
Redirecting in Firefox


  • This topic is locked
89 replies to this topic

#1 OhSht

OhSht

  • Members
  • 64 posts
  • OFFLINE
  • Local time:05:35 PM

Posted 09 September 2010 - 06:07 PM

DDS (Ver_10-03-17.01) - NTFSx86
Run by Administrator at 17:14:01.62 on Fri 09/10/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_17
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3582.2777 [GMT -5:00]


============== Running Processes ===============

C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe
C:\Program Files\Linksys\Linksys Wireless Manager\LinksysWirelessManager.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Pando Networks\Media Booster\PMB.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\Program Files\Mozilla Firefox\firefox.exe
svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Documents and Settings\Administrator\Desktop\dds.scr
C:\WINDOWS\system32\wuauclt.exe

============== Pseudo HJT Report ===============

uStart Page = about:blank
uSearch Page =
uSearch Bar =
uInternet Settings,ProxyOverride = <local>;*.local
uInternet Settings,ProxyServer = http=127.0.0.1:6522
mSearchAssistant =
uURLSearchHooks: XfireXO Toolbar: {5e5ab302-7f65-44cd-8211-c1d4caaccea3} - c:\program files\xfirexo\tbXfir.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: XfireXO Toolbar: {5e5ab302-7f65-44cd-8211-c1d4caaccea3} - c:\program files\xfirexo\tbXfir.dll
BHO: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
TB: XfireXO Toolbar: {5e5ab302-7f65-44cd-8211-c1d4caaccea3} - c:\program files\xfirexo\tbXfir.dll
TB: DAEMON Tools Toolbar: {32099aac-c132-4136-9e9a-4e364a424e17} - c:\program files\daemon tools toolbar\DTToolbar.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Pando Media Booster] c:\program files\pando networks\media booster\PMB.exe
uRun: [AdobeBridge]
uRun: [uTorrent] "c:\program files\utorrent\uTorrent.exe"
uRun: [XBV6RD5SZF] c:\docume~1\admini~1\locals~1\temp\Nlm.exe
uRun: [snffjjfq] c:\documents and settings\administrator\local settings\application data\ekuxwlwvu\khylmllshdw.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nmctxth] "c:\program files\common files\pure networks shared\platform\nmctxth.exe"
mRun: [Linksys Wireless Manager] "c:\program files\linksys\linksys wireless manager\LinksysWirelessManager.exe" /cm /min /lcid 1033
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [nwiz] c:\program files\nvidia corporation\nview\nwiz.exe /installquiet
mRun: [QuickTime Task] "c:\program files\quicktime alternative\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
dRunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N
uExplorerRun: [Policies] c:\windows\main\explorer.exe
mExplorerRun: [Policies] c:\windows\main\explorer.exe
StartupFolder: c:\docume~1\admini~1\startm~1\programs\startup\ccleaner.lnk - c:\program files\ccleaner\CCleaner.exe
uPolicies-explorer: NoResolveTrack = 1 (0x1)
uPolicies-explorer: NoSMMyPictures = 1 (0x1)
uPolicies-explorer: NoSMConfigurePrograms = 1 (0x1)
uPolicies-explorer: NoWinKeys = 1 (0x1)
mPolicies-explorer: NoDesktopCleanupWizard = 1 (0x1)
dPolicies-explorer: NoSMHelp = 1 (0x1)
dPolicies-explorer: ForceClassicControlPanel = 1 (0x1)
dPolicies-explorer: NoResolveTrack = 1 (0x1)
dPolicies-explorer: NoSMMyPictures = 1 (0x1)
dPolicies-explorer: NoSMConfigurePrograms = 1 (0x1)
IE: &Search
IE: Free YouTube Download - c:\documents and settings\administrator\application data\dvdvideosoftiehelpers\youtubedownload.htm
IE: Free YouTube to Mp3 Converter - c:\documents and settings\administrator\application data\dvdvideosoftiehelpers\youtubetomp3.htm
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
TCP: NameServer = 93.188.164.80,93.188.166.230
TCP: {10301342-E6FD-4ECF-84E0-06C51AC2B05F} = 93.188.164.80,93.188.166.230
TCP: {85E7F6A8-BC42-4479-B265-C10FF1EB4522} = 93.188.164.80,93.188.166.230
Handler: pure-go - {4746C79A-2042-4332-8650-48966E44ABA8} - c:\program files\common files\pure networks shared\platform\puresp4.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\wpdshserviceobj.dll
mASetup: {5BDF2CBF-A6C2-D3DA-FAB0-EBBFFEFBA022} - c:\documents and settings\administrator\application data\Svchost.exe
mASetup: {BC9BC0CF-DCCB-C4CB-D6AE-ACF0FF61D16D} - c:\documents and settings\administrator\application data\winlogon.exe
uASetup: {5BDF2CBF-A6C2-D3DA-FAB0-EBBFFEFBA022} - c:\documents and settings\administrator\application data\Svchost.exe
uASetup: {BC9BC0CF-DCCB-C4CB-D6AE-ACF0FF61D16D} - c:\documents and settings\administrator\application data\winlogon.exe

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\5lvwquy8.default\
FF - prefs.js: browser.search.selectedEngine - MyWebSearch
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://bing.zugo.com/s/?src=FF-Address&site=Bing&cfg=2-80-0-CRTm&q=
FF - prefs.js: network.proxy.type - 0
FF - component: c:\documents and settings\administrator\application data\mozilla\firefox\profiles\5lvwquy8.default\extensions\{5e5ab302-7f65-44cd-8211-c1d4caaccea3}\components\FFExternalAlert.dll
FF - component: c:\documents and settings\administrator\application data\mozilla\firefox\profiles\5lvwquy8.default\extensions\{5e5ab302-7f65-44cd-8211-c1d4caaccea3}\components\RadioWMPCore.dll
FF - component: c:\documents and settings\administrator\application data\mozilla\firefox\profiles\5lvwquy8.default\extensions\dttoolbar@toolbarnet.com\components\DTToolbarFF.dll
FF - plugin: c:\documents and settings\administrator\application data\move networks\plugins\npqmp071705000014.dll
FF - plugin: c:\documents and settings\administrator\local settings\application data\yahoo!\browserplus\2.9.8\plugins\npybrowserplus_2.9.8.dll
FF - plugin: c:\documents and settings\all users\application data\nexonus\ngm\npNxGameUS.dll
FF - plugin: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\mozillaplugins\nprphtml5videoshim.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npijjiautoinstallpluginff.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npPandoWebInst.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: google.toolbar.linkdoctor.enabled - false
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 oreans32;oreans32;c:\windows\system32\drivers\oreans32.sys [2010-4-1 33824]
R2 EAPPkt;Realtek EAPPkt Protocol;c:\windows\system32\drivers\EAPPkt.sys [2007-10-9 38144]
R3 RT80x86;Linksys WPC600N/WMP600N Wireless-N Card Driver;c:\windows\system32\drivers\rt2860.sys [2010-4-5 712704]
S0 nielprt;Nielsen Patch Service;c:\windows\system32\drivers\nielprt.sys --> c:\windows\system32\drivers\nielprt.sys [?]
S2 MyWebSearchService;My Web Search Service;c:\progra~1\mywebs~1\bar\1.bin\mwssvc.exe --> c:\progra~1\mywebs~1\bar\1.bin\mwssvc.exe [?]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2009-12-17 1684736]
S3 NielGfx;Nielsen USB GFX;c:\windows\system32\drivers\nielgfx.sys --> c:\windows\system32\drivers\nielgfx.sys [?]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\gamemon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 RTL8187B;NETGEAR WG111v3 Wireless-G USB Adapter Vista Driver;c:\windows\system32\drivers\wg111v3.sys [2009-7-31 341504]
S3 XDva337;XDva337;\??\c:\windows\system32\xdva337.sys --> c:\windows\system32\XDva337.sys [?]
S3 XDva359;XDva359;\??\c:\windows\system32\xdva359.sys --> c:\windows\system32\XDva359.sys [?]
S3 XDva362;XDva362;\??\c:\windows\system32\xdva362.sys --> c:\windows\system32\XDva362.sys [?]

=============== Created Last 30 ================

2010-09-10 22:11:06 176 ----a-w- c:\documents and settings\administrator\defogger_reenable
2010-09-08 21:18:39 0 d-----w- c:\docume~1\admini~1\applic~1\DVDVideoSoftIEHelpers
2010-09-08 21:18:19 0 d-----w- c:\program files\common files\DVDVideoSoft
2010-09-08 20:24:50 2 ----a-w- c:\windows\system32\config.nt
2010-09-08 20:24:40 0 d-----w- c:\docume~1\alluse~1\applic~1\Alwil Software
2010-09-08 19:24:44 0 d-----w- c:\program files\VirtualDJ
2010-08-24 13:58:30 0 d-----w- c:\program files\iPod
2010-08-24 13:58:28 0 d-----w- c:\docume~1\alluse~1\applic~1\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-08-24 13:56:10 0 d-----w- c:\program files\Bonjour
2010-08-24 10:22:18 0 d-----w- c:\docume~1\admini~1\applic~1\AVS4YOU
2010-08-24 10:21:36 0 d-----w- c:\program files\common files\AVSMedia
2010-08-24 10:21:33 974848 ----a-w- c:\windows\system32\mfc70.dll
2010-08-24 10:21:33 487424 ----a-w- c:\windows\system32\msvcp70.dll
2010-08-24 10:21:33 344064 ----a-w- c:\windows\system32\msvcr70.dll
2010-08-24 10:21:33 24576 ----a-w- c:\windows\system32\msxml3a.dll
2010-08-24 10:21:33 1700352 ----a-w- c:\windows\system32\GdiPlus.dll
2010-08-24 10:21:33 0 d-----w- c:\program files\AVS4YOU
2010-08-24 10:21:33 0 d-----w- c:\docume~1\alluse~1\applic~1\AVS4YOU
2010-08-24 10:14:07 0 d-----w- c:\program files\OJOsoft
2010-08-24 10:14:07 0 d-----w- c:\program files\common files\Common Share
2010-08-24 09:50:05 0 d-----w- C:\ijji
2010-08-20 20:14:02 197120 ----a-w- c:\windows\Nfokob.exe
2010-08-20 20:05:35 36868 ----a-w- c:\program files\uninst-SoundKeys.exe
2010-08-20 20:02:51 197120 ----a-w- c:\windows\Nfokoa.exe
2010-08-20 20:02:32 75776 --sha-r- c:\windows\system32\ipsecsvc7.dll
2010-08-20 07:32:08 0 d-----w- c:\docume~1\admini~1\applic~1\TS3Client
2010-08-20 07:32:00 0 d-----w- c:\program files\TeamSpeak 3 Client
2010-08-18 20:27:57 0 d-----w- c:\docume~1\admini~1\applic~1\Petroglyph
2010-08-18 19:27:16 0 d-----w- c:\program files\DAEMON Tools Toolbar
2010-08-18 19:27:10 0 d-----w- c:\program files\DAEMON Tools Lite
2010-08-18 17:21:09 0 d-----w- c:\docume~1\alluse~1\applic~1\DAEMON Tools Net
2010-08-18 17:21:06 0 d-----w- c:\docume~1\admini~1\applic~1\DAEMON Tools Net
2010-08-18 01:37:15 98304 ----a-w- c:\windows\system32\CmdLineExt.dll

==================== Find3M ====================

2010-08-18 17:21:28 445936 ----a-w- c:\windows\system32\drivers\sptd.sys
2010-08-18 02:53:54 50748 ---ha-w- c:\windows\system32\mlfcache.dat
2010-08-12 20:09:42 22328 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2010-08-12 20:09:35 103736 ----a-w- c:\windows\system32\PnkBstrB.exe
2010-07-09 19:04:40 41872 ----a-w- c:\windows\system32\xfcodec.dll
2009-08-14 02:19:56 73728 ----a-w- c:\windows\inf\wg111v3\win7x64\SetVistaDrv64.exe
2009-07-31 20:12:18 341504 ----a-w- c:\windows\inf\wg111v3\wg111v3.sys
2009-07-20 23:20:04 65536 ----a-w- c:\windows\inf\wg111v3\win7x86\SetVistaDrv.exe
2009-06-03 15:36:22 74752 ----a-w- c:\windows\inf\wg111v3\SetDrv64.exe
2009-06-03 15:30:26 49152 ----a-w- c:\windows\inf\wg111v3\SetDrv.exe
2009-04-01 14:49:14 57344 ----a-w- c:\windows\inf\wg111v3\SetVistaDrv.exe
2008-12-12 23:13:32 512000 ----a-w- c:\windows\inf\wg111v3\win7x64\DIFxAPI.dll
2008-12-12 22:57:46 313856 ----a-w- c:\windows\inf\wg111v3\win7x86\DIFxAPI.dll
2006-12-15 16:30:36 98304 ----a-w- c:\windows\inf\wg111v3\UScanM.exe
2006-12-15 16:30:36 315392 ----a-w- c:\windows\inf\wg111v3\InstallDriver.exe
2006-12-15 16:30:36 212992 ----a-w- c:\windows\inf\wg111v3\CopyWHQLDriver.exe
2006-12-15 16:30:36 20480 ----a-w- c:\windows\inf\wg111v3\RTWUPath.exe
2006-12-15 16:30:36 19968 ----a-w- c:\windows\inf\wg111v3\RTWREFU.EXE
2006-03-16 13:24:24 49664 ----a-w- c:\windows\inf\wg111v3\devcon.exe

============= FINISH: 17:19:56.78 ===============

Attached Files
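The autostart section of the DDS log above is the part a malware-response helper reads first. As an added example (not part of this thread, and not code from DDS, HijackThis or BleepingComputer), the script below parses "Pseudo HJT Report" lines and flags the four things that stand out in this particular log: a per-user proxy pointing at 127.0.0.1, nameservers hard-set in the registry, Windows system binary names (svchost.exe, winlogon.exe, explorer.exe) living outside the Windows directory, and Run/ASetup entries that launch executables from Temp or per-user Application Data folders. The `triage` function, the `Finding` record and the heuristics are this example's own assumptions; the `SAMPLE_LOG` lines are copied from the DDS log quoted in the first post.

```python
"""Triage heuristics for the "Pseudo HJT Report" section of a DDS log.

Added example for this thread: it is not part of DDS, HijackThis or the
BleepingComputer post. The SAMPLE_LOG lines are copied from the DDS log
quoted in the first post; the heuristics are this example's own assumptions
about what a malware-response helper reads first.
"""
import re
from dataclasses import dataclass, field

# Entry kinds (lower-cased) that launch a program automatically.
AUTOSTART_KINDS = {
    "urun", "mrun", "drun", "urunonce", "mrunonce", "drunonce",
    "uasetup", "masetup", "uexplorerrun", "mexplorerrun", "startupfolder",
}
# Binaries that legitimately live only directly under the Windows directory.
SYSTEM_NAMES = {"svchost.exe", "winlogon.exe", "explorer.exe", "lsass.exe",
                "csrss.exe", "services.exe", "rundll32.exe"}
SYSTEM_DIRS = {r"c:\windows", r"c:\windows\system32", r"c:\windows\syswow64"}
# User-writable folders (long and 8.3 forms) where a legitimate autostart is rare.
USER_WRITABLE = (r"\temp\ ".strip(), r"\local settings\application data\ ".strip(),
                 r"\application data\ ".strip(), r"\locals~1\temp\ ".strip(),
                 r"\applic~1\ ".strip())

# "kind: rest" entries such as "uRun: [name] path" or "mASetup: {guid} - path".
ENTRY_RE = re.compile(r"^(?P<kind>[a-z]+):\s*(?P<rest>.*)$", re.I)
# A drive-letter path whose last component ends in an executable extension;
# components may contain spaces but never a backslash, so a path does not
# run across " - " separators into a second path on the same line.
PATH_RE = re.compile(
    r'[a-z]:\\(?:[^"\r\n\\]+\\)*[^"\r\n\\]+?\.(?:exe|dll|scr|cpl|sys)', re.I)


@dataclass
class Finding:
    kind: str          # entry kind, or "proxy" / "dns" for the settings checks
    detail: str        # the log text the finding was made on
    path: str          # executable path or server list that triggered it
    reasons: list = field(default_factory=list)


def triage(log_text: str) -> list:
    """Return one Finding per log line that matches a heuristic."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        low = line.lower()
        if not line:
            continue
        # A per-user proxy pointing at the machine itself means something
        # local is sitting between the browser and the network.
        if "proxyserver" in low and ("127.0.0.1" in low or "localhost" in low):
            findings.append(Finding("proxy", line, "",
                                    ["browser proxy set to a loopback address"]))
            continue
        # Nameservers written into the registry: confirm they belong to the
        # ISP or router before trusting name resolution on this machine.
        if low.startswith("tcp:") and "=" in line:
            servers = line.split("=", 1)[1].strip()
            findings.append(Finding("dns", line, servers,
                                    ["registry nameservers to verify against the ISP or router"]))
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue
        pm = PATH_RE.search(m.group("rest"))
        if not pm:
            continue
        path = pm.group(0)
        folder, _, name = path.lower().rpartition("\\")
        reasons = []
        if name in SYSTEM_NAMES and folder not in SYSTEM_DIRS:
            reasons.append(f"{name} outside the Windows directory")
        if m.group("kind").lower() in AUTOSTART_KINDS and \
                any(d in path.lower() for d in USER_WRITABLE):
            reasons.append("autostart executable in a user-writable folder")
        if reasons:
            findings.append(Finding(m.group("kind"), m.group("rest"), path, reasons))
    return findings


# Lines copied from the DDS log quoted in the first post of this thread.
SAMPLE_LOG = r"""
uInternet Settings,ProxyOverride = <local>;*.local
uInternet Settings,ProxyServer = http=127.0.0.1:6522
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Pando Media Booster] c:\program files\pando networks\media booster\PMB.exe
uRun: [uTorrent] "c:\program files\utorrent\uTorrent.exe"
uRun: [XBV6RD5SZF] c:\docume~1\admini~1\locals~1\temp\Nlm.exe
uRun: [snffjjfq] c:\documents and settings\administrator\local settings\application data\ekuxwlwvu\khylmllshdw.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
uExplorerRun: [Policies] c:\windows\main\explorer.exe
StartupFolder: c:\docume~1\admini~1\startm~1\programs\startup\ccleaner.lnk - c:\program files\ccleaner\CCleaner.exe
TCP: NameServer = 93.188.164.80,93.188.166.230
mASetup: {5BDF2CBF-A6C2-D3DA-FAB0-EBBFFEFBA022} - c:\documents and settings\administrator\application data\Svchost.exe
uASetup: {BC9BC0CF-DCCB-C4CB-D6AE-ACF0FF61D16D} - c:\documents and settings\administrator\application data\winlogon.exe
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind:14} {f.path or f.detail}")
        for r in f.reasons:
            print(f"{'':14}   - {r}")
```

The heuristics deliberately stay narrow: ctfmon.exe in system32, the Pando and uTorrent Run entries and the CCleaner startup shortcut pass through untouched, while the Temp and Local Settings executables, the explorer.exe under c:\windows\main and the svchost.exe/winlogon.exe copies under Application Data are each reported with the reason that fired. A DNS finding is a prompt to check the addresses against the router or ISP, not a verdict on its own.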





#2 km2357

km2357

  • Malware Response Team
  • 1,784 posts
  • OFFLINE
  • Gender:Male
  • Location:California
  • Local time:02:35 PM

Posted 15 September 2010 - 01:24 PM

Hello and welcome to Bleeping Computer.

My name is km2357 and I will be helping you to remove any infection(s) that you may have.

I will be giving you a series of instructions that need to be followed in the order in which I give them to you.

If for any reason you do not understand an instruction or are just unsure then please do not guess, simply post back with your questions/concerns and we will go through it again.

Please do not start another thread or topic, I will assist you at this thread until we solve your problems.

Lastly the fix may take several attempts and my replies may take some time but I will stick with it if you do the same.

Sorry for the delay in replying, the forum is very busy. If you still need help, please do the following:


1. Rerun DDS and post the fresh DDS and Attach.txt logs in your next post/reply.

2. Download and Run Gmer

Please download gmer.zip from Gmer and save it to your desktop.

***Please close any open programs ***

Double-click gmer.exe. The program will begin to run.

**Caution**
These types of scans can produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries unless advised by a trained Security Analyst


If possible rootkit activity is found, you will be asked if you would like to perform a full scan. Click No.

If you do not receive notice about possible rootkit activity remain on the Rootkit/Malware tab & make sure that the 'Sections' button is ticked and the 'Show All' button is unticked.
  • Click the Scan button and let the program do its work. GMER will produce a log.
  • Once the scan is complete, you may receive another notice about rootkit activity.
  • Click OK.
  • GMER will produce a log. Click on the Save button, and save the log as gmer.txt somewhere you can easily find it, such as your desktop.

DO NOT touch the PC at ALL, for whatever reason, until it has 100% completed its scan (or attempted scan, in case of some error)!

Please post the results from the GMER scan in your reply.

MalWare Removal University Master

Member of ASAP


#3 OhSht

OhSht
  • Topic Starter

  • Members
  • 64 posts
  • OFFLINE
  • Local time:05:35 PM

Posted 15 September 2010 - 04:15 PM

Okay I re-scanned.

Attached Files



#4 km2357

km2357

  • Malware Response Team
  • 1,784 posts
  • OFFLINE
  • Gender:Male
  • Location:California
  • Local time:02:35 PM

Posted 15 September 2010 - 07:06 PM

Thanks for the logs.

From now on, please post the logs I ask for normally, do not attach them unless I request for you to do so.

Your Attach.txt log shows that you have no System Restore points. Did you turn off System Restore? If you did, please turn System Restore on, if you can.


Step # 1: Download HijackThis

Download HijackThis.msi to your Desktop.
  • Doubleclick HijackThis.msi to install it.
  • By default it will install to C:\Program Files\Trend Micro\HijackThis.
  • Click on Install.
  • It will create a HijackThis icon on the desktop.


Open HijackThis (if it's not already running) and do the following:

Step # 2: Make an uninstall list using HijackThis
To access the Uninstall Manager you would do the following:

1. Start HijackThis
2. Click on the Config button
3. Click on the Misc Tools button
4. Click on the Open Uninstall Manager button.
5. Click on the Save list... button and specify where you would like to save this file. When you press the Save button, a Notepad window will open with the contents of that file. Simply copy and paste the contents of that Notepad window into your next reply.

MalWare Removal University Master

Member of ASAP


#5 OhSht

OhSht
  • Topic Starter

  • Members
  • 64 posts
  • OFFLINE
  • Local time:05:35 PM

Posted 15 September 2010 - 07:25 PM

µTorrent
3DMark06
7-Zip 9.09 beta
A.V.A
Adobe After Effects CS4
Adobe After Effects CS4 Presets
Adobe After Effects CS4 Third Party Content
Adobe AIR
Adobe AIR
Adobe Anchor Service CS4
Adobe Bridge CS4
Adobe CMaps CS4
Adobe Color - Photoshop Specific CS4
Adobe Color EU Extra Settings CS4
Adobe Color JA Extra Settings CS4
Adobe Color NA Recommended Settings CS4
Adobe Color Video Profiles AE CS4
Adobe Color Video Profiles CS CS4
Adobe Creative Suite 4 Master Collection
Adobe Creative Suite 4 Master Collection
Adobe CSI CS4
Adobe Default Language CS4
Adobe Device Central CS4
Adobe Drive CS4
Adobe Dynamiclink Support
Adobe Encore CS4 Codecs
Adobe ExtendScript Toolkit CS4
Adobe Extension Manager CS4
Adobe Flash CS4
Adobe Flash CS4 Extension - Flash Lite STI en
Adobe Flash CS4 STI-en
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Fonts All
Adobe Illustrator CS4
Adobe Linguistics CS4
Adobe Media Encoder CS4
Adobe Media Encoder CS4 Additional Exporter
Adobe Media Encoder CS4 Dolby
Adobe Media Encoder CS4 Exporter
Adobe Media Encoder CS4 Importer
Adobe Media Player
Adobe Media Player
Adobe MotionPicture Color Files CS4
Adobe Output Module
Adobe PDF Library Files CS4
Adobe Photoshop CS4
Adobe Photoshop CS4 Support
Adobe Premiere Pro CS4
Adobe Premiere Pro CS4 Functional Content
Adobe Premiere Pro CS4 Third Party Content
Adobe Reader 9.3.4
Adobe Search for Help
Adobe Service Manager Extension
Adobe Setup
Adobe Shockwave Player 11.5
Adobe Soundbooth CS4 Codecs
Adobe Type Support CS4
Adobe Update Manager CS4
Adobe WinSoft Linguistics Plugin
Adobe XMP Panels CS4
AdobeColorCommonSetCMYK
AdobeColorCommonSetRGB
Apple Application Support
Apple Mobile Device Support
Apple Software Update
Ashampoo Burning Studio 6 FREE
Audacity 1.3.12 (Unicode)
avast! Free Antivirus
Bonjour
Call of Duty® 4 - Modern Warfare™
Call of Duty® 4 - Modern Warfare™ 1.6 Patch
Call of Duty® 4 - Modern Warfare™ 1.7 Patch
CCleaner
Combat Arms
Compatibility Pack for the 2007 Office system
Connect
Cross Fire En
CrossLoop 2.60
DAEMON Tools Toolbar
Defraggler
Fraps (remove only)
Free Studio version 4.8
High-Logic FontCreator 6.1
HiJackThis
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows XP (KB961118)
ijji REACTOR
Intel® Matrix Storage Manager
iTunes
Java™ 6 Update 17
K-Lite Mega Codec Pack 5.5.1
kuler
LAME v3.98.2 for Audacity
LimeWire 5.4.6
Linksys Wireless Manager
Malwarebytes' Anti-Malware
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1
Microsoft Kernel-Mode Driver Framework Feature Pack 1.7
Microsoft Office Excel Viewer
Microsoft Office PowerPoint Viewer 2007 (English)
Microsoft Office Word Viewer 2003
Microsoft Silverlight
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Mozilla Firefox (3.6.8)
NETGEAR WG111v3 wireless USB 2.0 adapter
NVIDIA Display Control Panel
NVIDIA Drivers
NVIDIA nView Desktop Manager
NVIDIA PhysX
OGA Notifier 2.0.0048.0
ooVoo
OpenOffice.org 3.1
Pando Media Booster
PDF Settings CS4
Photoshop Camera Raw
Pixel Bender Toolkit
QuickTime
QuickTime Alternative 3.1.0
RAD Video Tools
RealPlayer
REALTEK GbE & FE Ethernet PCI-E NIC Driver
Realtek High Definition Audio Driver
RealUpgrade 1.0
Recover My Files
Security Update for Windows Internet Explorer 8 (KB976325)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB980232)
Startup Manager 2.4.2
Suite Shared Configuration CS4
TeamSpeak 3 Client
TeamViewer 5
Trapcode Particular v2
Uninstall 1.0.0.1
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 8 (KB976662)
Ventrilo Client
Virtual DJ - Atomix Productions
VLC media player 1.0.3
Windows Internet Explorer 8
WinRAR archiver
Xfire (remove only)
XfireXO Toolbar



#6 km2357

km2357

  • Malware Response Team
  • 1,784 posts
  • OFFLINE
  • Gender:Male
  • Location:California
  • Local time:02:35 PM

Posted 16 September 2010 - 01:21 PM

IMPORTANT: I notice there are signs of one or more P2P (Person to Person) File Sharing Programs on your computer.

µTorrent

LimeWire 5.4.6


I'd like you to read the Guidelines for P2P Programs where we explain why it's not a good idea to have them.

Also available here.

My recommendation is you go to Control Panel > Add/Remove Programs and uninstall the programs listed above (in red).


Step # 1: Download and Run GooredFix

Please download GooredFix from one of the locations below and save it to your Desktop
Download Mirror #1
Download Mirror #2
  • Ensure all Firefox windows are closed.
  • To run the tool, double-click it (XP), or right-click and select Run As Administrator (Vista).
  • When prompted to run the scan, click Yes.
  • GooredFix will check for infections, and then a log will appear. Please post the contents of that log in your next reply (it can also be found on your desktop, called GooredFix.txt).



Step # 2 Download and Run CKScanner.exe

Download CKScanner from here: http://downloads.malwareremoval.com/CKScanner.exe
Important - Save it to your desktop.
Doubleclick CKScanner.exe and click Search For Files.
After a very short time, when the cursor hourglass disappears, click Save List To File.
A message box will verify the file saved.
Double-click the CKFiles.txt icon on your desktop and copy/paste the contents in your next reply.



In your next post/reply, I need to see the following:

1. GooredFix Log
2. CKScanner Log

MalWare Removal University Master

Member of ASAP


#7 OhSht

OhSht
  • Topic Starter

  • Members
  • 64 posts
  • OFFLINE
  • Local time:05:35 PM

Posted 16 September 2010 - 02:08 PM

GooredFix by jpshortstuff (03.07.10.1)
Log created at 15:10 on 17/09/2010 (Administrator)
Firefox version 3.6.8 (en-US)

========== GooredScan ==========

Removing Orphan:
"m3ffxtbr@mywebsearch.com"="C:\Program Files\MyWebSearch\bar\1.bin" -> Success!
Deleting HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions\\{63D4DD92-9860-4E9F-97EC-C43E7B74B74B} -> Success!
Deleting C:\Documents and Settings\Administrator\Local Settings\Application Data\{63D4DD92-9860-4E9F-97EC-C43E7B74B74B} -> Success!

========== GooredLog ==========

C:\Program Files\Mozilla Firefox\extensions\
{972ce4c6-7e08-4474-a285-3208198ce6fd} [19:47 17/12/2009]
{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} [19:48 17/12/2009]

C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\5lvwquy8.default\extensions\
DTToolbar@toolbarnet.com [19:27 18/08/2010]
{5e5ab302-7f65-44cd-8211-c1d4caaccea3} [01:17 24/02/2010]
{77b819fa-95ad-4f2c-ac7c-486b356188a9} [21:18 17/12/2009]
{ACAA314B-EEBA-48e4-AD47-84E31C44796C} [21:18 08/09/2010]
{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} [03:40 19/08/2010]

[HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]
"jqs@sun.com"="C:\Program Files\Java\jre6\lib\deploy\jqs\ff" [19:48 17/12/2009]
"{20a82645-c095-46ed-80e3-08825760534b}"="C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\" [21:22 17/12/2009]

-=E.O.F=-


CKScanner - Additional Security Risks - These are not necessarily bad
c:\documents and settings\administrator\application data\utorrent\getdata recover my files professional v4.0 + crack.torrent
c:\documents and settings\administrator\application data\utorrent\star.wars.-.empire.at.war.keygen-tsrh.rar.torrent
c:\documents and settings\administrator\application data\utorrent\[nti]_star_wars_empire_at_war_keygen_repack-suspects.torrent
c:\program files\adobe\adobe photoshop cs4\presets\brushes\cracksandwalls.abr
c:\program files\adobe\adobe premiere pro cs4\plug-ins\en_us\vstplugins\decrackler1.dll
c:\program files\adobe\adobe premiere pro cs4\plug-ins\en_us\vstplugins\decrackler2.dll
c:\program files\adobe\adobe premiere pro cs4\plug-ins\en_us\vstplugins\decrackler6.dll
hosts 127.0.0.1 practivate.adobe.com
scanner sequence 3.CE.11
----- EOF -----



#8 km2357

  • Malware Response Team
  • 1,784 posts
  • Gender:Male
  • Location:California

Posted 16 September 2010 - 06:51 PM

According to your logs it looks like you have some cracked programs on your computer. Installing/running cracks/warez is not worth it, as the programs are more often than not infected or can open up your computer to more infections.

Please uninstall the following programs from your computer:

Recover My Files

Also uninstall any and all Adobe programs which are cracked.

Once you've removed the above programs from your computer, we'll continue.

MalWare Removal University Master

Member of ASAP


#9 OhSht

  • Topic Starter
  • Members
  • 64 posts

Posted 16 September 2010 - 08:03 PM

Okay I removed Recover My Files. None of the Adobe programs are cracked. What now?

#10 km2357

  • Malware Response Team
  • 1,784 posts
  • Gender:Male
  • Location:California

Posted 17 September 2010 - 01:24 PM

Step # 1 Download HostsXpert

Download HostsXpert and unzip it to your desktop.

Open HostsXpert that you earlier unzipped on your Desktop.
  • Click "Make Hosts Writable?" upper right corner (if available)
  • Click "Restore Microsoft's Original Hosts File" and then click OK
  • Close HostsXpert

Note: if you used a custom Hosts file (e.g. MVPS Hosts), you will have to put it back manually.


Please disable avast! Antivirus as it may interfere with the fixes. Remember to re-enable it back before posting the logs.

* Right click on avast! Antivirus icon near the clock and select Stop On-Access Protection.
* Right click on this icon again and select Program Settings.
* On the left, click on Troubleshooting.
* Uncheck (untick) this box - Disable avast! self-defense module.
* Click OK to apply the settings

If the above doesn't work, do the following:

Right click on the toolbar icon, then pull down "avast shield control" and click "Disable for 1 hour".


Step # 2: Download and Run ComboFix

We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

*Ensure you have disabled all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

* IMPORTANT !!! Save ComboFix.exe to your Desktop

When finished, it shall produce a log for you. Please post C:\ComboFix.txt in your next reply.



#11 OhSht

  • Topic Starter
  • Members
  • 64 posts

Posted 17 September 2010 - 02:04 PM

Okay but before I do this is there any chance that I will lose my Adobe programs or my files?

#12 km2357

  • Malware Response Team
  • 1,784 posts
  • Gender:Male
  • Location:California

Posted 17 September 2010 - 06:54 PM

QUOTE(OhSht @ Sep 17 2010, 12:04 PM)
Okay but before I do this is there any chance that I will lose my Adobe programs or my files?


Do you mean when you run ComboFix or when you run HostsXpert?

Running ComboFix will delete any bad/malicious files/folders it finds. There's a chance of false positives, but if we find any, we can correct it and move the file/folder back to its original place.


As for HostsXpert, running it will reset your Hosts file back to normal.

Looking at this line in your Hosts File, your Hosts file is compromised:

hosts 127.0.0.1 practivate.adobe.com

That line would prevent the Adobe software on your computer from connecting to the Internet to see if it has a valid license.

Did you add this entry to your Hosts file?

Edited by km2357, 17 September 2010 - 06:56 PM.

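The Hosts file check behind the HostsXpert step above and the practivate.adobe.com explanation in this reply, as an added example that is not part of the original thread and not HostsXpert's code: a Python script that parses a Windows-format hosts file and reports every mapping beyond Microsoft's stock localhost line. Mappings to loopback or 0.0.0.0 are reported as "sinkholed" (the host is silently blocked, which is what the practivate.adobe.com line does to Adobe's activation check), and mappings to any other address as "redirected" (the host is sent to a server of someone else's choosing, the classic hosts-file hijack). The sample file content is constructed: only the practivate.adobe.com line comes from the CKScanner output in the thread; the activate.adobe.com line, the example-bank hostname and the 203.0.113.7 address are hypothetical.

```python
import ipaddress
import os

# Constructed sample. Only the practivate.adobe.com line is taken from the
# CKScanner output in this thread; the other non-default lines are hypothetical.
# The comment header is what Microsoft's stock XP hosts file begins with.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
127.0.0.1       practivate.adobe.com      # blocks Adobe's activation server
0.0.0.0         activate.adobe.com
203.0.113.7     www.example-bank.test     # hypothetical pharming entry
"""

# The only mappings a stock hosts file carries (the ::1 line appears from Vista on).
DEFAULT_ENTRIES = {("127.0.0.1", "localhost"), ("::1", "localhost")}


def parse_hosts(text):
    """Return (ip, hostname) pairs; comments, blank lines and unparsable IPs are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing and whole-line comments
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        ip, names = fields[0], fields[1:]
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue                           # first field is not an address
        for name in names:                     # one IP may map several names
            entries.append((ip, name.lower()))
    return entries


def classify(ip, name):
    """default: stock entry; sinkholed: host silently blocked; redirected: host sent elsewhere."""
    if (ip, name) in DEFAULT_ENTRIES:
        return "default"
    addr = ipaddress.ip_address(ip)
    if addr.is_loopback or addr.is_unspecified:   # 127.x.x.x, ::1, 0.0.0.0
        return "sinkholed"
    return "redirected"


def audit_hosts(text):
    """Every non-default mapping, in file order, with its classification."""
    return [{"ip": ip, "host": name, "kind": classify(ip, name)}
            for ip, name in parse_hosts(text)
            if classify(ip, name) != "default"]


if __name__ == "__main__":
    # Audit the live file on a Windows box; fall back to the sample elsewhere.
    path = os.path.join(os.environ.get("SystemRoot", r"C:\Windows"),
                        "system32", "drivers", "etc", "hosts")
    try:
        with open(path, encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    except OSError:
        text = SAMPLE_HOSTS
    for finding in audit_hosts(text):
        print(f"{finding['kind']:10} {finding['ip']:16} {finding['host']}")
```

Run on the live file, anything it prints is a line HostsXpert's "Restore Microsoft's Original Hosts File" will remove; a "redirected" entry for a bank, an update server or an antivirus vendor deserves a closer look than a "sinkholed" one, because it changes where the browser goes rather than just blocking it.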


#13 OhSht

  • Topic Starter
  • Members
  • 64 posts

Posted 17 September 2010 - 08:35 PM

No, I did not add that. I bought my computer custom made from this guy and he said he had an extra copy of CS4 that he could install. Don't know if he stole it or not.

ComboFix 10-09-17.04 - Administrator 09/18/2010 22:01:51.1.4 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3582.3214 [GMT -5:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix2.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Administrator\Application Data\4irre3780IR.exe
c:\documents and settings\Administrator\Application Data\cglogs.dat
c:\documents and settings\Administrator\Application Data\data.dat
c:\documents and settings\All Users\Application Data\Toolbar4
c:\windows\system32\msconfig.exe

Infected copy of c:\windows\system32\drivers\rasacd.sys was found and disinfected
Restored copy from - Kitty had a snack :p
c:\windows\system32\proquota.exe . . . is missing!!

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_MYWEBSEARCHSERVICE
-------\Service_MyWebSearchService


((((((((((((((((((((((((( Files Created from 2010-08-19 to 2010-09-19 )))))))))))))))))))))))))))))))
.

2010-09-14 21:19 . 2010-09-07 14:52 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-09-14 21:19 . 2010-09-07 14:52 165584 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-09-14 21:19 . 2010-09-07 14:47 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-09-14 21:19 . 2010-09-07 14:47 100176 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2010-09-14 21:19 . 2010-09-07 14:47 94544 ----a-w- c:\windows\system32\drivers\aswmon.sys
2010-09-14 21:19 . 2010-09-07 14:47 17744 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-09-14 21:19 . 2010-09-07 14:46 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2010-09-14 21:19 . 2010-09-07 15:12 38848 ----a-w- c:\windows\avastSS.scr
2010-09-14 21:19 . 2010-09-07 15:11 167592 ----a-w- c:\windows\system32\aswBoot.exe
2010-09-14 21:11 . 2010-09-14 21:12 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Browser Guard 2010
2010-09-14 21:11 . 2010-09-17 01:21 -------- d-----w- c:\program files\Trend Micro
2010-09-11 20:05 . 2010-09-16 20:23 120 ----a-w- c:\windows\Phomobunito.dat
2010-09-11 20:05 . 2010-09-16 11:45 0 ----a-w- c:\windows\Lmisucatofoke.bin
2010-09-08 21:18 . 2010-09-08 21:18 -------- d-----w- c:\documents and settings\Administrator\Application Data\DVDVideoSoftIEHelpers
2010-09-08 21:18 . 2010-09-08 21:18 -------- d-----w- c:\program files\Common Files\DVDVideoSoft
2010-09-08 21:08 . 2010-09-08 21:08 -------- d-----w- c:\documents and settings\Administrator\Application Data\dvdcss
2010-09-08 20:24 . 2010-09-08 20:24 -------- d-----w- c:\program files\Alwil Software
2010-09-08 20:24 . 2010-09-08 20:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
2010-09-08 19:24 . 2010-09-08 19:24 -------- d-----w- c:\program files\VirtualDJ
2010-08-24 13:58 . 2010-08-24 13:58 -------- d-----w- c:\program files\iPod
2010-08-24 13:58 . 2010-08-24 13:58 -------- d-----w- c:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-08-24 13:57 . 2010-08-24 13:57 -------- d-----w- c:\program files\Apple Software Update
2010-08-24 13:56 . 2010-08-24 13:56 -------- d-----w- c:\program files\Bonjour
2010-08-24 10:22 . 2010-08-24 10:22 -------- d-----w- c:\documents and settings\Administrator\Application Data\AVS4YOU
2010-08-24 10:21 . 2010-09-08 20:51 -------- d-----w- c:\program files\Common Files\AVSMedia
2010-08-24 10:21 . 2010-09-08 20:50 -------- d-----w- c:\program files\AVS4YOU
2010-08-24 10:21 . 2010-08-24 10:22 -------- d-----w- c:\documents and settings\All Users\Application Data\AVS4YOU
2010-08-24 10:21 . 2008-08-13 16:22 974848 ----a-w- c:\windows\system32\mfc70.dll
2010-08-24 10:21 . 2008-08-13 16:22 487424 ----a-w- c:\windows\system32\msvcp70.dll
2010-08-24 10:21 . 2008-08-13 16:22 344064 ----a-w- c:\windows\system32\msvcr70.dll
2010-08-24 10:21 . 2008-08-13 16:22 1700352 ----a-w- c:\windows\system32\GdiPlus.dll
2010-08-24 10:21 . 2008-08-13 16:22 24576 ----a-w- c:\windows\system32\msxml3a.dll
2010-08-24 10:14 . 2010-08-24 10:14 -------- d-----w- c:\program files\OJOsoft
2010-08-24 10:14 . 2010-08-24 10:14 -------- d-----w- c:\program files\Common Files\Common Share
2010-08-24 09:50 . 2010-08-24 09:50 -------- d-----w- C:\ijji
2010-08-20 20:05 . 2010-08-20 20:13 36868 ----a-w- c:\program files\uninst-SoundKeys.exe
2010-08-20 07:32 . 2010-08-21 01:50 -------- d-----w- c:\documents and settings\Administrator\Application Data\TS3Client
2010-08-20 07:32 . 2010-08-20 07:32 -------- d-----w- c:\program files\TeamSpeak 3 Client

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-18 22:25 . 2010-02-24 01:16 -------- d-----w- c:\program files\Xfire
2010-09-18 00:45 . 2010-01-01 21:06 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-09-17 23:12 . 2009-12-29 03:03 -------- d-----w- c:\documents and settings\Administrator\Application Data\vlc
2010-09-17 22:09 . 2009-12-20 02:22 22328 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2010-09-17 22:09 . 2009-12-20 02:22 103736 ----a-w- c:\windows\system32\PnkBstrB.exe
2010-09-17 20:08 . 2010-01-07 20:10 -------- d-----w- c:\documents and settings\Administrator\Application Data\uTorrent
2010-09-17 20:06 . 2010-02-27 19:29 -------- d-----w- c:\program files\Startup Manager
2010-09-17 11:55 . 2009-12-17 19:57 1 ----a-w- c:\documents and settings\Administrator\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2010-09-17 01:21 . 2010-09-17 01:21 388096 ----a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-09-17 01:20 . 2009-12-17 19:44 -------- d-----w- c:\program files\Common Files\Adobe
2010-09-14 21:24 . 2009-12-20 02:49 75792 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-09-08 21:18 . 2010-01-07 01:23 -------- d-----w- c:\program files\DVDVideoSoft
2010-09-07 23:25 . 2010-02-13 13:23 -------- d-----w- c:\documents and settings\Administrator\Application Data\Xfire
2010-09-07 19:38 . 2009-12-17 09:16 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-09-07 01:39 . 2010-02-24 01:17 -------- d-----w- c:\program files\XfireXO
2010-09-05 16:54 . 2010-08-18 20:27 -------- d-----w- c:\documents and settings\Administrator\Application Data\Petroglyph
2010-09-05 16:54 . 2010-02-13 23:54 -------- d-----w- c:\program files\LucasArts
2010-08-24 13:58 . 2010-01-02 00:12 -------- d-----w- c:\program files\iTunes
2010-08-24 13:58 . 2010-01-02 00:11 -------- d-----w- c:\program files\Common Files\Apple
2010-08-24 13:57 . 2009-12-17 19:53 -------- d-----w- c:\program files\QuickTime Alternative
2010-08-21 17:59 . 2009-12-17 19:49 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-08-20 20:40 . 2010-05-04 23:41 -------- d-----w- c:\program files\Trapcode
2010-08-18 19:39 . 2010-08-18 19:27 -------- d-----w- c:\program files\DAEMON Tools Toolbar
2010-08-18 19:28 . 2010-08-18 19:27 -------- d-----w- c:\program files\DAEMON Tools Lite
2010-08-18 17:24 . 2010-08-18 17:21 -------- d-----w- c:\documents and settings\Administrator\Application Data\DAEMON Tools Net
2010-08-18 17:21 . 2010-01-07 20:09 445936 ----a-w- c:\windows\system32\drivers\sptd.sys
2010-08-18 17:21 . 2010-08-18 17:21 -------- d-----w- c:\documents and settings\All Users\Application Data\DAEMON Tools Net
2010-08-18 02:53 . 2010-01-06 21:38 50748 ---ha-w- c:\windows\system32\mlfcache.dat
2010-08-18 01:37 . 2010-08-18 01:37 98304 ----a-w- c:\windows\system32\CmdLineExt.dll
2010-08-17 02:55 . 2010-03-06 11:14 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-08-12 18:44 . 2010-01-31 03:15 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-08-11 08:18 . 2010-01-31 03:15 2568656 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\install_flash_player.exe
2010-08-11 08:18 . 2010-01-31 03:15 1025992 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\SecurityScan_Release.exe
2010-08-10 23:42 . 2009-12-20 02:49 -------- d-----w- c:\documents and settings\All Users\Application Data\FLEXnet
2010-08-08 00:00 . 2010-08-08 00:00 -------- d-----w- c:\program files\Z8Games
2010-07-31 18:12 . 2010-01-01 19:19 765952 ----a-w- c:\documents and settings\All Users\Application Data\NexonUS\NGM\NGMDll.dll
2010-07-21 21:30 . 2010-07-21 21:30 73000 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.2.1.5\SetupAdmin.exe
2010-07-09 19:04 . 2010-07-09 19:04 41872 ----a-w- c:\windows\system32\xfcodec.dll
.

------- Sigcheck -------

[-] 2009-08-09 . E88631E21A9CACA06104802F9E915115 . 361600 . . [5.1.2600.5625] . . c:\windows\system32\drivers\tcpip.sys


[-] 2009-12-16 . B0553D8069F597686BF49DF9F538B612 . 1614848 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll

c:\windows\System32\wscntfy.exe ... is missing !!
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{5e5ab302-7f65-44cd-8211-c1d4caaccea3}"= "c:\program files\XfireXO\tbXfir.dll" [2009-12-31 2349080]

[HKEY_CLASSES_ROOT\clsid\{5e5ab302-7f65-44cd-8211-c1d4caaccea3}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5e5ab302-7f65-44cd-8211-c1d4caaccea3}]
2009-12-31 17:53 2349080 ----a-w- c:\program files\XfireXO\tbXfir.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{5e5ab302-7f65-44cd-8211-c1d4caaccea3}"= "c:\program files\XfireXO\tbXfir.dll" [2009-12-31 2349080]

[HKEY_CLASSES_ROOT\clsid\{5e5ab302-7f65-44cd-8211-c1d4caaccea3}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{5E5AB302-7F65-44CD-8211-C1D4CAACCEA3}"= "c:\program files\XfireXO\tbXfir.dll" [2009-12-31 2349080]

[HKEY_CLASSES_ROOT\clsid\{5e5ab302-7f65-44cd-8211-c1d4caaccea3}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Pando Media Booster"="c:\program files\Pando Networks\Media Booster\PMB.exe" [2009-12-31 2935480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-11-21 12669544]
"nmctxth"="c:\program files\Common Files\Pure Networks Shared\Platform\nmctxth.exe" [2008-12-12 642856]
"Linksys Wireless Manager"="c:\program files\Linksys\Linksys Wireless Manager\LinksysWirelessManager.exe" [2009-02-16 1358384]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-05-12 202256]
"nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2009-11-19 1657448]
"QuickTime Task"="c:\program files\QuickTime Alternative\QTTask.exe" [2010-03-19 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-07-21 141608]
"avast5"="c:\program files\Alwil Software\Avast5\avastUI.exe" [2010-09-07 2838912]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"_nltide_3"="advpack.dll" [2009-03-08 128512]

c:\documents and settings\Administrator\Start Menu\Programs\Startup\
CCleaner.lnk - c:\program files\CCleaner\CCleaner.exe [2009-11-24 1738040]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"= 1 (0x1)
"NoSMMyPictures"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)
"NoWinKeys"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"= 1 (0x1)
"ForceClassicControlPanel"= 1 (0x1)
"NoResolveTrack"= 1 (0x1)
"NoSMMyPictures"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^Aero Sidebar.lnk]
backup=c:\windows\pss\Aero Sidebar.lnkStartup
path=c:\documents and settings\Administrator\Start Menu\Programs\Startup\Aero Sidebar.lnk

[HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
backup=c:\windows\pss\LimeWire On Startup.lnkStartup
path=c:\documents and settings\Administrator\Start Menu\Programs\Startup\LimeWire On Startup.lnk

[HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^OpenOffice.org 3.1.lnk]
path=c:\documents and settings\Administrator\Start Menu\Programs\Startup\OpenOffice.org 3.1.lnk
backup=c:\windows\pss\OpenOffice.org 3.1.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^Xfire.lnk]
backup=c:\windows\pss\Xfire.lnkStartup
path=c:\documents and settings\Administrator\Start Menu\Programs\Startup\Xfire.lnk

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-06-09 08:06 976832 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-06-20 02:04 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeCS4ServiceManager]
2008-08-14 13:58 611712 ----a-w- c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 08:42 15360 ----a-w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IAAnotif]
2009-06-05 01:03 186904 ----a-w- c:\program files\Intel\Intel Matrix Storage Manager\IAAnotif.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes' Anti-Malware]
2009-12-03 22:14 429392 ----a-w- c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2009-11-21 02:32 12669544 ----a-w- c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
2009-11-21 02:32 110184 ----a-w- c:\windows\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ooVoo.exe]
2010-02-10 17:27 18784440 ----a-w- c:\program files\ooVoo\ooVoo.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
2009-06-25 06:07 17887232 ----a-w- c:\windows\RTHDCPL.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-12-17 19:48 149280 ----a-w- c:\program files\Java\jre6\bin\jusched.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"c:\\Nexon\\Combat Arms\\NMService.exe"=
"c:\\Program Files\\TeamViewer\\Version5\\TeamViewer.exe"=
"c:\\Program Files\\ijji\\ijji REACTOR\\REACTOR.exe"=
"c:\\WINDOWS\\Downloaded Program Files\\ijjiOptimizer.exe"=
"c:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3sp.exe"=
"e:\\Program Files\\ijj\\REACTOR.exe"=
"c:\\Program Files\\Xfire\\Xfire.exe"=
"c:\nexon\Combat Arms\CombatArms.exe"= c:\nexon\Combat Arms\CombatArms.exe:*Enabled:CombatArms.exe
"c:\\Program Files\\RADVideo\\radvideo.exe"=
"c:\\Program Files\\ooVoo\\ooVoo.exe"=
"c:\\Program Files\\NETGEAR\\WG111v3\\WG111v3.exe"=
"c:\\Program Files\\Adobe\\Adobe After Effects CS4\\Support Files\\AfterFX.exe"=
"c:\\Program Files\\ijji\\ijji REACTOR\\ijjiOptimizer.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\Nexon\\Combat Arms\\Engine.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Nexon\\Combat Arms\\HShield\\HSUpdate.exe"=
"c:\\Nexon\\Combat Arms\\CombatArms_Direct.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:TCP"= 5353:TCP:Adobe CSI CS4
"57970:TCP"= 57970:TCP:Pando Media Booster
"57970:UDP"= 57970:UDP:Pando Media Booster
"443:TCP"= 443:TCP:*:Disabled:ooVoo TCP port 443
"443:UDP"= 443:UDP:*:Disabled:ooVoo UDP port 443
"37674:TCP"= 37674:TCP:*:Disabled:ooVoo TCP port 37674
"37674:UDP"= 37674:UDP:*:Disabled:ooVoo UDP port 37674
"37675:UDP"= 37675:UDP:*:Disabled:ooVoo UDP port 37675

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [9/14/2010 4:19 PM 165584]
R1 oreans32;oreans32;c:\windows\system32\drivers\oreans32.sys [4/1/2010 9:17 AM 33824]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [9/14/2010 4:19 PM 17744]
R2 EAPPkt;Realtek EAPPkt Protocol;c:\windows\system32\drivers\EAPPkt.sys [10/9/2007 1:13 PM 38144]
R3 RT80x86;Linksys WPC600N/WMP600N Wireless-N Card Driver;c:\windows\system32\drivers\rt2860.sys [4/5/2010 6:50 PM 712704]
S0 nielprt;Nielsen Patch Service;c:\windows\system32\DRIVERS\nielprt.sys --> c:\windows\system32\DRIVERS\nielprt.sys [?]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [12/17/2009 4:16 AM 1684736]
S3 NielGfx;Nielsen USB GFX;c:\windows\system32\drivers\nielgfx.sys --> c:\windows\system32\drivers\nielgfx.sys [?]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 RTL8187B;NETGEAR WG111v3 Wireless-G USB Adapter Vista Driver;c:\windows\system32\drivers\wg111v3.sys [7/31/2009 3:12 PM 341504]
S3 XDva337;XDva337;\??\c:\windows\system32\XDva337.sys --> c:\windows\system32\XDva337.sys [?]
S3 XDva359;XDva359;\??\c:\windows\system32\XDva359.sys --> c:\windows\system32\XDva359.sys [?]
S3 XDva362;XDva362;\??\c:\windows\system32\XDva362.sys --> c:\windows\system32\XDva362.sys [?]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [1/7/2010 3:09 PM 445936]
[HKEY_CURRENT_USER\software\microsoft\active setup\installed components\{5BDF2CBF-A6C2-D3DA-FAB0-EBBFFEFBA022}]
c:\documents and settings\Administrator\Application Data\Svchost.exe [BU]
[HKEY_CURRENT_USER\software\microsoft\active setup\installed components\{BC9BC0CF-DCCB-C4CB-D6AE-ACF0FF61D16D}]
c:\documents and settings\Administrator\Application Data\winlogon.exe [BU]
.
Contents of the 'Scheduled Tasks' folder

2010-09-19 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAEXEC.exe [2009-08-03 20:07]

2010-09-19 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-839522115-790525478-1801674531-500.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 03:09]

2010-09-09 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-839522115-790525478-1801674531-500.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 03:09]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Settings,ProxyOverride = <local>;*.local
uInternet Settings,ProxyServer = http=127.0.0.1:6522
IE: Free YouTube Download - c:\documents and settings\Administrator\Application Data\DVDVideoSoftIEHelpers\youtubedownload.htm
IE: Free YouTube to Mp3 Converter - c:\documents and settings\Administrator\Application Data\DVDVideoSoftIEHelpers\youtubetomp3.htm
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\5lvwquy8.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://bing.zugo.com/s/?src=FF-Address&site=Bing&cfg=2-80-0-CRTm&q=
FF - prefs.js: network.proxy.type - 0
FF - component: c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\5lvwquy8.default\extensions\{5e5ab302-7f65-44cd-8211-c1d4caaccea3}\components\FFExternalAlert.dll
FF - component: c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\5lvwquy8.default\extensions\{5e5ab302-7f65-44cd-8211-c1d4caaccea3}\components\RadioWMPCore.dll
FF - component: c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\5lvwquy8.default\extensions\DTToolbar@toolbarnet.com\components\DTToolbarFF.dll
FF - plugin: c:\documents and settings\Administrator\Application Data\Move Networks\plugins\npqmp071705000014.dll
FF - plugin: c:\documents and settings\Administrator\Local Settings\Application Data\Yahoo!\BrowserPlus\2.9.8\Plugins\npybrowserplus_2.9.8.dll
FF - plugin: c:\documents and settings\All Users\Application Data\NexonUS\NGM\npNxGameUS.dll
FF - plugin: c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npijjiautoinstallpluginff.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npPandoWebInst.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - ORPHANS REMOVED - - - -

BHO-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
Toolbar-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
HKCU-Run-AdobeBridge - (no file)
HKCU-Run-snffjjfq - c:\documents and settings\Administrator\Local Settings\Application Data\ekuxwlwvu\khylmllshdw.exe
HKCU-Run-Kyulevegu - c:\windows\btasiec.dll
HKLM-Run-Evejupofuyi - c:\windows\uzogujekafiya.dll
MSConfigStartUp-DAEMON Tools Pro Agent - c:\program files\DAEMON Tools Pro\DTProAgent.exe
MSConfigStartUp-nwiz - nwiz.exe
MSConfigStartUp-uTorrent - c:\program files\uTorrent\uTorrent.exe
ActiveSetup-{5BDF2CBF-A6C2-D3DA-FAB0-EBBFFEFBA022} - c:\documents and settings\Administrator\Application Data\Svchost.exe
ActiveSetup-{BC9BC0CF-DCCB-C4CB-D6AE-ACF0FF61D16D} - c:\documents and settings\Administrator\Application Data\winlogon.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-09-18 22:09
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\windows\TEMP\_asw_aisI.tm~a02908
c:\windows\TEMP\_asw_aisI.tm~a02908\onefile 529 bytes
c:\windows\TEMP\_asw_aisI.tm~a02908\setup.lok 0 bytes

scan completed successfully
hidden files: 3

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-839522115-790525478-1801674531-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,bf,b5,6b,79,cf,1a,06,41,8c,26,e5,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,29,f7,6c,63,71,49,9b,46,95,97,36,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(1124)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\wpdshserviceobj.dll
c:\windows\system32\portabledevicetypes.dll
c:\windows\system32\portabledeviceapi.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvsvc32.exe
c:\program files\Alwil Software\Avast5\AvastSvc.exe
c:\windows\system32\rundll32.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\PnkBstrA.exe
c:\program files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
c:\program files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2010-09-18 22:13:25 - machine was rebooted
ComboFix-quarantined-files.txt 2010-09-19 03:13

Pre-Run: 71,221,035,008 bytes free
Post-Run: 70,921,437,184 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - BFF5F75C8603A3407083F3B7B9FBC1B7

Edited by OhSht, 17 September 2010 - 09:06 PM.
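As an added example, not part of the original thread and not ComboFix's own code: a Python script that runs, over an excerpt of lines copied from the ComboFix log above, a few of the checks a responder makes by eye on such a log. It flags (1) autostart entries (Run, Active Setup) whose target lives under the user's profile, (2) executables that carry the name of a core Windows binary (svchost.exe, winlogon.exe and so on) but sit outside the Windows directory, (3) an Internet Explorer proxy that points at loopback, which lets a local process see and rewrite every browser request, and (4) a Firefox keyword.URL that sends address-bar searches somewhere other than Google, which this example assumes was the Firefox 3.6 default. The NvCplDaemon, Pando and homepage lines are kept as benign controls; the name list, the drive-letter assumption and the reason strings are the example's own choices.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Excerpt constructed from lines of the ComboFix log posted above (three benign
# lines kept as controls). ComboFix defangs URLs as hxxp.
SAMPLE_LOG = r"""
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-11-21 12669544]
"Pando Media Booster"="c:\program files\Pando Networks\Media Booster\PMB.exe" [2009-12-31 2935480]
HKCU-Run-snffjjfq - c:\documents and settings\Administrator\Local Settings\Application Data\ekuxwlwvu\khylmllshdw.exe
ActiveSetup-{5BDF2CBF-A6C2-D3DA-FAB0-EBBFFEFBA022} - c:\documents and settings\Administrator\Application Data\Svchost.exe
ActiveSetup-{BC9BC0CF-DCCB-C4CB-D6AE-ACF0FF61D16D} - c:\documents and settings\Administrator\Application Data\winlogon.exe
uInternet Settings,ProxyServer = http=127.0.0.1:6522
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://bing.zugo.com/s/?src=FF-Address&site=Bing&cfg=2-80-0-CRTm&q=
"""

# Core Windows binary names that malware borrows; genuine copies live under
# %SystemRoot%. The list is this example's own and not exhaustive.
SYSTEM_BINARY_NAMES = {"svchost.exe", "winlogon.exe", "explorer.exe", "lsass.exe",
                       "csrss.exe", "services.exe", "smss.exe", "spoolsv.exe"}
WINDOWS_DIR = "c:\\windows\\"          # assumption: system drive is C:
EXPECTED_SEARCH_DOMAIN = "google.com"  # assumption: Firefox 3.6 default for keyword.URL

PATH_RE = re.compile(r'([a-z]:\\[^"\[\]]+?\.(?:exe|dll|sys|scr|cpl))', re.I)
USER_PROFILE_RE = re.compile(
    r"\\documents and settings\\[^\\]+\\(?:application data|local settings)\\", re.I)
PROXY_RE = re.compile(r"ProxyServer\s*=\s*(?:https?=)?([^\s;]+)")
FF_PREF_RE = re.compile(r"FF - prefs\.js:\s*(\S+)\s*-\s*(\S+)")


def check_autostart(line):
    """Reasons to suspect an autostart entry, judged from its target path alone."""
    m = PATH_RE.search(line)
    if not m:
        return []
    path = m.group(1).lower()
    basename = path.rsplit("\\", 1)[-1]
    reasons = []
    if USER_PROFILE_RE.search(path):
        reasons.append("autostart target lives under the user profile")
    if basename in SYSTEM_BINARY_NAMES and not path.startswith(WINDOWS_DIR):
        reasons.append(f"{basename} outside the Windows directory (name masquerade)")
    return reasons


def check_proxy(line):
    """Flag an IE proxy on this machine: a local process then handles every request."""
    m = PROXY_RE.search(line)
    if not m:
        return []
    host = m.group(1).rsplit(":", 1)[0]
    try:
        local = ipaddress.ip_address(host).is_loopback
    except ValueError:
        local = host.lower() == "localhost"
    return [f"browser traffic proxied through loopback {m.group(1)}"] if local else []


def check_firefox_pref(line):
    """Flag a keyword.URL (address-bar search) that does not point at the expected engine."""
    m = FF_PREF_RE.search(line)
    if not m or m.group(1) != "keyword.URL":
        return []
    url = m.group(2).replace("hxxp", "http", 1)
    host = (urlparse(url).hostname or "").lower()
    if host == EXPECTED_SEARCH_DOMAIN or host.endswith("." + EXPECTED_SEARCH_DOMAIN):
        return []
    return [f"address-bar searches redirected to {host}"]


def triage(log_text):
    """Return [{'line': ..., 'reasons': [...]}] for every line any check flags."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        reasons = check_autostart(line) + check_proxy(line) + check_firefox_pref(line)
        if reasons:
            findings.append({"line": line, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding["line"])
        for reason in finding["reasons"]:
            print("   ->", reason)
```

The loopback proxy and the keyword.URL rewrite together account for a "redirecting in Firefox" symptom without any server-side involvement. Note what path heuristics miss: an entry such as HKCU-Run-Kyulevegu - c:\windows\btasiec.dll from the same log passes every check here, which is why the thread goes on to file reputation (Jotti/VirusTotal) and a Sigcheck-style hash comparison rather than relying on where a file sits.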


#14 km2357

  • Malware Response Team
  • 1,784 posts
  • Gender:Male
  • Location:California

Posted 18 September 2010 - 12:28 PM

QUOTE
No I did not add that. I bought my computer custom made from this guy and he said he had an extra copy of Cs4 that he could install. Dont know if he stole it or not.


Thanks for letting me know. Since you don't know whether or not your copy of Adobe CS4 is legit, my suggestion would be to uninstall everything related to CS4 from your computer. I wouldn't take the chance of having anything that was "stolen" or non-legit on my computer.


Step # 1 Upload Files

Go to Jotti
Copy the following line into the white textbox:
c:\windows\system32\drivers\tcpip.sys
Click Submit.
Please post the results of this scan to this thread.

Repeat the above steps with the following files:

c:\windows\system32\sfcfiles.dll

If Jotti is busy, Go to VirusTotal and scan the file(s) there.


Step # 2 Download and Run SystemLook

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2
  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:

    CODE
    :filefind
    proquota.exe
    wscntfy.exe
    sfcfiles.dll

  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop, entitled SystemLook.txt


In your next post/reply, I need to see the following:

1. The Jotti/VirusTotal Results
2. SystemLook Log

Edited by km2357, 18 September 2010 - 12:29 PM.



#15 OhSht

  • Topic Starter
  • Members
  • 64 posts

Posted 18 September 2010 - 04:55 PM

c:\windows\system32\drivers\tcpip.sys - Found Nothing
c:\windows\system32\sfcfiles.dll - Found Nothing

SystemLook 04.09.10 by jpshortstuff
Log created at 18:05 on 19/09/2010 by Administrator
Administrator - Elevation successful

========== filefind ==========

Searching for "proquota.exe"
No files found.

Searching for "wscntfy.exe"
No files found.

Searching for "sfcfiles.dll"
C:\WINDOWS\system32\sfcfiles.dll --a---- 1614848 bytes [17:52 16/12/2009] [17:52 16/12/2009] B0553D8069F597686BF49DF9F538B612

-= EOF =-



