HexeFroschbein
Members
  • Posts: 14
  • Joined
  • Last visited
Reputation: 0 Neutral
  1. Seems to all be gone, the balloon hasn't come back since I changed the settings, and everything appears to work just nicely now. So I think (hope) that you have cured my box! Many thanks, Hexe
  2. This log file is located at C:\rkill.log. Please post this only if requested to by the person helping you. Otherwise you can close this log when you wish.
     Ran as Gabriela on 05/20/2010 at 14:42:48.
     Processes terminated by Rkill or while it was running:
     C:\Documents and Settings\Gabriela\Desktop\rkill.exe
     Rkill completed on 05/20/2010 at 14:42:52.
  3. I was just told that the found backdoor virus is a known false positive.
  4. --------------------------------------------------------------------------------
     KASPERSKY ONLINE SCANNER 7.0: scan report
     Wednesday, May 19, 2010
     Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)
     Kaspersky Online Scanner version: 7.0.26.13
     Last database update: Wednesday, May 19, 2010 15:03:13
     Records in database: 4134826
     --------------------------------------------------------------------------------
     Scan settings:
     scan using the following database: extended
     Scan archives: yes
     Scan e-mail databases: yes
     Scan area - My Computer:
     C:\
     D:\
     Scan statistics:
     Objects scanned: 148680
     Threats found: 1
     Infected objects found: 1
     Suspicious objects found: 0
     Scan duration: 03:19:34
     File name / Threat / Threats count
     C:\Documents and Settings\Gabriela\Local Settings\Application Data\Xenocode\ApplianceCaches\HoldemManager.exe_v7BC20518\Native\STUBEXE\@PROGRAMFILES@\RVG Software\Holdem Manager\DBControlPanel.exe / Infected: Backdoor.Win32.Poison.awex / 1
     Selected area has been scanned.
  5. Because:
     1) I've only ever seen this balloon and icon in conjunction with the Windows Security Center scam on another machine about two years ago, and now on my machine when it was infected. I've had this laptop for 3 years now without a firewall of its own (that is taken care of elsewhere) and never had any nag balloon turn up once. Nor has this balloon or its icon ever turned up again on the other machine after MBAM cleaned it.
     2) Clicking on the balloon (by mistake, since it jumps as other icons are loaded and it's easy to miss the closing cross) brought up the 'scam show' in Firefox. I haven't tried clicking it again since, because I assumed that this is an integral part of the scam.
     3) All other balloons that nag me (low battery, update programs etc.) tend to stay up until closed; they don't vanish of their own accord, since they are meant to inform, not to confuse, and for most users the short notice would cause stress and not be helpful. Since the scam trades on scaring people, I just assumed this to be another trick.
     4) One of the virus cleaners removed 3 registry keys associated with the scam. Given that a number of other cleaner programs missed them, I didn't trust the removal to be complete, and since the balloon stayed around afterwards, I assumed the laptop was still infected.
     Update: I've now decided to risk clicking on it, and it seems to be a legit program (I had the entire thing down as a pure scam, including wscntfy.exe), so I guess the scam turned the settings on and then piggy-backed on top of that, and of course the sloppy UI design mentioned in point 3 does not help either. I turned off the settings, and wscntfy.exe has now gone, and so has the icon. Many thanks for your patient help, and sorry for the balloon confusion. I'm not paranoid, but I have proof they are out to get me ;-) Hexe
  6. Hi, The balloon turns up after reboot and only then. There are two versions: first one is displayed, then the other. When the taskbar hides, the balloons go away, but the icon stays in the tray. Clicking on them used to start up the Firefox hijack where it tries to look like legit software, but I haven't clicked on it since we started to fix it. Cheers, Hexe
     Attachments: balloon1.bmp, balloon2.bmp
  7. Hi, I attached the files; it seems that AVZ didn't find anything, however the pesky balloon is still there. Did you want the incurable file that the previous software found? Many thanks, Hexe
     Attachments: virusinfo_syscure.zip, virusinfo_syscheck.zip
  8. Hi, The report goes as follows:
     winvnc.exe;c:\program files\tightvnc;Program.WinVnc;;
     DL.exe;C:\Program Files\Dark Legacy Client;BackDoor.Pahac.origin;Incurable.Moved.;
     WinVNC.exe;C:\Program Files\TightVNC;Program.WinVnc;Moved.;
     A0120737.ocx;C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1002;Adware.Gdown;Moved.;
     A0121773.exe;C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1005;BackDoor.Pahac.origin;Incurable.Moved.;
     A0121774.exe;C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1005;Program.WinVnc;Moved.;
     The solicitation balloon is still there. I thought this was part of the virus (since it only popped up after the attack, never seen it before), but I'm not so sure now. Thanks, Hexe
  9. Hi Borislav, ESET found 8 threats which it identified as variants of the Windows Security trojan (I didn't write it down, expecting a log file to be written, but it was something to that effect) and they are still preserved in the quarantine directory. ESET however didn't leave a log.txt file. The solicitation balloon is still present after reboot, and so is wscntfy.exe. Hexe
  10. Unfortunately not, the solicitation balloon in the Windows menu bar is still there, and so is wscntfy.exe, after a reboot.
  11. Hi Borislav, here are the 2 logs, greetings, Hexe
      JavaRa 1.15 Removal Log.
      Report follows after line.
      ------------------------------------
      The JavaRa removal process was started on Thu May 13 20:39:15 2010
      Found and removed: C:\Documents and Settings\Gabriela\Application Data\Sun\Java\jre1.6.0_13
      Found and removed: C:\Documents and Settings\Gabriela\Application Data\Sun\Java\jre1.6.0_14
      Found and removed: Software\JavaSoft\Java2D\1.5.0_06
      Found and removed: Software\JavaSoft\Java2D\1.5.0_09
      Found and removed: Software\JavaSoft\Java2D\1.5.0_11
      Found and removed: SOFTWARE\Classes\JavaPlugin.150_06
      Found and removed: SOFTWARE\Classes\JavaPlugin.150_09
      Found and removed: SOFTWARE\Classes\JavaWebStart.isInstalled.1.5.0.0
      Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\8A0F841731866D117AB7000B0D410203
      Found and removed: SOFTWARE\Classes\JavaPlugin.142_03
      Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\\C:\Program Files\Java\jre1.6.0_03\
      ------------------------------------
      Finished reporting.
      ComboFix 10-05-13.01 - Gabriela 05/13/2010 21:01:20.1.2 - x86
      Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.476 [GMT 1:00]
      Running from: c:\documents and settings\Gabriela\Desktop\Combo-Fix.exe
      FW: *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
      Completion time: 2010-05-13 21:09:27
  12. Hi Borislav, Here are the 3 logs you asked for:
      Malwarebytes' Anti-Malware 1.46
      www.malwarebytes.org
      Database version: 4094
      Windows 5.1.2600 Service Pack 3
      Internet Explorer 8.0.6001.18702
      05/12/2010 9:54:05 PM
      mbam-log-2010-05-12 (21-54-05).txt
      Scan type: Quick scan
      Objects scanned: 147711
      Time elapsed: 18 minute(s), 51 second(s)
      Memory Processes Infected: 0
      Memory Modules Infected: 0
      Registry Keys Infected: 0
      Registry Values Infected: 0
      Registry Data Items Infected: 0
      Folders Infected: 0
      Files Infected: 0
      Memory Processes Infected: (No malicious items detected)
      Memory Modules Infected: (No malicious items detected)
      Registry Keys Infected: (No malicious items detected)
      Registry Values Infected: (No malicious items detected)
      Registry Data Items Infected: (No malicious items detected)
      Folders Infected: (No malicious items detected)
      Files Infected: (No malicious items detected)
      GMER 1.0.15.15281 - http://www.gmer.net
      Rootkit scan 2010-05-13 13:12:38
      Windows 5.1.2600 Service Pack 3
      Running: gmer.exe; Driver: C:\DOCUME~1\Gabriela\LOCALS~1\Temp\pwdyipog.sys
      ---- Devices - GMER 1.0.15 ----
      AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
      AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
      Device \FileSystem\Fastfat \Fat A8D72D20
      ---- EOF - GMER 1.0.15 ----
      -------------------------------------------------------------------------
      UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG. IF REQUESTED, ZIP IT UP & ATTACH IT
      DDS (Ver_10-03-17.01)
      Microsoft Windows XP Professional
      Boot Device: \Device\HarddiskVolume2
      Install Date: 03/21/2006 3:30:47 PM
      System Uptime: 05/13/2010 7:00:22 AM (6 hours ago)
      Motherboard: Dell Inc. | |
      Processor: Genuine Intel® CPU T2300 @ 1.66GHz | Microprocessor | 1664/133mhz
      ==== Disk Partitions =========================
      C: is FIXED (NTFS) - 50 GiB total, 3.686 GiB free.
      D: is CDROM ()
      ==== End Of File ===========================
  13. Hi Borislav, thank you very much for your help! I got as far as completing step 1, however in step 2 there are problems. RootRepeal crashes, with a message that says: "Windows Version: Windows Exception code 0xc0000005" Is there anything I can do to get the program to complete? Thanks, Hexe
  14. Hi, I was using Stumble to surf when my laptop was taken over by the Windows Security Alert -- taking me to a number of sites and putting on a sophisticated show inside the tab, looking very much like an official Microsoft anti-virus program that had found something dangerous. See the attached picture for the addies. I had encountered this scam before about a year ago on someone else's computer and the Malwarebytes application removed it. This time, I updated my copy of Malwarebytes, ran it, and it found 3 bad registry entries, but after removing them, "wscntfy.exe" (which I suspect is a part of the problem) keeps coming back if I kill it, and it's bugging me with an icon in the tray that keeps hassling me about there not being a firewall, inviting me to click on it. Suspending the program only works for a limited time, and it's not possible to remove the icon either -- it always comes back. I've used adblock to stop the sites from being accessed, as it repeated that trick of opening a tab in Firefox and looking like an app about 20 minutes after the first attack, so I'm not sure if it's still active. I downloaded the Avira program as well, and it also cannot find the problem. I can see that there are 2 other people being helped currently with similar-looking issues; should I just wait and then follow the instructions they got, or wait a while until the program has an update that squishes the problem?
many thanks for any advice, Hexe Froschbein

The GMER application crashes, but here is the Defogger log:

DDS (Ver_10-03-17.01) - NTFSx86
Run by Gabriela at 22:27:26.93 on 05/11/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_15
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.317 [GMT 1:00]

AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
FW: *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
svchost.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
svchost.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Broadcom\BACS\BacsTray.exe
c:\Program Files\Microsoft IntelliType Pro\dpupdchk.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\NetWaiting\netWaiting.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\ScanSoft\NaturallySpeaking8\Program\natspeak.exe
C:\DOCUMENTS AND SETTINGS\GABRIELA\MY DOCUMENTS\DOWNLOADED STUFF\PROCESSEXPLORER\PROCEXP.EXE
C:\WINDOWS\system32\dllhost.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Java\jre6\bin\jucheck.exe
C:\Documents and Settings\Gabriela\Desktop\Defogger.exe
C:\Documents and Settings\Gabriela\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = hxxp://www1.euro.dell.com/content/default.aspx?c=uk&l=en&s=gen
uInternet Settings,ProxyOverride = *.local
mSearchAssistant = hxxp://www.google.com/ie
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [ModemOnHold] c:\program files\netwaiting\netWaiting.exe
uRun: [DellSupport] "c:\program files\dell support\DSAgnt.exe" /startup
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [sigmatelSysTrayApp] stsystra.exe
mRun: [synTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [showLOMControl] 1 (0x1)
mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
mRun: [iSUSPM Startup] "c:\program files\common files\installshield\updateservice\isuspm.exe" -startup
mRun: [iSUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [MSKDetectorExe] c:\program files\mcafee\spamkiller\MSKDetct.exe /uninstall
mRun: [sSBkgdUpdate] c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe -Embedding -boot
mRun: [intelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"
mRun: [intelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
mRun: [itype] "c:\program files\microsoft intellitype pro\itype.exe"
mRun: [WinVNC] "c:\program files\tightvnc\WinVNC.exe" -servicehelper
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [sunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [bacstray] c:\program files\broadcom\bacs\BacsTray.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRunOnce: [RunNarrator] Narrator.exe
StartupFolder: c:\docume~1\gabriela\startm~1\programs\startup\dragon~1.lnk - c:\program files\scansoft\naturallyspeaking8\program\natspeak.exe
StartupFolder: c:\docume~1\gabriela\startm~1\programs\startup\foldin~1.lnk - c:\documents and settings\gabriela\application data\microsoft\installer\{87c85d28-0633-453d-8d29-98c3a1043f6c}\_40568C262FE03EB186D64D.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
IE: {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - c:\program files\empirepokermaster\empirepoker\RunEPoker.exe
IE: {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\partygaming\partypoker\RunApp.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
Trusted Zone: tesco.com\secure
Trusted Zone: tesco.com\www
DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} - hxxp://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
IFEO: taskmgr.exe - "c:\documents and settings\gabriela\my documents\downloaded stuff\processexplorer\PROCEXP.EXE"

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\gabriela\applic~1\mozilla\firefox\profiles\x4f91juh.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Web Search: FLYLADY
FF - prefs.js: browser.startup.homepage - hxxp://www.rememberthemilk.com/home/gabriela.gibson/#section.overview
FF - component: c:\documents and settings\gabriela\application data\mozilla\firefox\profiles\x4f91juh.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2010-5-11 11608]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2010-5-11 135336]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2010-5-11 267432]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2010-5-11 60936]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 pgsql-8.3;PostgreSQL Database Server 8.3;c:\program files\postgresql\8.3\bin\pg_ctl.exe [2009-3-13 65536]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2005-8-2 32512]

=============== Created Last 30 ================

2010-05-11 21:26:00 0 ----a-w- c:\documents and settings\gabriela\defogger_reenable
2010-05-11 10:46:55 60936 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-05-11 10:46:44 0 d-----w- c:\program files\Avira
2010-05-11 10:46:44 0 d-----w- c:\docume~1\alluse~1\applic~1\Avira
2010-05-11 08:29:34 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-05-11 08:29:33 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-05-11 08:29:33 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-11 08:26:10 0 d-----w- c:\documents and settings\all users\Uniblue
2010-04-20 09:33:28 1899 ----a-w- c:\documents and settings\gabriela\.recently-used.xbel
2010-04-18 17:46:06 0 d-----w- c:\program files\TableNinja
2010-04-17 15:22:19 0 d-----w- c:\program files\Freeciv-2.2.0-gtk2
2010-04-16 17:37:19 0 d-----w- c:\docume~1\gabriela\applic~1\Uniblue

==================== Find3M ====================

2010-03-14 17:31:34 253952 ------w- c:\windows\Setup1.exe
2010-03-14 17:31:22 74752 ----a-w- c:\windows\ST6UNST.EXE
2010-03-10 06:15:52 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-03-10 06:15:52 420352 ----a-w- c:\windows\system32\dllcache\vbscript.dll
2010-02-25 10:54:36 11070976 ------w- c:\windows\system32\dllcache\ieframe.dll
2010-02-24 13:11:07 455680 ------w- c:\windows\system32\dllcache\mrxsmb.sys
2010-02-24 09:54:25 173056 ------w- c:\windows\system32\dllcache\ie4uinit.exe
2010-02-17 08:10:28 2189952 ------w- c:\windows\system32\dllcache\ntoskrnl.exe
2010-02-16 14:08:49 2146304 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 14:08:49 2146304 ------w- c:\windows\system32\dllcache\ntkrnlmp.exe
2010-02-16 13:25:04 2066816 ------w- c:\windows\system32\dllcache\ntkrnlpa.exe
2010-02-16 13:25:04 2024448 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-16 13:25:04 2024448 ------w- c:\windows\system32\dllcache\ntkrpamp.exe
2010-02-12 10:03:03 293376 ------w- c:\windows\system32\browserchoice.exe
2010-02-12 04:33:11 100864 ----a-w- c:\windows\system32\6to4svc.dll
2010-02-12 04:33:11 100864 ------w- c:\windows\system32\dllcache\6to4svc.dll
2010-02-11 12:02:15 226880 ------w- c:\windows\system32\dllcache\tcpip6.sys
2006-06-24 09:55:43 56 -csh--r- c:\windows\system32\CE7EC49839.sys
2006-06-14 20:19:55 56 -csh--r- c:\windows\system32\EDFA114173.sys
2006-06-24 09:55:46 6060 -csha-w- c:\windows\system32\KGyGaAvL.sys
2008-10-14 14:35:06 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008101420081015\index.dat

============= FINISH: 22:28:38.83 ===============