Rootkit Removal from system / Google redirects


9 replies to this topic

#1 smartjock99

  • Members
  • 113 posts

Posted 15 May 2010 - 04:48 AM

Referred from here: http://www.bleepingcomputer.com/forums/t/315440/google-redirect-some-random-sites-pop-up/ ~ OB

Well, I've been virus-free for quite a while. However, I'm now getting some Google redirects when doing searches, and some new-tab popups in Firefox to advertising sites. Nothing malicious yet, but I'd like to nip this in the bud sooner rather than later. With the assistance of Boopme, I have run some procedures, but I have rootkits on my system that need removal.

Here is my DDS log:


DDS (Ver_10-03-17.01) - NTFSx86
Run by Phil at 3:25:53.43 on 15/05/2010
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_17
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1535.848 [GMT -6:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe
C:\WINDOWS\system32\IoctlSvc.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Hotspot Shield\bin\openvpnas.exe
C:\Program Files\Hotspot Shield\bin\openvpn.exe
C:\Program Files\Hotspot Shield\bin\hsswd.exe
C:\Program Files\Hotspot Shield\HssWPR\hsssrv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\WINDOWS\system32\ElkCtrl.exe
C:\Program Files\Logitech\Video\CameraAssistant.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Freecorder\FLVSrvc.exe
C:\PROGRA~1\HEWLET~1\PHOTOS~1\HPSHAR~1\hpgs2wnf.exe
C:\Program Files\DivX\DivX Update\DivXUpdate.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\PROGRA~1\Ahead\Ahead\data\Xtras\mssysmgr.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\uTorrent\utorrent.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Hotspot Shield\bin\openvpntray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Phil\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.defaulthomepage.info/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
uURLSearchHooks: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: {013b462b-5ee3-4c46-830f-310178bcc424} - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: AskBar BHO: {201f27d4-3704-41d6-89c1-aa35e39143ed} - c:\program files\askbardis\bar\bin\askBar.dll
BHO: McAfee Phishing Filter: {27b4851a-3207-45a2-b947-be8afe6163ab} - c:\progra~1\mcafee\msk\mskapbho.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: {32566f20-b13b-4230-90b0-e70f09e6aff3} - No File
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\common files\mcafee\systemcore\ScriptSn.20100513095206.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: {A429ECAE-A5B5-44A3-BBC8-A5D063470D59} - No File
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.4723.1820\swg.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - No File
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: Hotspot Shield Class: {f9e4a054-e9b1-4bc3-83a3-76a1ae736170} - c:\program files\hotspot shield\hssie\HssIE.dll
TB: {C17590D2-ECB4-4b15-8820-F58798DCC118} - No File
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
TB: Ask Toolbar: {3041d03e-fd4b-44e0-b742-2d9b88305f98} - c:\program files\askbardis\bar\bin\askBar.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [PhotoShow Deluxe Media Manager] c:\progra~1\ahead\ahead\data\xtras\mssysmgr.exe
uRun: [LDM] c:\program files\logitech\desktop messenger\8876480\program\LogitechDesktopMessenger.exe
uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\ahead\lib\NMBgMonitor.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [Share-to-Web Namespace Daemon] c:\program files\hewlett-packard\photosmart\hp share-to-web\hpgs2wnd.exe
mRun: [RemoteControl] "c:\program files\cyberlink dvd solution\powerdvd\PDVDServ.exe"
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [NBKeyScan] "c:\program files\nero\nero 7\nero backitup\NBKeyScan.exe"
mRun: [LVCOMSX] c:\windows\system32\LVCOMSX.EXE
mRun: [LogitechVideo[inspector]] c:\program files\logitech\video\InstallHelper.exe /inspect
mRun: [LogitechCameraService(E)] c:\windows\system32\ElkCtrl.exe /automation
mRun: [LogitechCameraAssistant] c:\program files\logitech\video\CameraAssistant.exe
mRun: [HPHUPD08] c:\program files\hp\digital imaging\{33d6cc28-9f75-4d1b-a11d-98895b3a3729}\hphupd08.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [CXMon] "c:\program files\hewlett-packard\photosmart\photo imaging\Hpi_Monitor.exe"
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Freecorder FLV Service] "c:\program files\freecorder\FLVSrvc.exe" /run
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [mcui_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [DivXUpdate] "c:\program files\divx\divx update\DivXUpdate.exe" /CHECKNOW
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\acroba~1.lnk - c:\program files\adobe\acrobat 5.0\distillr\AcroTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpimag~1.lnk - c:\program files\hp\digital imaging\bin\hpqthb08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
IE: &Webshots Photo Search - c:\program files\webshots\WSToolbar4IE.dll/MENUSEARCH.HTM
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim95\aim.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {FB858B22-55E2-413f-87F5-30ADC5552151} - c:\program files\plotsoft\pdfill\DownloadPDF.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: internet
Trusted Zone: mcafee.com
DPF: {00B71CFB-6864-4346-A978-C0A14556272C} - hxxp://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B}
DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
DPF: {22D4879A-92DB-470D-8A83-E158797D8176} - file://f:\components\Liquid.ocx
DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} - hxxp://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://spaces.msn.com//PhotoUpload/MsnPUpld.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} - hxxp://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} - hxxps://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876}
DPF: {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_04-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} - hxxp://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\logitech\desktop messenger\8876480\program\GAPlugProtocol-8876480.dll
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\phil\applic~1\mozilla\firefox\profiles\6i82zj2e.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT1060933&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.startup.homepage - hxxp://en-US.start3.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT1060933&q=
FF - component: c:\documents and settings\phil\application data\mozilla\firefox\profiles\6i82zj2e.default\extensions\{1392b8d2-5c05-419f-a8f6-b9f15a596612}\components\FFExternalAlert.dll
FF - component: c:\documents and settings\phil\application data\mozilla\firefox\profiles\6i82zj2e.default\extensions\{1392b8d2-5c05-419f-a8f6-b9f15a596612}\components\RadioWMPCore.dll
FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll
FF - plugin: c:\documents and settings\phil\application data\facebook\npfbplugin_1_0_0.dll
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\mcafee\supportability\mvt\NPMVTPlugin.dll
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npmozax.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npmusicn.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPTURNMED.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\activexFF10.js - pref("capability.policy.default.ClassID.CID4E7FF8BB-0A5A-4AA3-B764-B39BA9A13E38", "AllAccess");
c:\program files\mozilla firefox\defaults\pref\activexFF10.js - pref("capability.policy.default.ClassID.CIDB24F189F-FB14-4EFD-8B9D-217EC6C84EA1", "AllAccess");
c:\program files\mozilla firefox\defaults\pref\activexFF10.js - pref("capability.policy.default.ClassID.CID86ED3659-02F6-465D-8F19-A9334614CCC3", "AllAccess");
c:\program files\mozilla firefox\defaults\pref\activexFF10.js - pref("capability.policy.default.ClassID.CID5D7F48C0-CB49-4ea6-97D4-04F4EACC2F3B", "AllAccess");
c:\program files\mozilla firefox\defaults\pref\activexFF10.js - pref("capability.policy.default.ClassID.CID4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B", "AllAccess");
c:\program files\mozilla firefox\defaults\pref\activexFF10.js - pref("capability.policy.default.ClassID.CIDA43C6FC7-09F6-4E04-B8E3-683F3BDFEF7C", "AllAccess");
c:\program files\mozilla firefox\defaults\pref\activexff10.js - pref("capability.policy.default.classid.cid4c8d6404-a9f6-4236-8488-6c5732cb3bfa", "allaccess");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-11-4 385880]
R0 MrFilter;EasyWrite Driver;c:\windows\system32\drivers\MRFilter.sys [2005-5-30 11776]
R1 ATMhelpr;ATMhelpr;c:\windows\system32\drivers\ATMHELPR.SYS [2005-1-31 4064]
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [2010-5-4 82952]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-9-4 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-9-4 74480]
R2 aawservice;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\aawservice.exe [2008-9-10 611664]
R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [2009-9-24 54752]
R2 HssWd;Hotspot Shield Monitoring Service;c:\program files\hotspot shield\bin\hsswd.exe [2010-3-31 194608]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2009-12-16 93320]
R2 McMPFSvc;McAfee Personal Firewall;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-5-4 271480]
R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-5-4 271480]
R2 McProxy;McAfee Proxy Service;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-5-4 271480]
R2 McShield;McShield;c:\program files\common files\mcafee\systemcore\mcshield.exe [2010-5-4 170144]
R2 mfefire;McAfee Firewall Core Service;c:\program files\common files\mcafee\systemcore\mfefire.exe [2010-5-4 188136]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\common files\mcafee\systemcore\mfevtps.exe [2010-5-4 141792]
R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2010-5-4 55456]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2006-12-1 152320]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2006-12-1 51688]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2010-5-4 312616]
R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [2010-5-4 88480]
S0 viasraid;viasraid;c:\windows\system32\drivers\viasraid.sys --> c:\windows\system32\drivers\viasraid.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-2-6 135664]
S2 IcRecUsb;IC Recorder Driver;c:\windows\system32\drivers\IcRecUsb.sys [2006-9-19 17432]
S3 ASPI;Advanced SCSI Programming Interface Driver;c:\windows\system32\drivers\aspi32.sys [2005-1-31 16512]
S3 F-Secure Standalone Minifilter;F-Secure Standalone Minifilter;\??\c:\docume~1\phil\locals~1\temp\onlinescanner\anti-virus\fsgk.sys --> c:\docume~1\phil\locals~1\temp\onlinescanner\anti-virus\fsgk.sys [?]
S3 fsssvc;Windows Live Family Safety Service;c:\program files\windows live\family safety\fsssvc.exe [2009-8-5 704864]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [2010-5-4 88480]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2010-5-4 83496]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2006-12-1 34248]
S3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2006-12-1 40552]
S3 Ql1ipo;Ql1ipo; [x]
S3 rootrepeal2;rootrepeal2;\??\c:\windows\system32\drivers\rootrepeal2.sys --> c:\windows\system32\drivers\rootrepeal2.sys [?]
S3 rootrepeal3;rootrepeal3;\??\c:\windows\system32\drivers\rootrepeal3.sys --> c:\windows\system32\drivers\rootrepeal3.sys [?]
S3 RTL8187B;Realtek RTL8187B Wireless 802.11b/g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\drivers\RTL8187B.sys [2009-6-10 341376]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-9-4 7408]

=============== Created Last 30 ================

2010-05-15 09:25:06 0 ----a-w- c:\documents and settings\phil\defogger_reenable
2010-05-12 04:24:01 0 d-----w- c:\program files\iPod
2010-05-12 04:14:17 0 d-----w- c:\program files\Bonjour
2010-05-05 03:20:30 0 d-----w- c:\docume~1\alluse~1\applic~1\DivX
2010-05-04 16:01:55 9344 ----a-w- c:\windows\system32\drivers\mfeclnk.sys
2010-05-04 16:01:24 88480 ----a-w- c:\windows\system32\drivers\mfendisk.sys
2010-05-04 16:01:24 83496 ----a-w- c:\windows\system32\drivers\mferkdet.sys
2010-05-04 16:01:24 82952 ----a-w- c:\windows\system32\drivers\mfetdi2k.sys
2010-05-04 16:01:24 312616 ----a-w- c:\windows\system32\drivers\mfefirek.sys
2010-05-04 16:01:23 95568 ----a-w- c:\windows\system32\drivers\mfeapfk.sys
2010-05-04 16:01:23 55456 ----a-w- c:\windows\system32\drivers\cfwids.sys
2010-05-04 15:36:16 0 d-----w- c:\windows\system32\wbem\Repository
2010-04-26 22:04:42 353592 ----a-w- c:\windows\system32\DivXControlPanelApplet.cpl

==================== Find3M ====================

2010-05-14 03:11:27 0 ----a-w- c:\windows\system32\drivers\lvuvc.hs
2010-04-29 21:39:38 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 21:39:26 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-27 23:16:24 51688 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2010-04-27 23:16:24 385880 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2010-04-27 23:16:24 152320 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2010-04-08 19:20:02 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-04-08 19:20:02 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-03-31 01:58:04 44944 ------w- c:\windows\system32\drivers\pxhelp20.sys
2010-03-31 01:58:04 133616 ------w- c:\windows\system32\pxafs.dll
2010-03-31 01:58:04 125424 ------w- c:\windows\system32\pxinsi64.exe
2010-03-31 01:58:04 123888 ------w- c:\windows\system32\pxcpyi64.exe
2010-03-11 04:12:33 100254 ----a-w- c:\windows\War3Unin.dat
2010-03-10 04:14:45 43520 ----a-w- c:\windows\system32\CmdLineExt03.dll
2010-03-09 11:09:18 430080 ----a-w- c:\windows\system32\vbscript.dll
2010-03-08 17:59:18 94208 ----a-w- c:\windows\system32\dpl100.dll
2010-02-26 05:43:57 667136 ----a-w- c:\windows\system32\wininet.dll
2010-02-26 05:43:54 81920 ----a-w- c:\windows\system32\ieencode.dll
2010-02-19 19:27:36 720384 ----a-w- c:\windows\system32\DivX.dll
2010-02-19 19:27:16 856064 ----a-w- c:\windows\system32\divx_xx0c.dll
2010-02-19 19:27:16 856064 ----a-w- c:\windows\system32\divx_xx07.dll
2010-02-19 19:27:16 847872 ----a-w- c:\windows\system32\divx_xx0a.dll
2010-02-19 19:27:16 843776 ----a-w- c:\windows\system32\divx_xx16.dll
2010-02-19 19:27:16 839680 ----a-w- c:\windows\system32\divx_xx11.dll
2010-02-17 15:10:28 2189952 ------w- c:\windows\system32\ntoskrnl.exe
2010-02-16 13:25:04 2066816 ------w- c:\windows\system32\ntkrnlpa.exe
2007-11-25 16:57:00 604 ---ha-w- c:\program files\STLL Notifier
2004-03-11 20:27:22 40960 ----a-w- c:\program files\Uninstall_CDS.exe
2002-07-27 00:02:06 153088 ----a-w- c:\program files\UNWISE.EXE
2003-03-31 12:00:00 94784 --sh--w- c:\windows\twain.dll
2008-04-14 00:12:07 50688 --sh--w- c:\windows\twain_32.dll
2005-04-08 03:19:36 56 --sh--r- c:\windows\system32\634B638EB3.sys
2008-04-14 00:11:56 1028096 --sha-w- c:\windows\system32\mfc42.dll
2008-04-14 00:12:01 57344 --sha-w- c:\windows\system32\msvcirt.dll
2008-04-14 00:12:01 413696 --sha-w- c:\windows\system32\msvcp60.dll
2008-04-14 00:12:02 551936 --sh--w- c:\windows\system32\oleaut32.dll
2008-04-14 00:12:02 84992 --sha-w- c:\windows\system32\olepro32.dll
2008-04-14 00:12:32 11776 --sh--w- c:\windows\system32\regsvr32.exe

============= FINISH: 3:28:14.43 ===============

Here is my GMER log that I ran earlier in the week:

GooredFix by jpshortstuff (08.01.10.1)
Log created at 19:59 on 12/05/2010 (Phil)
Firefox version 3.6.3 (en-US)

========== GooredScan ==========


========== GooredLog ==========

C:\Program Files\Mozilla Firefox\extensions\
talkback@mozilla(2).org [13:12 05/09/2008]
{972ce4c6-7e08-4474-a285-3208198ce6fd} [18:10 21/08/2005]
{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} [12:51 03/08/2007]
{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} [03:30 09/09/2009]
{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} [06:51 23/01/2010]

C:\Documents and Settings\Phil\Application Data\Mozilla\Firefox\Profiles\6i82zj2e.default\extensions\
{1392b8d2-5c05-419f-a8f6-b9f15a596612} [18:54 06/02/2010]
{20a82645-c095-46ed-80e3-08825760534b} [14:57 03/09/2009]
{b9db16a4-6edc-47ec-a1f4-b86292ed211d} [18:08 16/01/2010]
{c50ca3c4-5656-43c2-a061-13e717f73fc8}(2) [14:22 05/09/2008]

C:\Documents and Settings\Phil\Application Data\Mozilla\Firefox\Profiles\e8ggf3vu.default\extensions\
{972ce4c6-7e08-4474-a285-3208198ce6fd} [05:39 25/08/2005]

[HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]
"{ABDE892B-13A8-4d1b-88E6-365A6E755758}"="C:\Program Files\Real\RealPlayer\browserrecord" [04:20 25/04/2008]
"{20a82645-c095-46ed-80e3-08825760534b}"="C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\" [09:11 07/08/2009]
"{B7082FAA-CB62-4872-9106-E42DD88EDE45}"="C:\Program Files\McAfee\SiteAdvisor" [03:02 17/12/2009]
"jqs@sun.com"="C:\Program Files\Java\jre6\lib\deploy\jqs\ff" [03:29 09/09/2009]

---------- Old Logs ----------
GooredFix[05.56.56_10-05-2010].txt

-=E.O.F=-

And here is the GMER log - I ran it in safe mode with the devices unchecked. I notice skynet in there (but I don't know the context associated with the log - that's your expertise):

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-05-12 23:45:55
Windows 5.1.2600 Service Pack 3
Running: wiv2708c.exe; Driver: C:\DOCUME~1\Phil\LOCALS~1\Temp\kxtdrkoc.sys


---- Kernel code sections - GMER 1.0.15 ----

.rsrc C:\WINDOWS\system32\drivers\pci.sys entry point in ".rsrc" section [0xF75A5994]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\Explorer.EXE[784] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00A1000A
.text C:\WINDOWS\Explorer.EXE[784] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00A7000A
.text C:\WINDOWS\Explorer.EXE[784] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00A0000C
.text C:\WINDOWS\system32\svchost.exe[808] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 007A000A
.text C:\WINDOWS\system32\svchost.exe[808] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 007B000A
.text C:\WINDOWS\system32\svchost.exe[808] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0079000C
.text C:\WINDOWS\system32\svchost.exe[808] USER32.dll!GetCursorPos 7E42974E 5 Bytes JMP 0156000A
.text C:\WINDOWS\system32\svchost.exe[808] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 0155000A

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\ControlSet002\Services\hjgruiuehfwqkk@start 1
Reg HKLM\SYSTEM\ControlSet002\Services\hjgruiuehfwqkk@type 1
Reg HKLM\SYSTEM\ControlSet002\Services\hjgruiuehfwqkk@group file system
Reg HKLM\SYSTEM\ControlSet002\Services\hjgruiuehfwqkk@imagepath \systemroot\system32\drivers\hjgruiqmjgvxsr.sys
Reg HKLM\SYSTEM\ControlSet002\Services\hjgruiuehfwqkk\main (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\hjgruiuehfwqkk\main@aid 10002
Reg HKLM\SYSTEM\ControlSet002\Services\hjgruiuehfwqkk\main@sid 0
Reg HKLM\SYSTEM\ControlSet002\Services\hjgruiuehfwqkk\main@cmddelay 14400
Reg HKLM\SYSTEM\ControlSet002\Services\hjgruiuehfwqkk\main\connections (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\hjgruiuehfwqkk\main\delete (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\hjgruiuehfwqkk\main\injector (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\hjgruiuehfwqkk\main\injector@* hjgruiwsp.dll
Reg HKLM\SYSTEM\ControlSet002\Services\hjgruiuehfwqkk\main\tasks (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\hjgruiuehfwqkk\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\hjgruiuehfwqkk\modules@hjgruirk.sys \systemroot\system32\drivers\hjgruiqmjgvxsr.sys
Reg HKLM\SYSTEM\ControlSet002\Services\hjgruiuehfwqkk\modules@hjgruicmd.dll \systemroot\system32\hjgruihbswjgcb.dll
Reg HKLM\SYSTEM\ControlSet002\Services\hjgruiuehfwqkk\modules@hjgruilog.dat \systemroot\system32\hjgruinmjiybrr.dat
Reg HKLM\SYSTEM\ControlSet002\Services\hjgruiuehfwqkk\modules@hjgruiwsp.dll \systemroot\system32\hjgruijqicrgmi.dll
Reg HKLM\SYSTEM\ControlSet002\Services\hjgruiuehfwqkk\modules@hjgrui.dat \systemroot\system32\hjgruiyycbxyvv.dat
Reg HKLM\SYSTEM\ControlSet002\Services\MSIVXserv.sys@start 1
Reg HKLM\SYSTEM\ControlSet002\Services\MSIVXserv.sys@type 1
Reg HKLM\SYSTEM\ControlSet002\Services\MSIVXserv.sys@imagepath \systemroot\system32\drivers\MSIVXfuafmqfooobhxpdhqbxmsisqvblnqyhu.sys
Reg HKLM\SYSTEM\ControlSet002\Services\MSIVXserv.sys@group file system
Reg HKLM\SYSTEM\ControlSet002\Services\MSIVXserv.sys\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\MSIVXserv.sys\modules@MSIVXserv \\?\globalroot\systemroot\system32\drivers\MSIVXfuafmqfooobhxpdhqbxmsisqvblnqyhu.sys
Reg HKLM\SYSTEM\ControlSet002\Services\MSIVXserv.sys\modules@MSIVXl \\?\globalroot\systemroot\system32\MSIVXdlrxsdueatngtrnigtviagjvgecwxusb.dll
Reg HKLM\SYSTEM\ControlSet002\Services\MSIVXserv.sys\modules@MSIVXclk \\?\globalroot\systemroot\system32\MSIVXavjdfgswcjxbhivockwcyxdwuooafxnb.dll
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys@start 1
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys@type 1
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys@imagepath \systemroot\system32\drivers\UACxcrgqvatmpaetyean.sys
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys@group file system
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules@UACd \\?\globalroot\systemroot\system32\drivers\UACxcrgqvatmpaetyean.sys
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules@UACc \\?\globalroot\systemroot\system32\UACgbarijntjahsbyvvs.dll
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules@uacbbr \\?\globalroot\systemroot\system32\UACucaknolduojkpelti.dll
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules@uacsr \\?\globalroot\systemroot\system32\UACfftvekuqvgnwymsdw.dat
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules@uacmask \\?\globalroot\systemroot\system32\UACglpgfmilwxgjvowcq.dll
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules@uacserf \\?\globalroot\systemroot\system32\UACxiarlkwowhlqnrfbf.dll
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules@uacmal \\?\globalroot\systemroot\system32\UAChsrjplulpfkvpfkaj.db
Reg HKLM\SYSTEM\ControlSet002\Services\UACd.sys\modules@uacrem \\?\globalroot\systemroot\system32\UACtethosrqrssrsbftp.dll
Reg HKLM\SYSTEM\ControlSet003\Services\hjgruiuehfwqkk@start 1
Reg HKLM\SYSTEM\ControlSet003\Services\hjgruiuehfwqkk@type 1
Reg HKLM\SYSTEM\ControlSet003\Services\hjgruiuehfwqkk@group file system
Reg HKLM\SYSTEM\ControlSet003\Services\hjgruiuehfwqkk@imagepath \systemroot\system32\drivers\hjgruiqmjgvxsr.sys
Reg HKLM\SYSTEM\ControlSet003\Services\hjgruiuehfwqkk\main (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\hjgruiuehfwqkk\main@aid 10002
Reg HKLM\SYSTEM\ControlSet003\Services\hjgruiuehfwqkk\main@sid 0
Reg HKLM\SYSTEM\ControlSet003\Services\hjgruiuehfwqkk\main@cmddelay 14400
Reg HKLM\SYSTEM\ControlSet003\Services\hjgruiuehfwqkk\main\connections (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\hjgruiuehfwqkk\main\delete (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\hjgruiuehfwqkk\main\injector (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\hjgruiuehfwqkk\main\injector@* hjgruiwsp.dll
Reg HKLM\SYSTEM\ControlSet003\Services\hjgruiuehfwqkk\main\tasks (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\hjgruiuehfwqkk\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\hjgruiuehfwqkk\modules@hjgruirk.sys \systemroot\system32\drivers\hjgruiqmjgvxsr.sys
Reg HKLM\SYSTEM\ControlSet003\Services\hjgruiuehfwqkk\modules@hjgruicmd.dll \systemroot\system32\hjgruihbswjgcb.dll
Reg HKLM\SYSTEM\ControlSet003\Services\hjgruiuehfwqkk\modules@hjgruilog.dat \systemroot\system32\hjgruinmjiybrr.dat
Reg HKLM\SYSTEM\ControlSet003\Services\hjgruiuehfwqkk\modules@hjgruiwsp.dll \systemroot\system32\hjgruijqicrgmi.dll
Reg HKLM\SYSTEM\ControlSet003\Services\hjgruiuehfwqkk\modules@hjgrui.dat \systemroot\system32\hjgruiyycbxyvv.dat
Reg HKLM\SYSTEM\ControlSet003\Services\MSIVXserv.sys@start 1
Reg HKLM\SYSTEM\ControlSet003\Services\MSIVXserv.sys@type 1
Reg HKLM\SYSTEM\ControlSet003\Services\MSIVXserv.sys@imagepath \systemroot\system32\drivers\MSIVXfuafmqfooobhxpdhqbxmsisqvblnqyhu.sys
Reg HKLM\SYSTEM\ControlSet003\Services\MSIVXserv.sys@group file system
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETjmeovdtm@start 1
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETjmeovdtm@type 1
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETjmeovdtm@group file system
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETjmeovdtm@imagepath \systemroot\system32\drivers\SKYNETpbigbmve.sys
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETjmeovdtm\main (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETjmeovdtm\main@aid 10002
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETjmeovdtm\main@sid 1
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETjmeovdtm\main@cmddelay 14400
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETjmeovdtm\main\delete (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETjmeovdtm\main\injector (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETjmeovdtm\main\injector@* SKYNETwsp.dll
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETjmeovdtm\main\tasks (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETjmeovdtm\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETjmeovdtm\modules@SKYNETrk.sys \systemroot\system32\drivers\SKYNETpbigbmve.sys
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETjmeovdtm\modules@SKYNETcmd.dll \systemroot\system32\SKYNETirqdawvg.dll
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETjmeovdtm\modules@SKYNETlog.dat \systemroot\system32\SKYNETmafjyuui.dat
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETjmeovdtm\modules@SKYNETwsp.dll \systemroot\system32\SKYNETdmlhceff.dll
Reg HKLM\SYSTEM\ControlSet003\Services\SKYNETjmeovdtm\modules@SKYNET.dat \systemroot\system32\SKYNETvtlcmhva.dat
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys@start 1
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys@type 1
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys@imagepath \systemroot\system32\drivers\UACxcrgqvatmpaetyean.sys
Reg HKLM\SYSTEM\ControlSet003\Services\UACd.sys@group file system
Reg HKLM\SYSTEM\ControlSet004\Services\hjgruiuehfwqkk@start 1
Reg HKLM\SYSTEM\ControlSet004\Services\hjgruiuehfwqkk@type 1
Reg HKLM\SYSTEM\ControlSet004\Services\hjgruiuehfwqkk@group file system
Reg HKLM\SYSTEM\ControlSet004\Services\hjgruiuehfwqkk@imagepath \systemroot\system32\drivers\hjgruiqmjgvxsr.sys
Reg HKLM\SYSTEM\ControlSet004\Services\hjgruiuehfwqkk\main (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\hjgruiuehfwqkk\main@aid 10002
Reg HKLM\SYSTEM\ControlSet004\Services\hjgruiuehfwqkk\main@sid 0
Reg HKLM\SYSTEM\ControlSet004\Services\hjgruiuehfwqkk\main@cmddelay 14400
Reg HKLM\SYSTEM\ControlSet004\Services\hjgruiuehfwqkk\main\connections (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\hjgruiuehfwqkk\main\delete (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\hjgruiuehfwqkk\main\injector (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\hjgruiuehfwqkk\main\injector@* hjgruiwsp.dll
Reg HKLM\SYSTEM\ControlSet004\Services\hjgruiuehfwqkk\main\tasks (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\hjgruiuehfwqkk\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\hjgruiuehfwqkk\modules@hjgruirk.sys \systemroot\system32\drivers\hjgruiqmjgvxsr.sys
Reg HKLM\SYSTEM\ControlSet004\Services\hjgruiuehfwqkk\modules@hjgruicmd.dll \systemroot\system32\hjgruihbswjgcb.dll
Reg HKLM\SYSTEM\ControlSet004\Services\hjgruiuehfwqkk\modules@hjgruilog.dat \systemroot\system32\hjgruinmjiybrr.dat
Reg HKLM\SYSTEM\ControlSet004\Services\hjgruiuehfwqkk\modules@hjgruiwsp.dll \systemroot\system32\hjgruijqicrgmi.dll
Reg HKLM\SYSTEM\ControlSet004\Services\hjgruiuehfwqkk\modules@hjgrui.dat \systemroot\system32\hjgruiyycbxyvv.dat
Reg HKLM\SYSTEM\ControlSet004\Services\kbiwkmktmrwait@start 1
Reg HKLM\SYSTEM\ControlSet004\Services\kbiwkmktmrwait@type 1
Reg HKLM\SYSTEM\ControlSet004\Services\kbiwkmktmrwait@group file system
Reg HKLM\SYSTEM\ControlSet004\Services\kbiwkmktmrwait@imagepath \systemroot\system32\drivers\kbiwkmnsjwlgdk.sys
Reg HKLM\SYSTEM\ControlSet004\Services\kbiwkmktmrwait\main (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\kbiwkmktmrwait\main@aid 10002
Reg HKLM\SYSTEM\ControlSet004\Services\kbiwkmktmrwait\main@sid 1
Reg HKLM\SYSTEM\ControlSet004\Services\kbiwkmktmrwait\main@cmddelay 14400
Reg HKLM\SYSTEM\ControlSet004\Services\kbiwkmktmrwait\main\delete (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\kbiwkmktmrwait\main\injector (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\kbiwkmktmrwait\main\injector@* kbiwkmwsp.dll
Reg HKLM\SYSTEM\ControlSet004\Services\kbiwkmktmrwait\main\tasks (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\kbiwkmktmrwait\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\kbiwkmktmrwait\modules@kbiwkmrk.sys \systemroot\system32\drivers\kbiwkmnsjwlgdk.sys
Reg HKLM\SYSTEM\ControlSet004\Services\kbiwkmktmrwait\modules@kbiwkmcmd.dll \systemroot\system32\kbiwkmhucnrvsh.dll
Reg HKLM\SYSTEM\ControlSet004\Services\kbiwkmktmrwait\modules@kbiwkmlog.dat \systemroot\system32\kbiwkmlkhbfdyj.dat
Reg HKLM\SYSTEM\ControlSet004\Services\kbiwkmktmrwait\modules@kbiwkmwsp.dll \systemroot\system32\kbiwkmrdgpilxw.dll
Reg HKLM\SYSTEM\ControlSet004\Services\kbiwkmktmrwait\modules@kbiwkm.dat \systemroot\system32\kbiwkmnqdddgco.dat
Reg HKLM\SYSTEM\ControlSet004\Services\MSIVXserv.sys@start 1
Reg HKLM\SYSTEM\ControlSet004\Services\MSIVXserv.sys@type 1
Reg HKLM\SYSTEM\ControlSet004\Services\MSIVXserv.sys@imagepath \systemroot\system32\drivers\MSIVXfuafmqfooobhxpdhqbxmsisqvblnqyhu.sys
Reg HKLM\SYSTEM\ControlSet004\Services\MSIVXserv.sys@group file system
Reg HKLM\SYSTEM\ControlSet004\Services\SKYNETjmeovdtm@start 1
Reg HKLM\SYSTEM\ControlSet004\Services\SKYNETjmeovdtm@type 1
Reg HKLM\SYSTEM\ControlSet004\Services\SKYNETjmeovdtm@group file system
Reg HKLM\SYSTEM\ControlSet004\Services\SKYNETjmeovdtm@imagepath \systemroot\system32\drivers\SKYNETpbigbmve.sys
Reg HKLM\SYSTEM\ControlSet004\Services\SKYNETjmeovdtm\main (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\SKYNETjmeovdtm\main@aid 10002
Reg HKLM\SYSTEM\ControlSet004\Services\SKYNETjmeovdtm\main@sid 1
Reg HKLM\SYSTEM\ControlSet004\Services\SKYNETjmeovdtm\main@cmddelay 14400
Reg HKLM\SYSTEM\ControlSet004\Services\SKYNETjmeovdtm\main\delete (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\SKYNETjmeovdtm\main\injector (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\SKYNETjmeovdtm\main\injector@* SKYNETwsp.dll
Reg HKLM\SYSTEM\ControlSet004\Services\SKYNETjmeovdtm\main\tasks (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\SKYNETjmeovdtm\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\SKYNETjmeovdtm\modules@SKYNETrk.sys \systemroot\system32\drivers\SKYNETpbigbmve.sys
Reg HKLM\SYSTEM\ControlSet004\Services\SKYNETjmeovdtm\modules@SKYNETcmd.dll \systemroot\system32\SKYNETirqdawvg.dll
Reg HKLM\SYSTEM\ControlSet004\Services\SKYNETjmeovdtm\modules@SKYNETlog.dat \systemroot\system32\SKYNETmafjyuui.dat
Reg HKLM\SYSTEM\ControlSet004\Services\SKYNETjmeovdtm\modules@SKYNETwsp.dll \systemroot\system32\SKYNETdmlhceff.dll
Reg HKLM\SYSTEM\ControlSet004\Services\SKYNETjmeovdtm\modules@SKYNET.dat \systemroot\system32\SKYNETvtlcmhva.dat
Reg HKLM\SYSTEM\ControlSet004\Services\UACd.sys@start 1
Reg HKLM\SYSTEM\ControlSet004\Services\UACd.sys@type 1
Reg HKLM\SYSTEM\ControlSet004\Services\UACd.sys@imagepath \systemroot\system32\drivers\UACxcrgqvatmpaetyean.sys
Reg HKLM\SYSTEM\ControlSet004\Services\UACd.sys@group file system
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL@Installed 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI@Installed 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI@NoChange 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS@Installed 1
Reg HKLM\SOFTWARE\Classes\CLSID\{06D25F1D-4E4A-614E-267F-6AE746520B43}\InprocHandler32@ ole32.dll
Reg HKLM\SOFTWARE\Classes\CLSID\{06D25F1D-4E4A-614E-267F-6AE746520B43}\LocalServer32@ C:\PROGRA~1\MICROS~2\Office10\OUTLOOK.EXE
Reg HKLM\SOFTWARE\Classes\CLSID\{06D25F1D-4E4A-614E-267F-6AE746520B43}\LocalServer32@LocalServer32 C84DVn-}f(YR]eAR6.jiOUTLOOKFiles>'K2Qps't@=3LoeW%lTmK?
Reg HKLM\SOFTWARE\Classes\CLSID\{59F677B0-0008-654E-84F7-9B9AF91AAF1D}\AutoConvertTo@ {64818D11-4F9B-11CF-86EA-00AA00B929E8}
Reg HKLM\SOFTWARE\Classes\CLSID\{59F677B0-0008-654E-84F7-9B9AF91AAF1D}\Insertable@
Reg HKLM\SOFTWARE\Classes\CLSID\{59F677B0-0008-654E-84F7-9B9AF91AAF1D}\ProgID@ PowerPoint.Slide.4
Reg HKLM\SOFTWARE\Classes\CLSID\{59F677B0-0008-654E-84F7-9B9AF91AAF1D}\TreatAs@ {64818D11-4F9B-11CF-86EA-00AA00B929E8}
Reg HKLM\SOFTWARE\Classes\CLSID\{DBAAA341-C3E3-5DE5-1A42-8650F2F07201}\InProcServer32@ C:\Program Files\Caere\PageKeeper30\SYSTEM\StartSearchMenu.dll
Reg HKLM\SOFTWARE\Classes\CLSID\{DBAAA341-C3E3-5DE5-1A42-8650F2F07201}\InProcServer32@ThreadingModel Apartment

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\pci.sys suspicious modification

---- EOF - GMER 1.0.15 ----

Edited by Orange Blossom, 15 May 2010 - 02:05 PM.


#2 mpascal (Math Nerd)

  • Members
  • 1,653 posts
  • Gender:Male
  • Location:Canada

Posted 15 May 2010 - 03:46 PM

Hi smartjock99,

Welcome to Bleeping Computer.

My name is mpascal, and I will be helping you fix your problem.

Before we begin, I would like to make a few things clear so that we can fix your problem as efficiently as possible:
  • Be sure to follow all my instructions carefully! If there is anything you don't understand, don't hesitate to ask.
  • Please do not do anything or perform other steps unless I have asked you to do so.
  • Please make sure you post all logs I ask you to, and make sure that the entire log gets posted.
  • Don't attach any logs unless asked. Posting them in the forums will make them easier to analyze.
  • If you are unsure of how to reply, or need help with anything regarding the website, please look here.

We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Ensure you have disabled all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

Please include the C:\ComboFix.txt in your next reply for further review.

Stay with your topic! Topics that go 4 days without a reply will be closed. PM me to reopen.

Please don't PM asking for support. Post on the forums instead.

My help is free, but if you wish to donate and help continue my fight against malware, click here.


#3 smartjock99 (Topic Starter)

  • Members
  • 113 posts

Posted 16 May 2010 - 12:31 PM

Thanks for the quick response to my problem!

Here's my ComboFix log:

ComboFix 10-05-15.03 - Phil 16/05/2010 11:09:14.6.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1535.1014 [GMT -6:00]
Running from: c:\documents and settings\Phil\Desktop\ComboFix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
* Resident AV is active

.
The following files were disabled during the run:
c:\program files\Common Files\Logitech\LVMVFM\LVPrcInj.dll


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Phil\Application Data\ACD Systems\ACDSee\ImageDB.ddf
c:\documents and settings\Philip\Application Data\ACD Systems\ACDSee\ImageDB.ddf
c:\documents and settings\Philip\Application Data\inst.exe
c:\windows\system32\VB40032.DLL

Infected copy of c:\windows\system32\drivers\pci.sys was found and disinfected
Restored copy from - Kitty had a snack :P
.
((((((((((((((((((((((((( Files Created from 2010-04-16 to 2010-05-16 )))))))))))))))))))))))))))))))
.

2010-05-12 04:24 . 2010-05-12 04:24 -------- d-----w- c:\program files\iPod
2010-05-12 04:14 . 2010-05-12 04:14 -------- d-----w- c:\program files\Bonjour
2010-05-12 04:11 . 2010-05-12 04:11 73000 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.1.1.12\SetupAdmin.exe
2010-05-07 04:33 . 2010-05-07 04:33 -------- d-s---w- c:\documents and settings\LocalService\UserData
2010-05-05 03:27 . 2010-05-05 03:27 57344 ----a-w- c:\documents and settings\All Users\Application Data\DivX\RunAsUser\RUNASUSERPROCESS.dll
2010-05-05 03:26 . 2010-05-05 03:20 754984 ----a-w- c:\documents and settings\All Users\Application Data\DivX\Setup\Resource.dll
2010-05-05 03:26 . 2010-05-05 03:19 1180952 ----a-w- c:\documents and settings\All Users\Application Data\DivX\Setup\DivXSetup.exe
2010-05-05 03:26 . 2009-12-04 01:18 530625 ----a-w- c:\documents and settings\All Users\Application Data\DivX\DivX7\DivX Plus DirectShow Filters\DivXDSFiltersUninstall.exe
2010-05-05 03:26 . 2009-12-04 01:18 530625 ----a-w- c:\documents and settings\All Users\Application Data\DivX\DivX7\DivX Converter\DivXConverterUninstall.exe
2010-05-05 03:26 . 2010-05-05 03:26 56766 ----a-w- c:\documents and settings\All Users\Application Data\DivX\DivXPlusShortcuts\Uninstaller.exe
2010-05-05 03:26 . 2010-05-05 03:26 56978 ----a-w- c:\documents and settings\All Users\Application Data\DivX\WebPlayer\Uninstaller.exe
2010-05-05 03:26 . 2010-05-05 03:26 53600 ----a-w- c:\documents and settings\All Users\Application Data\DivX\Update\Uninstaller.exe
2010-05-05 03:26 . 2010-05-05 03:26 57679 ----a-w- c:\documents and settings\All Users\Application Data\DivX\Player\Uninstaller.exe
2010-05-05 03:23 . 2010-05-05 03:23 84040 ----a-w- c:\documents and settings\All Users\Application Data\DivX\TransferWizard\Uninstaller.exe
2010-05-05 03:23 . 2010-05-05 03:23 57054 ----a-w- c:\documents and settings\All Users\Application Data\DivX\DSDesktopComponents\Uninstaller.exe
2010-05-05 03:23 . 2010-05-05 03:23 54166 ----a-w- c:\documents and settings\All Users\Application Data\DivX\DSAVCDecoder\Uninstaller.exe
2010-05-05 03:23 . 2010-05-05 03:23 57532 ----a-w- c:\documents and settings\All Users\Application Data\DivX\DSASPDecoder\Uninstaller.exe
2010-05-05 03:23 . 2010-05-05 03:23 56458 ----a-w- c:\documents and settings\All Users\Application Data\DivX\DivXDecoderShortcut\Uninstaller.exe
2010-05-05 03:23 . 2010-05-05 03:23 54174 ----a-w- c:\documents and settings\All Users\Application Data\DivX\DSAACDecoder\Uninstaller.exe
2010-05-05 03:23 . 2010-05-05 03:23 54153 ----a-w- c:\documents and settings\All Users\Application Data\DivX\DFXPlugin\Uninstaller.exe
2010-05-05 03:23 . 2010-05-05 03:23 54128 ----a-w- c:\documents and settings\All Users\Application Data\DivX\Converter\Uninstaller.exe
2010-05-05 03:22 . 2010-05-05 03:22 54629 ----a-w- c:\documents and settings\All Users\Application Data\DivX\TranscodeEngine\Uninstaller.exe
2010-05-05 03:22 . 2010-05-05 03:22 54101 ----a-w- c:\documents and settings\All Users\Application Data\DivX\MPEG2Plugin\Uninstaller.exe
2010-05-05 03:22 . 2010-05-05 03:22 57409 ----a-w- c:\documents and settings\All Users\Application Data\DivX\ControlPanel\Uninstaller.exe
2010-05-05 03:22 . 2010-05-05 03:22 52963 ----a-w- c:\documents and settings\All Users\Application Data\DivX\MSVC80CRTRedist\Uninstaller.exe
2010-05-05 03:22 . 2010-05-05 03:22 54073 ----a-w- c:\documents and settings\All Users\Application Data\DivX\Qt4.5\Uninstaller.exe
2010-05-05 03:21 . 2010-05-05 03:21 56969 ----a-w- c:\documents and settings\All Users\Application Data\DivX\ASPEncoder\Uninstaller.exe
2010-05-05 03:20 . 2010-05-05 03:20 144696 ----a-w- c:\documents and settings\All Users\Application Data\DivX\RunAsUser\RUNASUSERPROCESS.exe
2010-05-05 03:20 . 2010-05-05 03:26 -------- d-----w- c:\documents and settings\All Users\Application Data\DivX
2010-05-04 16:01 . 2010-04-27 23:16 9344 ----a-w- c:\windows\system32\drivers\mfeclnk.sys
2010-05-04 16:01 . 2010-04-27 23:16 88480 ----a-w- c:\windows\system32\drivers\mfendisk.sys
2010-05-04 16:01 . 2010-04-27 23:16 83496 ----a-w- c:\windows\system32\drivers\mferkdet.sys
2010-05-04 16:01 . 2010-04-27 23:16 82952 ----a-w- c:\windows\system32\drivers\mfetdi2k.sys
2010-05-04 16:01 . 2010-04-27 23:16 312616 ----a-w- c:\windows\system32\drivers\mfefirek.sys
2010-05-04 16:01 . 2010-04-27 23:16 95568 ----a-w- c:\windows\system32\drivers\mfeapfk.sys
2010-05-04 16:01 . 2010-04-27 23:16 55456 ----a-w- c:\windows\system32\drivers\cfwids.sys
2010-05-04 15:36 . 2010-05-04 15:36 -------- d-----w- c:\windows\system32\wbem\Repository
2010-05-04 06:06 . 2010-05-10 20:04 -------- d-s---w- c:\documents and settings\NetworkService\UserData
2010-04-21 18:56 . 2005-06-06 16:29 110592 ----a-w- c:\documents and settings\Philip\Application Data\U3\temp\cleanup.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-16 17:04 . 2009-09-24 18:01 0 ----a-w- c:\windows\system32\drivers\lvuvc.hs
2010-05-16 17:02 . 2007-03-23 05:52 -------- d-----w- c:\documents and settings\Phil\Application Data\uTorrent
2010-05-16 15:57 . 2008-10-20 01:36 -------- d-----w- c:\documents and settings\Philip\Application Data\DNA
2010-05-16 03:16 . 2008-10-20 01:36 -------- d-----w- c:\program files\DNA
2010-05-16 03:13 . 2006-03-13 01:06 -------- d-----w- c:\documents and settings\Hal\Application Data\BitTorrent
2010-05-15 23:48 . 2010-04-07 18:54 439816 ----a-w- c:\documents and settings\Hal\Application Data\Real\Update\setup3.10\setup.exe
2010-05-15 17:10 . 2007-03-23 05:51 -------- d-----w- c:\program files\uTorrent
2010-05-15 04:34 . 2010-03-04 02:34 439816 ----a-w- c:\documents and settings\Phil\Application Data\Real\Update\setup3.10\setup.exe
2010-05-14 22:32 . 2009-05-08 23:35 -------- d-----w- c:\program files\Warcraft III
2010-05-14 21:51 . 2005-09-14 00:36 -------- d-----w- c:\documents and settings\Philip\Application Data\BitTorrent
2010-05-14 04:08 . 2009-05-23 04:33 -------- d-----w- c:\program files\Hotspot Shield
2010-05-13 00:12 . 2006-10-29 07:50 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2010-05-12 04:25 . 2009-09-26 19:52 -------- d-----w- c:\program files\iTunes
2010-05-12 04:23 . 2007-07-16 07:36 -------- d-----w- c:\program files\Common Files\Apple
2010-05-09 23:44 . 2006-10-13 05:17 -------- d-----w- c:\documents and settings\Philip\Application Data\DivX
2010-05-08 04:04 . 2009-04-08 05:01 117760 -c--a-w- c:\documents and settings\Phil\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-05-05 03:28 . 2006-10-08 15:56 -------- d-----w- c:\documents and settings\Phil\Application Data\DivX
2010-05-05 03:26 . 2005-04-08 03:19 -------- d-----w- c:\program files\DivX
2010-05-05 03:21 . 2009-07-01 15:19 -------- d-----w- c:\program files\Common Files\DivX Shared
2010-05-04 16:32 . 2009-12-29 00:10 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-04 16:24 . 2009-12-17 02:58 -------- d-----w- c:\program files\McAfee.com
2010-05-04 16:12 . 2006-12-01 06:34 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2010-05-04 16:12 . 2006-12-01 06:36 -------- d-----w- c:\program files\McAfee
2010-05-04 16:09 . 2009-12-17 02:59 -------- d-----w- c:\program files\Common Files\McAfee
2010-04-29 21:39 . 2009-12-29 00:10 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 21:39 . 2009-12-29 00:10 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-28 00:54 . 2005-08-06 16:38 -------- d-----w- c:\documents and settings\All Users\Application Data\DVD Shrink
2010-04-27 23:16 . 2009-11-04 23:54 385880 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2010-04-27 23:16 . 2006-12-01 06:38 51688 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2010-04-27 23:16 . 2006-12-01 06:38 152320 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2010-04-23 21:52 . 2009-02-27 17:57 -------- d-----w- c:\documents and settings\Philip\Application Data\U3
2010-04-22 03:46 . 2010-04-01 03:45 439816 ----a-w- c:\documents and settings\Philip\Application Data\Real\Update\setup3.10\setup.exe
2010-04-19 22:55 . 2005-01-18 04:55 -------- d-----w- c:\documents and settings\Philip\Application Data\Ahead
2010-04-12 05:46 . 2006-05-23 06:16 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-04-11 17:07 . 2006-05-01 00:26 -------- d-----w- c:\documents and settings\Philip\Application Data\uTorrent
2010-04-09 20:32 . 2010-04-09 20:32 -------- d-----w- c:\documents and settings\Hal\Application Data\CyberLink
2010-04-09 07:12 . 2007-02-06 20:30 -------- d-----w- c:\documents and settings\Hal\Application Data\Apple Computer
2010-04-08 19:20 . 2010-04-08 19:20 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-04-08 19:20 . 2010-04-08 19:20 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-04-08 19:08 . 2010-01-24 19:44 -------- d-----w- c:\documents and settings\Hal\Application Data\uTorrent
2010-04-07 08:36 . 2010-04-07 08:35 -------- d-----w- c:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-04-07 08:30 . 2007-12-04 00:15 -------- d-----w- c:\program files\QuickTime
2010-04-07 08:06 . 2009-11-01 06:03 -------- d-----w- c:\program files\Safari
2010-04-07 08:00 . 2010-04-07 08:00 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\Safari 5.31.22.7\SetupAdmin.exe
2010-03-31 01:58 . 2007-05-30 06:26 133616 ------w- c:\windows\system32\pxafs.dll
2010-03-31 01:58 . 2006-04-23 02:14 125424 ------w- c:\windows\system32\pxinsi64.exe
2010-03-31 01:58 . 2006-04-23 02:14 123888 ------w- c:\windows\system32\pxcpyi64.exe
2010-03-31 01:58 . 2005-01-26 09:03 44944 ----a-w- c:\windows\system32\drivers\pxhelp20.sys
2010-03-25 03:04 . 2010-03-25 03:04 0 ----a-w- c:\documents and settings\All Users\Application Data\ISx716.tmp
2010-03-25 03:03 . 2010-03-25 03:03 0 ----a-w- c:\documents and settings\All Users\Application Data\ISx715.tmp
2010-03-25 03:03 . 2010-03-25 03:03 0 ----a-w- c:\documents and settings\All Users\Application Data\ISx711.tmp
2010-03-22 09:11 . 2004-12-23 23:53 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-03-11 04:12 . 2007-07-01 07:42 100254 ----a-w- c:\windows\War3Unin.dat
2010-03-10 04:14 . 2007-07-01 06:15 43520 ----a-w- c:\windows\system32\CmdLineExt03.dll
2010-03-09 11:09 . 2003-03-31 12:00 430080 ----a-w- c:\windows\system32\vbscript.dll
2010-03-08 17:59 . 2010-03-08 17:59 94208 ----a-w- c:\windows\system32\dpl100.dll
2010-02-26 05:43 . 2003-03-31 12:00 667136 ----a-w- c:\windows\system32\wininet.dll
2010-02-26 05:43 . 2004-12-24 00:05 81920 ----a-w- c:\windows\system32\ieencode.dll
2010-02-24 13:11 . 2003-03-31 12:00 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-19 19:27 . 2010-02-19 19:27 720384 ----a-w- c:\windows\system32\DivX.dll
2010-02-19 19:27 . 2010-02-19 19:27 856064 ----a-w- c:\windows\system32\divx_xx0c.dll
2010-02-19 19:27 . 2010-02-19 19:27 856064 ----a-w- c:\windows\system32\divx_xx07.dll
2010-02-19 19:27 . 2010-02-19 19:27 847872 ----a-w- c:\windows\system32\divx_xx0a.dll
2010-02-19 19:27 . 2010-02-19 19:27 843776 ----a-w- c:\windows\system32\divx_xx16.dll
2010-02-19 19:27 . 2010-02-19 19:27 839680 ----a-w- c:\windows\system32\divx_xx11.dll
2010-02-19 18:36 . 2010-02-19 18:22 47360 ----a-w- c:\documents and settings\Philip\Application Data\pcouffin.sys
2010-02-19 18:36 . 2010-02-19 18:22 47360 ----a-w- c:\documents and settings\Philip\Application Data\pcouffin.sys
2010-02-19 18:22 . 2006-04-23 03:11 47360 ----a-w- c:\windows\system32\drivers\pcouffin.sys
2010-02-17 15:10 . 2003-03-31 12:00 2189952 ------w- c:\windows\system32\ntoskrnl.exe
2010-02-16 13:25 . 2002-08-29 01:04 2066816 ------w- c:\windows\system32\ntkrnlpa.exe
2007-11-25 16:57 . 2007-11-25 16:57 604 ---ha-w- c:\program files\STLL Notifier
2004-03-11 20:27 . 2004-12-24 01:04 40960 ----a-w- c:\program files\Uninstall_CDS.exe
2002-07-27 00:02 . 2005-01-03 16:58 153088 ----a-w- c:\program files\UNWISE.EXE
2010-04-27 23:16 . 2010-05-04 16:01 24376 ----a-w- c:\program files\mozilla firefox\components\Scriptff.dll
2003-03-31 12:00 . 2003-03-31 12:00 94784 --sh--w- c:\windows\twain.dll
2008-04-14 00:12 . 2003-03-31 12:00 50688 --sh--w- c:\windows\twain_32.dll
2005-04-08 03:19 . 2005-04-08 03:19 56 --sh--r- c:\windows\system32\634B638EB3.sys
2008-04-14 00:11 . 2003-03-31 12:00 1028096 --sha-w- c:\windows\system32\mfc42.dll
2008-04-14 00:12 . 2003-03-31 12:00 57344 --sha-w- c:\windows\system32\msvcirt.dll
2008-04-14 00:12 . 2003-03-31 12:00 413696 --sha-w- c:\windows\system32\msvcp60.dll
2008-04-14 00:12 . 2003-03-31 12:00 551936 --sh--w- c:\windows\system32\oleaut32.dll
2008-04-14 00:12 . 2003-03-31 12:00 84992 --sha-w- c:\windows\system32\olepro32.dll
2008-04-14 00:12 . 2003-03-31 12:00 11776 --sh--w- c:\windows\system32\regsvr32.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
2009-04-02 18:47 333192 ----a-w- c:\program files\AskBarDis\bar\bin\askBar.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F9E4A054-E9B1-4BC3-83A3-76A1AE736170}]
2009-05-23 04:33 218160 ----a-w- c:\program files\Hotspot Shield\hssie\HssIE.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{3041d03e-fd4b-44e0-b742-2d9b88305f98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2009-04-02 333192]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{3041D03E-FD4B-44E0-B742-2D9B88305F98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2009-04-02 333192]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-05-21 68856]
"PhotoShow Deluxe Media Manager"="c:\progra~1\Ahead\Ahead\data\Xtras\mssysmgr.exe" [2004-05-12 196608]
"LDM"="c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe" [2007-02-19 67128]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-03-26 149040]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-04-25 185896]
"SoundMan"="SOUNDMAN.EXE" [2004-01-08 65536]
"Share-to-Web Namespace Daemon"="c:\program files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe" [2001-07-03 57344]
"RemoteControl"="c:\program files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe" [2003-12-09 32768]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"NBKeyScan"="c:\program files\Nero\Nero 7\Nero BackItUp\NBKeyScan.exe" [2007-03-26 1185328]
"LVCOMSX"="c:\windows\system32\LVCOMSX.EXE" [2005-09-01 221184]
"LogitechVideo[inspector]"="c:\program files\Logitech\Video\InstallHelper.exe" [2005-09-07 13:39 73728]
"LogitechCameraService(E)"="c:\windows\system32\ElkCtrl.exe" [2004-11-02 262144]
"LogitechCameraAssistant"="c:\program files\Logitech\Video\CameraAssistant.exe" [2005-09-07 434176]
"HPHUPD08"="c:\program files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe" [2005-06-01 49152]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"CXMon"="c:\program files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe" [2001-08-27 45056]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-08-04 339968]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-03-17 47392]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]
"Freecorder FLV Service"="c:\program files\Freecorder\FLVSrvc.exe" [2009-11-15 158752]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-18 421888]
"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2010-04-02 1180976]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2010-04-12 1135912]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-04-28 142120]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\Hal\Start Menu\Programs\Startup\
BitTorrent.lnk - c:\program files\BitTorrent\bittorrent.exe [2008-9-26 654648]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - c:\program files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe [2005-10-5 49254]
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-7-21 113664]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 29696]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-5-12 282624]
HP Image Zone Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2005-5-12 73728]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 21:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Logitech Desktop Messenger.lnk
backup=c:\windows\pss\Logitech Desktop Messenger.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^PageKeeper Jobs.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\PageKeeper Jobs.lnk
backup=c:\windows\pss\PageKeeper Jobs.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dvd43]
2005-04-28 00:23 788992 ----a-w- c:\program files\dvd43\DVD43_Tray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
2009-03-05 22:07 2260480 -csha-r- c:\program files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
2009-09-04 20:49 1994480 -c--a-w- c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Valve\\Steam\\Steam.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\zzzsheepyzzz\\counter-strike source\\hl2.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\zzzsheepyzzz\\half-life 2 deathmatch\\hl2.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Windows Media Player\\wmplayer.exe"=
"d:\\3dsmax6\\3dsmax.exe"=
"c:\\WINDOWS\\system32\\javaw.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\NetMeeting\\conf.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\HP\\HP Software Update\\HPWUCli.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\WINDOWS\\kdx\\khost.exe"=
"d:\\monitor.exe"=
"d:\\manager.exe"=
"d:\\server.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
"c:\\Program Files\\uTorrent\\utorrent.exe"=
"c:\\Program Files\\SPSS Viewer\\SPSSNAV.EXE"=
"c:\\Program Files\\Common Files\\Ahead\\Nero Web\\SetupX.exe"=
"C:3\\Ares\\Ares.exe"=
"c:\\Program Files\\Starcraft\\StarCraft.exe"=
"C:5\\Ares\\Ares.exe"=
"c:\\Program Files\\Real\\RealPlayer\\RecordingManager.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\Common Files\\Ahead\\Lib\\NMIndexStoreSvr.exe"=
"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\8.1.1.50-8876480SL\\Program\\Restart.exe"=
"c:\\Program Files\\Google\\GoogleToolbarNotifier\\GoogleToolbarNotifier.exe"=
"c:\\Program Files\\dvd43\\DVD43_Tray.exe"=
"c:\\Program Files\\Ares\\Ares.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Warcraft III\\Warcraft III.exe"=
"c:\\Program Files\\Common Files\\McAfee\\McSvcHost\\McSvHost.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R0 MrFilter;EasyWrite Driver;c:\windows\system32\drivers\MRFilter.sys [30/05/2005 10:50 PM 11776]
R1 ATMhelpr;ATMhelpr;c:\windows\system32\drivers\ATMHELPR.SYS [31/01/2005 10:08 AM 4064]
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [04/05/2010 10:01 AM 82952]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [04/09/2009 2:50 PM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [04/09/2009 2:49 PM 74480]
R2 HssWd;Hotspot Shield Monitoring Service;c:\program files\Hotspot Shield\bin\hsswd.exe [31/03/2010 6:24 PM 194608]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [16/12/2009 9:02 PM 93320]
R2 McMPFSvc;McAfee Personal Firewall;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [04/05/2010 10:00 AM 271480]
R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [04/05/2010 10:00 AM 271480]
R2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\McAfee\SystemCore\mfefire.exe [04/05/2010 10:02 AM 188136]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\Common Files\McAfee\SystemCore\mfevtps.exe [04/05/2010 10:01 AM 141792]
R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [04/05/2010 10:01 AM 55456]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [04/05/2010 10:01 AM 312616]
R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [04/05/2010 10:01 AM 88480]
S0 viasraid;viasraid;c:\windows\system32\DRIVERS\viasraid.sys --> c:\windows\system32\DRIVERS\viasraid.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [06/02/2010 1:38 PM 135664]
S2 IcRecUsb;IC Recorder Driver;c:\windows\system32\drivers\IcRecUsb.sys [19/09/2006 3:30 PM 17432]
S3 ASPI;Advanced SCSI Programming Interface Driver;c:\windows\system32\drivers\aspi32.sys [31/01/2005 10:04 AM 16512]
S3 F-Secure Standalone Minifilter;F-Secure Standalone Minifilter;\??\c:\docume~1\Phil\LOCALS~1\Temp\OnlineScanner\Anti-Virus\fsgk.sys --> c:\docume~1\Phil\LOCALS~1\Temp\OnlineScanner\Anti-Virus\fsgk.sys [?]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [04/05/2010 10:01 AM 88480]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [04/05/2010 10:01 AM 83496]
S3 Ql1ipo;Ql1ipo; [x]
S3 rootrepeal2;rootrepeal2;\??\c:\windows\system32\drivers\rootrepeal2.sys --> c:\windows\system32\drivers\rootrepeal2.sys [?]
S3 rootrepeal3;rootrepeal3;\??\c:\windows\system32\drivers\rootrepeal3.sys --> c:\windows\system32\drivers\rootrepeal3.sys [?]
S3 RTL8187B;Realtek RTL8187B Wireless 802.11b/g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\drivers\RTL8187B.sys [10/06/2009 5:53 AM 341376]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [04/09/2009 2:50 PM 7408]

--- Other Services/Drivers In Memory ---

*Deregistered* - mfeavfk01
.
Contents of the 'Scheduled Tasks' folder

2010-05-15 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 18:34]

2010-05-16 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-06 19:38]

2010-05-16 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-06 19:38]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.defaulthomepage.info/
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &Webshots Photo Search - c:\program files\Webshots\WSToolbar4IE.dll/MENUSEARCH.HTM
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
Trusted Zone: internet
Trusted Zone: mcafee.com
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
DPF: {22D4879A-92DB-470D-8A83-E158797D8176} - file://f:\components\Liquid.ocx
FF - ProfilePath - c:\documents and settings\Phil\Application Data\Mozilla\Firefox\Profiles\6i82zj2e.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT1060933&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.startup.homepage - hxxp://en-US.start3.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT1060933&q=
FF - component: c:\documents and settings\Phil\Application Data\Mozilla\Firefox\Profiles\6i82zj2e.default\extensions\{1392b8d2-5c05-419f-a8f6-b9f15a596612}\components\FFExternalAlert.dll
FF - component: c:\documents and settings\Phil\Application Data\Mozilla\Firefox\Profiles\6i82zj2e.default\extensions\{1392b8d2-5c05-419f-a8f6-b9f15a596612}\components\RadioWMPCore.dll
FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - plugin: c:\documents and settings\Phil\Application Data\Facebook\npfbplugin_1_0_0.dll
FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\McAfee\Supportability\MVT\NPMVTPlugin.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmusicn.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPTURNMED.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\activexFF10.js - pref("capability.policy.default.ClassID.CID4E7FF8BB-0A5A-4AA3-B764-B39BA9A13E38", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activexFF10.js - pref("capability.policy.default.ClassID.CIDB24F189F-FB14-4EFD-8B9D-217EC6C84EA1", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activexFF10.js - pref("capability.policy.default.ClassID.CID86ED3659-02F6-465D-8F19-A9334614CCC3", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activexFF10.js - pref("capability.policy.default.ClassID.CID5D7F48C0-CB49-4ea6-97D4-04F4EACC2F3B", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activexFF10.js - pref("capability.policy.default.ClassID.CID4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activexFF10.js - pref("capability.policy.default.ClassID.CIDA43C6FC7-09F6-4E04-B8E3-683F3BDFEF7C", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activexFF10.js - pref("capability.policy.default.ClassID.CID4C8D6404-A9F6-4236-8488-6C5732CB3BFA", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js:pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.
- - - - ORPHANS REMOVED - - - -

BHO-{013b462b-5ee3-4c46-830f-310178bcc424} - (no file)
BHO-{32566f20-b13b-4230-90b0-e70f09e6aff3} - (no file)
BHO-{A429ECAE-A5B5-44A3-BBC8-A5D063470D59} - (no file)
MSConfigStartUp-Messenger (Yahoo!) - c:\program files\Yahoo!\Messenger\YahooMessenger.exe
AddRemove-BulentsScreenRecorder3 - c:\program files\Bulent's Screen Recorder\Uninstall Screen Recorder 3.exe
AddRemove-Google Video Uploader - c:\program files\Google Video\Uninstall.exe
AddRemove-{7B63B2922B174135AFC0E1377DD81EC2} - c:\program files\DivX\DivXCodecUninstall.exe
AddRemove-{CB0888EE-96D8-4713-84DC-36462C33AEB4} - c:\program files\Bazooka Scanner\Uninstall.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-16 11:21
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\windows\TEMP\ver27.tmp 352 bytes

scan completed successfully
hidden files: 1

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
@DACL=(02 0000)
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
@DACL=(02 0000)
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
@DACL=(02 0000)
"Installed"="1"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(656)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2010-05-16 11:28:15
ComboFix-quarantined-files.txt 2010-05-16 17:27

Pre-Run: 5,115,789,312 bytes free
Post-Run: 5,278,982,144 bytes free

Current=6 Default=6 Failed=5 LastKnownGood=7 Sets=2,3,4,5,6,7
- - End Of File - - C6F13865E2607E1A3141599B35DBBA86


#4 mpascal

mpascal

    Math Nerd


  • Members
  • 1,653 posts
  • Gender:Male
  • Location:Canada

Posted 16 May 2010 - 05:13 PM

Hi there,

Uninstall this program in Add / Remove Programs:

Ask Toolbar

Close any open browsers, and close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Open notepad and copy/paste the text in the codebox below into it:

CODE
File::
c:\documents and settings\All Users\Application Data\ISx711.tmp
c:\documents and settings\All Users\Application Data\ISx715.tmp
c:\documents and settings\All Users\Application Data\ISx716.tmp
c:\windows\system32\634B638EB3.sys

Driver::
Ql1ipo

  • Save this as CFScript.txt, in the same location as ComboFix.exe


Referring to the picture above, drag CFScript into ComboFix.exe.

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.


Stay with your topic! Topics that go 4 days without a reply will be closed. PM me to reopen.

Please don't PM asking for support. Post on the forums instead.

My help is free, but if you wish to donate and help continue my fight against malware, click here.


#5 smartjock99

smartjock99
  • Topic Starter

  • Members
  • 113 posts

Posted 17 May 2010 - 08:17 AM

Here's my new ComboFix log:

ComboFix 10-05-15.03 - Phil 17/05/2010 2:37.8.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1535.1021 [GMT -6:00]
Running from: c:\documents and settings\Phil\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Phil\Desktop\CFScript.txt
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

FILE ::
"c:\documents and settings\All Users\Application Data\ISx711.tmp"
"c:\documents and settings\All Users\Application Data\ISx715.tmp"
"c:\documents and settings\All Users\Application Data\ISx716.tmp"
"c:\windows\system32\634B638EB3.sys"
.
The following files were disabled during the run:
c:\program files\Common Files\Logitech\LVMVFM\LVPrcInj.dll


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
c:\documents and settings\All Users\Application Data\ISx711.tmp
c:\documents and settings\All Users\Application Data\ISx715.tmp
c:\documents and settings\All Users\Application Data\ISx716.tmp
c:\windows\system32\634B638EB3.sys

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_QL1IPO
-------\Service_Ql1ipo


((((((((((((((((((((((((( Files Created from 2010-04-17 to 2010-05-17 )))))))))))))))))))))))))))))))
.

2010-05-12 04:24 . 2010-05-12 04:24 -------- d-----w- c:\program files\iPod
2010-05-12 04:14 . 2010-05-12 04:14 -------- d-----w- c:\program files\Bonjour
2010-05-12 04:11 . 2010-05-12 04:11 73000 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.1.1.12\SetupAdmin.exe
2010-05-07 04:33 . 2010-05-07 04:33 -------- d-s---w- c:\documents and settings\LocalService\UserData
2010-05-05 03:27 . 2010-05-05 03:27 57344 ----a-w- c:\documents and settings\All Users\Application Data\DivX\RunAsUser\RUNASUSERPROCESS.dll
2010-05-05 03:26 . 2010-05-05 03:20 754984 ----a-w- c:\documents and settings\All Users\Application Data\DivX\Setup\Resource.dll
2010-05-05 03:26 . 2010-05-05 03:19 1180952 ----a-w- c:\documents and settings\All Users\Application Data\DivX\Setup\DivXSetup.exe
2010-05-05 03:26 . 2009-12-04 01:18 530625 ----a-w- c:\documents and settings\All Users\Application Data\DivX\DivX7\DivX Plus DirectShow Filters\DivXDSFiltersUninstall.exe
2010-05-05 03:26 . 2009-12-04 01:18 530625 ----a-w- c:\documents and settings\All Users\Application Data\DivX\DivX7\DivX Converter\DivXConverterUninstall.exe
2010-05-05 03:26 . 2010-05-05 03:26 56766 ----a-w- c:\documents and settings\All Users\Application Data\DivX\DivXPlusShortcuts\Uninstaller.exe
2010-05-05 03:26 . 2010-05-05 03:26 56978 ----a-w- c:\documents and settings\All Users\Application Data\DivX\WebPlayer\Uninstaller.exe
2010-05-05 03:26 . 2010-05-05 03:26 53600 ----a-w- c:\documents and settings\All Users\Application Data\DivX\Update\Uninstaller.exe
2010-05-05 03:26 . 2010-05-05 03:26 57679 ----a-w- c:\documents and settings\All Users\Application Data\DivX\Player\Uninstaller.exe
2010-05-05 03:23 . 2010-05-05 03:23 84040 ----a-w- c:\documents and settings\All Users\Application Data\DivX\TransferWizard\Uninstaller.exe
2010-05-05 03:23 . 2010-05-05 03:23 57054 ----a-w- c:\documents and settings\All Users\Application Data\DivX\DSDesktopComponents\Uninstaller.exe
2010-05-05 03:23 . 2010-05-05 03:23 54166 ----a-w- c:\documents and settings\All Users\Application Data\DivX\DSAVCDecoder\Uninstaller.exe
2010-05-05 03:23 . 2010-05-05 03:23 57532 ----a-w- c:\documents and settings\All Users\Application Data\DivX\DSASPDecoder\Uninstaller.exe
2010-05-05 03:23 . 2010-05-05 03:23 56458 ----a-w- c:\documents and settings\All Users\Application Data\DivX\DivXDecoderShortcut\Uninstaller.exe
2010-05-05 03:23 . 2010-05-05 03:23 54174 ----a-w- c:\documents and settings\All Users\Application Data\DivX\DSAACDecoder\Uninstaller.exe
2010-05-05 03:23 . 2010-05-05 03:23 54153 ----a-w- c:\documents and settings\All Users\Application Data\DivX\DFXPlugin\Uninstaller.exe
2010-05-05 03:23 . 2010-05-05 03:23 54128 ----a-w- c:\documents and settings\All Users\Application Data\DivX\Converter\Uninstaller.exe
2010-05-05 03:22 . 2010-05-05 03:22 54629 ----a-w- c:\documents and settings\All Users\Application Data\DivX\TranscodeEngine\Uninstaller.exe
2010-05-05 03:22 . 2010-05-05 03:22 54101 ----a-w- c:\documents and settings\All Users\Application Data\DivX\MPEG2Plugin\Uninstaller.exe
2010-05-05 03:22 . 2010-05-05 03:22 57409 ----a-w- c:\documents and settings\All Users\Application Data\DivX\ControlPanel\Uninstaller.exe
2010-05-05 03:22 . 2010-05-05 03:22 52963 ----a-w- c:\documents and settings\All Users\Application Data\DivX\MSVC80CRTRedist\Uninstaller.exe
2010-05-05 03:22 . 2010-05-05 03:22 54073 ----a-w- c:\documents and settings\All Users\Application Data\DivX\Qt4.5\Uninstaller.exe
2010-05-05 03:21 . 2010-05-05 03:21 56969 ----a-w- c:\documents and settings\All Users\Application Data\DivX\ASPEncoder\Uninstaller.exe
2010-05-05 03:20 . 2010-05-05 03:20 144696 ----a-w- c:\documents and settings\All Users\Application Data\DivX\RunAsUser\RUNASUSERPROCESS.exe
2010-05-05 03:20 . 2010-05-05 03:26 -------- d-----w- c:\documents and settings\All Users\Application Data\DivX
2010-05-04 16:01 . 2010-04-27 23:16 9344 ----a-w- c:\windows\system32\drivers\mfeclnk.sys
2010-05-04 16:01 . 2010-04-27 23:16 88480 ----a-w- c:\windows\system32\drivers\mfendisk.sys
2010-05-04 16:01 . 2010-04-27 23:16 83496 ----a-w- c:\windows\system32\drivers\mferkdet.sys
2010-05-04 16:01 . 2010-04-27 23:16 82952 ----a-w- c:\windows\system32\drivers\mfetdi2k.sys
2010-05-04 16:01 . 2010-04-27 23:16 312616 ----a-w- c:\windows\system32\drivers\mfefirek.sys
2010-05-04 16:01 . 2010-04-27 23:16 95568 ----a-w- c:\windows\system32\drivers\mfeapfk.sys
2010-05-04 16:01 . 2010-04-27 23:16 55456 ----a-w- c:\windows\system32\drivers\cfwids.sys
2010-05-04 15:36 . 2010-05-04 15:36 -------- d-----w- c:\windows\system32\wbem\Repository
2010-05-04 06:06 . 2010-05-10 20:04 -------- d-s---w- c:\documents and settings\NetworkService\UserData
2010-04-21 18:56 . 2005-06-06 16:29 110592 ----a-w- c:\documents and settings\Philip\Application Data\U3\temp\cleanup.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-17 07:51 . 2009-09-24 18:01 0 ----a-w- c:\windows\system32\drivers\lvuvc.hs
2010-05-16 17:02 . 2007-03-23 05:52 -------- d-----w- c:\documents and settings\Phil\Application Data\uTorrent
2010-05-16 15:57 . 2008-10-20 01:36 -------- d-----w- c:\documents and settings\Philip\Application Data\DNA
2010-05-16 03:16 . 2008-10-20 01:36 -------- d-----w- c:\program files\DNA
2010-05-16 03:13 . 2006-03-13 01:06 -------- d-----w- c:\documents and settings\Hal\Application Data\BitTorrent
2010-05-15 23:48 . 2010-04-07 18:54 439816 ----a-w- c:\documents and settings\Hal\Application Data\Real\Update\setup3.10\setup.exe
2010-05-15 17:10 . 2007-03-23 05:51 -------- d-----w- c:\program files\uTorrent
2010-05-15 04:34 . 2010-03-04 02:34 439816 ----a-w- c:\documents and settings\Phil\Application Data\Real\Update\setup3.10\setup.exe
2010-05-14 22:32 . 2009-05-08 23:35 -------- d-----w- c:\program files\Warcraft III
2010-05-14 21:51 . 2005-09-14 00:36 -------- d-----w- c:\documents and settings\Philip\Application Data\BitTorrent
2010-05-14 04:08 . 2009-05-23 04:33 -------- d-----w- c:\program files\Hotspot Shield
2010-05-13 00:12 . 2006-10-29 07:50 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2010-05-12 04:25 . 2009-09-26 19:52 -------- d-----w- c:\program files\iTunes
2010-05-12 04:23 . 2007-07-16 07:36 -------- d-----w- c:\program files\Common Files\Apple
2010-05-09 23:44 . 2006-10-13 05:17 -------- d-----w- c:\documents and settings\Philip\Application Data\DivX
2010-05-08 04:04 . 2009-04-08 05:01 117760 -c--a-w- c:\documents and settings\Phil\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-05-05 03:28 . 2006-10-08 15:56 -------- d-----w- c:\documents and settings\Phil\Application Data\DivX
2010-05-05 03:26 . 2005-04-08 03:19 -------- d-----w- c:\program files\DivX
2010-05-05 03:21 . 2009-07-01 15:19 -------- d-----w- c:\program files\Common Files\DivX Shared
2010-05-04 16:32 . 2009-12-29 00:10 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-04 16:24 . 2009-12-17 02:58 -------- d-----w- c:\program files\McAfee.com
2010-05-04 16:12 . 2006-12-01 06:34 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2010-05-04 16:12 . 2006-12-01 06:36 -------- d-----w- c:\program files\McAfee
2010-05-04 16:09 . 2009-12-17 02:59 -------- d-----w- c:\program files\Common Files\McAfee
2010-04-29 21:39 . 2009-12-29 00:10 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 21:39 . 2009-12-29 00:10 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-28 00:54 . 2005-08-06 16:38 -------- d-----w- c:\documents and settings\All Users\Application Data\DVD Shrink
2010-04-27 23:16 . 2009-11-04 23:54 385880 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2010-04-27 23:16 . 2006-12-01 06:38 51688 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2010-04-27 23:16 . 2006-12-01 06:38 152320 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2010-04-23 21:52 . 2009-02-27 17:57 -------- d-----w- c:\documents and settings\Philip\Application Data\U3
2010-04-22 03:46 . 2010-04-01 03:45 439816 ----a-w- c:\documents and settings\Philip\Application Data\Real\Update\setup3.10\setup.exe
2010-04-19 22:55 . 2005-01-18 04:55 -------- d-----w- c:\documents and settings\Philip\Application Data\Ahead
2010-04-12 05:46 . 2006-05-23 06:16 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-04-11 17:07 . 2006-05-01 00:26 -------- d-----w- c:\documents and settings\Philip\Application Data\uTorrent
2010-04-09 20:32 . 2010-04-09 20:32 -------- d-----w- c:\documents and settings\Hal\Application Data\CyberLink
2010-04-09 07:12 . 2007-02-06 20:30 -------- d-----w- c:\documents and settings\Hal\Application Data\Apple Computer
2010-04-08 19:20 . 2010-04-08 19:20 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-04-08 19:20 . 2010-04-08 19:20 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-04-08 19:08 . 2010-01-24 19:44 -------- d-----w- c:\documents and settings\Hal\Application Data\uTorrent
2010-04-07 08:36 . 2010-04-07 08:35 -------- d-----w- c:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-04-07 08:30 . 2007-12-04 00:15 -------- d-----w- c:\program files\QuickTime
2010-04-07 08:06 . 2009-11-01 06:03 -------- d-----w- c:\program files\Safari
2010-04-07 08:00 . 2010-04-07 08:00 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\Safari 5.31.22.7\SetupAdmin.exe
2010-03-31 01:58 . 2007-05-30 06:26 133616 ------w- c:\windows\system32\pxafs.dll
2010-03-31 01:58 . 2006-04-23 02:14 125424 ------w- c:\windows\system32\pxinsi64.exe
2010-03-31 01:58 . 2006-04-23 02:14 123888 ------w- c:\windows\system32\pxcpyi64.exe
2010-03-31 01:58 . 2005-01-26 09:03 44944 ----a-w- c:\windows\system32\drivers\pxhelp20.sys
2010-03-22 09:11 . 2004-12-23 23:53 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-03-11 04:12 . 2007-07-01 07:42 100254 ----a-w- c:\windows\War3Unin.dat
2010-03-10 04:14 . 2007-07-01 06:15 43520 ----a-w- c:\windows\system32\CmdLineExt03.dll
2010-03-09 11:09 . 2003-03-31 12:00 430080 ----a-w- c:\windows\system32\vbscript.dll
2010-03-08 17:59 . 2010-03-08 17:59 94208 ----a-w- c:\windows\system32\dpl100.dll
2010-02-26 05:43 . 2003-03-31 12:00 667136 ----a-w- c:\windows\system32\wininet.dll
2010-02-26 05:43 . 2004-12-24 00:05 81920 ----a-w- c:\windows\system32\ieencode.dll
2010-02-24 13:11 . 2003-03-31 12:00 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-19 19:27 . 2010-02-19 19:27 720384 ----a-w- c:\windows\system32\DivX.dll
2010-02-19 19:27 . 2010-02-19 19:27 856064 ----a-w- c:\windows\system32\divx_xx0c.dll
2010-02-19 19:27 . 2010-02-19 19:27 856064 ----a-w- c:\windows\system32\divx_xx07.dll
2010-02-19 19:27 . 2010-02-19 19:27 847872 ----a-w- c:\windows\system32\divx_xx0a.dll
2010-02-19 19:27 . 2010-02-19 19:27 843776 ----a-w- c:\windows\system32\divx_xx16.dll
2010-02-19 19:27 . 2010-02-19 19:27 839680 ----a-w- c:\windows\system32\divx_xx11.dll
2010-02-19 18:36 . 2010-02-19 18:22 47360 ----a-w- c:\documents and settings\Philip\Application Data\pcouffin.sys
2010-02-19 18:36 . 2010-02-19 18:22 47360 ----a-w- c:\documents and settings\Philip\Application Data\pcouffin.sys
2010-02-19 18:22 . 2006-04-23 03:11 47360 ----a-w- c:\windows\system32\drivers\pcouffin.sys
2010-02-17 15:10 . 2003-03-31 12:00 2189952 ------w- c:\windows\system32\ntoskrnl.exe
2010-02-16 13:25 . 2002-08-29 01:04 2066816 ------w- c:\windows\system32\ntkrnlpa.exe
2007-11-25 16:57 . 2007-11-25 16:57 604 ---ha-w- c:\program files\STLL Notifier
2004-03-11 20:27 . 2004-12-24 01:04 40960 ----a-w- c:\program files\Uninstall_CDS.exe
2002-07-27 00:02 . 2005-01-03 16:58 153088 ----a-w- c:\program files\UNWISE.EXE
2010-04-27 23:16 . 2010-05-04 16:01 24376 ----a-w- c:\program files\mozilla firefox\components\Scriptff.dll
2003-03-31 12:00 . 2003-03-31 12:00 94784 --sh--w- c:\windows\twain.dll
2008-04-14 00:12 . 2003-03-31 12:00 50688 --sh--w- c:\windows\twain_32.dll
2008-04-14 00:11 . 2003-03-31 12:00 1028096 --sha-w- c:\windows\system32\mfc42.dll
2008-04-14 00:12 . 2003-03-31 12:00 57344 --sha-w- c:\windows\system32\msvcirt.dll
2008-04-14 00:12 . 2003-03-31 12:00 413696 --sha-w- c:\windows\system32\msvcp60.dll
2008-04-14 00:12 . 2003-03-31 12:00 551936 --sh--w- c:\windows\system32\oleaut32.dll
2008-04-14 00:12 . 2003-03-31 12:00 84992 --sha-w- c:\windows\system32\olepro32.dll
2008-04-14 00:12 . 2003-03-31 12:00 11776 --sh--w- c:\windows\system32\regsvr32.exe
.

((((((((((((((((((((((((((((( SnapShot@2010-05-16_17.22.10 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-05-17 07:52 . 2010-05-17 07:52 16384 c:\windows\Temp\Perflib_Perfdata_e0.dat
+ 2004-12-23 23:39 . 2010-05-17 02:48 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2004-12-23 23:39 . 2010-05-16 12:08 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2010-05-16 22:03 . 2010-05-17 02:48 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2010-01-16 05:06 . 2010-05-16 12:08 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F9E4A054-E9B1-4BC3-83A3-76A1AE736170}]
2009-05-23 04:33 218160 ----a-w- c:\program files\Hotspot Shield\hssie\HssIE.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-05-21 68856]
"PhotoShow Deluxe Media Manager"="c:\progra~1\Ahead\Ahead\data\Xtras\mssysmgr.exe" [2004-05-12 196608]
"LDM"="c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe" [2007-02-19 67128]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-03-26 149040]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-04-25 185896]
"SoundMan"="SOUNDMAN.EXE" [2004-01-08 65536]
"Share-to-Web Namespace Daemon"="c:\program files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe" [2001-07-03 57344]
"RemoteControl"="c:\program files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe" [2003-12-09 32768]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"NBKeyScan"="c:\program files\Nero\Nero 7\Nero BackItUp\NBKeyScan.exe" [2007-03-26 1185328]
"LVCOMSX"="c:\windows\system32\LVCOMSX.EXE" [2005-09-01 221184]
"LogitechVideo[inspector]"="c:\program files\Logitech\Video\InstallHelper.exe" [2005-09-07 13:39 73728]
"LogitechCameraService(E)"="c:\windows\system32\ElkCtrl.exe" [2004-11-02 262144]
"LogitechCameraAssistant"="c:\program files\Logitech\Video\CameraAssistant.exe" [2005-09-07 434176]
"HPHUPD08"="c:\program files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe" [2005-06-01 49152]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"CXMon"="c:\program files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe" [2001-08-27 45056]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-08-04 339968]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-03-17 47392]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]
"Freecorder FLV Service"="c:\program files\Freecorder\FLVSrvc.exe" [2009-11-15 158752]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-18 421888]
"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2010-04-02 1180976]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2010-04-12 1135912]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-04-28 142120]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\Hal\Start Menu\Programs\Startup\
BitTorrent.lnk - c:\program files\BitTorrent\bittorrent.exe [2008-9-26 654648]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - c:\program files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe [2005-10-5 49254]
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-7-21 113664]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 29696]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-5-12 282624]
HP Image Zone Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2005-5-12 73728]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 21:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Logitech Desktop Messenger.lnk
backup=c:\windows\pss\Logitech Desktop Messenger.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^PageKeeper Jobs.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\PageKeeper Jobs.lnk
backup=c:\windows\pss\PageKeeper Jobs.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dvd43]
2005-04-28 00:23 788992 ----a-w- c:\program files\dvd43\DVD43_Tray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
2009-03-05 22:07 2260480 -csha-r- c:\program files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
2009-09-04 20:49 1994480 -c--a-w- c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Valve\\Steam\\Steam.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\zzzsheepyzzz\\counter-strike source\\hl2.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\zzzsheepyzzz\\half-life 2 deathmatch\\hl2.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Windows Media Player\\wmplayer.exe"=
"d:\\3dsmax6\\3dsmax.exe"=
"c:\\WINDOWS\\system32\\javaw.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\NetMeeting\\conf.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\HP\\HP Software Update\\HPWUCli.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\WINDOWS\\kdx\\khost.exe"=
"d:\\monitor.exe"=
"d:\\manager.exe"=
"d:\\server.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
"c:\\Program Files\\uTorrent\\utorrent.exe"=
"c:\\Program Files\\SPSS Viewer\\SPSSNAV.EXE"=
"c:\\Program Files\\Common Files\\Ahead\\Nero Web\\SetupX.exe"=
"C:3\\Ares\\Ares.exe"=
"c:\\Program Files\\Starcraft\\StarCraft.exe"=
"C:5\\Ares\\Ares.exe"=
"c:\\Program Files\\Real\\RealPlayer\\RecordingManager.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\Common Files\\Ahead\\Lib\\NMIndexStoreSvr.exe"=
"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\8.1.1.50-8876480SL\\Program\\Restart.exe"=
"c:\\Program Files\\Google\\GoogleToolbarNotifier\\GoogleToolbarNotifier.exe"=
"c:\\Program Files\\dvd43\\DVD43_Tray.exe"=
"c:\\Program Files\\Ares\\Ares.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Warcraft III\\Warcraft III.exe"=
"c:\\Program Files\\Common Files\\McAfee\\McSvcHost\\McSvHost.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R0 MrFilter;EasyWrite Driver;c:\windows\system32\drivers\MRFilter.sys [30/05/2005 10:50 PM 11776]
R1 ATMhelpr;ATMhelpr;c:\windows\system32\drivers\ATMHELPR.SYS [31/01/2005 10:08 AM 4064]
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [04/05/2010 10:01 AM 82952]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [04/09/2009 2:50 PM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [04/09/2009 2:49 PM 74480]
R2 HssWd;Hotspot Shield Monitoring Service;c:\program files\Hotspot Shield\bin\hsswd.exe [31/03/2010 6:24 PM 194608]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [16/12/2009 9:02 PM 93320]
R2 McMPFSvc;McAfee Personal Firewall;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [04/05/2010 10:00 AM 271480]
R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [04/05/2010 10:00 AM 271480]
R2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\McAfee\SystemCore\mfefire.exe [04/05/2010 10:02 AM 188136]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\Common Files\McAfee\SystemCore\mfevtps.exe [04/05/2010 10:01 AM 141792]
R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [04/05/2010 10:01 AM 55456]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [04/05/2010 10:01 AM 312616]
R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [04/05/2010 10:01 AM 88480]
S0 viasraid;viasraid;c:\windows\system32\DRIVERS\viasraid.sys --> c:\windows\system32\DRIVERS\viasraid.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [06/02/2010 1:38 PM 135664]
S2 IcRecUsb;IC Recorder Driver;c:\windows\system32\drivers\IcRecUsb.sys [19/09/2006 3:30 PM 17432]
S3 ASPI;Advanced SCSI Programming Interface Driver;c:\windows\system32\drivers\aspi32.sys [31/01/2005 10:04 AM 16512]
S3 F-Secure Standalone Minifilter;F-Secure Standalone Minifilter;\??\c:\docume~1\Phil\LOCALS~1\Temp\OnlineScanner\Anti-Virus\fsgk.sys --> c:\docume~1\Phil\LOCALS~1\Temp\OnlineScanner\Anti-Virus\fsgk.sys [?]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [04/05/2010 10:01 AM 88480]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [04/05/2010 10:01 AM 83496]
S3 rootrepeal2;rootrepeal2;\??\c:\windows\system32\drivers\rootrepeal2.sys --> c:\windows\system32\drivers\rootrepeal2.sys [?]
S3 rootrepeal3;rootrepeal3;\??\c:\windows\system32\drivers\rootrepeal3.sys --> c:\windows\system32\drivers\rootrepeal3.sys [?]
S3 RTL8187B;Realtek RTL8187B Wireless 802.11b/g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\drivers\RTL8187B.sys [10/06/2009 5:53 AM 341376]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [04/09/2009 2:50 PM 7408]

--- Other Services/Drivers In Memory ---

*Deregistered* - mfeavfk01
.
Contents of the 'Scheduled Tasks' folder

2010-05-15 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 18:34]

2010-05-17 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-06 19:38]

2010-05-17 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-06 19:38]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.defaulthomepage.info/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &Webshots Photo Search - c:\program files\Webshots\WSToolbar4IE.dll/MENUSEARCH.HTM
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
Trusted Zone: internet
Trusted Zone: mcafee.com
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
DPF: {22D4879A-92DB-470D-8A83-E158797D8176} - file://f:\components\Liquid.ocx
FF - ProfilePath - c:\documents and settings\Phil\Application Data\Mozilla\Firefox\Profiles\6i82zj2e.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT1060933&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.startup.homepage - hxxp://en-US.start3.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT1060933&q=
FF - component: c:\documents and settings\Phil\Application Data\Mozilla\Firefox\Profiles\6i82zj2e.default\extensions\{1392b8d2-5c05-419f-a8f6-b9f15a596612}\components\FFExternalAlert.dll
FF - component: c:\documents and settings\Phil\Application Data\Mozilla\Firefox\Profiles\6i82zj2e.default\extensions\{1392b8d2-5c05-419f-a8f6-b9f15a596612}\components\RadioWMPCore.dll
FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - plugin: c:\documents and settings\Phil\Application Data\Facebook\npfbplugin_1_0_0.dll
FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\McAfee\Supportability\MVT\NPMVTPlugin.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmusicn.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPTURNMED.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\activexFF10.js - pref("capability.policy.default.ClassID.CID4E7FF8BB-0A5A-4AA3-B764-B39BA9A13E38", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activexFF10.js - pref("capability.policy.default.ClassID.CIDB24F189F-FB14-4EFD-8B9D-217EC6C84EA1", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activexFF10.js - pref("capability.policy.default.ClassID.CID86ED3659-02F6-465D-8F19-A9334614CCC3", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activexFF10.js - pref("capability.policy.default.ClassID.CID5D7F48C0-CB49-4ea6-97D4-04F4EACC2F3B", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activexFF10.js - pref("capability.policy.default.ClassID.CID4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activexFF10.js - pref("capability.policy.default.ClassID.CIDA43C6FC7-09F6-4E04-B8E3-683F3BDFEF7C", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activexFF10.js - pref("capability.policy.default.ClassID.CID4C8D6404-A9F6-4236-8488-6C5732CB3BFA", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-17 02:48
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
@DACL=(02 0000)
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
@DACL=(02 0000)
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
@DACL=(02 0000)
"Installed"="1"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(664)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(2536)
c:\progra~1\mcafee\SITEAD~1\saHook.dll
c:\documents and settings\Phil\Local Settings\Application Data\FLVService\lib\FLVSrvLib.dll
c:\progra~1\WINDOW~2\wmpband.dll
c:\progra~1\mcafee\SITEAD~1\mcieplg.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-05-17 02:53:17
ComboFix-quarantined-files.txt 2010-05-17 08:53
ComboFix2.txt 2010-05-16 17:28

Pre-Run: 5,294,321,664 bytes free
Post-Run: 5,230,182,400 bytes free

Current=6 Default=6 Failed=5 LastKnownGood=7 Sets=2,3,4,5,6,7
- - End Of File - - 4FC9F77B486D06A601A2A7B127C967A0
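
The service/driver block of the ComboFix log above is worth a second look on its own: four entries end in `--> <path> [?]`, which is ComboFix's way of saying the service is still registered but its image file could not be found on disk (viasraid, the F-Secure online-scanner minifilter left under a user's Temp folder, and the rootrepeal2/rootrepeal3 drivers from an earlier RootRepeal run). The following script is an added example for this thread, not part of ComboFix or of any post here; it parses that block format and surfaces orphaned entries, entries whose image lives in a Temp directory, and whether they are boot/system-start (kernel) drivers. The sample input is the relevant lines copied from the log above; the line-format regexes are assumptions derived from those lines.

```python
"""Orphaned-service triage for the driver/service block of a ComboFix log.

Added example for this thread (not part of ComboFix or of the posts above).
ComboFix prints each registered service as

    <start> <name>;<display name>;<image path> [<date> <time> <size>]

and, when the image cannot be found on disk, as

    <start> <name>;<display name>;<raw path> --> <resolved path> [?]

Those '[?]' entries are services or drivers whose binaries are gone. They are
dead weight rather than active code, but a boot-start (R0/S0, R1/S1) driver with
a missing or odd image is exactly what an analyst wants surfaced first.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Start-type token: R = running, S = stopped; digit = Windows start value
# (0 boot, 1 system, 2 auto, 3 manual, 4 disabled). Format assumed from this log.
LINE_RE = re.compile(r'^(?P<start>[RS][0-4])\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.+)$')
TAIL_RE = re.compile(r'\s\[(?P<stamp>.+?)\s(?P<size>\d+)\]$')

# Constructed sample: lines copied from the ComboFix log in this thread.
SAMPLE_LOG = r"""
R0 MrFilter;EasyWrite Driver;c:\windows\system32\drivers\MRFilter.sys [30/05/2005 10:50 PM 11776]
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [04/05/2010 10:01 AM 82952]
R2 McMPFSvc;McAfee Personal Firewall;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [04/05/2010 10:00 AM 271480]
S0 viasraid;viasraid;c:\windows\system32\DRIVERS\viasraid.sys --> c:\windows\system32\DRIVERS\viasraid.sys [?]
S3 F-Secure Standalone Minifilter;F-Secure Standalone Minifilter;\??\c:\docume~1\Phil\LOCALS~1\Temp\OnlineScanner\Anti-Virus\fsgk.sys --> c:\docume~1\Phil\LOCALS~1\Temp\OnlineScanner\Anti-Virus\fsgk.sys [?]
S3 rootrepeal2;rootrepeal2;\??\c:\windows\system32\drivers\rootrepeal2.sys --> c:\windows\system32\drivers\rootrepeal2.sys [?]
S3 rootrepeal3;rootrepeal3;\??\c:\windows\system32\drivers\rootrepeal3.sys --> c:\windows\system32\drivers\rootrepeal3.sys [?]

--- Other Services/Drivers In Memory ---

*Deregistered* - mfeavfk01
"""


@dataclass
class ServiceEntry:
    start: str
    name: str
    display: str
    path: str
    size: Optional[int]     # None when ComboFix printed [?] (image not found)

    @property
    def orphaned(self) -> bool:
        return self.size is None

    @property
    def early_start(self) -> bool:
        # Boot- and system-start entries are kernel drivers loaded before any
        # user-mode security software; surprises here deserve priority.
        return self.start[1] in "01"

    @property
    def in_temp_dir(self) -> bool:
        return "\\temp\\" in self.path.lower()


def parse_line(line: str) -> Optional[ServiceEntry]:
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    start, name, display, rest = m.group("start", "name", "display", "rest")
    if rest.endswith("[?]"):
        path = rest[:-3].strip()
        if "-->" in path:                       # prefer the path ComboFix resolved
            path = path.split("-->", 1)[1].strip()
        return ServiceEntry(start, name, display, path, None)
    t = TAIL_RE.search(rest)
    if not t:
        return None
    return ServiceEntry(start, name, display, rest[:t.start()].strip(), int(t.group("size")))


def parse_services(log_text: str) -> List[ServiceEntry]:
    return [e for e in (parse_line(l) for l in log_text.splitlines()) if e]


def findings(entries: List[ServiceEntry]) -> List[str]:
    """One triage line per entry that is orphaned or loads from a Temp folder."""
    out = []
    for e in entries:
        tags = []
        if e.orphaned:
            tags.append("image missing")
        if e.in_temp_dir:
            tags.append("loads from a Temp folder")
        if tags and e.early_start:
            tags.append("boot/system start")
        if tags:
            out.append(f"{e.start} {e.name}: {', '.join(tags)} -> {e.path}")
    return out


if __name__ == "__main__":
    for line in findings(parse_services(SAMPLE_LOG)):
        print(line)
```

Run against the sample it reports viasraid (boot start, image missing), the F-Secure minifilter (image missing, Temp folder) and both rootrepeal drivers; the McAfee and MRFilter entries, whose images were found, are not flagged. Orphaned entries like these are not infections, but they are the kind of leftover a cleanup pass should remove so that the next log is easier to read.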


#6 mpascal (Math Nerd, Members, 1,653 posts, Canada)

Posted 17 May 2010 - 12:01 PM

Hi there,

STEP 1 - TFC

Download TFC to your desktop
  • Open the file and close any other windows.
  • It will close all programs itself when run, make sure to let it run uninterrupted.
  • Click the Start button to begin the process. The program should not take long to finish its job
  • Once its finished it should reboot your machine, if not, do this yourself to ensure a complete clean

STEP 2 - MBAM

Open Malwarebyte's Anti-Malware.
  • Under the Updates tab, click Check for Updates. Let the updates install (if any).
  • After that, under the Scanner tab, click Perform Quick Scan and then Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

STEP 3 - Kaspersky

Using Internet Explorer or Firefox, visit Kaspersky Online Scanner

1. Click Accept, when prompted to download and install the program files and database of malware definitions.

2. To optimize scanning time and produce a more sensible report for review:
  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan. Click HERE to see how to disable the most common antivirus programs.
3. Click Run at the Security prompt.

The program will then begin downloading and installing and will also update the database.
Please be patient as this can take quite a long time to download.
  • Once the update is complete, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
    • Spyware, adware, dialers, and other riskware
    • Archives
    • E-mail databases
  • Click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View report... at the bottom.
  • Click the Save report... button.



  • Change the Files of type dropdown box to Text file (.txt) and name the file KasReport.txt to save the file to your desktop so that you may post it in your next reply

STEP 4 - Reply

Please reply with the following logs:
  • MBAM Log
  • Kaspersky Log

Stay with your topic! Topics that go 4 days without a reply will be closed. PM me to reopen.

Please don't PM asking for support. Post on the forums instead.

My help is free, but if you wish to donate and help continue my fight against malware, click here.


#7 smartjock99 (Topic Starter, Members, 113 posts)

Posted 18 May 2010 - 07:10 PM

Here is the MBAM Log

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4110

Windows 5.1.2600 Service Pack 3
Internet Explorer 6.0.2900.5512

17/05/2010 6:46:54 PM
mbam-log-2010-05-17 (18-46-54).txt

Scan type: Quick scan
Objects scanned: 151707
Time elapsed: 10 minute(s), 17 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

And the Kaspersky log

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Tuesday, May 18, 2010
Operating system: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Tuesday, May 18, 2010 12:49:16
Records in database: 4123465
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\

Scan statistics:
Objects scanned: 141053
Threats found: 4
Infected objects found: 5
Suspicious objects found: 0
Scan duration: 04:03:35


File name / Threat / Threats count
C:\Documents and Settings\Hal\Application Data\Mozilla\Firefox\Profiles\zqm2wwnn.default\Cache(2)\FC1C21C6d01 Infected: not-a-virus:WebToolbar.Win32.WhenU.a 1
C:\Documents and Settings\Philip\Desktop\Emergency food supplies2\Emergency Food supplies\FRAPS255.EXE Infected: Trojan.Win32.Buzus.dhsi 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\pci.sys.vir Infected: Rootkit.Win32.TDSS.ap 1
C:\System Volume Information\_restore{44DCF00E-DBD1-42A8-B646-67AC701C9DBB}\RP160\A0064231.sys Infected: Rootkit.Win32.TDSS.ap 1
G:\My Documents\Downloads\Registry Easy 5.6(trees)\Registry Easy 5.6(trees).rar Infected: Virus.Win32.Induc.a 1

Selected area has been scanned.
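
Two of the five Kaspersky hits above are not live files: the pci.sys.vir under C:\Qoobox\Quarantine\ is the infected driver ComboFix had already quarantined (ComboFix renames quarantined files with a .vir extension), and the A0064231.sys under System Volume Information\_restore{...} is a System Restore snapshot copy. Neither will execute, and both disappear when ComboFix is uninstalled and restore points are cleared, which is why a removal fix only needs the other three paths. The script below is an added example for this thread, not a Kaspersky, OTL or BleepingComputer tool: it parses the report's "File name / Threat" lines, sorts each hit into live, ComboFix-quarantine or restore-point, and renders an OTL custom fix for the live ones using the same :Commands the helpers here use. The quarantine prefix assumes ComboFix ran from drive C:; the sample report is the one posted above.

```python
"""Sort Kaspersky Online Scanner hits into live vs already-contained copies.

Added example for this thread; not a Kaspersky, OTL or BleepingComputer tool.
Detections under C:\Qoobox\Quarantine\ (ComboFix's quarantine, .vir extension)
and under System Volume Information\_restore{...} (System Restore snapshots)
are inert copies. Only the remaining paths belong in an OTL :Files fix.
"""
import re
from typing import Dict, List, Tuple

# Report line shape (from the thread): <path> Infected: <threat name> <count>
HIT_RE = re.compile(r'^(?P<path>.+?)\s+Infected:\s+(?P<threat>\S+)\s+(?P<count>\d+)\s*$')

# Assumption: ComboFix quarantine on the system drive C:.
QUARANTINE_PREFIX = "c:\\qoobox\\quarantine\\"
RESTORE_POINT_MARK = "\\system volume information\\_restore{"

# Constructed sample: the report lines posted above.
SAMPLE_REPORT = r"""
File name / Threat / Threats count
C:\Documents and Settings\Hal\Application Data\Mozilla\Firefox\Profiles\zqm2wwnn.default\Cache(2)\FC1C21C6d01 Infected: not-a-virus:WebToolbar.Win32.WhenU.a 1
C:\Documents and Settings\Philip\Desktop\Emergency food supplies2\Emergency Food supplies\FRAPS255.EXE Infected: Trojan.Win32.Buzus.dhsi 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\pci.sys.vir Infected: Rootkit.Win32.TDSS.ap 1
C:\System Volume Information\_restore{44DCF00E-DBD1-42A8-B646-67AC701C9DBB}\RP160\A0064231.sys Infected: Rootkit.Win32.TDSS.ap 1
G:\My Documents\Downloads\Registry Easy 5.6(trees)\Registry Easy 5.6(trees).rar Infected: Virus.Win32.Induc.a 1

Selected area has been scanned.
"""

Hit = Tuple[str, str]   # (path, threat name)


def classify(path: str) -> str:
    """Bucket a detected path: 'live', 'combofix_quarantine' or 'restore_point'."""
    p = path.lower()
    if p.startswith(QUARANTINE_PREFIX):
        return "combofix_quarantine"
    if RESTORE_POINT_MARK in p:
        return "restore_point"
    return "live"


def parse_report(text: str) -> List[Hit]:
    hits = []
    for line in text.splitlines():
        m = HIT_RE.match(line.strip())
        if m:
            hits.append((m.group("path"), m.group("threat")))
    return hits


def triage(text: str) -> Dict[str, List[Hit]]:
    buckets: Dict[str, List[Hit]] = {"live": [], "combofix_quarantine": [], "restore_point": []}
    for path, threat in parse_report(text):
        buckets[classify(path)].append((path, threat))
    return buckets


def otl_fix(live_paths: List[str]) -> str:
    """Render an OTL custom fix: delete the live files, then the :Commands used
    in this thread (purge temp files and reboot)."""
    lines = [":Files", *live_paths, "", ":Commands", "[purity]", "[emptytemp]", "[Reboot]"]
    return "\n".join(lines)


if __name__ == "__main__":
    buckets = triage(SAMPLE_REPORT)
    for bucket, hits in buckets.items():
        for path, threat in hits:
            print(f"{bucket:20} {threat:40} {path}")
    print()
    print(otl_fix([p for p, _ in buckets["live"]]))
```

On the sample this yields exactly three live paths (the Firefox cache item, FRAPS255.EXE and the Registry Easy archive) and leaves the two TDSS copies to be handled by uninstalling ComboFix and clearing restore points, rather than by file deletion.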


#8 mpascal (Math Nerd, Members, 1,653 posts, Canada)

Posted 19 May 2010 - 12:39 AM

Hi there,

Run OTL.
  • Under the Custom Scans/Fixes box at the bottom, paste in the following:
    CODE
    :Files
    C:\Documents and Settings\Hal\Application Data\Mozilla\Firefox\Profiles\zqm2wwnn.default\Cache(2)\FC1C21C6d01
    C:\Documents and Settings\Philip\Desktop\Emergency food supplies2\Emergency Food supplies\FRAPS255.EXE
    G:\My Documents\Downloads\Registry Easy 5.6(trees)\Registry Easy 5.6(trees).rar

    :Commands
    [purity]
    [emptytemp]
    [Reboot]
  • Then click the Run Fix button at the top.
  • Let the program run unhindered, reboot the PC when it is done.

Are you still having any problems?



#9 smartjock99 (Topic Starter, Members, 113 posts)

Posted 19 May 2010 - 09:52 AM

Everything is running great! No more misdirection of google. I just need to know what I should do with most of the software programs (Combo Fix, etc.) that I was asked to download during the cleaning process.

Thanks for all your help.



#10 mpascal (Math Nerd, Members, 1,653 posts, Canada)

Posted 20 May 2010 - 03:46 PM

Hi there,

Now that your system appears to be clean, I'll give you some instructions to remove the tools we have used and I'll offer some advice to help prevent future infection.

STEP 1 - Clear Restore Points

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    CODE
    :Commands
    [CLEARALLRESTOREPOINTS]

  • Then click the Run Fix button at the top.
STEP 2 - Uninstall ComboFix
  • Rename the Combo-Fix file on your desktop to Uninstall.
  • Double click on Uninstall to uninstall the program.
STEP 3 - Remove Tools

Run OTL
  • Click Clean Up in the upper right corner.
  • This will remove most if not all the tools we used while we were fixing your computer. Feel free to delete any others it leaves behind.
Now that you have a clean system, I would like to share with you some advice to help reduce the risk of future infection.

+++++++++++++++++++++++++++++++++++++++++++++++

I recommend that you install both of the following free programs if you haven't already, as they can greatly increase the security of your system. It is not essential that you have these programs installed, but they do a very good job at preventing infection if your system is scanned regularly.

+++++++++++++++++++++++++++++++++++++++++++++++

A good firewall is also useful for keeping a system infection free. You should only have ONE firewall installed on your computer - having more than one will not increase the security of your system. Here is a small list of some free firewalls if you don't already have one installed:

An antivirus program is also a program that should be installed on all computers. These will help reduce the risk that your computer gets infected by viruses or trojans in the future. Keep in mind that you only need ONE antivirus program installed on your computer. If you have more than one installed, they can often conflict and leave your system unprotected. Here are a few free antivirus programs if you don't have one installed:

Having up to date Antivirus and Firewall software is vital to keeping a healthy, infection free system.

+++++++++++++++++++++++++++++++++++++++++++++++

I also suggest you take a look at Preventing Malware and Safe Computing, a guide by Rorschach112 which contains more great information about protecting your system.

To find out more information on how your system got infected, or how to protect yourself on the internet in the future, this article by Tony Klein provides some great information.

Good luck and safe surfing!

-mpascal
