
Flash and Java update redirect virus


  • This topic is locked
20 replies to this topic

#1 DarkD

DarkD

  • Members
  • 69 posts
  • OFFLINE
  • Local time:11:22 AM

Posted 13 May 2014 - 04:32 PM

When watching flash videos I am constantly redirected to websites asking me to update my java and my flash.  They are clearly bad links when they have names like "upstaradown" and "sdafjkg" and "wantidating".  

 

I found a website describing exactly what I have but the removal instructions don't seem very helpful 

 

http://blog.mitechmate.com/remove-upstaradown-com-redirect-java-update-virus-removal/

 

I've already been to your other section

 

http://www.bleepingcomputer.com/forums/t/533621/upstaradown-java-update-virus/

 

On top of what is shown there I ran norman malware removal tool.  But I can confirm as of about half an hour ago that I am still getting redirected. 

 

DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 8.0.6001.18702
Run by DarkD at 14:12:05 on 2014-05-13
Microsoft Windows XP Home Edition  5.1.2600.3.932.81.1033.18.3327.2181 [GMT -7:00]
.
.
============== Running Processes ================
.
C:\windows\system32\spoolsv.exe
C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
C:\Program Files\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe
C:\windows\system32\SearchIndexer.exe
C:\windows\system32\conime.exe
C:\windows\system32\wscntfy.exe
C:\windows\System32\alg.exe
C:\windows\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\windows\system32\rundll32.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\windows\system32\SearchProtocolHost.exe
C:\windows\system32\SearchFilterHost.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\windows\system32\svchost.exe -k DcomLaunch
C:\windows\system32\svchost.exe -k rpcss
C:\windows\system32\svchost.exe -k netsvcs
C:\windows\System32\svchost.exe -k NetworkService
C:\windows\system32\svchost.exe -k LocalService
C:\windows\System32\svchost.exe -k imgsvc
C:\windows\System32\svchost.exe -k HTTPFilter
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com
BHO: RealNetworks Download and Record Plugin for Internet Explorer: {3049C3E9-B461-4BC5-8870-4C09146192CA} - LocalServer32 - <no file>
BHO: DivX Plus Web Player HTML5 <video>: {326E768D-4182-46FD-9C16-1449A49795F4} - c:\program files\divx\divx plus web player\ie\divxhtml5\DivXHTML5.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - <orphaned>
BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - <orphaned>
dRun: [ctfmon.exe] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\darkd\startm~1\programs\startup\rainme~1.lnk - c:\program files\rainmeter\Rainmeter.exe
uPolicies-Explorer: NoDriveTypeAutoRun = dword:323
uPolicies-Explorer: NoDriveAutoRun = dword:67108863
uPolicies-Explorer: NoDrives = dword:0
mPolicies-Explorer: NoDriveTypeAutoRun = dword:323
mPolicies-Explorer: NoDriveAutoRun = dword:67108863
mPolicies-Explorer: NoDrives = dword:0
mPolicies-Windows\System: Allow-LogonScript-NetbiosDisabled = dword:1
mPolicies-Explorer: NoDriveTypeAutoRun = dword:323
mPolicies-Explorer: NoDriveAutoRun = dword:67108863
IE: &Translate with ATLAS - <no file>
IE: ATLAS Translation &Editor - <no file>
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
Trusted Zone: clonewarsadventures.com
Trusted Zone: freerealms.com
Trusted Zone: soe.com
Trusted Zone: sony.com
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1347014504579
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1347014497189
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_39-windows-i586.cab
TCP: NameServer = 64.59.144.93 64.59.150.139 192.168.1.1
TCP: Interfaces\{0CA6ECB1-39A3-41A4-80C3-A1C65520ABE8} : NameServer = 208.69.150.252,208.69.150.250
TCP: Interfaces\{246714F9-8354-4DF5-843B-CED9AB49A4B5} : NameServer = 208.69.150.252,208.69.150.250
TCP: Interfaces\{56F40D90-9CC8-4793-8A76-78E6DD342542} : NameServer = 208.69.150.252,208.69.150.250
TCP: Interfaces\{92CB159A-B373-4FBC-895A-0D61AEC0AACF} : DHCPNameServer = 64.59.144.93 64.59.150.139 192.168.1.1
TCP: Interfaces\{B2858738-7738-48EE-B64C-F3C92D31F324} : NameServer = 208.69.150.252,208.69.150.250
TCP: Interfaces\{D40F1268-03A4-4685-A455-B232ED465FAE} : NameServer = 208.69.150.252,208.69.150.250
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\program files\common files\skype\Skype4COM.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager - {56F9679E-7826-4C84-81F3-532071A8BCC5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
SEH: SABShellExecuteHook Class - {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - c:\program files\superantispyware\SASSEH.DLL
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\darkd\application data\mozilla\firefox\profiles\solfoden.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - about:home
FF - plugin: c:\documents and settings\darkd\application data\rcru\plugins\nprcplugin.dll
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\adobe\reader 10.0\reader\browser\nppdf32(2).dll
FF - plugin: c:\program files\google\update\1.3.21.145\npGoogleUpdate3.dll
FF - plugin: c:\program files\microsoft silverlight\5.1.30214.0\npctrlui.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_12_0_0_77.dll
.
============= SERVICES / DRIVERS ===============
.
R1 CFRMD;CFRMD;c:\windows\system32\drivers\CFRMD.sys [2012-8-3 36112]
R1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\drivers\dtsoftbus01.sys [2011-6-15 218688]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2011-7-22 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2011-7-12 67664]
R2 !SASCORE;SAS Core Service;c:\program files\superantispyware\SASCore.exe [2013-5-23 119056]
R2 cpuz135;cpuz135;c:\windows\system32\drivers\cpuz135_x32.sys [2013-3-8 21992]
R2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2010-6-25 35088]
R2 SBKUPNT;SBKUPNT;c:\windows\system32\drivers\SBKUPNT.SYS [2014-2-25 14976]
S0 mv61xx;mv61xx; [x]
S0 TfFsMon;TfFsMon; [x]
S0 TFSysMon;TfSysMon; [x]
S2 {09BB444F-B2E2-4009-BAF2-7B727681223E};BuddyVM;\??\c:\program files\vmlaunch\buddyvm.sys --> c:\program files\vmlaunch\BuddyVM.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 jdebnkdbv;Update Center;c:\windows\system32\svchost.exe -k netsvcs [2003-3-31 14336]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2011-6-15 1691480]
S3 EagleXNt;EagleXNt; [x]
S3 TfNetMon;TfNetMon; [x]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2003-3-31 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2013-7-20 754856]
S3 XDva401;XDva401; [x]
S4 CLPSLauncher;COMODO LPS Launcher;c:\program files\common files\comodo\launcher_service.exe [2012-8-23 70352]
S4 cmderd;COMODO Internet Security Eradication Driver;c:\windows\system32\drivers\cmderd.sys [2012-3-11 18056]
S4 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdGuard.sys [2012-3-11 494968]
S4 HiPatchService;Hi-Rez Studios Authenticate and Update Service;c:\program files\hi-rez studios\HiPatchService.exe [2012-7-1 8704]
S4 RealNetworks Downloader Resolver Service;RealNetworks Downloader Resolver Service;c:\program files\realnetworks\realdownloader\rndlresolversvc.exe [2012-11-29 38608]
S4 RoyalRoadsvn;RoyalRoadsvn; [x]
S4 SkypeUpdate;Skype Updater;c:\program files\skype\updater\Updater.exe [2013-10-23 172192]
S4 tvnserver;TightVNC Server;c:\program files\common files\comodo\tvnserver.exe [2012-1-27 828944]
.
=============== File Associations ===============
.
ShellExec: BitComet.exe: open="c:\program files\bitcomet\BitComet.exe"
ShellExec: EDITPLUS.EXE: edit=c:\program files\editplus 3\EDITPLUS.EXE
ShellExec: EDITPLUS.EXE: open=c:\program files\editplus 3\EDITPLUS.EXE
ShellExec: sqldeveloper.exe: Open="c:\documents and settings\darkd\desktop\sqldeveloper\sqldeveloper.exe"
.
=============== Created Last 30 ================
.
2014-05-13 07:11:41    98816    ----a-w-    c:\windows\sed.exe
2014-05-13 07:11:41    256000    ----a-w-    c:\windows\PEV.exe
2014-05-13 07:11:41    208896    ----a-w-    c:\windows\MBR.exe
2014-05-13 00:31:28    --------    d-----w-    c:\documents and settings\darkd\local settings\application data\Norman Malware Cleaner
2014-05-12 22:56:37    388096    ----a-r-    c:\documents and settings\darkd\application data\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
2014-05-12 22:56:35    --------    d-----w-    c:\program files\Trend Micro
2014-05-10 08:21:55    965232    ----a-w-    c:\program files\mozilla firefox\icuuc52.dll
2014-05-10 08:21:55    1266800    ----a-w-    c:\program files\mozilla firefox\icuin52.dll
2014-05-10 08:21:55    10594416    ----a-w-    c:\program files\mozilla firefox\icudt52.dll
2014-05-09 03:35:53    50648    ----a-w-    c:\windows\system32\drivers\mbamchameleon.sys
2014-05-09 03:35:53    --------    d-----w-    c:\program files\Malwarebytes Anti-Malware
2014-05-08 02:08:41    --------    d-----w-    c:\program files\ESET
2014-05-08 02:00:31    --------    d-----w-    c:\windows\ERUNT
2014-05-08 01:37:15    536576    ----a-w-    c:\windows\system32\sqlite3.dll
.
==================== Find3M  ====================
.
2014-05-09 03:37:16    107736    ----a-w-    c:\windows\system32\drivers\mbamswissarmy.sys
2014-04-13 19:53:23    692400    ----a-w-    c:\windows\system32\FlashPlayerApp.exe
2014-04-13 19:53:22    70832    ----a-w-    c:\windows\system32\FlashPlayerCPLApp.cpl
2014-04-03 16:50:56    23256    ----a-w-    c:\windows\system32\drivers\mbam.sys
2014-02-26 01:59:05    13312    ------w-    c:\windows\system32\xp_eos.exe
2014-02-24 11:46:36    920064    ----a-w-    c:\windows\system32\wininet.dll
2014-02-24 11:45:58    43520    ----a-w-    c:\windows\system32\licmgr10.dll
2014-02-24 11:45:57    1469440    ----a-w-    c:\windows\system32\inetcpl.cpl
2014-02-24 11:45:42    18944    ----a-w-    c:\windows\system32\corpol.dll
2014-02-24 10:54:21    385024    ----a-w-    c:\windows\system32\html.iec
2014-02-14 01:27:29    257    ----a-w-    c:\windows\wininit.tmp
.
============= FINISH: 14:12:12.25 ===============
 



#2 DarkD

DarkD
  • Topic Starter

  • Members
  • 69 posts
  • OFFLINE
  • Local time:11:22 AM

Posted 15 May 2014 - 08:40 PM

Bumping this because it's still a problem, and it hasn't been answered in days.



#3 seedy21

seedy21

  • Malware Response Team
  • 742 posts
  • OFFLINE
  • Gender:Male
  • Location:West Yorkshire, UK
  • Local time:07:22 PM

Posted 17 May 2014 - 12:51 PM

Hi DarkD and Welcome to BleepingComputer!

I am currently looking through your logs and will advise you on what to do in my next reply.

“It's only after we've lost everything that we're free to do anything.”
― Chuck Palahniuk, Fight Club



#4 seedy21

seedy21

  • Malware Response Team
  • 742 posts
  • OFFLINE
  • Gender:Male
  • Location:West Yorkshire, UK
  • Local time:07:22 PM

Posted 17 May 2014 - 04:24 PM

Hello DarkD

I'm Seedy21 and I will be helping you with your issues.

Please note the following information about the malware forum:
 

  • From this point on, please do not make any more changes to your computer; such as install/uninstall programs, use special fix tools, delete files, edit the registry, etc. - unless advised by me
  • Please do not ask for help elsewhere (in this site or other sites). Doing so can result in system changes, which may not show up in the logs you post.
  • Please reply within 48 hours; if you are going to be away for longer, please let us know, or the topic will be closed for being inactive
  • If you are using Cracked or Illegal software your thread will be closed

Lastly, keep in mind that we are volunteers, so you do not have to pay for malware removal. Persist in this topic until it is closed.


Combofix is a powerful tool intended by its creator to be used under the direction of an expert. It is NOT for private use. You should NOT use Combofix unless a Malware Removal Expert has told you to. Improper use of this tool can seriously damage your operating system and may even prevent it from starting again. Please read Combofix's Disclaimer.
Plus, if it is run without being asked for by a 'helper', the creator will offer no help if anything goes wrong. As you have run this tool I would like to see the log it has made. This should be at C:\ComboFix.txt

Step 1

No Anti-virus Detected

Your logs indicate that you don't have any anti-virus protection on your machine. This opens it to malware threats.

Here are some examples of FREE anti-virus. Please note these are for personal use only.

http://free.avg.com/gb-en/homepage
http://www.avast.com/free-antivirus-download
http://windows.microsoft.com/en-US/windows/security-essentials-download

Step 2

Peer-to-Peer Programs Warning

Your log shows that you are using so-called peer-to-peer or file-sharing programs (in your case µTorrent). These programs allow users to share files between themselves, as the name suggests. In today's world cyber crime has reached an enormous dimension, and any means is used to infect personal computers to make use of their stored data or machine power for further propagation of the malware files. A popular means is the use of file-sharing tools, as a tremendous number of prospective victims can be reached through them.

It is your decision whether or not you wish to keep your program(s) but I suggest you remove it via add/remove. However, please refrain from using them until your computer has been declared clean.

Step 3

Can you confirm whether you live in Canada or the USA? Have you added your own DNS entries?

Step 4

We need to stop DAEMON Tools Lite from running as it has been known to affect the tools we run.

Please download Defogger and save it to your Desktop.
 

  • Double click Defogger.exe to run the program.
    Note: on Windows Vista/7, right-click it and choose Run As Administrator
  • Click on Disable and then Yes. The scan may take a while to complete.

When this has completed, a new window will open with the Finished box; click Continue and close Defogger.


Step 5

Download zoek.exe from here: http://hijackthis.nl/smeenk/ and save it to your Desktop.

 

  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the download or execution of Zoek.exe
    You can find instructions on how to disable your security applications >>Here<< or >>Here<<
  • Double click zoek.exe to start the program.
  • Copy and paste the following script in the code box:
  • Note: This script is written for use on this user's computer; do not use it on another computer even if the problems are similar!
    autoclean;
    emptyclsid;
    services_list;
    standardsearch;
  • Close any open browsers.
  • Click the "Run script" button and wait patiently.
  • When finished the logfile will be opened in notepad.
  • If a reboot is needed the logfile will be opened after reboot.
  • The zoek-results.log can also be found on your systemdrive (normally C:\).
  • Please post the logfile for further review in your next reply

“It's only after we've lost everything that we're free to do anything.”
― Chuck Palahniuk, Fight Club

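Step 3 above asks whether the DNS entries in the log were set by the user. The DDS log in the first post shows the DHCP-assigned resolvers (64.59.144.93, 64.59.150.139, 192.168.1.1) on one interface and a static pair (208.69.150.252, 208.69.150.250) configured on four others. The script below is an added example and is not part of this thread or of any BleepingComputer tool: it parses the `TCP:` lines of a DDS log and reports every interface whose static NameServer contains addresses that DHCP did not hand out, which is the check a helper makes before asking that question. The sample input is copied from the log above; the `trusted` parameter is an assumption of the example, standing in for resolvers the user says they configured themselves. The script only surfaces the mismatch; it does not decide whether any address is malicious.

```python
import re

# Sample input: the "TCP:" lines copied from the DDS log posted above.
# Note the two separator styles DDS uses: spaces in the global and DHCP
# lines, commas in the per-interface static NameServer lines.
SAMPLE_DDS_LOG = """
TCP: NameServer = 64.59.144.93 64.59.150.139 192.168.1.1
TCP: Interfaces\\{0CA6ECB1-39A3-41A4-80C3-A1C65520ABE8} : NameServer = 208.69.150.252,208.69.150.250
TCP: Interfaces\\{246714F9-8354-4DF5-843B-CED9AB49A4B5} : NameServer = 208.69.150.252,208.69.150.250
TCP: Interfaces\\{92CB159A-B373-4FBC-895A-0D61AEC0AACF} : DHCPNameServer = 64.59.144.93 64.59.150.139 192.168.1.1
TCP: Interfaces\\{B2858738-7738-48EE-B64C-F3C92D31F324} : NameServer = 208.69.150.252,208.69.150.250
"""

# Matches both the global "TCP: NameServer = ..." line and the per-interface
# "TCP: Interfaces\{GUID} : NameServer = ..." / "DHCPNameServer = ..." lines.
LINE_RE = re.compile(
    r"^TCP:\s*(?:Interfaces\\\{(?P<iface>[0-9A-Fa-f-]+)\}\s*:\s*)?"
    r"(?P<key>DHCPNameServer|NameServer)\s*=\s*(?P<servers>.*)$"
)


def parse_nameservers(log_text):
    """Return {interface_guid_or_'global': {'NameServer': [...], 'DHCPNameServer': [...]}}."""
    parsed = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a resolver line; DDS logs carry many other "TCP:" entries
        iface = m.group("iface") or "global"
        servers = [s for s in re.split(r"[,\s]+", m.group("servers").strip()) if s]
        parsed.setdefault(iface, {}).setdefault(m.group("key"), []).extend(servers)
    return parsed


def dhcp_assigned(parsed):
    """Every resolver address that DHCP handed out on any interface."""
    assigned = set()
    for entry in parsed.values():
        assigned.update(entry.get("DHCPNameServer", []))
    return assigned


def find_static_overrides(parsed, trusted=None):
    """Interfaces whose static NameServer lists addresses that are neither
    DHCP-assigned nor in the caller's trusted set (an assumed parameter for
    resolvers the user knowingly configured). Returns [(iface, [addrs])]."""
    known = set(trusted or ()) | dhcp_assigned(parsed)
    hits = []
    for iface, entry in sorted(parsed.items()):
        unexpected = sorted(set(entry.get("NameServer", [])) - known)
        if unexpected:
            hits.append((iface, unexpected))
    return hits


if __name__ == "__main__":
    report = parse_nameservers(SAMPLE_DDS_LOG)
    print("DHCP-assigned resolvers:", sorted(dhcp_assigned(report)))
    for iface, addrs in find_static_overrides(report):
        print(f"interface {{{iface}}}: static resolvers not from DHCP: {', '.join(addrs)}")
```

Run against the log above it lists the four interfaces carrying 208.69.150.250 and 208.69.150.252 (three in the sample, which omits one duplicate interface line) and none for the interface that only has DHCP resolvers. If the user confirms they set those addresses, pass them as `trusted` and the report is empty; if they did not, the static entries are what the helper needs to look at, since a resolver the user never chose is the usual way a redirect persists after the browser itself has been cleaned.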


#5 DarkD

DarkD
  • Topic Starter

  • Members
  • 69 posts
  • OFFLINE
  • Local time:11:22 AM

Posted 18 May 2014 - 12:35 AM

Wow that's a lot of stuff.  Sorry I used combofix, but I knew it was dangerous when I used it.  My logic was that if I had to reformat I wouldn't mind because I actually have a copy of Windows 7 that I just bought but haven't installed yet.  So if I break my computer I have an excuse to upgrade anyways, and I already have my files backed up on an external hard drive.  

 

Yeah, I know I should probably use an antivirus.  My logic is that as long as I don't do anything sensitive on my computer I should be fine.  Not to mention half the time I've had serious problems on my PC it's been because of some stupid compatibility issue with anti-viruses.  

 

I live in Canada, and I just finished deleting DAEMON Tools.

 

I need to restart my computer after uninstalling daemon tools, so I'm gonna do the rest after I finish posting this.  

 

ComboFix 14-05-10.01 - DarkD 2014/05/13   0:13.3.4 - x86
Microsoft Windows XP Home Edition  5.1.2600.3.932.81.1033.18.3327.2603 [GMT -7:00]
Running from: c:\documents and settings\DarkD\My Documents\Downloads\ComboFix.exe
.
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\TEMP
c:\documents and settings\DarkD\Local Settings\Tempals_inst.exe
c:\windows\system32\KB1035627.dat
c:\windows\system32\STEC3.sys
c:\windows\wininit.ini
.
.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_STEC3
-------\Service_STEC3
.
.
(((((((((((((((((((((((((   Files Created from 2014-04-13 to 2014-05-13  )))))))))))))))))))))))))))))))
.
.
2014-05-13 00:31 . 2014-05-13 00:31 -------- d-----w- c:\documents and settings\DarkD\Local Settings\Application Data\Norman Malware Cleaner
2014-05-12 22:56 . 2014-05-12 22:56 388096 ----a-r- c:\documents and settings\DarkD\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2014-05-12 22:56 . 2014-05-12 22:56 -------- d-----w- c:\program files\Trend Micro
2014-05-10 08:21 . 2014-05-07 02:26 965232 ----a-w- c:\program files\Mozilla Firefox\icuuc52.dll
2014-05-10 08:21 . 2014-05-07 02:26 1266800 ----a-w- c:\program files\Mozilla Firefox\icuin52.dll
2014-05-10 08:21 . 2014-05-07 02:26 10594416 ----a-w- c:\program files\Mozilla Firefox\icudt52.dll
2014-05-09 03:35 . 2014-05-09 03:35 -------- d-----w- c:\program files\Malwarebytes Anti-Malware
2014-05-09 03:35 . 2014-04-03 16:51 50648 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys
2014-05-08 02:08 . 2014-05-08 02:08 -------- d-----w- c:\program files\ESET
2014-05-08 02:00 . 2014-05-08 02:00 -------- d-----w- c:\windows\ERUNT
2014-05-08 01:37 . 2010-08-30 15:34 536576 ----a-w- c:\windows\system32\sqlite3.dll
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2014-05-09 03:37 . 2013-12-21 09:51 107736 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2014-04-13 19:53 . 2012-04-30 15:57 692400 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2014-04-13 19:53 . 2011-06-16 17:06 70832 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2014-04-03 16:50 . 2013-03-17 09:39 23256 ----a-w- c:\windows\system32\drivers\mbam.sys
2014-02-26 01:59 . 2014-03-25 05:28 13312 ------w- c:\windows\system32\xp_eos.exe
2014-02-24 11:46 . 2003-03-31 12:00 920064 ----a-w- c:\windows\system32\wininet.dll
2014-02-24 11:45 . 2003-03-31 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2014-02-24 11:45 . 2003-03-31 12:00 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2014-02-24 11:45 . 2003-03-31 12:00 18944 ----a-w- c:\windows\system32\corpol.dll
2014-02-24 10:54 . 2004-08-04 05:59 385024 ----a-w- c:\windows\system32\html.iec
2014-02-14 01:27 . 2012-03-02 05:00 257 ----a-w- c:\windows\wininit.tmp
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
c:\documents and settings\DarkD\Start Menu\Programs\Startup\
Rainmeter.lnk - c:\program files\Rainmeter\Rainmeter.exe [2014-2-23 36024]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2013-05-07 115440]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ   autocheck autochk *\0bootdelete\0bootdelete
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37.sys]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HitmanPro37Crusader]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HitmanPro37CrusaderBoot]
@=""
.
[HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^desktop.ini]
path=c:\documents and settings\Administrator\Start Menu\Programs\Startup\desktop.ini
backup=c:\windows\pss\desktop.iniStartup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^desktop.ini]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\desktop.ini
backup=c:\windows\pss\desktop.iniCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^IP Phone Center.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\IP Phone Center.lnk
backup=c:\windows\pss\IP Phone Center.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^McAfee Security Scan Plus.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\McAfee Security Scan Plus.lnk
backup=c:\windows\pss\McAfee Security Scan Plus.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Secunia PSI Tray.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Secunia PSI Tray.lnk
backup=c:\windows\pss\Secunia PSI Tray.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Start livePCsupport Client.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Start livePCsupport Client.lnk
backup=c:\windows\pss\Start livePCsupport Client.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
backup=c:\windows\pss\Windows Search.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^DarkD^Start Menu^Programs^Startup^desktop.ini]
path=c:\documents and settings\DarkD\Start Menu\Programs\Startup\desktop.ini
backup=c:\windows\pss\desktop.iniStartup
.
[HKLM\~\startupfolder\C:^Documents and Settings^DarkD^Start Menu^Programs^Startup^OpenOffice.org 3.3.lnk]
path=c:\documents and settings\DarkD\Start Menu\Programs\Startup\OpenOffice.org 3.3.lnk
backup=c:\windows\pss\OpenOffice.org 3.3.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2013-11-21 16:57 959904 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeAAMUpdater-1.0]
2010-03-06 10:44 500208 ----a-w- c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\updaterstartuputility.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
2010-11-04 00:13 64104 ----a-w- c:\windows\ALCMTR.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BluetoothAuthenticationAgent]
2008-04-14 00:12 110592 ----a-w- c:\windows\system32\bthprops.cpl
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
2011-01-20 09:20 1305408 ----a-w- c:\program files\DAEMON Tools Lite\DTLite.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DivXMediaServer]
2013-05-20 02:37 450560 ----a-w- c:\program files\DivX\DivX Media Server\DivXMediaServer.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DivXUpdate]
2013-02-13 02:37 1263952 ----a-w- c:\program files\DivX\DivX Update\DivXUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DWQueuedReporting]
2011-07-27 11:13 434080 ----a-w- c:\progra~1\COMMON~1\MICROS~1\DW\DWTRIG20.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2011-06-16 04:04 136176 ----atw- c:\documents and settings\DarkD\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMEKRMIG6.1]
2003-03-31 12:00 44032 ----a-w- c:\windows\ime\imkr6_1\imekrmig.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
2004-08-04 05:31 208952 ----a-w- c:\windows\ime\imjp8_1\imjpmig.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KBD]
2005-02-02 22:44 61440 ----a-w- c:\hp\KBD\kbd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LifeChat]
2008-08-21 17:16 267296 ----a-w- c:\program files\Microsoft LifeChat\LifeChat.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Messenger (Yahoo!)]
2011-08-22 08:18 6276408 ----a-w- c:\progra~1\Yahoo!\Messenger\YahooMessenger.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
2010-04-17 04:12 3872080 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSPY2002]
2003-03-31 12:00 59392 ----a-w- c:\windows\system32\IME\PINTLGNT\IMSCINST.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2012-12-01 04:53 15524712 ----a-w- c:\windows\system32\nvcpl.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
2012-12-01 04:53 108392 ----a-w- c:\windows\system32\nvmctray.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
2012-12-03 15:40 1982312 ----a-w- c:\program files\NVIDIA Corporation\nView\nwiz.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A]
2003-03-31 12:00 455168 ----a-w- c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync]
2003-03-31 12:00 455168 ----a-w- c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Pidgin]
2012-07-05 13:24 49321 ----a-w- c:\program files\Pidgin\pidgin.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
2012-08-06 22:37 20117136 ----a-w- c:\windows\RTHDCPL.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
2013-11-14 23:42 20584608 ----a-r- c:\program files\Skype\Phone\Skype.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
2014-04-23 22:01 1825984 ----a-w- c:\program files\Steam\Steam.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
2014-01-21 03:30 5625624 ----a-w- c:\program files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2013-02-07 04:47 295072 ----a-w- c:\program files\Real\RealPlayer\Update\realsched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\tvncontrol]
2012-01-27 15:47 828944 ----a-w- c:\program files\Common Files\Comodo\tvnserver.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Vidalia]
2011-08-28 01:43 5402115 ----a-w- c:\program files\Vidalia Bundle\Vidalia\vidalia.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
2012-06-28 15:40 74752 ----a-w- c:\program files\Winamp\winampa.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Giraffic"=2 (0x2)
"WMPNetworkSvc"=2 (0x2)
"SwitchBoard"=3 (0x3)
"ose"=3 (0x3)
"odserv"=3 (0x3)
"idsvc"=3 (0x3)
"BBSvc"=3 (0x3)
"ComputerUpdater Service"=2 (0x2)
"Steam Client Service"=3 (0x3)
"rpcapd"=3 (0x3)
"NetTcpPortSharing"=2 (0x2)
"HssTrayService"=3 (0x3)
"hshld"=2 (0x2)
"YahooAUService"=2 (0x2)
"Browser Defender Update Service"=2 (0x2)
"sdCoreService"=3 (0x3)
"sdAuxService"=3 (0x3)
"AVP"=2 (0x2)
"MBAMService"=2 (0x2)
"HssWd"=2 (0x2)
"HssSrv"=2 (0x2)
"WebrootSpySweeperService"=2 (0x2)
"WRConsumerService"=2 (0x2)
"ThreatFire"=3 (0x3)
"Secunia Update Agent"=2 (0x2)
"Secunia PSI Agent"=2 (0x2)
"wlidsvc"=3 (0x3)
"tvnserver"=2 (0x2)
"SkypeUpdate"=2 (0x2)
"RealNetworks Downloader Resolver Service"=2 (0x2)
"McComponentHostService"=3 (0x3)
"gupdatem"=3 (0x3)
"gupdate"=2 (0x2)
"HiPatchService"=2 (0x2)
"MBAMScheduler"=2 (0x2)
"RoyalRoadsvn"=3 (0x3)
"wampmysqld"=3 (0x3)
"wampapache"=3 (0x3)
"MozillaMaintenance"=3 (0x3)
"IDriverT"=3 (0x3)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\NVIDIA Corporation\\NVIDIA Updatus\\daemonu.exe"=
"c:\\Program Files\\Steam\\Steam.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Opera\\opera.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Steam\\steamapps\\colbylast@shaw.ca\\synergy dedicated server\\srcds.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Civilization4.exe"=
"c:\\Program Files\\NVIDIA Corporation\\NVIDIA Update Core\\daemonu.exe"=
"c:\\Program Files\\Steam\\steamapps\\colbylast@shaw.ca\\half-life\\hl.exe"=
"c:\\Program Files\\Origin Games\\SimCity\\SimCity\\SimCity.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\Dwarfs - F2P\\Dwarfs.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\Impire\\Impire.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\Darwinia\\darwinia.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\towns\\Towns.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\Half-Life 2 Deathmatch\\hl2.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\Counter-Strike Source\\hl2.exe"=
"c:\\Program Files\\Ubisoft\\Ubisoft Game Launcher\\UbisoftGameLauncher.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\Fallout New Vegas\\FalloutNVLauncher.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\KillingFloor\\System\\KillingFloor.exe"=
"c:\\Program Files\\Steam\\steamapps\\colbylast@shaw.ca\\garrysmod\\hl2.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\Terraria\\Terraria.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\Age2HD\\Launcher.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\Shadowrun Returns\\Shadowrun.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\TheBridge\\The Bridge.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\War For The Overworld\\WFTO.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\Prison Architect\\Prison Architect.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\Sid Meier's Civilization V\\Launcher.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\CraftTheWorld\\CraftWorld.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\7 Days To Die\\7DaysToDie.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\Half-Life 2\\hl2.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\Banished\\Application-steam-x32.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\Half-Life\\hl.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\Half-Life 1 Source Deathmatch\\hl2.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\Godus\\windows\\godus.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\The Wolf Among Us\\TheWolfAmongUs.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\Agarest Zero\\AgarestZero.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\Orcs Must Die 2\\build\\release\\OrcsMustDie2.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\Source SDK Base 2007\\hl2.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\Source SDK Base\\hl2.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\SourceSDK\\bin\\SDKLauncher.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\SirYouAreBeingHunted\\x86\\sir.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\dont_starve\\bin\\dontstarve_steam.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\Skyrim\\SkyrimLauncher.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9909:TCP"= 9909:TCP:aiwmu
"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management 
"26357:TCP"= 26357:TCP:BitComet 26357 TCP
"26357:UDP"= 26357:UDP:BitComet 26357 UDP
.
R1 CFRMD;CFRMD;c:\windows\system32\drivers\CFRMD.sys [2012/08/03 9:23 36112]
R1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\drivers\dtsoftbus01.sys [2011/06/15 23:43 218688]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2011/07/22 9:27 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2011/07/12 14:55 67664]
R2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCore.exe [2013/05/23 13:11 119056]
R2 cpuz135;cpuz135;c:\windows\system32\drivers\cpuz135_x32.sys [2013/03/08 16:19 21992]
R2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2010/06/25 10:07 35088]
R2 SBKUPNT;SBKUPNT;c:\windows\system32\drivers\SBKUPNT.SYS [2014/02/25 17:58 14976]
S0 mv61xx;mv61xx; [x]
S0 TfFsMon;TfFsMon; [x]
S0 TFSysMon;TfSysMon; [x]
S2 {09BB444F-B2E2-4009-BAF2-7B727681223E};BuddyVM;\??\c:\program files\VMLaunch\BuddyVM.sys --> c:\program files\VMLaunch\BuddyVM.sys [?]
S2 jdebnkdbv;Update Center;c:\windows\system32\svchost.exe -k netsvcs [2003/03/31 5:00 14336]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2011/06/15 22:08 1691480]
S3 EagleXNt;EagleXNt; [x]
S3 TfNetMon;TfNetMon; [x]
S3 XDva401;XDva401; [x]
S4 CLPSLauncher;COMODO LPS Launcher;c:\program files\Common Files\Comodo\launcher_service.exe [2012/08/23 9:17 70352]
S4 cmderd;COMODO Internet Security Eradication Driver;c:\windows\system32\drivers\cmderd.sys [2012/03/11 20:13 18056]
S4 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdGuard.sys [2012/03/11 20:13 494968]
S4 HiPatchService;Hi-Rez Studios Authenticate and Update Service;c:\program files\Hi-Rez Studios\HiPatchService.exe [2012/07/01 15:50 8704]
S4 RealNetworks Downloader Resolver Service;RealNetworks Downloader Resolver Service;c:\program files\RealNetworks\RealDownloader\rndlresolversvc.exe [2012/11/29 21:31 38608]
S4 RoyalRoadsvn;RoyalRoadsvn; [x]
S4 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [2013/10/23 8:15 172192]
S4 tvnserver;TightVNC Server;c:\program files\Common Files\Comodo\tvnserver.exe [2012/01/27 8:47 828944]
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost  - NetSvcs
jdebnkdbv
.
Contents of the 'Scheduled Tasks' folder
.
2014-05-13 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-30 19:53]
.
2014-05-12 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1417001333-776561741-725345543-1004Core.job
- c:\documents and settings\DarkD\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-06-16 04:04]
.
2014-05-13 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1417001333-776561741-725345543-1004UA.job
- c:\documents and settings\DarkD\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-06-16 04:04]
.
2014-05-13 c:\windows\Tasks\Microsoft Windows XP End of Service Notification Logon.job
- c:\windows\system32\xp_eos.exe [2014-03-25 01:59]
.
2014-05-08 c:\windows\Tasks\Microsoft Windows XP End of Service Notification Monthly.job
- c:\windows\system32\xp_eos.exe [2014-03-25 01:59]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
IE: &Translate with ATLAS
IE: ATLAS Translation &Editor
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Trusted Zone: clonewarsadventures.com
Trusted Zone: freerealms.com
Trusted Zone: soe.com
Trusted Zone: sony.com
TCP: DhcpNameServer = 64.59.144.93 64.59.150.139 192.168.1.1
TCP: Interfaces\{0CA6ECB1-39A3-41A4-80C3-A1C65520ABE8}: NameServer = 208.69.150.252,208.69.150.250
TCP: Interfaces\{246714F9-8354-4DF5-843B-CED9AB49A4B5}: NameServer = 208.69.150.252,208.69.150.250
TCP: Interfaces\{56F40D90-9CC8-4793-8A76-78E6DD342542}: NameServer = 208.69.150.252,208.69.150.250
TCP: Interfaces\{B2858738-7738-48EE-B64C-F3C92D31F324}: NameServer = 208.69.150.252,208.69.150.250
TCP: Interfaces\{D40F1268-03A4-4685-A455-B232ED465FAE}: NameServer = 208.69.150.252,208.69.150.250
FF - ProfilePath - c:\documents and settings\DarkD\Application Data\Mozilla\Firefox\Profiles\solfoden.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - about:home
.
- - - - ORPHANS REMOVED - - - -
.
MSConfigStartUp-lollipop - c:\documents and settings\darkd\local settings\application data\lollipop\lollipop.exe
MSConfigStartUp-Optimizer Pro - c:\program files\Optimizer Pro\OptProLauncher.exe
MSConfigStartUp-Smart File Advisor - c:\program files\Smart File Advisor\sfa.exe
MSConfigStartUp-SunJavaUpdateSched - c:\program files\Common Files\Java\Java Update\jusched.exe
MSConfigStartUp-VeohPlugin - c:\program files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2014-05-13 00:28
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...  
.
scanning hidden autostart entries ... 
.
scanning hidden files ...  
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\windows\\system32\\Macromed\\Flash\\FlashUtil32_13_0_0_182_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\windows\\system32\\Macromed\\Flash\\FlashUtil32_13_0_0_182_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\VideoLAN.VLCPlugin.*1*\CLSID]
@="{E23FE9C6-778E-49D4-B537-38FCDE4887D8}"
.
[HKEY_LOCAL_MACHINE\software\Classes\VideoLAN.VLCPlugin.*2*]
@="???楴??汐杵?愠???敗?汐杵? v2"
.
[HKEY_LOCAL_MACHINE\software\Classes\VideoLAN.VLCPlugin.*2*\CLSID]
@="{9BE31822-FDAD-461B-AD51-BE1D1C159921}"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(2808)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe
c:\windows\system32\SearchIndexer.exe
c:\windows\system32\conime.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\SearchProtocolHost.exe
c:\windows\system32\SearchFilterHost.exe
.
**************************************************************************
.
Completion time: 2014-05-13  00:34:47 - machine was rebooted
ComboFix-quarantined-files.txt  2014-05-13 07:34
.
Pre-Run: 42,837,721,088 bytes free
Post-Run: 43,572,441,088 bytes free
.
- - End Of File - - 5ACEC2994B5085C1208332C6EA2F1494
FA4B270ECF84BA2B87843C741EBB5D1F


#6 DarkD (Topic Starter, Members, 69 posts)

Posted 18 May 2014 - 01:20 AM

Ok finished.

Zoek.exe v5.0.0.0 Updated 14-April-2014
Tool run by DarkD on 2014/05/17 at 22:43:49.09.
Microsoft Windows XP Home Edition 5.1.2600 Service Pack 3 x86
Running in: Normal Mode Internet Access Detected
Launched: C:\Documents and Settings\DarkD\My Documents\Downloads\zoek.exe    [Scan all users] [Script inserted] 
 
==== System Restore Info ======================
 
2014/05/17 22:47:31 Zoek.exe System Restore Point Created Succesfully.
 
==== Deleting CLSID Registry Keys ======================
 
HKEY_USERS\S-1-5-21-1417001333-776561741-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{3049C3E9-B461-4BC5-8870-4C09146192CA} deleted successfully
HKEY_USERS\S-1-5-21-1417001333-776561741-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{3049C3E9-B461-4BC5-8870-4C09146192CA} deleted successfully
HKEY_USERS\S-1-5-21-1417001333-776561741-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{472734EA-242A-422B-ADF8-83D1E48CC825} deleted successfully
HKEY_USERS\S-1-5-21-1417001333-776561741-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{472734EA-242A-422B-ADF8-83D1E48CC825} deleted successfully
HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478} deleted successfully
HKEY_USERS\S-1-5-19\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478} deleted successfully
HKEY_USERS\S-1-5-20\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478} deleted successfully
HKEY_USERS\S-1-5-21-1417001333-776561741-725345543-1004\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478} deleted successfully
HKEY_USERS\S-1-5-21-1417001333-776561741-725345543-1005\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478} deleted successfully
HKEY_USERS\S-1-5-21-1417001333-776561741-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{5C255C8A-E604-49b4-9D64-90988571CECB} deleted successfully
HKEY_CLASSES_ROOT\CLSID\{3049C3E9-B461-4BC5-8870-4C09146192CA} deleted successfully
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3049C3E9-B461-4BC5-8870-4C09146192CA} deleted successfully
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C255C8A-E604-49b4-9D64-90988571CECB} deleted successfully
 
==== Deleting CLSID Registry Values ======================
 
HKEY_USERS\S-1-5-21-1417001333-776561741-725345543-1004\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\{472734EA-242A-422B-ADF8-83D1E48CC825} deleted successfully
 
==== Running Processes ======================
 
C:\windows\System32\smss.exe
C:\windows\system32\csrss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\spoolsv.exe
C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
C:\Program Files\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe
C:\windows\system32\SearchIndexer.exe
C:\windows\Explorer.EXE
C:\windows\system32\wscntfy.exe
C:\windows\System32\alg.exe
C:\windows\system32\conime.exe
C:\Documents and Settings\DarkD\My Documents\Downloads\zoek.exe
C:\windows\system32\svchost.exe -k DcomLaunch
C:\windows\system32\svchost.exe -k rpcss
C:\windows\system32\svchost.exe -k netsvcs
C:\windows\System32\svchost.exe -k NetworkService
C:\windows\system32\svchost.exe -k LocalService
C:\windows\System32\svchost.exe -k imgsvc
C:\windows\System32\svchost.exe -k HTTPFilter
 
==== Deleting Services ======================
 
 
==== FireFox Fix ======================
 
ProfilePath: C:\Documents and Settings\DarkD\Application Data\Mozilla\Firefox\Profiles\solfoden.default
 
user.js not found
---- FireFox user.js and prefs.js backups ---- 
 
prefs_0517_2256_.backup
 
==== Deleting Files \ Folders ======================
 
C:\DOCUME~1\ALLUSE~1\APPLIC~1\Malwarebytes' Anti-Malware (portable) deleted
C:\Program Files\GUM1FF.tmp deleted
C:\Program Files\Yahoo! deleted
C:\Program Files\Chrome deleted
C:\Documents and Settings\DarkD\Application Data\Microsoft\Internet Explorer\Quick Launch\SpeedUpMyPC.lnk deleted
C:\DOCUME~1\ALLUSE~1\APPLIC~1\Yahoo! deleted
C:\DOCUME~1\ALLUSE~1\APPLIC~1\Package Cache deleted
C:\Documents and Settings\DarkD\Local Settings\Application Data\avgchrome deleted
C:\Documents and Settings\DarkD\Start Menu\Programs\Create Amazing Presentations.lnk deleted
C:\windows\wininit.tmp deleted
C:\windows\system32\SafeAppRichList.ocx deleted
C:\windows\system32\CUUpdateComponent.ocx deleted
C:\windows\system32\ComputerUpdaterLM.ocx deleted
C:\Documents and Settings\DarkD\Application Data\Mozilla\Firefox\Profiles\solfoden.default\searchplugins\hotspot-shield-customized-web-search.xml deleted
C:\Documents and Settings\DarkD\Application Data\Mozilla\Firefox\Profiles\solfoden.default\CT2765711 deleted
C:\Documents and Settings\DarkD\Application Data\Mozilla\Firefox\Profiles\solfoden.default\CT3007394 deleted
 
==== System Specs ======================
 
Windows: Windows XP Home Edition Service Pack 3 (Build 2600)
Memory (RAM): 3327 MB
CPU Info: Intel® Core™2 Quad CPU    Q6600  @ 2.40GHz
CPU Speed: 2359.0 MHz
Sound Card: Realtek HD Audio output | 
Display Adapters: NVIDIA GeForce 9600 GT | NetMeeting driver | RDPDD Chained DD
Monitors: 1x; Acer X223W  | 
Screen Resolution: 1680 X 1050 - 32 bit
Network: Network Present
Network Adapters: Atheros AR8121/AR8113/AR8114 PCI-E Ethernet Controller - Packet Scheduler Miniport | Anchorfree HSS Adapter - Packet Scheduler Miniport
CD / DVD Drives: 1x (D: | ) D: HL-DT-STDVDRAM GH20NS15
Ports: COM1 LPT Port NOT Present. 
Mouse: 16 Button Wheel Mouse Present
Hard Disks: C:  280.5GB
Hard Disks - Free: C:  37.5GB
Manufacturer *: American Megatrends Inc.
BIOS Info: AT/AT COMPATIBLE | 02/25/10 | A_M_I_ - 2001025
Time Zone: Pacific Standard Time
Motherboard *: ASUSTeK Computer INC. P5Q
Country: Japan 
Language: JPN 
 
==== System Specs (Software) ======================
 
Internet Explorer version: 8.0.6001.18702 
Mozilla Firefox version: 29.0.1 (x86 en-US)
Google Chrome version: 34.0.1847.137
Adobe Reader version: 10.1.9.22
Flash Player version: 12.0.0.77
 
==== Files Recently Created / Modified ======================
 
====== C:\windows ====
2014-05-16 03:37:21 33141C544B5B22F3E50089ED6A999843 248 ----a-w- C:\windows\RomeTW.ini
2014-05-13 07:11:41 F042EE4C8D66248D9B86DCF52ABAE416 256000 ----a-w- C:\windows\PEV.exe
2014-05-13 07:11:41 9E05A9C264C8A908A8E79450FCBFF047 80412 ----a-w- C:\windows\grep.exe
2014-05-13 07:11:41 5E832F4FAF5F481F2EAF3B3A48F603B8 68096 ----a-w- C:\windows\zip.exe
2014-05-13 07:11:41 0297C72529807322B152F517FDB0A9FC 406528 ----a-w- C:\windows\SWSC.exe
2014-05-13 07:11:41 0277C027A26428DB64EF4F64F52BB4FD 208896 ----a-w- C:\windows\MBR.exe
====== C:\DOCUME~1\DarkD\LOCALS~1\Temp ====
====== Java Cache =====
====== C:\windows\system32 =====
2014-05-08 01:37:15 0DC5AF80D059DEC792B665ED598C6567 536576 ----a-w- C:\windows\System32\sqlite3.dll
====== C:\windows\system32\drivers =====
2014-05-09 03:35:53 5F7B035B533B87EA936F8B04493879CC 50648 ----a-w- C:\windows\System32\drivers\mbamchameleon.sys
====== C:\windows\Tasks ======
====== C:\windows\Temp ======
======= C:\Program Files =====
2014-05-12 22:56:35 -------- d-----w- C:\Program Files\Trend Micro
2014-05-08 02:08:41 -------- d-----w- C:\Program Files\ESET
======= C: =====
====== C:\Documents and Settings\DarkD\Application Data ======
2014-05-16 03:37:31 -------- d-----w- C:\Documents and Settings\DarkD\Start Menu\Programs\Rome - Total War\Rome - Total War Help
2014-05-16 03:37:24 -------- d-----w- C:\Documents and Settings\DarkD\Start Menu\Programs\Rome - Total War
2014-05-13 00:31:28 -------- d-----w- C:\Documents and Settings\DarkD\Local Settings\Application Data\Norman Malware Cleaner
====== C:\Documents and Settings\DarkD ======
2014-05-18 05:42:07 D41D8CD98F00B204E9800998ECF8427E 0 ----a-w- C:\Documents and Settings\DarkD\defogger_reenable
2014-05-17 04:47:44 8375A51E60EF25560C707EF8F7B13231 106955778 ----a-w- C:\Documents and Settings\DarkD\Desktop\Rome Total War - patch 1.3.exe
2014-05-17 04:42:30 67F506B04D52DD33D0F3ACA3F1827A0A 29028189 ----a-w- C:\Documents and Settings\DarkD\Desktop\rome_total_war_patch_1-5.exe
 
====== C: exe-files ==
2014-05-18 05:41:41 9146F21288AB749C4C729343F5F285A1 50477 ----a-w- C:\Documents and Settings\DarkD\My Documents\Downloads\Defogger.exe
2014-05-17 04:47:44 8375A51E60EF25560C707EF8F7B13231 106955778 ----a-w- C:\Documents and Settings\DarkD\Desktop\Rome Total War - patch 1.3.exe
2014-05-17 04:42:30 67F506B04D52DD33D0F3ACA3F1827A0A 29028189 ----a-w- C:\Documents and Settings\DarkD\Desktop\rome_total_war_patch_1-5.exe
2014-05-16 20:53:58 A742CCF738AEFEF3078683BD0E803215 739808 ----a-w- C:\Documents and Settings\DarkD\Local Settings\Application Data\Google\Update\Download\{4DC8B4CA-1BDA-483E-B5FA-D3C12E15B62D}\34.0.1847.137\34.0.1847.137_34.0.1847.131_chrome_updater.exe
2014-05-16 03:15:06 77A94CBB70105C12FAB9800D89C209C7 236960 ----a-w- C:\Documents and Settings\DarkD\My Documents\Downloads\FreeZipSetup-N9UDJTW27.exe
2014-05-15 22:17:06 A587BDADDA1B70E455C23D6E2967D71A 236960 ----a-w- C:\Documents and Settings\DarkD\My Documents\Downloads\FreeZipSetup-N1sqcIH55.exe
2014-05-14 06:56:30 4D02C299851D6A9C07B0EB11FBF8A564 1056256 ----a-w- C:\Documents and Settings\DarkD\My Documents\Downloads\FRST.exe
2014-05-13 02:36:59 9AA5A93712C584ACDCAA7EEF9D25EF4D 300832 ----a-w- C:\Documents and Settings\DarkD\Desktop\tcpview\Tcpview.exe
2014-05-13 02:36:59 0D9540F8ED3EC25CF65B21454BD72123 199544 ----a-w- C:\Documents and Settings\DarkD\Desktop\tcpview\Tcpvcon.exe
=== C: other files ==
2014-05-17 04:43:20 732FAA70F964E78FC5DB5175AC6815EE 106525099 ----a-w- C:\Documents and Settings\DarkD\My Documents\Downloads\rome_totalwar_patch_1-3.zip
2014-05-17 04:40:36 1322A28AF02FD287A036BCF845DACD24 28829892 ----a-w- C:\Documents and Settings\DarkD\My Documents\Downloads\rome_total_war_patch_1-5.zip
2014-05-16 03:22:17 072483D4B8D3C67C7300710E14C21CB8 2101440 ----a-w- C:\Program Files\Steam\steamapps\common\Half-Life 2 Deathmatch\bin\itemtest.com
2014-05-16 03:17:42 072483D4B8D3C67C7300710E14C21CB8 2101440 ----a-w- C:\Program Files\Steam\steamapps\common\Counter-Strike Source\bin\itemtest.com
2014-05-13 21:11:38 8B968045D75783A09592C3105F2865DA 688992 ------r- C:\Documents and Settings\DarkD\My Documents\Downloads\dds.com
 
==== Startup Registry Enabled ======================
 
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\CTFMON.EXE"
 
[HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\CTFMON.EXE"
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UnlockerAssistant"="C:\Program Files\Unlocker\UnlockerAssistant.exe"
 
==== Startup Registry Disabled ======================
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"=""
"hkey"="HKLM"
"command"=""
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Adobe ARM]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="AdobeARM"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Common Files\\Adobe\\ARM\\1.0\\AdobeARM.exe\""
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\AdobeAAMUpdater-1.0]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="UpdaterStartupUtility"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Common Files\\Adobe\\OOBE\\PDApp\\UWA\\UpdaterStartupUtility.exe\""
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Alcmtr]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ALCMTR"
"hkey"="HKLM"
"command"="ALCMTR.EXE"
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\BluetoothAuthenticationAgent]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="\"rundll32"
"hkey"="HKLM"
"command"="\"rundll32.exe\" bthprops.cpl,,BluetoothAuthenticationAgent"
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\ctfmon.exe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="CTFMON"
"hkey"="HKCU"
"command"="C:\\windows\\system32\\CTFMON.EXE"
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\DAEMON Tools Lite]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="DTLite"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\DAEMON Tools Lite\\DTLite.exe\" -autorun"
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\DivXMediaServer]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="DivXMediaServer"
"hkey"="HKLM"
"command"="C:\\Program Files\\DivX\\DivX Media Server\\DivXMediaServer.exe"
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\DivXUpdate]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="DivXUpdate"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\DivX\\DivX Update\\DivXUpdate.exe\" /CHECKNOW"
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\DWQueuedReporting]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="dwtrig20"
"hkey"="HKLM"
"command"="\"C:\\PROGRA~1\\COMMON~1\\MICROS~1\\DW\\dwtrig20.exe\" -t"
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Google Update]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="GoogleUpdate"
"hkey"="HKCU"
"command"="\"C:\\Documents and Settings\\DarkD\\Local Settings\\Application Data\\Google\\Update\\GoogleUpdate.exe\" /c"
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\IMEKRMIG6.1]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="IMEKRMIG"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\ime\\imkr6_1\\IMEKRMIG.EXE"
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\IMJPMIG8.1]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="IMJPMIG"
"hkey"="HKLM"
"command"="\"C:\\WINDOWS\\IME\\imjp8_1\\IMJPMIG.EXE\" /Spoil /RemAdvDef /Migration32"
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\KBD]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="KBD"
"hkey"="HKLM"
"command"="C:\\HP\\KBD\\KBD.EXE"
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\KernelFaultCheck]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="dumprep 0 -k"
"hkey"="HKLM"
"command"="%systemroot%\\system32\\dumprep 0 -k"
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\LifeChat]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="LifeChat"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Microsoft LifeChat\\LifeChat.exe\""
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Messenger (Yahoo!)]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="YahooMessenger"
"hkey"="HKCU"
"command"="\"C:\\PROGRA~1\\Yahoo!\\Messenger\\YahooMessenger.exe\" -quiet"
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\MSMSGS]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="msmsgs"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\msnmsgr]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="msnmsgr"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe\" /background"
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\MSPY2002]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ImScInst"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\IME\\PINTLGNT\\ImScInst.exe /SYNC"
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\NvCplDaemon]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NvCpl"
"hkey"="HKLM"
"command"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\NvMediaCenter]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="RunDLL32"
"hkey"="HKLM"
"command"="RunDLL32.exe NvMCTray.dll,NvTaskbarInit -login"
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\nwiz]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="nwiz"
"hkey"="HKLM"
"command"="C:\\Program Files\\NVIDIA Corporation\\nview\\nwiz.exe /installquiet"
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\PHIME2002A]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="TINTSETP"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\IME\\TINTLGNT\\TINTSETP.EXE /IMEName"
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\PHIME2002ASync]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="TINTSETP"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\IME\\TINTLGNT\\TINTSETP.EXE /SYNC"
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Pidgin]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="pidgin"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Pidgin\\pidgin.exe\""
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\RTHDCPL]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="RTHDCPL"
"hkey"="HKLM"
"command"="RTHDCPL.EXE"
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Skype]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Skype"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Skype\\Phone\\Skype.exe\" /nosplash /minimized"
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Steam]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Steam"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Steam\\Steam.exe\" -silent"
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\SUPERAntiSpyware]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="SUPERAntiSpyware"
"hkey"="HKCU"
"command"="C:\\Program Files\\SUPERAntiSpyware\\SUPERAntiSpyware.exe"
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\TkBellExe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="realsched"
"hkey"="HKLM"
"command"="\"c:\\program files\\real\\realplayer\\update\\realsched.exe\"  -osboot"
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\tvncontrol]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="tvnserver"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Common Files\\Comodo\\tvnserver.exe\" -controlservice -slave"
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Vidalia]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="vidalia"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Vidalia Bundle\\Vidalia\\vidalia.exe\""
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\WinampAgent]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="winampa"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Winamp\\winampa.exe\""
 
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder]
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^desktop.ini]
"path"="C:\\Documents and Settings\\Administrator\\Start Menu\\Programs\\Startup\\desktop.ini"
"backup"="C:\\WINDOWS\\pss\\desktop.iniStartup"
"command"="C:\\Documents and Settings\\Administrator\\Start Menu\\Programs\\Startup\\desktop.ini"
"item"="desktop"
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^desktop.ini]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\desktop.ini"
"backup"="C:\\WINDOWS\\pss\\desktop.iniCommon Startup"
"command"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\desktop.ini"
"item"="desktop"
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^IP Phone Center.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\IP Phone Center.lnk"
"backup"="C:\\WINDOWS\\pss\\IP Phone Center.lnkCommon Startup"
"command"="C:\\PROGRA~1\\IPPHON~1\\IPCenter.exe $HideBuddyList$"
"item"="IP Phone Center"
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^McAfee Security Scan Plus.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\McAfee Security Scan Plus.lnk"
"backup"="C:\\WINDOWS\\pss\\McAfee Security Scan Plus.lnkCommon Startup"
"command"="C:\\PROGRA~1\\MCAFEE~1\\30D80A~1.285\\SSSCHE~1.EXE "
"item"="McAfee Security Scan Plus"
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Secunia PSI Tray.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Secunia PSI Tray.lnk"
"backup"="C:\\WINDOWS\\pss\\Secunia PSI Tray.lnkCommon Startup"
"command"="C:\\PROGRA~1\\Secunia\\PSI\\psi_tray.exe "
"item"="Secunia PSI Tray"
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Start livePCsupport Client.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Start livePCsupport Client.lnk"
"backup"="C:\\WINDOWS\\pss\\Start livePCsupport Client.lnkCommon Startup"
"command"="C:\\PROGRA~1\\COMODO\\LIVEPC~1\\launcher.exe \"unit_manager.exe\""
"item"="Start livePCsupport Client"
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Windows Search.lnk"
"backup"="C:\\WINDOWS\\pss\\Windows Search.lnkCommon Startup"
"command"="C:\\PROGRA~1\\WI459E~1\\WINDOW~1.EXE  /startup"
"item"="Windows Search"
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^DarkD^Start Menu^Programs^Startup^desktop.ini]
"path"="C:\\Documents and Settings\\DarkD\\Start Menu\\Programs\\Startup\\desktop.ini"
"backup"="C:\\WINDOWS\\pss\\desktop.iniStartup"
"command"="C:\\Documents and Settings\\DarkD\\Start Menu\\Programs\\Startup\\desktop.ini"
"item"="desktop"
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^DarkD^Start Menu^Programs^Startup^OpenOffice.org 3.3.lnk]
"path"="C:\\Documents and Settings\\DarkD\\Start Menu\\Programs\\Startup\\OpenOffice.org 3.3.lnk"
"backup"="C:\\WINDOWS\\pss\\OpenOffice.org 3.3.lnkStartup"
"command"="C:\\PROGRA~1\\OPENOF~1.ORG\\program\\QUICKS~1.EXE "
"item"="OpenOffice.org 3.3"
 
 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\Services]
 
 
==== Startup Folders ======================
 
2014-03-21 20:22:29 1576 ----a-w- C:\Documents and Settings\DarkD\Start Menu\Programs\Startup\Rainmeter.lnk
 
==== Task Scheduler Jobs ======================
 
C:\windows\tasks\Adobe Flash Player Updater.job --a------ C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2014/04/13 12:53]
C:\windows\tasks\GoogleUpdateTaskUserS-1-5-21-1417001333-776561741-725345543-1004Core.job --a------ C:\Documents and Settings\DarkD\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011/06/15 21:04]
C:\windows\tasks\GoogleUpdateTaskUserS-1-5-21-1417001333-776561741-725345543-1004UA.job --a------ C:\Documents and Settings\DarkD\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011/06/15 21:04]
C:\windows\tasks\Microsoft Windows XP End of Service Notification Logon.job --a------ C:\windows\system32\xp_eos.exe [2014/02/25 18:59]
C:\windows\tasks\Microsoft Windows XP End of Service Notification Monthly.job --a------ C:\windows\system32\xp_eos.exe [2014/02/25 18:59]
 
==== Firefox Extensions ======================
 
ProfilePath: C:\Documents and Settings\DarkD\Application Data\Mozilla\Firefox\Profiles\solfoden.default
- Google Translator for Firefox - %ProfilePath%\extensions\translator@zoli.bod.xpi
- DownThemAll - %ProfilePath%\extensions\{DDC359D1-844A-42a7-9AA1-88A850A938A8}.xpi
 
AppDir: C:\Program Files\Mozilla Firefox
- Undetermined - %AppDir%\extensions\{CAFEEFAC-0016-0000-0033-ABCDEFFEDCBA}
- Undetermined - %AppDir%\browser\extensions\afext@anchorfree.com
- Default - %AppDir%\browser\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
 
==== Firefox Plugins ======================
 
Profilepath: C:\Documents and Settings\DarkD\Application Data\Mozilla\Firefox\Profiles\solfoden.default
95812430959AE88CDD0301AB3A71913B - C:\windows\system32\Macromed\Flash\NPSWF32_12_0_0_77.dll - Shockwave Flash
01D93217A9EE48DD37072B671378CC9C - c:\Program Files\Microsoft Silverlight\5.1.30214.0\npctrl.dll - Silverlight Plug-In
DDC58F83CB93B89F7261CDFCFC6E7832 - C:\Documents and Settings\DarkD\Application Data\rcru\plugins\nprcplugin.dll - Raidcall plugin
3220B1254AEF7A191187EC03F51B3D61 - C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll - Adobe Acrobat
B2576571746839180833E048AC2CCA5C - C:\Program Files\Adobe\Reader 10.0\Reader\browser\nppdf32.dll - Adobe Acrobat
3D928B3FE97C403A33F803B3D1A260C9 - C:\Program Files\Google\Update\1.3.21.145\npGoogleUpdate3.dll - Google Update
AB87EEFFD18F2BAAFC274E7075EA6C67 - c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll - Windows Presentation Foundation / Windows Presentation Foundation
28000D7EEB2FD95A36E1A7539F599C3B - C:\Program Files\Windows Media Player\npdrmv2.dll - Microsoft? DRM
5D41BCD19A3D90E4EBB58A6BFB79E4F7 - C:\Program Files\Windows Media Player\npdsplay.dll - Windows Media Player Plug-in Dynamic Link Library
8B6884E3E1E5F8ABA5FA0C6A2B13181D - C:\Program Files\Windows Media Player\npwmsdrm.dll - Microsoft? DRM
28986F0A2342A033345EF9E70D395E4F - c:\Program Files\Microsoft Silverlight\5.1.30214.0\npctrlui.dll - Microsoft® Silverlight
 
 
==== Chrome Look ======================
 
Elapsed - DarkD\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\ajffocjdcmpgjmdfdfkdfdbkjafbkcke
Google Docs - DarkD\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake
Google Drive - DarkD\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf
YouTube - DarkD\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo
Google Search - DarkD\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf
Google Wallet - DarkD\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda
Gmail - DarkD\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia
 
==== Set IE to Default ======================
 
Old Values:
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AboutURLs]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes]
"DefaultScope"="{014DB5FA-EAFB-4592-A95B-F44D3EE87FA9}"
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{014DB5FA-EAFB-4592-A95B-F44D3EE87FA9}] not found
 
New Values:
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AboutURLs]
"Tabs"="res://ieframe.dll/tabswelcome.htm"
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes]
"DefaultScope"="{6A1806CD-94D4-4689-BA73-E35EA1EA9990}"
 
==== All HKCU SearchScopes ======================
 
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes
{0633EE93-D776-472f-A0FF-E1416B8B2E3A} Bing  Url="http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC"
 
==== Deleting Registry Keys ======================
 
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{05379267-981F-4FC9-C526-0D1D5DFAE8FC} deleted successfully
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{0F49E1C1-A23C-0F95-FCA8-99E20A18B074} deleted successfully
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{6A803DA6-F9E8-760F-21C0-EB995088BF38} deleted successfully
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite deleted successfully
 
==== HijackThis Entries ======================
 
O2 - BHO: Increase performance and video formats for your HTML5 <video> - {326E768D-4182-46FD-9C16-1449A49795F4} - C:\Program Files\DivX\DivX Plus Web Player\ie\DivXHTML5\DivXHTML5.dll
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - c:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Rainmeter.lnk = C:\Program Files\Rainmeter\Rainmeter.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\windows\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\windows\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O15 - Trusted Zone: *.clonewarsadventures.com
O15 - Trusted Zone: *.freerealms.com
O15 - Trusted Zone: *.soe.com
O15 - Trusted Zone: *.sony.com
O15 - ESC Trusted Zone: http://*.update.microsoft.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1347014504579
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1347014497189
O17 - HKLM\System\CCS\Services\Tcpip\..\{0CA6ECB1-39A3-41A4-80C3-A1C65520ABE8}: NameServer = 208.69.150.252,208.69.150.250
O17 - HKLM\System\CCS\Services\Tcpip\..\{246714F9-8354-4DF5-843B-CED9AB49A4B5}: NameServer = 208.69.150.252,208.69.150.250
O17 - HKLM\System\CCS\Services\Tcpip\..\{56F40D90-9CC8-4793-8A76-78E6DD342542}: NameServer = 208.69.150.252,208.69.150.250
O17 - HKLM\System\CCS\Services\Tcpip\..\{B2858738-7738-48EE-B64C-F3C92D31F324}: NameServer = 208.69.150.252,208.69.150.250
O17 - HKLM\System\CCS\Services\Tcpip\..\{D40F1268-03A4-4685-A455-B232ED465FAE}: NameServer = 208.69.150.252,208.69.150.250
O17 - HKLM\System\CS1\Services\Tcpip\..\{0CA6ECB1-39A3-41A4-80C3-A1C65520ABE8}: NameServer = 208.69.150.252,208.69.150.250
O17 - HKLM\System\CS2\Services\Tcpip\..\{0CA6ECB1-39A3-41A4-80C3-A1C65520ABE8}: NameServer = 208.69.150.252,208.69.150.250
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\windows\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\windows\System32\browseui.dll
O23 - Service: SAS Core Service (!SASCORE) - SUPERAntiSpyware.com - C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
O23 - Service: Adobe Flash Player Update Service (AdobeFlashPlayerUpdateSvc) - Adobe Systems Incorporated - C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe
O23 - Service: NVIDIA Update Service Daemon (nvUpdatusService) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe
 
==== Empty IE Cache ======================
 
C:\Documents and Settings\DarkD\Local Settings\Temporary Internet Files\Content.IE5\index.dat will be deleted at reboot
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat will be deleted at reboot
 
==== Empty FireFox Cache ======================
 
C:\Documents and Settings\DarkD\Local Settings\Application Data\Mozilla\Firefox\Profiles\solfoden.default\Cache emptied successfully
 
==== Empty Chrome Cache ======================
 
C:\Documents and Settings\DarkD\Local Settings\Application Data\Google\Chrome\User Data\Default\Cache emptied successfully
 
==== Empty All Flash Cache ======================
 
Flash Cache Emptied Successfully
 
==== Empty All Java Cache ======================
 
Java Cache cleared successfully
 
==== C:\zoek_backup content ======================
 
C:\zoek_backup (files=173 folders=57 8905237 bytes)
 
==== Empty Temp Folders ======================
 
C:\Documents and Settings\Administrator\Local Settings\temp emptied successfully
C:\Documents and Settings\DarkD\Local Settings\temp will be emptied at reboot
C:\Documents and Settings\Default User\Local Settings\temp emptied successfully
C:\Documents and Settings\LocalService\Local Settings\temp emptied successfully
C:\Documents and Settings\NetworkService\Local Settings\temp emptied successfully
C:\Documents and Settings\UpdatusUser\Local Settings\temp emptied successfully
C:\windows\Temp will be emptied at reboot
 
==== After Reboot ======================
 
==== Empty Temp Folders ======================
 
C:\windows\Temp successfully emptied
C:\DOCUME~1\DarkD\LOCALS~1\Temp successfully emptied
 
==== Deleting Files / Folders ======================
 
"C:\Documents and Settings\DarkD\Local Settings\Temporary Internet Files\Content.IE5\index.dat" not found
"C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat" not found
 
==== EOF on 2014/05/17 at 23:08:06.92 ======================


#7 seedy21

seedy21

  • Malware Response Team
  • 742 posts
  • OFFLINE
  • Gender:Male
  • Location:West Yorkshire, UK
  • Local time:07:22 PM

Posted 18 May 2014 - 01:43 PM

Hi DarkD
 

have a copy of Windows 7 that I just bought but haven't installed yet.  So if I break my computer I have an excuse to upgrade anyways, and I already have my files backed up on an external hard drive.


Great, I would highly recommend installing this, as Microsoft have stopped supporting Windows XP. I personally would start from scratch instead of upgrading to Windows 7, but the choice is down to you.
 

My logic is that as long as I don't do anything sensitive on my computer I should be fine.


I'm afraid it doesn't work like that. Please read the following articles, as they explain why you need anti-virus software:

htg explains why you need an antivirus on windows no matter how careful you are
 
Why do I need antivirus and antispyware software?

Step 1

We need to run a Command with Command Prompt

Click on Start, click on Run and type in "cmd.exe" and click Run.
Type in the following line, followed by pressing Enter:

reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\jdebnkdbv /s > cmd.txt && Notepad cmd.txt

If there were no errors, please exit Command Prompt.

This will have opened a text file called cmd. Please copy and paste the contents into your next reply.


Edited by seedy21, 18 May 2014 - 01:45 PM.

“It's only after we've lost everything that we're free to do anything.”
― Chuck Palahniuk, Fight Club



#8 DarkD

DarkD
  • Topic Starter

  • Members
  • 69 posts
  • OFFLINE
  • Local time:11:22 AM

Posted 18 May 2014 - 04:15 PM

I'll download an antivirus then.  But what I'm afraid of is that all those traces from previous antiviruses I have left on my computer will affect them somehow.  I think I deleted Comodo the wrong way without thinking and it's never really been disabled.  Is it safe if I just delete the Comodo folder in the common folder section?  I am guessing there might be some dependencies, but the core of Comodo is already gone.  The new antivirus I downloaded is AVG, and I don't want to install it until these other AV remnants are cleaned up.  
 
Oh and what do you mean by "start from scratch instead of updating to windows 7."
 
! REG.EXE VERSION 3.0
 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\jdebnkdbv
    DisplayName REG_SZ Update Center
    Type REG_DWORD 0x20
    Start REG_DWORD 0x2
    ErrorControl REG_DWORD 0x0
    ImagePath REG_EXPAND_SZ %SystemRoot%\system32\svchost.exe -k netsvcs
    ObjectName REG_SZ LocalSystem
    Description REG_SZ Manages audio devices for Windows-based programs. If this service is stopped, audio devices and effects will not function properly. If this service is disabled, any services that explicitly depend on it will fail to start.
 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\jdebnkdbv\Parameters
    ServiceDll REG_EXPAND_SZ C:\WINDOWS\system32\ixyaacaf.dll
 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\jdebnkdbv\Enum
    0 REG_SZ Root\LEGACY_JDEBNKDBV\0000
    Count REG_DWORD 0x1
    NextInstance REG_DWORD 0x1

Edited by DarkD, 19 May 2014 - 12:56 AM.
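The reg query in #7 and the output posted in #8 show the pattern worth recognising: a service hosted by svchost.exe whose ServiceDll is an unfamiliar DLL and whose Description was copied from a built-in Windows service. The script below is an added example for this thread, not a tool used by the helpers here; it parses `reg query ... /s` output of that shape and flags such services. The sample text and the partial DLL allowlist are constructed (a practitioner would export the allowlist from a known-clean machine).

```python
"""Flag svchost-hosted services that look planted, from `reg query /s` output.

Added example for this thread; not part of any tool used in the thread.
"""
import re
from typing import Dict, List, Set, Tuple

SERVICES_ROOT = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services"

# Opening sentence of the built-in Windows Audio service description on XP.
# A service under any other name that reuses it has borrowed the text to look
# legitimate. The mapping can be extended with other built-in services.
BUILTIN_DESCRIPTIONS = {
    "AudioSrv": "Manages audio devices for Windows-based programs.",
}

# Constructed partial allowlist of ServiceDll base names for the netsvcs
# group; in practice export this from a clean install of the same build.
KNOWN_NETSVCS_DLLS: Set[str] = {"audiosrv.dll", "wuauserv.dll", "browser.dll"}

# Constructed sample, modelled on the output DarkD posted (the service name
# and DLL name are the ones from the thread; AudioSrv is a clean control).
SAMPLE_REG_OUTPUT = r"""! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\jdebnkdbv
    DisplayName REG_SZ Update Center
    Type REG_DWORD 0x20
    Start REG_DWORD 0x2
    ImagePath REG_EXPAND_SZ %SystemRoot%\system32\svchost.exe -k netsvcs
    ObjectName REG_SZ LocalSystem
    Description REG_SZ Manages audio devices for Windows-based programs. If this service is stopped, audio devices and effects will not function properly.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\jdebnkdbv\Parameters
    ServiceDll REG_EXPAND_SZ C:\WINDOWS\system32\ixyaacaf.dll

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\jdebnkdbv\Enum
    0 REG_SZ Root\LEGACY_JDEBNKDBV\0000
    Count REG_DWORD 0x1

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AudioSrv
    DisplayName REG_SZ Windows Audio
    ImagePath REG_EXPAND_SZ %SystemRoot%\System32\svchost.exe -k netsvcs
    Description REG_SZ Manages audio devices for Windows-based programs. If this service is stopped, audio devices and effects will not function properly.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AudioSrv\Parameters
    ServiceDll REG_EXPAND_SZ %SystemRoot%\System32\audiosrv.dll
"""

# Indented value line: <name> <REG_type> <data, may contain spaces>
VALUE_RE = re.compile(r"^\s+(\S+)\s+(REG_[A-Z_]+)\s*(.*)$")


def parse_reg_query(text: str) -> Dict[str, Dict[str, str]]:
    """Return {key_path: {value_name: data}} for every key in the output."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            current = line.strip()
            keys[current] = {}
        elif current is not None:
            match = VALUE_RE.match(line)
            if match:
                name, _reg_type, data = match.groups()
                keys[current][name] = data.strip()
    return keys


def services_from_keys(keys: Dict[str, Dict[str, str]]) -> Dict[str, dict]:
    """Group the service key and its Parameters subkey under the service name."""
    services: Dict[str, dict] = {}
    prefix = SERVICES_ROOT.lower() + "\\"
    for path, values in keys.items():
        if not path.lower().startswith(prefix):
            continue
        parts = path[len(prefix):].split("\\")
        svc = services.setdefault(parts[0], {"values": {}, "parameters": {}})
        if len(parts) == 1:
            svc["values"].update(values)
        elif len(parts) == 2 and parts[1].lower() == "parameters":
            svc["parameters"].update(values)
    return services


def find_suspicious_services(text: str, known_dlls: Set[str]) -> List[Tuple[str, str]]:
    """Return (service_name, reason) pairs for svchost-hosted services that
    load an unknown DLL or reuse a built-in service's description."""
    findings: List[Tuple[str, str]] = []
    for name, svc in services_from_keys(parse_reg_query(text)).items():
        if "svchost.exe" not in svc["values"].get("ImagePath", "").lower():
            continue  # only svchost-hosted services are checked here
        dll = svc["parameters"].get("ServiceDll", "")
        if not dll:
            findings.append((name, "svchost-hosted service has no ServiceDll"))
        elif dll.rsplit("\\", 1)[-1].lower() not in known_dlls:
            findings.append((name, f"unknown ServiceDll {dll}"))
        desc = svc["values"].get("Description", "")
        for builtin, builtin_desc in BUILTIN_DESCRIPTIONS.items():
            if desc.startswith(builtin_desc) and name.lower() != builtin.lower():
                findings.append((name, f"description copied from built-in {builtin}"))
    return findings


if __name__ == "__main__":
    for service, reason in find_suspicious_services(SAMPLE_REG_OUTPUT, KNOWN_NETSVCS_DLLS):
        print(f"{service}: {reason}")
```

On a live machine, feed it the cmd.txt produced by the reg query from #7 (or a `reg query ...\Services /s` over all services) and review every flagged entry before deciding what to remove.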


#9 seedy21

seedy21

  • Malware Response Team
  • 742 posts
  • OFFLINE
  • Gender:Male
  • Location:West Yorkshire, UK
  • Local time:07:22 PM

Posted 19 May 2014 - 10:17 AM

Hi DarkD
 

Oh and what do you mean by "start from scratch instead of updating to windows 7."


Sometimes with some versions of Windows you can upgrade the system files instead of having to start from a clean install. I had a quick look and I'm afraid there isn't an option from Windows XP to Windows 7.

Step 1

We need to check your Network Connection.

Click Start->Control Panel->select and double click Network and internet connections->select and double click Network Connections.


Double-click the Local Area Connection icon; highlight Internet Protocol (TCP/IP) tab in the Local Area Connection Properties window that appears.


Double click it or click Properties. The TCP/IP Properties window will display.

Select Obtain an IP address automatically and Obtain DNS Server address automatically. These may be selected by default. Then click OK to save the setting.

Step 2

Please download Combofix from one of the following locations and save it on your Desktop:

Please open Notepad (Through Start Menu -> Accessories -> Notepad) and copy/paste this code into notepad, exactly as it is: (DON'T include the 'Quote:')
 

KILLALL::

Driver::
jdebnkdbv

File::
C:\WINDOWS\system32\ixyaacaf.dll

DDS::
TCP: Interfaces\{0CA6ECB1-39A3-41A4-80C3-A1C65520ABE8} : NameServer = 208.69.150.252,208.69.150.250
TCP: Interfaces\{246714F9-8354-4DF5-843B-CED9AB49A4B5} : NameServer = 208.69.150.252,208.69.150.250
TCP: Interfaces\{56F40D90-9CC8-4793-8A76-78E6DD342542} : NameServer = 208.69.150.252,208.69.150.250
TCP: Interfaces\{B2858738-7738-48EE-B64C-F3C92D31F324} : NameServer = 208.69.150.252,208.69.150.250
TCP: Interfaces\{D40F1268-03A4-4685-A455-B232ED465FAE} : NameServer = 208.69.150.252,208.69.150.250
ShellExec: BitComet.exe: open="c:\program files\bitcomet\BitComet.exe"

Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\uTorrent\\uTorrent.exe"=-
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26357:TCP"=-
"26357:UDP"=-

JavaClearCache::

Reboot::


Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.

Make sure your Anti-Virus is disabled while we do this. You can disable your Anti-Virus and Anti-Spyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, please read this.

CFScriptB-4.gif

Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.

ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.

When the scan has finished, it will execute the script and reboot your computer automatically. Don't reboot your computer manually; let ComboFix do it.

Once your computer is rebooted, ComboFix will start preparing a log. Please let it do so unhindered. After a few minutes, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.


Step 3

How is your machine running now? Do you still get the Fake Java pages?


“It's only after we've lost everything that we're free to do anything.”
― Chuck Palahniuk, Fight Club



#10 DarkD

DarkD
  • Topic Starter

  • Members
  • 69 posts
  • OFFLINE
  • Local time:11:22 AM

Posted 19 May 2014 - 02:59 PM

Ok, I was planning on doing a clean install anyways. 

 

Step 1 was already done before I changed anything. 

 

The problems I experienced before only happened at the odd time, so I can't say if it's worked yet.  If I don't reply, then take that as a good thing. 

 

ComboFix 14-05-19.01 - DarkD 19/05/2014  12:23:10.4.4 - x86
Microsoft Windows XP Home Edition  5.1.2600.3.932.81.1033.18.3327.2687 [GMT -7:00]
Running from: c:\documents and settings\DarkD\My Documents\Downloads\ComboFix.exe
Command switches used :: c:\documents and settings\DarkD\Desktop\CFScript.txt
.
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
FILE ::
"c:\windows\system32\ixyaacaf.dll"
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_JDEBNKDBV
-------\Service_jdebnkdbv
.
.
(((((((((((((((((((((((((   Files Created from 2014-04-19 to 2014-05-19  )))))))))))))))))))))))))))))))
.
.
2014-05-18 21:17 . 2014-05-18 21:18    --------    d-----w-    c:\documents and settings\All Users\Application Data\AVAST Software
2014-05-18 06:05 . 2014-05-18 05:43    24064    ----a-w-    c:\windows\zoek-delete.exe
2014-05-18 05:43 . 2014-05-18 05:56    --------    d-----w-    C:\zoek_backup
2014-05-17 04:48 . 2002-12-05 21:10    155648    ----a-w-    c:\program files\Common Files\InstallShield\Professional\RunTime\0701\Intel32\iuser.dll
2014-05-17 04:48 . 2002-12-02 20:33    237568    ----a-w-    c:\program files\Common Files\InstallShield\Professional\RunTime\0701\Intel32\iscript.dll
2014-05-17 04:48 . 2014-05-17 04:48    163972    ----a-w-    c:\program files\Common Files\InstallShield\Professional\RunTime\0701\Intel32\iGdi.dll
2014-05-17 04:48 . 2005-03-24 12:18    692224    ----a-w-    c:\program files\Common Files\InstallShield\Professional\RunTime\0701\Intel32\iKernel.dll
2014-05-17 04:48 . 2002-12-02 22:22    5632    ----a-w-    c:\program files\Common Files\InstallShield\Professional\RunTime\0701\Intel32\DotNetInstaller.exe
2014-05-17 04:48 . 2002-12-02 20:33    57344    ----a-w-    c:\program files\Common Files\InstallShield\Professional\RunTime\0701\Intel32\ctor.dll
2014-05-17 04:48 . 2014-05-17 04:48    282756    ----a-w-    c:\program files\Common Files\InstallShield\Professional\RunTime\0701\Intel32\setup.dll
2014-05-14 09:50 . 2014-05-14 09:52    --------    d-----w-    C:\FRST
2014-05-13 00:31 . 2014-05-13 00:31    --------    d-----w-    c:\documents and settings\DarkD\Local Settings\Application Data\Norman Malware Cleaner
2014-05-12 22:56 . 2014-05-12 22:56    388096    ----a-r-    c:\documents and settings\DarkD\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2014-05-12 22:56 . 2014-05-12 22:56    --------    d-----w-    c:\program files\Trend Micro
2014-05-10 08:21 . 2014-05-07 02:26    965232    ----a-w-    c:\program files\Mozilla Firefox\icuuc52.dll
2014-05-10 08:21 . 2014-05-07 02:26    1266800    ----a-w-    c:\program files\Mozilla Firefox\icuin52.dll
2014-05-10 08:21 . 2014-05-07 02:26    10594416    ----a-w-    c:\program files\Mozilla Firefox\icudt52.dll
2014-05-09 03:35 . 2014-05-09 03:35    --------    d-----w-    c:\program files\Malwarebytes Anti-Malware
2014-05-09 03:35 . 2014-04-03 16:51    50648    ----a-w-    c:\windows\system32\drivers\mbamchameleon.sys
2014-05-08 02:08 . 2014-05-08 02:08    --------    d-----w-    c:\program files\ESET
2014-05-08 02:00 . 2014-05-08 02:00    --------    d-----w-    c:\windows\ERUNT
2014-05-08 01:37 . 2010-08-30 15:34    536576    ----a-w-    c:\windows\system32\sqlite3.dll
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2014-05-09 03:37 . 2013-12-21 09:51    107736    ----a-w-    c:\windows\system32\drivers\mbamswissarmy.sys
2014-04-13 19:53 . 2012-04-30 15:57    692400    ----a-w-    c:\windows\system32\FlashPlayerApp.exe
2014-04-13 19:53 . 2011-06-16 17:06    70832    ----a-w-    c:\windows\system32\FlashPlayerCPLApp.cpl
2014-04-03 16:50 . 2013-03-17 09:39    23256    ----a-w-    c:\windows\system32\drivers\mbam.sys
2014-02-26 01:59 . 2014-03-25 05:28    13312    ------w-    c:\windows\system32\xp_eos.exe
2014-02-24 11:46 . 2003-03-31 12:00    920064    ----a-w-    c:\windows\system32\wininet.dll
2014-02-24 11:45 . 2003-03-31 12:00    43520    ----a-w-    c:\windows\system32\licmgr10.dll
2014-02-24 11:45 . 2003-03-31 12:00    1469440    ----a-w-    c:\windows\system32\inetcpl.cpl
2014-02-24 11:45 . 2003-03-31 12:00    18944    ----a-w-    c:\windows\system32\corpol.dll
2014-02-24 10:54 . 2004-08-04 05:59    385024    ----a-w-    c:\windows\system32\html.iec
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
c:\documents and settings\DarkD\Start Menu\Programs\Startup\
Rainmeter.lnk - c:\program files\Rainmeter\Rainmeter.exe [2014-2-23 36024]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2013-05-07 115440]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute    REG_MULTI_SZ       autocheck autochk *\0bootdelete\0bootdelete
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37.sys]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HitmanPro37Crusader]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HitmanPro37CrusaderBoot]
@=""
.
[HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^desktop.ini]
path=c:\documents and settings\Administrator\Start Menu\Programs\Startup\desktop.ini
backup=c:\windows\pss\desktop.iniStartup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^desktop.ini]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\desktop.ini
backup=c:\windows\pss\desktop.iniCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^IP Phone Center.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\IP Phone Center.lnk
backup=c:\windows\pss\IP Phone Center.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^McAfee Security Scan Plus.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\McAfee Security Scan Plus.lnk
backup=c:\windows\pss\McAfee Security Scan Plus.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Secunia PSI Tray.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Secunia PSI Tray.lnk
backup=c:\windows\pss\Secunia PSI Tray.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Start livePCsupport Client.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Start livePCsupport Client.lnk
backup=c:\windows\pss\Start livePCsupport Client.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
backup=c:\windows\pss\Windows Search.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^DarkD^Start Menu^Programs^Startup^desktop.ini]
path=c:\documents and settings\DarkD\Start Menu\Programs\Startup\desktop.ini
backup=c:\windows\pss\desktop.iniStartup
.
[HKLM\~\startupfolder\C:^Documents and Settings^DarkD^Start Menu^Programs^Startup^OpenOffice.org 3.3.lnk]
path=c:\documents and settings\DarkD\Start Menu\Programs\Startup\OpenOffice.org 3.3.lnk
backup=c:\windows\pss\OpenOffice.org 3.3.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2013-11-21 16:57    959904    ----a-w-    c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeAAMUpdater-1.0]
2010-03-06 10:44    500208    ----a-w-    c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\updaterstartuputility.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
2010-11-04 00:13    64104    ----a-w-    c:\windows\ALCMTR.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BluetoothAuthenticationAgent]
2008-04-14 00:12    110592    ----a-w-    c:\windows\system32\bthprops.cpl
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12    15360    ----a-w-    c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DivXMediaServer]
2013-05-20 02:37    450560    ----a-w-    c:\program files\DivX\DivX Media Server\DivXMediaServer.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DivXUpdate]
2013-02-13 02:37    1263952    ----a-w-    c:\program files\DivX\DivX Update\DivXUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DWQueuedReporting]
2011-07-27 11:13    434080    ----a-w-    c:\progra~1\COMMON~1\MICROS~1\DW\DWTRIG20.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2011-06-16 04:04    136176    ----atw-    c:\documents and settings\DarkD\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMEKRMIG6.1]
2003-03-31 12:00    44032    ----a-w-    c:\windows\ime\imkr6_1\imekrmig.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
2004-08-04 05:31    208952    ----a-w-    c:\windows\ime\imjp8_1\imjpmig.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KBD]
2005-02-02 22:44    61440    ----a-w-    c:\hp\KBD\kbd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LifeChat]
2008-08-21 17:16    267296    ----a-w-    c:\program files\Microsoft LifeChat\LifeChat.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12    1695232    ----a-w-    c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
2010-04-17 04:12    3872080    ----a-w-    c:\program files\Windows Live\Messenger\msnmsgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSPY2002]
2003-03-31 12:00    59392    ----a-w-    c:\windows\system32\IME\PINTLGNT\IMSCINST.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2012-12-01 04:53    15524712    ----a-w-    c:\windows\system32\nvcpl.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
2012-12-01 04:53    108392    ----a-w-    c:\windows\system32\nvmctray.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
2012-12-03 15:40    1982312    ----a-w-    c:\program files\NVIDIA Corporation\nView\nwiz.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A]
2003-03-31 12:00    455168    ----a-w-    c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync]
2003-03-31 12:00    455168    ----a-w-    c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Pidgin]
2012-07-05 13:24    49321    ----a-w-    c:\program files\Pidgin\pidgin.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
2012-08-06 22:37    20117136    ----a-w-    c:\windows\RTHDCPL.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
2013-11-14 23:42    20584608    ----a-r-    c:\program files\Skype\Phone\Skype.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
2014-04-23 22:01    1825984    ----a-w-    c:\program files\Steam\Steam.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
2014-01-21 03:30    5625624    ----a-w-    c:\program files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2013-02-07 04:47    295072    ----a-w-    c:\program files\Real\RealPlayer\Update\realsched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\tvncontrol]
2012-01-27 15:47    828944    ----a-w-    c:\program files\Common Files\Comodo\tvnserver.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Vidalia]
2011-08-28 01:43    5402115    ----a-w-    c:\program files\Vidalia Bundle\Vidalia\vidalia.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
2012-06-28 15:40    74752    ----a-w-    c:\program files\Winamp\winampa.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Giraffic"=2 (0x2)
"WMPNetworkSvc"=2 (0x2)
"SwitchBoard"=3 (0x3)
"ose"=3 (0x3)
"odserv"=3 (0x3)
"idsvc"=3 (0x3)
"BBSvc"=3 (0x3)
"ComputerUpdater Service"=2 (0x2)
"Steam Client Service"=3 (0x3)
"rpcapd"=3 (0x3)
"NetTcpPortSharing"=2 (0x2)
"HssTrayService"=3 (0x3)
"hshld"=2 (0x2)
"YahooAUService"=2 (0x2)
"Browser Defender Update Service"=2 (0x2)
"sdCoreService"=3 (0x3)
"sdAuxService"=3 (0x3)
"AVP"=2 (0x2)
"MBAMService"=2 (0x2)
"HssWd"=2 (0x2)
"HssSrv"=2 (0x2)
"WebrootSpySweeperService"=2 (0x2)
"WRConsumerService"=2 (0x2)
"ThreatFire"=3 (0x3)
"Secunia Update Agent"=2 (0x2)
"Secunia PSI Agent"=2 (0x2)
"wlidsvc"=3 (0x3)
"tvnserver"=2 (0x2)
"SkypeUpdate"=2 (0x2)
"RealNetworks Downloader Resolver Service"=2 (0x2)
"McComponentHostService"=3 (0x3)
"gupdatem"=3 (0x3)
"gupdate"=2 (0x2)
"HiPatchService"=2 (0x2)
"MBAMScheduler"=2 (0x2)
"RoyalRoadsvn"=3 (0x3)
"wampmysqld"=3 (0x3)
"wampapache"=3 (0x3)
"MozillaMaintenance"=3 (0x3)
"IDriverT"=3 (0x3)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\NVIDIA Corporation\\NVIDIA Updatus\\daemonu.exe"=
"c:\\Program Files\\Steam\\Steam.exe"=
"c:\\Program Files\\Opera\\opera.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Steam\\steamapps\\colbylast@shaw.ca\\synergy dedicated server\\srcds.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Civilization4.exe"=
"c:\\Program Files\\NVIDIA Corporation\\NVIDIA Update Core\\daemonu.exe"=
"c:\\Program Files\\Steam\\steamapps\\colbylast@shaw.ca\\half-life\\hl.exe"=
"c:\\Program Files\\Origin Games\\SimCity\\SimCity\\SimCity.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\Dwarfs - F2P\\Dwarfs.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\Impire\\Impire.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\Darwinia\\darwinia.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\towns\\Towns.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\Half-Life 2 Deathmatch\\hl2.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\Counter-Strike Source\\hl2.exe"=
"c:\\Program Files\\Ubisoft\\Ubisoft Game Launcher\\UbisoftGameLauncher.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\Fallout New Vegas\\FalloutNVLauncher.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\KillingFloor\\System\\KillingFloor.exe"=
"c:\\Program Files\\Steam\\steamapps\\colbylast@shaw.ca\\garrysmod\\hl2.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\Terraria\\Terraria.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\Age2HD\\Launcher.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\Shadowrun Returns\\Shadowrun.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\TheBridge\\The Bridge.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\War For The Overworld\\WFTO.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\Prison Architect\\Prison Architect.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\Sid Meier's Civilization V\\Launcher.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\CraftTheWorld\\CraftWorld.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\7 Days To Die\\7DaysToDie.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\Half-Life 2\\hl2.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\Banished\\Application-steam-x32.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\Half-Life\\hl.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\Half-Life 1 Source Deathmatch\\hl2.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\Godus\\windows\\godus.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\The Wolf Among Us\\TheWolfAmongUs.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\Agarest Zero\\AgarestZero.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\Orcs Must Die 2\\build\\release\\OrcsMustDie2.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\Source SDK Base 2007\\hl2.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\Source SDK Base\\hl2.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\SourceSDK\\bin\\SDKLauncher.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\SirYouAreBeingHunted\\x86\\sir.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\dont_starve\\bin\\dontstarve_steam.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\Skyrim\\SkyrimLauncher.exe"=
"c:\\Documents and Settings\\DarkD\\Local Settings\\Application Data\\Google\\Chrome\\Application\\chrome.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9909:TCP"= 9909:TCP:aiwmu
"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management
.
R1 CFRMD;CFRMD;c:\windows\system32\drivers\CFRMD.sys [03/08/2012 9:23 AM 36112]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [22/07/2011 9:27 AM 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [12/07/2011 2:55 PM 67664]
R2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCore.exe [23/05/2013 1:11 PM 119056]
R2 cpuz135;cpuz135;c:\windows\system32\drivers\cpuz135_x32.sys [08/03/2013 4:19 PM 21992]
R2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [25/06/2010 10:07 AM 35088]
R2 SBKUPNT;SBKUPNT;c:\windows\system32\drivers\SBKUPNT.SYS [25/02/2014 5:58 PM 14976]
S0 mv61xx;mv61xx; [x]
S0 TfFsMon;TfFsMon; [x]
S0 TFSysMon;TfSysMon; [x]
S2 {09BB444F-B2E2-4009-BAF2-7B727681223E};BuddyVM;\??\c:\program files\VMLaunch\BuddyVM.sys --> c:\program files\VMLaunch\BuddyVM.sys [?]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [15/06/2011 10:08 PM 1691480]
S3 EagleXNt;EagleXNt; [x]
S3 TfNetMon;TfNetMon; [x]
S3 XDva401;XDva401; [x]
S4 CLPSLauncher;COMODO LPS Launcher;c:\program files\Common Files\Comodo\launcher_service.exe [23/08/2012 9:17 AM 70352]
S4 cmderd;COMODO Internet Security Eradication Driver;c:\windows\system32\drivers\cmderd.sys [11/03/2012 8:13 PM 18056]
S4 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdGuard.sys [11/03/2012 8:13 PM 494968]
S4 HiPatchService;Hi-Rez Studios Authenticate and Update Service;c:\program files\Hi-Rez Studios\HiPatchService.exe [01/07/2012 3:50 PM 8704]
S4 RealNetworks Downloader Resolver Service;RealNetworks Downloader Resolver Service;c:\program files\RealNetworks\RealDownloader\rndlresolversvc.exe [29/11/2012 9:31 PM 38608]
S4 RoyalRoadsvn;RoyalRoadsvn; [x]
S4 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [23/10/2013 8:15 AM 172192]
S4 tvnserver;TightVNC Server;c:\program files\Common Files\Comodo\tvnserver.exe [27/01/2012 8:47 AM 828944]
.
Contents of the 'Scheduled Tasks' folder
.
2014-05-19 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-30 19:53]
.
2014-05-19 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1417001333-776561741-725345543-1004Core.job
- c:\documents and settings\DarkD\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-06-16 04:04]
.
2014-05-19 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1417001333-776561741-725345543-1004UA.job
- c:\documents and settings\DarkD\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-06-16 04:04]
.
2014-05-19 c:\windows\Tasks\Microsoft Windows XP End of Service Notification Logon.job
- c:\windows\system32\xp_eos.exe [2014-03-25 01:59]
.
2014-05-08 c:\windows\Tasks\Microsoft Windows XP End of Service Notification Monthly.job
- c:\windows\system32\xp_eos.exe [2014-03-25 01:59]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
IE: &Translate with ATLAS
IE: ATLAS Translation &Editor
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Trusted Zone: clonewarsadventures.com
Trusted Zone: freerealms.com
Trusted Zone: soe.com
Trusted Zone: sony.com
TCP: DhcpNameServer = 64.59.144.93 64.59.150.139 192.168.1.1
TCP: Interfaces\{0CA6ECB1-39A3-41A4-80C3-A1C65520ABE8}: NameServer = 208.69.150.252,208.69.150.250
TCP: Interfaces\{246714F9-8354-4DF5-843B-CED9AB49A4B5}: NameServer = 208.69.150.252,208.69.150.250
TCP: Interfaces\{56F40D90-9CC8-4793-8A76-78E6DD342542}: NameServer = 208.69.150.252,208.69.150.250
TCP: Interfaces\{B2858738-7738-48EE-B64C-F3C92D31F324}: NameServer = 208.69.150.252,208.69.150.250
TCP: Interfaces\{D40F1268-03A4-4685-A455-B232ED465FAE}: NameServer = 208.69.150.252,208.69.150.250
FF - ProfilePath - c:\documents and settings\DarkD\Application Data\Mozilla\Firefox\Profiles\solfoden.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - about:home
.
- - - - ORPHANS REMOVED - - - -
.
MSConfigStartUp-Messenger (Yahoo!) - c:\progra~1\Yahoo!\Messenger\YahooMessenger.exe
AddRemove-Yahoo! Messenger - c:\progra~1\Yahoo!\MESSEN~1\UNWISE.EXE
AddRemove-{95716cce-fc71-413f-8ad5-56c2892d4b3a} - c:\documents and settings\All Users\Application Data\Package Cache\{95716cce-fc71-413f-8ad5-56c2892d4b3a}\vcredist_x86.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2014-05-19 12:40
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...  
.
scanning hidden autostart entries ...
.
scanning hidden files ...  
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\windows\\system32\\Macromed\\Flash\\FlashUtil32_13_0_0_182_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\windows\\system32\\Macromed\\Flash\\FlashUtil32_13_0_0_182_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\VideoLAN.VLCPlugin.*1*]
@="?????????????????? v1"
.
[HKEY_LOCAL_MACHINE\software\Classes\VideoLAN.VLCPlugin.*1*\CLSID]
@="{E23FE9C6-778E-49D4-B537-38FCDE4887D8}"
.
[HKEY_LOCAL_MACHINE\software\Classes\VideoLAN.VLCPlugin.*2*]
@="?????????????????? v2"
.
[HKEY_LOCAL_MACHINE\software\Classes\VideoLAN.VLCPlugin.*2*\CLSID]
@="{9BE31822-FDAD-461B-AD51-BE1D1C159921}"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(3588)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe
c:\windows\system32\SearchIndexer.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2014-05-19  12:45:58 - machine was rebooted
ComboFix-quarantined-files.txt  2014-05-19 19:45
ComboFix2.txt  2014-05-13 07:34
.
Pre-Run: 40,237,293,568 bytes free
Post-Run: 40,226,500,608 bytes free
.
- - End Of File - - 690665B273B55A77EDF9ED62E43596F4
FA4B270ECF84BA2B87843C741EBB5D1F
 



#11 seedy21

  • Malware Response Team
  • 742 posts
  • Gender:Male
  • Location:West Yorkshire, UK

Posted 19 May 2014 - 04:59 PM

Hi DarkD

 

Give your machine a run for a couple of days and let me know if the issue still persists before I give you additional instructions.


“It's only after we've lost everything that we're free to do anything.”
― Chuck Palahniuk, Fight Club



#12 DarkD

  • Topic Starter
  • Members
  • 69 posts

Posted 19 May 2014 - 08:56 PM

I think you fixed the core problem, but there's still another redirect I think.  

 

http://lp.sharelive.net/?appid=1572&lpid=3518

 

Although I feel much better about this redirect than the others. If this is malware, then I'm guessing it's from those crazy VLC player entries in the log. Should I be concerned about this?

 

EDIT

 

I am starting to doubt that it was a redirect; it was probably just a pop-up. It took over a tab and I have a terrible short-term memory, so I couldn't tell whether it opened a new tab or redirected me. I couldn't click back, so who knows...


Edited by DarkD, 20 May 2014 - 01:10 AM.


#13 seedy21

  • Malware Response Team
  • 742 posts
  • Gender:Male
  • Location:West Yorkshire, UK

Posted 20 May 2014 - 04:02 PM

Hi DarkD
 
Do you know why your TCP/IP settings include San Fran IP DNS assignments associated with this company:
 

Prana Systems, LLC.
271 Cumberland St.
Suite #2
San Francisco, CA 94114
UNITED STATES

 
 
Delete ComboFix from your system and Download ComboFix from one of the following locations:
 
 

  • LINK 1
  • LINK 2
    **IMPORTANT! Save ComboFix to your Desktop. Read the following thoroughly
     
  • Close any open browsers.
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Note: If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link : How to Disable your Security Programs
  • Double click on 'ComboFix.exe' & follow the prompts.
  • If ComboFix finds any updates, please allow ComboFix to run them.


    FOR WINDOWS XP COMPUTERS ONLY

    Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

    Click on 'Yes', to continue scanning for malware.
     
  • ComboFix will now disconnect your computer from the Internet and start scanning for malware, so do not be surprised or concerned if you receive any warnings stating that you are no longer on the Internet. When ComboFix has finished it will automatically restore your Internet connection. Please be patient.
  • When the scan has finished, it will delete the malware found and reboot your computer automatically. Don't reboot your computer manually; let ComboFix do it.
  • Once your computer is rebooted, ComboFix will start preparing a log. Please let it do so unhindered.
  • If you see your Windows desktop disappear, do not worry. This is normal and ComboFix will restore your desktop before it is finished. Eventually you will see a new screen that states the program is almost finished and telling you the programs log file, or report, will be located at C:\ComboFix.txt.

    Please include the contents of C:\ComboFix.txt and C:\QooBox\Add-Remove Programs.txt in your next reply.

    Please Enable your Anti-virus Software again !!

    Notes:
    1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
    2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.
    3. ComboFix may reset a number of Internet Explorer's settings, including making Internet Explorer the default browser.
    4. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security.

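seedy21's question above is about the `TCP: Interfaces\{GUID}: NameServer` lines in the DDS log: every adapter is pinned to the same two public resolvers while `DhcpNameServer` shows what the router actually handed out. The script below is an added example for this thread, not part of DDS, ComboFix or anyone's post. It parses those lines, reports every adapter whose static resolvers were neither DHCP-assigned nor on a private/loopback network, and notes when all flagged adapters share one list, the pattern a software-installed override leaves behind. The first sample log is copied from the log posted above; the second is constructed for illustration (one adapter pinned to the DHCP router, one pinned to a public resolver).

```python
"""Audit the DNS lines of a DDS/ComboFix 'Supplementary Scan' for static
resolver overrides.

Added example for this thread; it is not part of DDS, ComboFix or the
thread's own posts.
"""
import ipaddress
import re
from dataclasses import dataclass

# Lines copied from the DDS/ComboFix log posted earlier in this thread.
SAMPLE_LOG = r"""
uStart Page = hxxp://www.google.com
TCP: DhcpNameServer = 64.59.144.93 64.59.150.139 192.168.1.1
TCP: Interfaces\{0CA6ECB1-39A3-41A4-80C3-A1C65520ABE8}: NameServer = 208.69.150.252,208.69.150.250
TCP: Interfaces\{246714F9-8354-4DF5-843B-CED9AB49A4B5}: NameServer = 208.69.150.252,208.69.150.250
TCP: Interfaces\{56F40D90-9CC8-4793-8A76-78E6DD342542}: NameServer = 208.69.150.252,208.69.150.250
TCP: Interfaces\{B2858738-7738-48EE-B64C-F3C92D31F324}: NameServer = 208.69.150.252,208.69.150.250
TCP: Interfaces\{D40F1268-03A4-4685-A455-B232ED465FAE}: NameServer = 208.69.150.252,208.69.150.250
"""

# Constructed input (not from the thread): a home router via DHCP, one adapter
# pinned to that same router, one adapter pinned to a public resolver.
CONSTRUCTED_LOG = r"""
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{AAAAAAAA-0000-0000-0000-000000000001}: NameServer = 192.168.1.1
TCP: Interfaces\{AAAAAAAA-0000-0000-0000-000000000002}: NameServer = 8.8.8.8,8.8.4.4
"""

DHCP_RE = re.compile(r"^TCP:\s*DhcpNameServer\s*=\s*(.+)$")
IFACE_RE = re.compile(
    r"^TCP:\s*Interfaces\\(\{[0-9A-Fa-f-]+\}):\s*NameServer\s*=\s*(.+)$"
)


@dataclass
class DnsFinding:
    interface: str   # adapter GUID exactly as printed in the log
    resolvers: list  # every resolver set statically on that adapter
    unexpected: list # the subset that neither DHCP nor a private network explains


def _split_servers(raw):
    # DDS prints DHCP resolvers space separated and static ones comma separated.
    return [s for s in re.split(r"[\s,]+", raw.strip()) if s]


def _is_local(server):
    # A router or local resolver on RFC 1918 / loopback space is not a finding.
    try:
        addr = ipaddress.ip_address(server)
    except ValueError:
        return False  # not an IP literal at all: keep it as unexpected
    return addr.is_private or addr.is_loopback


def audit_dns(log_text):
    """Return (dhcp_servers, findings) for one DDS/ComboFix log text."""
    lines = [ln.strip() for ln in log_text.splitlines()]
    dhcp = []
    for ln in lines:  # DHCP line first, so ordering in the log does not matter
        m = DHCP_RE.match(ln)
        if m:
            dhcp = _split_servers(m.group(1))
            break
    findings = []
    for ln in lines:
        m = IFACE_RE.match(ln)
        if not m:
            continue
        servers = _split_servers(m.group(2))
        unexpected = [s for s in servers if s not in dhcp and not _is_local(s)]
        if unexpected:
            findings.append(DnsFinding(m.group(1), servers, unexpected))
    return dhcp, findings


def shared_override(findings):
    """If two or more flagged adapters carry the identical resolver list,
    return it: one list stamped onto every adapter points at software that
    rewrote the settings rather than at one adapter configured by hand."""
    if len(findings) < 2:
        return None
    distinct = {tuple(f.resolvers) for f in findings}
    return list(distinct.pop()) if len(distinct) == 1 else None


if __name__ == "__main__":
    dhcp, findings = audit_dns(SAMPLE_LOG)
    print("DHCP-assigned resolvers:", dhcp)
    for f in findings:
        print(f.interface, "static resolvers not from DHCP:", f.unexpected)
    print("same override on every flagged adapter:", shared_override(findings))
```

The script only surfaces the mismatch; whether a given public resolver is legitimate is left to the reader, who can compare it with software they remember installing, which is exactly the comparison made in the next reply.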


#14 DarkD

  • Topic Starter
  • Members
  • 69 posts

Posted 21 May 2014 - 12:26 AM

It may be because I had Hotspot Shield installed on my computer for a time. I have long since deleted that and as many components of it as I could find, but when I look at the logs here I can still see remnants of it floating around. Anything with the letter combination "hss" is probably from that. It is a program that loads a crap tonne of adware onto your PC.
 
ComboFix 14-05-19.01 - DarkD 20/05/2014  21:55:39.5.4 - x86
Microsoft Windows XP Home Edition  5.1.2600.3.1252.2.1033.18.3327.2626 [GMT -7:00]
Running from: c:\documents and settings\DarkD\My Documents\Downloads\ComboFix.exe
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\Microsoft Corporation\Microsoft® Windows® Operating System
.
.
(((((((((((((((((((((((((   Files Created from 2014-04-21 to 2014-05-21  )))))))))))))))))))))))))))))))
.
.
2014-05-19 23:20 . 1999-05-29 08:08 45568 ----a-w- c:\windows\UniFish3.exe
2014-05-19 23:18 . 2014-05-19 23:18 -------- d-----w- c:\program files\Hasbro Interactive
2014-05-19 20:15 . 2014-05-19 20:15 -------- d-----w- c:\documents and settings\DarkD\Application Data\AVAST Software
2014-05-19 20:13 . 2014-05-19 20:13 57672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2014-05-19 20:13 . 2014-05-19 20:13 180632 ----a-w- c:\windows\system32\drivers\aswVmm.sys
2014-05-19 20:13 . 2014-05-19 20:14 777488 ----a-w- c:\windows\system32\drivers\aswsnx.sys
2014-05-19 20:13 . 2014-05-19 20:14 411680 ----a-w- c:\windows\system32\drivers\aswsp.sys
2014-05-19 20:13 . 2014-05-19 20:13 49944 ----a-w- c:\windows\system32\drivers\aswRvrt.sys
2014-05-19 20:13 . 2014-05-19 20:13 67824 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2014-05-19 20:13 . 2014-05-19 20:13 24184 ----a-w- c:\windows\system32\drivers\aswHwid.sys
2014-05-19 20:13 . 2014-05-19 20:14 54832 ----a-w- c:\windows\system32\drivers\aswrdr.sys
2014-05-19 20:13 . 2014-05-19 20:13 271264 ----a-w- c:\windows\system32\aswBoot.exe
2014-05-19 20:13 . 2014-05-19 20:13 43152 ----a-w- c:\windows\avastSS.scr
2014-05-19 20:08 . 2014-05-19 20:08 -------- d-----w- c:\program files\AVAST Software
2014-05-18 21:17 . 2014-05-18 21:18 -------- d-----w- c:\documents and settings\All Users\Application Data\AVAST Software
2014-05-18 06:05 . 2014-05-18 05:43 24064 ----a-w- c:\windows\zoek-delete.exe
2014-05-18 05:43 . 2014-05-18 05:56 -------- d-----w- C:\zoek_backup
2014-05-17 04:48 . 2002-12-05 21:10 155648 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\0701\Intel32\iuser.dll
2014-05-17 04:48 . 2002-12-02 20:33 237568 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\0701\Intel32\iscript.dll
2014-05-17 04:48 . 2014-05-17 04:48 163972 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\0701\Intel32\iGdi.dll
2014-05-17 04:48 . 2005-03-24 12:18 692224 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\0701\Intel32\iKernel.dll
2014-05-17 04:48 . 2002-12-02 22:22 5632 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\0701\Intel32\DotNetInstaller.exe
2014-05-17 04:48 . 2002-12-02 20:33 57344 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\0701\Intel32\ctor.dll
2014-05-17 04:48 . 2014-05-17 04:48 282756 ----a-w- c:\program files\Common Files\InstallShield\Professional\RunTime\0701\Intel32\setup.dll
2014-05-14 09:50 . 2014-05-14 09:52 -------- d-----w- C:\FRST
2014-05-13 00:31 . 2014-05-13 00:31 -------- d-----w- c:\documents and settings\DarkD\Local Settings\Application Data\Norman Malware Cleaner
2014-05-12 22:56 . 2014-05-12 22:56 -------- d-----w- c:\program files\Trend Micro
2014-05-10 08:21 . 2014-05-07 02:26 965232 ----a-w- c:\program files\Mozilla Firefox\icuuc52.dll
2014-05-10 08:21 . 2014-05-07 02:26 1266800 ----a-w- c:\program files\Mozilla Firefox\icuin52.dll
2014-05-10 08:21 . 2014-05-07 02:26 10594416 ----a-w- c:\program files\Mozilla Firefox\icudt52.dll
2014-05-09 03:35 . 2014-05-09 03:35 -------- d-----w- c:\program files\Malwarebytes Anti-Malware
2014-05-09 03:35 . 2014-04-03 16:51 50648 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys
2014-05-08 02:08 . 2014-05-08 02:08 -------- d-----w- c:\program files\ESET
2014-05-08 02:00 . 2014-05-08 02:00 -------- d-----w- c:\windows\ERUNT
2014-05-08 01:37 . 2010-08-30 15:34 536576 ----a-w- c:\windows\system32\sqlite3.dll
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2014-05-20 21:09 . 2012-04-30 15:57 692400 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2014-05-20 21:09 . 2011-06-16 17:06 70832 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2014-05-20 10:19 . 2013-12-21 09:51 107736 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2014-05-19 20:13 . 2014-05-19 20:13 776976 ----a-w- c:\windows\system32\drivers\aswsnx.sys.1400530472968
2014-05-19 20:13 . 2014-05-19 20:13 411552 ----a-w- c:\windows\system32\drivers\aswsp.sys.1400530472968
2014-05-19 20:13 . 2014-05-19 20:13 54832 ----a-w- c:\windows\system32\drivers\aswrdr.sys.1400530472968
2014-04-03 16:50 . 2013-03-17 09:39 23256 ----a-w- c:\windows\system32\drivers\mbam.sys
2014-02-26 01:59 . 2014-03-25 05:28 13312 ------w- c:\windows\system32\xp_eos.exe
2014-02-24 11:46 . 2003-03-31 12:00 920064 ----a-w- c:\windows\system32\wininet.dll
2014-02-24 11:45 . 2003-03-31 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2014-02-24 11:45 . 2003-03-31 12:00 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2014-02-24 11:45 . 2003-03-31 12:00 18944 ----a-w- c:\windows\system32\corpol.dll
2014-02-24 10:54 . 2004-08-04 05:59 385024 ----a-w- c:\windows\system32\html.iec
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2014-05-19 20:13 260976 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"uTorrent"="c:\documents and settings\DarkD\My Documents\Downloads\uTorrent.exe" [2014-05-20 1669456]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AvastUI.exe"="c:\program files\AVAST Software\Avast\AvastUI.exe" [2014-05-19 3873704]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
c:\documents and settings\DarkD\Start Menu\Programs\Startup\
Rainmeter.lnk - c:\program files\Rainmeter\Rainmeter.exe [2014-2-23 36024]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2013-05-07 115440]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ   autocheck autochk *\0bootdelete\0bootdelete\0aswBoot.exe /M:11cb064416 /dir:C:\Program
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^desktop.ini]
path=c:\documents and settings\Administrator\Start Menu\Programs\Startup\desktop.ini
backup=c:\windows\pss\desktop.iniStartup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^desktop.ini]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\desktop.ini
backup=c:\windows\pss\desktop.iniCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^IP Phone Center.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\IP Phone Center.lnk
backup=c:\windows\pss\IP Phone Center.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^McAfee Security Scan Plus.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\McAfee Security Scan Plus.lnk
backup=c:\windows\pss\McAfee Security Scan Plus.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Secunia PSI Tray.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Secunia PSI Tray.lnk
backup=c:\windows\pss\Secunia PSI Tray.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Start livePCsupport Client.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Start livePCsupport Client.lnk
backup=c:\windows\pss\Start livePCsupport Client.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
backup=c:\windows\pss\Windows Search.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^DarkD^Start Menu^Programs^Startup^desktop.ini]
path=c:\documents and settings\DarkD\Start Menu\Programs\Startup\desktop.ini
backup=c:\windows\pss\desktop.iniStartup
.
[HKLM\~\startupfolder\C:^Documents and Settings^DarkD^Start Menu^Programs^Startup^OpenOffice.org 3.3.lnk]
path=c:\documents and settings\DarkD\Start Menu\Programs\Startup\OpenOffice.org 3.3.lnk
backup=c:\windows\pss\OpenOffice.org 3.3.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2013-11-21 16:57 959904 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeAAMUpdater-1.0]
2010-03-06 10:44 500208 ----a-w- c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\updaterstartuputility.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
2010-11-04 00:13 64104 ----a-w- c:\windows\ALCMTR.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BluetoothAuthenticationAgent]
2008-04-14 00:12 110592 ----a-w- c:\windows\system32\bthprops.cpl
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DivXMediaServer]
2013-05-20 02:37 450560 ----a-w- c:\program files\DivX\DivX Media Server\DivXMediaServer.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DivXUpdate]
2013-02-13 02:37 1263952 ----a-w- c:\program files\DivX\DivX Update\DivXUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DWQueuedReporting]
2011-07-27 11:13 434080 ----a-w- c:\progra~1\COMMON~1\MICROS~1\DW\DWTRIG20.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2011-06-16 04:04 136176 ----atw- c:\documents and settings\DarkD\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMEKRMIG6.1]
2003-03-31 12:00 44032 ----a-w- c:\windows\ime\imkr6_1\imekrmig.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
2004-08-04 05:31 208952 ----a-w- c:\windows\ime\imjp8_1\imjpmig.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KBD]
2005-02-02 22:44 61440 ----a-w- c:\hp\KBD\kbd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LifeChat]
2008-08-21 17:16 267296 ----a-w- c:\program files\Microsoft LifeChat\LifeChat.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
2010-04-17 04:12 3872080 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSPY2002]
2003-03-31 12:00 59392 ----a-w- c:\windows\system32\IME\PINTLGNT\IMSCINST.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2012-12-01 04:53 15524712 ----a-w- c:\windows\system32\nvcpl.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
2012-12-01 04:53 108392 ----a-w- c:\windows\system32\nvmctray.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
2012-12-03 15:40 1982312 ----a-w- c:\program files\NVIDIA Corporation\nView\nwiz.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A]
2003-03-31 12:00 455168 ----a-w- c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync]
2003-03-31 12:00 455168 ----a-w- c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Pidgin]
2012-07-05 13:24 49321 ----a-w- c:\program files\Pidgin\pidgin.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
2012-08-06 22:37 20117136 ----a-w- c:\windows\RTHDCPL.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
2013-11-14 23:42 20584608 ----a-r- c:\program files\Skype\Phone\Skype.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
2014-04-23 22:01 1825984 ----a-w- c:\program files\Steam\Steam.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
2014-01-21 03:30 5625624 ----a-w- c:\program files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2013-02-07 04:47 295072 ----a-w- c:\program files\Real\RealPlayer\Update\realsched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Vidalia]
2011-08-28 01:43 5402115 ----a-w- c:\program files\Vidalia Bundle\Vidalia\vidalia.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
2012-06-28 15:40 74752 ----a-w- c:\program files\Winamp\winampa.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Giraffic"=2 (0x2)
"WMPNetworkSvc"=2 (0x2)
"SwitchBoard"=3 (0x3)
"ose"=3 (0x3)
"odserv"=3 (0x3)
"idsvc"=3 (0x3)
"BBSvc"=3 (0x3)
"ComputerUpdater Service"=2 (0x2)
"Steam Client Service"=3 (0x3)
"rpcapd"=3 (0x3)
"NetTcpPortSharing"=2 (0x2)
"HssTrayService"=3 (0x3)
"hshld"=2 (0x2)
"YahooAUService"=2 (0x2)
"Browser Defender Update Service"=2 (0x2)
"sdCoreService"=3 (0x3)
"sdAuxService"=3 (0x3)
"AVP"=2 (0x2)
"MBAMService"=2 (0x2)
"HssWd"=2 (0x2)
"HssSrv"=2 (0x2)
"WebrootSpySweeperService"=2 (0x2)
"WRConsumerService"=2 (0x2)
"ThreatFire"=3 (0x3)
"Secunia Update Agent"=2 (0x2)
"Secunia PSI Agent"=2 (0x2)
"wlidsvc"=3 (0x3)
"tvnserver"=2 (0x2)
"SkypeUpdate"=2 (0x2)
"RealNetworks Downloader Resolver Service"=2 (0x2)
"McComponentHostService"=3 (0x3)
"gupdatem"=3 (0x3)
"gupdate"=2 (0x2)
"HiPatchService"=2 (0x2)
"MBAMScheduler"=2 (0x2)
"RoyalRoadsvn"=3 (0x3)
"wampmysqld"=3 (0x3)
"wampapache"=3 (0x3)
"MozillaMaintenance"=3 (0x3)
"IDriverT"=3 (0x3)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\NVIDIA Corporation\\NVIDIA Updatus\\daemonu.exe"=
"c:\\Program Files\\Steam\\Steam.exe"=
"c:\\Program Files\\Opera\\opera.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Steam\\steamapps\\colbylast@shaw.ca\\synergy dedicated server\\srcds.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Civilization4.exe"=
"c:\\Program Files\\NVIDIA Corporation\\NVIDIA Update Core\\daemonu.exe"=
"c:\\Program Files\\Steam\\steamapps\\colbylast@shaw.ca\\half-life\\hl.exe"=
"c:\\Program Files\\Origin Games\\SimCity\\SimCity\\SimCity.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\Dwarfs - F2P\\Dwarfs.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\Impire\\Impire.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\Darwinia\\darwinia.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\towns\\Towns.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\Half-Life 2 Deathmatch\\hl2.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\Counter-Strike Source\\hl2.exe"=
"c:\\Program Files\\Ubisoft\\Ubisoft Game Launcher\\UbisoftGameLauncher.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\Fallout New Vegas\\FalloutNVLauncher.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\KillingFloor\\System\\KillingFloor.exe"=
"c:\\Program Files\\Steam\\steamapps\\colbylast@shaw.ca\\garrysmod\\hl2.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\Terraria\\Terraria.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\Age2HD\\Launcher.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\Shadowrun Returns\\Shadowrun.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\TheBridge\\The Bridge.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\War For The Overworld\\WFTO.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\Prison Architect\\Prison Architect.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\Sid Meier's Civilization V\\Launcher.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\CraftTheWorld\\CraftWorld.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\7 Days To Die\\7DaysToDie.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\Half-Life 2\\hl2.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\Banished\\Application-steam-x32.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\Half-Life\\hl.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\Half-Life 1 Source Deathmatch\\hl2.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\Godus\\windows\\godus.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\The Wolf Among Us\\TheWolfAmongUs.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\Agarest Zero\\AgarestZero.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\Orcs Must Die 2\\build\\release\\OrcsMustDie2.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\Source SDK Base 2007\\hl2.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\Source SDK Base\\hl2.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\SourceSDK\\bin\\SDKLauncher.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\SirYouAreBeingHunted\\x86\\sir.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\dont_starve\\bin\\dontstarve_steam.exe"=
"c:\\Program Files\\Steam\\steamapps\\common\\Skyrim\\SkyrimLauncher.exe"=
"c:\\Documents and Settings\\DarkD\\Local Settings\\Application Data\\Google\\Chrome\\Application\\chrome.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9909:TCP"= 9909:TCP:aiwmu
"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management 
.
R0 aswVmm;avast! VM Monitor;c:\windows\system32\drivers\aswVmm.sys [19/05/2014 1:13 PM 180632]
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswsnx.sys [19/05/2014 1:13 PM 777488]
R1 CFRMD;CFRMD;c:\windows\system32\drivers\CFRMD.sys [03/08/2012 9:23 AM 36112]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [22/07/2011 9:27 AM 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [12/07/2011 2:55 PM 67664]
R2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCore.exe [23/05/2013 1:11 PM 119056]
R2 aswHwid;avast! HardwareID;c:\windows\system32\drivers\aswHwid.sys [19/05/2014 1:13 PM 24184]
R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [19/05/2014 1:13 PM 67824]
R2 cpuz135;cpuz135;c:\windows\system32\drivers\cpuz135_x32.sys [08/03/2013 4:19 PM 21992]
R2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [25/06/2010 10:07 AM 35088]
R2 SBKUPNT;SBKUPNT;c:\windows\system32\drivers\SBKUPNT.SYS [25/02/2014 5:58 PM 14976]
S0 aswRvrt;avast! Revert;c:\windows\system32\drivers\aswRvrt.sys [19/05/2014 1:13 PM 49944]
S0 mv61xx;mv61xx; [x]
S0 TfFsMon;TfFsMon; [x]
S0 TFSysMon;TfSysMon; [x]
S1 aswSP;aswSP;c:\windows\system32\drivers\aswsp.sys [19/05/2014 1:13 PM 411680]
S2 {09BB444F-B2E2-4009-BAF2-7B727681223E};BuddyVM;\??\c:\program files\VMLaunch\BuddyVM.sys --> c:\program files\VMLaunch\BuddyVM.sys [?]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [15/06/2011 10:08 PM 1691480]
S3 EagleXNt;EagleXNt; [x]
S3 TfNetMon;TfNetMon; [x]
S3 XDva401;XDva401; [x]
S4 CLPSLauncher;COMODO LPS Launcher;"c:\program files\Common Files\Comodo\launcher_service.exe" --> c:\program files\Common Files\Comodo\launcher_service.exe [?]
S4 cmderd;COMODO Internet Security Eradication Driver;c:\windows\system32\DRIVERS\cmderd.sys --> c:\windows\system32\DRIVERS\cmderd.sys [?]
S4 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\DRIVERS\cmdguard.sys --> c:\windows\system32\DRIVERS\cmdguard.sys [?]
S4 HiPatchService;Hi-Rez Studios Authenticate and Update Service;c:\program files\Hi-Rez Studios\HiPatchService.exe [01/07/2012 3:50 PM 8704]
S4 RealNetworks Downloader Resolver Service;RealNetworks Downloader Resolver Service;c:\program files\RealNetworks\RealDownloader\rndlresolversvc.exe [29/11/2012 9:31 PM 38608]
S4 RoyalRoadsvn;RoyalRoadsvn; [x]
S4 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [23/10/2013 8:15 AM 172192]
S4 tvnserver;TightVNC Server;"c:\program files\Common Files\Comodo\tvnserver.exe" -service --> c:\program files\Common Files\Comodo\tvnserver.exe [?]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - APXKFTCS
*NewlyCreated* - ASWHWID
*NewlyCreated* - ASWMONFLT
*NewlyCreated* - ASWRDR
*NewlyCreated* - ASWSNX
*NewlyCreated* - ASWTDI
*NewlyCreated* - ASWVMM
*NewlyCreated* - AVAST!_ANTIVIRUS
.
Contents of the 'Scheduled Tasks' folder
.
2014-05-21 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-30 21:09]
.
2014-05-20 c:\windows\Tasks\avast! Emergency Update.job
- c:\program files\AVAST Software\Avast\AvastEmUpdate.exe [2014-05-19 20:13]
.
2014-05-20 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1417001333-776561741-725345543-1004Core.job
- c:\documents and settings\DarkD\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-06-16 04:04]
.
2014-05-21 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1417001333-776561741-725345543-1004UA.job
- c:\documents and settings\DarkD\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-06-16 04:04]
.
2014-05-19 c:\windows\Tasks\Microsoft Windows XP End of Service Notification Logon.job
- c:\windows\system32\xp_eos.exe [2014-03-25 01:59]
.
2014-05-08 c:\windows\Tasks\Microsoft Windows XP End of Service Notification Monthly.job
- c:\windows\system32\xp_eos.exe [2014-03-25 01:59]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
IE: &Translate with ATLAS
IE: ATLAS Translation &Editor
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Trusted Zone: clonewarsadventures.com
Trusted Zone: freerealms.com
Trusted Zone: soe.com
Trusted Zone: sony.com
TCP: DhcpNameServer = 64.59.144.93 64.59.150.139 192.168.1.1
TCP: Interfaces\{0CA6ECB1-39A3-41A4-80C3-A1C65520ABE8}: NameServer = 208.69.150.252,208.69.150.250
TCP: Interfaces\{246714F9-8354-4DF5-843B-CED9AB49A4B5}: NameServer = 208.69.150.252,208.69.150.250
TCP: Interfaces\{56F40D90-9CC8-4793-8A76-78E6DD342542}: NameServer = 208.69.150.252,208.69.150.250
TCP: Interfaces\{B2858738-7738-48EE-B64C-F3C92D31F324}: NameServer = 208.69.150.252,208.69.150.250
TCP: Interfaces\{D40F1268-03A4-4685-A455-B232ED465FAE}: NameServer = 208.69.150.252,208.69.150.250
FF - ProfilePath - c:\documents and settings\DarkD\Application Data\Mozilla\Firefox\Profiles\solfoden.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - about:home
.
- - - - ORPHANS REMOVED - - - -
.
MSConfigStartUp-tvncontrol - c:\program files\Common Files\Comodo\tvnserver.exe
AddRemove-uTorrent - c:\program files\uTorrent\uTorrent.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2014-05-20 22:09
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...  
.
scanning hidden autostart entries ... 
.
scanning hidden files ...  
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\windows\\system32\\Macromed\\Flash\\FlashUtil32_13_0_0_214_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\windows\\system32\\Macromed\\Flash\\FlashUtil32_13_0_0_214_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\VideoLAN.VLCPlugin.*1*]
@="?????????????????? v1"
.
[HKEY_LOCAL_MACHINE\software\Classes\VideoLAN.VLCPlugin.*1*\CLSID]
@="{E23FE9C6-778E-49D4-B537-38FCDE4887D8}"
.
[HKEY_LOCAL_MACHINE\software\Classes\VideoLAN.VLCPlugin.*2*]
@="?????????????????? v2"
.
[HKEY_LOCAL_MACHINE\software\Classes\VideoLAN.VLCPlugin.*2*\CLSID]
@="{9BE31822-FDAD-461B-AD51-BE1D1C159921}"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(2108)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2014-05-20  22:11:20
ComboFix-quarantined-files.txt  2014-05-21 05:11
ComboFix2.txt  2014-05-19 19:45
ComboFix3.txt  2014-05-13 07:34
.
Pre-Run: 39,351,296,000 bytes free
Post-Run: 39,393,079,296 bytes free
.
- - End Of File - - DCD461470D6C2DDC2FEDB81C654511E1
FA4B270ECF84BA2B87843C741EBB5D1F
 
_inmm.dll 2.38
7-Zip 9.22beta
7 Days to Die
Adobe Community Help
Adobe Flash Player 13 ActiveX
Adobe Flash Player 13 Plugin
Adobe Media Player
Adobe Reader X (10.1.9)
Agarest Zero
Age of Empires II: HD Edition
Age of Empires III
aMSN 0.98.4
Apache Tomcat 7.0.34
Atheros Communications Inc.® AR81Family Gigabit/Fast Ethernet Driver
µTorrent
avast! Free Antivirus
AVS Update Manager 1.0
AVS Video Converter 8
AVS4YOU Software Navigator 1.4
Banished
Battle.net
CamStudio
CDex - Open Source Digital Audio CD Extractor
CDisplay 1.8
Cisco Connect
Command & Conquer Red Alert 2
CompuApps SwissKnife V3
Counter-Strike: Source
CPUID CPU-Z 1.63.0
Craft The World
Darwinia
Dedicated Server
Dia (remove only)
Diablo
DivX Setup
Don't Starve
DubIt
Dune 2000
Dungeon Keeper 2
Dwarfs F2P
DwimPerl version 0.07
EditPlus 3
Enhanced Multimedia Keyboard Solution
Fallout: New Vegas
Garry's Mod
GlassFish Server Open Source Edition 3.1.2.2
Godus
GOM Player
Google Chrome
Google Update Helper
Half-Life
Half-Life 2
Half-Life 2: Episode One
Half-Life 2: Episode Two
Half-Life Dedicated Server Update Tool
Hi-Rez Studios Authenticate and Update Service
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB2443685)
Hotfix for Windows XP (KB2633952)
Hotfix for Windows XP (KB2756822)
Hotfix for Windows XP (KB2779562)
Hotfix for Windows XP (KB915800-v4)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB981793)
ImgBurn
Impire
InfraRecorder
IsoBuster 3.2
Itibiti RTC
JDownloader 0.9
Killing Floor
Malwarebytes Anti-Malware version 2.0.1.1004
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 4 Client Profile
Microsoft .NET Framework 4 Extended
Microsoft Age of Empires II
Microsoft Application Compatibility Toolkit 5.6
Microsoft Application Error Reporting
Microsoft Base Smart Card Cryptographic Service Provider Package
Microsoft Chart Controls for Microsoft .NET Framework 3.5 (KB2500170)
Microsoft Choice Guard
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Games for Windows - LIVE Redistributable
Microsoft Games for Windows Marketplace
Microsoft LifeChat
Microsoft Office 2007 Service Pack 3 (SP3)
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office File Validation Add-In
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Professional Plus 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Silverlight
Microsoft Software Update for Web Folders  (English) 12
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30411
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219
Microsoft Visual C++ 2012 x86 Additional Runtime - 11.0.60610
Microsoft Visual C++ 2012 x86 Minimum Runtime - 11.0.60610
Microsoft Visual Studio 2010 Tools for Office Runtime (x86)
Microsoft XNA Framework Redistributable 3.1
Microsoft XNA Framework Redistributable 4.0 Refresh
Microsoft_VC80_ATL_x86
Microsoft_VC80_CRT_x86
Microsoft_VC80_MFC_x86
Microsoft_VC80_MFCLOC_x86
Microsoft_VC90_ATL_x86
Microsoft_VC90_CRT_x86
Microsoft_VC90_MFC_x86
MinGW-Get version 0.5-beta-20120426-1
Mozilla Firefox 29.0.1 (x86 en-US)
Mozilla Maintenance Service
MSVCRT
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 4.0 SP2 and SOAP Toolkit 3.0
MSXML 4.0 SP3 Parser
MSXML 4.0 SP3 Parser (KB2758694)
MSXML4 Parser
NetBeans IDE 7.3
Notepad++
NVIDIA Control Panel 310.70
NVIDIA Graphics Driver 310.70
NVIDIA Install Application
NVIDIA nView 136.53
NVIDIA nView Desktop Manager
NVIDIA PhysX
NVIDIA PhysX System Software 9.12.1031
NVIDIA Update 1.11.3
NVIDIA Update Components
OpenOffice.org 3.3
Opera 12.13
Orcs Must Die! 2
Origin
Paint.NET v3.5.10
Perfect Uninstaller v6.3.3.9
Pharaoh Gold Bundle
Pidgin
Polipo 1.0.4.1
Prison Architect
RaidCall
Rainmeter
RealDownloader
RealNetworks - Microsoft Visual C++ 2008 Runtime
RealNetworks - Microsoft Visual C++ 2010 Runtime
RealPlayer
REALTEK GbE & FE Ethernet PCI-E NIC Driver
Realtek High Definition Audio Driver
RealUpgrade 1.1
Revo Uninstaller 1.95
Roll
Rome - Total War™
Rome Total War - patch 1.3
Security Task Manager 1.8f
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2604111)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2736416)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2840629)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2861697)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2604121)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368v2)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656405)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2686827)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2729449)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2736428)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2737019)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2742595)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2789642)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2804576)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2832407)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2835393)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2840628)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2840628v2)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2858302v2)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2861188)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2898855v2)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2901110v2)
Security Update for Microsoft .NET Framework 4 Extended (KB2487367)
Security Update for Microsoft .NET Framework 4 Extended (KB2656351)
Security Update for Microsoft .NET Framework 4 Extended (KB2736428)
Security Update for Microsoft .NET Framework 4 Extended (KB2742595)
Security Update for Microsoft .NET Framework 4 Extended (KB2858302v2)
Security Update for Microsoft .NET Framework 4 Extended (KB2901110v2)
Security Update for Microsoft Office 2007 suites (KB2596744) 32-Bit Edition 
Security Update for Microsoft Office 2007 suites (KB2596754) 32-Bit Edition 
Security Update for Microsoft Office 2007 suites (KB2596792) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2596825) 32-Bit Edition 
Security Update for Microsoft Office 2007 suites (KB2596871) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2597969) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2597973) 32-Bit Edition 
Security Update for Microsoft Office 2007 suites (KB2687439) 32-Bit Edition 
Security Update for Microsoft Office 2007 suites (KB2687441) 32-Bit Edition 
Security Update for Microsoft Office 2007 suites (KB2760411) 32-Bit Edition 
Security Update for Microsoft Office 2007 suites (KB2760415) 32-Bit Edition 
Security Update for Microsoft Office 2007 suites (KB2760585) 32-Bit Edition 
Security Update for Microsoft Office 2007 suites (KB2760591) 32-Bit Edition 
Security Update for Microsoft Office 2007 suites (KB2817641) 32-Bit Edition 
Security Update for Microsoft Office 2007 suites (KB2827326) 32-Bit Edition 
Security Update for Microsoft Office 2007 suites (KB2837615) 32-Bit Edition 
Security Update for Microsoft Office 2007 suites (KB2850022) 32-Bit Edition 
Security Update for Microsoft Office Excel 2007 (KB2827324) 32-Bit Edition 
Security Update for Microsoft Office InfoPath 2007 (KB2687440) 32-Bit Edition 
Security Update for Microsoft Office Outlook 2007 (KB2825644) 32-Bit Edition 
Security Update for Microsoft Office PowerPoint 2007 (KB2596764) 32-Bit Edition
Security Update for Microsoft Office PowerPoint 2007 (KB2596912) 32-Bit Edition
Security Update for Microsoft Office Publisher 2007 (KB2597971) 32-Bit Edition 
Security Update for Microsoft Office Word 2007 (KB2837617) 32-Bit Edition 
Security Update for Microsoft Windows (KB2564958)
Security Update for Windows Internet Explorer 8 (KB2510531)
Security Update for Windows Internet Explorer 8 (KB2530548)
Security Update for Windows Internet Explorer 8 (KB2544521)
Security Update for Windows Internet Explorer 8 (KB2618444)
Security Update for Windows Internet Explorer 8 (KB2699988)
Security Update for Windows Internet Explorer 8 (KB2722913)
Security Update for Windows Internet Explorer 8 (KB2744842)
Security Update for Windows Internet Explorer 8 (KB2761465)
Security Update for Windows Internet Explorer 8 (KB2792100)
Security Update for Windows Internet Explorer 8 (KB2797052)
Security Update for Windows Internet Explorer 8 (KB2799329)
Security Update for Windows Internet Explorer 8 (KB2846071)
Security Update for Windows Internet Explorer 8 (KB2862772)
Security Update for Windows Internet Explorer 8 (KB2909210)
Security Update for Windows Internet Explorer 8 (KB2925418)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows Media Player (KB2378111)
Security Update for Windows Media Player (KB2834904-v2)
Security Update for Windows Media Player (KB2834904)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB975558)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player (KB979402)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Search 4 - KB963093
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2115168)
Security Update for Windows XP (KB2121546)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2296011)
Security Update for Windows XP (KB2347290)
Security Update for Windows XP (KB2360937)
Security Update for Windows XP (KB2387149)
Security Update for Windows XP (KB2393802)
Security Update for Windows XP (KB2412687)
Security Update for Windows XP (KB2419632)
Security Update for Windows XP (KB2423089)
Security Update for Windows XP (KB2440591)
Security Update for Windows XP (KB2443105)
Security Update for Windows XP (KB2476490)
Security Update for Windows XP (KB2476687)
Security Update for Windows XP (KB2478960)
Security Update for Windows XP (KB2478971)
Security Update for Windows XP (KB2479943)
Security Update for Windows XP (KB2481109)
Security Update for Windows XP (KB2483185)
Security Update for Windows XP (KB2485663)
Security Update for Windows XP (KB2503665)
Security Update for Windows XP (KB2506212)
Security Update for Windows XP (KB2506223)
Security Update for Windows XP (KB2507618)
Security Update for Windows XP (KB2507938)
Security Update for Windows XP (KB2508272)
Security Update for Windows XP (KB2508429)
Security Update for Windows XP (KB2509553)
Security Update for Windows XP (KB2510581)
Security Update for Windows XP (KB2524375)
Security Update for Windows XP (KB2530548)
Security Update for Windows XP (KB2535512)
Security Update for Windows XP (KB2536276-v2)
Security Update for Windows XP (KB2536276)
Security Update for Windows XP (KB2544521)
Security Update for Windows XP (KB2544893-v2)
Security Update for Windows XP (KB2544893)
Security Update for Windows XP (KB2566454)
Security Update for Windows XP (KB2570222)
Security Update for Windows XP (KB2570947)
Security Update for Windows XP (KB2584146)
Security Update for Windows XP (KB2585542)
Security Update for Windows XP (KB2592799)
Security Update for Windows XP (KB2598479)
Security Update for Windows XP (KB2603381)
Security Update for Windows XP (KB2618451)
Security Update for Windows XP (KB2619339)
Security Update for Windows XP (KB2620712)
Security Update for Windows XP (KB2624667)
Security Update for Windows XP (KB2631813)
Security Update for Windows XP (KB2633171)
Security Update for Windows XP (KB2639417)
Security Update for Windows XP (KB2646524)
Security Update for Windows XP (KB2653956)
Security Update for Windows XP (KB2655992)
Security Update for Windows XP (KB2659262)
Security Update for Windows XP (KB2661637)
Security Update for Windows XP (KB2676562)
Security Update for Windows XP (KB2685939)
Security Update for Windows XP (KB2686509)
Security Update for Windows XP (KB2691442)
Security Update for Windows XP (KB2695962)
Security Update for Windows XP (KB2698365)
Security Update for Windows XP (KB2705219)
Security Update for Windows XP (KB2707511)
Security Update for Windows XP (KB2709162)
Security Update for Windows XP (KB2712808)
Security Update for Windows XP (KB2719985)
Security Update for Windows XP (KB2723135)
Security Update for Windows XP (KB2724197)
Security Update for Windows XP (KB2727528)
Security Update for Windows XP (KB2731847)
Security Update for Windows XP (KB2753842-v2)
Security Update for Windows XP (KB2757638)
Security Update for Windows XP (KB2758857)
Security Update for Windows XP (KB2761226)
Security Update for Windows XP (KB2770660)
Security Update for Windows XP (KB2778344)
Security Update for Windows XP (KB2779030)
Security Update for Windows XP (KB2780091)
Security Update for Windows XP (KB2799494)
Security Update for Windows XP (KB2802968)
Security Update for Windows XP (KB2807986)
Security Update for Windows XP (KB2813345)
Security Update for Windows XP (KB2820197)
Security Update for Windows XP (KB2820917)
Security Update for Windows XP (KB2834886)
Security Update for Windows XP (KB2839229)
Security Update for Windows XP (KB2845187)
Security Update for Windows XP (KB2847311)
Security Update for Windows XP (KB2849470)
Security Update for Windows XP (KB2850851)
Security Update for Windows XP (KB2850869)
Security Update for Windows XP (KB2859537)
Security Update for Windows XP (KB2862152)
Security Update for Windows XP (KB2862330)
Security Update for Windows XP (KB2862335)
Security Update for Windows XP (KB2864063)
Security Update for Windows XP (KB2868038)
Security Update for Windows XP (KB2868626)
Security Update for Windows XP (KB2876217)
Security Update for Windows XP (KB2876331)
Security Update for Windows XP (KB2892075)
Security Update for Windows XP (KB2893294)
Security Update for Windows XP (KB2898715)
Security Update for Windows XP (KB2900986)
Security Update for Windows XP (KB2914368)
Security Update for Windows XP (KB2916036)
Security Update for Windows XP (KB2929961)
Security Update for Windows XP (KB2930275)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB979687)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB980436)
Security Update for Windows XP (KB981322)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982132)
Security Update for Windows XP (KB982381)
Security Update for Windows XP (KB982665)
Segoe UI
Seven Kingdoms II
Shadowrun Returns
Sid Meier's Civilization 4
Sid Meier's Civilization V
Sierra Utilities
SimCity 3000
SimCity™
Sir, You Are Being Hunted
Skype™ 6.11
Source SDK
Source SDK Base 2006
Source SDK Base 2007
Steam
SUPERAntiSpyware
System Requirements Lab CYRI
Team Fortress Classic
Terraria
The Bridge 
The Elder Scrolls V: Skyrim
The Wolf Among Us
Theme Hospital
Tor 0.2.2.33
Towns
Ubisoft Game Launcher
Unlocker 1.9.2
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
Update for Microsoft .NET Framework 4 Client Profile (KB2600217)
Update for Microsoft .NET Framework 4 Client Profile (KB2836939v3)
Update for Microsoft .NET Framework 4 Extended (KB2836939v3)
Update for Microsoft Office 2007 Help for Common Features (KB963673)
Update for Microsoft Office 2007 suites (KB2596620) 32-Bit Edition
Update for Microsoft Office 2007 suites (KB2767849) 32-Bit Edition
Update for Microsoft Office 2007 suites (KB2767916) 32-Bit Edition
Update for Microsoft Office Access 2007 Help (KB963663)
Update for Microsoft Office Excel 2007 Help (KB963678)
Update for Microsoft Office Infopath 2007 Help (KB963662)
Update for Microsoft Office Outlook 2007 (KB2687404) 32-Bit Edition
Update for Microsoft Office Outlook 2007 Help (KB963677)
Update for Microsoft Office Outlook 2007 Junk Email Filter (KB2878234) 32-Bit Edition
Update for Microsoft Office Powerpoint 2007 Help (KB963669)
Update for Microsoft Office Publisher 2007 Help (KB963667)
Update for Microsoft Office Script Editor Help (KB963671)
Update for Microsoft Office Word 2007 Help (KB963665)
Update for Microsoft Windows (KB971513)
Update for Windows Internet Explorer 8 (KB2447568)
Update for Windows Internet Explorer 8 (KB2598845)
Update for Windows Internet Explorer 8 (KB2632503)
Update for Windows XP (KB2345886)
Update for Windows XP (KB2467659)
Update for Windows XP (KB2492386)
Update for Windows XP (KB2541763)
Update for Windows XP (KB2641690)
Update for Windows XP (KB2661254-v2)
Update for Windows XP (KB2718704)
Update for Windows XP (KB2736233)
Update for Windows XP (KB2749655)
Update for Windows XP (KB2863058)
Update for Windows XP (KB2904266)
Update for Windows XP (KB2934207)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB961503)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971029)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
VC80CRTRedist - 8.0.50727.6195
Vidalia 0.2.14
Vim 7.3 (self-installing)
VLC media player 2.0.5
VS v6.0
VTFEdit 1.2.5
WampServer 2.4
War for the Overworld Bedrock Beta
WebFldrs XP
Westwood Shared Internet Components
Winamp
Winamp Detector Plug-in
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 8
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live ID Sign-in Assistant
Windows Live Messenger
Windows Live Upload Tool
Windows Management Framework Core
Windows Media Format 11 runtime
Windows Media Player 11
Windows Search 4.0
Windows XP Service Pack 3
WinPcap 4.1.2
WinRAR 5.01 (32-bit)
WinZip 15.5
Wireshark 1.6.13 (32-bit)
Zeus & Poseidon
 

Edited by DarkD, 21 May 2014 - 03:13 AM.


#15 seedy21

  • Malware Response Team
  • 742 posts
  • Gender:Male
  • Location:West Yorkshire, UK

Posted 21 May 2014 - 04:27 PM

Hi DarkD

There are two things I have to point out before we continue.
ComboFix needs to be on the Desktop to run correctly. Please move ComboFix from your Downloads folder to your Desktop.

Second problem

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!


Please follow these instructions to get ComboFix to install it.

Double click on 'ComboFix.exe' & follow the prompts.
If ComboFix finds any Updates, Please allow ComboFix to run them.

Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

  • At the next prompt, click No and start Step 2

    [screenshot: RC_whatnext.gif]
     
    If Combofix was unable to install Recovery Console follow these instructions

    Go to Microsoft's website => http://support.microsoft.com/kb/310994

    Select the download that's appropriate for your Operating System

    [screenshot: kb310994kh8.gif]

    Download the file and save it as it is originally named, next to ComboFix.exe.

    Now close all open windows and programs, including all anti-virus and anti-malware programs, so they do not interfere with the running of ComboFix.

     
  • Drag the setup package onto ComboFix.exe and drop it.

    [screenshot: RC1-4.gif]

     
  • Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console.
  • At the next prompt, click No

    [screenshot: RC_whatnext.gif]



    This is a safeguard we hope we never need, but it's better to be safe than sorry.

    Step 2

    Please open Notepad (through Start Menu -> Accessories -> Notepad) and copy/paste this code into Notepad, exactly as it is (DON'T include the 'Quote:'):

    KILLALL::

    Driver::
    CFRMD
    TfFsMon
    TfSysMon
    TfNetMon
    BuddyVM
    CLPSLauncher
    cmderd
    cmdGuard
    tvnserver
    RoyalRoadsvn

    File::
    c:\windows\ALCMTR.EXE
    c:\windows\system32\drivers\CFRMD.sys
    c:\windows\system32\drivers\TfFsMon.sys
    c:\windows\system32\drivers\TfSysMon.sys
    c:\windows\system32\drivers\TfNetMon.sys
    c:\windows\system32\DRIVERS\cmderd.sys
    c:\windows\system32\DRIVERS\cmdguard.sys
    c:\program files\VMLaunch\BuddyVM.sys
    c:\windows\UniFish3.exe

    Folder::
    C:\Program Files\Hotspot Shield
    C:\Program Files\Common Files\Comodo

    Registry::
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "uTorrent"=-
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "ThreatFire"=-
    "hshld"=-
    "HssWd"=-
    "HssSrv"=-
    "tvnserver"=-
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "9909:TCP"=-

    RegLock::
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]

    Reboot::

    JavaClearCache::


    Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.

    Make sure your anti-virus is disabled while we do this. You can disable your anti-virus and anti-spyware applications, usually via a right-click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, please read this.

    [screenshot: CFScriptB-4.gif]

    Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.

    ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.

    When the scan finishes, it will execute the script and reboot your computer automatically. Don't reboot your computer manually; let ComboFix do it.

    Once your computer is rebooted, ComboFix will start preparing a log. Please let it do so unhindered. After a few minutes, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

“It's only after we've lost everything that we're free to do anything.”
― Chuck Palahniuk, Fight Club

unite_blue.png
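The CFScript in the post above is a list of kill, delete, lock and reset actions that ComboFix carries out without asking again once the file is dropped onto it, so it is worth being able to read exactly what such a script will touch before running it. What follows is an added example, not ComboFix's own code and not part of seedy21's post: a small Python parser that splits a CFScript into its sections, translates the Registry:: body, and flags Driver:: names for which the script lists no binary under File::. It assumes the section syntax it documents in its comments (a line ending in `::` opens a section, the Registry:: body follows .reg conventions) and uses the script from the post, embedded as constructed sample input, so it runs offline.

```python
# Added example (not ComboFix's own code): parse a ComboFix CFScript.txt and list
# what it will act on.  Assumed format: 'Name::' opens a section; the Registry::
# body uses .reg syntax ('[-key]' deletes a key, '"name"=-' deletes a value).
import ntpath
import re
SECTION_RE = re.compile(r"^([A-Za-z]+)::$")
REG_KEY_RE = re.compile(r"^\[(-?)([^\]]+)\]$")
REG_VALUE_RE = re.compile(r'^"([^"]*)"=(.*)$')
# Sample input: the script from the post above, embedded so this runs offline.
SAMPLE_CFSCRIPT = r"""
KILLALL::
Driver::
CFRMD
TfFsMon
TfSysMon
TfNetMon
BuddyVM
CLPSLauncher
cmderd
cmdGuard
tvnserver
RoyalRoadsvn
File::
c:\windows\ALCMTR.EXE
c:\windows\system32\drivers\CFRMD.sys
c:\windows\system32\drivers\TfFsMon.sys
c:\windows\system32\drivers\TfSysMon.sys
c:\windows\system32\drivers\TfNetMon.sys
c:\windows\system32\DRIVERS\cmderd.sys
c:\windows\system32\DRIVERS\cmdguard.sys
c:\program files\VMLaunch\BuddyVM.sys
c:\windows\UniFish3.exe
Folder::
C:\Program Files\Hotspot Shield
C:\Program Files\Common Files\Comodo
Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"uTorrent"=-
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"ThreatFire"=-
"hshld"=-
"HssWd"=-
"HssSrv"=-
"tvnserver"=-
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9909:TCP"=-
RegLock::
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
Reboot::
JavaClearCache::
"""

def parse_cfscript(text):
    """Return {section: [lines]} in file order; an empty list marks a bare flag."""
    sections, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
        elif line and current is None:
            raise ValueError("line outside any section: %r" % line)
        elif line:
            sections[current].append(line)
    return sections

def registry_actions(lines):
    """Translate Registry:: lines into (key, value_name, action) tuples."""
    actions, key = [], None
    for line in lines:
        km, vm = REG_KEY_RE.match(line), REG_VALUE_RE.match(line)
        if km:
            key = km.group(2)
            if km.group(1) == "-":
                actions.append((key, None, "delete_key"))
        elif vm and key is not None:
            actions.append((key, vm.group(1), "delete_value" if vm.group(2) == "-" else "set_value"))
        else:
            raise ValueError("unrecognised Registry:: line: %r" % line)
    return actions

def summarize(text):
    """Everything the script will kill, delete, lock or reset, by category."""
    s = parse_cfscript(text)
    return {"flags": [k for k, v in s.items() if not v],
            "drivers": s.get("Driver", []), "files": s.get("File", []),
            "folders": s.get("Folder", []),
            "registry": registry_actions(s.get("Registry", [])),
            "reglock": [m.group(2) for m in map(REG_KEY_RE.match, s.get("RegLock", [])) if m]}

def unmatched_drivers(summary):
    """Driver:: names for which File:: gives no same-named binary (check where those live first)."""
    stems = {ntpath.splitext(ntpath.basename(p))[0].lower() for p in summary["files"]}
    return [d for d in summary["drivers"] if d.lower() not in stems]
```

`summarize(SAMPLE_CFSCRIPT)` returns one delete_key and seven delete_value actions, two locked keys, and the three bare flags (KILLALL, Reboot, JavaClearCache); `unmatched_drivers` reports CLPSLauncher, tvnserver and RoyalRoadsvn as Driver:: entries with no File:: path. That is not a fault in the script, but it is exactly the kind of entry to cross-check against the logs already posted in the thread before dropping the file onto ComboFix.exe.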




