Search results redirected, random popups


  • This topic is locked
23 replies to this topic

#1 ohazard

  • Members
  • 14 posts
  • OFFLINE
  • Gender:Male
  • Location:Maryland
  • Local time:08:51 PM

Posted 22 July 2010 - 08:06 AM

About two weeks ago, I was infected with some sort of malware. An early scan using some sort of anti-spyware software said it was TDSS rootkit so I used an AntiTDSS remover (I don't remember which one) to get rid of it. I still had problems with my search results and several anti-malware sites were blocked as well. Eventually, I was able to use a combination of Avira and Malwarebytes Anti-Malware (with updates I downloaded with my wife's computer since mine was blocked) to (apparently) get rid of the malware. During that process, I had unplugged a zip drive and a thumb drive.

Later in the week, I plugged in the thumb drive and later still the zip drive. This past weekend, I got a warning from Avira that there was evidence of a virus again. I noticed once again that my search results were being redirected so I did another update of MBAM from my wife's computer (which wasn't infected at the time) and ran a scan. This time, however, MBAM did not detect anything amiss. Subsequently, I've tried numerous other cleaners including Spybot Search & Destroy, SuperAntiSpyware (which found some adware), F-Secure scan (which found several Trojans) and possibly some others.

In the interim, it appears that my wife's laptop has also become infected with something that is redirecting her search results and MBAM and Avira haven't detected it either. I have not tried the other anti-malware packages on it yet pending fixing my desktop.

I have run RKUnhookerLE.EXE and saved a report as well but I can't see anything amiss with it. It did have a message about there being possible problems but I read that that is a common message for some benign objects as well.

I tried to run gmer several times but always, it either freezes up or restarts my computer before it is finished and creates a log. I have noticed in my Task Manager a process, lsass.exe, that seems to be going crazy whenever I run gmer. I don't know if it is related to the problem or if there is some other way to fix this problem. At any rate, I can't post a gmer log until I can get it to run to completion.

I am attaching the Attach.txt from dds.scr and Report.txt from RKUnhooker.

Here is my DDS.txt output:


DDS (Ver_10-03-17.01) - NTFSx86
Run by Owner at 3:00:43.29 on Thu 07/22/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_21
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3071.2384 [GMT -4:00]

AV: AntiVir Desktop *On-access scanning disabled* (Outdated) {AD166499-45F9-482A-A743-FDD3350758C7}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\WINDOWS\LTMSG.exe
svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\Program Files\Bonjour\mDNSResponder.exe
c:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
C:\Program Files\Logitech\Gaming Software\LWEMon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPZipm12.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Documents and Settings\Owner\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com
uSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://www.yahoo.com
uSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
mDefault_Page_URL = hxxp://www.yahoo.com
mStart Page = hxxp://www.yahoo.com
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:5577
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
TB: {4E7BD74F-2B8D-469E-D0FC-E57AF4D5FA7D} - No File
TB: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
TB: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [Messenger (Yahoo!)] "c:\program files\yahoo!\messenger\YahooMessenger.exe" -quiet
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [BluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
mRun: [SoundMAXPnP] c:\program files\analog devices\soundmax\SMax4PNP.exe
mRun: [SoundMAX] "c:\program files\analog devices\soundmax\Smax4.exe" /tray
mRun: [RoxioEngineUtility] "c:\program files\common files\roxio shared\system\EngUtil.exe"
mRun: [RoxioDragToDisc] "c:\program files\roxio\easy cd creator 6\dragtodisc\DrgToDsc.exe"
mRun: [RoxioAudioCentral] "c:\program files\roxio\easy cd creator 6\audiocentral\RxMon.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [LTMSG] LTMSG.exe 7
mRun: [<NO NAME>]
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [CanonMyPrinter] c:\program files\canon\myprinter\BJMyPrt.exe /logon
mRun: [CanonSolutionMenu] c:\program files\canon\solutionmenu\CNSLMAIN.exe /logon
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [Start WingMan Profiler] c:\program files\logitech\gaming software\LWEMon.exe /noui
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
dRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NVMCTRAY.DLL,NvTaskbarInit
mPolicies-system: EnableLUA = 0 (0x0)
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: cmphotocenter.com\www
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: vzTCPConfig - hxxps://essentialsandextras.verizon.com/whatsnext/mainweb_js/vzTCPConfig.CAB
DPF: {01113300-3E00-11D2-8470-0060089874ED} - hxxps://activatemyfios.verizon.net/sdcCommon/download/FIOS/Verizon%20FiOS%20Installer.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {1851174C-97BD-4217-A0CC-E908F60D5B7A} - hxxps://h50203.www5.hp.com/HPISWeb/Customer/cabs/HPISDataManager.CAB
DPF: {33415AC7-AFFA-4D55-B41C-C64C0D07DFCA} - hxxp://h50203.www5.hp.com/HPISWeb/Customer/cabs/HPISWebManager.CAB
DPF: {34F12AFD-E9B5-492A-85D2-40FA4535BE83} - hxxp://www.symantec.com/techsupp/activedata/nprdtinf.cab
DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc3.cab
DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} - hxxps://www-secure.symantec.com/techsupp/asa/ss/sa/sa_cabs/tgctlsr.cab
DPF: {549F957E-2F89-11D6-8CFE-00C04F52B225} - hxxp://www112.coolsavings.com/download/cscmv5X.cab
DPF: {60EFC337-15C2-4369-B2A0-3429B071D8B8} - hxxp://h50203.www5.hp.com/HPISWeb/Customer/cabs/HPISWebManager.CAB
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1111145944343
DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} - hxxps://webdl.symantec.com/activex/symdlmgr.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1147826590435
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} - hxxp://a19.g.akamai.net/7/19/7125/1450/ftp.coupons.com/r3302/cpbrkpie.cab
DPF: {C915801D-6F00-49CD-8A9A-8DE5C11ADDC1} - hxxp://www.cmphotocenter.com/is/DragDropUploader.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Name-Space Handler: ftp\* - {419A0123-4312-1122-A0C0-434FDA6DA542} - c:\program files\coreftp\pftpns.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\gtu1xqnu.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-msgr&p=
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-&p=
FF - component: c:\documents and settings\owner\application data\mozilla\firefox\profiles\gtu1xqnu.default\extensions\{6e098d65-7d2d-46d4-ada0-2f882a29f795}\platform\winnt_x86-msvc\components\libchm.dll
FF - component: c:\program files\real\realplayer\browserrecord\firefox\ext\components\nprpffbrowserrecordext.dll
FF - plugin: c:\documents and settings\owner\application data\facebook\npfbplugin_1_0_1.dll
FF - plugin: c:\documents and settings\owner\application data\move networks\plugins\npqmp071503000010.dll
FF - plugin: c:\documents and settings\owner\application data\move networks\plugins\npqmp071705000014.dll
FF - plugin: c:\program files\canon\easy-photoprint ex\NPEZFFPI.DLL
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npyaxmpb.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: XULRunner: {3DABE8F6-36A7-4769-81C2-0250D4118676} - c:\documents and settings\owner\local settings\application data\{3DABE8F6-36A7-4769-81C2-0250D4118676}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true);user_pref(yahoo.ytff.general.dontshowhpoffer, true
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 1UnHooker;1UnHooker;c:\windows\system32\drivers\1UnHooker.sys [2010-3-2 22016]
R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2010-7-9 11608]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2010-7-9 135336]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2010-7-9 267432]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2010-7-9 60936]
R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
S1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 KillTheHooker;KillTheHooker;\??\d:\tdl3 razor\tizerbruteforceex.sys --> d:\tdl3 razor\TizerBruteForceEx.sys [?]
S3 DNSFILT;DNSFILT;\??\c:\windows\system32\drivers\dnsfilt.sys --> c:\windows\system32\drivers\DNSFILT.SYS [?]
S3 FWFILT;FWFILT;\??\c:\windows\system32\drivers\fwfilt.sys --> c:\windows\system32\drivers\FWFILT.SYS [?]
S3 HPZs2k12;Storage Class Driver for IEEE-1284.4 (HPZ12);c:\windows\system32\drivers\hpzs2k12.sys [2003-11-23 50424]
S3 HTTPFILT;HTTPFILT;\??\c:\windows\system32\drivers\httpfilt.sys --> c:\windows\system32\drivers\HTTPFILT.SYS [?]
S3 mdxgthkn;mdxgthkn;\??\c:\docume~1\owner\locals~1\temp\mdxgthkn.sys --> c:\docume~1\owner\locals~1\temp\mdxgthkn.sys [?]
S3 NPF;Netgroup Packet Filter;c:\windows\system32\drivers\npf.sys [2009-11-23 0]
S3 Revoflt;Revoflt;c:\windows\system32\drivers\revoflt.sys [2010-7-9 27064]
S3 SYMFILT;SYMFILT;\??\c:\windows\system32\drivers\symfilt.sys --> c:\windows\system32\drivers\SYMFILT.SYS [?]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]

=============== Created Last 30 ================

2010-07-21 16:36:06 0 d-----w- c:\docume~1\owner\applic~1\SUPERAntiSpyware.com
2010-07-21 16:36:06 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2010-07-21 16:35:40 0 d-----w- c:\program files\SUPERAntiSpyware
2010-07-21 03:50:27 4194347 ----a-w- c:\windows\pfirewall.log.old
2010-07-19 11:59:13 0 d-----w- c:\docume~1\owner\applic~1\Uniblue
2010-07-19 01:49:24 0 d-----w- c:\program files\Spybot - Search & Destroy
2010-07-19 01:49:24 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2010-07-13 18:15:00 0 d-----w- c:\docume~1\owner\applic~1\Chaos Software
2010-07-13 18:15:00 0 d-----w- c:\docume~1\alluse~1\applic~1\Chaos Software
2010-07-12 19:06:07 0 d-----w- c:\program files\CCleaner
2010-07-12 11:22:20 0 d-----w- c:\docume~1\owner\applic~1\Malwarebytes
2010-07-12 11:22:06 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-07-12 11:22:02 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-07-12 11:22:01 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-07-11 23:00:32 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-07-11 22:53:14 116224 -c--a-w- c:\windows\system32\dllcache\xrxwiadr.dll
2010-07-11 22:53:13 23040 -c--a-w- c:\windows\system32\dllcache\xrxwbtmp.dll
2010-07-11 22:53:12 27648 -c--a-w- c:\windows\system32\dllcache\xrxftplt.exe
2010-07-11 22:53:12 18944 -c--a-w- c:\windows\system32\dllcache\xrxscnui.dll
2010-07-11 22:53:11 4608 -c--a-w- c:\windows\system32\dllcache\xrxflnch.exe
2010-07-11 22:52:36 99865 -c--a-w- c:\windows\system32\dllcache\xlog.exe
2010-07-11 22:52:35 28288 -c--a-w- c:\windows\system32\dllcache\xjis.nls
2010-07-11 22:52:35 16970 -c--a-w- c:\windows\system32\dllcache\xem336n5.sys
2010-07-11 22:52:32 19455 -c--a-w- c:\windows\system32\dllcache\wvchntxx.sys
2010-07-11 22:52:24 12063 -c--a-w- c:\windows\system32\dllcache\wsiintxx.sys
2010-07-11 22:52:22 8192 -c--a-w- c:\windows\system32\dllcache\wshirda.dll
2010-07-11 22:51:30 8832 -c--a-w- c:\windows\system32\dllcache\wmiacpi.sys
2010-07-11 22:51:24 34890 -c--a-w- c:\windows\system32\dllcache\wlandrv2.sys
2010-07-11 22:51:24 154624 -c--a-w- c:\windows\system32\dllcache\wlluc48.sys
2010-07-11 22:51:15 771581 -c--a-w- c:\windows\system32\dllcache\winacisa.sys
2010-07-11 22:51:09 87040 -c--a-w- c:\windows\system32\dllcache\wiafbdrv.dll
2010-07-11 22:51:09 53760 -c--a-w- c:\windows\system32\dllcache\wiamsmud.dll
2010-07-11 22:51:05 701386 -c--a-w- c:\windows\system32\dllcache\wdhaalba.sys
2010-07-11 22:51:04 23615 -c--a-w- c:\windows\system32\dllcache\wch7xxnt.sys
2010-07-11 22:51:02 35871 -c--a-w- c:\windows\system32\dllcache\wbfirdma.sys
2010-07-11 22:51:02 31744 -c--a-w- c:\windows\system32\dllcache\wceusbsh.sys
2010-07-11 22:49:57 4992 -c--a-w- c:\windows\system32\dllcache\toside.sys
2010-07-11 22:48:59 6784 -c--a-w- c:\windows\system32\dllcache\smbhc.sys
2010-07-11 22:47:57 75392 -c--a-w- c:\windows\system32\dllcache\s3savmxm.sys
2010-07-11 22:46:59 83748 -c--a-w- c:\windows\system32\dllcache\prcp.nls
2010-07-11 22:45:49 51552 -c--a-w- c:\windows\system32\dllcache\ntgrip.sys
2010-07-11 22:44:58 49024 -c--a-w- c:\windows\system32\dllcache\mstape.sys
2010-07-11 22:44:55 12416 -c--a-w- c:\windows\system32\dllcache\msriffwv.sys
2010-07-11 22:44:46 2944 -c--a-w- c:\windows\system32\dllcache\msmpu401.sys
2010-07-11 22:44:44 22016 -c--a-w- c:\windows\system32\dllcache\msircomm.sys
2010-07-11 22:44:43 98304 -c--a-w- c:\windows\system32\dllcache\msir3jp.dll
2010-07-11 22:44:43 1875968 -c--a-w- c:\windows\system32\dllcache\msir3jp.lex
2010-07-11 22:44:20 35200 -c--a-w- c:\windows\system32\dllcache\msgame.sys
2010-07-11 22:44:18 6016 -c--a-w- c:\windows\system32\dllcache\msfsio.sys
2010-07-11 22:44:10 17280 -c--a-w- c:\windows\system32\dllcache\mraid35x.sys
2010-07-11 22:42:45 6144 -c--a-w- c:\windows\system32\dllcache\kbd106.dll
2010-07-11 22:41:58 372824 -c--a-w- c:\windows\system32\dllcache\iconf32.dll
2010-07-11 22:40:59 36864 -c--a-w- c:\windows\system32\dllcache\hanjadic.dll
2010-07-11 22:39:59 347550 -c--a-w- c:\windows\system32\dllcache\es56tpi.sys
2010-07-11 22:38:58 419357 -c--a-w- c:\windows\system32\dllcache\dgconfig.dll
2010-07-11 22:37:59 838144 -c--a-w- c:\windows\system32\dllcache\chtbrkr.dll
2010-07-11 22:36:59 32256 -c--a-w- c:\windows\system32\dllcache\brmfrsmg.exe
2010-07-11 22:35:59 24576 -c--a-w- c:\windows\system32\dllcache\agcgauge.ax
2010-07-11 22:34:58 66048 -c--a-w- c:\windows\system32\dllcache\s3legacy.dll
2010-07-11 20:30:07 42 ----a-w- c:\windows\system32\AK083E209605E394C.lie
2010-07-11 02:38:05 0 d-----w- c:\windows\E80F62FF5D3C4A1984099721F2928206.TMP
2010-07-11 02:37:51 0 d-----w- c:\docume~1\owner\applic~1\Avira
2010-07-09 23:26:41 27064 ----a-w- c:\windows\system32\drivers\revoflt.sys
2010-07-09 23:26:34 0 d-----w- c:\program files\VS Revo Group
2010-07-09 21:33:19 60936 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-07-09 21:33:16 0 d-----w- c:\docume~1\alluse~1\applic~1\Avira
2010-07-09 21:33:15 0 d-----w- c:\program files\Avira
2010-07-09 05:35:05 552 ----a-w- c:\windows\system32\d3d8caps.dat
2010-07-09 05:35:04 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-07-08 16:41:19 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-07-08 15:39:51 4448 ----a-w- c:\windows\system32\drivers\kgpfr2.cfg
2010-07-08 15:39:49 240 ----a-w- c:\windows\system32\drivers\kgpcpy.cfg
2010-07-08 15:28:03 0 d-----w- c:\docume~1\alluse~1\applic~1\SITEguard
2010-07-08 15:25:25 0 d-----w- c:\program files\common files\iS3
2010-07-08 15:25:24 0 d-----w- c:\docume~1\alluse~1\applic~1\STOPzilla!
2010-07-08 11:54:33 2716 ----a-w- c:\windows\eyiwitatuxo.dll.virus
2010-07-08 11:51:45 2716 ----a-w- c:\windows\axujehokonipuc.dll.virus
2010-07-08 11:39:29 2716 ----a-w- c:\windows\alalocup.dll.virus
2010-07-08 11:19:47 120 ----a-w- c:\windows\Fxepebufebosuyeg.dat
2010-07-08 11:19:47 0 ----a-w- c:\windows\Rbimefozujecazuw.bin
2010-07-02 13:39:09 82696 ----a-w- c:\windows\system32\lmdimon8.dll
2010-07-02 13:37:32 0 d-----w- c:\docume~1\alluse~1\applic~1\Applications
2010-07-01 14:32:00 0 d-----w- c:\docume~1\owner\applic~1\Microsoft Corporation
2010-06-30 13:59:15 0 d-----w- c:\program files\Microsoft SQL Server
2010-06-30 13:07:45 0 d-----w- c:\program files\Microsoft Synchronization Services
2010-06-30 13:07:43 0 d-----w- c:\program files\Microsoft SQL Server Compact Edition
2010-06-30 12:57:48 0 d-----w- c:\program files\Microsoft Help Viewer
2010-06-30 12:57:48 0 d-----w- c:\program files\common files\Merge Modules
2010-06-30 12:57:47 0 d-----w- c:\program files\Microsoft Visual Studio 10.0
2010-06-30 12:48:17 165 ----a-w- c:\windows\system32\spupdsvc.inf
2010-06-30 00:32:11 0 d-----w- c:\docume~1\owner\applic~1\OpenOffice.org
2010-06-24 11:03:11 16482 ----a-w- c:\documents and settings\owner\.recently-used.xbel

==================== Find3M ====================

2010-07-20 14:00:03 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-07-09 13:24:03 36352 ----a-w- c:\windows\system32\drivers\disk.sys
2010-06-30 23:50:39 43520 ----a-w- c:\windows\system32\CmdLineExt03.dll
2010-05-18 20:35:16 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-05-18 20:35:16 107808 ----a-w- c:\windows\system32\dns-sd.exe
2008-09-02 03:08:53 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008090120080902\index.dat

============= FINISH: 3:01:22.75 ===============

Attached Files
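A small triage script for the Pseudo HJT section of the DDS log above, added here as an example and not part of the thread or of the DDS tool itself. It pulls out the three findings a responder would look at first in this log: the ProxyServer entry pointing at 127.0.0.1:5577, the Hosts line mapping www.spywareinfo.com to loopback, and the BHO/TB entries marked "No File". The sample lines are constructed copies in the same format, with a benign BHO and the localhost Hosts entry included as controls.

```python
"""Triage helper for the 'Pseudo HJT Report' section of a DDS log.

Added example; not part of the original thread or of DDS itself.
"""
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample lines in the format DDS prints above. The Adobe BHO and
# the 'localhost' Hosts line are benign controls that must not be flagged.
SAMPLE_LOG = """\
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:5577
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\\program files\\common files\\adobe\\acrobat\\activex\\AcroIEHelper.dll
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
Hosts: 127.0.0.1 www.spywareinfo.com
Hosts: 127.0.0.1 localhost
"""

PROXY_RE = re.compile(r"^[um]Internet Settings,ProxyServer\s*=\s*(.+)$")
HOSTS_RE = re.compile(r"^Hosts:\s+(\S+)\s+(\S+)")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")


def _is_loopback(host: str) -> bool:
    """True for 'localhost', 127.0.0.0/8 and ::1; any other hostname is not."""
    if host.lower() == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False


def find_local_proxies(lines: List[str]) -> List[Tuple[str, str, Optional[int]]]:
    """(scheme, host, port) for each ProxyServer entry that points at the local machine.

    A browser proxied through 127.0.0.1 on an unusual port means some resident
    component sits between the browser and the network, which is consistent with
    the search redirects reported in the thread. Corporate proxies on real hosts
    are left alone.
    """
    found = []
    for line in lines:
        m = PROXY_RE.match(line)
        if not m:
            continue
        # Value is either 'host:port' or a ';'-separated list of 'scheme=host:port'.
        for entry in m.group(1).split(";"):
            scheme, _, hostport = entry.strip().rpartition("=")
            host, sep, port = hostport.rpartition(":")
            if not sep:
                host, port = hostport, ""
            if host and _is_loopback(host):
                found.append((scheme or "*", host, int(port) if port.isdigit() else None))
    return found


def find_hosts_hijacks(lines: List[str]) -> List[str]:
    """Hostnames the Hosts file maps to loopback, other than localhost itself.

    Pointing security-vendor sites at 127.0.0.1 is how an infection blocks
    updates and downloads, matching the 'anti-malware sites were blocked' symptom.
    """
    hits = []
    for line in lines:
        m = HOSTS_RE.match(line)
        if m and _is_loopback(m.group(1)) and m.group(2).lower() != "localhost":
            hits.append(m.group(2))
    return hits


def find_missing_file_entries(lines: List[str]) -> List[str]:
    """CLSIDs of BHO/TB/EB entries whose backing file is gone ('No File').

    Usually residue of an uninstalled or already-cleaned component; listed so the
    responder can decide which registry entries still need removing.
    """
    hits = []
    for line in lines:
        if line.startswith(("BHO:", "TB:", "EB:")) and line.rstrip().endswith("No File"):
            m = CLSID_RE.search(line)
            if m:
                hits.append(m.group(0))
    return hits


def triage(report: str) -> Dict[str, list]:
    """Run all three checks over the text of a DDS report."""
    lines = report.splitlines()
    return {
        "local_proxies": find_local_proxies(lines),
        "hosts_hijacks": find_hosts_hijacks(lines),
        "missing_file_entries": find_missing_file_entries(lines),
    }


if __name__ == "__main__":
    for key, hits in triage(SAMPLE_LOG).items():
        print(f"{key}: {hits}")
```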




#2 km2357

  • Malware Response Team
  • 1,784 posts
  • OFFLINE
  • Gender:Male
  • Location:California
  • Local time:05:51 PM

Posted 28 July 2010 - 01:29 PM

Hello and welcome to Bleeping Computer.

My name is km2357 and I will be helping you to remove any infection(s) that you may have.

I will be giving you a series of instructions that need to be followed in the order in which I give them to you.

If for any reason you do not understand an instruction or are just unsure then please do not guess, simply post back with your questions/concerns and we will go through it again.

Please do not start another thread or topic, I will assist you at this thread until we solve your problems.

Lastly the fix may take several attempts and my replies may take some time but I will stick with it if you do the same.

Sorry for the delay in replying, the forum is very busy. If you still need help, please do the following:

1. Rerun DDS and post the DDS.txt and Attach.txt Logs in your next post/reply.

2. Try booting into Safe Mode (You can go in Safe Mode by restarting your computer, then continually tapping F8 until a menu appears. Use your up arrow key to highlight Safe Mode, then hit enter.) and running GMER from there and see if you can get a log. If you can, post it in your next post/reply.

MalWare Removal University Master

Member of ASAP


#3 ohazard

ohazard

Posted 28 July 2010 - 04:33 PM

Thanks for responding. For some reason, even though I have notification turned on, I didn't get a notice when you replied or I might have gotten back on here sooner.

Anyway, I'm attaching the DDS logs as requested. Also, I managed to run GMER a couple of days ago to completion and am also attaching a log from that. I did have to do a hard shutdown on my computer after it finished because the lsass.exe process was maxing out and I couldn't get it to even restart normally.

Since I last posted, my wife's laptop hard drive died so we had to replace it and install a new OS so it should not be a concern at this point.

The problems I'm having with my desktop are still happening:
- When I do a search on Yahoo, results are still redirected
- I've started using the https addon for Firefox and now search results in Google are working correctly
- I cannot update MBAM; I get an error message if I try
- I cannot update Windows Defender; I get an error message if I try there as well

I did not run GMER in Safe Mode when I got the log I am attaching. I can do that if you want me to but the last time I ran GMER it took ~7 hours so I'm hesitant to repeat it unless absolutely necessary.


#4 km2357

km2357


Posted 28 July 2010 - 09:01 PM

Thanks for the logs.

From now on, please do not attach any logs I ask for; just post them normally. Only attach them if requested to do so.

Thanks.


QUOTE
I did not run GMER in Safe Mode when I got the log I am attaching. I can do that if you want me to but the last time I ran GMER it took ~7 hours so I'm hesitant to repeat it unless absolutely necessary.


Since you managed to get a log from GMER, there's no reason for you to run GMER again in Safe Mode.



Step # 1: Disable Teatimer

Spybot S&D's tea timer normally provides real-time protection from spyware, however it may interfere with what we need to do. We will disable it until the machine is clean when it can be re-enabled.

This is a two step process.
First step:
  • Right-click the Spybot icon in the System Tray (it looks like a blue/white calendar with a padlock symbol).
  • If you have version 1.5 or 1.6, click once on Resident Protection, then right-click the Spybot icon again and make sure Resident Protection is now unchecked. The Spybot icon in the System Tray should now be colorless.
  • If you have version 1.4, click on Exit Spybot S&D Resident.


Second step, for either version:
  • Open Spybot S&D
  • Click Mode, choose Advanced Mode
  • Go to the bottom of the vertical panel on the left and click Tools
  • Then, also in the left panel, click Resident (it shows a red/white shield)
  • If your firewall raises a question, say OK
  • In the Resident protection status frame, Uncheck the box labeled Resident "Tea-Timer"(Protection of over-all system settings) active
  • OK any prompts.
  • Use File, Exit to terminate Spybot
  • Reboot your machine for the changes to take effect.



Step # 2: Download and Run ComboFix

We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

*Ensure you have disabled all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

* IMPORTANT !!! Save ComboFix.exe to your Desktop

When finished, it shall produce a log for you. Please post C:\ComboFix.txt in your next reply.



#5 ohazard

ohazard

Posted 28 July 2010 - 10:23 PM

Sorry about the attachments in the last post. It seemed like a good way to do things.

Here is my combofix.txt output:

ComboFix 10-07-27.05 - Owner 07/28/2010 22:34:21.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3071.2484 [GMT -4:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Owner\My Documents\DPE.DUS
c:\windows\system32\drivers\npf.sys
c:\windows\system32\Packet.dll
c:\windows\system32\wpcap.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_NPF


((((((((((((((((((((((((( Files Created from 2010-06-28 to 2010-07-29 )))))))))))))))))))))))))))))))
.

2010-07-25 12:28 . 2010-07-27 02:19 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-07-21 16:36 . 2010-07-21 16:36 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-07-19 11:59 . 2010-07-19 11:59 -------- d-----w- c:\documents and settings\Owner\Application Data\Uniblue
2010-07-19 01:49 . 2010-07-29 00:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-07-13 18:15 . 2010-07-13 18:17 -------- d-----w- c:\documents and settings\Owner\Application Data\Chaos Software
2010-07-13 18:15 . 2010-07-13 18:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Chaos Software
2010-07-12 11:22 . 2010-07-12 11:22 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
2010-07-12 11:22 . 2010-07-12 11:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-07-11 02:37 . 2010-07-11 02:37 -------- d-----w- c:\documents and settings\Owner\Application Data\Avira
2010-07-09 21:33 . 2010-07-09 21:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2010-07-08 15:28 . 2010-07-08 15:28 -------- d-----w- c:\documents and settings\All Users\Application Data\SITEguard
2010-07-08 15:25 . 2010-07-09 00:00 -------- d-----w- c:\documents and settings\All Users\Application Data\STOPzilla!
2010-07-02 13:37 . 2010-07-02 13:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Applications
2010-07-01 14:32 . 2010-07-01 14:32 -------- d-----w- c:\documents and settings\Owner\Application Data\Microsoft Corporation
2010-06-30 00:32 . 2010-06-30 00:32 -------- d-----w- c:\documents and settings\Owner\Application Data\OpenOffice.org

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-28 15:47 . 2005-03-29 15:17 -------- d-----w- c:\program files\Common Files\Java
2010-07-28 15:46 . 2010-07-28 15:46 -------- d-----w- c:\program files\Sun
2010-07-28 15:44 . 2010-05-12 00:54 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-07-28 15:44 . 2010-07-28 15:41 -------- d-----w- c:\program files\Java
2010-07-28 15:32 . 2010-07-28 15:32 0 ----a-w- c:\windows\system32\REN102.tmp
2010-07-28 15:32 . 2010-07-28 15:32 0 ----a-w- c:\windows\system32\REN101.tmp
2010-07-28 15:32 . 2010-07-28 15:32 0 ----a-w- c:\windows\system32\REN100.tmp
2010-07-27 11:54 . 2010-07-19 01:49 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-07-27 11:46 . 2010-07-23 16:52 -------- d-----w- c:\program files\Common Files\AOL
2010-07-27 03:56 . 2009-12-29 03:55 -------- d-----w- c:\documents and settings\All Users\Application Data\CanonIJPLM
2010-07-26 02:12 . 2006-07-10 01:35 -------- d-----w- c:\program files\Jewel
2010-07-25 12:34 . 2005-03-20 22:41 -------- d-----w- c:\program files\Common Files\Adobe
2010-07-25 12:29 . 2010-07-25 12:29 -------- d-----w- c:\program files\Common Files\Adobe AIR
2010-07-25 12:28 . 2010-07-25 12:28 77184 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe
2010-07-23 09:41 . 2006-06-11 11:20 -------- d-----w- c:\program files\iTunes
2010-07-23 09:40 . 2005-12-15 22:44 -------- d-----w- c:\program files\iPod
2010-07-23 09:40 . 2007-07-15 18:59 -------- d-----w- c:\program files\Common Files\Apple
2010-07-23 09:34 . 2010-07-23 09:34 73000 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.2.1.5\SetupAdmin.exe
2010-07-21 09:32 . 2008-11-05 11:35 -------- d-----w- c:\documents and settings\Owner\Application Data\DNA
2010-07-21 09:29 . 2006-03-12 12:16 -------- d-----w- c:\documents and settings\Owner\Application Data\Webshots
2010-07-20 17:14 . 2009-11-14 00:28 -------- d-----w- c:\documents and settings\Owner\Application Data\BitTorrent
2010-07-19 18:01 . 2005-12-22 03:25 -------- d-----w- c:\documents and settings\Owner\Application Data\Roxio
2010-07-15 09:48 . 2010-06-30 00:35 1 ----a-w- c:\documents and settings\Owner\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2010-07-12 19:26 . 2009-12-15 00:53 -------- d-----w- c:\documents and settings\Owner\Application Data\Media Player Classic
2010-07-12 19:06 . 2010-07-12 19:06 -------- d-----w- c:\program files\CCleaner
2010-07-12 17:46 . 2010-07-09 05:35 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-07-12 17:43 . 2009-08-31 19:22 -------- d-----w- c:\program files\KDE
2010-07-12 11:22 . 2010-07-08 16:41 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-07-11 22:18 . 2007-08-05 22:02 -------- d-----w- c:\documents and settings\Owner\Application Data\Yahoo!
2010-07-11 20:52 . 2007-05-23 23:23 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo!
2010-07-11 20:52 . 2005-03-21 00:25 -------- d-----w- c:\program files\Yahoo!
2010-07-11 02:38 . 2010-07-11 02:27 -------- d-----w- c:\program files\Windows Defender
2010-07-11 02:38 . 2005-12-15 22:50 -------- d-----w- c:\documents and settings\Owner\Application Data\Apple Computer
2010-07-11 02:38 . 2003-05-03 00:27 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-07-11 02:38 . 2003-05-03 00:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2010-07-10 13:01 . 2007-03-15 20:47 -------- d-----w- c:\program files\Apple Software Update
2010-07-09 23:26 . 2010-07-09 23:26 -------- d-----w- c:\program files\VS Revo Group
2010-07-09 23:25 . 2009-11-14 23:43 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-07-09 21:33 . 2010-07-09 21:33 -------- d-----w- c:\program files\Avira
2010-07-09 13:24 . 2005-03-12 21:47 36352 ----a-w- c:\windows\system32\drivers\disk.sys
2010-07-09 05:35 . 2010-07-09 05:35 552 ----a-w- c:\windows\system32\d3d8caps.dat
2010-07-08 22:36 . 2010-07-08 11:19 120 ----a-w- c:\windows\Fxepebufebosuyeg.dat
2010-07-08 15:42 . 2010-07-08 15:39 4448 ----a-w- c:\windows\system32\drivers\kgpfr2.cfg
2010-07-08 15:40 . 2009-08-18 22:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2010-07-08 15:39 . 2010-07-08 15:39 240 ----a-w- c:\windows\system32\drivers\kgpcpy.cfg
2010-07-08 15:25 . 2010-07-08 15:25 -------- d-----w- c:\program files\Common Files\iS3
2010-07-08 11:34 . 2010-02-14 11:40 -------- d-----w- c:\program files\Microsoft Silverlight
2010-07-08 11:33 . 2010-07-08 11:33 436236 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\WPFFontCache_v0400-S-1-5-21-1451323331-2558171538-937877858-1004-0.dat
2010-07-08 11:33 . 2010-07-08 11:33 312878 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\WPFFontCache_v0400-System.dat
2010-07-08 11:19 . 2010-07-08 11:19 0 ----a-w- c:\windows\Rbimefozujecazuw.bin
2010-06-30 23:50 . 2010-03-12 22:11 43520 ----a-w- c:\windows\system32\CmdLineExt03.dll
2010-06-30 14:01 . 2010-06-30 13:57 188128 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\VCSExpress\10.0\1033\ResourceCache.dll
2010-06-30 14:01 . 2010-06-30 12:57 -------- d-----w- c:\program files\Microsoft Visual Studio 10.0
2010-06-30 13:59 . 2010-06-30 13:59 -------- d-----w- c:\program files\Microsoft SQL Server
2010-06-30 13:07 . 2010-06-30 13:07 -------- d-----w- c:\program files\Microsoft Synchronization Services
2010-06-30 13:07 . 2010-06-30 13:07 -------- d-----w- c:\program files\Microsoft SQL Server Compact Edition
2010-06-30 13:04 . 2010-06-30 13:04 112832 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\VCExpress\10.0\1033\ResourceCache.dll
2010-06-30 12:59 . 2010-06-30 11:28 -------- d-----w- c:\program files\Microsoft.NET
2010-06-30 12:57 . 2010-06-30 12:57 -------- d-----w- c:\program files\Microsoft SDKs
2010-06-30 12:57 . 2010-06-30 12:57 -------- d-----w- c:\program files\Microsoft Help Viewer
2010-06-30 12:57 . 2010-06-30 12:57 -------- d-----w- c:\program files\Common Files\Merge Modules
2010-06-30 12:57 . 2009-05-29 02:08 -------- d-----w- c:\program files\MSBuild
2010-06-27 22:47 . 2010-05-09 17:39 -------- d-----w- c:\documents and settings\Owner\Application Data\vlc
2010-06-19 17:27 . 2010-06-19 17:27 -------- d-----w- c:\program files\Bonjour
2010-06-02 14:54 . 2009-01-03 21:07 -------- d-----w- c:\documents and settings\Owner\Application Data\gtk-2.0
2010-05-31 03:18 . 2009-11-24 02:53 -------- d-----w- c:\program files\DOSBox-0.73
2010-05-23 16:54 . 2010-05-23 16:54 61440 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-254e6b4b-n\decora-sse.dll
2010-05-23 16:54 . 2010-05-23 16:54 503808 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-352192fa-n\msvcp71.dll
2010-05-23 16:54 . 2010-05-23 16:54 499712 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-352192fa-n\jmc.dll
2010-05-23 16:54 . 2010-05-23 16:54 348160 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-352192fa-n\msvcr71.dll
2010-05-23 16:54 . 2010-05-23 16:54 12800 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-254e6b4b-n\decora-d3d.dll
2010-05-21 18:14 . 2010-07-11 23:00 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-05-18 20:35 . 2010-05-18 20:35 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-05-18 20:35 . 2010-05-18 20:35 107808 ----a-w- c:\windows\system32\dns-sd.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2010-06-01 5252408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LTMSG"="LTMSG.exe 7" [X]
"BluetoothAuthenticationAgent"="irprops.cpl" [2008-04-14 380416]
"SoundMAXPnP"="c:\program files\Analog Devices\SoundMAX\SMax4PNP.exe" [2003-03-21 774144]
"RoxioEngineUtility"="c:\program files\Common Files\Roxio Shared\System\EngUtil.exe" [2003-05-01 65536]
"RoxioDragToDisc"="c:\program files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe" [2003-06-25 868352]
"RoxioAudioCentral"="c:\program files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe" [2003-06-24 319488]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-16 13529088]
"nwiz"="nwiz.exe" [2008-05-16 1630208]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-03-17 47392]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2008-06-10 1406024]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-05-16 86016]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-09-20 198160]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2009-07-07 1848648]
"CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2008-12-12 722256]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-18 421888]
"Start WingMan Profiler"="c:\program files\Logitech\Gaming Software\LWEMon.exe" [2009-09-17 153608]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-03-02 282792]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-03 866584]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-07-21 141608]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"NvMediaCenter"="c:\windows\System32\NVMCTRAY.DLL" [2008-05-16 86016]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\ftp.exe"=
"c:\\Program Files\\Savings Bond Wizard\\SBWizard.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\SecondLife\\SLVoice.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Microsoft Games\\Age of Empires\\EMPIRES.EXE"=
"c:\\Program Files\\Microsoft Games\\Age of Empires II\\EMPIRES2.ICD"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\spoolsv.exe"=
"c:\\Program Files\\Syslog Watcher 2\\SyslogWatcherPers.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009

R1 1UnHooker;1UnHooker;c:\windows\system32\drivers\1UnHooker.sys [3/2/2010 10:15 PM 22016]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [7/9/2010 5:33 PM 135336]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]
S2 KillTheHooker;KillTheHooker;\??\d:\tdl3 razor\TizerBruteForceEx.sys --> d:\tdl3 razor\TizerBruteForceEx.sys [?]
S3 DNSFILT;DNSFILT;\??\c:\windows\system32\Drivers\DNSFILT.SYS --> c:\windows\system32\Drivers\DNSFILT.SYS [?]
S3 FWFILT;FWFILT;\??\c:\windows\system32\Drivers\FWFILT.SYS --> c:\windows\system32\Drivers\FWFILT.SYS [?]
S3 HPZs2k12;Storage Class Driver for IEEE-1284.4 (HPZ12);c:\windows\system32\drivers\hpzs2k12.sys [11/23/2003 5:07 PM 50424]
S3 HTTPFILT;HTTPFILT;\??\c:\windows\system32\Drivers\HTTPFILT.SYS --> c:\windows\system32\Drivers\HTTPFILT.SYS [?]
S3 mdxgthkn;mdxgthkn;\??\c:\docume~1\Owner\LOCALS~1\Temp\mdxgthkn.sys --> c:\docume~1\Owner\LOCALS~1\Temp\mdxgthkn.sys [?]
S3 Revoflt;Revoflt;c:\windows\system32\drivers\revoflt.sys [7/9/2010 7:26 PM 27064]
S3 SYMFILT;SYMFILT;\??\c:\windows\system32\Drivers\SYMFILT.SYS --> c:\windows\system32\Drivers\SYMFILT.SYS [?]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]
.
Contents of the 'Scheduled Tasks' folder

2010-07-24 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2009-01-02 c:\windows\Tasks\Microsoft_Hardware_Launch_IPoint_exe.job
- c:\program files\Microsoft IntelliPoint\ipoint.exe [2008-06-10 17:56]

2010-07-29 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 23:20]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com
mStart Page = hxxp://www.yahoo.com
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:5577
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
Trusted Zone: cmphotocenter.com\www
Name-Space Handler: ftp\* - {419A0123-4312-1122-A0C0-434FDA6DA542} - c:\program files\CoreFTP\pftpns.dll
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: vzTCPConfig - hxxps://essentialsandextras.verizon.com/whatsnext/mainweb_js/vzTCPConfig.CAB
DPF: {C915801D-6F00-49CD-8A9A-8DE5C11ADDC1} - hxxp://www.cmphotocenter.com/is/DragDropUploader.cab
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\gtu1xqnu.default\
FF - prefs.js: browser.search.defaulturl - hxxp://aim.search.aol.com/aol/search?query={searchTerms}&invocationType=tb50-ff-aim-chromesbox-en-us&tb_uuid=100000000000000002&tb_oid=23-07-2010&tb_mrud=23-07-2010
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/redirector/sredir?sredir=2706&invocationType=tb50-ff-aim-ab-en-us&tb_uuid=100000000000000002&tb_oid=23-07-2010&tb_mrud=23-07-2010&query=
FF - prefs.js: network.proxy.type - 0
FF - component: c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\gtu1xqnu.default\extensions\{6e098d65-7d2d-46d4-ada0-2f882a29f795}\platform\WINNT_x86-msvc\components\libchm.dll
FF - component: c:\program files\Real\RealPlayer\browserrecord\firefox\ext\components\nprpffbrowserrecordext.dll
FF - plugin: c:\documents and settings\Owner\Application Data\Facebook\npfbplugin_1_0_1.dll
FF - plugin: c:\documents and settings\Owner\Application Data\Move Networks\plugins\npqmp071503000010.dll
FF - plugin: c:\documents and settings\Owner\Application Data\Move Networks\plugins\npqmp071705000014.dll
FF - plugin: c:\program files\Canon\Easy-PhotoPrint EX\NPEZFFPI.DLL
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npyaxmpb.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
FF - HiddenExtension: XULRunner: {3DABE8F6-36A7-4769-81C2-0250D4118676} - c:\documents and settings\Owner\Local Settings\Application Data\{3DABE8F6-36A7-4769-81C2-0250D4118676}

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true);user_pref(yahoo.ytff.general.dontshowhpoffer, true);user_pref(network.protocol-handler.warn-external.dnupdate, false);user_pref(network.protocol-handler.warn-external.dnupdate, falsec:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
ShellExecuteHooks-{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - (no file)
Notify-!SASWinLogon - (no file)
SafeBoot-klmdb.sys
AddRemove-SimAntv1.0 - d:\oldgames\SimAnt\DeIsL1.isu



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-28 22:48
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\atapi]
"ImagePath"=multi:"system32\drivers\atapi.sys\00\00ImagePath\00AppInit_DLLs\00\00"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\atapi]
"ImagePath"=multi:"system32\drivers\atapi.sys\00\00ImagePath\00AppInit_DLLs\00\00"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2864)
c:\windows\system32\WININET.dll
c:\windows\system32\nview.dll
c:\progra~1\WINDOW~1\wmpband.dll
c:\windows\system32\msi.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Avira\AntiVir Desktop\avshadow.exe
c:\program files\Canon\IJPLM\IJPLMSVC.EXE
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\windows\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPZipm12.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\program files\Analog Devices\SoundMAX\SMAgent.exe
c:\windows\system32\MsPMSPSv.exe
c:\program files\Windows Media Player\WMPNetwk.exe
c:\windows\system32\wscntfy.exe
c:\windows\LTMSG.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\RUNDLL32.EXE
c:\program files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
c:\program files\Microsoft IntelliPoint\dpupdchk.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Yahoo!\Messenger\ymsgr_tray.exe
.
**************************************************************************
.
Completion time: 2010-07-28 23:03:59 - machine was rebooted
ComboFix-quarantined-files.txt 2010-07-29 03:03

Pre-Run: 54,761,431,040 bytes free
Post-Run: 54,612,115,456 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

- - End Of File - - FCE9CF6FA50F08231F170200739DAA39


I tried updating Windows Defender since that was one thing that gave me an error, and it still gives me the error. Also, I tested a Yahoo search and the result is still redirected, just so you know it appears something is still hiding in there.

Should I turn teatimer.exe back on?

I'm getting a message saying automatic updates are turned off but when I go to the control panel, it says they're on.
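A small triage script, added here as an example and not part of this thread, of ComboFix or of BleepingComputer, that picks out of a ComboFix-style log the kinds of entries in the log above that still point at an infection: Security Center override values set to 1 (which silence the "no antivirus/firewall" warnings), an Internet Settings ProxyServer that points at 127.0.0.1 (traffic routed through a local process, the usual pattern behind redirected search results), drivers loaded from a Temp directory or whose file ComboFix marks as unverified with [?], and Firefox search preferences such as keyword.URL. The sample lines are copied from the log posted above; the category names, regular expressions and the choice of which preferences to list are this example's own assumptions, not ComboFix's.

```python
import re

# Constructed excerpt: lines copied from the ComboFix log posted in this thread.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]

R1 1UnHooker;1UnHooker;c:\windows\system32\drivers\1UnHooker.sys [3/2/2010 10:15 PM 22016]
S3 mdxgthkn;mdxgthkn;\??\c:\docume~1\Owner\LOCALS~1\Temp\mdxgthkn.sys --> c:\docume~1\Owner\LOCALS~1\Temp\mdxgthkn.sys [?]
S3 DNSFILT;DNSFILT;\??\c:\windows\system32\Drivers\DNSFILT.SYS --> c:\windows\system32\Drivers\DNSFILT.SYS [?]
uInternet Settings,ProxyServer = http=127.0.0.1:5577
FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/redirector/sredir?sredir=2706&query=
FF - prefs.js: network.proxy.type - 0
"""

# Line shapes as ComboFix prints them (patterns are this example's assumption).
REG_KEY_RE = re.compile(r"^\[(.+)\]$")
REG_DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')
SERVICE_RE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.*)$")
PROXY_RE = re.compile(r"^[um]Internet Settings,ProxyServer\s*=\s*(.+)$")
FF_PREF_RE = re.compile(r"^FF - prefs\.js: (\S+) - (.+)$")
LOOPBACK_RE = re.compile(r"\b(127\.0\.0\.1|localhost)\b", re.IGNORECASE)
TEMP_DIR_RE = re.compile(r"\\(temp|tmp)\\", re.IGNORECASE)

# Security Center values that, when set to 1, suppress the missing-AV/firewall warnings.
SECURITY_CENTER_FLAGS = {"AntiVirusOverride", "FirewallOverride", "DisableMonitoring"}
# Firefox search preferences worth a look whenever search results are being redirected.
FF_SEARCH_PREFS = {"keyword.URL", "browser.search.defaulturl"}


def triage(log_text):
    """Return a list of (category, detail) findings for a ComboFix-style log excerpt."""
    findings = []
    current_key = None
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = REG_KEY_RE.match(line)
        if m:
            current_key = m.group(1)  # values that follow belong to this key
            continue
        m = REG_DWORD_RE.match(line)
        if m and current_key and "security center" in current_key.lower():
            name, value = m.group(1), int(m.group(2), 16)
            if name in SECURITY_CENTER_FLAGS and value == 1:
                findings.append(("security-center-override", current_key + "\\" + name))
            continue
        m = SERVICE_RE.match(line)
        if m:
            name, rest = m.group(2), m.group(4)
            # ComboFix prints "\??\path --> resolved path [?]" when it cannot verify the file;
            # otherwise the path is followed by "[date size]".
            path = re.sub(r"\s*\[[^\]]*\]$", "", rest.split(" --> ")[-1])
            if TEMP_DIR_RE.search(path):
                findings.append(("driver-in-temp-dir", f"{name} ({path})"))
            if rest.endswith("[?]"):
                findings.append(("service-file-unverified", name))
            continue
        m = PROXY_RE.match(line)
        if m:
            proxy = m.group(1).strip()
            if LOOPBACK_RE.search(proxy):
                findings.append(("localhost-proxy", proxy))
            continue
        m = FF_PREF_RE.match(line)
        if m and m.group(1) in FF_SEARCH_PREFS:
            findings.append(("ff-search-pref", f"{m.group(1)} = {m.group(2)}"))
    return findings


if __name__ == "__main__":
    for category, detail in triage(SAMPLE_LOG):
        print(f"{category:26} {detail}")
```

Run it as-is to print the findings for the embedded excerpt, or pass the full text of a ComboFix.txt to triage(). A finding is a starting point for review, not a verdict: leftover service entries whose files are gone, such as the DNSFILT/FWFILT/SYMFILT drivers from an uninstalled Norton product, show up as service-file-unverified alongside the genuinely suspicious mdxgthkn.sys in the Temp folder.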

#6 km2357

km2357


Posted 29 July 2010 - 01:46 PM

QUOTE
I tried updating Windows Defender since that was one thing that give me an error and it still gives me the error.


What does the error say?


QUOTE
Should I turn teatimer.exe back on?


Leave it off for now. I'll let you know when you can turn it back on.



Step # 1: Run CFScript
  • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

    CODE
    KILLALL::

    Driver::

    mdxgthkn

    File::

    c:\windows\Rbimefozujecazuw.bin
    c:\windows\Fxepebufebosuyeg.dat
    c:\windows\eyiwitatuxo.dll.virus
    c:\windows\axujehokonipuc.dll.virus
    c:\windows\alalocup.dll.virus
    c:\docume~1\Owner\LOCALS~1\Temp\mdxgthkn.sys

    DDS::

    uInternet Settings,ProxyServer = http=127.0.0.1:5577
    BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
    BHO: {b0cda128-b425-4eef-a174-61a11ac5dbf8} - No File
    TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
    TB: {4E7BD74F-2B8D-469E-D0FC-E57AF4D5FA7D} - No File
    TB: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
    TB: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File
    EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File

    FireFox::

    FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\gtu1xqnu.default\
    FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/redirector/sredir?sredir=2706&invocationType=tb50-ff-aim-ab-en-us&tb_uuid=100000000000000002&tb_oid=23-07-2010&tb_mrud=23-07-2010&query=



  • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.

    Note: This CFScript is for use on ohazard's computer only! Do not use it on your computer.


  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.


CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.



Step # 2: Restore Proxy Settings

In Internet Explorer: Tools Menu -> Internet Options -> Connections Tab -> LAN Settings -> uncheck "Use a proxy server" and check "Automatically detect settings".


In your next post/reply, I need to see the following:

1. The ComboFix Log that appears after Step 1 has been completed.
2. A fresh DDS Log taken after Step 2 has been completed.

MalWare Removal University Master

Member of ASAP
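The entries km2357's CFScript removes are the classic footprints of a search-redirect infection: a loopback HTTP proxy forced into Internet Settings (so every IE request passes through a local malware process before it leaves the machine), orphaned BHO/toolbar registrations, a randomly named driver loading from a Temp directory, scanner-renamed `.dll.virus` files waiting to be deleted, and a Firefox `keyword.URL` pointed at a redirector. The following Python is an added example written for this thread, not code from the thread, from DDS, or from ComboFix; it shows how a helper can triage DDS/ComboFix-style log lines for exactly those indicators before deciding what goes into a fix script. The sample lines are copied from the logs posted above (one benign line is constructed for contrast), and the function names `triage` and `summarize` are my own.

```python
"""Triage DDS / ComboFix style log lines for search-redirect hijack indicators.

Added example for this thread; not part of DDS, ComboFix or the thread itself.
"""
import re
from collections import Counter
from ipaddress import ip_address

# Sample input: lines quoted from the posted logs, plus one constructed benign
# line (the WinDefend service entry) so the rules have something to ignore.
SAMPLE_LOG = r"""
uInternet Settings,ProxyServer = http=127.0.0.1:5577
uInternet Settings,ProxyOverride = <local>
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/redirector/sredir?sredir=2706&query=
FF - prefs.js: network.proxy.type - 0
c:\windows\eyiwitatuxo.dll.virus
c:\docume~1\Owner\LOCALS~1\Temp\mdxgthkn.sys
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
"""

# DDS writes the IE proxy as "ProxyServer = http=host:port" (scheme prefix optional).
PROXY_RE = re.compile(r"ProxyServer\s*=\s*(?:\w+=)?([^\s:;]+):(\d{1,5})", re.I)
# Browser helper object / toolbar / explorer bar whose CLSID points at nothing.
ORPHAN_RE = re.compile(r"^(BHO|TB|EB):\s*\{[0-9A-F-]+\}\s*-\s*No File", re.I)
# Files an earlier scanner neutralised by renaming rather than deleting.
RENAMED_RE = re.compile(r"\.(dll|exe|sys)\.virus$", re.I)
# Kernel drivers have no business loading out of a user's Temp directory.
TEMP_DRIVER_RE = re.compile(r"\\temp\\[^\\]+\.sys$", re.I)
# Firefox search prefs that decide where the address-bar query goes.
SEARCH_PREF_RE = re.compile(
    r"prefs\.js:\s*(keyword\.URL|browser\.search\.defaulturl)\s*-\s*(\S+)", re.I)


def is_local_host(host):
    """True for 127.0.0.0/8, ::1 or the literal name localhost."""
    try:
        return ip_address(host).is_loopback
    except ValueError:
        return host.lower() == "localhost"


def triage(log_text):
    """Return a list of (severity, rule, line) for every suspicious log line.

    Severities: HIGH = active hijack mechanism, MEDIUM = setting worth checking,
    LOW = leftover to clean up, INFO = already neutralised by a previous tool.
    """
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = PROXY_RE.search(line)
        if m:
            host = m.group(1)
            # A proxy on the loopback interface means a local process is
            # interposed on all browser traffic; that is how the redirect works.
            sev = "HIGH" if is_local_host(host) else "MEDIUM"
            findings.append((sev, "loopback-proxy" if sev == "HIGH" else "proxy-set", line))
            continue
        if ORPHAN_RE.match(line):
            findings.append(("LOW", "orphaned-bho", line))
            continue
        if RENAMED_RE.search(line):
            findings.append(("INFO", "renamed-by-scanner", line))
            continue
        if TEMP_DRIVER_RE.search(line):
            findings.append(("HIGH", "driver-in-temp", line))
            continue
        m = SEARCH_PREF_RE.search(line)
        if m and "redirect" in m.group(2).lower():
            findings.append(("MEDIUM", "search-redirector", line))
    return findings


def summarize(findings):
    """Count findings per severity, e.g. {'HIGH': 2, 'MEDIUM': 1, ...}."""
    return dict(Counter(sev for sev, _, _ in findings))


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for sev, rule, line in results:
        print(f"[{sev:6}] {rule:20} {line}")
    print(summarize(results))
```

Run against the sample, the loopback proxy and the Temp-directory driver come out HIGH, the `keyword.URL` redirector MEDIUM, the two "No File" registrations LOW, and the `.dll.virus` file INFO; the `ProxyOverride`, `network.proxy.type` and WinDefend lines produce nothing. A proxy pointing at a non-loopback host is reported MEDIUM rather than HIGH because a corporate or ISP proxy is a legitimate configuration that only a person can rule in or out.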


#7 ohazard

ohazard
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  • Gender:Male
  • Location:Maryland
  • Local time:08:51 PM

Posted 29 July 2010 - 05:07 PM

The error from Windows Defender, when I try to update is:
"The Program can't check for definition updates. Error found: Code 0x80070424."

Here is my latest ComboFix.txt

ComboFix 10-07-29.01 - Owner 07/29/2010 17:14:33.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3071.2482 [GMT -4:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

FILE ::
"c:\docume~1\Owner\LOCALS~1\Temp\mdxgthkn.sys"
"c:\windows\alalocup.dll.virus"
"c:\windows\axujehokonipuc.dll.virus"
"c:\windows\eyiwitatuxo.dll.virus"
"c:\windows\Fxepebufebosuyeg.dat"
"c:\windows\Rbimefozujecazuw.bin"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\alalocup.dll.virus
c:\windows\axujehokonipuc.dll.virus
c:\windows\eyiwitatuxo.dll.virus
c:\windows\Fxepebufebosuyeg.dat
c:\windows\Rbimefozujecazuw.bin

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_MDXGTHKN
-------\Service_mdxgthkn


((((((((((((((((((((((((( Files Created from 2010-06-28 to 2010-07-29 )))))))))))))))))))))))))))))))
.

2010-07-28 15:46 . 2010-07-28 15:46 -------- d-----w- c:\program files\Sun
2010-07-28 15:41 . 2010-07-28 15:44 -------- d-----w- c:\program files\Java
2010-07-25 12:29 . 2010-07-25 12:29 -------- d-----w- c:\program files\Common Files\Adobe AIR
2010-07-25 12:28 . 2010-07-27 02:19 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-07-23 16:52 . 2010-07-23 16:52 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\AOL
2010-07-23 16:52 . 2010-07-27 11:46 -------- d-----w- c:\program files\Common Files\AOL
2010-07-21 16:36 . 2010-07-21 16:36 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-07-19 11:59 . 2010-07-19 11:59 -------- d-----w- c:\documents and settings\Owner\Application Data\Uniblue
2010-07-19 01:49 . 2010-07-29 00:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-07-19 01:49 . 2010-07-27 11:54 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-07-13 18:15 . 2010-07-13 18:17 -------- d-----w- c:\documents and settings\Owner\Application Data\Chaos Software
2010-07-13 18:15 . 2010-07-13 18:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Chaos Software
2010-07-12 19:06 . 2010-07-12 19:06 -------- d-----w- c:\program files\CCleaner
2010-07-12 11:22 . 2010-07-12 11:22 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
2010-07-12 11:22 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-07-12 11:22 . 2010-07-12 11:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-07-12 11:22 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-07-11 23:00 . 2010-05-21 18:14 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-07-11 22:53 . 2008-04-14 00:12 116224 -c--a-w- c:\windows\system32\dllcache\xrxwiadr.dll
2010-07-11 22:53 . 2001-08-18 02:36 23040 -c--a-w- c:\windows\system32\dllcache\xrxwbtmp.dll
2010-07-11 22:53 . 2008-04-14 00:12 18944 -c--a-w- c:\windows\system32\dllcache\xrxscnui.dll
2010-07-11 22:53 . 2001-08-18 02:37 27648 -c--a-w- c:\windows\system32\dllcache\xrxftplt.exe
2010-07-11 22:53 . 2001-08-18 02:37 4608 -c--a-w- c:\windows\system32\dllcache\xrxflnch.exe
2010-07-11 22:52 . 2001-08-18 02:37 99865 -c--a-w- c:\windows\system32\dllcache\xlog.exe
2010-07-11 22:52 . 2001-08-17 16:11 16970 -c--a-w- c:\windows\system32\dllcache\xem336n5.sys
2010-07-11 22:52 . 2004-08-04 05:29 19455 -c--a-w- c:\windows\system32\dllcache\wvchntxx.sys
2010-07-11 22:52 . 2004-08-04 05:29 12063 -c--a-w- c:\windows\system32\dllcache\wsiintxx.sys
2010-07-11 22:52 . 2008-04-14 00:12 8192 -c--a-w- c:\windows\system32\dllcache\wshirda.dll
2010-07-11 22:51 . 2008-04-13 18:36 8832 -c--a-w- c:\windows\system32\dllcache\wmiacpi.sys
2010-07-11 22:51 . 2002-08-29 03:59 154624 -c--a-w- c:\windows\system32\dllcache\wlluc48.sys
2010-07-11 22:51 . 2001-08-17 16:12 34890 -c--a-w- c:\windows\system32\dllcache\wlandrv2.sys
2010-07-11 22:51 . 2001-08-17 17:28 771581 -c--a-w- c:\windows\system32\dllcache\winacisa.sys
2010-07-11 22:51 . 2001-08-18 02:36 87040 -c--a-w- c:\windows\system32\dllcache\wiafbdrv.dll
2010-07-11 22:51 . 2001-08-18 02:36 53760 -c--a-w- c:\windows\system32\dllcache\wiamsmud.dll
2010-07-11 22:51 . 2001-08-17 17:28 701386 -c--a-w- c:\windows\system32\dllcache\wdhaalba.sys
2010-07-11 22:51 . 2004-08-04 05:29 23615 -c--a-w- c:\windows\system32\dllcache\wch7xxnt.sys
2010-07-11 22:51 . 2008-04-13 18:45 31744 -c--a-w- c:\windows\system32\dllcache\wceusbsh.sys
2010-07-11 22:51 . 2001-08-17 16:10 35871 -c--a-w- c:\windows\system32\dllcache\wbfirdma.sys
2010-07-11 22:49 . 2001-08-17 17:51 4992 -c--a-w- c:\windows\system32\dllcache\toside.sys
2010-07-11 22:48 . 2001-08-17 17:57 6784 -c--a-w- c:\windows\system32\dllcache\smbhc.sys
2010-07-11 22:47 . 2001-08-17 16:50 75392 -c--a-w- c:\windows\system32\dllcache\s3savmxm.sys
2010-07-11 22:46 . 2008-04-13 18:41 17664 -c--a-w- c:\windows\system32\dllcache\ppa3.sys
2010-07-11 22:45 . 2001-08-17 16:49 51552 -c--a-w- c:\windows\system32\dllcache\ntgrip.sys
2010-07-11 22:44 . 2008-04-13 18:46 49024 -c--a-w- c:\windows\system32\dllcache\mstape.sys
2010-07-11 22:44 . 2001-08-17 17:48 12416 -c--a-w- c:\windows\system32\dllcache\msriffwv.sys
2010-07-11 22:44 . 2001-08-17 18:00 2944 -c--a-w- c:\windows\system32\dllcache\msmpu401.sys
2010-07-11 22:44 . 2008-04-13 18:54 22016 -c--a-w- c:\windows\system32\dllcache\msircomm.sys
2010-07-11 22:44 . 2002-08-29 12:00 98304 -c--a-w- c:\windows\system32\dllcache\msir3jp.dll
2010-07-11 22:44 . 2001-08-17 18:02 35200 -c--a-w- c:\windows\system32\dllcache\msgame.sys
2010-07-11 22:44 . 2001-08-17 17:48 6016 -c--a-w- c:\windows\system32\dllcache\msfsio.sys
2010-07-11 22:44 . 2001-08-17 17:52 17280 -c--a-w- c:\windows\system32\dllcache\mraid35x.sys
2010-07-11 22:42 . 2008-04-14 00:09 6144 -c--a-w- c:\windows\system32\dllcache\kbd106.dll
2010-07-11 22:41 . 2001-08-18 02:36 372824 -c--a-w- c:\windows\system32\dllcache\iconf32.dll
2010-07-11 22:40 . 2002-08-29 12:00 36864 -c--a-w- c:\windows\system32\dllcache\hanjadic.dll
2010-07-11 22:39 . 2001-08-17 17:28 347550 -c--a-w- c:\windows\system32\dllcache\es56tpi.sys
2010-07-11 22:38 . 2001-08-18 02:36 419357 -c--a-w- c:\windows\system32\dllcache\dgconfig.dll
2010-07-11 22:37 . 2002-08-29 12:00 838144 -c--a-w- c:\windows\system32\dllcache\chtbrkr.dll
2010-07-11 22:36 . 2001-08-18 02:36 32256 -c--a-w- c:\windows\system32\dllcache\brmfrsmg.exe
2010-07-11 22:35 . 2001-08-17 18:07 101888 -c--a-w- c:\windows\system32\dllcache\adpu160m.sys
2010-07-11 22:34 . 2001-08-17 18:56 66048 -c--a-w- c:\windows\system32\dllcache\s3legacy.dll
2010-07-11 02:38 . 2010-07-11 02:38 -------- d-----w- c:\windows\E80F62FF5D3C4A1984099721F2928206.TMP
2010-07-11 02:37 . 2010-07-11 02:37 -------- d-----w- c:\documents and settings\Owner\Application Data\Avira
2010-07-11 02:27 . 2010-07-11 02:38 -------- d-----w- c:\program files\Windows Defender
2010-07-09 23:27 . 2010-07-09 23:27 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\VS Revo Group
2010-07-09 23:26 . 2009-12-30 16:20 27064 ----a-w- c:\windows\system32\drivers\revoflt.sys
2010-07-09 23:26 . 2010-07-09 23:26 -------- d-----w- c:\program files\VS Revo Group
2010-07-09 21:33 . 2010-03-01 14:05 124784 ----a-w- c:\windows\system32\drivers\avipbb.sys
2010-07-09 21:33 . 2009-05-11 16:49 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2010-07-09 21:33 . 2010-02-16 18:24 60936 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-07-09 21:33 . 2009-05-11 16:49 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2010-07-09 21:33 . 2010-07-09 21:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2010-07-09 21:33 . 2010-07-09 21:33 -------- d-----w- c:\program files\Avira
2010-07-09 05:35 . 2010-07-09 05:35 552 ----a-w- c:\windows\system32\d3d8caps.dat
2010-07-09 05:35 . 2010-07-12 17:46 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-07-08 16:41 . 2010-07-12 11:22 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-07-08 15:28 . 2010-07-08 15:28 -------- d-----w- c:\documents and settings\All Users\Application Data\SITEguard
2010-07-08 15:25 . 2010-07-08 15:25 -------- d-----w- c:\program files\Common Files\iS3
2010-07-08 15:25 . 2010-07-09 00:00 -------- d-----w- c:\documents and settings\All Users\Application Data\STOPzilla!
2010-07-08 14:05 . 2010-07-08 14:05 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Threat Expert
2010-07-08 11:33 . 2010-07-08 11:33 436236 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\WPFFontCache_v0400-S-1-5-21-1451323331-2558171538-937877858-1004-0.dat
2010-07-08 11:33 . 2010-07-08 11:33 312878 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\WPFFontCache_v0400-System.dat
2010-07-08 11:19 . 2010-07-08 11:19 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\{3DABE8F6-36A7-4769-81C2-0250D4118676}
2010-07-02 13:39 . 2010-03-17 12:51 82696 ----a-w- c:\windows\system32\lmdimon8.dll
2010-07-02 13:39 . 2010-03-17 12:51 82184 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\lmdippr8.dll
2010-07-02 13:37 . 2010-07-02 13:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Applications
2010-07-01 14:32 . 2010-07-01 14:32 -------- d-----w- c:\documents and settings\Owner\Application Data\Microsoft Corporation
2010-06-30 13:59 . 2010-06-30 13:59 -------- d-----w- c:\program files\Microsoft SQL Server
2010-06-30 13:07 . 2010-06-30 13:07 -------- d-----w- c:\program files\Microsoft Synchronization Services
2010-06-30 13:07 . 2010-06-30 13:07 -------- d-----w- c:\program files\Microsoft SQL Server Compact Edition
2010-06-30 12:58 . 2010-06-30 12:58 -------- d-----w- c:\windows\symbols
2010-06-30 12:57 . 2010-06-30 12:57 -------- d-----w- c:\program files\Microsoft SDKs
2010-06-30 12:57 . 2010-06-30 12:57 -------- d-----w- c:\program files\Microsoft Help Viewer
2010-06-30 12:57 . 2010-06-30 12:57 -------- d-----w- c:\program files\Common Files\Merge Modules
2010-06-30 12:57 . 2010-06-30 14:01 -------- d-----w- c:\program files\Microsoft Visual Studio 10.0
2010-06-30 11:28 . 2010-06-30 12:59 -------- d-----w- c:\program files\Microsoft.NET
2010-06-30 00:32 . 2010-06-30 00:32 -------- d-----w- c:\documents and settings\Owner\Application Data\OpenOffice.org

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-28 15:47 . 2005-03-29 15:17 -------- d-----w- c:\program files\Common Files\Java
2010-07-28 15:44 . 2010-05-12 00:54 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-07-28 15:32 . 2010-07-28 15:32 0 ----a-w- c:\windows\system32\REN102.tmp
2010-07-28 15:32 . 2010-07-28 15:32 0 ----a-w- c:\windows\system32\REN101.tmp
2010-07-28 15:32 . 2010-07-28 15:32 0 ----a-w- c:\windows\system32\REN100.tmp
2010-07-27 03:56 . 2009-12-29 03:55 -------- d-----w- c:\documents and settings\All Users\Application Data\CanonIJPLM
2010-07-26 02:12 . 2006-07-10 01:35 -------- d-----w- c:\program files\Jewel
2010-07-25 12:34 . 2005-03-20 22:41 -------- d-----w- c:\program files\Common Files\Adobe
2010-07-25 12:28 . 2010-07-25 12:28 77184 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe
2010-07-23 09:41 . 2006-06-11 11:20 -------- d-----w- c:\program files\iTunes
2010-07-23 09:40 . 2005-12-15 22:44 -------- d-----w- c:\program files\iPod
2010-07-23 09:40 . 2007-07-15 18:59 -------- d-----w- c:\program files\Common Files\Apple
2010-07-23 09:34 . 2010-07-23 09:34 73000 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.2.1.5\SetupAdmin.exe
2010-07-21 09:32 . 2008-11-05 11:35 -------- d-----w- c:\documents and settings\Owner\Application Data\DNA
2010-07-21 09:29 . 2006-03-12 12:16 -------- d-----w- c:\documents and settings\Owner\Application Data\Webshots
2010-07-20 17:14 . 2009-11-14 00:28 -------- d-----w- c:\documents and settings\Owner\Application Data\BitTorrent
2010-07-19 18:01 . 2005-12-22 03:25 -------- d-----w- c:\documents and settings\Owner\Application Data\Roxio
2010-07-15 09:48 . 2010-06-30 00:35 1 ----a-w- c:\documents and settings\Owner\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2010-07-12 19:26 . 2009-12-15 00:53 -------- d-----w- c:\documents and settings\Owner\Application Data\Media Player Classic
2010-07-12 17:43 . 2009-08-31 19:22 -------- d-----w- c:\program files\KDE
2010-07-11 22:18 . 2007-08-05 22:02 -------- d-----w- c:\documents and settings\Owner\Application Data\Yahoo!
2010-07-11 20:52 . 2007-05-23 23:23 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo!
2010-07-11 20:52 . 2005-03-21 00:25 -------- d-----w- c:\program files\Yahoo!
2010-07-11 02:38 . 2005-12-15 22:50 -------- d-----w- c:\documents and settings\Owner\Application Data\Apple Computer
2010-07-11 02:38 . 2003-05-03 00:27 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-07-11 02:38 . 2003-05-03 00:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2010-07-10 13:01 . 2007-03-15 20:47 -------- d-----w- c:\program files\Apple Software Update
2010-07-09 23:25 . 2009-11-14 23:43 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-07-09 13:24 . 2005-03-12 21:47 36352 ----a-w- c:\windows\system32\drivers\disk.sys
2010-07-08 15:42 . 2010-07-08 15:39 4448 ----a-w- c:\windows\system32\drivers\kgpfr2.cfg
2010-07-08 15:40 . 2009-08-18 22:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2010-07-08 15:39 . 2010-07-08 15:39 240 ----a-w- c:\windows\system32\drivers\kgpcpy.cfg
2010-07-08 11:34 . 2010-02-14 11:40 -------- d-----w- c:\program files\Microsoft Silverlight
2010-06-30 23:50 . 2010-03-12 22:11 43520 ----a-w- c:\windows\system32\CmdLineExt03.dll
2010-06-30 14:01 . 2010-06-30 13:57 188128 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\VCSExpress\10.0\1033\ResourceCache.dll
2010-06-30 13:04 . 2010-06-30 13:04 112832 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\VCExpress\10.0\1033\ResourceCache.dll
2010-06-30 12:57 . 2009-05-29 02:08 -------- d-----w- c:\program files\MSBuild
2010-06-27 22:47 . 2010-05-09 17:39 -------- d-----w- c:\documents and settings\Owner\Application Data\vlc
2010-06-19 17:27 . 2010-06-19 17:27 -------- d-----w- c:\program files\Bonjour
2010-06-02 14:54 . 2009-01-03 21:07 -------- d-----w- c:\documents and settings\Owner\Application Data\gtk-2.0
2010-05-31 03:18 . 2009-11-24 02:53 -------- d-----w- c:\program files\DOSBox-0.73
2010-05-23 16:54 . 2010-05-23 16:54 61440 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-254e6b4b-n\decora-sse.dll
2010-05-23 16:54 . 2010-05-23 16:54 503808 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-352192fa-n\msvcp71.dll
2010-05-23 16:54 . 2010-05-23 16:54 499712 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-352192fa-n\jmc.dll
2010-05-23 16:54 . 2010-05-23 16:54 348160 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-352192fa-n\msvcr71.dll
2010-05-23 16:54 . 2010-05-23 16:54 12800 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-254e6b4b-n\decora-d3d.dll
2010-05-18 20:35 . 2010-05-18 20:35 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-05-18 20:35 . 2010-05-18 20:35 107808 ----a-w- c:\windows\system32\dns-sd.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2010-06-01 5252408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LTMSG"="LTMSG.exe 7" [X]
"BluetoothAuthenticationAgent"="irprops.cpl" [2008-04-14 380416]
"SoundMAXPnP"="c:\program files\Analog Devices\SoundMAX\SMax4PNP.exe" [2003-03-21 774144]
"RoxioEngineUtility"="c:\program files\Common Files\Roxio Shared\System\EngUtil.exe" [2003-05-01 65536]
"RoxioDragToDisc"="c:\program files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe" [2003-06-25 868352]
"RoxioAudioCentral"="c:\program files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe" [2003-06-24 319488]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-16 13529088]
"nwiz"="nwiz.exe" [2008-05-16 1630208]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-03-17 47392]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2008-06-10 1406024]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-05-16 86016]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-09-20 198160]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2009-07-07 1848648]
"CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2008-12-12 722256]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-18 421888]
"Start WingMan Profiler"="c:\program files\Logitech\Gaming Software\LWEMon.exe" [2009-09-17 153608]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-03-02 282792]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-03 866584]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-07-21 141608]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"NvMediaCenter"="c:\windows\System32\NVMCTRAY.DLL" [2008-05-16 86016]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\ftp.exe"=
"c:\\Program Files\\Savings Bond Wizard\\SBWizard.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\SecondLife\\SLVoice.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Microsoft Games\\Age of Empires\\EMPIRES.EXE"=
"c:\\Program Files\\Microsoft Games\\Age of Empires II\\EMPIRES2.ICD"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\spoolsv.exe"=
"c:\\Program Files\\Syslog Watcher 2\\SyslogWatcherPers.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009

R1 1UnHooker;1UnHooker;c:\windows\system32\drivers\1UnHooker.sys [3/2/2010 10:15 PM 22016]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [7/9/2010 5:33 PM 135336]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]
S2 KillTheHooker;KillTheHooker;\??\d:\tdl3 razor\TizerBruteForceEx.sys --> d:\tdl3 razor\TizerBruteForceEx.sys [?]
S3 DNSFILT;DNSFILT;\??\c:\windows\system32\Drivers\DNSFILT.SYS --> c:\windows\system32\Drivers\DNSFILT.SYS [?]
S3 FWFILT;FWFILT;\??\c:\windows\system32\Drivers\FWFILT.SYS --> c:\windows\system32\Drivers\FWFILT.SYS [?]
S3 HPZs2k12;Storage Class Driver for IEEE-1284.4 (HPZ12);c:\windows\system32\drivers\hpzs2k12.sys [11/23/2003 5:07 PM 50424]
S3 HTTPFILT;HTTPFILT;\??\c:\windows\system32\Drivers\HTTPFILT.SYS --> c:\windows\system32\Drivers\HTTPFILT.SYS [?]
S3 Revoflt;Revoflt;c:\windows\system32\drivers\revoflt.sys [7/9/2010 7:26 PM 27064]
S3 SYMFILT;SYMFILT;\??\c:\windows\system32\Drivers\SYMFILT.SYS --> c:\windows\system32\Drivers\SYMFILT.SYS [?]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]
.
Contents of the 'Scheduled Tasks' folder

2010-07-24 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2009-01-02 c:\windows\Tasks\Microsoft_Hardware_Launch_IPoint_exe.job
- c:\program files\Microsoft IntelliPoint\ipoint.exe [2008-06-10 17:56]

2010-07-29 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 23:20]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com
mStart Page = hxxp://www.yahoo.com
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = <local>
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
Trusted Zone: cmphotocenter.com\www
Name-Space Handler: ftp\* - {419A0123-4312-1122-A0C0-434FDA6DA542} - c:\program files\CoreFTP\pftpns.dll
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: vzTCPConfig - hxxps://essentialsandextras.verizon.com/whatsnext/mainweb_js/vzTCPConfig.CAB
DPF: {C915801D-6F00-49CD-8A9A-8DE5C11ADDC1} - hxxp://www.cmphotocenter.com/is/DragDropUploader.cab
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\gtu1xqnu.default\
FF - prefs.js: browser.search.defaulturl - hxxp://aim.search.aol.com/aol/search?query={searchTerms}&invocationType=tb50-ff-aim-chromesbox-en-us&tb_uuid=100000000000000002&tb_oid=23-07-2010&tb_mrud=23-07-2010
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - prefs.js: network.proxy.type - 0
FF - component: c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\gtu1xqnu.default\extensions\{6e098d65-7d2d-46d4-ada0-2f882a29f795}\platform\WINNT_x86-msvc\components\libchm.dll
FF - component: c:\program files\Real\RealPlayer\browserrecord\firefox\ext\components\nprpffbrowserrecordext.dll
FF - plugin: c:\documents and settings\Owner\Application Data\Facebook\npfbplugin_1_0_1.dll
FF - plugin: c:\documents and settings\Owner\Application Data\Move Networks\plugins\npqmp071503000010.dll
FF - plugin: c:\documents and settings\Owner\Application Data\Move Networks\plugins\npqmp071705000014.dll
FF - plugin: c:\program files\Canon\Easy-PhotoPrint EX\NPEZFFPI.DLL
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npyaxmpb.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
FF - HiddenExtension: XULRunner: {3DABE8F6-36A7-4769-81C2-0250D4118676} - c:\documents and settings\Owner\Local Settings\Application Data\{3DABE8F6-36A7-4769-81C2-0250D4118676}

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true);user_pref(yahoo.ytff.general.dontshowhpoffer, true);user_pref(network.protocol-handler.warn-external.dnupdate, false);user_pref(network.protocol-handler.warn-external.dnupdate, falsec:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-29 17:30
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\atapi]
"ImagePath"=multi:"system32\drivers\atapi.sys\00\00ImagePath\00AppInit_DLLs\00\00"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\atapi]
"ImagePath"=multi:"system32\drivers\atapi.sys\00\00ImagePath\00AppInit_DLLs\00\00"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(1400)
c:\windows\system32\WININET.dll
c:\windows\system32\nview.dll
c:\progra~1\WINDOW~1\wmpband.dll
c:\windows\system32\msi.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Avira\AntiVir Desktop\avshadow.exe
c:\program files\Canon\IJPLM\IJPLMSVC.EXE
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\windows\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPZipm12.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\program files\Analog Devices\SoundMAX\SMAgent.exe
c:\windows\system32\MsPMSPSv.exe
c:\program files\Windows Media Player\WMPNetwk.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\rundll32.exe
c:\windows\LTMSG.exe
c:\program files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
c:\windows\system32\RUNDLL32.EXE
c:\program files\Microsoft IntelliPoint\dpupdchk.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Yahoo!\Messenger\ymsgr_tray.exe
.
**************************************************************************
.
Completion time: 2010-07-29 17:45:47 - machine was rebooted
ComboFix-quarantined-files.txt 2010-07-29 21:45
ComboFix2.txt 2010-07-29 03:04

Pre-Run: 54,627,561,472 bytes free
Post-Run: 54,613,258,240 bytes free

- - End Of File - - 1543C08D69227E98BCBD2E92E65B4F71

And here is my DDS.txt


DDS (Ver_10-03-17.01) - NTFSx86
Run by Owner at 17:49:08.42 on Thu 07/29/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_21
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3071.2467 [GMT -4:00]

AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
svchost.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPZipm12.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\LTMSG.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
C:\Program Files\Logitech\Gaming Software\LWEMon.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\iTunes\iTunesHelper.exe
c:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Owner\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com
mStart Page = hxxp://www.yahoo.com
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = <local>
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [Messenger (Yahoo!)] "c:\program files\yahoo!\messenger\YahooMessenger.exe" -quiet
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [BluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
mRun: [SoundMAXPnP] c:\program files\analog devices\soundmax\SMax4PNP.exe
mRun: [RoxioEngineUtility] "c:\program files\common files\roxio shared\system\EngUtil.exe"
mRun: [RoxioDragToDisc] "c:\program files\roxio\easy cd creator 6\dragtodisc\DrgToDsc.exe"
mRun: [RoxioAudioCentral] "c:\program files\roxio\easy cd creator 6\audiocentral\RxMon.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [LTMSG] LTMSG.exe 7
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [CanonMyPrinter] c:\program files\canon\myprinter\BJMyPrt.exe /logon
mRun: [CanonSolutionMenu] c:\program files\canon\solutionmenu\CNSLMAIN.exe /logon
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [Start WingMan Profiler] c:\program files\logitech\gaming software\LWEMon.exe /noui
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
dRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NVMCTRAY.DLL,NvTaskbarInit
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: cmphotocenter.com\www
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: vzTCPConfig - hxxps://essentialsandextras.verizon.com/whatsnext/mainweb_js/vzTCPConfig.CAB
DPF: {01113300-3E00-11D2-8470-0060089874ED} - hxxps://activatemyfios.verizon.net/sdcCommon/download/FIOS/Verizon%20FiOS%20Installer.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {1851174C-97BD-4217-A0CC-E908F60D5B7A} - hxxps://h50203.www5.hp.com/HPISWeb/Customer/cabs/HPISDataManager.CAB
DPF: {33415AC7-AFFA-4D55-B41C-C64C0D07DFCA} - hxxp://h50203.www5.hp.com/HPISWeb/Customer/cabs/HPISWebManager.CAB
DPF: {34F12AFD-E9B5-492A-85D2-40FA4535BE83} - hxxp://www.symantec.com/techsupp/activedata/nprdtinf.cab
DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc3.cab
DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} - hxxps://www-secure.symantec.com/techsupp/asa/ss/sa/sa_cabs/tgctlsr.cab
DPF: {60EFC337-15C2-4369-B2A0-3429B071D8B8} - hxxp://h50203.www5.hp.com/HPISWeb/Customer/cabs/HPISWebManager.CAB
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1111145944343
DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} - hxxps://webdl.symantec.com/activex/symdlmgr.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1147826590435
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {C915801D-6F00-49CD-8A9A-8DE5C11ADDC1} - hxxp://www.cmphotocenter.com/is/DragDropUploader.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
Name-Space Handler: ftp\* - {419A0123-4312-1122-A0C0-434FDA6DA542} - c:\program files\coreftp\pftpns.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\gtu1xqnu.default\
FF - prefs.js: browser.search.defaulturl - hxxp://aim.search.aol.com/aol/search?query={searchTerms}&invocationType=tb50-ff-aim-chromesbox-en-us&tb_uuid=100000000000000002&tb_oid=23-07-2010&tb_mrud=23-07-2010
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - prefs.js: network.proxy.type - 0
FF - component: c:\documents and settings\owner\application data\mozilla\firefox\profiles\gtu1xqnu.default\extensions\{6e098d65-7d2d-46d4-ada0-2f882a29f795}\platform\winnt_x86-msvc\components\libchm.dll
FF - component: c:\program files\real\realplayer\browserrecord\firefox\ext\components\nprpffbrowserrecordext.dll
FF - plugin: c:\documents and settings\owner\application data\facebook\npfbplugin_1_0_1.dll
FF - plugin: c:\documents and settings\owner\application data\move networks\plugins\npqmp071503000010.dll
FF - plugin: c:\documents and settings\owner\application data\move networks\plugins\npqmp071705000014.dll
FF - plugin: c:\program files\canon\easy-photoprint ex\NPEZFFPI.DLL
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npyaxmpb.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: XULRunner: {3DABE8F6-36A7-4769-81C2-0250D4118676} - c:\documents and settings\owner\local settings\application data\{3DABE8F6-36A7-4769-81C2-0250D4118676}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true);user_pref(yahoo.ytff.general.dontshowhpoffer, true);user_pref(network.protocol-handler.warn-external.dnupdate, false);user_pref(network.protocol-handler.warn-external.dnupdate, falsec:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 1UnHooker;1UnHooker;c:\windows\system32\drivers\1UnHooker.sys [2010-3-2 22016]
R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2010-7-9 11608]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2010-7-9 135336]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2010-7-9 267432]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2010-7-9 60936]
R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 KillTheHooker;KillTheHooker;\??\d:\tdl3 razor\tizerbruteforceex.sys --> d:\tdl3 razor\TizerBruteForceEx.sys [?]
S3 DNSFILT;DNSFILT;\??\c:\windows\system32\drivers\dnsfilt.sys --> c:\windows\system32\drivers\DNSFILT.SYS [?]
S3 FWFILT;FWFILT;\??\c:\windows\system32\drivers\fwfilt.sys --> c:\windows\system32\drivers\FWFILT.SYS [?]
S3 HPZs2k12;Storage Class Driver for IEEE-1284.4 (HPZ12);c:\windows\system32\drivers\hpzs2k12.sys [2003-11-23 50424]
S3 HTTPFILT;HTTPFILT;\??\c:\windows\system32\drivers\httpfilt.sys --> c:\windows\system32\drivers\HTTPFILT.SYS [?]
S3 Revoflt;Revoflt;c:\windows\system32\drivers\revoflt.sys [2010-7-9 27064]
S3 SYMFILT;SYMFILT;\??\c:\windows\system32\drivers\symfilt.sys --> c:\windows\system32\drivers\SYMFILT.SYS [?]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]

=============== Created Last 30 ================

2010-07-29 02:31:18 0 d-sha-r- C:\cmdcons
2010-07-29 02:25:58 98816 ----a-w- c:\windows\sed.exe
2010-07-29 02:25:58 77312 ----a-w- c:\windows\MBR.exe
2010-07-29 02:25:58 256512 ----a-w- c:\windows\PEV.exe
2010-07-29 02:25:58 161792 ----a-w- c:\windows\SWREG.exe
2010-07-28 15:46:17 0 d-----w- c:\program files\Sun
2010-07-28 15:45:38 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-07-28 15:32:48 0 ----a-w- c:\windows\system32\REN102.tmp
2010-07-28 15:32:48 0 ----a-w- c:\windows\system32\REN101.tmp
2010-07-28 15:32:48 0 ----a-w- c:\windows\system32\REN100.tmp
2010-07-23 16:52:12 0 d-----w- c:\program files\common files\AOL
2010-07-23 16:51:32 361 ---ha-w- C:\IPH.PH
2010-07-21 16:36:06 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2010-07-21 03:50:27 4194371 ----a-w- c:\windows\pfirewall.log.old
2010-07-19 11:59:13 0 d-----w- c:\docume~1\owner\applic~1\Uniblue
2010-07-19 01:49:24 0 d-----w- c:\program files\Spybot - Search & Destroy
2010-07-19 01:49:24 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2010-07-13 18:15:00 0 d-----w- c:\docume~1\owner\applic~1\Chaos Software
2010-07-13 18:15:00 0 d-----w- c:\docume~1\alluse~1\applic~1\Chaos Software
2010-07-12 19:06:07 0 d-----w- c:\program files\CCleaner
2010-07-12 11:22:20 0 d-----w- c:\docume~1\owner\applic~1\Malwarebytes
2010-07-12 11:22:06 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-07-12 11:22:02 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-07-12 11:22:01 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-07-11 23:00:32 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-07-11 22:53:14 116224 -c--a-w- c:\windows\system32\dllcache\xrxwiadr.dll
2010-07-11 22:53:13 23040 -c--a-w- c:\windows\system32\dllcache\xrxwbtmp.dll
2010-07-11 22:53:12 27648 -c--a-w- c:\windows\system32\dllcache\xrxftplt.exe
2010-07-11 22:53:12 18944 -c--a-w- c:\windows\system32\dllcache\xrxscnui.dll
2010-07-11 22:53:11 4608 -c--a-w- c:\windows\system32\dllcache\xrxflnch.exe
2010-07-11 22:52:36 99865 -c--a-w- c:\windows\system32\dllcache\xlog.exe
2010-07-11 22:52:35 28288 -c--a-w- c:\windows\system32\dllcache\xjis.nls
2010-07-11 22:52:35 16970 -c--a-w- c:\windows\system32\dllcache\xem336n5.sys
2010-07-11 22:52:32 19455 -c--a-w- c:\windows\system32\dllcache\wvchntxx.sys
2010-07-11 22:52:24 12063 -c--a-w- c:\windows\system32\dllcache\wsiintxx.sys
2010-07-11 22:52:22 8192 -c--a-w- c:\windows\system32\dllcache\wshirda.dll
2010-07-11 22:51:30 8832 -c--a-w- c:\windows\system32\dllcache\wmiacpi.sys
2010-07-11 22:51:24 34890 -c--a-w- c:\windows\system32\dllcache\wlandrv2.sys
2010-07-11 22:51:24 154624 -c--a-w- c:\windows\system32\dllcache\wlluc48.sys
2010-07-11 22:51:15 771581 -c--a-w- c:\windows\system32\dllcache\winacisa.sys
2010-07-11 22:51:09 87040 -c--a-w- c:\windows\system32\dllcache\wiafbdrv.dll
2010-07-11 22:51:09 53760 -c--a-w- c:\windows\system32\dllcache\wiamsmud.dll
2010-07-11 22:51:05 701386 -c--a-w- c:\windows\system32\dllcache\wdhaalba.sys
2010-07-11 22:51:04 23615 -c--a-w- c:\windows\system32\dllcache\wch7xxnt.sys
2010-07-11 22:51:02 35871 -c--a-w- c:\windows\system32\dllcache\wbfirdma.sys
2010-07-11 22:51:02 31744 -c--a-w- c:\windows\system32\dllcache\wceusbsh.sys
2010-07-11 22:49:57 4992 -c--a-w- c:\windows\system32\dllcache\toside.sys
2010-07-11 22:48:59 6784 -c--a-w- c:\windows\system32\dllcache\smbhc.sys
2010-07-11 22:47:57 75392 -c--a-w- c:\windows\system32\dllcache\s3savmxm.sys
2010-07-11 22:46:59 83748 -c--a-w- c:\windows\system32\dllcache\prcp.nls
2010-07-11 22:45:49 51552 -c--a-w- c:\windows\system32\dllcache\ntgrip.sys
2010-07-11 22:44:58 49024 -c--a-w- c:\windows\system32\dllcache\mstape.sys
2010-07-11 22:44:55 12416 -c--a-w- c:\windows\system32\dllcache\msriffwv.sys
2010-07-11 22:44:46 2944 -c--a-w- c:\windows\system32\dllcache\msmpu401.sys
2010-07-11 22:44:44 22016 -c--a-w- c:\windows\system32\dllcache\msircomm.sys
2010-07-11 22:44:43 98304 -c--a-w- c:\windows\system32\dllcache\msir3jp.dll
2010-07-11 22:44:43 1875968 -c--a-w- c:\windows\system32\dllcache\msir3jp.lex
2010-07-11 22:44:20 35200 -c--a-w- c:\windows\system32\dllcache\msgame.sys
2010-07-11 22:44:18 6016 -c--a-w- c:\windows\system32\dllcache\msfsio.sys
2010-07-11 22:44:10 17280 -c--a-w- c:\windows\system32\dllcache\mraid35x.sys
2010-07-11 22:42:45 6144 -c--a-w- c:\windows\system32\dllcache\kbd106.dll
2010-07-11 22:41:58 372824 -c--a-w- c:\windows\system32\dllcache\iconf32.dll
2010-07-11 22:40:59 36864 -c--a-w- c:\windows\system32\dllcache\hanjadic.dll
2010-07-11 22:39:59 347550 -c--a-w- c:\windows\system32\dllcache\es56tpi.sys
2010-07-11 22:38:58 419357 -c--a-w- c:\windows\system32\dllcache\dgconfig.dll
2010-07-11 22:37:59 838144 -c--a-w- c:\windows\system32\dllcache\chtbrkr.dll
2010-07-11 22:36:59 32256 -c--a-w- c:\windows\system32\dllcache\brmfrsmg.exe
2010-07-11 22:35:59 24576 -c--a-w- c:\windows\system32\dllcache\agcgauge.ax
2010-07-11 22:34:58 66048 -c--a-w- c:\windows\system32\dllcache\s3legacy.dll
2010-07-11 20:30:07 42 ----a-w- c:\windows\system32\AK083E209605E394C.lie
2010-07-11 02:38:05 0 d-----w- c:\windows\E80F62FF5D3C4A1984099721F2928206.TMP
2010-07-11 02:37:51 0 d-----w- c:\docume~1\owner\applic~1\Avira
2010-07-09 23:26:41 27064 ----a-w- c:\windows\system32\drivers\revoflt.sys
2010-07-09 23:26:34 0 d-----w- c:\program files\VS Revo Group
2010-07-09 21:33:19 60936 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-07-09 21:33:16 0 d-----w- c:\docume~1\alluse~1\applic~1\Avira
2010-07-09 21:33:15 0 d-----w- c:\program files\Avira
2010-07-09 05:35:05 552 ----a-w- c:\windows\system32\d3d8caps.dat
2010-07-09 05:35:04 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-07-08 16:41:19 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-07-08 15:39:51 4448 ----a-w- c:\windows\system32\drivers\kgpfr2.cfg
2010-07-08 15:39:49 240 ----a-w- c:\windows\system32\drivers\kgpcpy.cfg
2010-07-08 15:28:03 0 d-----w- c:\docume~1\alluse~1\applic~1\SITEguard
2010-07-08 15:25:25 0 d-----w- c:\program files\common files\iS3
2010-07-08 15:25:24 0 d-----w- c:\docume~1\alluse~1\applic~1\STOPzilla!
2010-07-02 13:39:09 82696 ----a-w- c:\windows\system32\lmdimon8.dll
2010-07-02 13:37:32 0 d-----w- c:\docume~1\alluse~1\applic~1\Applications
2010-07-01 14:32:00 0 d-----w- c:\docume~1\owner\applic~1\Microsoft Corporation
2010-06-30 13:59:15 0 d-----w- c:\program files\Microsoft SQL Server
2010-06-30 13:07:45 0 d-----w- c:\program files\Microsoft Synchronization Services
2010-06-30 13:07:43 0 d-----w- c:\program files\Microsoft SQL Server Compact Edition
2010-06-30 12:57:48 0 d-----w- c:\program files\Microsoft Help Viewer
2010-06-30 12:57:48 0 d-----w- c:\program files\common files\Merge Modules
2010-06-30 12:57:47 0 d-----w- c:\program files\Microsoft Visual Studio 10.0
2010-06-30 12:48:17 165 ----a-w- c:\windows\system32\spupdsvc.inf
2010-06-30 00:32:11 0 d-----w- c:\docume~1\owner\applic~1\OpenOffice.org

==================== Find3M ====================

2010-07-28 15:44:54 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-07-09 13:24:03 36352 ----a-w- c:\windows\system32\drivers\disk.sys
2010-06-30 23:50:39 43520 ----a-w- c:\windows\system32\CmdLineExt03.dll
2010-05-18 20:35:16 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-05-18 20:35:16 107808 ----a-w- c:\windows\system32\dns-sd.exe
2008-09-02 03:08:53 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008090120080902\index.dat

============= FINISH: 17:49:42.00 ===============

I still get the error when I try to update Windows Defender.
I still cannot get the latest updates with MBAM.
Yahoo search results are still redirected.


#8 km2357

km2357

  • Malware Response Team
  • 1,784 posts
  • OFFLINE
  • Gender:Male
  • Location:California
  • Local time:05:51 PM

Posted 29 July 2010 - 07:02 PM

QUOTE
I still get the error when I try to update Windows Defender.


Try this:

Click Start then Run. Once the Run box opens, type the following in it, then click OK:

regsvr32 wuaueng.dll

Be sure that there is a space between the 2 in regsvr32 and the w in wuaueng.dll.

After you click OK, the following message should come up:

DllRegisterServer in Wuaueng.dll succeeded

If it does, click OK and then see if you can update Windows Defender. If the message doesn't show up or if you still can't update Windows Defender, let me know.


QUOTE
I still cannot get the latest updates with MBAM


What error message do you get when you try updating MBAM? Also, if you're successful in updating Windows Defender after doing the above step, try updating MBAM.


Finally, is the computer connected to the Internet directly through a modem or through a router?

MalWare Removal University Master

Member of ASAP


#9 ohazard

ohazard
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  • Gender:Male
  • Location:Maryland
  • Local time:08:51 PM

Posted 29 July 2010 - 07:36 PM

I was able to update Windows Defender after following your instructions.

I tried to update MBAM but got the following error:

MBAM_ERROR_UPDATING(12007, 0, WinHttpSendRequest)

I am connected through a Verizon FiOS modem directly with my desktop computer, the one I'm having troubles with.


#10 ohazard

ohazard
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  • Gender:Male
  • Location:Maryland
  • Local time:08:51 PM

Posted 29 July 2010 - 07:38 PM

I got a message saying updates are ready to be installed on my computer. I know I'm not supposed to make changes to my computer during this process. Should I install the updates?

Edit: Overnight, my computer updated itself, so this question is moot now.

Edited by ohazard, 30 July 2010 - 06:47 AM.


#11 km2357

km2357

  • Malware Response Team
  • 1,784 posts
  • OFFLINE
  • Gender:Male
  • Location:California
  • Local time:05:51 PM

Posted 30 July 2010 - 01:47 PM

QUOTE
I tried to update MBAM but got the following error:

MBAM_ERROR_UPDATING(12007, 0, WinHttpSendRequest)


That error code means that either your AntiVirus or Firewall or both is blocking the files needed for MBAM to update.

Make sure the following files are excluded from your AntiVirus and Firewall:

C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Malwarebytes' Anti-Malware\zlib.dll
C:\Program Files\Malwarebytes' Anti-Malware\mbam.dll
C:\Program Files\Malwarebytes' Anti-Malware\mbamext.dll
C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\rules.ref
C:\Windows\System32\drivers\mbam.sys
C:\Windows\System32\drivers\mbamswissarmy.sys


If using a software firewall besides the built-in Windows Firewall, you'll need to exclude MBAM.EXE from it as well.

Once you've excluded those files, try updating MBAM again. Let me know if you're successful or not.


QUOTE
I am connected through a Verizon FiOS modem directly with my desktop computer, the one I'm having troubles with.


Ok, let's try resetting your modem and see if it clears up the redirects.

You may need to print these instructions out to have them handy.

First, shutdown your computer.

Next, unplug your modem and keep it unplugged for 30 seconds. Once 30 seconds have passed, plug in your modem and wait for it to fully come back on.

Once it's back on, turn on your computer and see if you still get redirected.

MalWare Removal University Master

Member of ASAP


#12 ohazard

ohazard
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  • Gender:Male
  • Location:Maryland
  • Local time:08:51 PM

Posted 30 July 2010 - 03:26 PM

I added all the files you mentioned to the exception list of my Windows Firewall. I do not have any other software firewall for now but I'm still unable to update MBAM.

Also, I unplugged my modem for 30 seconds (after turning off my PC) but I still get redirected search results.

Note: I will be away from my computer starting later this afternoon and unable to respond until late tomorrow evening or early Sunday morning. If I get a response before I go AFK, I'll try to respond ASAP, but be aware I may not be around for a while.


#13 km2357

km2357

  • Malware Response Team
  • 1,784 posts
  • OFFLINE
  • Gender:Male
  • Location:California
  • Local time:05:51 PM

Posted 30 July 2010 - 07:15 PM

Ok, thanks for the note that you'll be away from the computer for a while.

Let's work on solving the MBAM updating problem; if we can get it to update and do a scan with the most up-to-date database, it may fix the Yahoo redirect problem.

I need to ask for some help with MBAM not updating; I'll be back ASAP.

MalWare Removal University Master

Member of ASAP


#14 km2357

km2357

  • Malware Response Team
  • 1,784 posts
  • OFFLINE
  • Gender:Male
  • Location:California
  • Local time:05:51 PM

Posted 31 July 2010 - 12:11 PM

Thanks to TeMerc for his help and suggestions.


First, I'd like for you to delete ComboFix.exe off of your Desktop. Then download the latest version of it from one of the two links below:

Link 1
Link 2

Be sure to save it to your Desktop.


Next, delete CFScript.txt from your Desktop; you will be creating and running a new one.


Step # 1: Run CFScript
  • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

    CODE
    KILLALL::

    File::

    c:\windows\system32\REN102.tmp
    c:\windows\system32\REN101.tmp
    c:\windows\system32\REN100.tmp



  • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.

    Note: This CFScript is for use on ohazard's computer only! Do not use it on your computer.


  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.


CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.


After ComboFix is done running, I'd like for you to uninstall MBAM. Once it's uninstalled, reboot your computer and then redownload MBAM from Here and reinstall it.

After MBAM has been reinstalled, see if you can update it.


In your next post/reply, I need to see the following:

1. The ComboFix Log that appears after Step 1 has been completed.
2. A fresh DDS Log taken after Step 1 has been completed.
3. Can you update MBAM after uninstalling, then reinstalling it?

MalWare Removal University Master

Member of ASAP
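Post #14 asks for a fresh ComboFix log to read. As an added example (not code from this thread, and not a ComboFix, DDS or BleepingComputer tool), here is a small Python triage script for the registry and service sections of such a log. It runs over a constructed excerpt that copies the layout ComboFix uses (the Security Center key and value names, the `R1`/`S2` service lines, and the `multi:"..."` rendering of a REG_MULTI_SZ value); the service names and paths in the sample are invented. It flags three things a helper reads for by hand: Security Center override or monitoring values set to 1 (these silence Security Center alerts and are legitimately written by some third-party AV products, so they are review items, not verdicts), service entries whose file ComboFix could not read (shown with `[?]` where the date and size would be), and a service ImagePath stored as a multi-string that carries more than the driver path, which a normal driver registration does not produce.

```python
import re
from dataclasses import dataclass

# Constructed sample modelled on the ComboFix log layout seen in this thread
# (Reg Loading Points, driver/service lines, and the registry dump that follows
# the catchme scan). Service names and paths here are invented; only the key
# and value names and the multi:"..." rendering follow what ComboFix prints.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ExampleAV]
"DisableMonitoring"=dword:00000000

R1 gooddrv;Good Driver;c:\windows\system32\drivers\gooddrv.sys [3/2/2010 10:15 PM 22016]
S2 leftover;leftover;\??\d:\old tool\leftover.sys --> d:\old tool\leftover.sys [?]

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\atapi]
"ImagePath"=multi:"system32\drivers\atapi.sys\00\00ImagePath\00AppInit_DLLs\00\00"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\cleandrv]
"ImagePath"=multi:"system32\drivers\cleandrv.sys\00\00"
"""

SECURITY_CENTER = r"hkey_local_machine\software\microsoft\security center"
# Values under the Security Center key that silence its alerts when set to 1.
OVERRIDE_VALUES = {"AntiVirusOverride", "FirewallOverride", "DisableMonitoring"}

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.*)$')
# ComboFix service lines: <start type> <name>;<display name>;<path> [date size] or [?]
SERVICE_RE = re.compile(r"^[RS]\d\s+(?P<name>[^;]+);[^;]*;(?P<rest>.*)$")


@dataclass
class Finding:
    severity: str   # "review" or "high"
    kind: str
    where: str
    detail: str


def multi_sz_strings(data: str) -> list:
    r"""Split ComboFix's multi:"a\00b\00\00" rendering into its non-empty strings."""
    inner = data[len('multi:"'):].rstrip('"')
    return [s for s in inner.split(r"\00") if s]


def triage(log_text: str) -> list:
    """Scan registry and service lines of a ComboFix log and return findings."""
    findings = []
    current_key = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            current_key = m.group("key")
            continue
        m = SERVICE_RE.match(line)
        if m:
            # "[?]" in place of the file's date and size: ComboFix could not
            # read the file, so the service points at something that is gone.
            if m.group("rest").endswith("[?]"):
                findings.append(Finding("review", "orphaned-service", m.group("name"),
                                        "service file could not be read; stale entry from a removed tool?"))
            continue
        m = VALUE_RE.match(line)
        if not m:
            continue
        name, data = m.group("name"), m.group("data")
        if (current_key.lower().startswith(SECURITY_CENTER)
                and name in OVERRIDE_VALUES and data == "dword:00000001"):
            findings.append(Finding("review", "security-center-override", current_key,
                                    f"{name}=1 suppresses Security Center alerts; "
                                    "legitimate for some third-party AV, confirm which product set it"))
        elif name == "ImagePath" and data.startswith('multi:"'):
            parts = multi_sz_strings(data)
            # A service ImagePath normally holds one path; extra embedded
            # strings (e.g. "AppInit_DLLs") are not something a clean driver
            # registration produces, so treat them as high priority.
            if len(parts) > 1:
                findings.append(Finding("high", "imagepath-multi-sz", current_key,
                                        "ImagePath carries extra strings: " + ", ".join(parts[1:])))
    return findings


def report(findings: list) -> list:
    """One line per finding, highest severity first, for pasting back into a reply."""
    order = {"high": 0, "review": 1}
    return [f"[{f.severity}] {f.kind} @ {f.where}: {f.detail}"
            for f in sorted(findings, key=lambda f: order[f.severity])]


if __name__ == "__main__":
    for line in report(triage(SAMPLE_LOG)):
        print(line)
```

The script only reads the log; it changes nothing on the machine, so it is safe to run against any pasted ComboFix output. The two `review` categories are deliberately not treated as infections: a security product that registers with Security Center sets `DisableMonitoring` under its own subkey, and an orphaned `S2`/`S3` entry usually means a removal tool was deleted without unregistering its driver, both of which the helper confirms from the rest of the log before acting.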


#15 ohazard

  • Topic Starter
  • Members
  • 14 posts
  • Gender:Male
  • Location:Maryland

Posted 01 August 2010 - 04:58 AM

Thanks for your patience waiting for these logs. For once I did receive a notice that you had replied, so at least that is working.

Below I'm copying the logs requested. But first, when I tried to update MBAM, it got the same error message again.

First the ComboFix Log:

ComboFix 10-07-31.04 - Owner 08/01/2010 4:55.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3071.2451 [GMT -4:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

FILE ::
"c:\windows\system32\REN100.tmp"
"c:\windows\system32\REN101.tmp"
"c:\windows\system32\REN102.tmp"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\REN100.tmp
c:\windows\system32\REN101.tmp
c:\windows\system32\REN102.tmp

.
((((((((((((((((((((((((( Files Created from 2010-07-01 to 2010-08-01 )))))))))))))))))))))))))))))))
.

2010-07-25 12:28 . 2010-07-27 02:19 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-07-21 16:36 . 2010-07-21 16:36 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-07-19 11:59 . 2010-07-19 11:59 -------- d-----w- c:\documents and settings\Owner\Application Data\Uniblue
2010-07-19 01:49 . 2010-07-31 03:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-07-13 18:15 . 2010-07-13 18:17 -------- d-----w- c:\documents and settings\Owner\Application Data\Chaos Software
2010-07-13 18:15 . 2010-07-13 18:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Chaos Software
2010-07-12 11:22 . 2010-07-12 11:22 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
2010-07-12 11:22 . 2010-07-12 11:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-07-11 02:37 . 2010-07-11 02:37 -------- d-----w- c:\documents and settings\Owner\Application Data\Avira
2010-07-09 21:33 . 2010-07-09 21:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2010-07-08 15:28 . 2010-07-08 15:28 -------- d-----w- c:\documents and settings\All Users\Application Data\SITEguard
2010-07-08 15:25 . 2010-07-09 00:00 -------- d-----w- c:\documents and settings\All Users\Application Data\STOPzilla!
2010-07-02 13:37 . 2010-07-02 13:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Applications

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-28 15:47 . 2005-03-29 15:17 -------- d-----w- c:\program files\Common Files\Java
2010-07-28 15:46 . 2010-07-28 15:46 -------- d-----w- c:\program files\Sun
2010-07-28 15:44 . 2010-05-12 00:54 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-07-28 15:44 . 2010-07-28 15:41 -------- d-----w- c:\program files\Java
2010-07-27 11:54 . 2010-07-19 01:49 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-07-27 11:46 . 2010-07-23 16:52 -------- d-----w- c:\program files\Common Files\AOL
2010-07-27 03:56 . 2009-12-29 03:55 -------- d-----w- c:\documents and settings\All Users\Application Data\CanonIJPLM
2010-07-26 02:12 . 2006-07-10 01:35 -------- d-----w- c:\program files\Jewel
2010-07-25 12:34 . 2005-03-20 22:41 -------- d-----w- c:\program files\Common Files\Adobe
2010-07-25 12:29 . 2010-07-25 12:29 -------- d-----w- c:\program files\Common Files\Adobe AIR
2010-07-25 12:28 . 2010-07-25 12:28 77184 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe
2010-07-23 09:41 . 2006-06-11 11:20 -------- d-----w- c:\program files\iTunes
2010-07-23 09:40 . 2005-12-15 22:44 -------- d-----w- c:\program files\iPod
2010-07-23 09:40 . 2007-07-15 18:59 -------- d-----w- c:\program files\Common Files\Apple
2010-07-23 09:34 . 2010-07-23 09:34 73000 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.2.1.5\SetupAdmin.exe
2010-07-21 09:32 . 2008-11-05 11:35 -------- d-----w- c:\documents and settings\Owner\Application Data\DNA
2010-07-21 09:29 . 2006-03-12 12:16 -------- d-----w- c:\documents and settings\Owner\Application Data\Webshots
2010-07-20 17:14 . 2009-11-14 00:28 -------- d-----w- c:\documents and settings\Owner\Application Data\BitTorrent
2010-07-19 18:01 . 2005-12-22 03:25 -------- d-----w- c:\documents and settings\Owner\Application Data\Roxio
2010-07-15 09:48 . 2010-06-30 00:35 1 ----a-w- c:\documents and settings\Owner\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2010-07-12 19:26 . 2009-12-15 00:53 -------- d-----w- c:\documents and settings\Owner\Application Data\Media Player Classic
2010-07-12 19:06 . 2010-07-12 19:06 -------- d-----w- c:\program files\CCleaner
2010-07-12 17:46 . 2010-07-09 05:35 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-07-12 17:43 . 2009-08-31 19:22 -------- d-----w- c:\program files\KDE
2010-07-12 11:22 . 2010-07-08 16:41 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-07-11 22:18 . 2007-08-05 22:02 -------- d-----w- c:\documents and settings\Owner\Application Data\Yahoo!
2010-07-11 20:52 . 2007-05-23 23:23 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo!
2010-07-11 20:52 . 2005-03-21 00:25 -------- d-----w- c:\program files\Yahoo!
2010-07-11 02:38 . 2010-07-11 02:27 -------- d-----w- c:\program files\Windows Defender
2010-07-11 02:38 . 2005-12-15 22:50 -------- d-----w- c:\documents and settings\Owner\Application Data\Apple Computer
2010-07-11 02:38 . 2003-05-03 00:27 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-07-11 02:38 . 2003-05-03 00:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2010-07-10 13:01 . 2007-03-15 20:47 -------- d-----w- c:\program files\Apple Software Update
2010-07-09 23:26 . 2010-07-09 23:26 -------- d-----w- c:\program files\VS Revo Group
2010-07-09 23:25 . 2009-11-14 23:43 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-07-09 21:33 . 2010-07-09 21:33 -------- d-----w- c:\program files\Avira
2010-07-09 13:24 . 2005-03-12 21:47 36352 ----a-w- c:\windows\system32\drivers\disk.sys
2010-07-09 05:35 . 2010-07-09 05:35 552 ----a-w- c:\windows\system32\d3d8caps.dat
2010-07-08 15:42 . 2010-07-08 15:39 4448 ----a-w- c:\windows\system32\drivers\kgpfr2.cfg
2010-07-08 15:40 . 2009-08-18 22:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2010-07-08 15:39 . 2010-07-08 15:39 240 ----a-w- c:\windows\system32\drivers\kgpcpy.cfg
2010-07-08 15:25 . 2010-07-08 15:25 -------- d-----w- c:\program files\Common Files\iS3
2010-07-08 11:34 . 2010-02-14 11:40 -------- d-----w- c:\program files\Microsoft Silverlight
2010-07-08 11:33 . 2010-07-08 11:33 436236 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\WPFFontCache_v0400-S-1-5-21-1451323331-2558171538-937877858-1004-0.dat
2010-07-08 11:33 . 2010-07-08 11:33 312878 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\WPFFontCache_v0400-System.dat
2010-07-01 14:32 . 2010-07-01 14:32 -------- d-----w- c:\documents and settings\Owner\Application Data\Microsoft Corporation
2010-06-30 23:50 . 2010-03-12 22:11 43520 ----a-w- c:\windows\system32\CmdLineExt03.dll
2010-06-30 14:01 . 2010-06-30 13:57 188128 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\VCSExpress\10.0\1033\ResourceCache.dll
2010-06-30 14:01 . 2010-06-30 12:57 -------- d-----w- c:\program files\Microsoft Visual Studio 10.0
2010-06-30 13:59 . 2010-06-30 13:59 -------- d-----w- c:\program files\Microsoft SQL Server
2010-06-30 13:07 . 2010-06-30 13:07 -------- d-----w- c:\program files\Microsoft Synchronization Services
2010-06-30 13:07 . 2010-06-30 13:07 -------- d-----w- c:\program files\Microsoft SQL Server Compact Edition
2010-06-30 13:04 . 2010-06-30 13:04 112832 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\VCExpress\10.0\1033\ResourceCache.dll
2010-06-30 12:59 . 2010-06-30 11:28 -------- d-----w- c:\program files\Microsoft.NET
2010-06-30 12:57 . 2010-06-30 12:57 -------- d-----w- c:\program files\Microsoft SDKs
2010-06-30 12:57 . 2010-06-30 12:57 -------- d-----w- c:\program files\Microsoft Help Viewer
2010-06-30 12:57 . 2010-06-30 12:57 -------- d-----w- c:\program files\Common Files\Merge Modules
2010-06-30 12:57 . 2009-05-29 02:08 -------- d-----w- c:\program files\MSBuild
2010-06-30 00:32 . 2010-06-30 00:32 -------- d-----w- c:\documents and settings\Owner\Application Data\OpenOffice.org
2010-06-27 22:47 . 2010-05-09 17:39 -------- d-----w- c:\documents and settings\Owner\Application Data\vlc
2010-06-19 17:27 . 2010-06-19 17:27 -------- d-----w- c:\program files\Bonjour
2010-06-02 14:54 . 2009-01-03 21:07 -------- d-----w- c:\documents and settings\Owner\Application Data\gtk-2.0
2010-05-23 16:54 . 2010-05-23 16:54 61440 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-254e6b4b-n\decora-sse.dll
2010-05-23 16:54 . 2010-05-23 16:54 503808 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-352192fa-n\msvcp71.dll
2010-05-23 16:54 . 2010-05-23 16:54 499712 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-352192fa-n\jmc.dll
2010-05-23 16:54 . 2010-05-23 16:54 348160 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-352192fa-n\msvcr71.dll
2010-05-23 16:54 . 2010-05-23 16:54 12800 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-254e6b4b-n\decora-d3d.dll
2010-05-21 18:14 . 2010-07-11 23:00 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-05-18 20:35 . 2010-05-18 20:35 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-05-18 20:35 . 2010-05-18 20:35 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-05-06 10:41 . 2004-12-07 21:37 916480 ----a-w- c:\windows\system32\wininet.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2010-06-01 5252408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LTMSG"="LTMSG.exe 7" [X]
"BluetoothAuthenticationAgent"="irprops.cpl" [2008-04-14 380416]
"SoundMAXPnP"="c:\program files\Analog Devices\SoundMAX\SMax4PNP.exe" [2003-03-21 774144]
"RoxioEngineUtility"="c:\program files\Common Files\Roxio Shared\System\EngUtil.exe" [2003-05-01 65536]
"RoxioDragToDisc"="c:\program files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe" [2003-06-25 868352]
"RoxioAudioCentral"="c:\program files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe" [2003-06-24 319488]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-16 13529088]
"nwiz"="nwiz.exe" [2008-05-16 1630208]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-03-17 47392]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2008-06-10 1406024]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-05-16 86016]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-09-20 198160]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2009-07-07 1848648]
"CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2008-12-12 722256]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-18 421888]
"Start WingMan Profiler"="c:\program files\Logitech\Gaming Software\LWEMon.exe" [2009-09-17 153608]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-03-02 282792]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-03 866584]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-07-21 141608]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"NvMediaCenter"="c:\windows\System32\NVMCTRAY.DLL" [2008-05-16 86016]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\ftp.exe"=
"c:\\Program Files\\Savings Bond Wizard\\SBWizard.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\SecondLife\\SLVoice.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Microsoft Games\\Age of Empires\\EMPIRES.EXE"=
"c:\\Program Files\\Microsoft Games\\Age of Empires II\\EMPIRES2.ICD"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\spoolsv.exe"=
"c:\\Program Files\\Syslog Watcher 2\\SyslogWatcherPers.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=
"c:\\Program Files\\Malwarebytes' Anti-Malware\\mbamgui.exe"=
"c:\\Program Files\\Malwarebytes' Anti-Malware\\mbamservice.exe"=
"c:\\Program Files\\Malwarebytes' Anti-Malware\\zlib.dll"=
"c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.dll"=
"c:\\Program Files\\Malwarebytes' Anti-Malware\\mbamext.dll"=
"c:\\Documents and Settings\\All Users\\Application Data\\Malwarebytes\\Malwarebytes' Anti-Malware\\rules.ref"=
"c:\\WINDOWS\\system32\\drivers\\mbam.sys"=
"c:\\WINDOWS\\system32\\drivers\\mbamswissarmy.sys"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009

R1 1UnHooker;1UnHooker;c:\windows\system32\drivers\1UnHooker.sys [3/2/2010 10:15 PM 22016]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [7/9/2010 5:33 PM 135336]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]
S2 KillTheHooker;KillTheHooker;\??\d:\tdl3 razor\TizerBruteForceEx.sys --> d:\tdl3 razor\TizerBruteForceEx.sys [?]
S3 DNSFILT;DNSFILT;\??\c:\windows\system32\Drivers\DNSFILT.SYS --> c:\windows\system32\Drivers\DNSFILT.SYS [?]
S3 FWFILT;FWFILT;\??\c:\windows\system32\Drivers\FWFILT.SYS --> c:\windows\system32\Drivers\FWFILT.SYS [?]
S3 HPZs2k12;Storage Class Driver for IEEE-1284.4 (HPZ12);c:\windows\system32\drivers\hpzs2k12.sys [11/23/2003 5:07 PM 50424]
S3 HTTPFILT;HTTPFILT;\??\c:\windows\system32\Drivers\HTTPFILT.SYS --> c:\windows\system32\Drivers\HTTPFILT.SYS [?]
S3 Revoflt;Revoflt;c:\windows\system32\drivers\revoflt.sys [7/9/2010 7:26 PM 27064]
S3 SYMFILT;SYMFILT;\??\c:\windows\system32\Drivers\SYMFILT.SYS --> c:\windows\system32\Drivers\SYMFILT.SYS [?]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]
.
Contents of the 'Scheduled Tasks' folder

2010-07-31 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2009-01-02 c:\windows\Tasks\Microsoft_Hardware_Launch_IPoint_exe.job
- c:\program files\Microsoft IntelliPoint\ipoint.exe [2008-06-10 17:56]

2010-08-01 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 23:20]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com
mStart Page = hxxp://www.yahoo.com
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = <local>
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
Trusted Zone: cmphotocenter.com\www
Name-Space Handler: ftp\* - {419A0123-4312-1122-A0C0-434FDA6DA542} - c:\program files\CoreFTP\pftpns.dll
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: vzTCPConfig - hxxps://essentialsandextras.verizon.com/whatsnext/mainweb_js/vzTCPConfig.CAB
DPF: {C915801D-6F00-49CD-8A9A-8DE5C11ADDC1} - hxxp://www.cmphotocenter.com/is/DragDropUploader.cab
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\gtu1xqnu.default\
FF - prefs.js: browser.search.defaulturl - hxxp://aim.search.aol.com/aol/search?query={searchTerms}&invocationType=tb50-ff-aim-chromesbox-en-us&tb_uuid=100000000000000002&tb_oid=23-07-2010&tb_mrud=23-07-2010
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - prefs.js: network.proxy.type - 0
FF - component: c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\gtu1xqnu.default\extensions\{6e098d65-7d2d-46d4-ada0-2f882a29f795}\platform\WINNT_x86-msvc\components\libchm.dll
FF - component: c:\program files\Real\RealPlayer\browserrecord\firefox\ext\components\nprpffbrowserrecordext.dll
FF - plugin: c:\documents and settings\Owner\Application Data\Facebook\npfbplugin_1_0_1.dll
FF - plugin: c:\documents and settings\Owner\Application Data\Move Networks\plugins\npqmp071503000010.dll
FF - plugin: c:\documents and settings\Owner\Application Data\Move Networks\plugins\npqmp071705000014.dll
FF - plugin: c:\program files\Canon\Easy-PhotoPrint EX\NPEZFFPI.DLL
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npyaxmpb.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
FF - HiddenExtension: XULRunner: {3DABE8F6-36A7-4769-81C2-0250D4118676} - c:\documents and settings\Owner\Local Settings\Application Data\{3DABE8F6-36A7-4769-81C2-0250D4118676}

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true);user_pref(yahoo.ytff.general.dontshowhpoffer, true);user_pref(network.protocol-handler.warn-external.dnupdate, false);user_pref(network.protocol-handler.warn-external.dnupdate, falsec:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-08-01 05:10
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\atapi]
"ImagePath"=multi:"system32\drivers\atapi.sys\00\00ImagePath\00AppInit_DLLs\00\00"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\atapi]
"ImagePath"=multi:"system32\drivers\atapi.sys\00\00ImagePath\00AppInit_DLLs\00\00"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2744)
c:\windows\system32\WININET.dll
c:\windows\system32\nview.dll
c:\progra~1\WINDOW~1\wmpband.dll
c:\windows\system32\msi.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Avira\AntiVir Desktop\avshadow.exe
c:\program files\Canon\IJPLM\IJPLMSVC.EXE
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\windows\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPZipm12.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\program files\Analog Devices\SoundMAX\SMAgent.exe
c:\windows\system32\MsPMSPSv.exe
c:\program files\Windows Media Player\WMPNetwk.exe
c:\windows\LTMSG.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\RUNDLL32.EXE
c:\program files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
c:\program files\Microsoft IntelliPoint\dpupdchk.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Yahoo!\Messenger\ymsgr_tray.exe
.
**************************************************************************
.
Completion time: 2010-08-01 05:26:49 - machine was rebooted
ComboFix-quarantined-files.txt 2010-08-01 09:26
ComboFix2.txt 2010-07-29 21:45
ComboFix3.txt 2010-07-29 03:04

Pre-Run: 52,405,616,640 bytes free
Post-Run: 52,423,376,896 bytes free

- - End Of File - - C55A05D0B0AA65CAA8748CF2F9398273

Now the DDS.txt:


DDS (Ver_10-03-17.01) - NTFSx86
Run by Owner at 5:51:21.10 on Sun 08/01/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_21
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3071.2502 [GMT -4:00]

AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\WINDOWS\LTMSG.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Logitech\Gaming Software\LWEMon.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
c:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPZipm12.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\Owner\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com
mStart Page = hxxp://www.yahoo.com
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = <local>
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [Messenger (Yahoo!)] "c:\program files\yahoo!\messenger\YahooMessenger.exe" -quiet
mRun: [BluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
mRun: [SoundMAXPnP] c:\program files\analog devices\soundmax\SMax4PNP.exe
mRun: [RoxioEngineUtility] "c:\program files\common files\roxio shared\system\EngUtil.exe"
mRun: [RoxioDragToDisc] "c:\program files\roxio\easy cd creator 6\dragtodisc\DrgToDsc.exe"
mRun: [RoxioAudioCentral] "c:\program files\roxio\easy cd creator 6\audiocentral\RxMon.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [LTMSG] LTMSG.exe 7
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [CanonMyPrinter] c:\program files\canon\myprinter\BJMyPrt.exe /logon
mRun: [CanonSolutionMenu] c:\program files\canon\solutionmenu\CNSLMAIN.exe /logon
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [Start WingMan Profiler] c:\program files\logitech\gaming software\LWEMon.exe /noui
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
dRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NVMCTRAY.DLL,NvTaskbarInit
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: cmphotocenter.com\www
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: vzTCPConfig - hxxps://essentialsandextras.verizon.com/whatsnext/mainweb_js/vzTCPConfig.CAB
DPF: {01113300-3E00-11D2-8470-0060089874ED} - hxxps://activatemyfios.verizon.net/sdcCommon/download/FIOS/Verizon%20FiOS%20Installer.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {1851174C-97BD-4217-A0CC-E908F60D5B7A} - hxxps://h50203.www5.hp.com/HPISWeb/Customer/cabs/HPISDataManager.CAB
DPF: {33415AC7-AFFA-4D55-B41C-C64C0D07DFCA} - hxxp://h50203.www5.hp.com/HPISWeb/Customer/cabs/HPISWebManager.CAB
DPF: {34F12AFD-E9B5-492A-85D2-40FA4535BE83} - hxxp://www.symantec.com/techsupp/activedata/nprdtinf.cab
DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc3.cab
DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} - hxxps://www-secure.symantec.com/techsupp/asa/ss/sa/sa_cabs/tgctlsr.cab
DPF: {60EFC337-15C2-4369-B2A0-3429B071D8B8} - hxxp://h50203.www5.hp.com/HPISWeb/Customer/cabs/HPISWebManager.CAB
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1111145944343
DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} - hxxps://webdl.symantec.com/activex/symdlmgr.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1147826590435
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {C915801D-6F00-49CD-8A9A-8DE5C11ADDC1} - hxxp://www.cmphotocenter.com/is/DragDropUploader.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
Name-Space Handler: ftp\* - {419A0123-4312-1122-A0C0-434FDA6DA542} - c:\program files\coreftp\pftpns.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\gtu1xqnu.default\
FF - prefs.js: browser.search.defaulturl - hxxp://aim.search.aol.com/aol/search?query={searchTerms}&invocationType=tb50-ff-aim-chromesbox-en-us&tb_uuid=100000000000000002&tb_oid=23-07-2010&tb_mrud=23-07-2010
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - prefs.js: network.proxy.type - 0
FF - component: c:\documents and settings\owner\application data\mozilla\firefox\profiles\gtu1xqnu.default\extensions\{6e098d65-7d2d-46d4-ada0-2f882a29f795}\platform\winnt_x86-msvc\components\libchm.dll
FF - component: c:\program files\real\realplayer\browserrecord\firefox\ext\components\nprpffbrowserrecordext.dll
FF - plugin: c:\documents and settings\owner\application data\facebook\npfbplugin_1_0_1.dll
FF - plugin: c:\documents and settings\owner\application data\move networks\plugins\npqmp071503000010.dll
FF - plugin: c:\documents and settings\owner\application data\move networks\plugins\npqmp071705000014.dll
FF - plugin: c:\program files\canon\easy-photoprint ex\NPEZFFPI.DLL
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npyaxmpb.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: XULRunner: {3DABE8F6-36A7-4769-81C2-0250D4118676} - c:\documents and settings\owner\local settings\application data\{3DABE8F6-36A7-4769-81C2-0250D4118676}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true);user_pref(yahoo.ytff.general.dontshowhpoffer, true);user_pref(network.protocol-handler.warn-external.dnupdate, false);user_pref(network.protocol-handler.warn-external.dnupdate, false
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 1UnHooker;1UnHooker;c:\windows\system32\drivers\1UnHooker.sys [2010-3-2 22016]
R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2010-7-9 11608]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2010-7-9 135336]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2010-7-9 267432]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2010-7-9 60936]
R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 KillTheHooker;KillTheHooker;\??\d:\tdl3 razor\tizerbruteforceex.sys --> d:\tdl3 razor\TizerBruteForceEx.sys [?]
S3 DNSFILT;DNSFILT;\??\c:\windows\system32\drivers\dnsfilt.sys --> c:\windows\system32\drivers\DNSFILT.SYS [?]
S3 FWFILT;FWFILT;\??\c:\windows\system32\drivers\fwfilt.sys --> c:\windows\system32\drivers\FWFILT.SYS [?]
S3 HPZs2k12;Storage Class Driver for IEEE-1284.4 (HPZ12);c:\windows\system32\drivers\hpzs2k12.sys [2003-11-23 50424]
S3 HTTPFILT;HTTPFILT;\??\c:\windows\system32\drivers\httpfilt.sys --> c:\windows\system32\drivers\HTTPFILT.SYS [?]
S3 Revoflt;Revoflt;c:\windows\system32\drivers\revoflt.sys [2010-7-9 27064]
S3 SYMFILT;SYMFILT;\??\c:\windows\system32\drivers\symfilt.sys --> c:\windows\system32\drivers\SYMFILT.SYS [?]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]

=============== Created Last 30 ================

2010-08-01 09:49:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-08-01 09:49:03 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-08-01 09:49:03 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-07-30 00:33:59 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll
2010-07-29 02:31:18 0 d-sha-r- C:\cmdcons
2010-07-29 02:25:58 98816 ----a-w- c:\windows\sed.exe
2010-07-29 02:25:58 77312 ----a-w- c:\windows\MBR.exe
2010-07-29 02:25:58 256512 ----a-w- c:\windows\PEV.exe
2010-07-29 02:25:58 161792 ----a-w- c:\windows\SWREG.exe
2010-07-28 15:46:17 0 d-----w- c:\program files\Sun
2010-07-28 15:45:38 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-07-23 16:52:12 0 d-----w- c:\program files\common files\AOL
2010-07-23 16:51:32 361 ---ha-w- C:\IPH.PH
2010-07-21 16:36:06 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2010-07-21 03:50:27 4197240 ----a-w- c:\windows\pfirewall.log.old
2010-07-19 11:59:13 0 d-----w- c:\docume~1\owner\applic~1\Uniblue
2010-07-19 01:49:24 0 d-----w- c:\program files\Spybot - Search & Destroy
2010-07-19 01:49:24 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2010-07-13 18:15:00 0 d-----w- c:\docume~1\owner\applic~1\Chaos Software
2010-07-13 18:15:00 0 d-----w- c:\docume~1\alluse~1\applic~1\Chaos Software
2010-07-12 19:06:07 0 d-----w- c:\program files\CCleaner
2010-07-12 11:22:20 0 d-----w- c:\docume~1\owner\applic~1\Malwarebytes
2010-07-12 11:22:02 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-07-11 23:00:32 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-07-11 22:53:14 116224 -c--a-w- c:\windows\system32\dllcache\xrxwiadr.dll
2010-07-11 22:53:13 23040 -c--a-w- c:\windows\system32\dllcache\xrxwbtmp.dll
2010-07-11 22:53:12 27648 -c--a-w- c:\windows\system32\dllcache\xrxftplt.exe
2010-07-11 22:53:12 18944 -c--a-w- c:\windows\system32\dllcache\xrxscnui.dll
2010-07-11 22:53:11 4608 -c--a-w- c:\windows\system32\dllcache\xrxflnch.exe
2010-07-11 22:52:36 99865 -c--a-w- c:\windows\system32\dllcache\xlog.exe
2010-07-11 22:52:35 28288 -c--a-w- c:\windows\system32\dllcache\xjis.nls
2010-07-11 22:52:35 16970 -c--a-w- c:\windows\system32\dllcache\xem336n5.sys
2010-07-11 22:52:32 19455 -c--a-w- c:\windows\system32\dllcache\wvchntxx.sys
2010-07-11 22:52:24 12063 -c--a-w- c:\windows\system32\dllcache\wsiintxx.sys
2010-07-11 22:52:22 8192 -c--a-w- c:\windows\system32\dllcache\wshirda.dll
2010-07-11 22:51:30 8832 -c--a-w- c:\windows\system32\dllcache\wmiacpi.sys
2010-07-11 22:51:24 34890 -c--a-w- c:\windows\system32\dllcache\wlandrv2.sys
2010-07-11 22:51:24 154624 -c--a-w- c:\windows\system32\dllcache\wlluc48.sys
2010-07-11 22:51:15 771581 -c--a-w- c:\windows\system32\dllcache\winacisa.sys
2010-07-11 22:51:09 87040 -c--a-w- c:\windows\system32\dllcache\wiafbdrv.dll
2010-07-11 22:51:09 53760 -c--a-w- c:\windows\system32\dllcache\wiamsmud.dll
2010-07-11 22:51:05 701386 -c--a-w- c:\windows\system32\dllcache\wdhaalba.sys
2010-07-11 22:51:04 23615 -c--a-w- c:\windows\system32\dllcache\wch7xxnt.sys
2010-07-11 22:51:02 35871 -c--a-w- c:\windows\system32\dllcache\wbfirdma.sys
2010-07-11 22:51:02 31744 -c--a-w- c:\windows\system32\dllcache\wceusbsh.sys
2010-07-11 22:49:57 4992 -c--a-w- c:\windows\system32\dllcache\toside.sys
2010-07-11 22:48:59 6784 -c--a-w- c:\windows\system32\dllcache\smbhc.sys
2010-07-11 22:47:57 75392 -c--a-w- c:\windows\system32\dllcache\s3savmxm.sys
2010-07-11 22:46:59 83748 -c--a-w- c:\windows\system32\dllcache\prcp.nls
2010-07-11 22:45:49 51552 -c--a-w- c:\windows\system32\dllcache\ntgrip.sys
2010-07-11 22:44:58 49024 -c--a-w- c:\windows\system32\dllcache\mstape.sys
2010-07-11 22:44:55 12416 -c--a-w- c:\windows\system32\dllcache\msriffwv.sys
2010-07-11 22:44:46 2944 -c--a-w- c:\windows\system32\dllcache\msmpu401.sys
2010-07-11 22:44:44 22016 -c--a-w- c:\windows\system32\dllcache\msircomm.sys
2010-07-11 22:44:43 98304 -c--a-w- c:\windows\system32\dllcache\msir3jp.dll
2010-07-11 22:44:43 1875968 -c--a-w- c:\windows\system32\dllcache\msir3jp.lex
2010-07-11 22:44:20 35200 -c--a-w- c:\windows\system32\dllcache\msgame.sys
2010-07-11 22:44:18 6016 -c--a-w- c:\windows\system32\dllcache\msfsio.sys
2010-07-11 22:44:10 17280 -c--a-w- c:\windows\system32\dllcache\mraid35x.sys
2010-07-11 22:42:45 6144 -c--a-w- c:\windows\system32\dllcache\kbd106.dll
2010-07-11 22:41:58 372824 -c--a-w- c:\windows\system32\dllcache\iconf32.dll
2010-07-11 22:40:59 36864 -c--a-w- c:\windows\system32\dllcache\hanjadic.dll
2010-07-11 22:39:59 347550 -c--a-w- c:\windows\system32\dllcache\es56tpi.sys
2010-07-11 22:38:58 419357 -c--a-w- c:\windows\system32\dllcache\dgconfig.dll
2010-07-11 22:37:59 838144 -c--a-w- c:\windows\system32\dllcache\chtbrkr.dll
2010-07-11 22:36:59 32256 -c--a-w- c:\windows\system32\dllcache\brmfrsmg.exe
2010-07-11 22:35:59 24576 -c--a-w- c:\windows\system32\dllcache\agcgauge.ax
2010-07-11 22:34:58 66048 -c--a-w- c:\windows\system32\dllcache\s3legacy.dll
2010-07-11 20:30:07 42 ----a-w- c:\windows\system32\AK083E209605E394C.lie
2010-07-11 02:38:05 0 d-----w- c:\windows\E80F62FF5D3C4A1984099721F2928206.TMP
2010-07-11 02:37:51 0 d-----w- c:\docume~1\owner\applic~1\Avira
2010-07-09 23:26:41 27064 ----a-w- c:\windows\system32\drivers\revoflt.sys
2010-07-09 23:26:34 0 d-----w- c:\program files\VS Revo Group
2010-07-09 21:33:19 60936 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-07-09 21:33:16 0 d-----w- c:\docume~1\alluse~1\applic~1\Avira
2010-07-09 21:33:15 0 d-----w- c:\program files\Avira
2010-07-09 05:35:05 552 ----a-w- c:\windows\system32\d3d8caps.dat
2010-07-09 05:35:04 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-07-08 15:39:51 4448 ----a-w- c:\windows\system32\drivers\kgpfr2.cfg
2010-07-08 15:39:49 240 ----a-w- c:\windows\system32\drivers\kgpcpy.cfg
2010-07-08 15:28:03 0 d-----w- c:\docume~1\alluse~1\applic~1\SITEguard
2010-07-08 15:25:25 0 d-----w- c:\program files\common files\iS3
2010-07-08 15:25:24 0 d-----w- c:\docume~1\alluse~1\applic~1\STOPzilla!
2010-07-02 13:39:09 82696 ----a-w- c:\windows\system32\lmdimon8.dll
2010-07-02 13:37:32 0 d-----w- c:\docume~1\alluse~1\applic~1\Applications

==================== Find3M ====================

2010-07-28 15:44:54 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-07-09 13:24:03 36352 ----a-w- c:\windows\system32\drivers\disk.sys
2010-06-30 23:50:39 43520 ----a-w- c:\windows\system32\CmdLineExt03.dll
2010-05-18 20:35:16 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-05-18 20:35:16 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-05-06 10:41:53 916480 ----a-w- c:\windows\system32\wininet.dll
2008-09-02 03:08:53 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008090120080902\index.dat

============= FINISH: 5:52:45.60 ===============
