Internet Disabled, Themes Disabled, Browser Hijacking.


  • This topic is locked
12 replies to this topic

#1 Avron

  • Members
  • 10 posts

Posted 01 June 2010 - 04:15 AM

Hey all, decided to post this here since I think I had posted it in the wrong forum before.


Let's start at the beginning: my Chrome just stopped working one day. I thought it was a .NET Framework update that had caused it to stop working, as it had in the past, so I just switched back to Firefox until an update would come out. But about two weeks later (I know, two weeks, I'm a dumbass) I started getting Google redirects and I had Antivirus XP installed on my computer. I proceeded to remove it with MBAM and kicked it out of my registry, but it came back and back and back. Now it seems to be gone, but today I got Antivirus Soft. I killed it as well, but now my redirects are back, and SUPERAntiSpyware, Spybot, MBAM and Spyware Doctor just do not find anything. I've gone all over my registry and I think I have it not working again, but I know it will come back. Also, when I restart I have to re-enable themes, sound drivers and my DNS server so I can have an IP. Help, if you can =/.


I can post any logs needed. I have HijackThis and can get other programs.


Also, sometimes I just have to restart my computer because my internet dies, and I also can't open Task Manager; I don't know if that's a virus. It gives me like a "failed to initialize" visualize error.

After several more scans I'm not getting anything, so I don't know if it's still there. I unplugged my modem when I did this set of scans. Also, I'm showing these exact symptoms: http://www.bleepingcomputer.com/forums/t/320375/windows-xp-theme-is-no-longer-seen-along-with-no-internet-access-whatsoever/ and http://www.bleepingcomputer.com/forums/topic320488.html


Edit: I'm getting my Google searches re-directed again.

HijackThis Log
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 2:14:14 AM, on 6/1/2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\GIGABYTE\EnergySaver\GSvr.exe
C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Vent\Ventrilo.exe
C:\Program Files\Realtek\Audio\InstallShield\RTHDCPL.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://```````````````````````````````````/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://toolbar.ask.com/toolbarv/askRedirec...amp;gc=1&q=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll (file missing)
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll (file missing)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll (file missing)
O3 - Toolbar: DAEMON Tools Toolbar - {32099AAC-C132-4136-9E9A-4E364A424E17} - C:\Program Files\DAEMON Tools Toolbar\DTToolbar.dll
O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [HitmanPro35] "C:\Program Files\Hitman Pro 3.5\HitmanPro35.exe" /scan:boot
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: OpenOffice.org 3.2.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Broken Internet access because of LSP provider 'c:\program files\bonjour\mdnsnsp.dll' missing
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1223450083218
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1223450074750
O16 - DPF: {CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA} (Java Plug-in 1.6.0_10) -
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ASKUpgrade - Unknown owner - C:\Program Files\AskBarDis\bar\bin\ASKUpgrade.exe
O23 - Service: Bonjour Service - Unknown owner - C:\Program Files\Bonjour\mDNSResponder.exe (file missing)
O23 - Service: CaCCProvSP - Unknown owner - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
O23 - Service: GEST Service for program management. (GEST Service) - Unknown owner - C:\Program Files\GIGABYTE\EnergySaver\GSvr.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Unknown owner - C:\Program Files\Google\Update\GoogleUpdate.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS\system32\GameMon.des.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: PPCtlPriv - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

--
End of file - 7377 bytes
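
The HijackThis log above already carries the indicators a helper looks at first: an Internet Settings ProxyServer of http=127.0.0.1:5555 (every request from IE and other WinINet-based programs is being pushed through a process listening on the local machine, one way search results get redirected), a Start Page whose "host" is a run of backticks, an O10 Winsock LSP entry whose DLL is gone (which fits the "my internet dies" symptom, because a missing LSP breaks every Winsock program until the catalog is repaired), and several R3/O2/O23 entries whose files no longer exist. The script below is an added example for triaging such logs, not a BleepingComputer, Trend Micro or OldTimer tool. It recognises both the HijackThis line format and the `IE - HKU\...: "ProxyServer" = ...` format OTL uses, so it also covers the OTL output posted later in this thread; the sample input is an excerpt of lines from the two logs in this thread, and the severity labels are this example's own convention.

```python
"""Triage helper for HijackThis / OTL log excerpts.

Added example for this thread, not a BleepingComputer, Trend Micro or
OldTimer tool. Flags: a ProxyServer pointing at loopback, a Start Page
whose host is not a DNS name, an O10 LSP entry whose DLL is missing, and
any autostart/BHO/toolbar/service entry whose file is gone.
"""
import re
from typing import Dict, List, Optional, Tuple

Finding = Tuple[str, str, str]  # (severity, HJT/OTL line tag, detail)

_TAG_RE = re.compile(r"^(R\d|O\d+|IE|SRV|DRV)\b")
_PROXY_RE = re.compile(r'ProxyServer"?\s*=\s*(\S+)')       # HJT and OTL forms
_START_RE = re.compile(r"Start Page\s*=\s*(\S+)")
_MISSING_RE = re.compile(r"\(file missing\)|\(no file\)|File not found", re.I)


def proxy_endpoints(value: str) -> List[Tuple[str, str]]:
    """Split a WinINet ProxyServer value into (host, port) pairs.

    Handles "host:port" and "http=host:port;https=host:port"; IPv6
    brackets are stripped so "[::1]:8080" yields ("::1", "8080").
    """
    endpoints = []
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        hostport = part.split("=", 1)[-1]      # drop a "http=" style prefix
        host, sep, port = hostport.rpartition(":")
        if not sep:                            # no port given
            host, port = hostport, ""
        endpoints.append((host.strip("[]"), port))
    return endpoints


def is_loopback(host: str) -> bool:
    h = host.lower()
    return h.startswith("127.") or h in ("localhost", "::1")


def url_host(value: str) -> Optional[str]:
    """Host part of a scheme://host/... URL; None for about:blank and the like."""
    m = re.match(r"^[a-z][a-z0-9+.\-]*://([^/]*)", value, re.I)
    return m.group(1) if m else None


def triage(log_text: str) -> List[Finding]:
    """Return one finding per suspicious line, in log order."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        tag_m = _TAG_RE.match(line)
        tag = tag_m.group(1) if tag_m else "?"

        m = _PROXY_RE.search(line)
        if m:
            for host, port in proxy_endpoints(m.group(1)):
                if is_loopback(host):
                    findings.append(("high", tag, f"HTTP proxied through local port {port or '?'}; identify the listener"))
            continue

        m = _START_RE.search(line)
        if m:
            host = url_host(m.group(1))
            if host is not None and not re.fullmatch(r"[A-Za-z0-9.\-]+", host):
                findings.append(("medium", tag, f"start page host is not a DNS name: {host!r}"))
            continue

        if tag == "O10" and re.search(r"missing|not found", line, re.I):
            findings.append(("high", tag, "Winsock LSP DLL missing; networking broken until catalog repaired"))
            continue

        if _MISSING_RE.search(line):
            findings.append(("low", tag, "orphaned entry, file no longer on disk"))
    return findings


def severity_counts(findings: List[Finding]) -> Dict[str, int]:
    counts = {"high": 0, "medium": 0, "low": 0}
    for sev, _, _ in findings:
        counts[sev] += 1
    return counts


# Excerpt of the HijackThis and OTL lines posted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://```````````````````````````````````/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll (file missing)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - (no file)
O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
O10 - Broken Internet access because of LSP provider 'c:\program files\bonjour\mdnsnsp.dll' missing
O23 - Service: Bonjour Service - Unknown owner - C:\Program Files\Bonjour\mDNSResponder.exe (file missing)
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:5555
O10 - NameSpace_Catalog5\Catalog_Entries\000000000001 [] - C:\Program Files\Bonjour\mdnsNSP.dll File not found
"""

if __name__ == "__main__":
    for sev, tag, detail in triage(SAMPLE_LOG):
        print(f"[{sev:6}] {tag:4} {detail}")
```

Two caveats when acting on the output. A loopback proxy is not proof of malware by itself, since some local content filters and privacy proxies legitimately bind 127.0.0.1, so confirm which process owns the port with `netstat -ano` and `tasklist /svc` before deleting the value. And the OTL log later in this thread shows ProxyEnable = 1 with the same ProxyServer value under HKU\.DEFAULT and HKU\S-1-5-18 (the LocalSystem hive) while the logged-in user's hive already has ProxyEnable = 0, so clearing the setting from HKCU alone would leave the system-wide copy in place.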


#2 Avron
  • Topic Starter
  • Members
  • 10 posts

Posted 02 June 2010 - 02:17 AM

Sorry if bumping is bad, anyone out there that can lend a hand? Don't mean to pester.

#3 Avron
  • Topic Starter
  • Members
  • 10 posts

Posted 03 June 2010 - 05:16 AM

Anything else I can post for people to see if they can help?

#4 Elise
    Bleepin' Blonde
  • Malware Study Hall Admin
  • 61,243 posts
  • Gender:Female
  • Location:Romania

Posted 03 June 2010 - 05:52 AM

Hello, and welcome to the Bleeping Computer Malware Removal Forum. My name is Elise and I'll be glad to help you with your computer problems.


I will be working on your malware issues, this may or may not solve other issues you may have with your machine.

Please note that whatever repairs we make are for fixing your computer problems only and by no means should be used on another computer.
  • The cleaning process is not instant. Logs can take some time to research, so please be patient with me. I know that you need your computer working as quickly as possible, and I will work hard to help see that happen.
  • Please reply using the Add/Reply button in the lower right hand corner of your screen. Do not start a new topic.
  • The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • Unfortunately, if I do not hear back from you within 5 days, I will be forced to close your topic. If you still need help after I have closed your topic, send me or a moderator a personal message with the address of the thread or feel free to create a new one.
You may want to keep the link to this topic in your favorites. Alternatively, you can click the button at the top bar of this topic and Track this Topic, where you can choose email notifications. The topics you are tracking are shown here.
-----------------------------------------------------------

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

If you have already posted a log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Please download OTL from one of the following mirrors:
  • Save it to your desktop.
  • Double click on the icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the button.
  • Two reports will open, copy and paste them in a reply here:
    • OTListIt.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.


  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.

-------------------------------------------------------------
In the meantime, please do NOT install any new programs or update anything unless told to do so while we are fixing your problem.

If you still need help, please include the following in your next reply
  • A detailed description of your problems
  • A new OTL log (don't forget extra.txt)
  • GMER log

Thanks and again sorry for the delay.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."


Malware analyst @ Emsisoft


#5 Avron
  • Topic Starter
  • Members
  • 10 posts

Posted 04 June 2010 - 02:28 PM

Thanks for the help. I think I messed up with GMER, it crashed twice; I'll run it again soon and post that log.

Here is the OTL log. I didn't have any extra.txt.


OTL logfile created on: 6/4/2010 12:25:10 PM - Run 2
OTL by OldTimer - Version 3.2.5.3 Folder = C:\Documents and Settings\josh\My Documents\Downloads
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.2180)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 77.00% Memory free
5.00 Gb Paging File | 4.00 Gb Available in Paging File | 89.00% Paging File free
Paging file location(s): c:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 298.08 Gb Total Space | 39.28 Gb Free Space | 13.18% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: STARKILLER
Current User Name: josh
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/06/03 11:24:11 | 000,571,904 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\josh\My Documents\Downloads\OTL.exe
PRC - [2010/04/01 10:58:04 | 000,910,296 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2009/04/22 21:11:32 | 001,675,776 | ---- | M] (Flagship Industries, Inc.) -- C:\Program Files\Vent\Ventrilo.exe
PRC - [2008/11/09 13:48:14 | 000,602,392 | ---- | M] (Yahoo! Inc.) -- C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
PRC - [2008/05/13 18:07:24 | 000,080,392 | ---- | M] () -- C:\Program Files\GIGABYTE\EnergySaver\GSvr.exe
PRC - [2008/05/07 00:39:52 | 016,862,208 | ---- | M] (Realtek Semiconductor Corp.) -- C:\Program Files\Realtek\Audio\InstallShield\RTHDCPL.exe
PRC - [2004/08/04 05:00:00 | 001,032,192 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe


========== Modules (SafeList) ==========

MOD - [2010/06/03 11:24:11 | 000,571,904 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\josh\My Documents\Downloads\OTL.exe
MOD - [2008/05/13 10:13:36 | 000,077,824 | ---- | M] (SuperAdBlocker.com) -- C:\Program Files\SUPERAntiSpyware\SASSEH.DLL
MOD - [2004/08/04 05:00:00 | 000,102,400 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msscript.ocx


========== Win32 Services (SafeList) ==========

SRV - File not found [Disabled | Stopped] -- -- (StyleXPService)
SRV - File not found [Auto | Stopped] -- -- (gupdate) Google Update Service (gupdate)
SRV - File not found [Disabled | Stopped] -- -- (Browser Defender Update Service)
SRV - File not found [Auto | Stopped] -- -- (Bonjour Service)
SRV - [2009/07/26 07:43:14 | 000,025,832 | ---- | M] (BioWare) [Disabled | Stopped] -- C:\Program Files\Dragon Age\bin_ship\daupdatersvc.service.exe -- (DAUpdaterSvc)
SRV - [2009/06/04 10:53:02 | 000,066,048 | ---- | M] (NOS Microsystems Ltd.) [Disabled | Stopped] -- C:\Program Files\NOS\bin\getPlus_HelperSvc.exe -- (getPlus® Helper) getPlus®
SRV - [2009/06/02 11:56:10 | 002,862,428 | ---- | M] (INCA Internet Co., Ltd.) [On_Demand | Stopped] -- C:\WINDOWS\System32\GameMon.des -- (npggsvc)
SRV - [2009/04/02 12:47:04 | 000,234,888 | ---- | M] () [Auto | Stopped] -- C:\Program Files\AskBarDis\bar\bin\ASKUpgrade.exe -- (ASKUpgrade)
SRV - [2009/01/24 02:26:20 | 000,214,256 | ---- | M] (CA, Inc.) [On_Demand | Stopped] -- C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe -- (CaCCProvSP)
SRV - [2008/11/17 14:34:53 | 000,185,584 | ---- | M] (CA, Inc.) [On_Demand | Stopped] -- C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe -- (PPCtlPriv)
SRV - [2008/11/09 13:48:14 | 000,602,392 | ---- | M] (Yahoo! Inc.) [Auto | Running] -- C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe -- (YahooAUService)
SRV - [2008/05/13 18:07:24 | 000,080,392 | ---- | M] () [Auto | Running] -- C:\Program Files\GIGABYTE\EnergySaver\GSvr.exe -- (GEST Service)
SRV - [2007/09/26 14:55:04 | 000,283,912 | ---- | M] (CA, Inc.) [Disabled | Stopped] -- C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe -- (ITMRTSVC)
SRV - [2005/10/06 18:12:30 | 000,855,552 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Windows Media Connect 2\wmccds.exe -- (WMConnectCDS)


========== Driver Services (SafeList) ==========

DRV - [2010/06/03 21:50:47 | 000,016,608 | ---- | M] (Windows ® 2000 DDK provider) [Kernel | On_Demand | Running] -- C:\WINDOWS\gdrv.sys -- (gdrv)
DRV - [2010/04/27 17:30:10 | 000,061,440 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS -- (SASKUTIL)
DRV - [2010/04/06 18:13:04 | 005,912,096 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\RtkHDAud.sys -- (IntcAzAudAddService) Service for Realtek HD Audio (WDM)
DRV - [2010/02/17 11:25:50 | 000,012,872 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\sasdifsv.sys -- (SASDIFSV)
DRV - [2009/11/18 07:17:00 | 001,395,800 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\Monfilt.sys -- (Monfilt)
DRV - [2009/11/18 07:16:00 | 001,691,480 | ---- | M] (Creative) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\Ambfilt.sys -- (Ambfilt)
DRV - [2009/10/22 00:59:46 | 000,138,808 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\PnkBstrK.sys -- (PnkBstrK)
DRV - [2009/09/23 16:10:06 | 000,207,280 | ---- | M] (PC Tools) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\PCTCore.sys -- (PCTCore)
DRV - [2009/02/18 15:44:00 | 006,308,224 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nv4_mini.sys -- (nv)
DRV - [2008/10/09 17:35:27 | 000,717,296 | ---- | M] (Duplex Secure Ltd.) [Kernel | Boot | Stopped] -- C:\WINDOWS\System32\Drivers\sptd.sys -- (sptd)
DRV - [2008/09/16 10:15:00 | 000,009,088 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\Program Files\RivaTuner v2.11\RivaTuner32.sys -- (RivaTuner32)
DRV - [2008/04/13 09:36:05 | 000,144,384 | ---- | M] (Windows ® Server 2003 DDK provider) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\hdaudbus.sys -- (HDAudBus)
DRV - [2008/01/14 03:06:32 | 000,021,632 | ---- | M] (ManyCam LLC.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ManyCam.sys -- (ManyCam)
DRV - [2008/01/03 07:10:16 | 000,105,856 | R--- | M] (Realtek Semiconductor Corporation ) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Rtenicxp.sys -- (RTLE8023xp)
DRV - [2007/08/06 17:15:07 | 000,033,052 | ---- | M] (PowerISO Computing, Inc.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\scdemu.sys -- (SCDEmu)
DRV - [2005/09/15 12:24:34 | 000,476,672 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\xnacc.sys -- (xnacc)
DRV - [2004/04/10 09:42:36 | 000,002,944 | ---- | M] (cansoft@livewiredev.com) [Kernel | System | Running] -- C:\WINDOWS\system32\mbmiodrvr.sys -- (mbmiodrvr)
DRV - [2003/04/02 16:54:16 | 000,020,648 | R--- | M] (Thomson Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\netrcacm.sys -- (netrcacm)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomSearch = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://toolbar.ask.com/toolbarv/askRedirec...amp;gc=1&q=


IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,AlwaysUseDefaultPrinter = yes
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:5555

IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,AlwaysUseDefaultPrinter = yes
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 1
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:5555

IE - HKU\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\Main,AlwaysUseDefaultPrinter = yes

IE - HKU\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\Main,AlwaysUseDefaultPrinter = yes

IE - HKU\S-1-5-21-854245398-879983540-682003330-1003\SOFTWARE\Microsoft\Internet Explorer\Main,AlwaysUseDefaultPrinter = yes
IE - HKU\S-1-5-21-854245398-879983540-682003330-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
IE - HKU\S-1-5-21-854245398-879983540-682003330-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://```````````````````````````````````/
IE - HKU\S-1-5-21-854245398-879983540-682003330-1003\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
IE - HKU\S-1-5-21-854245398-879983540-682003330-1003\..\URLSearchHook: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll File not found
IE - HKU\S-1-5-21-854245398-879983540-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}:6.0.20

FF - HKLM\software\mozilla\Mozilla Firefox 3.6.3\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/04/21 01:01:00 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.3\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/06/01 02:17:41 | 000,000,000 | ---D | M]

[2010/04/21 01:01:08 | 000,000,000 | ---D | M] -- C:\Documents and Settings\josh\Application Data\Mozilla\Extensions
[2009/06/07 00:16:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\josh\Application Data\Mozilla\Extensions\mozswing@mozswing.org
[2010/05/31 23:16:14 | 000,000,000 | ---D | M] -- C:\Documents and Settings\josh\Application Data\Mozilla\Firefox\Profiles\xa9byajt.default\extensions
[2010/06/03 21:53:49 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2010/06/01 02:17:43 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
[2010/06/01 02:17:26 | 000,411,368 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npdeployJava1.dll
[2009/10/12 00:36:03 | 000,238,776 | ---- | M] (Pando Networks) -- C:\Program Files\Mozilla Firefox\plugins\npPandoWebInst.dll

O1 HOSTS File: ([2010/05/30 23:59:22 | 000,370,657 | R--- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 127.0.0.1 www.007guard.com
O1 - Hosts: 127.0.0.1 007guard.com
O1 - Hosts: 127.0.0.1 008i.com
O1 - Hosts: 127.0.0.1 www.008k.com
O1 - Hosts: 127.0.0.1 008k.com
O1 - Hosts: 127.0.0.1 www.00hq.com
O1 - Hosts: 127.0.0.1 00hq.com
O1 - Hosts: 127.0.0.1 010402.com
O1 - Hosts: 127.0.0.1 www.032439.com
O1 - Hosts: 127.0.0.1 032439.com
O1 - Hosts: 127.0.0.1 www.0scan.com
O1 - Hosts: 127.0.0.1 0scan.com
O1 - Hosts: 127.0.0.1 1000gratisproben.com
O1 - Hosts: 127.0.0.1 www.1000gratisproben.com
O1 - Hosts: 127.0.0.1 1001namen.com
O1 - Hosts: 127.0.0.1 www.1001namen.com
O1 - Hosts: 127.0.0.1 100888290cs.com
O1 - Hosts: 127.0.0.1 www.100888290cs.com
O1 - Hosts: 127.0.0.1 www.100sexlinks.com
O1 - Hosts: 127.0.0.1 100sexlinks.com
O1 - Hosts: 127.0.0.1 10sek.com
O1 - Hosts: 127.0.0.1 www.10sek.com
O1 - Hosts: 127.0.0.1 www.1-2005-search.com
O1 - Hosts: 127.0.0.1 1-2005-search.com
O1 - Hosts: 12778 more lines...
O2 - BHO: (&Yahoo! Toolbar Helper) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll File not found
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O3 - HKLM\..\Toolbar: (Ask Toolbar) - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll (Ask.com)
O3 - HKLM\..\Toolbar: (DAEMON Tools Toolbar) - {32099AAC-C132-4136-9E9A-4E364A424E17} - C:\Program Files\DAEMON Tools Toolbar\DTToolbar.dll ()
O3 - HKLM\..\Toolbar: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll File not found
O3 - HKU\S-1-5-21-854245398-879983540-682003330-1003\..\Toolbar\WebBrowser: (Ask Toolbar) - {3041D03E-FD4B-44E0-B742-2D9B88305F98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll (Ask.com)
O3 - HKU\S-1-5-21-854245398-879983540-682003330-1003\..\Toolbar\WebBrowser: (DAEMON Tools Toolbar) - {32099AAC-C132-4136-9E9A-4E364A424E17} - C:\Program Files\DAEMON Tools Toolbar\DTToolbar.dll ()
O3 - HKU\S-1-5-21-854245398-879983540-682003330-1003\..\Toolbar\WebBrowser: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll File not found
O4 - HKLM..\Run: [HitmanPro35] C:\Program Files\Hitman Pro 3.5\HitmanPro35.exe (SurfRight B.V.)
O4 - HKLM..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe (Microsoft Corporation)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.DLL (NVIDIA Corporation)
O4 - HKU\S-1-5-21-854245398-879983540-682003330-1003..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (Safer Networking Limited)
O4 - HKU\S-1-5-21-854245398-879983540-682003330-1003..\Run: [Steam] c:\program files\steam\steam.exe (Valve Corporation)
O4 - Startup: C:\Documents and Settings\josh\Start Menu\Programs\Startup\OpenOffice.org 3.2.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe ()
O4 - Startup: C:\Documents and Settings\Liz\Start Menu\Programs\Startup\LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe File not found
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-854245398-879983540-682003330-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000001 [] - C:\Program Files\Bonjour\mdnsNSP.dll File not found
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://www.update.microsoft.com/microsoftu...b?1223450083218 (WUWebControl Class)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://www.update.microsoft.com/microsoftu...b?1223450074750 (MUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA} Reg Error: Value error. (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_20)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_20)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 76.85.229.110 76.85.229.111
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\WB: DllName - C:\Program Files\Stardock\Object Desktop\ThemeManager\fastload.dll - C:\Program Files\Stardock\Object Desktop\ThemeManager\fastload.dll (Stardock)
O24 - Desktop WallPaper: C:\Documents and Settings\josh\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\josh\Application Data\Mozilla\Firefox\Desktop Background.bmp
O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2008/09/23 14:08:22 | 000,000,020 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{05d910e5-ae34-11dd-b579-001fd08a92c3}\Shell - "" = AutoRun
O33 - MountPoints2\{05d910e5-ae34-11dd-b579-001fd08a92c3}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{05d910e5-ae34-11dd-b579-001fd08a92c3}\Shell\AutoRun\command - "" = G:\LaunchU3.exe -- File not found
O33 - MountPoints2\G\Shell - "" = AutoRun
O33 - MountPoints2\G\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\G\Shell\AutoRun\command - "" = G:\LaunchU3.exe -- File not found
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O37 - HKU\S-1-5-21-854245398-879983540-682003330-1003\...exe [@ = exefile] -- Reg Error: Key error. File not found

========== Files/Folders - Created Within 30 Days ==========

[2010/06/01 02:17:53 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Java
[2010/06/01 02:17:41 | 000,411,368 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\deployJava1.dll
[2010/06/01 02:17:41 | 000,153,376 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe
[2010/06/01 02:17:41 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe
[2010/06/01 02:17:41 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe
[2010/06/01 02:17:41 | 000,073,728 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javacpl.cpl
[2010/05/31 03:08:04 | 000,000,000 | ---D | C] -- C:\Program Files\Trend Micro
[2010/05/31 02:55:44 | 000,000,000 | ---D | C] -- C:\WINDOWS\pss
[2010/05/31 02:49:12 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Hitman Pro
[2010/05/31 02:49:10 | 000,000,000 | ---D | C] -- C:\Program Files\Hitman Pro 3.5
[2010/05/30 23:51:12 | 000,000,000 | ---D | C] -- C:\WINDOWS\CSC
[2010/05/30 22:44:16 | 000,099,584 | ---- | C] (eSXi) -- C:\Documents and Settings\josh\Local Settings\Application Data\asam.exe
[2010/05/30 22:43:14 | 000,099,584 | ---- | C] (eSXi) -- C:\Documents and Settings\josh\Local Settings\Application Data\syssvc.exe
[2010/05/30 22:41:04 | 000,000,000 | ---D | C] -- C:\Documents and Settings\josh\Local Settings\Application Data\pfgaianqr
[2010/05/26 21:36:39 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\NtmsData
[2010/05/22 23:41:41 | 000,000,000 | ---D | C] -- C:\Program Files\NortonInstaller
[2010/05/22 23:41:41 | 000,000,000 | ---D | C] -- C:\Program Files\Data Protection
[2010/05/21 23:41:13 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\josh\Recent
[2010/05/21 23:27:58 | 000,000,000 | -H-D | C] -- C:\WINDOWS\System32\GroupPolicy
[2010/05/21 23:26:59 | 000,000,000 | ---D | C] -- C:\WINDOWS\PRAGMAdnfvxyrbcx
[2010/05/19 13:07:45 | 000,000,000 | ---D | C] -- C:\Documents and Settings\josh\Application Data\BoneTown
[2010/05/19 13:00:42 | 000,000,000 | ---D | C] -- C:\Program Files\BoneTown
[2010/05/17 13:48:40 | 000,000,000 | ---D | C] -- C:\Program Files\StepMania
[2010/05/09 21:05:40 | 000,000,000 | ---D | C] -- C:\World of Warcraft
[2010/05/06 22:27:04 | 000,000,000 | ---D | C] -- C:\Program Files\StarCraft II Beta 1
[2010/05/06 22:20:03 | 000,000,000 | ---D | C] -- C:\Program Files\StarCraft II Beta
[2010/05/06 22:20:03 | 000,000,000 | ---D | C] -- C:\Documents and Settings\josh\My Documents\StarCraft II Beta
[2010/05/06 20:42:24 | 000,000,000 | ---D | C] -- C:\Program Files\Starcraft 2
[18 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/06/04 03:53:32 | 010,747,904 | ---- | M] () -- C:\Documents and Settings\josh\NTUSER.DAT
[2010/06/03 21:50:47 | 000,016,608 | ---- | M] (Windows ® 2000 DDK provider) -- C:\WINDOWS\gdrv.sys
[2010/06/03 21:49:13 | 000,002,228 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/06/03 21:49:12 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/06/02 01:43:33 | 000,693,163 | ---- | M] () -- C:\Documents and Settings\josh\Desktop\1680x1080.jpg
[2010/06/01 02:17:26 | 000,153,376 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe
[2010/06/01 02:17:26 | 000,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe
[2010/06/01 02:17:26 | 000,145,184 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe
[2010/06/01 02:17:26 | 000,073,728 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javacpl.cpl
[2010/06/01 02:17:25 | 000,411,368 | ---- | M] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\deployJava1.dll
[2010/05/31 03:08:04 | 000,001,982 | ---- | M] () -- C:\Documents and Settings\josh\Desktop\HiJackThis.lnk
[2010/05/31 02:57:37 | 000,000,498 | ---- | M] () -- C:\WINDOWS\win.ini
[2010/05/31 02:57:37 | 000,000,246 | ---- | M] () -- C:\WINDOWS\SYSTEM.INI
[2010/05/31 02:57:37 | 000,000,237 | -HS- | M] () -- C:\boot.ini
[2010/05/31 02:49:29 | 000,015,944 | ---- | M] () -- C:\WINDOWS\System32\drivers\hitmanpro35.sys
[2010/05/31 02:49:11 | 000,001,663 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Hitman Pro 3.5.lnk
[2010/05/31 00:16:04 | 000,001,324 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2010/05/30 23:59:22 | 000,370,657 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2010/05/30 22:43:16 | 000,099,584 | ---- | M] (eSXi) -- C:\Documents and Settings\josh\Local Settings\Application Data\syssvc.exe
[2010/05/30 22:43:16 | 000,099,584 | ---- | M] (eSXi) -- C:\Documents and Settings\josh\Local Settings\Application Data\asam.exe
[2010/05/30 16:05:47 | 000,207,737 | ---- | M] () -- C:\WINDOWS\System32\nvapps.xml
[2010/05/30 16:05:47 | 000,000,007 | ---- | M] () -- C:\WINDOWS\treeskp.sys
[2010/05/30 16:05:47 | 000,000,007 | ---- | M] () -- C:\WINDOWS\sbacknt.bin
[2010/05/30 15:56:27 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/05/30 15:56:00 | 000,000,974 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-854245398-879983540-682003330-1003UA.job
[2010/05/30 03:53:00 | 000,000,336 | ---- | M] () -- C:\WINDOWS\tasks\PC Medkit.job
[2010/05/30 00:56:00 | 000,000,922 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-854245398-879983540-682003330-1003Core.job
[2010/05/28 13:29:09 | 000,393,210 | ---- | M] () -- C:\Documents and Settings\josh\Desktop\Crysis.jpg
[2010/05/27 13:35:42 | 000,044,864 | ---- | M] () -- C:\Documents and Settings\josh\Desktop\birds-shopped-or-not.jpg
[2010/05/27 03:09:21 | 000,062,592 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cdrom.sys
[2010/05/26 12:38:27 | 000,209,744 | ---- | M] () -- C:\Documents and Settings\josh\Desktop\time.jpg
[2010/05/26 12:38:00 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2010/05/22 23:34:26 | 000,024,936 | ---- | M] () -- C:\Documents and Settings\josh\Desktop\snes9x.conf
[2010/05/22 22:38:54 | 000,480,930 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010/05/22 22:38:54 | 000,082,630 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2010/05/22 22:37:14 | 000,001,789 | ---- | M] () -- C:\WINDOWS\System32\AUTOEXEC.NT
[2010/05/22 17:36:48 | 000,054,016 | ---- | M] () -- C:\WINDOWS\System32\drivers\ckogp.sys
[2010/05/22 17:27:29 | 000,153,110 | ---- | M] () -- C:\Documents and Settings\josh\Desktop\500x_hl2drew.jpg
[2010/05/22 10:44:20 | 000,054,016 | ---- | M] () -- C:\WINDOWS\System32\drivers\iyfn.sys
[2010/05/21 23:29:59 | 000,000,008 | RHS- | M] () -- C:\Documents and Settings\josh\ntuser.pol
[2010/05/17 11:59:52 | 000,128,553 | ---- | M] () -- C:\Documents and Settings\josh\Desktop\ss1002.jpg
[2010/05/17 07:44:39 | 000,019,465 | ---- | M] () -- C:\Documents and Settings\josh\Desktop\Resume.odt
[2010/05/17 07:43:08 | 000,019,458 | ---- | M] () -- C:\Documents and Settings\josh\My Documents\Resume.odt
[2010/05/14 13:31:13 | 000,054,730 | ---- | M] () -- C:\Documents and Settings\josh\Desktop\hmm.jpg
[2010/05/14 13:31:03 | 000,048,099 | ---- | M] () -- C:\Documents and Settings\josh\Desktop\rape.jpg
[2010/05/14 13:30:50 | 000,349,682 | ---- | M] () -- C:\Documents and Settings\josh\Desktop\lost.jpg
[2010/05/14 12:35:37 | 000,048,877 | ---- | M] () -- C:\Documents and Settings\josh\Desktop\a250f22fae0a9e733c936c22e5ee869103552a97_m.jpg
[2010/05/10 03:17:38 | 084,789,760 | ---- | M] () -- C:\Documents and Settings\josh\Desktop\SandBox.exe
[2010/05/09 22:41:57 | 000,000,918 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\World of Warcraft Beta.lnk
[2010/05/09 21:11:47 | 015,665,294 | ---- | M] () -- C:\Documents and Settings\josh\Desktop\Cataclysm 4.0.0 11927 enUS.rar
[2010/05/08 04:20:03 | 000,000,023 | ---- | M] () -- C:\Documents and Settings\josh\Desktop\SandBox.wtf
[2010/05/07 22:54:11 | 000,001,775 | ---- | M] () -- C:\Documents and Settings\josh\Desktop\Xpadder.ini
[2010/05/06 22:33:27 | 000,000,851 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\StarCraft II Beta.lnk
[2010/05/05 22:27:18 | 000,026,373 | ---- | M] () -- C:\Documents and Settings\josh\Desktop\scary-bunny.jpg
[18 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/06/02 01:43:32 | 000,693,163 | ---- | C] () -- C:\Documents and Settings\josh\Desktop\1680x1080.jpg
[2010/05/31 03:08:04 | 000,001,982 | ---- | C] () -- C:\Documents and Settings\josh\Desktop\HiJackThis.lnk
[2010/05/31 02:49:27 | 000,015,944 | ---- | C] () -- C:\WINDOWS\System32\drivers\hitmanpro35.sys
[2010/05/31 02:49:11 | 000,001,663 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Hitman Pro 3.5.lnk
[2010/05/28 13:29:08 | 000,393,210 | ---- | C] () -- C:\Documents and Settings\josh\Desktop\Crysis.jpg
[2010/05/27 13:35:42 | 000,044,864 | ---- | C] () -- C:\Documents and Settings\josh\Desktop\birds-shopped-or-not.jpg
[2010/05/26 12:38:26 | 000,209,744 | ---- | C] () -- C:\Documents and Settings\josh\Desktop\time.jpg
[2010/05/22 17:36:48 | 000,054,016 | ---- | C] () -- C:\WINDOWS\System32\drivers\ckogp.sys
[2010/05/22 17:27:28 | 000,153,110 | ---- | C] () -- C:\Documents and Settings\josh\Desktop\500x_hl2drew.jpg
[2010/05/22 10:44:20 | 000,054,016 | ---- | C] () -- C:\WINDOWS\System32\drivers\iyfn.sys
[2010/05/21 23:29:37 | 000,000,008 | RHS- | C] () -- C:\Documents and Settings\josh\ntuser.pol
[2010/05/20 14:04:09 | 000,007,857 | ---- | C] () -- C:\Documents and Settings\josh\hs_err_pid71464.log
[2010/05/17 11:59:52 | 000,128,553 | ---- | C] () -- C:\Documents and Settings\josh\Desktop\ss1002.jpg
[2010/05/17 07:44:39 | 000,019,465 | ---- | C] () -- C:\Documents and Settings\josh\Desktop\Resume.odt
[2010/05/17 07:43:07 | 000,019,458 | ---- | C] () -- C:\Documents and Settings\josh\My Documents\Resume.odt
[2010/05/14 13:31:12 | 000,054,730 | ---- | C] () -- C:\Documents and Settings\josh\Desktop\hmm.jpg
[2010/05/14 13:31:02 | 000,048,099 | ---- | C] () -- C:\Documents and Settings\josh\Desktop\rape.jpg
[2010/05/14 13:30:49 | 000,349,682 | ---- | C] () -- C:\Documents and Settings\josh\Desktop\lost.jpg
[2010/05/14 12:35:35 | 000,048,877 | ---- | C] () -- C:\Documents and Settings\josh\Desktop\a250f22fae0a9e733c936c22e5ee869103552a97_m.jpg
[2010/05/09 23:33:37 | 000,000,023 | ---- | C] () -- C:\Documents and Settings\josh\Desktop\SandBox.wtf
[2010/05/09 23:33:32 | 084,789,760 | ---- | C] () -- C:\Documents and Settings\josh\Desktop\SandBox.exe
[2010/05/09 22:42:24 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\driverinfo.txt
[2010/05/09 21:32:56 | 000,000,918 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\World of Warcraft Beta.lnk
[2010/05/09 21:32:09 | 015,665,294 | ---- | C] () -- C:\Documents and Settings\josh\Desktop\Cataclysm 4.0.0 11927 enUS.rar
[2010/05/06 22:37:09 | 000,001,775 | ---- | C] () -- C:\Documents and Settings\josh\Desktop\Xpadder.ini
[2010/05/06 22:20:03 | 000,000,851 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\StarCraft II Beta.lnk
[2010/05/05 22:27:17 | 000,026,373 | ---- | C] () -- C:\Documents and Settings\josh\Desktop\scary-bunny.jpg
[2010/04/07 10:31:07 | 000,000,007 | ---- | C] () -- C:\WINDOWS\treeskp.sys
[2009/11/06 11:58:04 | 000,178,975 | ---- | C] () -- C:\WINDOWS\System32\xlive.dll.cat
[2009/03/02 22:56:01 | 000,000,319 | ---- | C] () -- C:\WINDOWS\game.ini
[2009/02/11 00:19:06 | 000,000,033 | ---- | C] () -- C:\WINDOWS\GunzLauncher.INI
[2008/12/16 14:21:34 | 000,000,258 | ---- | C] () -- C:\WINDOWS\{789289CA-F73A-4A16-A331-54D498CE069F}_WiseFW.ini
[2008/11/06 09:37:32 | 003,596,288 | ---- | C] () -- C:\WINDOWS\System32\qt-dx331.dll
[2008/11/06 09:34:00 | 000,000,416 | ---- | C] () -- C:\WINDOWS\System32\dtu100.dll.manifest
[2008/11/06 09:34:00 | 000,000,416 | ---- | C] () -- C:\WINDOWS\System32\dpl100.dll.manifest
[2008/11/06 09:33:02 | 000,012,288 | ---- | C] () -- C:\WINDOWS\System32\DivXWMPExtType.dll
[2008/10/20 22:57:44 | 000,021,840 | ---- | C] () -- C:\WINDOWS\System32\SIntfNT.dll
[2008/10/20 22:57:44 | 000,017,212 | ---- | C] () -- C:\WINDOWS\System32\SIntf32.dll
[2008/10/20 22:57:44 | 000,012,067 | ---- | C] () -- C:\WINDOWS\System32\SIntf16.dll
[2008/10/12 22:40:04 | 000,000,461 | ---- | C] () -- C:\WINDOWS\SIERRA.INI
[2008/10/07 14:37:26 | 000,138,808 | ---- | C] () -- C:\WINDOWS\System32\drivers\PnkBstrK.sys
[2008/10/07 12:41:40 | 000,000,082 | ---- | C] () -- C:\WINDOWS\wb.ini
[2008/10/07 10:13:22 | 000,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelTraditionalChinese.dll
[2008/10/07 10:13:20 | 000,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelSwedish.dll
[2008/10/07 10:13:20 | 000,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelSpanish.dll
[2008/10/07 10:13:20 | 000,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelSimplifiedChinese.dll
[2008/10/07 10:13:20 | 000,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelPortugese.dll
[2008/10/07 10:13:20 | 000,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelKorean.dll
[2008/10/07 10:13:20 | 000,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelJapanese.dll
[2008/10/07 10:13:20 | 000,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelGerman.dll
[2008/10/07 10:13:20 | 000,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelFrench.dll
[2008/09/17 09:55:00 | 001,724,416 | ---- | C] () -- C:\WINDOWS\System32\nvwdmcpl.dll
[2008/09/17 09:55:00 | 001,507,328 | ---- | C] () -- C:\WINDOWS\System32\nview.dll
[2008/09/17 09:55:00 | 001,101,824 | ---- | C] () -- C:\WINDOWS\System32\nvwimg.dll
[2008/09/17 09:55:00 | 000,466,944 | ---- | C] () -- C:\WINDOWS\System32\nvshell.dll
[2008/09/17 09:55:00 | 000,286,720 | ---- | C] () -- C:\WINDOWS\System32\nvnt4cpl.dll
[2008/06/05 08:58:26 | 000,197,912 | ---- | C] () -- C:\WINDOWS\System32\physxcudart_20.dll
[2004/08/04 05:00:00 | 000,027,440 | ---- | C] () -- C:\WINDOWS\System32\drivers\secdrv.sys

========== Alternate Data Streams ==========

@Alternate Data Stream - 498 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:05EE1EEF
@Alternate Data Stream - 189 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2
@Alternate Data Stream - 109 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:A8ADE5D8
< End of report >


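As an added example (not code from this thread, from OTL, or from ComboFix), here is a small Python triage script for the kind of log posted above. It parses OTL file entries of the form `[date | size | attrs | C/M] (Company) -- path`, reads the resolvers off the O17 DhcpNameServer line, and cross-references paths against the "Other Deletions" list that ComboFix prints in the reply further down. The flagging rules (short all-letter driver names with no company string, executables sitting directly in Local Settings\Application Data) are assumptions made for this example, not criteria the helper stated, so a hit means "look here first", not "this is malware". The sample lines are copied from the OTL and ComboFix output in this thread.

```python
"""Triage helper for OTL / ComboFix log lines (added example, not code from the
thread, OTL or ComboFix).  OTL file lines look like
    [YYYY/MM/DD hh:mm:ss | size | attrs | C|M] (Company) -- path
where directory lines omit the "(Company)" part.  The flagging heuristics below
are assumptions of this example, not rules stated by the forum helper.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Iterable

OTL_ENTRY = re.compile(
    r"^\[(?P<stamp>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| (?P<size>[\d,]+) \| "
    r"(?P<attrs>[A-Z-]{4}) \| (?P<op>[CM])\] (?:\((?P<company>[^)]*)\) )?-- (?P<path>.+)$"
)
O17_DNS = re.compile(r"^O17 - .*DhcpNameServer = (?P<servers>[\d. ]+)$")
RANDOM_STEM = re.compile(r"^[a-z]{4,8}$")   # short all-letter stems such as "ckogp"


@dataclass
class Entry:
    stamp: str
    size: int
    attrs: str      # OTL attribute flags; a trailing "D" marks a directory
    op: str         # "C" = created, "M" = modified
    company: str    # "" when OTL prints "()" or omits the field
    path: str


def parse_otl(lines: Iterable[str]) -> list[Entry]:
    """One Entry per OTL file line; every other line (O-sections, banners) is ignored."""
    out: list[Entry] = []
    for line in lines:
        m = OTL_ENTRY.match(line.strip())
        if m:
            out.append(Entry(m["stamp"], int(m["size"].replace(",", "")), m["attrs"],
                             m["op"], m["company"] or "", m["path"]))
    return out


def dns_servers(lines: Iterable[str]) -> list[str]:
    """Resolvers from the O17 line, in order; compare with what the ISP should hand out."""
    for line in lines:
        m = O17_DNS.match(line.strip())
        if m:
            return m["servers"].split()
    return []


def combofix_deletions(text: str) -> set[str]:
    """Lower-cased paths between the 'Other Deletions' banner and the next prose line."""
    paths: set[str] = set()
    active = False
    for raw in text.splitlines():
        s = raw.strip()
        if "Other Deletions" in s:
            active = True
        elif active and re.match(r"^[A-Za-z]:\\", s):
            paths.add(s.lower())
        elif active and s and s != ".":
            break                      # first non-path, non-separator line ends the section
    return paths


def triage(entries: list[Entry], deleted: set[str]) -> dict[str, list[str]]:
    """Map path -> reasons for every file entry worth a closer look."""
    hits: dict[str, list[str]] = {}
    for e in entries:
        if e.attrs.endswith("D"):
            continue
        low = e.path.lower()
        parent, _, name = low.rpartition("\\")
        stem, _, ext = name.rpartition(".")
        reasons = []
        if parent.endswith("\\drivers") and ext == "sys" and not e.company and RANDOM_STEM.match(stem):
            reasons.append("driver with no company string and a random-looking name")
        if parent.endswith("\\local settings\\application data") and ext in ("exe", "dll"):
            reasons.append("executable dropped directly in Local Settings\\Application Data")
        if low in deleted:
            reasons.append("listed by ComboFix under 'Other Deletions'")
        if reasons:
            hits[e.path] = reasons
    return hits


# Sample input copied from the OTL and ComboFix output posted in this thread.
SAMPLE_OTL = r"""
[2010/06/01 02:17:41 | 000,411,368 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\deployJava1.dll
[2010/05/31 02:49:10 | 000,000,000 | ---D | C] -- C:\Program Files\Hitman Pro 3.5
[2010/05/30 22:44:16 | 000,099,584 | ---- | C] (eSXi) -- C:\Documents and Settings\josh\Local Settings\Application Data\asam.exe
[2010/05/30 22:43:14 | 000,099,584 | ---- | C] (eSXi) -- C:\Documents and Settings\josh\Local Settings\Application Data\syssvc.exe
[2010/05/31 02:49:29 | 000,015,944 | ---- | M] () -- C:\WINDOWS\System32\drivers\hitmanpro35.sys
[2010/05/22 17:36:48 | 000,054,016 | ---- | M] () -- C:\WINDOWS\System32\drivers\ckogp.sys
[2010/05/22 10:44:20 | 000,054,016 | ---- | M] () -- C:\WINDOWS\System32\drivers\iyfn.sys
[2010/05/27 03:09:21 | 000,062,592 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\cdrom.sys
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 76.85.229.110 76.85.229.111
"""
SAMPLE_COMBOFIX = r"""
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\josh\Local Settings\Application Data\asam.exe
c:\documents and settings\josh\Local Settings\Application Data\syssvc.exe
c:\windows\PRAGMAdnfvxyrbcx

Infected copy of c:\windows\system32\drivers\cdrom.sys was found and disinfected
"""


def run_sample() -> dict[str, list[str]]:
    return triage(parse_otl(SAMPLE_OTL.splitlines()), combofix_deletions(SAMPLE_COMBOFIX))


if __name__ == "__main__":
    for path, why in run_sample().items():
        print(path, "->", "; ".join(why))
    print("DhcpNameServer:", dns_servers(SAMPLE_OTL.splitlines()))
```

The cross-reference is the useful part: a path that both trips a heuristic and appears in ComboFix's deletion list is worth confirming on disk, while a heuristic hit that ComboFix left alone (hitmanpro35.sys is deliberately not flagged here because of the digits in its name, but a differently named legitimate driver could be) needs a hash lookup or signature check before anyone touches it.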
#6 Elise

  • Malware Study Hall Admin

Posted 05 June 2010 - 01:45 AM

Hi again,

Good news, I see why your internet isn't working :)

Please see if the following steps fix the issue, otherwise we'll do it manually.

COMBOFIX
---------------
Please download ComboFix from one of these locations:
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe and follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, or if you are running Vista, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

regards, Elise


Malware analyst @ Emsisoft


#7 Avron

  • Topic Starter

Posted 05 June 2010 - 04:51 PM

ComboFix 10-06-03.01 - josh 06/05/2010 14:34:14.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.3070.2730 [GMT -7:00]
Running from: c:\documents and settings\josh\My Documents\Downloads\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\josh\LOCALS~1\Temp\wscsvc32.exe
c:\documents and settings\josh\Application Data\Desktopicon
c:\documents and settings\josh\Application Data\Desktopicon\config.ini
c:\documents and settings\josh\Application Data\Microsoft\Internet Explorer\Quick Launch\Data Protection.lnk
c:\documents and settings\josh\Local Settings\Application Data\717340558.dll
c:\documents and settings\josh\Local Settings\Application Data\asam.exe
c:\documents and settings\josh\Local Settings\Application Data\pfgaianqr
c:\documents and settings\josh\Local Settings\Application Data\pfgaianqr\srovxjmtssd.exe
c:\documents and settings\josh\Local Settings\Application Data\syssvc.exe
C:\Install.exe
c:\program files\AskSearch\bin\DefaultSearch.dll
c:\program files\Data Protection
c:\program files\Data Protection\datext.dll
c:\windows\PRAGMAdnfvxyrbcx
c:\windows\PRAGMAdnfvxyrbcx\PRAGMAcfg.ini
c:\windows\PRAGMAdnfvxyrbcx\PRAGMAsrcr.dat

Infected copy of c:\windows\system32\drivers\cdrom.sys was found and disinfected
Restored copy from - Kitty had a snack :p
.
((((((((((((((((((((((((( Files Created from 2010-05-05 to 2010-06-05 )))))))))))))))))))))))))))))))
.

2010-06-01 09:17 . 2010-06-01 09:17 -------- d-----w- c:\program files\Common Files\Java
2010-06-01 09:17 . 2010-06-01 09:17 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-05-31 10:08 . 2010-05-31 10:08 388096 ----a-r- c:\documents and settings\josh\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-05-31 10:08 . 2010-05-31 10:08 -------- d-----w- c:\program files\Trend Micro
2010-05-31 09:49 . 2010-05-31 09:49 15944 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-05-31 09:49 . 2010-05-31 09:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro
2010-05-31 09:49 . 2010-05-31 09:49 -------- d-----w- c:\program files\Hitman Pro 3.5
2010-05-31 06:56 . 2010-05-31 06:56 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2010-05-31 06:55 . 2010-05-31 06:55 -------- d-----w- c:\documents and settings\Administrator\Application Data\Ventrilo
2010-05-31 06:52 . 2010-05-31 06:52 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-05-30 23:02 . 2010-05-30 23:02 -------- d-----w- c:\windows\system32\wbem\Repository
2010-05-27 04:36 . 2010-05-30 22:56 -------- d-----w- c:\windows\system32\NtmsData
2010-05-25 06:34 . 2010-05-25 06:34 48388 ----a-w- c:\documents and settings\All Users\Application Data\Blizzard Entertainment\Battle.net\Cache\Download\Scan.dll
2010-05-23 06:41 . 2010-05-23 06:41 -------- d-----w- c:\program files\NortonInstaller
2010-05-23 00:36 . 2010-05-23 00:36 54016 ----a-w- c:\windows\system32\drivers\ckogp.sys
2010-05-22 18:03 . 2010-05-22 18:03 -------- d-----w- c:\documents and settings\Liz\Application Data\Malwarebytes
2010-05-22 17:44 . 2010-05-22 17:44 54016 ----a-w- c:\windows\system32\drivers\iyfn.sys
2010-05-22 06:27 . 2010-05-22 06:27 -------- d--h--w- c:\windows\system32\GroupPolicy
2010-05-19 20:07 . 2010-05-19 20:17 -------- d-----w- c:\documents and settings\josh\Application Data\BoneTown
2010-05-19 20:01 . 2010-05-19 20:01 3774 ----a-r- c:\documents and settings\josh\Application Data\Microsoft\Installer\{5E7C721D-B008-4269-A1C4-2CE7E9757983}\controlPanelIcon.exe
2010-05-19 20:01 . 2010-05-19 20:01 3774 ----a-r- c:\documents and settings\josh\Application Data\Microsoft\Installer\{5E7C721D-B008-4269-A1C4-2CE7E9757983}\BoneTown.exe
2010-05-19 20:01 . 2010-05-19 20:01 10134 ----a-r- c:\documents and settings\josh\Application Data\Microsoft\Installer\{5E7C721D-B008-4269-A1C4-2CE7E9757983}\SystemFolder_msiexec.exe
2010-05-19 20:00 . 2010-05-19 20:04 -------- d-----w- c:\program files\BoneTown
2010-05-17 20:48 . 2010-05-17 20:55 -------- d-----w- c:\program files\StepMania
2010-05-10 04:05 . 2010-05-10 05:41 -------- d-----w- C:\World of Warcraft
2010-05-07 05:27 . 2010-05-07 05:28 -------- d-----w- c:\program files\StarCraft II Beta 1
2010-05-07 05:20 . 2010-05-25 06:33 -------- d-----w- c:\program files\StarCraft II Beta
2010-05-07 03:42 . 2010-05-07 03:42 -------- d-----w- c:\program files\Starcraft 2

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-05 21:33 . 2008-10-07 05:55 16608 ----a-w- c:\windows\gdrv.sys
2010-06-04 04:57 . 2008-10-07 09:44 -------- d-----w- c:\program files\World of Warcraft
2010-06-03 19:35 . 2004-08-04 12:00 62592 ----a-w- c:\windows\system32\drivers\cdrom.sys
2010-06-01 09:15 . 2008-11-04 23:27 -------- d-----w- c:\program files\Java
2010-05-31 07:16 . 2009-09-16 01:40 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2010-05-31 06:52 . 2009-06-02 18:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-05-30 23:06 . 2008-10-22 04:44 -------- d-----w- c:\program files\Steam
2010-05-30 23:05 . 2010-04-07 17:31 7 ----a-w- c:\windows\treeskp.sys
2010-05-30 23:05 . 2008-10-23 05:44 7 ----a-w- c:\windows\sbacknt.bin
2010-05-25 06:34 . 2009-08-21 02:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Blizzard Entertainment
2010-05-25 06:07 . 2009-02-16 10:23 -------- d-----w- c:\documents and settings\josh\Application Data\uTorrent
2010-05-24 23:22 . 2010-03-19 06:51 1 ----a-w- c:\documents and settings\josh\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2010-05-23 05:42 . 2008-10-09 07:41 25736 ----a-w- c:\documents and settings\Liz\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-05-22 06:47 . 2008-10-08 16:39 -------- d-----w- c:\program files\Yahoo!
2010-05-22 06:46 . 2010-02-08 08:45 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2010-05-22 06:46 . 2010-02-10 22:27 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-05-19 15:01 . 2008-10-09 06:06 -------- d-----w- c:\documents and settings\josh\Application Data\skypePM
2010-05-19 13:11 . 2008-10-09 06:04 -------- d-----w- c:\documents and settings\josh\Application Data\Skype
2010-05-10 22:23 . 2008-10-11 06:08 -------- d-----w- c:\documents and settings\josh\Application Data\U3
2010-05-10 05:41 . 2008-10-07 06:38 -------- d-----w- c:\program files\Common Files\Blizzard Entertainment
2010-05-01 20:17 . 2010-05-01 20:17 -------- d-----w- c:\program files\XBox 360 Controller for Windows Software
2010-05-01 08:13 . 2010-05-01 08:13 52224 ----a-w- c:\documents and settings\josh\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-05-01 08:13 . 2010-05-01 08:13 117760 ----a-w- c:\documents and settings\josh\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-05-01 08:13 . 2010-05-01 08:13 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-05-01 08:13 . 2010-05-01 08:13 65024 ----a-r- c:\documents and settings\josh\Application Data\Microsoft\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF15.exe
2010-05-01 08:13 . 2010-05-01 08:13 5120 ----a-r- c:\documents and settings\josh\Application Data\Microsoft\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF16.exe
2010-05-01 08:13 . 2010-05-01 08:13 18944 ----a-r- c:\documents and settings\josh\Application Data\Microsoft\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF13.exe
2010-05-01 08:13 . 2010-05-01 08:12 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-05-01 08:12 . 2010-05-01 08:12 -------- d-----w- c:\documents and settings\josh\Application Data\SUPERAntiSpyware.com
2010-05-01 08:12 . 2008-10-08 02:02 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-04-23 07:48 . 2008-10-07 05:32 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-04-23 07:39 . 2009-08-08 02:33 -------- d-----w- c:\documents and settings\josh\Application Data\JukeFly
2010-04-21 08:08 . 2010-04-12 04:09 -------- d-----w- c:\program files\Spyware Doctor
2010-04-21 07:40 . 2009-12-25 11:10 -------- d-----w- c:\program files\Google
2010-04-21 07:38 . 2009-05-05 17:02 -------- dc-h--w- c:\documents and settings\All Users\Application Data\~0
2010-04-18 21:23 . 2009-05-13 01:52 -------- d-----w- c:\documents and settings\Liz\Application Data\LimeWire
2010-04-17 18:33 . 2010-04-17 18:33 7390064 ----a-w- c:\documents and settings\Liz\Application Data\Blitware\PCMedkit\updates\2.4.0.0\pcmedkit_setup.exe
2010-04-16 00:19 . 2010-04-14 10:50 7387544 ----a-w- c:\documents and settings\Liz\Application Data\Blitware\PCMedkit\updates\2.3.0.9\pcmedkit_setup.exe
2010-04-15 15:18 . 2010-04-15 15:18 -------- d-----w- c:\documents and settings\josh\Application Data\Malwarebytes
2010-04-15 15:18 . 2010-04-15 15:18 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-15 15:18 . 2010-04-15 15:18 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-04-14 10:55 . 2010-04-14 10:55 61440 ----a-w- c:\documents and settings\Liz\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-2fc53ac5-n\decora-sse.dll
2010-04-14 10:55 . 2010-04-14 10:55 503808 ----a-w- c:\documents and settings\Liz\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-5c54c24a-n\msvcp71.dll
2010-04-14 10:55 . 2010-04-14 10:55 499712 ----a-w- c:\documents and settings\Liz\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-5c54c24a-n\jmc.dll
2010-04-14 10:55 . 2010-04-14 10:55 348160 ----a-w- c:\documents and settings\Liz\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-5c54c24a-n\msvcr71.dll
2010-04-14 10:55 . 2010-04-14 10:55 12800 ----a-w- c:\documents and settings\Liz\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-2fc53ac5-n\decora-d3d.dll
2010-04-13 22:38 . 2010-04-13 22:38 552 ----a-w- c:\windows\system32\d3d8caps.dat
2010-04-13 05:49 . 2010-04-13 05:49 -------- d-----w- c:\program files\Vent
2010-04-13 05:39 . 2008-12-16 21:21 -------- d-----w- c:\program files\Ventrilo
2010-04-12 04:36 . 2010-04-11 00:24 132804 ----a-w- c:\documents and settings\josh\Local Settings\Application Data\prvlcl.dat
2010-04-12 04:15 . 2010-04-12 04:09 -------- d-----w- c:\program files\Common Files\PC Tools
2010-04-12 04:09 . 2010-04-12 04:09 -------- d-----w- c:\documents and settings\josh\Application Data\PC Tools
2010-04-12 04:09 . 2010-04-12 04:09 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2010-04-11 22:53 . 2010-04-11 22:53 -------- d-----w- c:\documents and settings\Liz\Application Data\Blitware
2010-04-10 21:40 . 2010-04-10 21:40 -------- d-----w- c:\program files\AVG
2010-04-10 21:21 . 2008-10-07 05:55 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-04-07 17:31 . 2008-10-23 05:44 152904 ----a-w- c:\windows\system32\vghd.scr
2010-04-07 01:13 . 2008-10-07 05:59 5912096 ----a-w- c:\windows\system32\drivers\RtkHDAud.sys
2010-04-07 01:04 . 2010-04-15 20:52 358944 ----a-w- c:\windows\vncutil.exe
2010-04-07 01:04 . 2008-10-07 05:59 84512 ----a-w- c:\windows\SOUNDMAN.EXE
2010-04-07 01:04 . 2008-10-07 05:59 1833504 ----a-w- c:\windows\SkyTel.exe
2010-04-07 01:04 . 2010-04-15 20:52 51232 ----a-w- c:\windows\system32\RtkCoInstXP.dll
2010-04-07 01:04 . 2008-10-07 05:59 1489440 ----a-w- c:\windows\RtlUpd.exe
2010-04-07 01:04 . 2008-10-07 05:59 9721888 ----a-w- c:\windows\RTLCPL.EXE
2010-04-07 01:04 . 2010-04-15 20:52 129568 ----a-w- c:\windows\RtkAudioService.exe
2010-04-07 01:04 . 2008-10-07 05:59 19523104 ----a-w- c:\windows\RTHDCPL.EXE
2010-04-07 01:04 . 2008-10-07 05:59 2177568 ----a-w- c:\windows\MicCal.exe
2010-04-07 01:04 . 2008-10-07 05:59 2815520 ----a-w- c:\windows\ALCWZRD.EXE
2010-04-07 01:03 . 2008-10-07 05:59 64032 ----a-w- c:\windows\ALCMTR.EXE
2010-04-06 22:10 . 2010-01-28 01:38 -------- d-----w- c:\documents and settings\josh\Application Data\vlc
2010-04-05 16:53 . 2008-10-07 05:50 25736 ----a-w- c:\documents and settings\josh\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-04-01 16:06 . 2009-02-13 21:31 23877344 ----a-w- c:\documents and settings\josh\Application Data\vghd\Data\update\updater.exe
2010-03-30 07:46 . 2010-04-15 15:18 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-30 07:45 . 2010-04-15 15:18 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-22 21:22 . 2008-10-07 05:59 1247776 ----a-w- c:\windows\RtlExUpd.dll
2010-03-22 02:04 . 2010-03-22 02:04 503808 ----a-w- c:\documents and settings\josh\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-47bda27b-n\msvcp71.dll
2010-03-22 02:04 . 2010-03-22 02:04 499712 ----a-w- c:\documents and settings\josh\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-47bda27b-n\jmc.dll
2010-03-22 02:04 . 2010-03-22 02:04 348160 ----a-w- c:\documents and settings\josh\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-47bda27b-n\msvcr71.dll
2010-03-22 02:04 . 2010-03-22 02:04 61440 ----a-w- c:\documents and settings\josh\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-634513f3-n\decora-sse.dll
2010-03-22 02:04 . 2010-03-22 02:04 12800 ----a-w- c:\documents and settings\josh\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-634513f3-n\decora-d3d.dll
2010-03-12 08:47 . 2008-10-07 09:18 94507 ----a-w- c:\windows\War3Unin.dat
2010-03-10 08:02 . 2004-08-04 12:00 417792 ----a-w- c:\windows\system32\vbscript.dll
2009-03-04 11:35 . 2009-03-04 11:35 541 ----a-w- c:\program files\Shortcut to EVGA Precision.lnk
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{3041d03e-fd4b-44e0-b742-2d9b88305f98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2009-04-02 333192]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{3041D03E-FD4B-44E0-B742-2D9B88305F98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2009-04-02 333192]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Steam"="c:\program files\steam\steam.exe" [2010-05-08 1238352]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-27 3883856]
"AdobeUpdater"="c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2008-09-26 2356088]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2010-04-07 19523104]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-02-18 13680640]
"HitmanPro35"="c:\program files\Hitman Pro 3.5\HitmanPro35.exe" [2010-05-31 5937984]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]

c:\documents and settings\josh\Start Menu\Programs\Startup\
OpenOffice.org 3.2.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2009-12-15 384000]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WB]
2001-12-21 06:34 24576 ----a-w- c:\program files\Stardock\Object Desktop\ThemeManager\fastload.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"StyleXPService"=2 (0x2)
"ITMRTSVC"=2 (0x2)
"idsvc"=3 (0x3)
"getPlus® Helper"=3 (0x3)
"DAUpdaterSvc"=3 (0x3)
"Browser Defender Update Service"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\GIGABYTE\\EnergySaver\\run.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\Steam\\steamapps\\hellmarine198\\counter-strike source\\hl2.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe"=
"c:\\Program Files\\Steam\\steamapps\\hell_marine\\insurgency\\hl2.exe"=
"c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Civilization4.exe"=
"c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Warlords\\Civ4Warlords.exe"=
"c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Warlords\\Civ4Warlords_PitBoss.exe"=
"c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Beyond the Sword\\Civ4BeyondSword.exe"=
"c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Beyond the Sword\\Civ4BeyondSword_PitBoss.exe"=
"c:\\Program Files\\Steam\\steamapps\\hell_marine\\source sdk base 2007\\hl2.exe"=
"c:\\Program Files\\Steam\\steamapps\\hell_marine\\source sdk base\\hl2.exe"=
"c:\\Program Files\\Steam\\steamapps\\hell_marine\\half-life\\hl.exe"=
"c:\\Program Files\\Steam\\steamapps\\hell_marine\\day of defeat source\\hl2.exe"=
"\\\\ZOMBIE\\D\\Games\\Bethesda Softworks\\Morrowind\\Bamf.exe"=
"c:\\Program Files\\Infogrames Interactive\\Majesty - Gold Edition\\MajX\\MajX.exe"=
"c:\\WINDOWS\\system32\\dplaysvr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Steam\\steamapps\\hellmarine198\\source sdk base 2007\\hl2.exe"=
"c:\\Program Files\\Steam\\Steam.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\left 4 dead demo\\left4dead.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Electronic Arts\\Battlefield 2142\\BF2142.exe"=
"c:\\Program Files\\JukeFly\\JukeFly.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"c:\\Nexon\\Combat Arms\\NMService.exe"=
"c:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"c:\\Riot Games\\League of Legends\\air\\LolClient.exe"=
"c:\\Riot Games\\League of Legends\\game\\League of Legends.exe"=
"c:\\Program Files\\Dragon Age\\bin_ship\\daorigins.exe"=
"c:\\Program Files\\Dragon Age\\DAOriginsLauncher.exe"=
"c:\\Program Files\\Dragon Age\\bin_ship\\daupdatersvc.service.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\bioshock 2\\SP\\Builds\\Binaries\\Bioshock2Launcher.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\bioshock 2\\MP\\Builds\\Binaries\\Bioshock2Launcher.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\left 4 dead\\left4dead.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\spellforce 2 gold edition\\spellforce2.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\r.u.s.e. beta\\Ruse.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\call of duty modern warfare 2\\iw4mp.exe"=
"c:\\Program Files\\Vent\\Ventrilo.exe"=
"c:\\Program Files\\Electronic Arts\\EADM\\Core.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\torchlight\\Torchlight.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\torchlight\\TorchED\\Editor.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\left 4 dead 2\\left4dead2.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724
"57923:TCP"= 57923:TCP:Pando Media Booster
"57923:UDP"= 57923:UDP:Pando Media Booster
"8370:TCP"= 8370:TCP:League of Legends Launcher
"8370:UDP"= 8370:UDP:League of Legends Launcher
"8371:TCP"= 8371:TCP:League of Legends Launcher
"8371:UDP"= 8371:UDP:League of Legends Launcher
"8372:TCP"= 8372:TCP:League of Legends Launcher
"8372:UDP"= 8372:UDP:League of Legends Launcher
"6941:TCP"= 6941:TCP:League of Legends Launcher
"6941:UDP"= 6941:UDP:League of Legends Launcher
"6979:TCP"= 6979:TCP:League of Legends Launcher
"6979:UDP"= 6979:UDP:League of Legends Launcher
"6994:TCP"= 6994:TCP:League of Legends Launcher
"6994:UDP"= 6994:UDP:League of Legends Launcher
"6935:TCP"= 6935:TCP:League of Legends Launcher
"6935:UDP"= 6935:UDP:League of Legends Launcher

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [4/11/2010 9:09 PM 207280]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 11:25 AM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [4/27/2010 5:30 PM 61440]
R2 GEST Service;GEST Service for program management.;c:\program files\GIGABYTE\EnergySaver\GSvr.exe [10/6/2008 10:55 PM 80392]
R3 ManyCam;ManyCam Virtual Webcam, WDM Video Capture Driver;c:\windows\system32\drivers\ManyCam.sys [1/14/2008 3:06 AM 21632]
S0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [10/7/2008 2:45 PM 717296]
S2 ASKUpgrade;ASKUpgrade;c:\program files\AskBarDis\bar\bin\ASKUpgrade.exe [5/12/2009 7:01 PM 234888]
S2 gupdate;Google Update Service (gupdate);"c:\program files\Google\Update\GoogleUpdate.exe" /svc --> c:\program files\Google\Update\GoogleUpdate.exe [?]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [4/15/2010 1:52 PM 1691480]
S3 GarenaPEngine;GarenaPEngine;\??\c:\docume~1\josh\LOCALS~1\Temp\WIZ7C.tmp --> c:\docume~1\josh\LOCALS~1\Temp\WIZ7C.tmp [?]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 PPCtlPriv;PPCtlPriv;c:\program files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe [11/17/2008 2:32 PM 185584]
S3 RTCore32;RTCore32;\??\c:\program files\EVGA Precision\RTCore32.sys --> c:\program files\EVGA Precision\RTCore32.sys [?]
S4 Browser Defender Update Service;Browser Defender Update Service;"c:\program files\Spyware Doctor\BDT\BDTUpdateService.exe" --> c:\program files\Spyware Doctor\BDT\BDTUpdateService.exe [?]
S4 DAUpdaterSvc;Dragon Age: Origins - Content Updater;c:\program files\Dragon Age\bin_ship\daupdatersvc.service.exe [11/11/2009 3:01 PM 25832]
.
Contents of the 'Scheduled Tasks' folder

2010-05-26 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 20:34]

2010-04-11 c:\windows\Tasks\CAAntiSpywareScan_Daily as josh at 1 32 PM.job
- c:\program files\CA\CA Internet Security Suite\CA Anti-Spyware\CAAntiSpyware.exe [2008-11-17 21:34]

2010-05-30 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-854245398-879983540-682003330-1003Core.job
- c:\documents and settings\josh\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-04-21 07:51]

2010-05-30 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-854245398-879983540-682003330-1003UA.job
- c:\documents and settings\josh\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-04-21 07:51]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://```````````````````````````````````/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
FF - ProfilePath - c:\documents and settings\josh\Application Data\Mozilla\Firefox\Profiles\xa9byajt.default\
FF - plugin: c:\documents and settings\All Users\Application Data\NexonUS\NGM\npNxGameUS.dll
FF - plugin: c:\documents and settings\josh\Application Data\Move Networks\plugins\npqmp071505000010.dll
FF - plugin: c:\documents and settings\josh\Application Data\Move Networks\plugins\npqmp071701000002.dll
FF - plugin: c:\documents and settings\josh\Application Data\Mozilla\plugins\npoctoshape.dll
FF - plugin: c:\documents and settings\josh\Local Settings\Application Data\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npPandoWebInst.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.
- - - - ORPHANS REMOVED - - - -

AddRemove-12bbe590-c890-11d9-9669-0800200c9a66_is1 - c:\program files\Turbine\The Lord of the Rings Online\Uninstall.exe
AddRemove-ESForces - c:\program files\Steam\steamapps\hellmarine198\half-life\esf_openbeta\uninstall.exe
AddRemove-Warmonger - c:\program files\Netdevil\Warmonger\uninstall.exe
AddRemove-NokiaFREE Unlock Codes Calculator - c:\program files\NokiaFREE Unlock Codes Calculator\uninst.exe
AddRemove-NSS - c:\program files\NortonInstaller\{397E31AA-0D78-4649-A01C-339D73A2ED35}\NSS\LicenseType\2.7.0.52\InstStub.exe
AddRemove-Precision - c:\program files\EVGA Precision\uninstall.exe
AddRemove-Urban Terror_is1 - c:\program files\UrbanTerror\unins000.exe
AddRemove-Yahoo! Companion - c:\progra~1\Yahoo!\Common\UNYT_W~1.EXE
AddRemove-Yahoo! Toolbar - c:\progra~1\Yahoo!\Common\UNYT_W~1.EXE



**************************************************************************
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet010\Services\GarenaPEngine]
"ImagePath"="\??\c:\docume~1\josh\LOCALS~1\Temp\WIZ7C.tmp"

[HKEY_LOCAL_MACHINE\System\ControlSet010\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-854245398-879983540-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID]
@Denied: (Full) (LocalSystem)
"{20D04FE0-3AEA-1069-A2D8-08002B30309D}"="c:\\WINDOWS\\System32\\shell32.dll,15"
"{992CFFA0-F557-101A-88EC-00DD010CCC48}"="c:\\WINDOWS\\system32\\SHELL32.dll,17"
"{208D2C60-3AEA-1069-A2D7-08002B30309D}"="c:\\WINDOWS\\system32\\SHELL32.dll,17"
"{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}"="c:\\WINDOWS\\system32\\shell32.dll,22"
"{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}"="c:\\WINDOWS\\system32\\shell32.dll,23"
"{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}"="c:\\WINDOWS\\system32\\shell32.dll,24"
"{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="c:\\WINDOWS\\system32\\shell32.dll,-175"
"{21EC2020-3AEA-1069-A2DD-08002B30309D}"="c:\\WINDOWS\\System32\\shell32.dll,-137"
"{2227A280-3AEA-1069-A2DE-08002B30309D}"="c:\\WINDOWS\\System32\\shell32.dll,-138"
"{D20EA4E1-3957-11d2-A40B-0C5020524152}"="c:\\WINDOWS\\system32\\shell32.dll,38"
"AudioCD"="c:\\WINDOWS\\System32\\shell32.dll,40"
"{FBF23B42-E3F0-101B-8488-00AA003E56F8}"="c:\\WINDOWS\\system32\\shell32.dll,220"
"{450D8FBA-AD25-11D0-98A8-0800361B1103}"="c:\\WINDOWS\\system32\\mydocs.dll,0"
"{D20EA4E1-3957-11d2-A40B-0C5020524153}"="c:\\WINDOWS\\system32\\main.cpl,10"
"{E211B736-43FD-11D1-9EFB-0000F8757FCD}"="c:\\WINDOWS\\system32\\wiashext.dll,0"
"{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="c:\\WINDOWS\\system32\\mstask.dll,-100"
"{88C6C381-2E85-11D0-94DE-444553540000}"="c:\\WINDOWS\\System32\\occache.dll,0"
"{BDEADF00-C265-11d0-BCED-00A0C90AB50F}"="c:\\Program Files\\COMMON~1\\MICROS~1\\WEBFOL~1\\MSONSEXT.DLL,0"
"{FF393560-C2A7-11CF-BFF4-444553540000}"="c:\\WINDOWS\\System32\\shdocvw.dll,-20785"
"{F5175861-2688-11d0-9C5E-00AA00A45957}"="c:\\WINDOWS\\System32\\webcheck.dll,0"
"{85BBD920-42A0-1069-A2E4-08002B30309D}"="c:\\WINDOWS\\system32\\syncui.dll,0"

[HKEY_USERS\S-1-5-21-854245398-879983540-682003330-1003\Software\SecuROM\License information*]
"datasecu"=hex:2c,40,bb,1a,bf,f4,da,26,53,2a,6d,4f,7b,36,00,8f,b6,ba,e4,b7,23,
7c,ee,9b,fb,30,42,78,5b,bc,3b,8f,38,4d,fa,4f,bc,56,83,39,ed,f6,26,80,43,85,\
"rkeysecu"=hex:6d,fa,28,11,2a,d4,a8,a4,79,0f,ba,61,a7,98,28,3c
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(748)
c:\program files\Stardock\Object Desktop\ThemeManager\fastload.dll
.
Completion time: 2010-06-05 14:50:37
ComboFix-quarantined-files.txt 2010-06-05 21:50

Pre-Run: 42,033,324,032 bytes free
Post-Run: 43,235,086,336 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
c:\wubildr.mbr="Ubuntu"

Current=10 Default=10 Failed=9 LastKnownGood=11 Sets=1,2,3,4,5,6,7,8,9,10,11
- - End Of File - - FD4166AD52F82DEE6205E46A9344041B


#8 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,243 posts
  • ONLINE
  • Gender:Female
  • Location:Romania
  • Local time:09:59 AM

Posted 06 June 2010 - 01:39 AM

Hello again,

You had two nasty rootkits there. Please consider the following information first.

BACKDOOR WARNING
------------------------------
One or more of the identified infections is known to use a backdoor.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would advise you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the infection has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.


CF-SCRIPT
-------------
We need to execute a CF-script.
  • Close any open browsers.
  • Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
  • Click Start > Run and in the box that opens type notepad and press enter. Copy/paste the text in the codebox below into it:
    RegLock::
    [HKEY_USERS\S-1-5-21-854245398-879983540-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID]

Save this as CFScript.txt, in the same location as ComboFix.exe



Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.


How is your internet now? As far as I can see it should be running now (ComboFix was able to download the Recovery Console).

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."


Malware analyst @ Emsisoft


#9 Elise

Posted 10 June 2010 - 06:19 AM

Hello, are you still there?

regards, Elise



#10 Avron

Posted 11 June 2010 - 05:10 AM

Was unable to get on the internet for a bit, sorry. Will have a log posted shortly.

#11 Elise

Posted 11 June 2010 - 05:20 AM

Okay, I will wait for that.

regards, Elise



#12 Elise

Posted 15 June 2010 - 05:56 AM

Hello, are you still there?

regards, Elise



#13 Elise

Posted 25 June 2010 - 09:01 AM

Due to lack of feedback, this topic is now closed.

If you are the original topic starter and you need this topic reopened, please send me a PM.

Everyone else, please start a new topic.

regards, Elise

