Jump to content

Epsynus

Members
  • Posts

    29
  • Joined

  • Last visited

Reputation

0 Neutral

About Epsynus

  • Birthday 10/18/1992

Contact Methods

  • MSN
    Ask :3
  • Website URL
    http://
  • ICQ
    0

Profile Information

  • Location
    Sweden
  • Interests
    Computers and my friends ^^
  1. Ok i understand. the only problem is that i cannot edit my post :/ but thanks for the info @exile360 Thank you for the info i will backup the registry & make a system restore point and try them out and see what happens
  2. Hello i have collected a bunch of tweaks of the web & friends. but my question is, Are they safe to use or will they freak out my computer?. here is the list. http ProxyHttp1.1=1 SyncMode5=4 MaxConnectionsPerServer=6 MaxConnectionsPer1_0Server=6 TcpIp TcpWindowSize=700800 DeafultTTL=64 EnablePMTUDiscovery=1 EnablePMTUBHDetect=1 TcpMaxDupAcks=2 Tcp1323Opts=1 SackOpts=1 MTU=1500 DNS MaxCacheTtl=14400 MaxNegativeCacheTtl=10 NetFaliureCacheTime=0 NegativeSOACacheTime=3 AFD FastSendDatagramThreshold=1500 FastCopyReciveThreshold=1500 Firefox ui.submenuDelay=50 content.interrupt.parsing=true content.max.tokenizing.time=3000000 content.maxtextrun=8191 content.notify.backoffcount=5 content.notify.interval=750000 content.notify.ontimer=true content.switch.threshold=750000 nglayout.initialpaint.delay=500 network.http.max-connections=32 network.http.max-connections-per-server=6 network.http.max-persistent-connections-per-server=4 network.http.pipelining=true network.http.pipelining.maxrequests=8 Now i don't understand where to put a few and what a few of those names mean but ill figure that out later. right now i just want an answer if they are safe to use? (Use them on your own risk, since i don't know if they are safe yet.)
  3. OK ill read up on those posts Thank you for the help it speeded up my system a lot ^^ and the Memory hugging problem solved itself when i had restarted the system a few times
  4. couldn't edit the post. IGNORE the " and the process system takes 80-99% CPU the whole time! " part it went down when the GMER scan was done!
  5. Yes the programs don't hang as often but take long time to start. and i notice an slowdown in general now instead. though something that bothers me now is that alg.exe takes 33 980 K memory explorer.exe takes 61 016 K memory svchost.exe 59 364 K memory svchost.exe 35 444 K memory svchost.exe 34 292 K memory when before the last fix they took alg.exe unsure just know it was NOT that high explorer.exe 20 364 K memory svchost.exe 5 000 K memory svchost.exe 10 000 K memory svchost.exe 15 000 K memory and the process system takes 80-99% CPU the whole time! (204 K memory usage before it was 25 K) extra text: just noticed that ALL windows processes has started to take up more Memory since the fix is this normal? :S GMER.zip GMER.zip
  6. combofix ComboFix 09-08-10.04 - Administrator 2009-08-11 9:55.2.1 - NTFSx86 Microsoft Windows XP Professional 5.1.2600.3.1252.46.1033.18.1023.672 [GMT 1:00] Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe Command switches used :: c:\documents and settings\Administrator\Desktop\CFscript.txt AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7} FW: Online Armor Firewall *disabled* {B797DAA0-7E2E-4711-8BB3-D12744F1922A} * Created a new restore point FILE :: "c:\docume~1\ADMINI~1\LOCALS~1\Temp\aujasnkj.sys" "c:\documents and settings\Administrator\Desktop\koybmqk1.exe" "c:\windows\spjv.sys" "c:\windows\system32\drivers\adn8wzoh.SYS" "c:\windows\System32\Drivers\asw5vr9z.SYS" "c:\windows\system32\Drivers\mchInjDrv.sys" "c:\windows\system32\drivers\spjv.sys" "c:\windows\System32\Drivers\sptd.sys" "c:\windows\system32\spjv.sys" . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . c:\documents and settings\Administrator\Desktop\koybmqk1.exe c:\windows\System32\Drivers\sptd.sys . ((((((((((((((((((((((((((((((((((((((( Drivers/Services ))))))))))))))))))))))))))))))))))))))))))))))))) . -------\Legacy_SPTD -------\Service_sptd ((((((((((((((((((((((((( Files Created from 2009-07-11 to 2009-08-11 ))))))))))))))))))))))))))))))) . 2009-08-08 13:46 . 2009-08-08 13:46 152576 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\jre1.6.0_15\lzma.dll 2009-08-08 08:43 . 2009-08-08 08:43 -------- d-----w- c:\windows\system32\wbem\snmp 2009-08-08 08:43 . 2009-08-08 08:43 -------- d-----w- c:\windows\system32\xircom 2009-08-08 08:43 . 2009-08-08 08:43 -------- d-----w- c:\program files\microsoft frontpage 2009-08-07 18:07 . 2009-08-07 18:07 -------- d-----w- c:\program files\Gravity 2009-08-07 12:39 . 2009-08-07 12:39 -------- d-----w- c:\program files\Audacity 2009-08-05 14:05 . 2009-08-07 22:09 -------- d-----w- c:\program files\Diablo II 2009-08-04 13:46 . 2009-08-04 14:39 -------- d-----w- C:\Unreal2 2009-08-04 13:37 . 2009-08-04 13:37 -------- d--h--w- c:\windows\PIF 2009-08-02 15:47 . 2009-08-06 14:50 -------- d-----w- c:\documents and settings\Administrator\Application Data\vlc 2009-08-02 15:43 . 2009-08-02 15:55 -------- d-----w- c:\program files\Opera 2009-08-02 15:33 . 2009-08-02 15:33 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Temp 2009-08-02 15:33 . 2009-08-02 15:39 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Google 2009-07-31 12:22 . 2009-08-02 14:15 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS 2009-07-31 12:22 . 2009-08-02 14:15 -------- d-----w- c:\program files\NOS 2009-07-28 16:00 . 2009-07-28 16:00 -------- d-----w- C:\Sandbox 2009-07-28 16:00 . 2009-08-04 15:19 -------- d-----w- c:\program files\Sandboxie 2009-07-28 11:53 . 2009-07-28 12:22 -------- d-----w- c:\program files\rise 2009-07-28 11:52 . 2009-07-28 11:52 -------- d-----w- c:\documents and settings\Administrator\Application Data\InstallShield 2009-07-27 21:21 . 2009-07-28 09:04 -------- d-----w- c:\documents and settings\Administrator\Application Data\Microsoft Games 2009-07-27 20:51 . 2009-07-27 20:52 -------- d-----w- c:\program files\Hamachi 2009-07-25 09:53 . 2009-07-25 09:56 -------- d-----w- C:\Oplex 2009-07-24 09:58 . 2009-07-24 09:58 -------- d-----w- c:\program files\Defraggler 2009-07-23 19:51 . 2009-08-11 08:37 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\CurseClient 2009-07-23 19:51 . 2009-07-23 19:51 -------- d-----w- c:\program files\Curse . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2009-08-11 09:06 . 2009-05-07 11:10 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP 2009-08-10 20:50 . 2009-05-07 14:41 -------- d-----w- c:\documents and settings\Administrator\Application Data\Skype 2009-08-10 20:12 . 2009-07-12 10:10 -------- d-----w- c:\documents and settings\Administrator\Application Data\Winamp 2009-08-08 13:47 . 2009-05-07 08:50 -------- d-----w- c:\program files\Java 2009-08-08 11:36 . 2009-06-06 15:53 -------- d-----w- c:\documents and settings\Administrator\Application Data\Hamachi 2009-08-08 08:16 . 2009-07-10 12:20 -------- d-----w- c:\documents and settings\Administrator\Application Data\Azureus 2009-08-07 18:06 . 2009-05-07 15:58 65536 -c--a-w- c:\windows\IFinst27.exe 2009-08-06 14:50 . 2009-08-02 15:47 -------- d-----w- c:\documents and settings\Administrator\Application Data\vlc 2009-08-05 14:08 . 2009-05-08 18:18 -------- d-----w- c:\program files\Common Files\Blizzard Entertainment 2009-08-05 12:15 . 2009-05-06 20:21 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys 2009-08-04 13:46 . 2009-05-07 07:39 -------- d--h--w- c:\program files\InstallShield Installation Information 2009-08-04 13:23 . 2009-05-14 16:05 -------- d-----w- c:\documents and settings\Administrator\Application Data\uTorrent 2009-08-03 21:29 . 2009-05-07 09:09 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware 2009-08-03 21:28 . 2009-05-26 19:56 3942048 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe 2009-08-03 12:36 . 2009-05-07 09:09 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys 2009-08-03 12:36 . 2009-05-07 09:09 19096 ----a-w- c:\windows\system32\drivers\mbam.sys 2009-08-03 10:27 . 2009-06-17 23:00 -------- d-----w- c:\program files\Common Files\GTK 2009-08-02 16:01 . 2009-05-11 10:18 -------- d-----w- c:\program files\osu! 2009-08-02 15:12 . 2009-05-09 00:05 25992 ----a-w- c:\windows\system32\pgdfgsvc.exe 2009-08-02 14:56 . 2009-05-07 10:51 -------- d-----w- c:\program files\SpywareBlaster 2009-07-31 11:52 . 2009-06-25 12:07 -------- d-----w- c:\program files\ThreatFire 2009-07-31 11:52 . 2009-05-07 16:28 -------- d-----w- c:\program files\Microsoft Silverlight 2009-07-27 20:51 . 2009-06-06 15:53 25280 ----a-w- c:\windows\system32\drivers\hamachi.sys 2009-07-27 13:16 . 2009-07-09 14:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Electronic Arts 2009-07-25 04:23 . 2009-05-07 08:50 411368 ----a-w- c:\windows\system32\deploytk.dll 2009-07-24 12:42 . 2009-06-01 17:42 -------- d-----w- c:\documents and settings\Administrator\Application Data\Spotify 2009-07-13 07:16 . 2009-06-03 16:59 -------- d-----w- c:\program files\Guild Wars 2009-07-12 10:10 . 2009-07-12 10:10 -------- d-----w- c:\program files\Winamp 2009-07-12 09:26 . 2009-07-11 12:38 -------- d-----w- c:\program files\DivX 2009-07-11 04:59 . 2009-05-07 08:53 29776 ----a-w- c:\windows\system32\drivers\OAnet.sys 2009-07-11 04:17 . 2009-05-07 08:53 24656 ----a-w- c:\windows\system32\drivers\OAmon.sys 2009-07-11 04:17 . 2009-05-07 08:53 200784 ----a-w- c:\windows\system32\drivers\OADriver.sys 2009-07-10 16:14 . 2009-07-10 16:14 10134 ----a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{E3E71D07-CD27-46CB-8448-16D4FB29AA13}\ARPPRODUCTICON.exe 2009-07-10 16:14 . 2009-07-10 16:14 -------- d-----w- c:\program files\Microsoft WSE 2009-07-10 14:11 . 2009-07-09 09:42 25 ----a-w- c:\windows\popcinfot.dat 2009-07-10 12:20 . 2009-07-10 12:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Azureus 2009-07-09 18:58 . 2009-07-09 18:58 -------- d-----w- c:\program files\VideoLAN 2009-07-09 14:48 . 2009-07-09 14:48 -------- d--h--r- c:\documents and settings\Administrator\Application Data\SecuROM 2009-07-09 14:14 . 2009-07-09 14:14 -------- d-----w- c:\documents and settings\Administrator\Application Data\Red Alert 3 2009-07-08 18:41 . 2009-07-08 18:41 -------- d-----w- c:\documents and settings\All Users\Application Data\PopCap Games 2009-07-08 15:41 . 2009-06-17 23:01 -------- d-----w- c:\documents and settings\Administrator\Application Data\.purple 2009-07-03 17:09 . 2009-03-16 18:46 915456 ----a-w- c:\windows\system32\wininet.dll 2009-07-03 11:54 . 2009-05-07 11:09 117760 ----a-w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL 2009-07-02 10:10 . 2009-07-02 09:50 -------- d-----w- c:\documents and settings\Administrator\Application Data\InfraRecorder 2009-07-01 10:18 . 2009-06-18 12:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help 2009-07-01 10:18 . 2009-06-18 12:28 -------- d-----w- c:\program files\Microsoft Visual Studio 9.0 2009-06-29 14:49 . 2009-06-29 14:48 -------- d-----w- c:\program files\Intel 2009-06-26 23:51 . 2009-06-26 23:51 -------- d-----w- c:\program files\Avira 2009-06-26 23:51 . 2009-06-26 23:51 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira 2009-06-26 16:43 . 2009-05-07 11:08 -------- d-----w- c:\program files\SUPERAntiSpyware 2009-06-25 12:07 . 2009-06-25 12:07 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools 2009-06-24 20:30 . 2009-06-24 20:30 -------- d-----w- c:\program files\Alwil Software 2009-06-24 16:39 . 2009-06-24 16:39 -------- d-----w- c:\program files\Secunia 2009-06-23 18:01 . 2009-05-21 22:46 -------- d-----w- c:\documents and settings\Administrator\Application Data\FileZilla 2009-06-23 11:57 . 2009-05-07 10:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy 2009-06-19 15:06 . 2009-06-19 15:03 -------- d-----w- c:\documents and settings\Administrator\Application Data\GlarySoft 2009-06-19 13:37 . 2009-06-25 12:07 46864 ----a-w- c:\windows\system32\drivers\TfSysMon.sys 2009-06-19 13:37 . 2009-06-25 12:07 33552 ----a-w- c:\windows\system32\drivers\TfNetMon.sys 2009-06-19 13:37 . 2009-06-25 12:07 51984 ----a-w- c:\windows\system32\drivers\TfFsMon.sys 2009-06-18 13:17 . 2009-06-18 13:17 -------- d-----w- c:\documents and settings\Administrator\Application Data\TortoiseSVN 2009-06-18 13:00 . 2009-05-06 21:05 35760 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT 2009-06-18 12:48 . 2009-06-18 12:48 -------- d-----w- c:\documents and settings\Administrator\Application Data\Subversion 2009-06-18 12:34 . 2009-06-18 12:34 -------- d-----w- c:\program files\Microsoft SQL Server 2009-06-18 12:34 . 2009-06-18 12:34 112640 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\VCExpress\9.0\1033\ResourceCache.dll 2009-06-18 12:33 . 2009-06-18 12:33 416 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\MSDN\9.0\1033\ResourceCache.dll 2009-06-18 12:23 . 2009-06-18 12:23 -------- d-----w- c:\program files\Microsoft SDKs 2009-06-17 23:05 . 2009-06-17 23:02 -------- d-----w- c:\documents and settings\Administrator\Application Data\gtk-2.0 2009-06-17 17:16 . 2009-06-17 17:16 -------- d-----w- c:\program files\ATI Technologies 2009-06-17 12:20 . 2009-03-24 11:03 12648 ----a-w- c:\windows\system32\drivers\psi_mf.sys 2009-06-17 10:51 . 2009-06-17 10:51 720896 ----a-w- c:\windows\iun6002.exe 2009-06-16 14:36 . 2008-04-14 03:42 119808 ----a-w- c:\windows\system32\t2embed.dll 2009-06-16 14:36 . 2008-04-14 03:41 81920 ----a-w- c:\windows\system32\fontsub.dll 2009-06-13 21:09 . 2009-06-13 21:04 -------- d-----w- c:\documents and settings\Administrator\Application Data\mIRC 2009-06-06 19:00 . 2009-06-06 19:00 249856 ------w- c:\windows\Setup1.exe 2009-06-06 19:00 . 2009-06-06 19:00 73216 ----a-w- c:\windows\ST6UNST.EXE 2009-06-03 19:09 . 2008-04-14 03:42 1291264 ----a-w- c:\windows\system32\quartz.dll 2009-06-01 16:07 . 2009-06-01 16:07 46080 ----a-w- c:\windows\system32\cimo.sys 2009-06-01 13:41 . 2009-06-01 13:41 102664 ----a-w- c:\windows\system32\drivers\tmcomm.sys . ------- Sigcheck ------- [-] 2009-03-11 14:31 2003456 A93D1D8A4122F7DEFDD4D0F34CF67213 c:\windows\explorer.exe . ((((((((((((((((((((((((((((( SnapShot@2009-08-08_08.44.42 ))))))))))))))))))))))))))))))))))))))))) . + 2009-08-11 09:05 . 2009-08-11 09:05 16384 c:\windows\temp\Perflib_Perfdata_68c.dat + 2009-08-11 09:04 . 2009-08-11 09:04 8192 c:\windows\ERDNT\subs\Users\00000002\UsrClass.dat + 2009-08-08 13:47 . 2009-07-25 04:23 149280 c:\windows\system32\javaws.exe + 2009-08-08 13:47 . 2009-07-25 04:23 145184 c:\windows\system32\javaw.exe + 2009-08-08 13:47 . 2009-07-25 04:23 145184 c:\windows\system32\java.exe + 2009-08-11 09:04 . 2009-08-11 09:04 212992 c:\windows\ERDNT\subs\Users\00000004\UsrClass.dat + 2009-08-11 09:04 . 2009-08-11 09:04 315392 c:\windows\ERDNT\subs\Users\00000001\NTUSER.DAT + 2009-08-11 09:04 . 2009-08-11 09:04 5173248 c:\windows\ERDNT\subs\Users\00000003\NTUSER.DAT . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2008-04-13 208952] "MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2008-04-13 59392] "PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-13 455168] "PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-13 455168] "@OnlineArmor GUI"="c:\program files\Tall Emu\Online Armor\oaui.exe" [2009-07-11 2121416] "ThreatFire"="c:\program files\ThreatFire\TFTray.exe" [2009-06-19 259344] "avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153] "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280] [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360] "Styler"="c:\program files\ESAP 3\Windows 7 - Styler\Styler.exe" [2007-04-15 307200] [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce] "ShowDeskFix"="shell32" [X] "nltide_3"="advpack.dll" - c:\windows\system32\advpack.dll [2009-03-08 128512] [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer] "NoResolveTrack"= 1 (0x1) "NoRecentDocsNetHood"= 01000000 [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer] "ForceClassicControlPanel"= 1 (0x1) "NoResolveTrack"= 1 (0x1) "NoSMHelp"= 1 (0x1) [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\disallowrun] "1"= avnotify.dll "2"= avnotify.exe [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks] "{4F07DA45-8170-4859-9B5F-037EF2970034}"= "c:\progra~1\TALLEM~1\ONLINE~1\oaevent.dll" [2009-07-11 336584] "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon] 2008-12-22 11:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile] "EnableFirewall"= 0 (0x0) "DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0) [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "%windir%\\system32\\sessmgr.exe"= "c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"= "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"= "c:\\Program Files\\uTorrent\\uTorrent.exe"= "c:\\Program Files\\Spotify\\spotify.exe"= "c:\\Program Files\\Curse\\CurseClient.exe"= "c:\\Program Files\\Skype\\Phone\\Skype.exe"= [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings] "AllowInboundEchoRequest"= 1 (0x1) R0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys [2009-06-25 51984] R0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys [2009-06-25 46864] R1 OADevice;OADriver;c:\windows\system32\drivers\OADriver.sys [2009-05-07 200784] R1 OAmon;OAmon;c:\windows\system32\drivers\OAmon.sys [2009-05-07 24656] R1 OAnet;OAnet;c:\windows\system32\drivers\OAnet.sys [2009-05-07 29776] R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2009-04-28 9968] R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2009-04-28 72944] R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2009-06-27 108289] R2 OAcat;Online Armor Helper Service;c:\program files\Tall Emu\Online Armor\oacat.exe [2009-05-07 362184] R2 SvcOnlineArmor;Online Armor;c:\program files\Tall Emu\Online Armor\oasrv.exe [2009-05-07 3142344] R2 ThreatFire;ThreatFire;c:\program files\ThreatFire\TFService.exe service --> c:\program files\ThreatFire\TFService.exe service [?] R3 TfNetMon;TfNetMon;c:\windows\system32\drivers\TfNetMon.sys [2009-06-25 33552] S3 cimo;cimo;c:\windows\system32\cimo.sys [2009-06-01 46080] S3 Mkd2kfNt;Mkd2kfNt;c:\windows\system32\drivers\Mkd2kfNT.sys [2009-06-24 131072] S3 Mkd2Nadr;Mkd2Nadr;c:\windows\system32\drivers\Mkd2Nadr.sys [2009-06-24 79104] S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?] S3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [2009-03-24 12648] S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-04-28 7408] S3 V0220Dev;Live! Cam Video IM;c:\windows\system32\drivers\V0220Dev.sys [2009-05-26 146112] S3 V0220Vfx;V0220VFX;c:\windows\system32\drivers\V0220Vfx.sys [2009-05-26 6272] --- Other Services/Drivers In Memory --- *Deregistered* - mchInjDrv [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}] "c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP . Contents of the 'Scheduled Tasks' folder 2009-08-08 c:\windows\Tasks\User_Feed_Synchronization-{DF99D6C6-4DB4-40DE-8F14-A620F885C18F}.job - c:\windows\system32\msfeedssync.exe [2009-05-06 03:31] . . ------- Supplementary Scan ------- . uStart Page = hxxp://www.garena.com/portal/ TCP: {47FCC92C-B442-4704-B678-11F8AE118855} = 208.67.222.222,208.67.220.220 DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\z8x8krrv.default\ FF - prefs.js: browser.search.selectedEngine - Wowhead FF - prefs.js: browser.startup.homepage - hxxp://muffos.wowstead.com/|http://www.wowhead.com/?forums&topic=54456|http://www.wowhead.com/?talent#IsxrbhMuoVVRb:Mio0VM|http://www.wowhead.com/?talent#IZ0GfhkAdVcsMz FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\ ---- FIREFOX POLICIES ---- c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false); c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.cache_size", 51200); c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.ogg.enabled", true); c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.wave.enabled", true); c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.autoplay.enabled", true); c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true); c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess"); c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120); c:\program files\Mozilla Firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3); c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true); c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.dpi", -1); c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1); c:\program files\Mozilla Firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true); c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0); c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072); c:\program files\Mozilla Firefox\greprefs\all.js - pref("geo.enabled", true); c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true); c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35"); c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35"); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~"); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror"); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json"); . ************************************************************************** catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2009-08-11 10:08 Windows 5.1.2600 Service Pack 3 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** [HKEY_LOCAL_MACHINE\System\ControlSet003\Services\npggsvc] "ImagePath"="c:\windows\system32\GameMon.des -service" . --------------------- LOCKED REGISTRY KEYS --------------------- [HKEY_USERS\S-1-5-21-1935655697-1958367476-1606980848-500\Software\Microsoft\Internet Explorer\User Preferences] @Denied: (2) (Administrator) "88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15, d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,a4,b1,2c,4d,d7,65,7a,47,96,d2,8d,\ "2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15, d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,a4,b1,2c,4d,d7,65,7a,47,96,d2,8d,\ [HKEY_USERS\S-1-5-21-1935655697-1958367476-1606980848-500\Software\SecuROM\License information*] "datasecu"=hex:9a,b5,9e,db,72,66,a3,5e,dd,6f,98,6e,6c,af,df,ba,4c,5e,e5,60,a5, f7,a2,55,a8,d8,c7,7f,63,12,32,51,df,40,1d,a0,2d,2f,5f,a1,57,75,79,23,59,d7,\ "rkeysecu"=hex:d0,8e,a6,97,8b,09,6e,d3,54,6f,34,d4,9c,01,8c,ed . --------------------- DLLs Loaded Under Running Processes --------------------- - - - - - - - > 'winlogon.exe'(460) c:\program files\SUPERAntiSpyware\SASWINLO.dll c:\windows\system32\WININET.dll c:\windows\system32\Ati2evxx.dll c:\program files\ThreatFire\TFWAH.dll c:\program files\ThreatFire\TFNI.dll c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll c:\program files\ThreatFire\TFMon.dll c:\program files\ThreatFire\TFRK.dll - - - - - - - > 'lsass.exe'(516) c:\program files\ThreatFire\TFWAH.dll - - - - - - - > 'explorer.exe'(2916) c:\windows\system32\WININET.dll c:\program files\ThreatFire\TFWAH.dll c:\windows\system32\ieframe.dll c:\windows\system32\msi.dll c:\program files\ThreatFire\TFNI.dll c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll c:\program files\ThreatFire\TFMon.dll c:\program files\ThreatFire\TFRK.dll c:\windows\system32\webcheck.dll c:\windows\system32\WPDShServiceObj.dll c:\windows\system32\PortableDeviceTypes.dll c:\windows\system32\PortableDeviceApi.dll . ------------------------ Other Running Processes ------------------------ . c:\program files\Avira\AntiVir Desktop\avguard.exe c:\program files\Java\jre6\bin\jqs.exe c:\program files\ThreatFire\TFService.exe c:\program files\Tall Emu\Online Armor\oahlp.exe c:\program files\ThreatFire\TFUN.exe . ************************************************************************** . Completion time: 2009-08-11 10:16 - machine was rebooted ComboFix-quarantined-files.txt 2009-08-11 09:16 ComboFix2.txt 2009-08-08 08:51 Pre-Run: 35
  7. ntb log Service Pack 3 8 9 2009 10:18:38.500 Loaded driver \WINDOWS\system32\ntoskrnl.exe Loaded driver \WINDOWS\system32\hal.dll Loaded driver \WINDOWS\system32\KDCOM.DLL Loaded driver \WINDOWS\system32\BOOTVID.dll Loaded driver sptd.sys Loaded driver \WINDOWS\System32\Drivers\WMILIB.SYS Loaded driver \WINDOWS\System32\Drivers\SCSIPORT.SYS Loaded driver ACPI.sys Loaded driver pci.sys Loaded driver ohci1394.sys Loaded driver \WINDOWS\system32\DRIVERS\1394BUS.SYS Loaded driver isapnp.sys Loaded driver PCIIde.sys Loaded driver \WINDOWS\System32\Drivers\PCIIDEX.SYS Loaded driver intelide.sys Loaded driver MountMgr.sys Loaded driver ftdisk.sys Loaded driver dmload.sys Loaded driver dmio.sys Loaded driver PartMgr.sys Loaded driver VolSnap.sys Loaded driver atapi.sys Loaded driver disk.sys Loaded driver \WINDOWS\system32\DRIVERS\CLASSPNP.SYS Loaded driver fltMgr.sys Loaded driver sr.sys Loaded driver TfSysMon.sys Loaded driver TfFsMon.sys Loaded driver PxHelp20.sys Loaded driver KSecDD.sys Loaded driver Ntfs.sys Loaded driver NDIS.sys Loaded driver Mup.sys Loaded driver agp440.sys Loaded driver \SystemRoot\system32\DRIVERS\intelppm.sys Loaded driver \SystemRoot\system32\DRIVERS\ati2mtag.sys Loaded driver \SystemRoot\system32\DRIVERS\usbuhci.sys Loaded driver \SystemRoot\system32\DRIVERS\usbehci.sys Loaded driver \SystemRoot\system32\DRIVERS\BCMSM.sys Loaded driver \SystemRoot\System32\Drivers\Modem.SYS Loaded driver \SystemRoot\system32\DRIVERS\ctoss2k.sys Loaded driver \SystemRoot\system32\DRIVERS\ctsfm2k.sys Loaded driver \SystemRoot\system32\drivers\P16X.sys Loaded driver \SystemRoot\system32\DRIVERS\e100b325.sys Loaded driver \SystemRoot\system32\DRIVERS\fdc.sys Loaded driver \SystemRoot\system32\DRIVERS\i8042prt.sys Loaded driver \SystemRoot\system32\DRIVERS\kbdclass.sys Loaded driver \SystemRoot\system32\DRIVERS\mouclass.sys Loaded driver \SystemRoot\system32\DRIVERS\serial.sys Loaded driver \SystemRoot\system32\DRIVERS\serenum.sys Loaded driver \SystemRoot\system32\DRIVERS\parport.sys Loaded driver \SystemRoot\system32\DRIVERS\cdrom.sys Loaded driver \SystemRoot\system32\DRIVERS\redbook.sys Loaded driver \SystemRoot\system32\DRIVERS\imapi.sys Loaded driver \SystemRoot\System32\Drivers\asw5vr9z.SYS Loaded driver \SystemRoot\system32\DRIVERS\audstub.sys Loaded driver \SystemRoot\system32\DRIVERS\rasl2tp.sys Loaded driver \SystemRoot\system32\DRIVERS\ndistapi.sys Loaded driver \SystemRoot\system32\DRIVERS\ndiswan.sys Loaded driver \SystemRoot\system32\DRIVERS\raspppoe.sys Loaded driver \SystemRoot\system32\DRIVERS\raspptp.sys Loaded driver \SystemRoot\system32\DRIVERS\ptilink.sys Loaded driver \SystemRoot\system32\DRIVERS\raspti.sys Loaded driver \SystemRoot\system32\DRIVERS\rdpdr.sys Loaded driver \SystemRoot\system32\DRIVERS\termdd.sys Loaded driver \SystemRoot\system32\DRIVERS\swenum.sys Loaded driver \SystemRoot\system32\DRIVERS\update.sys Loaded driver \SystemRoot\system32\DRIVERS\mssmbios.sys Loaded driver \SystemRoot\System32\Drivers\NDProxy.SYS Did not load driver \SystemRoot\System32\Drivers\NDProxy.SYS Loaded driver \SystemRoot\system32\DRIVERS\usbhub.sys Loaded driver \SystemRoot\system32\drivers\MODEMCSA.sys Loaded driver \SystemRoot\system32\DRIVERS\flpydisk.sys Did not load driver \SystemRoot\System32\Drivers\lbrtfdc.SYS Did not load driver \SystemRoot\System32\Drivers\Sfloppy.SYS Did not load driver \SystemRoot\System32\Drivers\i2omgmt.SYS Did not load driver \SystemRoot\System32\Drivers\Changer.SYS Did not load driver \SystemRoot\System32\Drivers\Cdaudio.SYS Loaded driver \SystemRoot\System32\Drivers\Fs_Rec.SYS Loaded driver \SystemRoot\System32\Drivers\Null.SYS Loaded driver \SystemRoot\System32\Drivers\Beep.SYS Loaded driver \SystemRoot\System32\drivers\vga.sys Loaded driver \SystemRoot\System32\Drivers\mnmdd.SYS Loaded driver \SystemRoot\System32\DRIVERS\RDPCDD.sys Loaded driver \SystemRoot\System32\Drivers\Msfs.SYS Loaded driver \SystemRoot\System32\Drivers\Npfs.SYS Loaded driver \SystemRoot\system32\DRIVERS\rasacd.sys Loaded driver \??\C:\WINDOWS\system32\drivers\OAnet.sys Loaded driver \SystemRoot\system32\DRIVERS\msgpc.sys Loaded driver \SystemRoot\system32\DRIVERS\ipsec.sys Loaded driver \SystemRoot\system32\DRIVERS\tcpip.sys Loaded driver \??\C:\WINDOWS\system32\drivers\OAmon.sys Loaded driver \SystemRoot\system32\DRIVERS\ipnat.sys Loaded driver \SystemRoot\system32\DRIVERS\wanarp.sys Loaded driver \SystemRoot\system32\DRIVERS\netbt.sys Loaded driver \SystemRoot\System32\drivers\afd.sys Loaded driver \SystemRoot\system32\DRIVERS\netbios.sys Did not load driver \SystemRoot\System32\Drivers\PCIDump.SYS Loaded driver \SystemRoot\system32\DRIVERS\ssmdrv.sys Loaded driver \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys Loaded driver \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS Loaded driver \SystemRoot\system32\DRIVERS\rdbss.sys Loaded driver \SystemRoot\SYSTEM32\DRIVERS\OMCI.SYS Loaded driver \??\C:\WINDOWS\system32\drivers\OADriver.sys Loaded driver \SystemRoot\system32\DRIVERS\mrxsmb.sys Loaded driver \SystemRoot\System32\Drivers\Fips.SYS Loaded driver \SystemRoot\system32\DRIVERS\avipbb.sys Loaded driver \??\C:\Program Files\Avira\AntiVir Desktop\avgio.sys Loaded driver \SystemRoot\System32\Drivers\Cdfs.SYS Loaded driver \SystemRoot\system32\DRIVERS\avgntflt.sys Did not load driver \SystemRoot\system32\DRIVERS\rdbss.sys Did not load driver \SystemRoot\system32\DRIVERS\mrxsmb.sys Loaded driver \SystemRoot\system32\drivers\wdmaud.sys Loaded driver \SystemRoot\system32\drivers\sysaudio.sys Loaded driver \SystemRoot\system32\drivers\splitter.sys Loaded driver \SystemRoot\system32\drivers\aec.sys Loaded driver \SystemRoot\system32\drivers\swmidi.sys Loaded driver \SystemRoot\system32\drivers\DMusic.sys Loaded driver \SystemRoot\system32\drivers\kmixer.sys Loaded driver \SystemRoot\system32\drivers\drmkaud.sys Loaded driver \SystemRoot\System32\Drivers\ParVdm.SYS Did not load driver \SystemRoot\system32\DRIVERS\avgntflt.sys Loaded driver \??\C:\WINDOWS\system32\drivers\tmcomm.sys Did not load driver \SystemRoot\system32\DRIVERS\ipnat.sys Loaded driver \??\C:\WINDOWS\system32\drivers\TfNetMon.sys Loaded driver \??\C:\WINDOWS\system32\Drivers\mchInjDrv.sys Loaded driver \SystemRoot\system32\drivers\kmixer.sys ROOT REPEAL log ROOTREPEAL © AD, 2007-2009 ================================================== Scan Start Time: 2009/08/10 17:37 Program Version: Version 1.3.3.0 Windows Version: Windows XP SP3 ================================================== Drivers ------------------- Name: aujasnkj.sys Image Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\aujasnkj.sys Address: 0xEF696000 Size: 83584 File Visible: No Signed: - Status: - Name: dump_atapi.sys Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys Address: 0xF35D0000 Size: 98304 File Visible: No Signed: - Status: - Name: dump_WMILIB.SYS Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS Address: 0xF7AA5000 Size: 8192 File Visible: No Signed: - Status: - Name: mchInjDrv.sys Image Path: C:\WINDOWS\system32\Drivers\mchInjDrv.sys Address: 0xF7C3F000 Size: 2560 File Visible: No Signed: - Status: - Name: PCI_PNP4910 Image Path: \Driver\PCI_PNP4910 Address: 0x00000000 Size: 0 File Visible: No Signed: - Status: - Name: rootrepeal.sys Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys Address: 0xF1568000 Size: 49152 File Visible: No Signed: - Status: - Name: spjv.sys Image Path: spjv.sys Address: 0xF744D000 Size: 1052672 File Visible: No Signed: - Status: - Name: sptd Image Path: \Driver\sptd Address: 0x00000000 Size: 0 File Visible: No Signed: - Status: - SSDT ------------------- #: 017 Function Name: NtAllocateVirtualMemory Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xf36b6e60 #: 019 Function Name: NtAssignProcessToJobObject Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xf36b75c0 #: 031 Function Name: NtConnectPort Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xf36b5610 #: 037 Function Name: NtCreateFile Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xf36c40d0 #: 041 Function Name: NtCreateKey Status: Hooked by "<unknown>" at address 0xf7cc486e #: 046 Function Name: NtCreatePort Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xf36b52c0 #: 047 Function Name: NtCreateProcess Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xf36b2580 #: 048 Function Name: NtCreateProcessEx Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xf36b2960 #: 050 Function Name: NtCreateSection Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xf36b2060 #: 053 Function Name: NtCreateThread Status: Hooked by "<unknown>" at address 0xf7cc4864 #: 057 Function Name: NtDebugActiveProcess Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xf36b45a0 #: 062 Function Name: NtDeleteFile Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xf36c4b50 #: 063 Function Name: NtDeleteKey Status: Hooked by "<unknown>" at address 0xf7cc4873 #: 065 Function Name: NtDeleteValueKey Status: Hooked by "<unknown>" at address 0xf7cc487d #: 068 Function Name: NtDuplicateObject Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xf36b4fe0 #: 071 Function Name: NtEnumerateKey Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xf36c4070 #: 073 Function Name: NtEnumerateValueKey Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xf36c40a0 #: 097 Function Name: NtLoadDriver Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xf36b65d0 #: 098 Function Name: NtLoadKey Status: Hooked by "<unknown>" at address 0xf7cc4882 #: 116 Function Name: NtOpenFile Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xf36c4760 #: 119 Function Name: NtOpenKey Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xf36c2c20 #: 122 Function Name: NtOpenProcess Status: Hooked by "<unknown>" at address 0xf7cc4850 #: 125 Function Name: NtOpenSection Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xf36b2300 #: 128 Function Name: NtOpenThread Status: Hooked by "<unknown>" at address 0xf7cc4855 #: 137 Function Name: NtProtectVirtualMemory Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xf36b7250 #: 145 Function Name: NtQueryDirectoryFile Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xf36b6a10 #: 160 Function Name: NtQueryKey Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xf36c4010 #: 177 Function Name: NtQueryValueKey Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xf36c4040 #: 180 Function Name: NtQueueApcThread Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xf36b7740 #: 193 Function Name: NtReplaceKey Status: Hooked by "<unknown>" at address 0xf7cc488c #: 200 Function Name: NtRequestWaitReplyPort Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xf36b6180 #: 204 Function Name: NtRestoreKey Status: Hooked by "<unknown>" at address 0xf7cc4887 #: 206 Function Name: NtResumeThread Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xf36b4c90 #: 207 Function Name: NtSaveKey Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xf36c3ff0 #: 210 Function Name: NtSecureConnectPort Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xf36b59d0 #: 213 Function Name: NtSetContextThread Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xf36b43c0 #: 240 Function Name: NtSetSystemInformation Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xf36b4720 #: 247 Function Name: NtSetValueKey Status: Hooked by "<unknown>" at address 0xf7cc4878 #: 249 Function Name: NtShutdownSystem Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xf36b64d0 #: 253 Function Name: NtSuspendProcess Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xf36b4e40 #: 254 Function Name: NtSuspendThread Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xf36b4ac0 #: 255 Function Name: NtSystemDebugControl Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xf36b4900 #: 257 Function Name: NtTerminateProcess Status: Hooked by "<unknown>" at address 0xf7cc485f #: 258 Function Name: NtTerminateThread Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xf36b41a0 #: 262 Function Name: NtUnloadDriver Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xf36b67f0 #: 277 Function Name: NtWriteVirtualMemory Status: Hooked by "C:\WINDOWS\system32\drivers\OADriver.sys" at address 0xf36b7400 Stealth Objects ------------------- Object: Hidden Code [Driver: Ntfs, IRP_MJ_CREATE] Process: System Address: 0x86fd71f8 Size: 121 Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLOSE] Process: System Address: 0x86fd71f8 Size: 121 Object: Hidden Code [Driver: Ntfs, IRP_MJ_READ] Process: System Address: 0x86fd71f8 Size: 121 Object: Hidden Code [Driver: Ntfs, IRP_MJ_WRITE] Process: System Address: 0x86fd71f8 Size: 121 Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_INFORMATION] Process: System Address: 0x86fd71f8 Size: 121 Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_INFORMATION] Process: System Address: 0x86fd71f8 Size: 121 Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_EA] Process: System Address: 0x86fd71f8 Size: 121 Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_EA] Process: System Address: 0x86fd71f8 Size: 121 Object: Hidden Code [Driver: Ntfs, IRP_MJ_FLUSH_BUFFERS] Process: System Address: 0x86fd71f8 Size: 121 Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_VOLUME_INFORMATION] Process: System Address: 0x86fd71f8 Size: 121 Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_VOLUME_INFORMATION] Process: System Address: 0x86fd71f8 Size: 121 Object: Hidden Code [Driver: Ntfs, IRP_MJ_DIRECTORY_CONTROL] Process: System Address: 0x86fd71f8 Size: 121 Object: Hidden Code [Driver: Ntfs, IRP_MJ_FILE_SYSTEM_CONTROL] Process: System Address: 0x86fd71f8 Size: 121 Object: Hidden Code [Driver: Ntfs, IRP_MJ_DEVICE_CONTROL] Process: System Address: 0x86fd71f8 Size: 121 Object: Hidden Code [Driver: Ntfs, IRP_MJ_SHUTDOWN] Process: System Address: 0x86fd71f8 Size: 121 Object: Hidden Code [Driver: Ntfs, IRP_MJ_LOCK_CONTROL] Process: System Address: 0x86fd71f8 Size: 121 Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLEANUP] Process: System Address: 0x86fd71f8 Size: 121 Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_SECURITY] Process: System Address: 0x86fd71f8 Size: 121 Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_SECURITY] Process: System Address: 0x86fd71f8 Size: 121 Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_QUOTA] Process: System Address: 0x86fd71f8 Size: 121 Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_QUOTA] Process: System Address: 0x86fd71f8 Size: 121 Object: Hidden Code [Driver: Ntfs, IRP_MJ_PNP] Process: System Address: 0x86fd71f8 Size: 121 Object: Hidden Code [Driver: adn8wzohȅ瑎獆ȁఅ䵃慖, IRP_MJ_CREATE] Process: System Address: 0x86d911f8 Size: 121 Object: Hidden Code [Driver: adn8wzohȅ瑎獆ȁఅ䵃慖, IRP_MJ_CLOSE] Process: System Address: 0x86d911f8 Size: 121 Object: Hidden Code [Driver: adn8wzohȅ瑎獆ȁఅ䵃慖, IRP_MJ_DEVICE_CONTROL] Process: System Address: 0x86d911f8 Size: 121 Object: Hidden Code [Driver: adn8wzohȅ瑎獆ȁఅ䵃慖, IRP_MJ_INTERNAL_DEVICE_CONTROL] Process: System Address: 0x86d911f8 Size: 121 Object: Hidden Code [Driver: adn8wzohȅ瑎獆ȁఅ䵃慖, IRP_MJ_POWER] Process: System Address: 0x86d911f8 Size: 121 Object: Hidden Code [Driver: adn8wzohȅ瑎獆ȁఅ䵃慖, IRP_MJ_SYSTEM_CONTROL] Process: System Address: 0x86d911f8 Size: 121 Object: Hidden Code [Driver: adn8wzohȅ瑎獆ȁఅ䵃慖, IRP_MJ_PNP] Process: System Address: 0x86d911f8 Size: 121 Object: Hidden Code [Driver: Cdrom, IRP_MJ_CREATE] Process: System Address: 0x86e47500 Size: 121 Object: Hidden Code [Driver: Cdrom, IRP_MJ_CLOSE] Process: System Address: 0x86e47500 Size: 121 Object: Hidden Code [Driver: Cdrom, IRP_MJ_READ] Process: System Address: 0x86e47500 Size: 121 Object: Hidden Code [Driver: Cdrom, IRP_MJ_WRITE] Process: System Address: 0x86e47500 Size: 121 Object: Hidden Code [Driver: Cdrom, IRP_MJ_FLUSH_BUFFERS] Process: System Address: 0x86e47500 Size: 121 Object: Hidden Code [Driver: Cdrom, IRP_MJ_DEVICE_CONTROL] Process: System Address: 0x86e47500 Size: 121 Object: Hidden Code [Driver: Cdrom, IRP_MJ_INTERNAL_DEVICE_CONTROL] Process: System Address: 0x86e47500 Size: 121 Object: Hidden Code [Driver: Cdrom, IRP_MJ_SHUTDOWN] Process: System Address: 0x86e47500 Size: 121 Object: Hidden Code [Driver: Cdrom, IRP_MJ_POWER] Process: System Address: 0x86e47500 Size: 121 Object: Hidden Code [Driver: Cdrom, IRP_MJ_SYSTEM_CONTROL] Process: System Address: 0x86e47500 Size: 121 Object: Hidden Code [Driver: Cdrom, IRP_MJ_PNP] Process: System Address: 0x86e47500 Size: 121 Object: Hidden Code [Driver: dmio, IRP_MJ_CREATE] Process: System Address: 0x86f6c1f8 Size: 121 Object: Hidden Code [Driver: dmio, IRP_MJ_CLOSE] Process: System Address: 0x86f6c1f8 Size: 121 Object: Hidden Code [Driver: dmio, IRP_MJ_READ] Process: System Address: 0x86f6c1f8 Size: 121 Object: Hidden Code [Driver: dmio, IRP_MJ_WRITE] Process: System Address: 0x86f6c1f8 Size: 121 Object: Hidden Code [Driver: dmio, IRP_MJ_FLUSH_BUFFERS] Process: System Address: 0x86f6c1f8 Size: 121 Object: Hidden Code [Driver: dmio, IRP_MJ_DEVICE_CONTROL] Process: System Address: 0x86f6c1f8 Size: 121 Object: Hidden Code [Driver: dmio, IRP_MJ_INTERNAL_DEVICE_CONTROL] Process: System Address: 0x86f6c1f8 Size: 121 Object: Hidden Code [Driver: dmio, IRP_MJ_SHUTDOWN] Process: System Address: 0x86f6c1f8 Size: 121 Object: Hidden Code [Driver: dmio, IRP_MJ_POWER] Process: System Address: 0x86f6c1f8 Size: 121 Object: Hidden Code [Driver: dmio, IRP_MJ_SYSTEM_CONTROL] Process: System Address: 0x86f6c1f8 Size: 121 Object: Hidden Code [Driver: dmio, IRP_MJ_PNP] Process: System Address: 0x86f6c1f8 Size: 121 Object: Hidden Code [Driver: usbuhci, IRP_MJ_CREATE] Process: System Address: 0x86e4b1f8 Size: 121 Object: Hidden Code [Driver: usbuhci, IRP_MJ_CLOSE] Process: System Address: 0x86e4b1f8 Size: 121 Object: Hidden Code [Driver: usbuhci, IRP_MJ_DEVICE_CONTROL] Process: System Address: 0x86e4b1f8 Size: 121 Object: Hidden Code [Driver: usbuhci, IRP_MJ_INTERNAL_DEVICE_CONTROL] Process: System Address: 0x86e4b1f8 Size: 121 Object: Hidden Code [Driver: usbuhci, IRP_MJ_POWER] Process: System Address: 0x86e4b1f8 Size: 121 Object: Hidden Code [Driver: usbuhci, IRP_MJ_SYSTEM_CONTROL] Process: System Address: 0x86e4b1f8 Size: 121 Object: Hidden Code [Driver: usbuhci, IRP_MJ_PNP] Process: System Address: 0x86e4b1f8 Size: 121 Object: Hidden Code [Driver: Ftdisk, IRP_MJ_CREATE] Process: System Address: 0x86fd91f8 Size: 121 Object: Hidden Code [Driver: Ftdisk, IRP_MJ_READ] Process: System Address: 0x86fd91f8 Size: 121 Object: Hidden Code [Driver: Ftdisk, IRP_MJ_WRITE] Process: System Address: 0x86fd91f8 Size: 121 Object: Hidden Code [Driver: Ftdisk, IRP_MJ_FLUSH_BUFFERS] Process: System Address: 0x86fd91f8 Size: 121 Object: Hidden Code [Driver: Ftdisk, IRP_MJ_DEVICE_CONTROL] Process: System Address: 0x86fd91f8 Size: 121 Object: Hidden Code [Driver: Ftdisk, IRP_MJ_INTERNAL_DEVICE_CONTROL] Process: System Address: 0x86fd91f8 Size: 121 Object: Hidden Code [Driver: Ftdisk, IRP_MJ_SHUTDOWN] Process: System Address: 0x86fd91f8 Size: 121 Object: Hidden Code [Driver: Ftdisk, IRP_MJ_CLEANUP] Process: System Address: 0x86fd91f8 Size: 121 Object: Hidden Code [Driver: Ftdisk, IRP_MJ_POWER] Process: System Address: 0x86fd91f8 Size: 121 Object: Hidden Code [Driver: Ftdisk, IRP_MJ_SYSTEM_CONTROL] Process: System Address: 0x86fd91f8 Size: 121 Object: Hidden Code [Driver: Ftdisk, IRP_MJ_PNP] Process: System Address: 0x86fd91f8 Size: 121 Object: Hidden Code [Driver: NetBT, IRP_MJ_CREATE] Process: System Address: 0x863d01f8 Size: 121 Object: Hidden Code [Driver: NetBT, IRP_MJ_CLOSE] Process: System Address: 0x863d01f8 Size: 121 Object: Hidden Code [Driver: NetBT, IRP_MJ_DEVICE_CONTROL] Process: System Address: 0x863d01f8 Size: 121 Object: Hidden Code [Driver: NetBT, IRP_MJ_INTERNAL_DEVICE_CONTROL] Process: System Address: 0x863d01f8 Size: 121 Object: Hidden Code [Driver: NetBT, IRP_MJ_CLEANUP] Process: System Address: 0x863d01f8 Size: 121 Object: Hidden Code [Driver: NetBT, IRP_MJ_PNP] Process: System Address: 0x863d01f8 Size: 121 Object: Hidden Code [Driver: usbehci, IRP_MJ_CREATE] Process: System Address: 0x86e80500 Size: 121 Object: Hidden Code [Driver: usbehci, IRP_MJ_CLOSE] Process: System Address: 0x86e80500 Size: 121 Object: Hidden Code [Driver: usbehci, IRP_MJ_DEVICE_CONTROL] Process: System Address: 0x86e80500 Size: 121 Object: Hidden Code [Driver: usbehci, IRP_MJ_INTERNAL_DEVICE_CONTROL] Process: System Address: 0x86e80500 Size: 121 Object: Hidden Code [Driver: usbehci, IRP_MJ_POWER] Process: System Address: 0x86e80500 Size: 121 Object: Hidden Code [Driver: usbehci, IRP_MJ_SYSTEM_CONTROL] Process: System Address: 0x86e80500 Size: 121 Object: Hidden Code [Driver: usbehci, IRP_MJ_PNP] Process: System Address: 0x86e80500 Size: 121 Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE] Process: System Address: 0x863cb1f8 Size: 121 Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE_NAMED_PIPE] Process: System Address: 0x863cb1f8 Size: 121 Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CLOSE] Process: System Address: 0x863cb1f8 Size: 121 Object: Hidden Code [Driver: MRxSmb, IRP_MJ_READ] Process: System Address: 0x863cb1f8 Size: 121 Object: Hidden Code [Driver: MRxSmb, IRP_MJ_WRITE] Process: System Address: 0x863cb1f8 Size: 121 Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_INFORMATION] Process: System Address: 0x863cb1f8 Size: 121 Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_INFORMATION] Process: System Address: 0x863cb1f8 Size: 121 Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_EA] Process: System Address: 0x863cb1f8 Size: 121 Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_EA] Process: System Address: 0x863cb1f8 Size: 121 Object: Hidden Code [Driver: MRxSmb, IRP_MJ_FLUSH_BUFFERS] Process: System Address: 0x863cb1f8 Size: 121 Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_VOLUME_INFORMATION] Process: System Address: 0x863cb1f8 Size: 121 Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_VOLUME_INFORMATION] Process: System Address: 0x863cb1f8 Size: 121 Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DIRECTORY_CONTROL] Process: System Address: 0x863cb1f8 Size: 121 Object: Hidden Code [Driver: MRxSmb, IRP_MJ_FILE_SYSTEM_CONTROL] Process: System Address: 0x863cb1f8 Size: 121 Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DEVICE_CONTROL] Process: System Address: 0x863cb1f8 Size: 121 Object: Hidden Code [Driver: MRxSmb, IRP_MJ_INTERNAL_DEVICE_CONTROL] Process: System Address: 0x863cb1f8 Size: 121 Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SHUTDOWN] Process: System Address: 0x863cb1f8 Size: 121 Object: Hidden Code [Driver: MRxSmb, IRP_MJ_LOCK_CONTROL] Process: System Address: 0x863cb1f8 Size: 121 Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CLEANUP] Process: System Address: 0x863cb1f8 Size: 121 Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE_MAILSLOT] Process: System Address: 0x863cb1f8 Size: 121 Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_SECURITY] Process: System Address: 0x863cb1f8 Size: 121 Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_SECURITY] Process: System Address: 0x863cb1f8 Size: 121 Object: Hidden Code [Driver: MRxSmb, IRP_MJ_POWER] Process: System Address: 0x863cb1f8 Size: 121 Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SYSTEM_CONTROL] Process: System Address: 0x863cb1f8 Size: 121 Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DEVICE_CHANGE] Process: System Address: 0x863cb1f8 Size: 121 Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_QUOTA] Process: System Address: 0x863cb1f8 Size: 121 Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_QUOTA] Process: System Address: 0x863cb1f8 Size: 121 Object: Hidden Code [Driver: MRxSmb, IRP_MJ_PNP] Process: System Address: 0x863cb1f8 Size: 121 Object: Hidden Code [Driver: Cdfsȅఐ卆浩ᜄ, IRP_MJ_CREATE] Process: System Address: 0x863c61f8 Size: 121 Object: Hidden Code [Driver: Cdfsȅఐ卆浩ᜄ, IRP_MJ_CLOSE] Process: System Address: 0x863c61f8 Size: 121 Object: Hidden Code [Driver: Cdfsȅఐ卆浩ᜄ, IRP_MJ_READ] Process: System Address: 0x863c61f8 Size: 121 Object: Hidden Code [Driver: Cdfsȅఐ卆浩ᜄ, IRP_MJ_QUERY_INFORMATION] Process: System Address: 0x863c61f8 Size: 121 Object: Hidden Code [Driver: Cdfsȅఐ卆浩ᜄ, IRP_MJ_SET_INFORMATION] Process: System Address: 0x863c61f8 Size: 121 Object: Hidden Code [Driver: Cdfsȅఐ卆浩ᜄ, IRP_MJ_QUERY_VOLUME_INFORMATION] Process: System Address: 0x863c61f8 Size: 121 Object: Hidden Code [Driver: Cdfsȅఐ卆浩ᜄ, IRP_MJ_DIRECTORY_CONTROL] Process: System Address: 0x863c61f8 Size: 121 Object: Hidden Code [Driver: Cdfsȅఐ卆浩ᜄ, IRP_MJ_FILE_SYSTEM_CONTROL] Process: System Address: 0x863c61f8 Size: 121 Object: Hidden Code [Driver: Cdfsȅఐ卆浩ᜄ, IRP_MJ_DEVICE_CONTROL] Process: System Address: 0x863c61f8 Size: 121 Object: Hidden Code [Driver: Cdfsȅఐ卆浩ᜄ, IRP_MJ_SHUTDOWN] Process: System Address: 0x863c61f8 Size: 121 Object: Hidden Code [Driver: Cdfsȅఐ卆浩ᜄ, IRP_MJ_LOCK_CONTROL] Process: System Address: 0x863c61f8 Size: 121 Object: Hidden Code [Driver: Cdfsȅఐ卆浩ᜄ, IRP_MJ_CLEANUP] Process: System Address: 0x863c61f8 Size: 121 Object: Hidden Code [Driver: Cdfsȅఐ卆浩ᜄ, IRP_MJ_PNP] Process: System Address: 0x863c61f8 Size: 121 ==EOF== HIJACK this log Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 18:04:19, on 2009-08-10 Platform: Windows XP SP3 (WinNT 5.01.2600) MSIE: Internet Explorer v8.00 (8.00.6001.18702) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\csrss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Tall Emu\Online Armor\OAcat.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Avira\AntiVir Desktop\sched.exe C:\Program Files\Avira\AntiVir Desktop\avguard.exe C:\Program Files\Java\jre6\bin\jqs.exe C:\Program Files\ThreatFire\TFService.exe C:\WINDOWS\Explorer.EXE C:\Program Files\ThreatFire\TFTray.exe C:\Program Files\Avira\AntiVir Desktop\avgnt.exe C:\Program Files\Java\jre6\bin\jusched.exe C:\WINDOWS\System32\alg.exe C:\Program Files\Tall Emu\Online Armor\oaui.exe C:\Program Files\Tall Emu\Online Armor\OAhlp.exe C:\Program Files\Tall Emu\Online Armor\oasrv.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Java\jre6\bin\java.exe C:\WINDOWS\system32\NOTEPAD.EXE C:\Program Files\Trend Micro\HijackThis\HijackThis.exe C:\WINDOWS\system32\wbem\wmiprvse.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.garena.com/portal/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file) O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll O3 - Toolbar: StylerToolBar - {D2F8F919-690B-4EA2-9FA7-A203D1E04F75} - C:\Program Files\ESAP 3\Windows 7 - Styler\TB\StylerTB.dll O4 - HKLM\..\Run: [iMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32 O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName O4 - HKLM\..\Run: [@OnlineArmor GUI] "C:\Program Files\Tall Emu\Online Armor\oaui.exe" O4 - HKLM\..\Run: [ThreatFire] C:\Program Files\ThreatFire\TFTray.exe O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe" O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM') O4 - HKUS\S-1-5-18\..\Run: [styler] C:\Program Files\ESAP 3\Windows 7 - Styler\Styler.exe (User 'SYSTEM') O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user') O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user') O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab56986.cab O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab56986.cab O17 - HKLM\System\CCS\Services\Tcpip\..\{47FCC92C-B442-4704-B678-11F8AE118855}: NameServer = 208.67.222.222,208.67.220.220 O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS\system32\GameMon.des.exe (file missing) O23 - Service: Online Armor Helper Service (OAcat) - Tall Emu - C:\Program Files\Tall Emu\Online Armor\OAcat.exe O23 - Service: Online Armor (SvcOnlineArmor) - Tall Emu - C:\Program Files\Tall Emu\Online Armor\oasrv.exe O23 - Service: ThreatFire - PC Tools - C:\Program Files\ThreatFire\TFService.exe -- End of file - 5893 bytes And the kaspersky failed got this error message Update has failed. Program has failed to start. Close the Kaspersky Online Scanner 7.0 window and open it again to install the program. You must be online to update the Kaspersky Online Scanner 7.0 database. With the latest database updates, you can find new viruses and other threats. Please go online to use Kaspersky Online Scanner 7.0. [ERROR: Key is expired] and i reloaded the scanner several times but still got that. there has been no change of the speed of my computer since last time i posted GMERlog.zip DriversGeneral.txt DriversSigned.txt GMERlog.zip DriversGeneral.txt DriversSigned.txt
  8. COMBOFIX ComboFix 09-08-07.09 - Administrator 2009-08-08 9:34.1.1 - NTFSx86Microsoft Windows XP Professional 5.1.2600.3.1252.46.1033.18.1023.652 [GMT 1:00] Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe AV: AntiVir Desktop *On-access scanning disabled* (Outdated) {AD166499-45F9-482A-A743-FDD3350758C7} FW: Online Armor Firewall *disabled* {B797DAA0-7E2E-4711-8BB3-D12744F1922A} . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . c:\documents and settings\Administrator\WgaTray.exe c:\documents and settings\Default User\WgaTray.exe c:\windows\system32\Config.ini c:\windows\system32\config\systemprofile\WgaTray.exe c:\windows\system32\kdfinj.dll c:\windows\system32\WgaLogon.dll . ((((((((((((((((((((((((( Files Created from 2009-07-08 to 2009-08-08 ))))))))))))))))))))))))))))))) . 2009-08-08 08:43 . 2009-08-08 08:43 -------- d-----w- c:\windows\system32\wbem\snmp 2009-08-08 08:43 . 2009-08-08 08:43 -------- d-----w- c:\windows\system32\xircom 2009-08-08 08:43 . 2009-08-08 08:43 -------- d-----w- c:\program files\microsoft frontpage 2009-08-07 18:07 . 2009-08-07 18:07 -------- d-----w- c:\program files\Gravity 2009-08-07 12:39 . 2009-08-07 12:39 -------- d-----w- c:\program files\Audacity 2009-08-05 14:05 . 2009-08-07 22:09 -------- d-----w- c:\program files\Diablo II 2009-08-04 13:46 . 2009-08-04 14:39 -------- d-----w- C:\Unreal2 2009-08-04 13:37 . 2009-08-04 13:37 -------- d--h--w- c:\windows\PIF 2009-08-02 15:47 . 2009-08-06 14:50 -------- d-----w- c:\documents and settings\Administrator\Application Data\vlc 2009-08-02 15:43 . 2009-08-02 15:55 -------- d-----w- c:\program files\Opera 2009-08-02 15:33 . 2009-08-02 15:33 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Temp 2009-08-02 15:33 . 2009-08-02 15:39 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Google 2009-07-31 12:22 . 2009-08-02 14:15 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS 2009-07-31 12:22 . 2009-08-02 14:15 -------- d-----w- c:\program files\NOS 2009-07-28 16:00 . 2009-07-28 16:00 -------- d-----w- C:\Sandbox 2009-07-28 16:00 . 2009-08-04 15:19 -------- d-----w- c:\program files\Sandboxie 2009-07-28 11:53 . 2009-07-28 12:22 -------- d-----w- c:\program files\rise 2009-07-28 11:52 . 2009-07-28 11:52 -------- d-----w- c:\documents and settings\Administrator\Application Data\InstallShield 2009-07-27 21:21 . 2009-07-28 09:04 -------- d-----w- c:\documents and settings\Administrator\Application Data\Microsoft Games 2009-07-27 20:51 . 2009-07-27 20:52 -------- d-----w- c:\program files\Hamachi 2009-07-25 09:53 . 2009-07-25 09:56 -------- d-----w- C:\Oplex 2009-07-24 09:58 . 2009-07-24 09:58 -------- d-----w- c:\program files\Defraggler 2009-07-23 19:51 . 2009-08-07 21:48 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\CurseClient 2009-07-23 19:51 . 2009-07-23 19:51 -------- d-----w- c:\program files\Curse 2009-07-11 12:38 . 2009-07-12 09:26 -------- d-----w- c:\program files\DivX 2009-07-10 16:14 . 2009-07-10 16:14 -------- d-----w- C:\ProgramData 2009-07-10 16:14 . 2008-09-04 18:17 447752 ----a-r- c:\windows\system32\vp6vfw.dll 2009-07-10 16:14 . 2009-07-10 16:14 10134 ----a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{E3E71D07-CD27-46CB-8448-16D4FB29AA13}\ARPPRODUCTICON.exe 2009-07-10 16:14 . 2009-07-10 16:14 -------- d-----w- c:\program files\Microsoft WSE 2009-07-10 12:20 . 2009-07-10 12:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Azureus 2009-07-10 12:20 . 2009-08-08 08:16 -------- d-----w- c:\documents and settings\Administrator\Application Data\Azureus 2009-07-09 18:58 . 2009-07-09 18:58 -------- d-----w- c:\program files\VideoLAN 2009-07-09 14:50 . 2009-07-27 13:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Electronic Arts 2009-07-09 14:48 . 2009-07-09 14:48 -------- d--h--r- c:\documents and settings\Administrator\Application Data\SecuROM 2009-07-09 14:14 . 2009-07-09 14:14 -------- d-----w- c:\documents and settings\Administrator\Application Data\Red Alert 3 2009-07-09 09:42 . 2009-07-10 14:11 25 ----a-w- c:\windows\popcinfot.dat . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2009-08-08 08:43 . 2009-05-07 11:10 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP 2009-08-08 08:16 . 2009-07-12 10:10 -------- d-----w- c:\documents and settings\Administrator\Application Data\Winamp 2009-08-07 20:46 . 2009-05-07 14:41 -------- d-----w- c:\documents and settings\Administrator\Application Data\Skype 2009-08-07 18:06 . 2009-05-07 15:58 65536 -c--a-w- c:\windows\IFinst27.exe 2009-08-06 14:50 . 2009-08-02 15:47 -------- d-----w- c:\documents and settings\Administrator\Application Data\vlc 2009-08-05 14:08 . 2009-05-08 18:18 -------- d-----w- c:\program files\Common Files\Blizzard Entertainment 2009-08-05 12:15 . 2009-05-06 20:21 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys 2009-08-04 13:46 . 2009-05-07 07:39 -------- d--h--w- c:\program files\InstallShield Installation Information 2009-08-04 13:23 . 2009-05-14 16:05 -------- d-----w- c:\documents and settings\Administrator\Application Data\uTorrent 2009-08-03 21:29 . 2009-05-07 09:09 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware 2009-08-03 21:28 . 2009-05-26 19:56 3942048 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe 2009-08-03 12:36 . 2009-05-07 09:09 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys 2009-08-03 12:36 . 2009-05-07 09:09 19096 ----a-w- c:\windows\system32\drivers\mbam.sys 2009-08-03 10:27 . 2009-06-17 23:00 -------- d-----w- c:\program files\Common Files\GTK 2009-08-02 16:01 . 2009-05-11 10:18 -------- d-----w- c:\program files\osu! 2009-08-02 15:12 . 2009-05-09 00:05 25992 ----a-w- c:\windows\system32\pgdfgsvc.exe 2009-08-02 14:56 . 2009-05-07 10:51 -------- d-----w- c:\program files\SpywareBlaster 2009-07-31 11:52 . 2009-06-25 12:07 -------- d-----w- c:\program files\ThreatFire 2009-07-31 11:52 . 2009-05-07 16:28 -------- d-----w- c:\program files\Microsoft Silverlight 2009-07-30 21:43 . 2009-06-06 15:53 -------- d-----w- c:\documents and settings\Administrator\Application Data\Hamachi 2009-07-27 20:51 . 2009-06-06 15:53 25280 ----a-w- c:\windows\system32\drivers\hamachi.sys 2009-07-24 12:42 . 2009-06-01 17:42 -------- d-----w- c:\documents and settings\Administrator\Application Data\Spotify 2009-07-13 07:16 . 2009-06-03 16:59 -------- d-----w- c:\program files\Guild Wars 2009-07-12 10:10 . 2009-07-12 10:10 -------- d-----w- c:\program files\Winamp 2009-07-11 04:59 . 2009-05-07 08:53 29776 ----a-w- c:\windows\system32\drivers\OAnet.sys 2009-07-11 04:17 . 2009-05-07 08:53 24656 ----a-w- c:\windows\system32\drivers\OAmon.sys 2009-07-11 04:17 . 2009-05-07 08:53 200784 ----a-w- c:\windows\system32\drivers\OADriver.sys 2009-07-08 18:41 . 2009-07-08 18:41 -------- d-----w- c:\documents and settings\All Users\Application Data\PopCap Games 2009-07-08 15:41 . 2009-06-17 23:01 -------- d-----w- c:\documents and settings\Administrator\Application Data\.purple 2009-07-03 17:09 . 2009-03-16 18:46 915456 ----a-w- c:\windows\system32\wininet.dll 2009-07-03 11:54 . 2009-05-07 11:09 117760 ----a-w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL 2009-07-02 10:10 . 2009-07-02 09:50 -------- d-----w- c:\documents and settings\Administrator\Application Data\InfraRecorder 2009-07-01 10:18 . 2009-06-18 12:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help 2009-07-01 10:18 . 2009-06-18 12:28 -------- d-----w- c:\program files\Microsoft Visual Studio 9.0 2009-06-29 14:49 . 2009-06-29 14:48 -------- d-----w- c:\program files\Intel 2009-06-26 23:51 . 2009-06-26 23:51 -------- d-----w- c:\program files\Avira 2009-06-26 23:51 . 2009-06-26 23:51 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira 2009-06-26 16:43 . 2009-05-07 11:08 -------- d-----w- c:\program files\SUPERAntiSpyware 2009-06-25 12:07 . 2009-06-25 12:07 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools 2009-06-24 20:30 . 2009-06-24 20:30 -------- d-----w- c:\program files\Alwil Software 2009-06-24 16:39 . 2009-06-24 16:39 -------- d-----w- c:\program files\Secunia 2009-06-23 18:01 . 2009-05-21 22:46 -------- d-----w- c:\documents and settings\Administrator\Application Data\FileZilla 2009-06-23 11:57 . 2009-05-07 10:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy 2009-06-19 15:06 . 2009-06-19 15:03 -------- d-----w- c:\documents and settings\Administrator\Application Data\GlarySoft 2009-06-19 13:37 . 2009-06-25 12:07 46864 ----a-w- c:\windows\system32\drivers\TfSysMon.sys 2009-06-19 13:37 . 2009-06-25 12:07 33552 ----a-w- c:\windows\system32\drivers\TfNetMon.sys 2009-06-19 13:37 . 2009-06-25 12:07 51984 ----a-w- c:\windows\system32\drivers\TfFsMon.sys 2009-06-18 13:17 . 2009-06-18 13:17 -------- d-----w- c:\documents and settings\Administrator\Application Data\TortoiseSVN 2009-06-18 13:00 . 2009-05-06 21:05 35760 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT 2009-06-18 12:48 . 2009-06-18 12:48 -------- d-----w- c:\documents and settings\Administrator\Application Data\Subversion 2009-06-18 12:34 . 2009-06-18 12:34 -------- d-----w- c:\program files\Microsoft SQL Server 2009-06-18 12:34 . 2009-06-18 12:34 112640 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\VCExpress\9.0\1033\ResourceCache.dll 2009-06-18 12:33 . 2009-06-18 12:33 416 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\MSDN\9.0\1033\ResourceCache.dll 2009-06-18 12:23 . 2009-06-18 12:23 -------- d-----w- c:\program files\Microsoft SDKs 2009-06-17 23:05 . 2009-06-17 23:02 -------- d-----w- c:\documents and settings\Administrator\Application Data\gtk-2.0 2009-06-17 17:16 . 2009-06-17 17:16 -------- d-----w- c:\program files\ATI Technologies 2009-06-17 12:20 . 2009-03-24 11:03 12648 ----a-w- c:\windows\system32\drivers\psi_mf.sys 2009-06-17 10:51 . 2009-06-17 10:51 720896 ----a-w- c:\windows\iun6002.exe 2009-06-16 14:36 . 2008-04-14 03:42 119808 ----a-w- c:\windows\system32\t2embed.dll 2009-06-16 14:36 . 2008-04-14 03:41 81920 ----a-w- c:\windows\system32\fontsub.dll 2009-06-13 21:09 . 2009-06-13 21:04 -------- d-----w- c:\documents and settings\Administrator\Application Data\mIRC 2009-06-11 19:23 . 2009-05-06 20:47 -------- d-----w- c:\program files\ESAP 3 2009-06-10 11:57 . 2009-06-10 11:57 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Xfire 2009-06-06 19:00 . 2009-06-06 19:00 249856 ------w- c:\windows\Setup1.exe 2009-06-06 19:00 . 2009-06-06 19:00 73216 ----a-w- c:\windows\ST6UNST.EXE 2009-06-05 17:48 . 2009-06-05 17:48 721904 ----a-w- c:\windows\system32\drivers\sptd.sys 2009-06-03 19:09 . 2008-04-14 03:42 1291264 ----a-w- c:\windows\system32\quartz.dll 2009-06-01 16:07 . 2009-06-01 16:07 46080 ----a-w- c:\windows\system32\cimo.sys 2009-06-01 13:41 . 2009-06-01 13:41 102664 ----a-w- c:\windows\system32\drivers\tmcomm.sys . ------- Sigcheck ------- [-] 2009-03-11 14:31 2003456 A93D1D8A4122F7DEFDD4D0F34CF67213 c:\windows\explorer.exe . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2008-04-13 208952] "MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2008-04-13 59392] "PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-13 455168] "PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-13 455168] "@OnlineArmor GUI"="c:\program files\Tall Emu\Online Armor\OAui.exe" [2009-07-11 2121416] "ThreatFire"="c:\program files\ThreatFire\TFTray.exe" [2009-06-19 259344] "avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153] [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360] "Styler"="c:\program files\ESAP 3\Windows 7 - Styler\Styler.exe" [2007-04-15 307200] [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce] "ShowDeskFix"="shell32" [X] "nltide_3"="advpack.dll" - c:\windows\system32\advpack.dll [2009-03-08 128512] [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer] "NoResolveTrack"= 1 (0x1) "NoRecentDocsNetHood"= 01000000 [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer] "ForceClassicControlPanel"= 1 (0x1) "NoResolveTrack"= 1 (0x1) "NoSMHelp"= 1 (0x1) [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\disallowrun] "1"= avnotify.dll "2"= avnotify.exe [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks] "{4F07DA45-8170-4859-9B5F-037EF2970034}"= "c:\progra~1\TALLEM~1\ONLINE~1\oaevent.dll" [2009-07-11 336584] "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon] 2008-12-22 11:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile] "DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0) [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "%windir%\\system32\\sessmgr.exe"= "c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"= "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"= "c:\\Program Files\\uTorrent\\uTorrent.exe"= "c:\\Program Files\\Spotify\\spotify.exe"= "c:\\Program Files\\Curse\\CurseClient.exe"= "c:\\Program Files\\Skype\\Phone\\Skype.exe"= [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings] "AllowInboundEchoRequest"= 1 (0x1) R0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys [2009-06-25 51984] R0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys [2009-06-25 46864] R1 OADevice;OADriver;c:\windows\system32\drivers\OADriver.sys [2009-05-07 200784] R1 OAmon;OAmon;c:\windows\system32\drivers\OAmon.sys [2009-05-07 24656] R1 OAnet;OAnet;c:\windows\system32\drivers\OAnet.sys [2009-05-07 29776] R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2009-04-28 9968] R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2009-04-28 72944] R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2009-06-27 108289] R2 OAcat;Online Armor Helper Service;c:\program files\Tall Emu\Online Armor\oacat.exe [2009-05-07 362184] R2 SvcOnlineArmor;Online Armor;c:\program files\Tall Emu\Online Armor\oasrv.exe [2009-05-07 3142344] R2 ThreatFire;ThreatFire;c:\program files\ThreatFire\TFService.exe service --> c:\program files\ThreatFire\TFService.exe service [?] R3 TfNetMon;TfNetMon;c:\windows\system32\drivers\TfNetMon.sys [2009-06-25 33552] S3 cimo;cimo;c:\windows\system32\cimo.sys [2009-06-01 46080] S3 Mkd2kfNt;Mkd2kfNt;c:\windows\system32\drivers\Mkd2kfNT.sys [2009-06-24 131072] S3 Mkd2Nadr;Mkd2Nadr;c:\windows\system32\drivers\Mkd2Nadr.sys [2009-06-24 79104] S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?] S3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [2009-03-24 12648] S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-04-28 7408] S3 V0220Dev;Live! Cam Video IM;c:\windows\system32\drivers\V0220Dev.sys [2009-05-26 146112] S3 V0220Vfx;V0220VFX;c:\windows\system32\drivers\V0220Vfx.sys [2009-05-26 6272] --- Other Services/Drivers In Memory --- *Deregistered* - mchInjDrv [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}] "c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP . Contents of the 'Scheduled Tasks' folder 2009-06-25 c:\windows\Tasks\User_Feed_Synchronization-{DF99D6C6-4DB4-40DE-8F14-A620F885C18F}.job - c:\windows\system32\msfeedssync.exe [2009-05-06 03:31] . . ------- Supplementary Scan ------- . uStart Page = hxxp://www.garena.com/portal/ TCP: {47FCC92C-B442-4704-B678-11F8AE118855} = 208.67.222.222,208.67.220.220 DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\z8x8krrv.default\ FF - prefs.js: browser.search.selectedEngine - Wowhead FF - prefs.js: browser.startup.homepage - hxxp://muffos.wowstead.com/|http://www.malwarebytes.org/forums/index.php?showtopic=20619&st=0&p=105270entry105270|http://www.bleepingcomputer.com/combofix/how-to-use-combofix FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\ ---- FIREFOX POLICIES ---- c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false); c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.cache_size", 51200); c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.ogg.enabled", true); c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.wave.enabled", true); c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.autoplay.enabled", true); c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true); c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess"); c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120); c:\program files\Mozilla Firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3); c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true); c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.dpi", -1); c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1); c:\program files\Mozilla Firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true); c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0); c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072); c:\program files\Mozilla Firefox\greprefs\all.js - pref("geo.enabled", true); c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true); c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35"); c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35"); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~"); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror"); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false); c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json"); . ************************************************************************** catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2009-08-08 09:44 Windows 5.1.2600 Service Pack 3 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... c:\docume~1\ADMINI~1\LOCALS~1\Temp\RGI5.tmp 7075 bytes scan completed successfully hidden files: 1 ************************************************************************** [HKEY_LOCAL_MACHINE\System\ControlSet003\Services\npggsvc] "ImagePath"="c:\windows\system32\GameMon.des -service" . --------------------- LOCKED REGISTRY KEYS --------------------- [HKEY_USERS\S-1-5-21-1935655697-1958367476-1606980848-500\Software\Microsoft\Internet Explorer\User Preferences] @Denied: (2) (Administrator) "88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15, d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,a4,b1,2c,4d,d7,65,7a,47,96,d2,8d,\ "2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15, d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,a4,b1,2c,4d,d7,65,7a,47,96,d2,8d,\ [HKEY_USERS\S-1-5-21-1935655697-1958367476-1606980848-500\Software\SecuROM\License information*] "datasecu"=hex:9a,b5,9e,db,72,66,a3,5e,dd,6f,98,6e,6c,af,df,ba,4c,5e,e5,60,a5, f7,a2,55,a8,d8,c7,7f,63,12,32,51,df,40,1d,a0,2d,2f,5f,a1,57,75,79,23,59,d7,\ "rkeysecu"=hex:d0,8e,a6,97,8b,09,6e,d3,54,6f,34,d4,9c,01,8c,ed . --------------------- DLLs Loaded Under Running Processes --------------------- - - - - - - - > 'winlogon.exe'(472) c:\program files\SUPERAntiSpyware\SASWINLO.dll c:\windows\system32\WININET.dll c:\windows\system32\Ati2evxx.dll c:\program files\ThreatFire\TFWAH.dll c:\program files\ThreatFire\TFNI.dll c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll c:\program files\ThreatFire\TFMon.dll c:\program files\ThreatFire\TFRK.dll - - - - - - - > 'lsass.exe'(528) c:\program files\ThreatFire\TFWAH.dll - - - - - - - > 'explorer.exe'(1636) c:\windows\system32\WININET.dll c:\program files\ThreatFire\TFWAH.dll c:\windows\system32\msi.dll c:\windows\system32\ieframe.dll c:\program files\ThreatFire\TFNI.dll c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll c:\program files\ThreatFire\TFMon.dll c:\program files\ThreatFire\TFRK.dll c:\windows\system32\webcheck.dll c:\windows\system32\WPDShServiceObj.dll c:\windows\system32\PortableDeviceTypes.dll c:\windows\system32\PortableDeviceApi.dll . ------------------------ Other Running Processes ------------------------ . c:\program files\Avira\AntiVir Desktop\avguard.exe c:\program files\ThreatFire\TFService.exe c:\program files\Tall Emu\Online Armor\oahlp.exe . ************************************************************************** . Completion time: 2009-08-08 9:51 - machine was rebooted ComboFix-quarantined-files.txt 2009-08-08 08:51 Pre-Run: 34
  9. OK. the problems i have is that all my programs are taking forever to start and once they do start most of them hang (stop responding) quickly & often it will result in a hard restart of windows. and i noticed that in the DDS log it says outdated on my Avira but i update it daily. (and avira guard is Started) DDS.txt DDS (Ver_09-07-30.01) - NTFSx86 Run by Administrator at 15:20:45,84 on 2009-08-07Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_13Microsoft Windows XP Professional 5.1.2600.3.1252.46.1033.18.1023.553 [GMT 1:00] AV: AntiVir Desktop *On-access scanning disabled* (Outdated) {AD166499-45F9-482A-A743-FDD3350758C7}FW: Online Armor Firewall *enabled* {B797DAA0-7E2E-4711-8BB3-D12744F1922A} ============== Running Processes =============== C:\WINDOWS\system32\svchost -k DcomLaunchC:\WINDOWS\system32\svchost -k rpcssC:\WINDOWS\System32\svchost.exe -k netsvcsC:\Program Files\Tall Emu\Online Armor\OAcat.exeC:\Program Files\Tall Emu\Online Armor\oasrv.exeC:\Program Files\Avira\AntiVir Desktop\sched.exeC:\WINDOWS\Explorer.EXEC:\Program Files\Avira\AntiVir Desktop\avguard.exeC:\Program Files\ThreatFire\TFService.exeC:\Program Files\Tall Emu\Online Armor\OAui.exeC:\Program Files\ThreatFire\TFTray.exeC:\Program Files\Avira\AntiVir Desktop\avgnt.exeC:\Program Files\Tall Emu\Online Armor\OAhlp.exeC:\WINDOWS\System32\alg.exeC:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Skype\Phone\Skype.exeC:\Program Files\Avira\AntiVir Desktop\update.exeC:\Documents and Settings\Administrator\Desktop\dds.scrC:\WINDOWS\system32\wbem\wmiprvse.exe ============== Pseudo HJT Report =============== uWindow Title = Extreme Seven 2009 UltimateuStart Page = hxxp://www.garena.com/portal/mWinlogon: SfcDisable=-99 (0xffffff9d)BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No FileBHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dllBHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dllTB: StylerToolBar: {d2f8f919-690b-4ea2-9fa7-a203d1e04f75} - c:\program files\esap 3\windows 7 - styler\tb\StylerTB.dllmRun: [iMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNCmRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNCmRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMENamemRun: [@OnlineArmor GUI] "c:\program files\tall emu\online armor\OAui.exe"mRun: [ThreatFire] c:\program files\threatfire\TFTray.exemRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /mindRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXEdRun: [styler] c:\program files\esap 3\windows 7 - styler\Styler.exedRunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,NdRunOnce: [showDeskFix] regsvr32 /s /n /i:u shell32uPolicies-explorer: NoResolveTrack = 1 (0x1)uPolicies-explorer: NoRecentDocsNetHood = 01000000uPolicies-explorer: NoInstrumentation = 1 (0x1)uPolicies-explorer: DisallowRun = 1 (0x1)uPolicies-disallowrun: 1 = avnotify.dlluPolicies-disallowrun: 2 = avnotify.exedPolicies-explorer: ForceClassicControlPanel = 1 (0x1)dPolicies-explorer: NoResolveTrack = 1 (0x1)dPolicies-explorer: NoSMHelp = 1 (0x1)IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exeIE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exeDPF: {5C051655-FCD5-4969-9182-770EA5AA5565} - hxxp://messenger.zone.msn.com/binary/SolitaireShowdown.cab56986.cabDPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cabDPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cabDPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cabDPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cabDPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cabDPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cabDPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} - hxxp://messenger.zone.msn.com/binary/MineSweeper.cab56986.cabTCP: {47FCC92C-B442-4704-B678-11F8AE118855} = 208.67.222.222,208.67.220.220Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLLNotify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dllNotify: AtiExtEvent - Ati2evxx.dllSSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dllSEH: OA Shell Helper: {4f07da45-8170-4859-9b5f-037ef2970034} - c:\progra~1\tallem~1\online~1\oaevent.dllSEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL ================= FIREFOX =================== FF - ProfilePath - c:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\z8x8krrv.default\FF - prefs.js: browser.search.selectedEngine - WowheadFF - prefs.js: browser.startup.homepage - hxxp://www.wowhead.com/FF - plugin: c:\program files\opera 10 beta\program\plugins\npdsplay.dllFF - plugin: c:\program files\opera 10 beta\program\plugins\npwmsdrm.dllFF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} ---- FIREFOX POLICIES ----c:\program files\mozilla firefox\greprefs\all.js - pref("browser.visited_color", "#551A8B");c:\program files\mozilla firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);c:\program files\mozilla firefox\greprefs\all.js - pref("media.cache_size", 51200);c:\program files\mozilla firefox\greprefs\all.js - pref("media.ogg.enabled", true);c:\program files\mozilla firefox\greprefs\all.js - pref("media.wave.enabled", true);c:\program files\mozilla firefox\greprefs\all.js - pref("media.autoplay.enabled", true);c:\program files\mozilla firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);c:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");c:\program files\mozilla firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);c:\program files\mozilla firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);c:\program files\mozilla firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.dpi", -1);c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);c:\program files\mozilla firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);c:\program files\mozilla firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);c:\program files\mozilla firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);c:\program files\mozilla firefox\greprefs\all.js - pref("geo.enabled", true);c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.videoFeeds.handler", "ask");c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json"); ============= SERVICES / DRIVERS =============== R0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys [2009-6-25 51984]R0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys [2009-6-25 46864]R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2009-6-27 11608]R1 OADevice;OADriver;c:\windows\system32\drivers\OADriver.sys [2009-5-7 200784]R1 OAmon;OAmon;c:\windows\system32\drivers\OAmon.sys [2009-5-7 24656]R1 OAnet;OAnet;c:\windows\system32\drivers\OAnet.sys [2009-5-7 29776]R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-4-28 9968]R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-4-28 72944]R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2009-6-27 108289]R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2009-6-27 185089]R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-5-6 55656]R2 OAcat;Online Armor Helper Service;c:\program files\tall emu\online armor\oacat.exe [2009-5-7 362184]R2 SvcOnlineArmor;Online Armor;c:\program files\tall emu\online armor\oasrv.exe [2009-5-7 3142344]R2 ThreatFire;ThreatFire;c:\program files\threatfire\tfservice.exe service --> c:\program files\threatfire\TFService.exe service [?]R3 TfNetMon;TfNetMon;c:\windows\system32\drivers\TfNetMon.sys [2009-6-25 33552]S3 cimo;cimo;c:\windows\system32\cimo.sys [2009-6-1 46080]S3 Mkd2kfNt;Mkd2kfNt;c:\windows\system32\drivers\Mkd2kfNT.sys [2009-6-24 131072]S3 Mkd2Nadr;Mkd2Nadr;c:\windows\system32\drivers\Mkd2Nadr.sys [2009-6-24 79104]S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\gamemon.des -service --> c:\windows\system32\GameMon.des -service [?]S3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [2009-3-24 12648]S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-4-28 7408]S3 V0220Dev;Live! Cam Video IM;c:\windows\system32\drivers\V0220Dev.sys [2009-5-26 146112]S3 V0220Vfx;V0220VFX;c:\windows\system32\drivers\V0220Vfx.sys [2009-5-26 6272] =============== Created Last 30 ================ 2009-08-07 13:39 <DIR> --d----- c:\program files\Audacity2009-08-05 15:05 <DIR> --d----- c:\program files\Diablo II2009-08-04 14:46 <DIR> --d----- C:\Unreal22009-08-04 14:37 <DIR> --d-h--- c:\windows\PIF2009-07-28 17:00 <DIR> --d----- C:\Sandbox2009-07-28 17:00 <DIR> --d----- c:\program files\Sandboxie2009-07-28 12:53 <DIR> --d----- c:\program files\rise2009-07-27 22:21 <DIR> --d----- c:\docume~1\admini~1\applic~1\Microsoft Games2009-07-27 21:51 <DIR> --d----- c:\program files\Hamachi2009-07-25 10:53 <DIR> --d----- C:\Oplex2009-07-24 10:58 <DIR> --d----- c:\program files\Defraggler2009-07-23 20:51 <DIR> --d----- c:\program files\Curse2009-07-11 13:38 <DIR> --d----- c:\program files\DivX2009-07-10 17:14 <DIR> --d----- C:\ProgramData2009-07-10 17:14 447,752 a----r-- c:\windows\system32\vp6vfw.dll2009-07-10 17:14 <DIR> --d----- c:\program files\Microsoft WSE2009-07-10 13:20 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Azureus2009-07-10 13:20 <DIR> --d----- c:\docume~1\admini~1\applic~1\Azureus2009-07-09 19:58 <DIR> --d----- c:\program files\VideoLAN2009-07-09 15:50 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Electronic Arts2009-07-09 15:14 <DIR> --d----- c:\docume~1\admini~1\applic~1\Red Alert 32009-07-09 10:42 25 a------- c:\windows\popcinfot.dat2009-07-08 19:41 <DIR> --d----- c:\docume~1\alluse~1\applic~1\PopCap Games ==================== Find3M ==================== 2009-08-05 13:15 55,656 a------- c:\windows\system32\drivers\avgntflt.sys2009-08-03 13:36 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys2009-08-03 13:36 19,096 a------- c:\windows\system32\drivers\mbam.sys2009-08-02 16:12 25,992 a------- c:\windows\system32\pgdfgsvc.exe2009-07-27 21:51 25,280 a------- c:\windows\system32\drivers\hamachi.sys2009-07-19 18:48 11,067,392 a------- c:\windows\system32\dllcache\ieframe.dll2009-07-19 14:18 5,937,152 a------- c:\windows\system32\dllcache\mshtml.dll2009-07-11 05:59 29,776 a------- c:\windows\system32\drivers\OAnet.sys2009-07-11 05:17 24,656 a------- c:\windows\system32\drivers\OAmon.sys2009-07-11 05:17 200,784 a------- c:\windows\system32\drivers\OADriver.sys2009-07-03 18:09 915,456 a------- c:\windows\system32\wininet.dll2009-07-03 18:09 915,456 a------- c:\windows\system32\dllcache\wininet.dll2009-07-03 18:09 12,800 -------- c:\windows\system32\dllcache\xpshims.dll2009-07-03 18:09 1,208,832 a------- c:\windows\system32\dllcache\urlmon.dll2009-07-03 18:09 206,848 a------- c:\windows\system32\dllcache\occache.dll2009-07-03 18:09 594,432 a------- c:\windows\system32\dllcache\msfeeds.dll2009-07-03 18:09 55,296 a------- c:\windows\system32\dllcache\msfeedsbs.dll2009-07-03 18:09 1,985,536 a------- c:\windows\system32\dllcache\iertutil.dll2009-07-03 18:09 25,600 a------- c:\windows\system32\dllcache\jsproxy.dll2009-07-03 18:09 246,272 -------- c:\windows\system32\dllcache\ieproxy.dll2009-07-03 18:09 184,320 -------- c:\windows\system32\dllcache\iepeers.dll2009-07-03 18:09 386,048 a------- c:\windows\system32\dllcache\iedkcs32.dll2009-07-03 12:01 173,056 a------- c:\windows\system32\dllcache\ie4uinit.exe2009-06-24 18:17 767,328 a------- c:\windows\system32\kdfinj.dll2009-06-20 15:25 65,536 ac------ c:\windows\IFinst27.exe2009-06-19 14:37 46,864 a------- c:\windows\system32\drivers\TfSysMon.sys2009-06-19 14:37 33,552 a------- c:\windows\system32\drivers\TfNetMon.sys2009-06-19 14:37 51,984 a------- c:\windows\system32\drivers\TfFsMon.sys2009-06-17 13:20 12,648 a------- c:\windows\system32\drivers\psi_mf.sys2009-06-17 11:51 720,896 a------- c:\windows\iun6002.exe2009-06-16 15:36 119,808 a------- c:\windows\system32\t2embed.dll2009-06-16 15:36 81,920 a------- c:\windows\system32\fontsub.dll2009-06-16 15:36 119,808 -------- c:\windows\system32\dllcache\t2embed.dll2009-06-16 15:36 81,920 -------- c:\windows\system32\dllcache\fontsub.dll2009-06-06 20:00 249,856 -------- c:\windows\Setup1.exe2009-06-06 20:00 73,216 a------- c:\windows\ST6UNST.EXE2009-06-03 20:09 1,291,264 a------- c:\windows\system32\quartz.dll2009-06-03 20:09 1,291,264 -------- c:\windows\system32\dllcache\quartz.dll2009-06-01 17:07 46,080 a------- c:\windows\system32\cimo.sys2009-02-21 15:32 2,628 a------- c:\documents and settings\administrator\installer.bat2009-02-12 05:30 1,481,728 a------- c:\documents and settings\administrator\LegitCheckControl.dll2009-02-12 05:30 323,072 a------- c:\documents and settings\administrator\WgaTray.exe2009-02-12 05:30 190,976 a------- c:\documents and settings\administrator\WgaLogon.dll2009-05-06 21:43 16,384 a--sh--- c:\windows\system32\config\systemprofile\cookies\index.dat2009-05-06 21:43 16,384 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\index.dat2009-05-06 21:43 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\temporary internet files\content.ie5\index.dat ============= FINISH: 15:22:23,03 ===============Hope this info helped! Attach.zip Attach.zip
  10. Hello. yes i do still need help and its ok for the delay i know you have a lot of problems to solve & a life ^^
  11. ok so my computer has started to respond very slowly today. it takes like 30 seconds for it to switch windows with ALT tab when yesterday it took around 1-2 seconds at most. i have the latest hijack this logg & MBAM quick scan log here. HIJACK THIS Logfile of Trend Micro HijackThis v2.0.2Scan saved at 15:52:16, on 2009-08-02Platform: Windows XP SP3 (WinNT 5.01.2600)MSIE: Internet Explorer v8.00 (8.00.6001.18702)Boot mode: Normal Running processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\csrss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\Program Files\Tall Emu\Online Armor\OAcat.exeC:\Program Files\Tall Emu\Online Armor\oasrv.exeC:\Program Files\Avira\AntiVir Desktop\sched.exeC:\WINDOWS\Explorer.EXEC:\Program Files\Avira\AntiVir Desktop\avguard.exeC:\Program Files\Tall Emu\Online Armor\OAui.exeC:\Program Files\Sandboxie\SbieSvc.exeC:\Program Files\ThreatFire\TFTray.exeC:\Program Files\ThreatFire\TFService.exeC:\Program Files\Avira\AntiVir Desktop\avgnt.exeC:\Program Files\Sandboxie\SbieCtrl.exeC:\Program Files\Tall Emu\Online Armor\OAhlp.exeC:\WINDOWS\System32\alg.exeC:\Program Files\Sandboxie\SandboxieRpcSs.exeC:\Program Files\Sandboxie\SandboxieDcomLaunch.exeC:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Malwarebytes' Anti-Malware\mbam.exeC:\WINDOWS\system32\wuauclt.exeC:\Program Files\Trend Micro\HijackThis\HijackThis.exeC:\WINDOWS\system32\wbem\wmiprvse.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.garena.com/portal/R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Extreme Seven 2009 UltimateO2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dllO2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dllO3 - Toolbar: StylerToolBar - {D2F8F919-690B-4EA2-9FA7-A203D1E04F75} - C:\Program Files\ESAP 3\Windows 7 - Styler\TB\StylerTB.dllO4 - HKLM\..\Run: [iMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNCO4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNCO4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMENameO4 - HKLM\..\Run: [@OnlineArmor GUI] "C:\Program Files\Tall Emu\Online Armor\OAui.exe"O4 - HKLM\..\Run: [ThreatFire] C:\Program Files\ThreatFire\TFTray.exeO4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /minO4 - HKCU\..\Run: [sandboxieControl] "C:\Program Files\Sandboxie\SbieCtrl.exe"O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')O4 - HKUS\S-1-5-20\..\Run: [styler] C:\Program Files\ESAP 3\Windows 7 - Styler\Styler.exe (User 'NETWORK SERVICE')O4 - HKUS\S-1-5-20\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'NETWORK SERVICE')O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exeO9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exeO9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab56986.cabO16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cabO16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cabO16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cabO17 - HKLM\System\CCS\Services\Tcpip\..\{47FCC92C-B442-4704-B678-11F8AE118855}: NameServer = 208.67.222.222,208.67.220.220O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLLO20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dllO23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exeO23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exeO23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS\system32\GameMon.des.exe (file missing)O23 - Service: Online Armor Helper Service (OAcat) - Tall Emu - C:\Program Files\Tall Emu\Online Armor\OAcat.exeO23 - Service: Sandboxie Service (SbieSvc) - tzuk - C:\Program Files\Sandboxie\SbieSvc.exeO23 - Service: Online Armor (SvcOnlineArmor) - Tall Emu - C:\Program Files\Tall Emu\Online Armor\oasrv.exeO23 - Service: ThreatFire - PC Tools - C:\Program Files\ThreatFire\TFService.exe --End of file - 6231 bytesMBAM Malwarebytes' Anti-Malware 1.39Database version: 2546Windows 5.1.2600 Service Pack 3 2009-08-02 16:09:18mbam-log-2009-08-02 (16-09-18).txt Scan type: Quick ScanObjects scanned: 82599Time elapsed: 9 minute(s), 6 second(s) Memory Processes Infected: 0Memory Modules Infected: 0Registry Keys Infected: 0Registry Values Infected: 0Registry Data Items Infected: 0Folders Infected: 0Files Infected: 0 Memory Processes Infected:(No malicious items detected) Memory Modules Infected:(No malicious items detected) Registry Keys Infected:(No malicious items detected) Registry Values Infected:(No malicious items detected) Registry Data Items Infected:(No malicious items detected) Folders Infected:(No malicious items detected) Files Infected:(No malicious items detected)
  12. You need a Swedish translator?
  13. I have also been wanting this suggestion ^^
  14. Ok its fixed they ain't detected anymore ^^
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.