [2009/07/13 15:53:33 | 000,011,904 | ---- | M] (Brother Industries Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\Drivers\BrUsbSer.sys -- (BrUsbSer)
DRV - [2009/07/13 15:53:32 | 000,062,336 | ---- | M] (Brother Industries Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\Drivers\BrSerWdm.sys -- (BrSerWdm)
DRV - [2009/07/13 15:53:28 | 000,013,568 | ---- | M] (Brother Industries, Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\BrFiltLo.sys -- (BrFiltLo)
DRV - [2009/07/13 15:53:28 | 000,005,248 | ---- | M] (Brother Industries, Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\BrFiltUp.sys -- (BrFiltUp)
DRV - [2009/07/13 15:02:49 | 000,229,888 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\b57nd60x.sys -- (b57nd60x)
DRV - [2009/07/13 15:02:48 | 003,100,160 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\evbdx.sys -- (ebdrv)
DRV - [2009/07/13 15:02:48 | 000,430,080 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\bxvbdx.sys -- (b06bdrv)
DRV - [2009/06/19 10:10:40 | 000,033,096 | ---- | M] (ESET) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\epfwndis.sys -- (Epfwndis)
DRV - [2004/04/10 10:42:36 | 000,002,944 | ---- | M] (cansoft@livewiredev.com) [Kernel | System | Running] -- C:\Windows\System32\mbmiodrvr.sys -- (mbmiodrvr)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========


IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = FF E6 E8 C0 7F B7 CA 01 [binary data]
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..extensions.enabledItems: toolbar@ask.com:3.6.2.119
FF - prefs.js..extensions.enabledItems: {89f8dde0-010a-11da-8cd6-0800200c9a66}:1.0.0.19
FF - prefs.js..extensions.enabledItems: {BBDA0591-3099-440a-AA10-41764D9DB4DB}:2.0
FF - prefs.js..extensions.enabledItems: {2D3F3651-74B9-4795-BDEC-6DA2F431CB62}:4.6

FF - HKLM\software\mozilla\Firefox\Extensions\\{BBDA0591-3099-440a-AA10-41764D9DB4DB}: C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\IPSFFPlgn\ [2010/04/26 18:07:43 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{2D3F3651-74B9-4795-BDEC-6DA2F431CB62}: C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\coFFPlgn\ [2010/03/13 17:15:36 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.3\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/04/06 18:48:32 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.3\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/04/06 18:48:32 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Thunderbird\Extensions\\eplgTb@eset.com: C:\Program Files\ESET\ESET Smart Security\Mozilla Thunderbird [2010/02/27 00:14:45 | 000,000,000 | ---D | M]

[2010/03/15 22:15:13 | 000,000,000 | ---D | M] -- C:\Users\Andrew\AppData\Roaming\Mozilla\Extensions
[2010/03/15 22:15:13 | 000,000,000 | ---D | M] -- C:\Users\Andrew\AppData\Roaming\Mozilla\Extensions\mozswing@mozswing.org
[2010/05/02 21:06:03 | 000,000,000 | ---D | M] -- C:\Users\Andrew\AppData\Roaming\Mozilla\Firefox\Profiles\kp89i73u.default\extensions
[2010/02/28 13:48:30 | 000,000,000 | ---D | M] (Yahoo! Mail Notifier) -- C:\Users\Andrew\AppData\Roaming\Mozilla\Firefox\Profiles\kp89i73u.default\extensions\{89f8dde0-010a-11da-8cd6-0800200c9a66}
[2010/03/01 11:40:43 | 000,000,000 | ---D | M] -- C:\Users\Andrew\AppData\Roaming\Mozilla\Firefox\Profiles\kp89i73u.default\extensions\toolbar@ask.com
[2010/05/02 21:06:03 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2010/02/28 23:30:49 | 000,238,776 | ---- | M] (Pando Networks) -- C:\Program Files\Mozilla Firefox\plugins\npPandoWebInst.dll
[2010/01/13 15:46:00 | 000,063,488 | ---- | M] (Nullsoft, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npwachk.dll

O1 HOSTS File: ([2010/05/02 08:22:54 | 000,393,152 | R--- | M]) - C:\Windows\System32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 www.007guard.com
O1 - Hosts: 127.0.0.1 007guard.com
O1 - Hosts: 127.0.0.1 008i.com
O1 - Hosts: 127.0.0.1 www.008k.com
O1 - Hosts: 127.0.0.1 008k.com
O1 - Hosts: 127.0.0.1 www.00hq.com
O1 - Hosts: 127.0.0.1 00hq.com
O1 - Hosts: 127.0.0.1 010402.com
O1 - Hosts: 127.0.0.1 www.032439.com
O1 - Hosts: 127.0.0.1 032439.com
O1 - Hosts: 127.0.0.1 www.0scan.com
O1 - Hosts: 127.0.0.1 0scan.com
O1 - Hosts: 127.0.0.1 1000gratisproben.com
O1 - Hosts: 127.0.0.1 www.1000gratisproben.com
O1 - Hosts: 127.0.0.1 1001namen.com
O1 - Hosts: 127.0.0.1 www.1001namen.com
O1 - Hosts: 127.0.0.1 100888290cs.com
O1 - Hosts: 127.0.0.1 www.100888290cs.com
O1 - Hosts: 127.0.0.1 www.100sexlinks.com
O1 - Hosts: 127.0.0.1 100sexlinks.com
O1 - Hosts: 127.0.0.1 10sek.com
O1 - Hosts: 127.0.0.1 www.10sek.com
O1 - Hosts: 127.0.0.1 www.1-2005-search.com
O1 - Hosts: 127.0.0.1 1-2005-search.com
O1 - Hosts: 127.0.0.1 www.123fporn.info
O1 - Hosts: 13575 more lines...
O2 - BHO: (AcroIEHlprObj Class) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx ()
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (Symantec NCO BHO) - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton 360\Engine\4.1.0.32\coieplg.dll (Symantec Corporation)
O2 - BHO: (Symantec Intrusion Prevention) - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton 360\Engine\4.1.0.32\ipsbho.dll (Symantec Corporation)
O2 - BHO: (FrostWire Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll (Ask.com)
O3 - HKLM\..\Toolbar: (Norton Toolbar) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton 360\Engine\4.1.0.32\coieplg.dll (Symantec Corporation)
O3 - HKLM\..\Toolbar: (FrostWire Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll (Ask.com)
O3 - HKCU\..\Toolbar\WebBrowser: (Norton Toolbar) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton 360\Engine\4.1.0.32\coieplg.dll (Symantec Corporation)
O3 - HKCU\..\Toolbar\WebBrowser: (FrostWire Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll (Ask.com)
O4 - HKLM..\Run: [egui] C:\Program Files\ESET\ESET Smart Security\egui.exe (ESET)
O4 - HKLM..\Run: [IMSS] C:\Program Files\Intel\Intel® Management Engine Components\IMSS\PIconStartup.exe ()
O4 - HKLM..\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe (Realtek Semiconductor)
O4 - HKCU..\Run: [Core Temp] C:\Users\Andrew\Documents\CoreTemp32\Core Temp.exe ()
O4 - HKCU..\Run: [GizmoDriveDelegate] C:\Program Files\Gizmo\gdrive.dll ()
O4 - HKCU..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (Safer-Networking Ltd.)
O4 - HKCU..\Run: [Steam] c:\program files\steam\steam.exe (Valve Corporation)
O4 - Startup: C:\Users\Andrew\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LimeWire On Startup.lnk = E:\Computadora\LimeWire\LimeWire.exe (Lime Wire, LLC)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: PromptOnSecureDesktop = 0
O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000007 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O12 - Plugin for: .spop - C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll (InterTrust Technologies Corporation, Inc.)
O13 - gopher Prefix: missing
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_15)
O16 - DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} http://java.sun.com/products/plugin/autodl...indows-i586.cab (Java Plug-in 1.4.2_03)
O16 - DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_15)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_15)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 209.18.47.61 209.18.47.62
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\System32\SystemPropertiesPerformance.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - CLSID or File not found.
O30 - LSA: Security Packages - (pku2u) - C:\Windows\System32\pku2u.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/06/10 14:42:20 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O32 - AutoRun File - [2008/11/15 02:52:50 | 000,161,088 | R--- | M] (Take-Two Interactive Software, Inc.) - D:\Autorun.exe -- [ UDF ]
O32 - AutoRun File - [2008/10/11 10:03:48 | 000,000,054 | R--- | M] () - D:\Autorun.inf -- [ UDF ]
O33 - MountPoints2\{8fbb36c9-2310-11df-bd81-806e6f6e6963}\Shell - "" = AutoRun
O33 - MountPoints2\{8fbb36c9-2310-11df-bd81-806e6f6e6963}\Shell\AutoRun\command - "" = D:\Autorun.exe -- [2008/11/15 02:52:50 | 000,161,088 | R--- | M] (Take-Two Interactive Software, Inc.)
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs: FastUserSwitchingCompatibility - File not found
NetSvcs: Ias - C:\Windows\System32\ias [2009/07/13 19:37:08 | 000,000,000 | ---D | M]
NetSvcs: Nla - File not found
NetSvcs: Ntmssvc - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: SRService - File not found
NetSvcs: Wmi - C:\Windows\System32\wmi.dll (Microsoft Corporation)
NetSvcs: WmdmPmSp - File not found
NetSvcs: LogonHours - File not found
NetSvcs: PCAudit - File not found
NetSvcs: helpsvc - File not found
NetSvcs: uploadmgr - File not found
NetSvcs: Themes - C:\Windows\System32\themeservice.dll (Microsoft Corporation)
NetSvcs: BDESVC - C:\Windows\System32\bdesvc.dll (Microsoft Corporation)


========== Files/Folders - Created Within 30 Days ==========

[2010/05/02 16:39:13 | 000,000,000 | ---D | C] -- C:\Program Files\CCleaner
[2010/05/02 09:50:31 | 000,000,000 | ---D | C] -- C:\Users\Andrew\AppData\Roaming\Malwarebytes
[2010/05/02 09:50:23 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbamswissarmy.sys
[2010/05/02 09:50:22 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
[2010/05/02 09:50:21 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
[2010/05/02 09:50:21 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010/05/02 08:13:04 | 000,000,000 | ---D | C] -- C:\ProgramData\Spybot - Search & Destroy
[2010/05/02 08:13:04 | 000,000,000 | ---D | C] -- C:\Program Files\Spybot - Search & Destroy
[2010/04/29 19:49:15 | 000,000,000 | -HSD | C] -- C:\ProgramData\SecuROM
[2010/04/29 19:48:12 | 004,178,264 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\D3DX9_41.dll
[2010/04/29 19:48:12 | 000,517,448 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\XAudio2_4.dll
[2010/04/29 19:48:12 | 000,235,352 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\xactengine3_4.dll
[2010/04/29 19:48:12 | 000,069,448 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\XAPOFX1_3.dll
[2010/04/29 19:48:11 | 000,022,360 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\X3DAudio1_6.dll
[2010/04/29 19:39:21 | 000,000,000 | ---D | C] -- C:\Users\Andrew\Documents\Games for Windows - LIVE Demos
[2010/04/29 17:57:34 | 000,000,000 | ---D | C] -- C:\Users\Andrew\Documents\Rockstar Games
[2010/04/29 17:57:01 | 000,000,000 | ---D | C] -- C:\Users\Public\Documents\microsoft
[2010/04/29 17:54:22 | 000,453,456 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\d3dx10_42.dll
[2010/04/25 09:17:09 | 000,000,000 | ---D | C] -- C:\Users\Andrew\Desktop\3D Home Architect Design Deluxe v
[2010/04/20 21:21:52 | 000,000,000 | ---D | C] -- C:\Users\Andrew\Desktop\MARLEE
[2010/04/06 18:50:16 | 000,000,000 | ---D | C] -- C:\Program Files\iPod
[2010/04/06 18:50:15 | 000,000,000 | ---D | C] -- C:\Program Files\iTunes
[2010/04/06 18:48:14 | 000,000,000 | ---D | C] -- C:\Program Files\QuickTime
[2010/04/06 18:46:31 | 000,000,000 | ---D | C] -- C:\Program Files\Bonjour
[2010/04/05 07:09:04 | 000,000,000 | ---D | C] -- C:\Users\Andrew\AppData\Local\ESET

========== Files - Modified Within 30 Days ==========

[2010/05/03 14:13:08 | 006,029,312 | -HS- | M] () -- C:\Users\Andrew\NTUSER.DAT
[2010/05/03 14:11:01 | 000,000,290 | -H-- | M] () -- C:\Windows\tasks\{8C3FDD81-7AE0-4605-A46A-2488B179F2A3}.job
[2010/05/03 14:09:50 | 000,001,184 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2010/05/03 14:09:50 | 000,001,184 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2010/05/03 10:34:19 | 000,908,254 | ---- | M] () -- C:\Windows\System32\drivers\N360\0401000.020\Cat.DB
[2010/05/03 07:41:55 | 000,014,612 | ---- | M] () -- C:\Users\Andrew\Documents\cc_20100503_074121.reg
[2010/05/02 16:39:25 | 000,001,831 | ---- | M] () -- C:\Users\Andrew\Desktop\CCleaner.lnk
[2010/05/02 13:00:43 | 000,713,888 | ---- | M] () -- C:\Windows\System32\PerfStringBackup.INI
[2010/05/02 13:00:43 | 000,615,122 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2010/05/02 13:00:43 | 000,103,496 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2010/05/02 12:54:35 | 000,000,312 | -HS- | M] () -- C:\Windows\tasks\ehuopnab.job
[2010/05/02 12:54:35 | 000,000,006 | -H-- | M] () -- C:\Windows\tasks\SA.DAT
[2010/05/02 12:54:27 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2010/05/02 12:54:16 | 2564,849,664 | -HS- | M] () -- C:\hiberfil.sys
[2010/05/02 12:53:29 | 001,597,248 | -H-- | M] () -- C:\Users\Andrew\AppData\Local\IconCache.db
[2010/05/02 09:50:26 | 000,000,979 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/05/02 08:22:54 | 000,393,152 | R--- | M] () -- C:\Windows\System32\drivers\etc\hosts
[2010/05/02 08:13:12 | 000,001,216 | ---- | M] () -- C:\Users\Andrew\Desktop\Spybot - Search & Destroy.lnk
[2010/04/30 08:06:49 | 000,084,992 | RHS- | M] () -- C:\Windows\System32\spwmpp.dll
[2010/04/29 15:39:38 | 000,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbamswissarmy.sys
[2010/04/29 15:39:26 | 000,020,952 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
[2010/04/26 21:28:33 | 000,000,947 | ---- | M] () -- C:\Users\Public\Desktop\Steam.lnk
[2010/04/16 22:16:04 | 000,002,322 | ---- | M] () -- C:\Users\Public\Desktop\Norton 360.lnk
[2010/04/10 23:29:31 | 000,024,576 | ---- | M] () -- C:\Users\Andrew\Documents\TO DO!!.doc
[2010/04/06 18:50:53 | 000,002,429 | ---- | M] () -- C:\Users\Public\Desktop\iTunes.lnk
[2010/04/06 18:48:28 | 000,001,815 | ---- | M] () -- C:\Users\Public\Desktop\QuickTime Player.lnk
[2010/04/03 19:59:10 | 000,028,160 | ---- | M] () -- C:\Users\Andrew\Desktop\My Resume.doc

========== Files Created - No Company Name ==========

[2010/05/03 07:41:30 | 000,014,612 | ---- | C] () -- C:\Users\Andrew\Documents\cc_20100503_074121.reg
[2010/05/02 16:39:25 | 000,001,831 | ---- | C] () -- C:\Users\Andrew\Desktop\CCleaner.lnk
[2010/05/02 09:50:26 | 000,000,979 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/05/02 09:41:32 | 000,001,184 | -H-- | C] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2010/05/02 09:41:32 | 000,001,184 | -H-- | C] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2010/05/02 08:13:12 | 000,001,216 | ---- | C] () -- C:\Users\Andrew\Desktop\Spybot - Search & Destroy.lnk
[2010/04/30 08:06:53 | 000,000,290 | -H-- | C] () -- C:\Windows\tasks\{8C3FDD81-7AE0-4605-A46A-2488B179F2A3}.job
[2010/04/30 08:06:49 | 000,084,992 | RHS- | C] () -- C:\Windows\System32\spwmpp.dll
[2010/04/30 08:06:49 | 000,000,312 | -HS- | C] () -- C:\Windows\tasks\ehuopnab.job
[2010/04/06 18:50:53 | 000,002,429 | ---- | C] () -- C:\Users\Public\Desktop\iTunes.lnk
[2010/04/06 18:48:28 | 000,001,815 | ---- | C] () -- C:\Users\Public\Desktop\QuickTime Player.lnk
[2010/04/03 19:59:10 | 000,028,160 | ---- | C] () -- C:\Users\Andrew\Desktop\My Resume.doc
[2010/03/26 12:37:20 | 000,000,376 | ---- | C] () -- C:\Windows\ODBC.INI
[2009/11/06 10:58:04 | 000,178,975 | ---- | C] () -- C:\Windows\System32\xlive.dll.cat
[2009/07/13 16:51:43 | 000,073,728 | ---- | C] () -- C:\Windows\System32\BthpanContextHandler.dll
[2009/07/13 16:42:10 | 000,064,000 | ---- | C] () -- C:\Windows\System32\BWContextHandler.dll
[2008/02/05 18:12:58 | 003,596,288 | ---- | C] () -- C:\Windows\System32\qt-dx331.dll
[2008/02/05 18:11:48 | 000,000,416 | ---- | C] () -- C:\Windows\System32\dtu100.dll.manifest
[2008/02/05 18:11:48 | 000,000,416 | ---- | C] () -- C:\Windows\System32\dpl100.dll.manifest
[2008/02/05 18:10:58 | 000,012,288 | ---- | C] () -- C:\Windows\System32\DivXWMPExtType.dll
[2003/01/07 15:05:08 | 000,002,695 | ---- | C] () -- C:\Windows\System32\OUTLPERF.INI
[1999/07/29 01:27:10 | 000,056,832 | ---- | C] () -- C:\Windows\System32\iyvu9_32.dll

========== Custom Scans ==========


< %appdata%\*.* >

< %systemroot%\system32\*.dll /lockedfiles >
[2009/07/13 18:15:13 | 000,346,112 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\Windows\System32\dxtmsft.dll
[2009/07/13 18:15:13 | 000,215,552 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\Windows\System32\dxtrans.dll
[2010/04/30 08:06:49 | 000,084,992 | RHS- | M] () Unable to obtain MD5 -- C:\Windows\System32\spwmpp.dll

< %systemroot%\Tasks\*.job /lockedfiles >
[2010/05/02 12:54:35 | 000,000,312 | -HS- | M] () Unable to obtain MD5 -- C:\Windows\Tasks\ehuopnab.job

< %SYSTEMDRIVE%\*.exe >


< MD5 for: ATAPI.SYS >
[2009/07/13 18:26:15 | 000,021,584 | ---- | M] (Microsoft Corporation) MD5=338C86357871C167A96AB976519BF59E -- C:\Windows\System32\drivers\atapi.sys
[2009/07/13 18:26:15 | 000,021,584 | ---- | M] (Microsoft Corporation) MD5=338C86357871C167A96AB976519BF59E -- C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_x86_neutral_f64b9c35a3a5be81\atapi.sys
[2009/07/13 18:26:15 | 000,021,584 | ---- | M] (Microsoft Corporation) MD5=338C86357871C167A96AB976519BF59E -- C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.1.7600.16385_none_dd0e7e3d82dd640d\atapi.sys

< MD5 for: BEEP.SYS >
[2009/07/13 16:45:01 | 000,006,144 | ---- | M] (Microsoft Corporation) MD5=505506526A9D467307B3C393DEDAF858 -- C:\Windows\System32\drivers\beep.sys
[2009/07/13 16:45:01 | 000,006,144 | ---- | M] (Microsoft Corporation) MD5=505506526A9D467307B3C393DEDAF858 -- C:\Windows\winsxs\x86_microsoft-windows-beepsys_31bf3856ad364e35_6.1.7600.16385_none_c3f6f77668f0ddcc\beep.sys

< MD5 for: CNGAUDIT.DLL >
[2009/07/13 18:15:06 | 000,012,288 | ---- | M] (Microsoft Corporation) MD5=50BA656134F78AF64E4DD3C8B6FEFD7E -- C:\Windows\System32\cngaudit.dll
[2009/07/13 18:15:06 | 000,012,288 | ---- | M] (Microsoft Corporation) MD5=50BA656134F78AF64E4DD3C8B6FEFD7E -- C:\Windows\winsxs\x86_microsoft-windows-cngaudit-dll_31bf3856ad364e35_6.1.7600.16385_none_e83a414890e8132b\cngaudit.dll

< MD5 for: IASTORV.SYS >
[2009/07/13 18:20:36 | 000,332,352 | ---- | M] (Intel Corporation) MD5=934AF4D7C5F457B9F0743F4299B77B67 -- C:\Windows\System32\drivers\iaStorV.sys
[2009/07/13 18:20:36 | 000,332,352 | ---- | M] (Intel Corporation) MD5=934AF4D7C5F457B9F0743F4299B77B67 -- C:\Windows\System32\DriverStore\FileRepository\iastorv.inf_x86_neutral_18cccb83b34e1453\iaStorV.sys
[2009/07/13 18:20:36 | 000,332,352 | ---- | M] (Intel Corporation) MD5=934AF4D7C5F457B9F0743F4299B77B67 -- C:\Windows\winsxs\x86_iastorv.inf_31bf3856ad364e35_6.1.7600.16385_none_aee7a89be91b9000\iaStorV.sys

< MD5 for: NETLOGON.DLL >
[2009/07/13 18:16:02 | 000,563,712 | ---- | M] (Microsoft Corporation) MD5=EAA75D9000B71F10EEC04D2AE6C60E81 -- C:\Windows\System32\netlogon.dll
[2009/07/13 18:16:02 | 000,563,712 | ---- | M] (Microsoft Corporation) MD5=EAA75D9000B71F10EEC04D2AE6C60E81 -- C:\Windows\winsxs\x86_microsoft-windows-security-netlogon_31bf3856ad364e35_6.1.7600.16385_none_fd8e0d66994d7dc8\netlogon.dll

< MD5 for: NVSTOR.SYS >
[2009/07/13 18:20:44 | 000,142,416 | ---- | M] (NVIDIA Corporation) MD5=C99F251A5DE63C6F129CF71933ACED0F -- C:\Windows\System32\drivers\nvstor.sys
[2009/07/13 18:20:44 | 000,142,416 | ---- | M] (NVIDIA Corporation) MD5=C99F251A5DE63C6F129CF71933ACED0F -- C:\Windows\System32\DriverStore\FileRepository\nvraid.inf_x86_neutral_5bde3fe2945bce9e\nvstor.sys
[2009/07/13 18:20:44 | 000,142,416 | ---- | M] (NVIDIA Corporation) MD5=C99F251A5DE63C6F129CF71933ACED0F -- C:\Windows\winsxs\x86_nvraid.inf_31bf3856ad364e35_6.1.7600.16385_none_39b1194b205239d8\nvstor.sys

< MD5 for: PROQUOTA.EXE >
[2009/07/13 18:14:29 | 000,028,160 | ---- | M] (Microsoft Corporation) MD5=8CDF71E78469BE54C29C1AD2FC8DE611 -- C:\Windows\System32\proquota.exe
[2009/07/13 18:14:29 | 000,028,160 | ---- | M] (Microsoft Corporation) MD5=8CDF71E78469BE54C29C1AD2FC8DE611 -- C:\Windows\winsxs\x86_microsoft-windows-proquota_31bf3856ad364e35_6.1.7600.16385_none_279d4dfaf3b8bd5a\proquota.exe

< MD5 for: SCECLI.DLL >
[2009/07/13 18:16:13 | 000,175,616 | ---- | M] (Microsoft Corporation) MD5=26073302DAEA83CC5B944C546D6B47D2 -- C:\Windows\System32\scecli.dll
[2009/07/13 18:16:13 | 000,175,616 | ---- | M] (Microsoft Corporation) MD5=26073302DAEA83CC5B944C546D6B47D2 -- C:\Windows\winsxs\x86_microsoft-windows-s..urationengineclient_31bf3856ad364e35_6.1.7600.16385_none_37e4387f3a6f0483\scecli.dll

========== Alternate Data Streams ==========

@Alternate Data Stream - 113 bytes -> C:\ProgramData\TEMP:A2947BEA

< End of report >

THANK YOU!

Edited by elise025, 07 May 2010 - 08:58 AM.
Since a log is posted, I am moving this to the appropriate forum ~ Elise



#2 aommaster

aommaster

    I !<3 malware


  • Malware Response Team
  • 5,294 posts
  • Gender:Male
  • Location:Dubai
  • Local time:05:30 PM

Posted 09 May 2010 - 09:12 PM

Hello, AndyMan315.
My name is aommaster and I will be helping you with your log.

I apologize for the delay in response; we get overwhelmed at times, but we are trying our best to keep up.
If you have since resolved the original problem you were having, I would appreciate you letting us know. If not please perform the following below so I can have a look at the current condition of your machine.

Thanks

Should you still require assistance, please take note of the points below:
  • Please track this topic by either adding it to your favourites or clicking the Options button at the top of this thread and then Track this topic.
  • Please disable word-wrap before posting logs. This can be done by clicking Format and un-ticking the word-wrap feature in notepad.
  • The logs that you post should be copied and pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • If you do not reply within 5 days, I will have to close your topic. Should you not be able to meet this, please notify me so that I will leave the topic open.
  • Please do not install, update, or run any programs for the duration of the fix.
  • If you do not understand the instructions I provide, please don't hesitate to ask. That's what I'm here for :)
  • Please continue to reply to this topic until I give you the all clean. Just because there are no symptoms of infection doesn't mean that the computer is clean.
  • If you are running Vista, please run all the fixes as an administrator. This is done by right-clicking the program and clicking "Run as Administrator".

Please do the following so I can take a look at the current state of your system.

We need to run RSIT
  1. Download random's system information tool (RSIT) by random/random and save it to your desktop.
  2. Double click on RSIT.exe.
  3. Click Continue at the disclaimer screen.
  4. Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized)

NEXT:
(This step may produce a blank log. Let me know if that is the case)
We need to run a GMER scan
  1. Download GMER and save to your desktop. Note that the file will be randomly named to prevent active malware from stopping the download.
  2. Close all other open programs as there is a slight chance your computer will crash.
  3. Double click the GMER program. Your security programs may detect GMER's driver trying to load. Allow it.
  4. You may see a warning saying "GMER has detected rootkit activity". If so, select NO.
  5. Make sure all options are checked except:
    • IAT/EAT
    • Drives/Partition other than Systemdrive, which is typically C:\
    • Show All (This is important, so do not miss it.)
    Note: If GMER crashes or hangs, please retry running a scan. Only this time, in addition to the options mentioned above, uncheck Devices as well.
  6. When the scan is complete, click Save and save the log onto your desktop.

In your next reply, please include the following:
  • Log.txt
  • info.txt
  • gmer.log

My website: http://aommaster.com
Please do not send me PM's requesting for help. The forums are there for a reason : )
If I am helping you and do not respond to your thread for 48 hours, please send me a PM


#3 AndyMan315

AndyMan315
  • Topic Starter

  • Members
  • 120 posts
  • Gender:Male
  • Location:Syracuse, NY
  • Local time:08:30 AM

Posted 11 May 2010 - 12:20 PM

All I can give you is the GMER with sections, because it always crashes even with all your suggested boxes unchecked... I can include a new OTL that's up-to-date as far as 5/11/10 (today). Thanks!

#4 aommaster

aommaster

    I !<3 malware


  • Malware Response Team
  • 5,294 posts
  • Gender:Male
  • Location:Dubai
  • Local time:05:30 PM

Posted 11 May 2010 - 01:36 PM

Hi!

Are you having trouble running RSIT too? If so, let me know and I can have you run a different scanner. And yes, please post up whatever part of the GMER log you can produce.

My website: http://aommaster.com
Please do not send me PM's requesting for help. The forums are there for a reason : )
If I am helping you and do not respond to your thread for 48 hours, please send me a PM


#5 AndyMan315

AndyMan315
  • Topic Starter

  • Members
  • 120 posts
  • Gender:Male
  • Location:Syracuse, NY
  • Local time:08:30 AM

Posted 11 May 2010 - 02:32 PM

Yes, RSIT ended like 10 seconds into its startup and produced an error message...

Here is today's GMER "sections" report.

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-05-11 12:31:44
Windows 6.1.7600
Running: xj5lgcoj.exe; Driver: C:\Users\Andrew\AppData\Local\Temp\uxldapoc.sys


---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwSaveKeyEx + 13AD 82A8A579 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 82AAEF52 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
.text ntkrnlpa.exe!RtlSidHashLookup + 224 82AB6724 8 Bytes [48, 40, 13, 87, 10, 93, 11, ...] {DEC EAX; INC EAX; ADC EAX, [EDI-0x78ee6cf0]}
.text ntkrnlpa.exe!RtlSidHashLookup + 23C 82AB673C 4 Bytes [68, 0E, 30, 86]
.text ntkrnlpa.exe!RtlSidHashLookup + 248 82AB6748 4 Bytes [B8, 91, 24, 86]
.text ntkrnlpa.exe!RtlSidHashLookup + 29C 82AB679C 4 Bytes [58, 4D, 1E, 87]
.text ntkrnlpa.exe!RtlSidHashLookup + 318 82AB6818 4 Bytes [A8, 01, 30, 86]
.text ...
.text peauth.sys A1352C9D 28 Bytes [84, D5, 6B, C8, D0, B5, CF, ...]
.text peauth.sys A1352CC1 28 Bytes [84, D5, 6B, C8, D0, B5, CF, ...]
PAGE peauth.sys A1358E20 101 Bytes [89, D4, D7, 58, 10, C7, A7, ...]
PAGE peauth.sys A135902C 102 Bytes [10, 89, 5D, E3, C7, D4, 54, ...]
PAGE spsys.sys!?SPRevision@@3PADA + 4F90 A5AF4000 290 Bytes [8B, FF, 55, 8B, EC, 33, C0, ...]
PAGE spsys.sys!?SPRevision@@3PADA + 50B3 A5AF4123 629 Bytes [F5, AE, A5, FE, 05, 34, F5, ...]
PAGE spsys.sys!?SPRevision@@3PADA + 5329 A5AF4399 101 Bytes [6A, 28, 59, A5, 5E, C6, 03, ...]
PAGE spsys.sys!?SPRevision@@3PADA + 538F A5AF43FF 148 Bytes [18, 5D, C2, 14, 00, 8B, FF, ...]
PAGE spsys.sys!?SPRevision@@3PADA + 543B A5AF44AB 2228 Bytes [8B, FF, 55, 8B, EC, FF, 75, ...]
PAGE ...
? C:\Users\Andrew\AppData\Local\Temp\ALSysIO.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\ESET\ESET Smart Security\ekrn.exe[1856] kernel32.dll!SetUnhandledExceptionFilter 75CA3142 4 Bytes [C2, 04, 00, 00]
.text C:\Program Files\Mozilla Firefox\firefox.exe[2884] ntdll.dll!NtQueryInformationProcess 77315490 5 Bytes JMP 00760DED
.text C:\Program Files\Mozilla Firefox\firefox.exe[2884] ntdll.dll!LdrLoadDll 7732F585 5 Bytes JMP 01E5003A
.text C:\Program Files\Mozilla Firefox\firefox.exe[2884] WS2_32.dll!closesocket 75DF3BED 5 Bytes JMP 0074C549
.text C:\Program Files\Mozilla Firefox\firefox.exe[2884] WS2_32.dll!recv 75DF47DF 5 Bytes JMP 0074C300
.text C:\Program Files\Mozilla Firefox\firefox.exe[2884] WS2_32.dll!GetAddrInfoW 75DF60F5 5 Bytes JMP 0074B90E
.text C:\Program Files\Mozilla Firefox\firefox.exe[2884] WS2_32.dll!getaddrinfo 75DF6737 5 Bytes JMP 0074B833
.text C:\Program Files\Mozilla Firefox\firefox.exe[2884] WS2_32.dll!WSASend 75DF68A7 5 Bytes JMP 0074C3A7
.text C:\Program Files\Mozilla Firefox\firefox.exe[2884] WS2_32.dll!WSARecv 75DFC29F 5 Bytes JMP 0074C465
.text C:\Program Files\Mozilla Firefox\firefox.exe[2884] WS2_32.dll!send 75DFC4C8 5 Bytes JMP 0074C25D
.text C:\Program Files\Mozilla Firefox\firefox.exe[2884] WS2_32.dll!WSAAsyncGetHostByName 75E06D2A 5 Bytes JMP 0074BBA6
.text C:\Program Files\Mozilla Firefox\firefox.exe[2884] WS2_32.dll!gethostbyname 75E07133 5 Bytes JMP 0074B779
.text C:\Program Files\Mozilla Firefox\firefox.exe[2884] USER32.dll!DrawTextExW 77447BDD 5 Bytes JMP 0074CB0A
.text C:\Program Files\Mozilla Firefox\firefox.exe[2884] USER32.dll!DrawTextW 77448220 5 Bytes JMP 0074C94C
.text C:\Program Files\Mozilla Firefox\firefox.exe[2884] USER32.dll!SetClipboardData 77454979 5 Bytes JMP 0074C5D4
.text C:\Program Files\Mozilla Firefox\firefox.exe[2884] USER32.dll!DrawTextA 7745A482 5 Bytes JMP 0074C873
.text C:\Program Files\Mozilla Firefox\firefox.exe[2884] USER32.dll!DrawTextExA 7745A4B9 5 Bytes JMP 0074CA25
.text C:\Program Files\Mozilla Firefox\firefox.exe[2884] USER32.dll!DialogBoxParamW 7746564A 5 Bytes JMP 0074BC7E
.text C:\Program Files\Mozilla Firefox\firefox.exe[2884] GDI32.dll!ExtTextOutW 76388053 5 Bytes JMP 0074CCD1
.text C:\Program Files\Mozilla Firefox\firefox.exe[2884] GDI32.dll!GetGlyphIndicesW 7638B521 5 Bytes JMP 0074D143
.text C:\Program Files\Mozilla Firefox\firefox.exe[2884] GDI32.dll!ExtTextOutA 76390158 5 Bytes JMP 0074CBEF
.text C:\Program Files\Mozilla Firefox\firefox.exe[2884] GDI32.dll!TextOutA 76390878 5 Bytes JMP 0074C6DF
.text C:\Program Files\Mozilla Firefox\firefox.exe[2884] GDI32.dll!TextOutW 763A14B9 5 Bytes JMP 0074C7A9
.text C:\Program Files\Mozilla Firefox\firefox.exe[2884] GDI32.dll!GetGlyphIndicesA 763ABC42 5 Bytes JMP 0074D07C

---- EOF - GMER 1.0.15 ----
Thanks!

#6 aommaster

aommaster

    I !<3 malware


  • Malware Response Team
  • 5,294 posts
  • Gender:Male
  • Location:Dubai
  • Local time:05:30 PM

Posted 11 May 2010 - 03:24 PM

Hello, AndyMan315.
You're welcome :)

Okay, let's use a different scanner then:
We need to run a DDS scan
  1. Please download DDS by sUBs from one of the following links. Save it to your desktop.
    Download 1
    Download 2
  2. Double click on the DDS icon, allow it to run
  3. A small box will open, with an explanation about the tool. No input is needed, the scan is running
  4. Notepad will open with the results, click no to the Optional Scan
  5. Follow the instructions that pop up for posting the results
  6. Close the program window
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet. You can find information on A/V control HERE

In your next reply, please include the following:
  • DDS Log

My website: http://aommaster.com
Please do not send me PM's requesting for help. The forums are there for a reason : )
If I am helping you and do not respond to your thread for 48 hours, please send me a PM


#7 AndyMan315

AndyMan315
  • Topic Starter

  • Members
  • 120 posts
  • Gender:Male
  • Location:Syracuse, NY
  • Local time:08:30 AM

Posted 11 May 2010 - 06:36 PM

Here is my DDS log and the attachment that came out of it. I don't know if you need that, but what's the harm :-).


DDS (Ver_10-03-17.01) - NTFSx86
Run by Andrew at 20:33:18.33 on Tue 05/11/2010
Internet Explorer: 8.0.7600.16385 BrowserJavaVersion: 1.6.0_15
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.1.1033.18.3261.2224 [GMT -7:00]

SP: Spybot - Search and Destroy *disabled* (Updated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\taskeng.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\rundll32.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\Program Files\Gizmo\gservice.exe
C:\Program Files\Intel\Intel® Management Engine Components\LMS\LMS.exe
C:\Program Files\Norton 360\Engine\4.1.0.32\ccSvcHst.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\sppsvc.exe
C:\Program Files\Norton 360\Engine\4.1.0.32\ccSvcHst.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Steam\Steam.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Users\Andrew\Documents\CoreTemp32\Core Temp.exe
C:\Program Files\Gizmo\gizmo.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\iPod\bin\iPodService.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Intel\Intel® Management Engine Components\IMSS\PrivacyIconClient.exe
C:\Program Files\Intel\Intel® Management Engine Components\UNS\UNS.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\system32\taskhost.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\System32\mobsync.exe
C:\Users\Andrew\Downloads\dds.scr
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
mWinlogon: Userinit=c:\windows\system32\Userinit.exe
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 5.0\reader\activex\AcroIEHelper.ocx
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton 360\engine\4.1.0.32\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton 360\engine\4.1.0.32\IPSBHO.DLL
BHO: FrostWire Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton 360\engine\4.1.0.32\coIEPlg.dll
TB: FrostWire Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
uRun: [Steam] "c:\program files\steam\steam.exe" -silent
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [Core Temp] "c:\users\andrew\documents\coretemp32\Core Temp.exe"
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [GizmoDriveDelegate] RUNDLL32.EXE c:\progra~1\gizmo\GDRIVE.DLL,Remount_Startup_Images
mRun: [RtHDVCpl] c:\program files\realtek\audio\hda\RtHDVCpl.exe -s
mRun: [IMSS] "c:\program files\intel\intel® management engine components\imss\PIconStartup.exe"
mRun: [egui] "c:\program files\eset\eset smart security\egui.exe" /hide /waitservice
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
StartupFolder: c:\users\andrew\appdata\roaming\micros~1\windows\startm~1\programs\startup\limewi~1.lnk - e:\computadora\limewire\LimeWire.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\gizmo.lnk - c:\program files\gizmo\gizmo.exe
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\users\andrew\appdata\roaming\mozilla\firefox\profiles\kp89i73u.default\
FF - component: c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.0.0.127\coffplgn\components\coFFPlgn.dll
FF - component: c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.0.0.127\ipsffplgn\components\IPSFFPl.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npPandoWebInst.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npwachk.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\n360\0401000.020\symds.sys [2010-4-6 328752]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\n360\0401000.020\symefa.sys [2010-4-6 172592]
R1 BHDrvx86;BHDrvx86;c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.0.0.127\definitions\bashdefs\20100429.001\BHDrvx86.sys [2010-4-29 537136]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\n360\0401000.020\cchpx86.sys [2010-4-6 501888]
R1 GizmoDrv;Gizmo Device Driver;c:\windows\system32\drivers\gizmodrv.sys [2010-3-1 23624]
R1 IDSVix86;IDSVix86;c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_4.0.0.127\definitions\ipsdefs\20100505.001\IDSvix86.sys [2010-5-7 343088]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\n360\0401000.020\ironx86.sys [2010-4-6 116784]
R1 SYMTDIv;Symantec Vista Network Dispatch Driver;c:\windows\system32\drivers\n360\0401000.020\symtdiv.sys [2010-4-6 340016]
R2 ekrn;ESET Service;c:\program files\eset\eset smart security\ekrn.exe [2009-9-11 735960]
R2 epfwwfp;epfwwfp;c:\windows\system32\drivers\epfwwfp.sys [2009-9-11 38240]
R2 Gizmo Central;Gizmo Central;c:\program files\gizmo\gservice.exe [2010-3-1 31856]
R2 N360;Norton 360;c:\program files\norton 360\engine\4.1.0.32\ccsvchst.exe [2010-4-6 126392]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2010-5-2 1153368]
R2 UNS;Intel® Management & Security Application User Notification Service;c:\program files\intel\intel® management engine components\uns\UNS.exe [2010-2-27 2320920]
R3 e1kexpress;Intel® PRO/1000 PCI Express Network Connection Driver K;c:\windows\system32\drivers\e1k6232.sys [2010-2-27 208552]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-4-16 102448]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]

=============== Created Last 30 ================

2010-05-12 00:03:44 0 d-----w- C:\HammerAutosave
2010-05-11 17:21:34 157712 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2010-05-10 15:10:21 0 d-----w- c:\program files\trend micro
2010-05-06 00:34:24 50990 ----a-w- c:\windows\system32\azobzhbqokxqwog.exe
2010-05-06 00:34:06 0 d-----w- c:\users\andrew\appdata\roaming\D99A6CB45B8D3ED8D825C21560972B44
2010-05-03 21:24:17 320746413 ----a-w- c:\windows\MEMORY.DMP
2010-05-02 23:39:13 0 d-----w- c:\program files\CCleaner
2010-05-02 16:50:31 0 d-----w- c:\users\andrew\appdata\roaming\Malwarebytes
2010-05-02 16:50:23 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-05-02 16:50:22 0 d-----w- c:\programdata\Malwarebytes
2010-05-02 16:50:21 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-05-02 16:50:21 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-02 16:41:32 1184 ---ha-w- c:\windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2010-05-02 16:41:32 1184 ---ha-w- c:\windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2010-05-02 15:13:04 0 d-----w- c:\programdata\Spybot - Search & Destroy
2010-05-02 15:13:04 0 d-----w- c:\program files\Spybot - Search & Destroy
2010-04-30 15:06:49 84992 --sha-r- c:\windows\system32\spwmpp.dll
2010-04-30 02:49:15 0 d-sh--w- c:\programdata\SecuROM
2010-04-30 02:48:12 69448 ----a-w- c:\windows\system32\XAPOFX1_3.dll
2010-04-30 02:48:12 517448 ----a-w- c:\windows\system32\XAudio2_4.dll
2010-04-30 02:48:12 4178264 ----a-w- c:\windows\system32\D3DX9_41.dll
2010-04-30 02:48:12 235352 ----a-w- c:\windows\system32\xactengine3_4.dll
2010-04-30 02:48:11 22360 ----a-w- c:\windows\system32\X3DAudio1_6.dll
2010-04-30 00:54:22 453456 ----a-w- c:\windows\system32\d3dx10_42.dll

==================== Find3M ====================

2010-05-06 00:36:01 0 ----a-w- c:\windows\system32\drivers\wmiacpi.sys
2010-05-06 00:34:59 0 ----a-w- c:\windows\system32\drivers\bthmodem.sys
2010-05-06 00:34:58 0 ----a-w- c:\windows\system32\drivers\brusbmdm.sys
2010-05-06 00:34:56 0 ----a-w- c:\windows\system32\drivers\brserid.sys
2010-05-06 00:34:52 0 ----a-w- c:\windows\system32\drivers\arcsas.sys
2010-05-06 00:34:51 0 ----a-w- c:\windows\system32\drivers\arc.sys
2010-05-06 00:34:51 0 ----a-w- c:\windows\system32\drivers\amdsbs.sys
2010-05-06 00:34:48 0 ----a-w- c:\windows\system32\drivers\amdk8.sys
2010-05-06 00:34:47 0 ----a-w- c:\windows\system32\drivers\amdagp.sys
2010-05-06 00:34:44 0 ----a-w- c:\windows\system32\drivers\agp440.sys
2010-05-06 00:34:43 0 ----a-w- c:\windows\system32\drivers\adpu320.sys
2010-05-06 00:34:42 0 ----a-w- c:\windows\system32\drivers\adpahci.sys
2010-05-06 00:34:42 0 ----a-w- c:\windows\system32\drivers\adp94xx.sys
2010-05-06 00:34:41 0 ----a-w- c:\windows\system32\drivers\acpipmi.sys
2010-04-04 01:27:00 985704 ----a-w- c:\windows\system32\nvsvc.dll
2010-04-04 01:27:00 13683816 ----a-w- c:\windows\system32\nvcpl.dll
2010-04-04 01:27:00 129640 ----a-w- c:\windows\system32\nvvsvc.exe
2010-04-04 01:27:00 110696 ----a-w- c:\windows\system32\nvmctray.dll
2010-03-18 02:47:18 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_09_00.Wdf
2010-03-14 17:38:36 107888 ----a-w- c:\windows\system32\CmdLineExt.dll
2010-03-14 00:10:05 805 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2010-03-14 00:10:05 7443 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2010-03-14 00:10:05 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2010-03-01 18:27:00 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-03-01 18:26:14 107368 ----a-r- c:\windows\system32\GEARAspi.dll
2010-02-24 17:16:06 181632 ------w- c:\windows\system32\MpSigStub.exe
2010-02-12 18:46:14 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-02-12 18:46:14 107808 ----a-w- c:\windows\system32\dns-sd.exe
2009-07-14 04:56:42 31548 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2009-07-14 04:56:42 31548 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2009-07-14 04:56:42 291294 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2009-07-14 04:56:42 291294 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2009-07-14 04:41:57 174 --sha-w- c:\program files\desktop.ini
2009-07-14 00:34:40 291294 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2009-07-14 00:34:40 291294 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2009-07-14 00:34:38 31548 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2009-07-14 00:34:38 31548 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2009-06-10 21:26:35 9633792 --sha-r- c:\windows\fonts\StaticCache.dat
2009-07-14 01:14:45 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe

============= FINISH: 20:33:48.70 ===============

Attached Files


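As an added example (not part of this thread and not code from DDS or its author), the small Python triage below reads lines copied from the DDS log above and flags the three things a helper would look at first: zero-byte driver files under system32\drivers, a long random-looking executable name in system32, and the mPolicies-system values that turn the UAC elevation prompt off. The "random name" rule is a heuristic assumed for this example, not a DDS rule.

```python
import re

# Lines for this example, copied from the DDS log posted above (Pseudo HJT,
# "Created Last 30" and "Find3M" sections); nothing here was generated by DDS
# for the example itself.
SAMPLE_LOG = """\
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
2010-05-06 00:34:24 50990 ----a-w- c:\\windows\\system32\\azobzhbqokxqwog.exe
2010-05-02 16:50:23 38224 ----a-w- c:\\windows\\system32\\drivers\\mbamswissarmy.sys
2010-05-06 00:36:01 0 ----a-w- c:\\windows\\system32\\drivers\\wmiacpi.sys
2010-05-06 00:34:44 0 ----a-w- c:\\windows\\system32\\drivers\\agp440.sys
2010-04-04 01:27:00 129640 ----a-w- c:\\windows\\system32\\nvvsvc.exe
2010-05-02 23:39:13 0 d-----w- c:\\program files\\CCleaner
"""

# DDS file-listing entry: "date time size attributes path"
FILE_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} (\d+) (\S{8}) (.+)$")
# DDS policy entry: "mPolicies-system: Name = decimal (hex)"
POLICY_RE = re.compile(r"^mPolicies-system: (\w+) = (\d+)")

# UAC values that, when set to 0, remove the elevation prompt entirely.
UAC_PROMPT_OFF = {"EnableLUA", "ConsentPromptBehaviorAdmin", "PromptOnSecureDesktop"}


def longest_consonant_run(stem: str) -> int:
    """Length of the longest run of consecutive consonant letters in a file stem."""
    best = run = 0
    for ch in stem.lower():
        if ch.isalpha() and ch not in "aeiou":
            run += 1
            best = max(best, run)
        else:
            run = 0
    return best


def looks_random(basename: str) -> bool:
    """Heuristic assumed for this example: a long, all-letter .exe stem containing a
    four-or-more consonant cluster is unusual for a genuine system32 executable."""
    stem, _, ext = basename.rpartition(".")
    return (ext.lower() == "exe" and len(stem) >= 12 and stem.isalpha()
            and longest_consonant_run(stem) >= 4)


def triage(log_text: str) -> list[tuple[str, str]]:
    """Return (finding, detail) pairs for log entries that deserve a helper's attention."""
    findings = []
    for line in log_text.splitlines():
        m = POLICY_RE.match(line)
        if m:
            name, value = m.groups()
            if name in UAC_PROMPT_OFF and value == "0":
                findings.append(("uac-prompt-disabled", f"{name} = 0"))
            continue
        m = FILE_RE.match(line)
        if not m:
            continue
        size, attrs, path = m.groups()
        if attrs.startswith("d"):  # directory entry: size is always 0, not a finding
            continue
        folder, _, basename = path.rpartition("\\")
        folder = folder.lower()
        if (size == "0" and folder.endswith("\\system32\\drivers")
                and basename.lower().endswith(".sys")):
            # A real driver binary is never zero bytes. In this thread ComboFix later
            # deleted two such files and restored an infected AGP440.sys.
            findings.append(("zero-byte-driver", path))
        elif folder.endswith("\\system32") and looks_random(basename):
            findings.append(("random-name-exe", path))
    return findings


if __name__ == "__main__":
    for finding, detail in triage(SAMPLE_LOG):
        print(f"{finding:22} {detail}")
```

Expect six findings on the sample: three UAC values at 0, the azobzhbqokxqwog.exe entry, and the two zero-byte drivers; nvvsvc.exe and the signed-looking mbamswissarmy.sys are not flagged.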

#8 aommaster

aommaster

    I !<3 malware


  • Malware Response Team
  • 5,294 posts
  • Gender:Male
  • Location:Dubai

Posted 11 May 2010 - 08:35 PM

Hello, AndyMan315.
P2P Program Warning!

uTorrent, Limewire

P2P programs form a direct conduit onto your computer, their security measures are easily circumvented, and malware writers are increasingly exploiting them to spread their wares onto your computer. Further to that, if your P2P programme is not configured correctly you may be sharing more files than you realise. There have been cases where people's Passwords, Address Books and other personal, private, and financial details have been exposed to the file sharing network by a badly configured programme.

This article from InfoWorld illustrates perfectly the dangers of a poorly configured P2P program.
Here

Many of the programs come bundled with other unwanted programs, but even the ones free of any bundled software are not safe to use.
When you use them you are downloading software from an unknown source directly onto your computer, bypassing your Firewall and Anti-Virus software. Hardly surprising then that many of these Downloads are being targeted to carry infections.

Note: It is pretty much certain that if you continue to use P2P programs, then you will get infected again.
I would recommend that you uninstall the programs listed above, however that choice is up to you. If you choose to remove these programs, you can do so via Control Panel >> Add or Remove Programs.

If you wish to keep them, please do not use them until your computer is cleaned.




We need to disable TeaTimer
TeaTimer works by preventing ANY changes to the system. It will attempt to undo any fixes we run, because it blocks these fixes from running.

In order to safeguard your system from problems that can be brought on by a half-finished fix, we need to disable TeaTimer. We can re-enable it when we're done if you like.
  1. Open SpyBot Search and Destroy by going to Start -> All Programs -> Spybot Search and Destroy -> Spybot Search and Destroy.
  2. If prompted with a legal dialog, accept the warning.
  3. Click Mode and then on "Advanced Mode"
  4. You may be presented with a warning dialog. If so, press yes
  5. Click on Tools
  6. Click on Resident
  7. Uncheck the following checkboxes:
    • Resident "SDHelper" (Internet Explorer bad download blocker) active.
    • Resident "TeaTimer" (Protection for over-all system settings) active.
  8. Close/Exit Spybot Search and Destroy


NEXT:

We need to download and run ComboFix (by sUBs)
  1. Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan.
    They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results". For more details, please check this thread
  2. Please download ComboFix from one of these locations:
    Link 1
    Link 2
    ** IMPORTANT !!! Save ComboFix.exe to your Desktop
  3. Double click on ComboFix.exe & follow the prompts.
  4. As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  5. Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
  6. Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
    The Recovery Console was successfully installed. Click 'Yes' to continue scanning for malware. Click 'No' to exit
  7. Click on Yes, to continue scanning for malware.
  8. When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply along with a new HijackThis log (under Trend Micro in your Program Files folder).
**A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own.
**This tool is not a toy and not for everyday use.
**ComboFix SHOULD NOT be used unless requested by a forum helper


In your next reply, please include the following:
  • ComboFix.txt



#9 AndyMan315

AndyMan315
  • Topic Starter

  • Members
  • 120 posts
  • Gender:Male
  • Location:Syracuse, NY

Posted 12 May 2010 - 06:16 AM

Here is my ComboFix log... Hopefully this is of help :-).


ComboFix 10-05-11.05 - Andrew 05/12/2010 8:05.1.4 - x86
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.1.1033.18.3261.1869 [GMT -7:00]
Running from: c:\users\Andrew\Downloads\ComboFix.exe
SP: Spybot - Search and Destroy *disabled* (Updated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\azobzhbqokxqwog.exe
c:\windows\system32\DRIVERS\sffdisk.sys
c:\windows\system32\DRIVERS\wmiacpi.sys

Infected copy of c:\windows\system32\drivers\AGP440.sys was found and disinfected
Restored copy from - c:\windows\System32\DriverStore\FileRepository\machine.inf_x86_neutral_65848c2d7375a720\AGP440.sys

.
((((((((((((((((((((((((( Files Created from 2010-04-12 to 2010-05-12 )))))))))))))))))))))))))))))))
.

2010-05-12 15:09 . 2010-05-12 15:09 -------- d-----w- c:\users\Laken\AppData\Local\temp
2010-05-12 15:09 . 2010-05-12 15:09 -------- d-----w- c:\users\Guest\AppData\Local\temp
2010-05-12 15:09 . 2010-05-12 15:09 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-05-12 00:03 . 2010-05-12 02:20 -------- d-----w- C:\HammerAutosave
2010-05-11 17:21 . 2009-05-07 07:04 157712 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2010-05-10 15:10 . 2010-05-11 01:36 -------- d-----w- c:\program files\trend micro
2010-05-10 15:10 . 2010-05-10 15:10 -------- d-----w- C:\rsit
2010-05-06 00:34 . 2010-05-06 00:35 -------- d-----w- c:\users\Andrew\AppData\Roaming\D99A6CB45B8D3ED8D825C21560972B44
2010-05-02 23:39 . 2010-05-02 23:39 -------- d-----w- c:\program files\CCleaner
2010-05-02 16:50 . 2010-05-02 16:50 -------- d-----w- c:\users\Andrew\AppData\Roaming\Malwarebytes
2010-05-02 16:50 . 2010-04-29 22:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-05-02 16:50 . 2010-05-02 16:50 -------- d-----w- c:\programdata\Malwarebytes
2010-05-02 16:50 . 2010-05-02 16:50 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-02 16:50 . 2010-04-29 22:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-05-02 15:13 . 2010-05-06 02:09 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2010-05-02 15:13 . 2010-05-02 15:15 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-04-30 15:06 . 2010-04-30 15:06 84992 --sha-r- c:\windows\system32\spwmpp.dll
2010-04-30 02:49 . 2010-04-30 02:49 -------- d-sh--w- c:\programdata\SecuROM
2010-04-30 02:48 . 2009-03-16 21:18 69448 ----a-w- c:\windows\system32\XAPOFX1_3.dll
2010-04-30 02:48 . 2009-03-16 21:18 517448 ----a-w- c:\windows\system32\XAudio2_4.dll
2010-04-30 02:48 . 2009-03-16 21:18 235352 ----a-w- c:\windows\system32\xactengine3_4.dll
2010-04-30 02:48 . 2009-03-09 22:27 4178264 ----a-w- c:\windows\system32\D3DX9_41.dll
2010-04-30 02:48 . 2009-03-16 21:18 22360 ----a-w- c:\windows\system32\X3DAudio1_6.dll
2010-04-30 00:54 . 2009-09-05 00:29 453456 ----a-w- c:\windows\system32\d3dx10_42.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-12 15:10 . 2010-03-16 05:15 -------- d-----w- c:\users\Andrew\AppData\Roaming\LimeWire
2010-05-12 15:10 . 2010-02-27 07:48 -------- d-----w- c:\program files\Steam
2010-05-11 17:04 . 2010-02-27 07:15 -------- d-----w- c:\program files\Common Files\Adobe
2010-05-09 16:57 . 2010-03-01 21:23 -------- d-----w- c:\programdata\NVIDIA
2010-05-09 16:56 . 2010-03-01 21:22 -------- d-----w- c:\program files\NVIDIA Corporation
2010-05-08 22:17 . 2009-07-14 04:52 -------- d-----w- c:\program files\Microsoft Games
2010-05-06 02:31 . 2010-03-02 04:33 -------- d-----w- c:\users\Andrew\AppData\Roaming\uTorrent
2010-05-06 00:34 . 2009-07-13 23:51 0 ----a-w- c:\windows\system32\drivers\bthmodem.sys
2010-05-06 00:34 . 2009-07-14 00:58 0 ----a-w- c:\windows\system32\drivers\brusbmdm.sys
2010-05-06 00:34 . 2009-07-14 00:57 0 ----a-w- c:\windows\system32\drivers\brserid.sys
2010-05-06 00:34 . 2009-07-13 22:09 0 ----a-w- c:\windows\system32\drivers\arcsas.sys
2010-05-06 00:34 . 2009-07-13 22:09 0 ----a-w- c:\windows\system32\drivers\arc.sys
2010-05-06 00:34 . 2009-06-10 21:20 0 ----a-w- c:\windows\system32\drivers\amdsbs.sys
2010-05-06 00:34 . 2009-07-13 23:11 0 ----a-w- c:\windows\system32\drivers\amdk8.sys
2010-05-06 00:34 . 2009-07-13 23:25 0 ----a-w- c:\windows\system32\drivers\amdagp.sys
2010-05-06 00:34 . 2009-07-13 22:09 0 ----a-w- c:\windows\system32\drivers\adpu320.sys
2010-05-06 00:34 . 2009-07-13 22:09 0 ----a-w- c:\windows\system32\drivers\adpahci.sys
2010-05-06 00:34 . 2009-06-10 21:19 0 ----a-w- c:\windows\system32\drivers\adp94xx.sys
2010-05-06 00:34 . 2009-07-13 23:16 0 ----a-w- c:\windows\system32\drivers\acpipmi.sys
2010-04-30 02:48 . 2010-03-14 17:20 -------- d-----w- c:\program files\Rockstar Games
2010-04-30 02:48 . 2010-02-27 07:09 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-04-30 00:54 . 2010-03-14 17:37 -------- d-----w- c:\program files\Microsoft Games for Windows - LIVE
2010-04-26 23:54 . 2010-03-02 04:33 -------- d-----w- c:\program files\uTorrent
2010-04-26 23:36 . 2010-03-16 05:22 -------- d-----w- c:\users\Guest\AppData\Roaming\Gizmo
2010-04-07 01:50 . 2010-04-07 01:50 -------- d-----w- c:\program files\iTunes
2010-04-07 01:50 . 2010-04-07 01:50 -------- d-----w- c:\program files\iPod
2010-04-07 01:50 . 2010-02-28 20:58 -------- d-----w- c:\program files\Common Files\Apple
2010-04-07 01:48 . 2010-04-07 01:48 -------- d-----w- c:\program files\QuickTime
2010-04-07 01:48 . 2010-02-28 20:59 -------- d-----w- c:\programdata\Apple Computer
2010-04-07 01:46 . 2010-04-07 01:46 -------- d-----w- c:\program files\Bonjour
2010-04-07 01:44 . 2010-04-07 01:44 73000 ----a-w- c:\programdata\Apple Computer\Installer Cache\iTunes 9.1.0.79\SetupAdmin.exe
2010-04-06 14:49 . 2010-03-01 18:27 -------- d-----w- c:\users\Andrew\AppData\Roaming\FrostWire
2010-04-04 01:27 . 2010-04-04 01:27 985704 ----a-w- c:\windows\system32\nvsvc.dll
2010-04-04 01:27 . 2010-04-04 01:27 13683816 ----a-w- c:\windows\system32\nvcpl.dll
2010-04-04 01:27 . 2010-04-04 01:27 129640 ----a-w- c:\windows\system32\nvvsvc.exe
2010-04-04 01:27 . 2010-04-04 01:27 110696 ----a-w- c:\windows\system32\nvmctray.dll
2010-03-31 03:13 . 2010-03-16 05:23 63864 ----a-w- c:\users\Guest\AppData\Local\GDIPFONTCACHEV1.DAT
2010-03-31 03:05 . 2010-03-19 19:54 63864 ----a-w- c:\users\Laken\AppData\Local\GDIPFONTCACHEV1.DAT
2010-03-28 01:40 . 2010-03-28 01:39 -------- d-----w- c:\program files\Duke Nukem 3D
2010-03-26 19:47 . 2010-02-27 07:13 63864 ----a-w- c:\users\Andrew\AppData\Local\GDIPFONTCACHEV1.DAT
2010-03-26 19:39 . 2010-03-25 01:04 -------- d-----w- c:\program files\Calendarscope
2010-03-26 19:36 . 2010-03-26 19:36 -------- d-----w- c:\program files\Microsoft ActiveSync
2010-03-26 19:36 . 2010-03-26 19:36 -------- d-----w- c:\program files\Microsoft.NET
2010-03-25 01:04 . 2010-03-25 01:04 -------- d-----w- c:\users\Andrew\AppData\Roaming\Duality Software
2010-03-22 18:28 . 2010-03-19 19:57 -------- d-----w- c:\users\Laken\AppData\Roaming\Apple Computer
2010-03-20 04:48 . 2010-02-27 07:48 -------- d-----w- c:\program files\Common Files\Steam
2010-03-20 04:43 . 2010-03-20 04:43 -------- d-----w- c:\users\Andrew\AppData\Roaming\Tific
2010-03-19 19:55 . 2010-03-19 19:53 -------- d-----w- c:\users\Laken\AppData\Roaming\Gizmo
2010-03-18 02:47 . 2010-03-18 02:47 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_09_00.Wdf
2010-03-17 14:35 . 2010-03-16 05:24 -------- d-----w- c:\users\Guest\AppData\Roaming\Apple Computer
2010-03-16 14:20 . 2010-03-16 14:20 10134 ----a-r- c:\users\Andrew\AppData\Roaming\Microsoft\Installer\{E3E71D07-CD27-46CB-8448-16D4FB29AA13}\ARPPRODUCTICON.exe
2010-03-16 14:20 . 2010-03-16 14:20 -------- d-----w- c:\program files\Microsoft WSE
2010-03-16 14:15 . 2010-03-16 14:15 -------- d-----w- c:\program files\Electronic Arts
2010-03-14 17:44 . 2010-03-14 17:44 -------- d--h--r- c:\users\Andrew\AppData\Roaming\SecuROM
2010-03-14 17:38 . 2010-03-14 17:38 107888 ----a-w- c:\windows\system32\CmdLineExt.dll
2010-03-14 01:18 . 2010-03-14 01:15 -------- d-----w- c:\users\Andrew\AppData\Roaming\Winamp
2010-03-14 01:16 . 2010-03-14 01:15 -------- d-----w- c:\program files\Winamp
2010-03-14 01:16 . 2010-03-14 01:16 -------- d-----w- c:\program files\Winamp Detect
2010-03-14 00:19 . 2010-03-14 00:19 -------- d-----w- c:\users\Andrew\AppData\Roaming\HP
2010-03-14 00:12 . 2010-03-01 18:25 -------- d-----w- c:\programdata\Norton
2010-03-14 00:10 . 2010-03-01 18:26 805 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2010-03-14 00:10 . 2010-03-01 18:26 7443 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2010-03-14 00:10 . 2010-03-01 18:26 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2010-03-14 00:10 . 2010-03-01 18:26 -------- d-----w- c:\program files\Symantec
2010-03-13 21:37 . 2010-03-13 21:37 -------- d-----w- c:\users\Andrew\AppData\Roaming\DivX
2010-03-02 06:16 . 2010-03-02 06:16 23624 ----a-w- c:\windows\system32\drivers\gizmodrv.sys
2010-03-02 05:33 . 2010-03-02 05:33 0 ----a-w- c:\users\Andrew\AppData\Roaming\FrostWire\.NetworkShare\Incomplete\T-4506256-LimeWireWin4.16.6.exe
2010-03-01 18:27 . 2010-03-01 18:27 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-03-01 18:26 . 2010-03-01 18:26 26600 ----a-r- c:\windows\system32\drivers\GEARAspiWDM.sys
2010-03-01 18:26 . 2010-03-01 18:26 107368 ----a-r- c:\windows\system32\GEARAspi.dll
2010-03-01 18:25 . 2010-03-01 18:24 82952808 ----a-w- c:\programdata\Symantec Temporary Files\N360S300EN.exe
2010-02-24 17:16 . 2010-02-27 08:17 181632 ------w- c:\windows\system32\MpSigStub.exe
2010-02-12 18:46 . 2010-02-12 18:46 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-02-12 18:46 . 2010-02-12 18:46 107808 ----a-w- c:\windows\system32\dns-sd.exe
2009-06-10 21:26 . 2009-07-14 02:04 9633792 --sha-r- c:\windows\Fonts\StaticCache.dat
2009-07-14 01:14 . 2009-07-13 23:42 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
2009-11-19 02:40 1196936 ----a-w- c:\program files\Ask.com\GenericAskToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2009-11-19 1196936]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2009-11-19 1196936]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Steam"="c:\program files\steam\steam.exe" [2010-05-07 1238352]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-07-14 1173504]
"Core Temp"="c:\users\Andrew\Documents\CoreTemp32\Core Temp.exe" [2009-08-05 378384]
"GizmoDriveDelegate"="c:\progra~1\GIZMO\GDRIVE.DLL" [2010-03-02 390752]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe" [2009-09-16 7739936]
"IMSS"="c:\program files\Intel\Intel® Management Engine Components\IMSS\PIconStartup.exe" [2009-10-01 111640]
"egui"="c:\program files\ESET\ESET Smart Security\egui.exe" [2009-09-11 2054360]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2010-03-01 149280]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-18 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-03-26 142120]

c:\users\Andrew\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
LimeWire On Startup.lnk - e:\computadora\LimeWire\LimeWire.exe [2010-3-10 503808]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Gizmo.lnk - c:\program files\Gizmo\gizmo.exe [2010-3-1 220768]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv

R3 SYMNDISV;Symantec Network Filter Driver;c:\windows\system32\drivers\N360\0305020.00B\SYMNDISV.SYS [x]
S0 SymDS;Symantec Data Store;c:\windows\system32\drivers\N360\0401000.020\SYMDS.SYS [2009-10-15 328752]
S0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\N360\0401000.020\SYMEFA.SYS [2009-11-26 172592]
S1 BHDrvx86;BHDrvx86;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\BASHDefs\20100429.001\BHDrvx86.sys [2010-04-29 537136]
S1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\N360\0401000.020\ccHPx86.sys [2010-02-25 501888]
S1 ehdrv;ehdrv;c:\windows\system32\DRIVERS\ehdrv.sys [2009-09-11 108792]
S1 GizmoDrv;Gizmo Device Driver; [x]
S1 IDSVix86;IDSVix86;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\IPSDefs\20100505.001\IDSvix86.sys [2009-11-17 343088]
S1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\N360\0401000.020\Ironx86.SYS [2010-02-27 116784]
S1 SYMTDIv;Symantec Vista Network Dispatch Driver;c:\windows\System32\Drivers\N360\0401000.020\SYMTDIV.SYS [2009-11-22 340016]
S2 ekrn;ESET Service;c:\program files\ESET\ESET Smart Security\ekrn.exe [2009-09-11 735960]
S2 epfwwfp;epfwwfp;c:\windows\system32\DRIVERS\epfwwfp.sys [2009-09-11 38240]
S2 Gizmo Central;Gizmo Central;c:\program files\Gizmo\gservice.exe [2010-03-02 31856]
S2 N360;Norton 360;c:\program files\Norton 360\Engine\4.1.0.32\ccSvcHst.exe [2010-02-25 126392]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
S2 UNS;Intel® Management & Security Application User Notification Service;c:\program files\Intel\Intel® Management Engine Components\UNS\UNS.exe [2009-10-01 2320920]
S3 ALSysIO;ALSysIO;c:\users\Andrew\AppData\Local\Temp\ALSysIO.sys [x]
S3 e1kexpress;Intel® PRO/1000 PCI Express Network Connection Driver K;c:\windows\system32\DRIVERS\e1k6232.sys [2009-09-23 208552]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2010-03-20 102448]


--- Other Services/Drivers In Memory ---

*NewlyCreated* - ALSYSIO
.
Contents of the 'Scheduled Tasks' folder
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\users\Andrew\AppData\Roaming\Mozilla\Firefox\Profiles\kp89i73u.default\
FF - component: c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\coFFPlgn\components\coFFPlgn.dll
FF - component: c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\IPSFFPlgn\components\IPSFFPl.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npPandoWebInst.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npwachk.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.
- - - - ORPHANS REMOVED - - - -

AddRemove-azobzhbqokxqwog - c:\windows\system32\azobzhbqokxqwog.exe



[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\N360]
"ImagePath"="\"c:\program files\Norton 360\Engine\4.1.0.32\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files\Norton 360\Engine\4.1.0.32\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-101895003-2950426147-1564856554-1000\Software\SecuROM\License information*]
"datasecu"=hex:4c,d5,4a,fd,83,86,09,dd,9d,b7,82,d2,b8,bf,7d,c0,07,82,a9,39,6a,
fd,40,9e,4a,84,cb,02,c6,c4,ce,19,e5,2d,98,df,9d,e8,d1,1f,64,1f,29,d2,4a,9e,\
"rkeysecu"=hex:2f,0f,d5,3e,02,2b,06,63,b1,0b,dd,b6,71,e2,54,98

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(2572)
c:\windows\System32\npmproxy.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvvsvc.exe
c:\windows\system32\rundll32.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\nvvsvc.exe
c:\program files\Intel\Intel® Management Engine Components\LMS\LMS.exe
c:\windows\system32\taskhost.exe
c:\windows\system32\sppsvc.exe
c:\windows\system32\conhost.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Intel\Intel® Management Engine Components\IMSS\PrivacyIconClient.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\windows\system32\taskhost.exe
.
**************************************************************************
.
Completion time: 2010-05-12 08:13:36 - machine was rebooted
ComboFix-quarantined-files.txt 2010-05-12 15:13

Pre-Run: 859,652,177,920 bytes free
Post-Run: 859,573,129,216 bytes free

- - End Of File - - CBE389D04590FB248D0487A4149C7179


#10 aommaster (Malware Response Team, Dubai)

Posted 12 May 2010 - 09:51 AM

Hello, AndyMan315.
We need to run a ComboFix script:
  1. Close any open browsers.
  2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  3. Open notepad and copy/paste the text in the codebox below into it. Do not copy the word "code".
    CODE
    http://www.bleepingcomputer.com/forums/t/315312/google-redirect-virus-its-backkk/

    Suspect::[101]
    c:\windows\system32\spwmpp.dll
    c:\users\Andrew\AppData\Local\Temp\ALSysIO.sys
  4. Save this as CFScript.txt, in the same location as ComboFix.exe
  5. Now, drag and drop CFScript into ComboFix.exe
  6. When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

In your next reply, please include the following:
  • ComboFix.txt

My website: http://aommaster.com
Please do not send me PM's requesting for help. The forums are there for a reason : )
If I am helping you and do not respond to your thread for 48 hours, please send me a PM
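The two paths in the Suspect:: script above were picked out of the posted ComboFix log by hand. What follows is an added example written for this page by the editor, not code from the thread or from ComboFix, showing the kind of triage heuristics that surface exactly those entries: a file carrying hidden+system attributes dropped directly into system32, a kernel driver registered from a Temp directory or whose image ComboFix could not find (the `[x]` it prints in place of a date and size), and the UAC policy values from the same log section. The sample lines are copied from the log in this thread; the `Finding` class, `triage()` and the rules themselves are the editor's own and flag entries for a human to inspect, not verdicts.

```python
"""Triage heuristics over ComboFix log lines.

Added example (editor's own, not from the thread or from ComboFix).
The sample lines are copied from the log posted in this thread; the
rules only flag entries for a human to inspect, they are not verdicts.
"""
import re
from dataclasses import dataclass

# Constructed sample: a handful of lines lifted from the posted ComboFix log.
SAMPLE_LOG = r"""
2010-04-30 15:06 . 2010-04-30 15:06 84992 --sha-r- c:\windows\system32\spwmpp.dll
2010-03-14 17:38 . 2010-03-14 17:38 107888 ----a-w- c:\windows\system32\CmdLineExt.dll
2009-06-10 21:26 . 2009-07-14 02:04 9633792 --sha-r- c:\windows\Fonts\StaticCache.dat
2010-03-16 14:20 . 2010-03-16 14:20 -------- d-----w- c:\program files\Microsoft WSE
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"EnableLUA"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
S1 GizmoDrv;Gizmo Device Driver; [x]
S1 ehdrv;ehdrv;c:\windows\system32\DRIVERS\ehdrv.sys [2009-09-11 108792]
S3 ALSysIO;ALSysIO;c:\users\Andrew\AppData\Local\Temp\ALSysIO.sys [x]
S2 ekrn;ESET Service;c:\program files\ESET\ESET Smart Security\ekrn.exe [2009-09-11 735960]
"""

# File entry: "<created> . <modified> <size|--------> <attrs> <path>".
# The 8-char attribute field reads d?sha?[rw]? : index 0 = directory,
# 2 = system, 3 = hidden, 4 = archive, 6 = r/w (as seen in ComboFix logs).
FILE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>\d+|-+) (?P<attrs>[-a-z]{8}) (?P<path>.+)$"
)
# Service/driver entry: "<S|R><start type> <name>;<description>;<path> [<date size>|x]".
SVC_RE = re.compile(
    r"^(?P<start>[RS]\d) (?P<name>[^;]+);(?P<desc>[^;]*);(?P<path>.*?) ?\[(?P<info>[^\]]*)\]$"
)
# Numeric registry value as ComboFix prints it: "Name"= 0 (0x0)
POLICY_RE = re.compile(r'^"(?P<value>[A-Za-z]+)"= (?P<data>\d+) \(0x[0-9a-f]+\)$')
UAC_KEY_SUFFIX = r"\policies\system]"
SYSTEM32 = r"c:\windows\system32"


@dataclass(frozen=True)
class Finding:
    kind: str      # "file", "driver" or "policy"
    subject: str   # path, service name or value name
    reason: str


def triage(log_text: str) -> list:
    """Return the entries a human should look at, in log order."""
    findings = []
    in_uac_policy = False  # True while inside the policies\system key
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith("["):            # registry key header
            in_uac_policy = line.lower().endswith(UAC_KEY_SUFFIX)
            continue
        m = FILE_RE.match(line)
        if m:
            attrs, path = m["attrs"], m["path"]
            is_dir, system, hidden = attrs[0] == "d", attrs[2] == "s", attrs[3] == "h"
            parent = path.lower().rsplit("\\", 1)[0]
            if not is_dir and system and hidden and parent == SYSTEM32:
                findings.append(Finding("file", path,
                                        "hidden+system file dropped directly in system32"))
            continue
        m = SVC_RE.match(line)
        if m:
            name, path, info = m["name"], m["path"], m["info"]
            if info == "x":
                findings.append(Finding("driver", name,
                                        "image file not found on disk ([x])"))
            if "\\temp\\" in path.lower():
                findings.append(Finding("driver", name,
                                        "kernel driver loaded from a Temp directory"))
            continue
        m = POLICY_RE.match(line)
        if m and in_uac_policy:
            value, data = m["value"], int(m["data"])
            if value == "EnableLUA" and data == 0:
                findings.append(Finding("policy", value, "UAC disabled (EnableLUA=0)"))
            elif value == "ConsentPromptBehaviorAdmin" and data == 0:
                findings.append(Finding("policy", value,
                                        "administrators elevate without any prompt"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind:7} {f.subject}: {f.reason}")
```

Run against the sample it prints six lines: spwmpp.dll, both UAC values, GizmoDrv (a missing image for a legitimate program, which is why these are leads and not verdicts), and ALSysIO twice. The point of keeping the rules this narrow is that ordinary entries in the same log (CmdLineExt.dll, ehdrv.sys, the ESET service, StaticCache.dat in the Fonts folder) stay quiet, so every flagged line is worth the human minute it costs.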


#11 AndyMan315 (Topic Starter, Syracuse, NY)

Posted 12 May 2010 - 10:01 AM

Okay, I am at work until later but will do! In the meantime, did you find anything helpful? Just curious; I've got a few people involved who wanted to know what the outcome was. They like your forum. (Next reply should have the report for you, good sir!)

#12 aommaster (Malware Response Team, Dubai)

Posted 12 May 2010 - 10:08 AM

Hi!

Thanks :) Well, you had a driver that was patched by your virus, which was causing all the problems. I'm assuming that the redirects have stopped. However, we've got a little bit more to do.

The files that are in the script... I'd like to make sure they're not infected.

Hopefully that helps? If not, let me know and I'll explain further :)


#13 AndyMan315 (Topic Starter, Syracuse, NY)

Posted 12 May 2010 - 10:24 AM

I'm pretty computer savvy, so I get it 8-). But unfortunately, after the restart, I think I still had a redirect. Now I'm frazzled and don't remember, so I will let you know around 2 when I am home!

#14 aommaster (Malware Response Team, Dubai)

Posted 12 May 2010 - 01:03 PM

Okay. I'll wait for your reply :)


#15 AndyMan315 (Topic Starter, Syracuse, NY)

Posted 12 May 2010 - 01:11 PM

Here is the latest ComboFix log. It updated before I ran it again, and it uploaded my info to the internet? Just letting you know the specifics.


ComboFix 10-05-11.06 - Andrew 05/12/2010 15:01:31.2.4 - x86
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.1.1033.18.3261.2210 [GMT -7:00]
Running from: c:\users\Andrew\Downloads\ComboFix.exe
Command switches used :: C:\CFScript.txt
SP: Spybot - Search and Destroy *disabled* (Updated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
* Created a new restore point
* Resident AV is active


file zipped: c:\windows\System32\spwmpp.dll
.

((((((((((((((((((((((((( Files Created from 2010-04-12 to 2010-05-12 )))))))))))))))))))))))))))))))
.

2010-05-12 22:06 . 2010-05-12 22:06 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-05-12 22:06 . 2010-05-12 22:06 -------- d-----w- c:\users\Laken\AppData\Local\temp
2010-05-12 22:06 . 2010-05-12 22:06 -------- d-----w- c:\users\Guest\AppData\Local\temp
2010-05-12 22:06 . 2010-05-12 22:06 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-05-12 00:03 . 2010-05-12 02:20 -------- d-----w- C:\HammerAutosave
2010-05-11 17:21 . 2009-05-07 07:04 157712 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2010-05-10 15:10 . 2010-05-11 01:36 -------- d-----w- c:\program files\trend micro
2010-05-10 15:10 . 2010-05-10 15:10 -------- d-----w- C:\rsit
2010-05-06 00:34 . 2010-05-06 00:35 -------- d-----w- c:\users\Andrew\AppData\Roaming\D99A6CB45B8D3ED8D825C21560972B44
2010-05-02 23:39 . 2010-05-02 23:39 -------- d-----w- c:\program files\CCleaner
2010-05-02 16:50 . 2010-05-02 16:50 -------- d-----w- c:\users\Andrew\AppData\Roaming\Malwarebytes
2010-05-02 16:50 . 2010-04-29 22:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-05-02 16:50 . 2010-05-02 16:50 -------- d-----w- c:\programdata\Malwarebytes
2010-05-02 16:50 . 2010-05-02 16:50 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-02 16:50 . 2010-04-29 22:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-05-02 15:13 . 2010-05-06 02:09 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2010-05-02 15:13 . 2010-05-02 15:15 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-04-30 15:06 . 2010-04-30 15:06 84992 --sha-r- c:\windows\system32\spwmpp.dll
2010-04-30 02:49 . 2010-04-30 02:49 -------- d-sh--w- c:\programdata\SecuROM
2010-04-30 02:48 . 2009-03-16 21:18 69448 ----a-w- c:\windows\system32\XAPOFX1_3.dll
2010-04-30 02:48 . 2009-03-16 21:18 517448 ----a-w- c:\windows\system32\XAudio2_4.dll
2010-04-30 02:48 . 2009-03-16 21:18 235352 ----a-w- c:\windows\system32\xactengine3_4.dll
2010-04-30 02:48 . 2009-03-09 22:27 4178264 ----a-w- c:\windows\system32\D3DX9_41.dll
2010-04-30 02:48 . 2009-03-16 21:18 22360 ----a-w- c:\windows\system32\X3DAudio1_6.dll
2010-04-30 00:54 . 2009-09-05 00:29 453456 ----a-w- c:\windows\system32\d3dx10_42.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-12 15:10 . 2010-03-16 05:15 -------- d-----w- c:\users\Andrew\AppData\Roaming\LimeWire
2010-05-12 15:10 . 2010-02-27 07:48 -------- d-----w- c:\program files\Steam
2010-05-11 17:04 . 2010-02-27 07:15 -------- d-----w- c:\program files\Common Files\Adobe
2010-05-09 16:57 . 2010-03-01 21:23 -------- d-----w- c:\programdata\NVIDIA
2010-05-09 16:56 . 2010-03-01 21:22 -------- d-----w- c:\program files\NVIDIA Corporation
2010-05-08 22:17 . 2009-07-14 04:52 -------- d-----w- c:\program files\Microsoft Games
2010-05-06 02:31 . 2010-03-02 04:33 -------- d-----w- c:\users\Andrew\AppData\Roaming\uTorrent
2010-05-06 00:34 . 2009-07-13 23:51 0 ----a-w- c:\windows\system32\drivers\bthmodem.sys
2010-05-06 00:34 . 2009-07-14 00:58 0 ----a-w- c:\windows\system32\drivers\brusbmdm.sys
2010-05-06 00:34 . 2009-07-14 00:57 0 ----a-w- c:\windows\system32\drivers\brserid.sys
2010-05-06 00:34 . 2009-07-13 22:09 0 ----a-w- c:\windows\system32\drivers\arcsas.sys
2010-05-06 00:34 . 2009-07-13 22:09 0 ----a-w- c:\windows\system32\drivers\arc.sys
2010-05-06 00:34 . 2009-06-10 21:20 0 ----a-w- c:\windows\system32\drivers\amdsbs.sys
2010-05-06 00:34 . 2009-07-13 23:11 0 ----a-w- c:\windows\system32\drivers\amdk8.sys
2010-05-06 00:34 . 2009-07-13 23:25 0 ----a-w- c:\windows\system32\drivers\amdagp.sys
2010-05-06 00:34 . 2009-07-13 22:09 0 ----a-w- c:\windows\system32\drivers\adpu320.sys
2010-05-06 00:34 . 2009-07-13 22:09 0 ----a-w- c:\windows\system32\drivers\adpahci.sys
2010-05-06 00:34 . 2009-06-10 21:19 0 ----a-w- c:\windows\system32\drivers\adp94xx.sys
2010-05-06 00:34 . 2009-07-13 23:16 0 ----a-w- c:\windows\system32\drivers\acpipmi.sys
2010-04-30 02:48 . 2010-03-14 17:20 -------- d-----w- c:\program files\Rockstar Games
2010-04-30 02:48 . 2010-02-27 07:09 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-04-30 00:54 . 2010-03-14 17:37 -------- d-----w- c:\program files\Microsoft Games for Windows - LIVE
2010-04-26 23:54 . 2010-03-02 04:33 -------- d-----w- c:\program files\uTorrent
2010-04-26 23:36 . 2010-03-16 05:22 -------- d-----w- c:\users\Guest\AppData\Roaming\Gizmo
2010-04-07 01:50 . 2010-04-07 01:50 -------- d-----w- c:\program files\iTunes
2010-04-07 01:50 . 2010-04-07 01:50 -------- d-----w- c:\program files\iPod
2010-04-07 01:50 . 2010-02-28 20:58 -------- d-----w- c:\program files\Common Files\Apple
2010-04-07 01:48 . 2010-04-07 01:48 -------- d-----w- c:\program files\QuickTime
2010-04-07 01:48 . 2010-02-28 20:59 -------- d-----w- c:\programdata\Apple Computer
2010-04-07 01:46 . 2010-04-07 01:46 -------- d-----w- c:\program files\Bonjour
2010-04-07 01:44 . 2010-04-07 01:44 73000 ----a-w- c:\programdata\Apple Computer\Installer Cache\iTunes 9.1.0.79\SetupAdmin.exe
2010-04-06 14:49 . 2010-03-01 18:27 -------- d-----w- c:\users\Andrew\AppData\Roaming\FrostWire
2010-04-04 01:27 . 2010-04-04 01:27 985704 ----a-w- c:\windows\system32\nvsvc.dll
2010-04-04 01:27 . 2010-04-04 01:27 13683816 ----a-w- c:\windows\system32\nvcpl.dll
2010-04-04 01:27 . 2010-04-04 01:27 129640 ----a-w- c:\windows\system32\nvvsvc.exe
2010-04-04 01:27 . 2010-04-04 01:27 110696 ----a-w- c:\windows\system32\nvmctray.dll
2010-03-31 03:13 . 2010-03-16 05:23 63864 ----a-w- c:\users\Guest\AppData\Local\GDIPFONTCACHEV1.DAT
2010-03-31 03:05 . 2010-03-19 19:54 63864 ----a-w- c:\users\Laken\AppData\Local\GDIPFONTCACHEV1.DAT
2010-03-28 01:40 . 2010-03-28 01:39 -------- d-----w- c:\program files\Duke Nukem 3D
2010-03-26 19:47 . 2010-02-27 07:13 63864 ----a-w- c:\users\Andrew\AppData\Local\GDIPFONTCACHEV1.DAT
2010-03-26 19:39 . 2010-03-25 01:04 -------- d-----w- c:\program files\Calendarscope
2010-03-26 19:36 . 2010-03-26 19:36 -------- d-----w- c:\program files\Microsoft ActiveSync
2010-03-26 19:36 . 2010-03-26 19:36 -------- d-----w- c:\program files\Microsoft.NET
2010-03-25 01:04 . 2010-03-25 01:04 -------- d-----w- c:\users\Andrew\AppData\Roaming\Duality Software
2010-03-22 18:28 . 2010-03-19 19:57 -------- d-----w- c:\users\Laken\AppData\Roaming\Apple Computer
2010-03-20 04:48 . 2010-02-27 07:48 -------- d-----w- c:\program files\Common Files\Steam
2010-03-20 04:43 . 2010-03-20 04:43 -------- d-----w- c:\users\Andrew\AppData\Roaming\Tific
2010-03-19 19:55 . 2010-03-19 19:53 -------- d-----w- c:\users\Laken\AppData\Roaming\Gizmo
2010-03-18 02:47 . 2010-03-18 02:47 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_09_00.Wdf
2010-03-17 14:35 . 2010-03-16 05:24 -------- d-----w- c:\users\Guest\AppData\Roaming\Apple Computer
2010-03-16 14:20 . 2010-03-16 14:20 10134 ----a-r- c:\users\Andrew\AppData\Roaming\Microsoft\Installer\{E3E71D07-CD27-46CB-8448-16D4FB29AA13}\ARPPRODUCTICON.exe
2010-03-16 14:20 . 2010-03-16 14:20 -------- d-----w- c:\program files\Microsoft WSE
2010-03-16 14:15 . 2010-03-16 14:15 -------- d-----w- c:\program files\Electronic Arts
2010-03-14 17:44 . 2010-03-14 17:44 -------- d--h--r- c:\users\Andrew\AppData\Roaming\SecuROM
2010-03-14 17:38 . 2010-03-14 17:38 107888 ----a-w- c:\windows\system32\CmdLineExt.dll
2010-03-14 01:18 . 2010-03-14 01:15 -------- d-----w- c:\users\Andrew\AppData\Roaming\Winamp
2010-03-14 01:16 . 2010-03-14 01:15 -------- d-----w- c:\program files\Winamp
2010-03-14 01:16 . 2010-03-14 01:16 -------- d-----w- c:\program files\Winamp Detect
2010-03-14 00:19 . 2010-03-14 00:19 -------- d-----w- c:\users\Andrew\AppData\Roaming\HP
2010-03-14 00:12 . 2010-03-01 18:25 -------- d-----w- c:\programdata\Norton
2010-03-14 00:10 . 2010-03-01 18:26 805 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2010-03-14 00:10 . 2010-03-01 18:26 7443 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2010-03-14 00:10 . 2010-03-01 18:26 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2010-03-14 00:10 . 2010-03-01 18:26 -------- d-----w- c:\program files\Symantec
2010-03-02 06:16 . 2010-03-02 06:16 23624 ----a-w- c:\windows\system32\drivers\gizmodrv.sys
2010-03-02 05:33 . 2010-03-02 05:33 0 ----a-w- c:\users\Andrew\AppData\Roaming\FrostWire\.NetworkShare\Incomplete\T-4506256-LimeWireWin4.16.6.exe
2010-03-01 18:27 . 2010-03-01 18:27 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-03-01 18:26 . 2010-03-01 18:26 26600 ----a-r- c:\windows\system32\drivers\GEARAspiWDM.sys
2010-03-01 18:26 . 2010-03-01 18:26 107368 ----a-r- c:\windows\system32\GEARAspi.dll
2010-03-01 18:25 . 2010-03-01 18:24 82952808 ----a-w- c:\programdata\Symantec Temporary Files\N360S300EN.exe
2010-02-24 17:16 . 2010-02-27 08:17 181632 ------w- c:\windows\system32\MpSigStub.exe
2010-02-12 18:46 . 2010-02-12 18:46 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-02-12 18:46 . 2010-02-12 18:46 107808 ----a-w- c:\windows\system32\dns-sd.exe
2009-06-10 21:26 . 2009-07-14 02:04 9633792 --sha-r- c:\windows\Fonts\StaticCache.dat
2009-07-14 01:14 . 2009-07-13 23:42 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe
.

((((((((((((((((((((((((((((( SnapShot@2010-05-12_15.10.57 )))))))))))))))))))))))))))))))))))))))))
.
- 2009-07-14 04:55 . 2010-05-11 23:47 29712 c:\windows\System32\wdi\BootPerformanceDiagnostics_SystemData.bin
+ 2009-07-14 04:55 . 2010-05-12 15:12 29712 c:\windows\System32\wdi\BootPerformanceDiagnostics_SystemData.bin
+ 2010-02-27 08:40 . 2010-05-12 15:12 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2010-02-27 08:40 . 2010-05-11 23:47 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2010-02-27 08:40 . 2010-05-11 23:47 32768 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2010-02-27 08:40 . 2010-05-12 15:12 32768 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2010-02-27 08:40 . 2010-05-11 23:47 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2010-02-27 08:40 . 2010-05-12 15:12 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2010-02-27 07:02 . 2010-05-12 15:12 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2010-02-27 07:02 . 2010-05-11 23:47 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2010-02-27 07:35 . 2010-05-12 14:04 32768 c:\windows\ServiceProfiles\LocalService\AppData\Local\Temp\Temporary Internet Files\Content.IE5\index.dat
+ 2010-02-27 07:35 . 2010-05-12 22:04 32768 c:\windows\ServiceProfiles\LocalService\AppData\Local\Temp\Temporary Internet Files\Content.IE5\index.dat
- 2010-02-27 07:35 . 2010-05-12 14:04 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Temp\History\History.IE5\index.dat
+ 2010-02-27 07:35 . 2010-05-12 22:04 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Temp\History\History.IE5\index.dat
- 2010-02-27 07:35 . 2010-05-12 14:04 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Temp\Cookies\index.dat
+ 2010-02-27 07:35 . 2010-05-12 22:04 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Temp\Cookies\index.dat
+ 2010-02-27 07:02 . 2010-05-12 22:04 32768 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2010-02-27 07:02 . 2010-05-12 14:04 32768 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2010-02-27 07:02 . 2010-05-11 23:47 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2010-02-27 07:02 . 2010-05-12 15:12 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2010-05-11 23:44 . 2010-05-12 15:10 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2009-07-14 02:05 . 2010-05-12 15:16 615122 c:\windows\System32\perfh009.dat
- 2009-07-14 02:05 . 2010-05-11 23:50 615122 c:\windows\System32\perfh009.dat
- 2009-07-14 02:05 . 2010-05-11 23:50 103496 c:\windows\System32\perfc009.dat
+ 2009-07-14 02:05 . 2010-05-12 15:16 103496 c:\windows\System32\perfc009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
2009-11-19 02:40 1196936 ----a-w- c:\program files\Ask.com\GenericAskToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2009-11-19 1196936]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2009-11-19 1196936]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Steam"="c:\program files\steam\steam.exe" [2010-05-07 1238352]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-07-14 1173504]
"Core Temp"="c:\users\Andrew\Documents\CoreTemp32\Core Temp.exe" [2009-08-05 378384]
"GizmoDriveDelegate"="c:\progra~1\GIZMO\GDRIVE.DLL" [2010-03-02 390752]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe" [2009-09-16 7739936]
"IMSS"="c:\program files\Intel\Intel® Management Engine Components\IMSS\PIconStartup.exe" [2009-10-01 111640]
"egui"="c:\program files\ESET\ESET Smart Security\egui.exe" [2009-09-11 2054360]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2010-03-01 149280]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-18 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-03-26 142120]

c:\users\Andrew\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
LimeWire On Startup.lnk - e:\computadora\LimeWire\LimeWire.exe [2010-3-10 503808]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Gizmo.lnk - c:\program files\Gizmo\gizmo.exe [2010-3-1 220768]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv

R3 SYMNDISV;Symantec Network Filter Driver;c:\windows\system32\drivers\N360\0305020.00B\SYMNDISV.SYS [x]
S0 SymDS;Symantec Data Store;c:\windows\system32\drivers\N360\0401000.020\SYMDS.SYS [2009-10-15 328752]
S0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\N360\0401000.020\SYMEFA.SYS [2009-11-26 172592]
S1 BHDrvx86;BHDrvx86;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\BASHDefs\20100429.001\BHDrvx86.sys [2010-04-29 537136]
S1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\N360\0401000.020\ccHPx86.sys [2010-02-25 501888]
S1 ehdrv;ehdrv;c:\windows\system32\DRIVERS\ehdrv.sys [2009-09-11 108792]
S1 GizmoDrv;Gizmo Device Driver; [x]
S1 IDSVix86;IDSVix86;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\IPSDefs\20100505.001\IDSvix86.sys [2009-11-17 343088]
S1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\N360\0401000.020\Ironx86.SYS [2010-02-27 116784]
S1 SYMTDIv;Symantec Vista Network Dispatch Driver;c:\windows\System32\Drivers\N360\0401000.020\SYMTDIV.SYS [2009-11-22 340016]
S2 ekrn;ESET Service;c:\program files\ESET\ESET Smart Security\ekrn.exe [2009-09-11 735960]
S2 epfwwfp;epfwwfp;c:\windows\system32\DRIVERS\epfwwfp.sys [2009-09-11 38240]
S2 Gizmo Central;Gizmo Central;c:\program files\Gizmo\gservice.exe [2010-03-02 31856]
S2 N360;Norton 360;c:\program files\Norton 360\Engine\4.1.0.32\ccSvcHst.exe [2010-02-25 126392]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
S2 UNS;Intel® Management & Security Application User Notification Service;c:\program files\Intel\Intel® Management Engine Components\UNS\UNS.exe [2009-10-01 2320920]
S3 ALSysIO;ALSysIO;c:\users\Andrew\AppData\Local\Temp\ALSysIO.sys [x]
S3 e1kexpress;Intel® PRO/1000 PCI Express Network Connection Driver K;c:\windows\system32\DRIVERS\e1k6232.sys [2009-09-23 208552]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2010-03-20 102448]


--- Other Services/Drivers In Memory ---

*NewlyCreated* - ALSYSIO
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\users\Andrew\AppData\Roaming\Mozilla\Firefox\Profiles\kp89i73u.default\
FF - component: c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\coFFPlgn\components\coFFPlgn.dll
FF - component: c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\IPSFFPlgn\components\IPSFFPl.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npPandoWebInst.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npwachk.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\N360]
"ImagePath"="\"c:\program files\Norton 360\Engine\4.1.0.32\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files\Norton 360\Engine\4.1.0.32\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-101895003-2950426147-1564856554-1000\Software\SecuROM\License information*]
"datasecu"=hex:4c,d5,4a,fd,83,86,09,dd,9d,b7,82,d2,b8,bf,7d,c0,07,82,a9,39,6a,
fd,40,9e,4a,84,cb,02,c6,c4,ce,19,e5,2d,98,df,9d,e8,d1,1f,64,1f,29,d2,4a,9e,\
"rkeysecu"=hex:2f,0f,d5,3e,02,2b,06,63,b1,0b,dd,b6,71,e2,54,98

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(4116)
c:\program files\Gizmo\ghook.DLL
c:\windows\System32\npmproxy.dll
.
Completion time: 2010-05-12 15:07:54
ComboFix-quarantined-files.txt 2010-05-12 22:07
ComboFix2.txt 2010-05-12 15:13

Pre-Run: 859,639,279,616 bytes free
Post-Run: 859,573,854,208 bytes free

- - End Of File - - 233D7BFEB974DC46C7B027E02FEECC60
Upload was successful
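Added example for readers triaging a log like the one above (this is not part of the thread, not ComboFix code, and not a verdict on any entry in it): a small parser for ComboFix's service/driver lines ("S<n> name;description;path [date size]" or "[x]" when the image file is absent) plus a few heuristics that pull out entries a helper would normally check first, namely drivers whose file is missing, anything loading from a Temp directory, and .sys files outside %SystemRoot%. The sample lines are constructed copies of four entries shown above; the mapping of "S1/S2/S3" to Windows service start types is an assumption about ComboFix's notation.

```python
import re
from typing import Dict, List

# Constructed sample in the shape ComboFix prints its service/driver list:
# "<start type> <name>;<description>;<image path> [<file date> <size>]", or "[x]"
# when the image file is not present on disk. Lines mirror entries from the log above.
SAMPLE_LOG = r"""
S1 SYMTDIv;Symantec Vista Network Dispatch Driver;c:\windows\System32\Drivers\N360\0401000.020\SYMTDIV.SYS [2009-11-22 340016]
S2 ekrn;ESET Service;c:\program files\ESET\ESET Smart Security\ekrn.exe [2009-09-11 735960]
S3 ALSysIO;ALSysIO;c:\users\Andrew\AppData\Local\Temp\ALSysIO.sys [x]
S3 e1kexpress;Intel PRO/1000 PCI Express Network Connection Driver K;c:\windows\system32\DRIVERS\e1k6232.sys [2009-09-23 208552]
"""

# Assumption: ComboFix's S<n> prefix is the Windows service start type (0 boot .. 4 disabled).
START_TYPES = {"S0": "boot", "S1": "system", "S2": "automatic", "S3": "manual", "S4": "disabled"}

SERVICE_LINE = re.compile(
    r"^(S[0-4])\s+([^;]+);([^;]*);(.+?)\s+\[(?:(x)|(\d{4}-\d{2}-\d{2})\s+(\d+))\]\s*$"
)

# Path fragments a service binary or kernel driver normally has no business living in.
TEMP_MARKERS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\", "\\temp\\")


def parse_services(log_text: str) -> List[Dict]:
    """Parse ComboFix service/driver lines into dicts; lines of any other shape are skipped."""
    entries = []
    for line in log_text.splitlines():
        m = SERVICE_LINE.match(line.strip())
        if not m:
            continue
        start, name, desc, path, missing, date, size = m.groups()
        entries.append({
            "start": START_TYPES[start],
            "name": name,
            "description": desc,
            "path": path,
            "missing": missing is not None,   # "[x]" means the file was not found on disk
            "date": date,
            "size": int(size) if size else None,
        })
    return entries


def triage(entries: List[Dict]) -> List[Dict]:
    """Return entries worth a human look, each with the heuristic reasons that fired.

    A hit is a prioritisation, not a verdict: legitimate tools also drop drivers in
    Temp, so each hit still needs checking against the vendor and a known-good hash.
    """
    flagged = []
    for e in entries:
        reasons = []
        lowered = e["path"].lower()
        if e["missing"]:
            reasons.append("image file not found")
        if any(marker in lowered for marker in TEMP_MARKERS):
            reasons.append("loads from a temporary directory")
        if lowered.endswith(".sys") and not lowered.startswith("c:\\windows\\"):
            reasons.append("kernel driver outside %SystemRoot%")
        if reasons:
            flagged.append({**e, "reasons": reasons})
    return flagged


if __name__ == "__main__":
    for hit in triage(parse_services(SAMPLE_LOG)):
        print(f'{hit["name"]:<12} {hit["start"]:<10} {hit["path"]}')
        for reason in hit["reasons"]:
            print(f"    - {reason}")
```

Run against the sample, only the ALSysIO entry is reported (missing file, Temp path, driver outside %SystemRoot%); the Symantec, ESET and Intel entries pass all three checks. The same parser can be pointed at a full ComboFix log, since non-matching lines are ignored.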