
uacinit.dll



I can see there have been a few people on here asking about this already. Same old story - started as a different infection and everything was removed by MBAM and Avira, except uacinit.dll which MBAM says needs to be removed by rebooting. I reboot and MBAM quarantines it, but a new copy is still in my system32 folder.

Usually my MBAM log would say "-> delete on reboot" at the end, but last time my whole PC froze up so I just told it to cancel this time and give me the log.

MBAM log:

Malwarebytes' Anti-Malware 1.36

Database version: 2175

Windows 5.1.2600 Service Pack 3

24/05/2009 22:02:31

mbam-log-2009-05-24 (22-02-30).txt

Scan type: Quick Scan

Objects scanned: 87322

Time elapsed: 1 minute(s), 21 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> No action taken.

HijackThis Log:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 21:54:50, on 24/05/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16705)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

E:\Program Files\Avira\AntiVir Desktop\sched.exe

E:\Program Files\Avira\AntiVir Desktop\avguard.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\WINDOWS\system32\cisvc.exe

E:\Program Files\Cisco Systems\VPN Client\cvpnd.exe

E:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\PnkBstrA.exe

C:\WINDOWS\system32\PnkBstrB.exe

C:\PROGRA~1\AVG\AVG8\avgrsx.exe

C:\PROGRA~1\AVG\AVG8\avgnsx.exe

C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

C:\WINDOWS\System32\svchost.exe

E:\Program Files\Linksys\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe

C:\PROGRA~1\AVG\AVG8\avgemc.exe

E:\Program Files\Linksys\Compact Wireless-G USB Adapter Wireless Network Monitor\WUSB54GC.exe

C:\Program Files\AVG\AVG8\avgcsrvx.exe

C:\WINDOWS\RTHDCPL.EXE

C:\WINDOWS\system32\rundll32.exe

C:\PROGRA~1\AVG\AVG8\avgtray.exe

E:\Program Files\iTunesHelper.exe

E:\Program Files\Razer\Copperhead\razerhid.exe

C:\WINDOWS\system32\RUNDLL32.EXE

E:\Program Files\Avira\AntiVir Desktop\avgnt.exe

C:\WINDOWS\system32\ctfmon.exe

E:\Program Files\Razer\Copperhead\razertra.exe

E:\Program Files\Razer\Copperhead\razerofa.exe

C:\program files\valve\steam\steam.exe

C:\Documents and Settings\Jon\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

E:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

E:\Program Files\Launchy\Launchy.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Documents and Settings\Jon\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

C:\Documents and Settings\Jon\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

C:\Documents and Settings\Jon\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe

C:\WINDOWS\system32\cidaemon.exe

C:\Documents and Settings\Jon\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

C:\Documents and Settings\Jon\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

E:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - E:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll

O2 - BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - E:\Program Files\Java\jre6\bin\ssv.dll

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - E:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - E:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O2 - BHO: WinAVI FLVSense - {E8DF67A1-B618-4F3F-9E7C-CBE175ADEF5B} - C:\Program Files\WinAVI FLV Converter\FLVTune.dll

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE

O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE

O4 - HKLM\..\Run: [JMB36X IDE Setup] C:\WINDOWS\RaidTool\xInsIDE.exe

O4 - HKLM\..\Run: [36X Raid Configurer] C:\WINDOWS\system32\xRaidSetup.exe boot

O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe

O4 - HKLM\..\Run: [iTunesHelper] "E:\Program Files\iTunesHelper.exe"

O4 - HKLM\..\Run: [Copperhead] E:\Program Files\Razer\Copperhead\razerhid.exe

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [avgnt] "E:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear

O4 - HKCU\..\Run: [steam] "c:\program files\valve\steam\steam.exe" -silent

O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Jon\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c

O4 - HKCU\..\Run: [spybotSD TeaTimer] E:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

O4 - Global Startup: Launchy.lnk = E:\Program Files\Launchy\Launchy.exe

O4 - Global Startup: VPN Client.lnk = ?

O8 - Extra context menu item: &Download FLV by WinAVI... - C:\Program Files\WinAVI FLV Converter\flv_link.htm

O8 - Extra context menu item: &Save Flash In This Page by Flash Saver - C:\PROGRA~1\FLASHS~1\save.htm

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000

O9 - Extra button: Flash Saver - {09EA1F80-F40A-11D1-B792-444553540001} - C:\PROGRA~1\FLASHS~1\save.htm

O9 - Extra 'Tools' menuitem: Flash Saver - {09EA1F80-F40A-11D1-B792-444553540001} - C:\PROGRA~1\FLASHS~1\save.htm

O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll

O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL

O9 - Extra button: WinAVI FLV Manager - {DE365254-2F9B-4908-9E3A-7AAA6EC90BCC} - C:\Program Files\WinAVI FLV Converter\FLVTune.dll

O9 - Extra 'Tools' menuitem: WinAVI FLV Manager - {DE365254-2F9B-4908-9E3A-7AAA6EC90BCC} - C:\Program Files\WinAVI FLV Converter\FLVTune.dll

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - E:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - E:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe

O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/200612...ex/qtplugin.cab

O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab

O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab56986.cab

O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-GB/a-UNO1/GAME_UNO1.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1173299342609

O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab

O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab56986.cab

O16 - DPF: {F8C5C0F1-D884-43EB-A5A0-9E1C4A102FA8} (GoPetsWeb Control) - https://secure.gopetslive.com/dev/GoPetsWeb.cab

O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll

O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O20 - Winlogon Notify: !SASWinLogon - E:\Program Files\SUPERAntiSpyware\SASWINLO.dll

O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll

O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - E:\Program Files\Avira\AntiVir Desktop\sched.exe

O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - E:\Program Files\Avira\AntiVir Desktop\avguard.exe

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe

O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: Cisco Systems, Inc. Installer service (CiscoVpnInstallService) - Unknown owner - C:\DOCUME~1\Jon\LOCALS~1\Temp\WZSE0.TMP\INSTAL~1.EXE (file missing)

O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - E:\Program Files\Cisco Systems\VPN Client\cvpnd.exe

O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - E:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe

O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - E:\Program Files\WinPcap\rpcapd.exe (file missing)

O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

O23 - Service: WUSB54GCSVC - GEMTEKS - E:\Program Files\Linksys\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe

--

End of file - 12028 bytes

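A small triage helper for log lines in the HijackThis format posted above, added here as an example; it is not part of the thread and not code from HijackThis, MBAM or ComboFix. The sample lines are copied from the log above, and the UAC* file-name check is modelled on the names that appear in this thread's logs (the assumption that the random part varies in length is mine).

```python
"""Triage helper for HijackThis-format log lines (added example; not from the thread)."""
import re
from pathlib import PureWindowsPath

# One HijackThis entry: a section code such as O2/O4/O23, " - ", then the body.
HJT_LINE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.*)$")
# Any file-name token worth inspecting inside the body.
FILE_TOKEN = re.compile(r"[\w~-]+\.(?:dll|exe|sys|log|dat)\b", re.IGNORECASE)
# Naming seen in this thread's ComboFix deletions: "UAC" + a long run of lowercase
# letters (15 in the posted log) + dll/sys/log/dat. Assumption: the length may vary.
UAC_RANDOM = re.compile(r"^uac[a-z]{12,}\.(?:dll|sys|log|dat)$", re.IGNORECASE)
# Fixed names that also appear in the thread's logs.
UAC_FIXED = {"uacinit.dll", "uacd.sys"}


def looks_like_uac_dropper(path: str) -> bool:
    """True if the file name matches the UAC* naming seen in this thread."""
    name = PureWindowsPath(path).name
    return name.lower() in UAC_FIXED or UAC_RANDOM.match(name) is not None


def triage_line(line: str) -> list[str]:
    """Return the reasons (possibly none) a single HijackThis line deserves a look."""
    m = HJT_LINE.match(line.strip())
    if not m:
        return []
    code, body = m.group("code"), m.group("body")
    low = body.lower()
    reasons = []
    if "(no file)" in low or "(file missing)" in low:
        reasons.append("orphaned entry: referenced file is missing")
    if code == "O23" and "unknown owner" in low:
        reasons.append("service without publisher information")
    if "\\temp\\" in low:
        reasons.append("executable located under a Temp directory")
    for token in FILE_TOKEN.findall(body):
        if looks_like_uac_dropper(token):
            reasons.append(f"file name matches UAC* pattern: {token}")
    return reasons


def triage(lines: list[str]) -> list[dict]:
    """Run triage_line over a whole log; keep only lines with at least one reason."""
    out = []
    for line in lines:
        reasons = triage_line(line)
        if reasons:
            out.append({"code": HJT_LINE.match(line.strip()).group("code"),
                        "reasons": reasons, "line": line.strip()})
    return out


# Constructed sample: lines copied from the HijackThis log posted above.
SAMPLE_LOG = [
    r"O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll",
    r"O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)",
    r'O4 - HKLM\..\Run: [avgnt] "E:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min',
    r"O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll",
    r"O23 - Service: Cisco Systems, Inc. Installer service (CiscoVpnInstallService) - Unknown owner - C:\DOCUME~1\Jon\LOCALS~1\Temp\WZSE0.TMP\INSTAL~1.EXE (file missing)",
    r"O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - E:\Program Files\WinPcap\rpcapd.exe (file missing)",
    r"O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe",
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG):
        print(hit["code"], "|", "; ".join(hit["reasons"]))
        print("   ", hit["line"])
```

The flags are prompts for a human reviewer, not verdicts: the orphaned Cisco installer service and the missing WinPcap service in the log above are leftovers rather than infections, which is exactly why a helper still reads the whole log.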

Hello and Welcome to forums!

My name is Bio-Hazard and I will be helping you to remove any infection(s) that you may have.

Please observe these rules while we work:

  • I will be working on your Malware issues; this may or may not solve other issues you have with your machine.
  • The fixes are specific to your problem and should only be used for this issue on this machine.
  • If you don't know or understand something, please don't hesitate to ask.
  • Please DO NOT run any other tools or scans whilst I am helping you.
  • It is important that you reply to this thread. Do not start a new topic.
  • Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
  • Absence of symptoms does not mean that everything is clear.

No Reply Within 5 Days Will Result In Your Topic Being Closed!!

Download and Run ComboFix

Download ComboFix from one of these locations:

Link 1

Link 2

Link 3

Here you can find a tutorial about Combofix: HOW TO USE COMBOFIX

  • You must download it to and run it from your Desktop.
  • ComboFix SHOULD NOT be used unless requested by a forum helper.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix. A guide to do this can be found HERE.
  • Double click on ComboFix.exe and follow the prompts.
    • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
    • If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
    • Do not mouseclick ComboFix's window whilst it's running. That may cause it to stall.
    • ComboFix should never take more than 20 minutes including the reboot if malware is detected.

IMPORTANT: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own.

This tool is not a toy and not for everyday use.

Next Reply

Please reply with:

  • ComboFix log (found at C:\Combofix.txt)
  • New HijackThis log

Hi, thanks for the input! I have done as you asked.

ComboFix log:

ComboFix 09-05-26.02 - Jon 27/05/2009 1:18.1 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.3582.3103 [GMT 1:00]

Running from: c:\documents and settings\Jon\Desktop\ComboFix.exe

AV: AntiVir Desktop *On-access scanning disabled* (Outdated) {AD166499-45F9-482A-A743-FDD3350758C7}

AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

FW: ZoneAlarm Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat

c:\windows\system32\drivers\npf.sys

c:\windows\system32\drivers\UACyxdtaoehvdeatvb.sys

c:\windows\system32\Packet.dll

c:\windows\system32\pthreadVC.dll

c:\windows\system32\UACaidfjdooinujyoc.dll

c:\windows\system32\UACclvneoygutqmewy.dll

c:\windows\system32\UACeljoejtvkhasbai.log

c:\windows\system32\uacinit.dll

c:\windows\system32\UACjlcbitxwkcrdexo.dll

c:\windows\system32\UACmgrmyddwqcjsgln.dat

c:\windows\system32\UACqkkyajbaaluxbjr.log

c:\windows\system32\UACrkdmloynavdhsph.dll

c:\windows\system32\UACttuetnpxmlsjecg.dll

c:\windows\system32\UACyeqynvavipfbkhu.log

c:\windows\system32\WanPacket.dll

c:\windows\system32\wpcap.dll

----- BITS: Possible infected sites -----

hxxp://softwaredownloadcentercom.com

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Service_UACd.sys

-------\Legacy_NPF

-------\Service_NPF

((((((((((((((((((((((((( Files Created from 2009-04-27 to 2009-05-27 )))))))))))))))))))))))))))))))

.

2009-05-24 18:53 . 2009-05-24 18:53 -------- d-----w c:\documents and settings\Jon\Local Settings\Application Data\vdownloader

2009-05-24 18:53 . 2009-05-24 18:53 -------- d-----w e:\program files\VDOWNLOADER

2009-05-19 14:11 . 2009-03-30 09:33 96104 ----a-w c:\windows\system32\drivers\avipbb.sys

2009-05-19 14:11 . 2009-03-24 15:08 55640 ----a-w c:\windows\system32\drivers\avgntflt.sys

2009-05-19 14:11 . 2009-02-13 11:29 22360 ----a-w c:\windows\system32\drivers\avgntmgr.sys

2009-05-19 14:11 . 2009-02-13 11:17 45416 ----a-w c:\windows\system32\drivers\avgntdd.sys

2009-05-19 14:11 . 2009-05-19 14:11 -------- d-----w e:\program files\Avira

2009-05-19 14:11 . 2009-05-19 14:11 -------- d-----w c:\documents and settings\All Users\Application Data\Avira

2009-05-19 14:09 . 2009-05-19 14:09 -------- d-----w e:\program files\Trend Micro

2009-05-19 13:55 . 2009-04-06 14:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys

2009-05-19 13:54 . 2009-04-06 14:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys

2009-05-19 10:41 . 2009-05-19 10:41 -------- d-----w c:\documents and settings\Jon\Application Data\Malwarebytes

2009-05-19 10:25 . 2009-05-19 13:55 -------- d-----w e:\program files\Malwarebytes' Anti-Malware

2009-05-19 10:25 . 2009-05-19 10:25 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes

2009-05-19 08:17 . 2009-05-12 08:34 2051864 ----a-w c:\documents and settings\All Users\Application Data\avg8\update\backup\avgcorex.dll

2009-05-19 08:17 . 2009-05-12 08:34 354584 ----a-w c:\documents and settings\All Users\Application Data\avg8\update\backup\avgxch32.dll

2009-05-19 08:17 . 2009-05-12 08:34 3288344 ----a-w c:\documents and settings\All Users\Application Data\avg8\update\backup\setup.exe

2009-05-19 08:17 . 2009-05-12 08:34 424472 ----a-w c:\documents and settings\All Users\Application Data\avg8\update\backup\avgwdwsc.dll

2009-05-19 08:17 . 2009-05-12 08:34 312088 ----a-w c:\documents and settings\All Users\Application Data\avg8\update\backup\avglngx.dll

2009-05-19 08:17 . 2009-05-12 08:34 177432 ----a-w c:\documents and settings\All Users\Application Data\avg8\update\backup\avgmail.dll

2009-05-19 08:17 . 2009-05-12 08:34 486168 ----a-w c:\documents and settings\All Users\Application Data\avg8\update\backup\avgrsx.exe

2009-05-19 08:17 . 2009-05-12 08:34 755992 ----a-w c:\documents and settings\All Users\Application Data\avg8\update\backup\avginet.dll

2009-05-19 08:17 . 2009-05-12 08:34 1437464 ----a-w c:\documents and settings\All Users\Application Data\avg8\update\backup\avgupd.dll

2009-05-18 17:44 . 2009-05-18 17:44 -------- d-----w e:\program files\Graph

2009-05-18 10:23 . 2009-05-19 11:43 -------- d-----w e:\program files\Spybot - Search & Destroy

2009-05-17 22:46 . 2009-05-19 11:31 -------- d-----w e:\program files\Panda Security

2009-05-17 20:29 . 2009-05-17 22:21 117760 ----a-w c:\documents and settings\Jon\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL

2009-05-17 20:28 . 2009-05-17 20:28 -------- d-----w c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com

2009-05-17 20:24 . 2009-05-17 20:28 -------- d-----w e:\program files\SUPERAntiSpyware

2009-05-17 20:24 . 2009-05-17 20:24 -------- d-----w c:\documents and settings\Jon\Application Data\SUPERAntiSpyware.com

2009-05-17 16:49 . 2009-05-12 08:34 2302232 ----a-w c:\documents and settings\All Users\Application Data\avg8\update\backup\avguiadv.dll

2009-05-17 16:49 . 2009-05-12 08:34 3399960 ----a-w c:\documents and settings\All Users\Application Data\avg8\update\backup\avgui.exe

2009-04-29 21:19 . 2009-04-29 21:19 41808 ----a-w c:\windows\system32\xfcodec.dll

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-05-27 00:25 . 2009-03-27 16:45 -------- d-----w c:\documents and settings\Jon\Application Data\nView_Wallpaper

2009-05-27 00:04 . 2008-01-24 23:07 -------- d-s---w e:\program files\Xfire

2009-05-26 23:57 . 2007-03-07 22:03 -------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2009-05-26 23:37 . 2007-03-07 21:03 -------- d-----w c:\documents and settings\Jon\Application Data\Xfire

2009-05-26 21:16 . 2007-10-17 13:30 64 ----a-w c:\windows\popcinfot.dat

2009-05-26 19:34 . 2007-03-12 21:15 10254 ----a-w c:\windows\system32\Fxxplfnt.tmp

2009-05-26 16:04 . 2008-05-15 07:22 -------- d-----w e:\program files\Diablo II

2009-05-20 07:17 . 2008-12-31 00:00 -------- d-----w e:\program files\Cain

2009-05-18 17:25 . 2007-03-08 07:11 75584 ----a-w c:\documents and settings\Jon\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-05-17 20:24 . 2007-10-19 12:53 -------- d-----w c:\program files\Common Files\Wise Installation Wizard

2009-05-15 00:31 . 2007-09-30 22:17 138920 ----a-w c:\windows\system32\drivers\PnkBstrK.sys

2009-05-15 00:31 . 2007-09-30 22:16 189072 ----a-w c:\windows\system32\PnkBstrB.exe

2009-05-15 00:28 . 2008-11-13 17:56 -------- d---a-w c:\documents and settings\All Users\Application Data\TEMP

2009-05-13 18:49 . 2008-06-22 15:14 -------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help

2009-05-12 08:34 . 2008-05-05 11:35 11952 ----a-w c:\windows\system32\avgrsstx.dll

2009-05-12 08:34 . 2008-05-05 11:35 325896 ----a-w c:\windows\system32\drivers\avgldx86.sys

2009-05-12 08:34 . 2007-03-07 22:52 27784 ----a-w c:\windows\system32\drivers\avgmfx86.sys

2009-05-12 08:34 . 2008-05-05 11:35 108552 ----a-w c:\windows\system32\drivers\avgtdix.sys

2009-05-04 11:37 . 2009-03-27 10:20 8 ----a-w c:\windows\system32\nvModes.dat

2009-04-22 22:47 . 2007-04-29 12:49 -------- d-----w c:\documents and settings\Jon\Application Data\uTorrent

2009-04-21 23:20 . 2009-04-21 23:20 14311680 ----a-w c:\windows\system32\xlive.dll

2009-04-21 23:20 . 2009-04-21 23:20 13642496 ----a-w c:\windows\system32\xlivefnt.dll

2009-04-20 23:00 . 2009-04-20 23:00 -------- d-----w e:\program files\NDSROM Player

2009-04-11 02:14 . 2008-01-30 15:49 -------- d--h--w e:\program files\InstallShield Installation Information

2009-04-10 21:20 . 2009-04-10 21:20 -------- d-----w c:\documents and settings\All Users\Application Data\FLEXnet

2009-04-10 21:12 . 2007-03-09 20:11 -------- d-----w c:\program files\Common Files\Adobe

2009-04-10 21:11 . 2009-04-10 21:11 -------- d-----w e:\program files\Adobe Media Player

2009-04-10 21:07 . 2009-04-10 21:07 -------- d-----w c:\program files\Common Files\Adobe AIR

2009-04-10 21:01 . 2009-04-10 21:01 -------- d-----w c:\program files\Common Files\Macrovision Shared

2009-04-10 20:45 . 2008-04-28 15:13 -------- d-----w c:\documents and settings\All Users\Application Data\TrackMania

2009-04-09 17:53 . 2009-04-09 17:53 -------- d-----w c:\documents and settings\Jon\Application Data\Launchy

2009-04-09 17:53 . 2009-04-09 17:53 -------- d-----w e:\program files\Launchy

2009-03-31 18:30 . 2007-07-22 15:31 -------- d-----w c:\documents and settings\All Users\Application Data\nView_Profiles

2009-03-30 18:22 . 2009-03-30 18:18 34 ----a-w c:\documents and settings\Jon\jagex_runescape_preferences.dat

2009-03-29 12:19 . 2007-03-07 22:35 -------- d-----w c:\documents and settings\Jon\Application Data\Skype

2009-03-28 13:35 . 2009-03-28 13:35 -------- d-----w c:\documents and settings\All Users\Application Data\Codemasters

2009-03-28 12:48 . 2009-03-28 12:48 -------- d-----w e:\program files\OpenAL

2009-03-28 12:48 . 2007-03-27 17:18 444952 ----a-w c:\windows\system32\wrap_oal.dll

2009-03-28 12:48 . 2007-03-27 17:18 109080 ----a-w c:\windows\system32\OpenAL32.dll

2009-03-28 12:33 . 2009-03-28 12:33 -------- d-----w e:\program files\Codemasters

2009-03-27 18:08 . 2009-03-27 18:08 29696 ----a-w c:\windows\mickey32.dll

2009-03-27 18:08 . 2009-03-27 18:08 232784 ----a-w c:\windows\Matrix Code.scr

2009-03-27 18:08 . 2009-03-27 18:08 2285222 ----a-w c:\windows\Matrix Code.exe

2009-03-14 20:50 . 2009-03-14 20:50 20747 ----a-w c:\windows\system32\drivers\AegisP.sys

2009-03-06 14:22 . 2003-03-31 12:00 284160 ----a-w c:\windows\system32\pdh.dll

2009-03-05 16:44 . 2007-09-30 22:16 75064 ----a-w c:\windows\system32\PnkBstrA.exe

2009-03-03 00:18 . 2006-06-23 11:33 826368 ----a-w c:\windows\system32\wininet.dll

2009-01-31 17:59 . 2009-01-31 17:59 1112041813 ----a-w e:\program files\MSSetup.exe

2008-10-01 17:57 . 2008-10-01 17:57 289576 ----a-w e:\program files\iTunesHelper.exe

2008-10-01 17:57 . 2008-10-01 17:57 283136 ----a-w e:\program files\iTunesOutlookAddIn.dll

2008-10-01 17:57 . 2008-10-01 17:57 172544 ----a-w e:\program files\iTunesPhotoSupport.dll

2008-10-01 17:57 . 2008-10-01 17:57 132392 ----a-w e:\program files\iTunesMiniPlayer.dll

2008-10-01 17:57 . 2008-10-01 17:57 108328 ----a-w e:\program files\iTunesAdmin.dll

2008-10-01 17:57 . 2008-10-01 17:57 14258472 ----a-w e:\program files\iTunes.exe

2008-10-01 17:57 . 2008-10-01 17:57 111912 ----a-w e:\program files\ITDetector.ocx

2008-10-01 17:57 . 2008-10-01 17:57 643072 ----a-w e:\program files\iPodUpdaterExt.dll

2008-10-01 17:57 . 2008-10-01 17:57 438272 ----a-w e:\program files\CDDBControlApple.dll

2008-10-01 17:56 . 2008-10-01 17:56 8356 ----a-w e:\program files\Acknowledgements.rtf

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

"NVIDIA nTune"="c:\program files\NVIDIA Corporation\nTune\nTuneCmd.exe" [2007-09-04 81920]

"Steam"="c:\program files\valve\steam\steam.exe" [2009-05-19 1217784]

"Google Update"="c:\documents and settings\Jon\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-09-02 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-02-18 13680640]

"JMB36X IDE Setup"="c:\windows\RaidTool\xInsIDE.exe" [2007-03-20 36864]

"36X Raid Configurer"="c:\windows\system32\xRaidSetup.exe" [2007-05-25 1953792]

"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-05-12 1947928]

"iTunesHelper"="e:\program files\iTunesHelper.exe" [2008-10-01 289576]

"Copperhead"="e:\program files\Razer\Copperhead\razerhid.exe" [2005-11-25 155648]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-02-18 86016]

"avgnt"="e:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]

"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2009-02-18 1657376]

"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2007-07-05 16380416]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Launchy.lnk - e:\program files\Launchy\Launchy.exe [2009-4-9 286720]

VPN Client.lnk - c:\windows\Installer\{4C271126-C295-4828-A901-5910AE0C258B}\Icon3E5562ED7.ico [2009-1-2 6144]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"NoSMHelp"= 01000000

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "e:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2008-12-22 11:05 356352 ----a-w e:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]

2009-05-12 08:34 11952 ----a-w c:\windows\system32\avgrsstx.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk

backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Synchronizer.lnk

backup=c:\windows\pss\Adobe Reader Synchronizer.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AutoUpdate Monitor.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\AutoUpdate Monitor.lnk

backup=c:\windows\pss\AutoUpdate Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Run Google Web Accelerator.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Run Google Web Accelerator.lnk

backup=c:\windows\pss\Run Google Web Accelerator.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Jon^Start Menu^Programs^Startup^Folding@Home 5.03.lnk]

path=c:\documents and settings\Jon\Start Menu\Programs\Startup\Folding@Home 5.03.lnk

backup=c:\windows\pss\Folding@Home 5.03.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Jon^Start Menu^Programs^Startup^hamachi.lnk]

path=c:\documents and settings\Jon\Start Menu\Programs\Startup\hamachi.lnk

backup=c:\windows\pss\hamachi.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Jon^Start Menu^Programs^Startup^Microsoft Office Groove.lnk]

path=c:\documents and settings\Jon\Start Menu\Programs\Startup\Microsoft Office Groove.lnk

backup=c:\windows\pss\Microsoft Office Groove.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Jon^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]

path=c:\documents and settings\Jon\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk

backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Jon^Start Menu^Programs^Startup^OpenOffice.org 2.1.lnk]

path=c:\documents and settings\Jon\Start Menu\Programs\Startup\OpenOffice.org 2.1.lnk

backup=c:\windows\pss\OpenOffice.org 2.1.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Jon^Start Menu^Programs^Startup^OpenOffice.org 2.2.lnk]

path=c:\documents and settings\Jon\Start Menu\Programs\Startup\OpenOffice.org 2.2.lnk

backup=c:\windows\pss\OpenOffice.org 2.2.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Jon^Start Menu^Programs^Startup^RAR Password Cracker.lnk]

path=c:\documents and settings\Jon\Start Menu\Programs\Startup\RAR Password Cracker.lnk

backup=c:\windows\pss\RAR Password Cracker.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"vsmon"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusDisableNotify"=dword:00000001

"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\THQ\\Gas Powered Games\\Supreme Commander\\bin\\SupremeCommander.exe"=

"c:\\Program Files\\THQ\\Gas Powered Games\\GPGNet\\GPG.Multiplayer.Client.exe"=

"c:\\Program Files\\EA Games\\Battlefield 2\\BF2.exe"=

"e:\\Programs\\utorrent.exe"=

"c:\\Program Files\\Sierra Entertainment\\World in Conflict\\wic.exe"=

"c:\\Program Files\\Sierra Entertainment\\World in Conflict\\wic_online.exe"=

"c:\\Program Files\\Sierra Entertainment\\World in Conflict\\wic_ds.exe"=

"c:\\WINDOWS\\system32\\PnkBstrA.exe"=

"c:\\WINDOWS\\system32\\PnkBstrB.exe"=

"c:\\Program Files\\id Software\\Enemy Territory - QUAKE Wars\\etqwded.exe"=

"c:\\Program Files\\id Software\\Enemy Territory - QUAKE Wars\\etqw.exe"=

"c:\\Program Files\\Electronic Arts\\Crytek\\Crysis\\Bin32\\Crysis.exe"=

"c:\\Program Files\\Electronic Arts\\Crytek\\Crysis\\Bin32\\CrysisDedicatedServer.exe"=

"c:\\Program Files\\Empire Interactive\\Strangelite\\Starship Troopers\\STGame.exe"=

"c:\\Program Files\\Unreal Tournament 3\\Binaries\\UT3.exe"=

"c:\\Program Files\\Stardock Games\\Sins of a Solar Empire\\Sins of a Solar Empire.exe"=

"c:\\Program Files\\ICQ6\\ICQ.exe"=

"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=

"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=

"c:\\Program Files\\MSN Messenger\\livecall.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"e:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=

"e:\\Program Files\\iTunes.exe"=

"e:\\Program Files\\Activision\\Call of Duty - World at War\\CoDWaW.exe"=

"e:\\Program Files\\Activision\\Call of Duty - World at War\\CoDWaWmp.exe"=

"c:\\Program Files\\Valve\\Steam\\SteamApps\\common\\trackmania nations forever\\TmForever.exe"=

"c:\\Program Files\\Valve\\Steam\\SteamApps\\common\\trackmania nations forever\\TmForeverLauncher.exe"=

"c:\\Program Files\\Valve\\Steam\\SteamApps\\common\\peggle deluxe\\Peggle.exe"=

"c:\\Program Files\\Valve\\Steam\\SteamApps\\common\\peggle extreme\\PeggleExtreme.exe"=

"c:\\Program Files\\Valve\\Steam\\SteamApps\\common\\bioshock\\Builds\\Release\\Bioshock.exe"=

"e:\\Program Files\\Codemasters\\GRID\\GRID.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=

"c:\\Program Files\\Valve\\Steam\\SteamApps\\common\\left 4 dead\\left4dead.exe"=

"c:\\Program Files\\Valve\\Steam\\SteamApps\\common\\plants vs zombies\\PlantsVsZombies.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"5353:TCP"= 5353:TCP:Adobe CSI CS4

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [05/05/2008 12:35 325896]

R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [05/05/2008 12:35 108552]

R1 SASDIFSV;SASDIFSV;e:\program files\SUPERAntiSpyware\sasdifsv.sys [14/05/2009 14:22 9968]

R1 SASKUTIL;SASKUTIL;e:\program files\SUPERAntiSpyware\SASKUTIL.SYS [14/05/2009 14:22 72944]

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;e:\program files\Avira\AntiVir Desktop\sched.exe [19/05/2009 15:11 108289]

R2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [04/07/2008 15:03 908568]

R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [04/07/2008 15:03 298776]

R3 UsbFltr;%SvcDisplayName%;c:\windows\system32\drivers\copperhd.sys [25/02/2008 17:18 11596]

S2 CiscoVpnInstallService;Cisco Systems, Inc. Installer service;c:\docume~1\Jon\LOCALS~1\Temp\WZSE0.TMP\INSTAL~1.EXE --> c:\docume~1\Jon\LOCALS~1\Temp\WZSE0.TMP\INSTAL~1.EXE [?]

S3 cpuz;cpuz;\??\c:\docume~1\Jon\LOCALS~1\Temp\cpuz.sys --> c:\docume~1\Jon\LOCALS~1\Temp\cpuz.sys [?]

S3 Razerlow;Razer Copperhead Driver;c:\windows\system32\drivers\Razerlow.sys [07/03/2007 21:38 19020]

S3 SASENUM;SASENUM;e:\program files\SUPERAntiSpyware\SASENUM.SYS [14/05/2009 14:22 7408]

.

Contents of the 'Scheduled Tasks' folder

2009-05-21 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2009-05-26 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1078081533-1177238915-725345543-1004.job

- c:\documents and settings\Jon\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-02 21:43]

.

- - - - ORPHANS REMOVED - - - -

SafeBoot-procexp90.Sys

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/

uInternet Settings,ProxyOverride = *.local

IE: &Download FLV by WinAVI... - c:\program files\WinAVI FLV Converter\flv_link.htm

IE: &Save Flash In This Page by Flash Saver - c:\progra~1\FLASHS~1\save.htm

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000

IE: {{DE365254-2F9B-4908-9E3A-7AAA6EC90BCC} - {EC83A912-7EF4-410D-9CC7-3BDAA709CA71} - c:\program files\WinAVI FLV Converter\FLVTune.dll

DPF: {F8C5C0F1-D884-43EB-A5A0-9E1C4A102FA8} - hxxps://secure.gopetslive.com/dev/GoPetsWeb.cab

FF - ProfilePath - c:\documents and settings\Jon\Application Data\Mozilla\Firefox\Profiles\lyluhf4c.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/

FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll

FF - plugin: c:\documents and settings\All Users\Application Data\id Software\QuakeLive\npquakezero.dll

FF - plugin: c:\documents and settings\All Users\Application Data\Zylom\ZylomGamesPlayer\npzylomgamesplayer.dll

FF - plugin: c:\documents and settings\Jon\Local Settings\Application Data\Google\Update\1.2.145.5\npGoogleOneClick8.dll

FF - plugin: c:\program files\Adobe\Reader 8.0\Reader\browser\nppdf32.dll

FF - plugin: c:\program files\DivX\DivX Player\npDivxPlayerPlugin.dll

FF - plugin: c:\program files\DivX\DivX Web Player\npdivx32.dll

FF - plugin: c:\program files\QuickTime\Plugins\npqtplugin.dll

FF - plugin: c:\program files\QuickTime\Plugins\npqtplugin2.dll

FF - plugin: c:\program files\QuickTime\Plugins\npqtplugin3.dll

FF - plugin: c:\program files\QuickTime\Plugins\npqtplugin4.dll

FF - plugin: c:\program files\QuickTime\Plugins\npqtplugin5.dll

FF - plugin: c:\program files\QuickTime\Plugins\npqtplugin6.dll

FF - plugin: c:\program files\QuickTime\Plugins\npqtplugin7.dll

FF - plugin: c:\program files\Real\RealPlayer\Netscape6\nppl3260.dll

FF - plugin: c:\program files\Real\RealPlayer\Netscape6\nprjplug.dll

FF - plugin: c:\program files\Real\RealPlayer\Netscape6\nprpjplug.dll

FF - plugin: c:\windows\system32\DNAML\npdbplug.dll

FF - plugin: e:\program files\Dyyno\Dyyno Player\npvlc.dll

FF - plugin: e:\program files\Mozilla Firefox\plugins\npdeploytk.dll

FF - plugin: e:\program files\Mozilla Firefox\plugins\npdivx32.dll

FF - plugin: e:\program files\Mozilla Firefox\plugins\npDivxPlayerPlugin.dll

FF - plugin: e:\program files\Mozilla Firefox\plugins\npnul32.dll

FF - plugin: e:\program files\Mozilla Firefox\plugins\nppdf32.dll

FF - plugin: e:\program files\Mozilla Firefox\plugins\NPSWF32.dll

FF - plugin: e:\program files\Mozilla Plugins\npitunes.dll

---- FIREFOX POLICIES ----

FF - user.js: capability.policy.policynames - localfilelinks

FF - user.js: capability.policy.localfilelinks.sites - hxxp://s1.travian.com http://s2.travian.com http://s3.travian.com http://s4.travian.com http://s5.travian.com http://s6.travian.com http://s7.travian.com http://s8.travian.com http://s9.travian.com http://s10.travian.com http://speed.travian.com http://s1.travian.us http://s2.travian.us http://s3.travian.us http://s4.travian.us http://s5.travian.us http://s6.travian.us http://s7.travian.us http://s8.travian.us http://s9.travian.us http://s10.travian.us http://speed.travian.us http://s1.travian.co.uk http://s2.travian.co.uk http://s3.travian.co.uk http://s4.travian.co.uk http://s5.travian.co.uk http://s6.travian.co.uk http://s7.travian.co.uk http://s8.travian.co.uk http://s9.travian.co.uk http://s10.travian.co.uk http://speed.travian.co.uk

FF - user.js: capability.policy.localfilelinks.checkloaduri.enabled - allAccess.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-05-27 01:24

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1078081533-1177238915-725345543-1004\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]

"??"=hex:1b,97,f7,36,1d,32,7f,c1,a9,e6,d8,3e,d3,6a,d4,60,87,c5,28,ac,bd,d6,37,

be,b8,05,1f,5b,70,25,1b,44,53,3a,2b,11,6c,fb,c0,36,21,98,0d,68,9d,a0,cd,0a,\

"??"=hex:a1,5e,47,db,25,65,bb,27,8b,92,55,34,10,3f,d9,49

[HKEY_USERS\S-1-5-21-1078081533-1177238915-725345543-1004\Software\SecuROM\License information*]

"datasecu"=hex:00,8d,86,a8,28,10,51,47,be,fe,54,c3,f9,54,d4,79,ee,8e,c8,41,a9,

45,08,99,89,de,3d,2f,34,9e,4b,dc,34,28,4d,80,1a,fe,16,fa,d2,1c,4c,ae,6e,c8,\

"rkeysecu"=hex:01,86,db,5f,b7,b8,88,cd,4e,8c,80,c6,fe,ea,5d,8e

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1212)

e:\program files\SUPERAntiSpyware\SASWINLO.dll

- - - - - - - > 'explorer.exe'(240)

c:\windows\system32\nview.dll

c:\windows\system32\NVWRSENG.DLL

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

c:\program files\Bonjour\mDNSResponder.exe

e:\program files\Cisco Systems\VPN Client\cvpnd.exe

e:\program files\Java\jre6\bin\jqs.exe

c:\program files\NVIDIA Corporation\nTune\nTuneService.exe

c:\windows\system32\nvsvc32.exe

c:\windows\system32\PnkBstrA.exe

c:\windows\system32\PnkBstrB.exe

c:\program files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

e:\program files\Linksys\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe

c:\program files\AVG\AVG8\avgrsx.exe

c:\progra~1\AVG\AVG8\avgnsx.exe

e:\program files\Linksys\Compact Wireless-G USB Adapter Wireless Network Monitor\WUSB54GC.exe

c:\program files\AVG\AVG8\avgcsrvx.exe

c:\windows\system32\rundll32.exe

c:\windows\system32\rundll32.exe

c:\windows\system32\wscntfy.exe

e:\program files\Razer\Copperhead\razertra.exe

e:\program files\Razer\Copperhead\razerofa.exe

c:\program files\iPod\bin\iPodService.exe

.

**************************************************************************

.

Completion time: 2009-05-27 1:28 - machine was rebooted

ComboFix-quarantined-files.txt 2009-05-27 00:28

Pre-Run: 14,909,480,960 bytes free

Post-Run: 15,217,524,736 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(1)partition(1)\WINDOWS

[operating systems]

d:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(1)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect

380 --- E O F --- 2009-05-16 01:00

New HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 01:30:35, on 27/05/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16705)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

E:\Program Files\Avira\AntiVir Desktop\sched.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

C:\Program Files\Bonjour\mDNSResponder.exe

E:\Program Files\Cisco Systems\VPN Client\cvpnd.exe

E:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\PnkBstrA.exe

C:\WINDOWS\system32\PnkBstrB.exe

C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

C:\WINDOWS\System32\svchost.exe

E:\Program Files\Linksys\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe

C:\PROGRA~1\AVG\AVG8\avgrsx.exe

C:\PROGRA~1\AVG\AVG8\avgnsx.exe

E:\Program Files\Linksys\Compact Wireless-G USB Adapter Wireless Network Monitor\WUSB54GC.exe

C:\PROGRA~1\AVG\AVG8\avgemc.exe

C:\Program Files\AVG\AVG8\avgcsrvx.exe

C:\WINDOWS\RTHDCPL.EXE

C:\WINDOWS\system32\rundll32.exe

C:\PROGRA~1\AVG\AVG8\avgtray.exe

E:\Program Files\iTunesHelper.exe

E:\Program Files\Razer\Copperhead\razerhid.exe

C:\WINDOWS\system32\RUNDLL32.EXE

E:\Program Files\Avira\AntiVir Desktop\avgnt.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\system32\wscntfy.exe

E:\Program Files\Razer\Copperhead\razertra.exe

E:\Program Files\Razer\Copperhead\razerofa.exe

C:\program files\valve\steam\steam.exe

C:\Documents and Settings\Jon\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

C:\Program Files\iPod\bin\iPodService.exe

E:\Program Files\Launchy\Launchy.exe

C:\WINDOWS\explorer.exe

C:\WINDOWS\system32\notepad.exe

C:\Documents and Settings\Jon\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

C:\Documents and Settings\Jon\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

E:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll

O2 - BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - E:\Program Files\Java\jre6\bin\ssv.dll

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - E:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - E:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O2 - BHO: WinAVI FLVSense - {E8DF67A1-B618-4F3F-9E7C-CBE175ADEF5B} - C:\Program Files\WinAVI FLV Converter\FLVTune.dll

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE

O4 - HKLM\..\Run: [JMB36X IDE Setup] C:\WINDOWS\RaidTool\xInsIDE.exe

O4 - HKLM\..\Run: [36X Raid Configurer] C:\WINDOWS\system32\xRaidSetup.exe boot

O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe

O4 - HKLM\..\Run: [iTunesHelper] "E:\Program Files\iTunesHelper.exe"

O4 - HKLM\..\Run: [Copperhead] E:\Program Files\Razer\Copperhead\razerhid.exe

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [avgnt] "E:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear

O4 - HKCU\..\Run: [steam] "c:\program files\valve\steam\steam.exe" -silent

O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Jon\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c

O4 - Global Startup: Launchy.lnk = E:\Program Files\Launchy\Launchy.exe

O4 - Global Startup: VPN Client.lnk = ?

O8 - Extra context menu item: &Download FLV by WinAVI... - C:\Program Files\WinAVI FLV Converter\flv_link.htm

O8 - Extra context menu item: &Save Flash In This Page by Flash Saver - C:\PROGRA~1\FLASHS~1\save.htm

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000

O9 - Extra button: Flash Saver - {09EA1F80-F40A-11D1-B792-444553540001} - C:\PROGRA~1\FLASHS~1\save.htm

O9 - Extra 'Tools' menuitem: Flash Saver - {09EA1F80-F40A-11D1-B792-444553540001} - C:\PROGRA~1\FLASHS~1\save.htm

O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll

O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL

O9 - Extra button: WinAVI FLV Manager - {DE365254-2F9B-4908-9E3A-7AAA6EC90BCC} - C:\Program Files\WinAVI FLV Converter\FLVTune.dll

O9 - Extra 'Tools' menuitem: WinAVI FLV Manager - {DE365254-2F9B-4908-9E3A-7AAA6EC90BCC} - C:\Program Files\WinAVI FLV Converter\FLVTune.dll

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe

O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/200612...ex/qtplugin.cab

O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab

O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab56986.cab

O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-GB/a-UNO1/GAME_UNO1.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1173299342609

O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab

O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab56986.cab

O16 - DPF: {F8C5C0F1-D884-43EB-A5A0-9E1C4A102FA8} (GoPetsWeb Control) - https://secure.gopetslive.com/dev/GoPetsWeb.cab

O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll

O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O20 - Winlogon Notify: !SASWinLogon - E:\Program Files\SUPERAntiSpyware\SASWINLO.dll

O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll

O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - E:\Program Files\Avira\AntiVir Desktop\sched.exe

O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - E:\Program Files\Avira\AntiVir Desktop\avguard.exe

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe

O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: Cisco Systems, Inc. Installer service (CiscoVpnInstallService) - Unknown owner - C:\DOCUME~1\Jon\LOCALS~1\Temp\WZSE0.TMP\INSTAL~1.EXE (file missing)

O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - E:\Program Files\Cisco Systems\VPN Client\cvpnd.exe

O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - E:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe

O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - E:\Program Files\WinPcap\rpcapd.exe (file missing)

O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

O23 - Service: WUSB54GCSVC - GEMTEKS - E:\Program Files\Linksys\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe

--

End of file - 11364 bytes

P2P Warning!

uTorrent

I understand that downloading music and other files may be important to you; however, the P2P programs that you are using to do that, even if they are not infected with malware, will bring malware into your system. Therefore, the chances of you becoming infected again are very high. This obviously can result in disabling your computer and could even lead to someone stealing sensitive personal data from your computer. Beyond the inconvenience this causes you, these programs also tend to use your computer as a server to spread more infection over the internet, so your computer becomes a part of the malware problem.

Remember that no matter how clean the program you're using for peer-to-peer filesharing may be, it offers no guarantees regarding the cleanliness of files you may choose to download. All files available via p2p filesharing carry a high risk, particularly those that offer you illegitimate methods of using legitimate software programs without paying for them. Any program or file that offers you the ability to access non-freeware programs at no cost, e.g., copyrighted material, pirated software, and/or cracks/key generators for gaining access to legitimate software, is 100% guaranteed to contain malware.

An often unanticipated and unintended consequence of using p2p programs is that you may be leaving your computer open to access by others without either your knowledge or consent. This is how you can uninstall it/them:

  • Click Start
  • Go to Control Panel
  • Go to Add/Remove Programs
  • Find and click Remove for the following (if present):
    uTorrent

NOTE: Take care when answering any questions posed by an uninstaller. Some questions may be worded to deceive you into keeping the program.

If you wish to keep them, you MUST NOT use them until your computer is clean.

Remove one of your Anti Virus programs.

You are operating multiple Anti Virus programs on your computer:

  • Avira and AVG8

It is NOT safe to have more than one anti-virus installed on a system, and doing so not only does not provide better protection, it will actually cause additional problems. Anti-virus programs patch into the system kernel. Having more than one anti-virus patching into the system kernel will not only destabilize a system, it can corrupt system files and it WILL cause crashes! You MUST remove all but one anti-virus program.

Remove HijackThis entries

  • Run HijackThis
  • Click on the Scan button
  • Put a check beside all of the items listed below (if present):
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
  • Close all open windows and browsers/email etc...
  • Click on the Fix Checked button
  • When completed close the application.

OTM

Download OTM by Old Timer and save it to your Desktop.

  • Double-click OTM.exe to run it.
  • Copy the lines in the codebox below.
    :Processes
    explorer.exe
    :Files
    c:\windows\system32\Fxxplfnt.tmp
    :Commands
    [emptytemp]
    [start explorer]
    [Reboot]
  • Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • OTM may ask to reboot the machine. Please do so if asked.
  • Copy everything in the Results window (under the green bar), and paste it in your next reply.
  • Close OTM

Kaspersky Online Scan

Please go to Kaspersky website and perform an online antivirus scan.

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

  • Read through the requirements and privacy statement and click on Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
  • Click on My Computer under Scan.
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  • Please post this log in your next reply along with a fresh HijackThis log.

Logs/Information to Post in Next Reply

Please post the following logs/Information in your reply:

  • OTM Log
  • Kaspersky Log
  • A fresh HijackThis Log ( after all the above has been done)
  • A description of how your computer is behaving

Due to the lack of feedback this Topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

The fixes and advice in this thread are for this machine only. Do not apply the instructions from this thread to your own machine. Please start a new thread describing your issue and someone will be along to assist you.

OK, sorry I took a while, but the Kaspersky scan took about 10 hours, and as soon as I got too impatient something happened to stop it, so I had to find time to get 10 hours straight. I removed AVG (as it has been totally useless in this whole thing) and I'm not even able to use any p2p software at all at University, so that isn't an issue.

I can't see any symptoms of any infection whatsoever though.

Kaspersky seems to have flagged all sorts of things though.

Thanks! (oh and btw, what does OTM actually do?)

OTM log:

========== PROCESSES ==========

Process explorer.exe killed successfully.

========== FILES ==========

c:\windows\system32\Fxxplfnt.tmp moved successfully.

========== COMMANDS ==========

File delete failed. C:\DOCUME~1\Jon\LOCALS~1\Temp\etilqs_CgZJibfKhgBkD7N scheduled to be deleted on reboot.

File delete failed. C:\DOCUME~1\Jon\LOCALS~1\Temp\etilqs_Jcz7IoyS8ZFp5cV scheduled to be deleted on reboot.

File delete failed. C:\DOCUME~1\Jon\LOCALS~1\Temp\~DFDC1A.tmp scheduled to be deleted on reboot.

User's Temp folder emptied.

User's Internet Explorer cache folder emptied.

File delete failed. C:\Documents and Settings\Jon\Local Settings\Temporary Internet Files\Content.IE5\ZZN1R4WT\store_steampowered_com[1].htm scheduled to be deleted on reboot.

File delete failed. C:\Documents and Settings\Jon\Local Settings\Temporary Internet Files\Content.IE5\3ORQ1FJU\notifier_avira_com[1].htm scheduled to be deleted on reboot.

File delete failed. C:\Documents and Settings\Jon\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.

User's Temporary Internet Files folder emptied.

Local Service Temp folder emptied.

File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.

Local Service Temporary Internet Files folder emptied.

Network Service Temp folder emptied.

Network Service Temporary Internet Files folder emptied.

File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_5d4.dat scheduled to be deleted on reboot.

File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_704.dat scheduled to be deleted on reboot.

Windows Temp folder emptied.

Java cache emptied.

FireFox cache emptied.

Opera cache emptied.

Temp folders emptied.

Explorer started successfully

OTM by OldTimer - Version 2.1.0.0 log created on 05292009_015153

Files moved on Reboot...

File C:\DOCUME~1\Jon\LOCALS~1\Temp\etilqs_CgZJibfKhgBkD7N not found!

File C:\DOCUME~1\Jon\LOCALS~1\Temp\etilqs_Jcz7IoyS8ZFp5cV not found!

C:\DOCUME~1\Jon\LOCALS~1\Temp\~DFDC1A.tmp moved successfully.

C:\Documents and Settings\Jon\Local Settings\Temporary Internet Files\Content.IE5\ZZN1R4WT\store_steampowered_com[1].htm moved successfully.

C:\Documents and Settings\Jon\Local Settings\Temporary Internet Files\Content.IE5\3ORQ1FJU\notifier_avira_com[1].htm moved successfully.

File C:\WINDOWS\temp\Perflib_Perfdata_5d4.dat not found!

File C:\WINDOWS\temp\Perflib_Perfdata_704.dat not found!

Registry entries deleted on Reboot...

Kaspersky Log:

KASPERSKY ONLINE SCANNER 7.0 REPORT

Tuesday, June 2, 2009

Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)

Kaspersky Online Scanner version: 7.0.26.13

Program database last update: Monday, June 01, 2009 19:14:19

Records in database: 2292339

Scan settings

Scan using the following database extended

Scan archives yes

Scan mail databases yes

Scan area My Computer

A:\

C:\

D:\

E:\

F:\

G:\

H:\

Scan statistics

Files scanned 353173

Threat name 17

Infected objects 36

Suspicious objects 0

Duration of the scan 10:27:03

File name Threat name Threats count

C:\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.621 1

C:\System Volume Information\_restore{A702071B-0305-46F2-B1CA-DA8CD33B7829}\RP831\A0254697.sys Infected: Trojan.Win32.Agent.chly 1

C:\System Volume Information\_restore{A702071B-0305-46F2-B1CA-DA8CD33B7829}\RP831\A0254698.dll Infected: Trojan.Win32.TDSS.acbv 1

C:\System Volume Information\_restore{A702071B-0305-46F2-B1CA-DA8CD33B7829}\RP831\A0254699.dll Infected: Packed.Win32.Tdss.f 1

C:\System Volume Information\_restore{A702071B-0305-46F2-B1CA-DA8CD33B7829}\RP831\A0254700.dll Infected: Packed.Win32.Tdss.f 1

C:\System Volume Information\_restore{A702071B-0305-46F2-B1CA-DA8CD33B7829}\RP831\A0254701.dll Infected: Packed.Win32.Tdss.f 1

C:\System Volume Information\_restore{A702071B-0305-46F2-B1CA-DA8CD33B7829}\RP831\A0254702.dll Infected: Packed.Win32.Tdss.f 1

D:\ISOs\Operating Systems\Linux\SuSE 10.0\SuSE 10.0 CD1.iso Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.h 1

D:\ISOs\Operating Systems\Linux\SuSE 10.0\SuSE 10.0 CD1.iso Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.b 1

D:\ISOs\Operating Systems\Linux\SuSE 9.3 Pro\SuSE 9.3 Pro CD1.iso Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.h 1

D:\ISOs\Operating Systems\Linux\SuSE 9.3 Pro\SuSE 9.3 Pro CD1.iso Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.b 1

D:\Jon's PC\Monsterkill\Installers\Legion\BruteForce.ex_ Infected: HackTool.Win32.BruteForce.a 1

D:\Jon's PC\Monsterkill\Installers\Legion\Chrono.dl_ Infected: HackTool.Win32.BruteForce.d 1

D:\Jon's PC\Monsterkill\Installers\Legion\Legion.ex_ Infected: not-a-virus:NetTool.Win32.Legion.21 1

D:\Jon's PC\Monsterkill\Installers\Real VNC\vnc-4_1_1-x86_win32.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4110 1

D:\Jon's PC\Monsterkill\Installers\Real VNC\vnc-4_1_1-x86_win32.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 1

D:\Jon's PC\Vista Transformation Pack\Vista Transformation Pack 3.0.exe Infected: not-a-virus:RiskTool.Win32.CloseApp.a 2

D:\Jon's PC\Vista Transformation Pack\Vista Transformation Pack.exe Infected: not-a-virus:RiskTool.Win32.CloseApp.a 2

D:\Program Files\Legion\Legion.exe Infected: not-a-virus:NetTool.Win32.Legion.21 1

E:\Program Files\Cain\Cain.exe Infected: not-a-virus:PSWTool.Win32.Cain.s 1

E:\Programs\legion\BruteForce.ex_ Infected: HackTool.Win32.BruteForce.a 1

E:\Programs\legion\Chrono.dl_ Infected: HackTool.Win32.BruteForce.d 1

E:\Programs\legion\Legion.ex_ Infected: not-a-virus:NetTool.Win32.Legion.21 1

E:\Programs\legion\NetTools.ex_ Infected: Trojan-PSW.Win32.Spion.c 1

E:\Programs\legion.zip Infected: Trojan-PSW.Win32.Spion.c 1

E:\Programs\legion.zip Infected: HackTool.Win32.BruteForce.a 1

E:\Programs\legion.zip Infected: HackTool.Win32.BruteForce.d 1

E:\Programs\legion.zip Infected: not-a-virus:NetTool.Win32.Legion.21 1

E:\Programs\melgibs.rar Infected: Trojan-Banker.Win32.Banker.afwk 1

E:\Programs\mirc621.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.621 1

E:\Programs\Nero.zip Infected: Trojan.Win32.Agent.abek 1

E:\Programs\tightvnc-1.2.9-setup.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.h 1

E:\Programs\tightvnc-1.2.9-setup.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.b 1

E:\usb_multiboot_10\USB_MultiBoot_10\MULTI_CONTENT\wintools\othertools\ProduKey.exe Infected: not-a-virus:PSWTool.Win32.ProductKey.i 1

The selected area was scanned.

HJT log:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 20:15:30, on 02/06/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16705)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

E:\Program Files\Avira\AntiVir Desktop\sched.exe

E:\Program Files\Avira\AntiVir Desktop\avguard.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\RTHDCPL.EXE

C:\WINDOWS\system32\rundll32.exe

E:\Program Files\iTunesHelper.exe

E:\Program Files\Razer\Copperhead\razerhid.exe

C:\WINDOWS\system32\RUNDLL32.EXE

E:\Program Files\Avira\AntiVir Desktop\avgnt.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Documents and Settings\Jon\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

E:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

E:\Program Files\Launchy\Launchy.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

E:\Program Files\Cisco Systems\VPN Client\cvpnd.exe

E:\Program Files\Java\jre6\bin\jqs.exe

E:\Program Files\Razer\Copperhead\razerofa.exe

C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\PnkBstrA.exe

C:\WINDOWS\system32\PnkBstrB.exe

C:\WINDOWS\System32\svchost.exe

E:\Program Files\Linksys\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe

E:\Program Files\Linksys\Compact Wireless-G USB Adapter Wireless Network Monitor\WUSB54GC.exe

C:\Program Files\iPod\bin\iPodService.exe

E:\Program Files\Razer\Copperhead\razertra.exe

E:\PROGRA~1\FOXITS~1\FOXITR~1\FOXITR~1.EXE

C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE

C:\Documents and Settings\Jon\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

C:\Documents and Settings\Jon\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

C:\Program Files\Microsoft Office\Office12\EXCEL.EXE

C:\Documents and Settings\Jon\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

C:\Documents and Settings\Jon\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

C:\Documents and Settings\Jon\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

E:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll

O2 - BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - E:\Program Files\Java\jre6\bin\ssv.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - E:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - E:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O2 - BHO: WinAVI FLVSense - {E8DF67A1-B618-4F3F-9E7C-CBE175ADEF5B} - C:\Program Files\WinAVI FLV Converter\FLVTune.dll

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE

O4 - HKLM\..\Run: [JMB36X IDE Setup] C:\WINDOWS\RaidTool\xInsIDE.exe

O4 - HKLM\..\Run: [36X Raid Configurer] C:\WINDOWS\system32\xRaidSetup.exe boot

O4 - HKLM\..\Run: [iTunesHelper] "E:\Program Files\iTunesHelper.exe"

O4 - HKLM\..\Run: [Copperhead] E:\Program Files\Razer\Copperhead\razerhid.exe

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [avgnt] "E:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear

O4 - HKCU\..\Run: [steam] "c:\program files\valve\steam\steam.exe" -silent

O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Jon\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c

O4 - HKCU\..\Run: [spybotSD TeaTimer] E:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

O4 - Startup: Xfire.lnk = E:\Program Files\Xfire\Xfire.exe

O4 - Global Startup: Launchy.lnk = E:\Program Files\Launchy\Launchy.exe

O4 - Global Startup: VPN Client.lnk = ?

O8 - Extra context menu item: &Download FLV by WinAVI... - C:\Program Files\WinAVI FLV Converter\flv_link.htm

O8 - Extra context menu item: &Save Flash In This Page by Flash Saver - C:\PROGRA~1\FLASHS~1\save.htm

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000

O9 - Extra button: Flash Saver - {09EA1F80-F40A-11D1-B792-444553540001} - C:\PROGRA~1\FLASHS~1\save.htm

O9 - Extra 'Tools' menuitem: Flash Saver - {09EA1F80-F40A-11D1-B792-444553540001} - C:\PROGRA~1\FLASHS~1\save.htm

O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll

O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL

O9 - Extra button: WinAVI FLV Manager - {DE365254-2F9B-4908-9E3A-7AAA6EC90BCC} - C:\Program Files\WinAVI FLV Converter\FLVTune.dll

O9 - Extra 'Tools' menuitem: WinAVI FLV Manager - {DE365254-2F9B-4908-9E3A-7AAA6EC90BCC} - C:\Program Files\WinAVI FLV Converter\FLVTune.dll

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe

O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/200612...ex/qtplugin.cab

O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab

O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab56986.cab

O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-GB/a-UNO1/GAME_UNO1.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1173299342609

O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab

O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab56986.cab

O16 - DPF: {F8C5C0F1-D884-43EB-A5A0-9E1C4A102FA8} (GoPetsWeb Control) - https://secure.gopetslive.com/dev/GoPetsWeb.cab

O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O20 - Winlogon Notify: !SASWinLogon - E:\Program Files\SUPERAntiSpyware\SASWINLO.dll

O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - E:\Program Files\Avira\AntiVir Desktop\sched.exe

O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - E:\Program Files\Avira\AntiVir Desktop\avguard.exe

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: Cisco Systems, Inc. Installer service (CiscoVpnInstallService) - Unknown owner - C:\DOCUME~1\Jon\LOCALS~1\Temp\WZSE0.TMP\INSTAL~1.EXE (file missing)

O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - E:\Program Files\Cisco Systems\VPN Client\cvpnd.exe

O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - E:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe

O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - E:\Program Files\WinPcap\rpcapd.exe (file missing)

O23 - Service: WUSB54GCSVC - GEMTEKS - E:\Program Files\Linksys\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe

--

End of file - 10982 bytes


Hello!

Sorry for the delay.

(oh and btw, what does OTM actually do?)

We use it to remove malware entries or entries that are not needed.

Disable Teatimer

Please disable Teatimer as it may interfere with the fix.

  • If you have version 1.6, right click the Spybot Icon in the system tray near the clock (looks like a blue/white calendar with a padlock symbol).
  • Click once on Resident Protection, then right click the Spybot icon again and make sure Resident Protection is now Unchecked. The Spybot icon in the System tray should now be colorless.
  • Go to Start > All Programs > Spybot - Search & Destroy > Spybot Search & Destroy.
  • Click on Mode > Advanced Mode. When it prompts you, click Yes.
  • On the left hand side, click on Tools.
  • Check this box if it is not yet ticked: Resident.
  • You will notice that Resident is now added under Tools. Click on Resident.
  • Uncheck this box: Resident "TeaTimer" (Protection of over-all system settings) active.
  • Exit Spybot Search & Destroy.
  • Reboot your machine for the changes to take effect.

Once your log is clean you can re-enable those settings in TeaTimer.

OTM

  • Double-click OTM.exe to run it.
  • Copy the lines in the codebox below.
:Processes
explorer.exe
:Files
D:\Jon's PC\Monsterkill\Installers\Legion
D:\Program Files\Legion
E:\Programs\legion
E:\Programs\legion.zip
E:\Programs\melgibs.rar
E:\Programs\Nero.zip
:Commands
[emptytemp]
[start explorer]
[Reboot]
  • Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • OTM may ask to reboot the machine. Please do so if asked.
  • Copy everything in the Results window (under the green bar), and paste it in your next reply.
  • Close OTM

Logs/Information to Post in Next Reply

Please post the following logs/Information in your reply:

  • OTM log
  • A fresh HijackThis Log ( after all the above has been done)
  • A description of how your computer is behaving

Here it is:

ComboFix 09-06-04.04 - Jon 04/06/2009 21:39.2 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.3582.3028 [GMT 1:00]

Running from: c:\documents and settings\Jon\Desktop\ComboFix.exe

AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

FW: ZoneAlarm Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

.

((((((((((((((((((((((((( Files Created from 2009-05-04 to 2009-06-04 )))))))))))))))))))))))))))))))

.

2009-06-04 20:24 . 2009-06-04 20:24 -------- d-----w- e:\program files\Mozilla Plugins

2009-06-04 20:24 . 2009-06-04 20:24 -------- d-----w- e:\program files\iTunesMiniPlayer.Resources

2009-06-04 20:24 . 2009-06-04 20:24 -------- d-----w- e:\program files\iTunesHelper.Resources

2009-06-04 20:24 . 2009-06-04 20:24 -------- d-----w- e:\program files\iTunes.Resources

2009-06-04 20:24 . 2009-06-04 20:24 -------- d-----w- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}

2009-06-04 20:24 . 2009-06-04 20:24 -------- d-----w- e:\program files\CD Configuration

2009-06-04 20:18 . 2009-06-04 20:18 75048 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.2.0.23\SetupAdmin.exe

2009-06-04 09:06 . 2009-06-04 09:06 -------- d-----w- c:\program files\Common Files\Adobe AIR

2009-05-30 11:30 . 2009-05-30 11:30 265000 ----a-w- e:\program files\iTunesPhotoProcessor.exe

2009-05-30 11:30 . 2009-05-30 11:30 384808 ----a-w- e:\program files\iTunesAdmin.dll

2009-05-30 11:30 . 2009-05-30 11:30 292136 ----a-w- e:\program files\iTunesHelper.exe

2009-05-30 11:30 . 2009-05-30 11:30 285184 ----a-w- e:\program files\iTunesOutlookAddIn.dll

2009-05-30 11:30 . 2009-05-30 11:30 124200 ----a-w- e:\program files\iTunesMiniPlayer.dll

2009-05-30 11:30 . 2009-05-30 11:30 14073640 ----a-w- e:\program files\iTunes.exe

2009-05-30 11:30 . 2009-05-30 11:30 722160 ----a-w- e:\program files\CDDBControlApple.dll

2009-05-30 11:30 . 2009-05-30 11:30 643072 ----a-w- e:\program files\iPodUpdaterExt.dll

2009-05-29 00:51 . 2009-05-29 00:51 -------- d-----w- C:\_OTM

2009-05-27 09:38 . 2009-05-27 09:38 3371383 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe

2009-05-24 18:53 . 2009-05-24 18:53 -------- d-----w- c:\documents and settings\Jon\Local Settings\Application Data\vdownloader

2009-05-24 18:53 . 2009-05-24 18:53 -------- d-----w- e:\program files\VDOWNLOADER

2009-05-21 22:51 . 2009-05-21 22:51 41808 ----a-w- c:\windows\system32\xfcodec.dll

2009-05-19 14:11 . 2009-03-30 09:33 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys

2009-05-19 14:11 . 2009-03-24 15:08 55640 ----a-w- c:\windows\system32\drivers\avgntflt.sys

2009-05-19 14:11 . 2009-02-13 11:29 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys

2009-05-19 14:11 . 2009-02-13 11:17 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys

2009-05-19 14:11 . 2009-05-19 14:11 -------- d-----w- e:\program files\Avira

2009-05-19 14:11 . 2009-05-19 14:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira

2009-05-19 14:09 . 2009-05-19 14:09 -------- d-----w- e:\program files\Trend Micro

2009-05-19 13:55 . 2009-05-26 12:19 19096 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-05-19 13:54 . 2009-05-26 12:20 40160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-05-19 10:41 . 2009-05-19 10:41 -------- d-----w- c:\documents and settings\Jon\Application Data\Malwarebytes

2009-05-19 10:25 . 2009-05-27 09:38 -------- d-----w- e:\program files\Malwarebytes' Anti-Malware

2009-05-19 10:25 . 2009-05-19 10:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-05-18 17:44 . 2009-05-18 17:44 -------- d-----w- e:\program files\Graph

2009-05-18 10:23 . 2009-05-19 11:43 -------- d-----w- e:\program files\Spybot - Search & Destroy

2009-05-17 22:46 . 2009-05-19 11:31 -------- d-----w- e:\program files\Panda Security

2009-05-17 20:29 . 2009-05-17 22:21 117760 ----a-w- c:\documents and settings\Jon\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL

2009-05-17 20:28 . 2009-05-17 20:28 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com

2009-05-17 20:24 . 2009-05-17 20:28 -------- d-----w- e:\program files\SUPERAntiSpyware

2009-05-17 20:24 . 2009-05-17 20:24 -------- d-----w- c:\documents and settings\Jon\Application Data\SUPERAntiSpyware.com

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-06-04 20:32 . 2007-03-07 21:03 -------- d-----w- c:\documents and settings\Jon\Application Data\Xfire

2009-06-04 20:31 . 2009-03-27 16:45 -------- d-----w- c:\documents and settings\Jon\Application Data\nView_Wallpaper

2009-06-04 20:24 . 2007-12-25 13:20 -------- d-----w- c:\program files\Common Files\Apple

2009-06-04 20:08 . 2008-05-15 07:22 -------- d-----w- e:\program files\Diablo II

2009-06-04 18:15 . 2009-05-29 19:15 10254 ----a-w- c:\windows\system32\Fxxplfnt.tmp

2009-06-04 10:09 . 2007-03-07 22:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2009-06-04 09:05 . 2007-03-09 20:11 -------- d-----w- c:\program files\Common Files\Adobe

2009-06-01 18:53 . 2007-10-17 13:30 64 ----a-w- c:\windows\popcinfot.dat

2009-05-30 11:30 . 2009-05-30 11:30 111912 ----a-w- e:\program files\ITDetector.ocx

2009-05-30 11:30 . 2009-05-30 11:30 8356 ----a-w- e:\program files\Acknowledgements.rtf

2009-05-28 17:31 . 2008-01-24 23:07 -------- d-s---w- e:\program files\Xfire

2009-05-20 07:17 . 2008-12-31 00:00 -------- d-----w- e:\program files\Cain

2009-05-18 17:25 . 2007-03-08 07:11 75584 ----a-w- c:\documents and settings\Jon\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-05-17 20:24 . 2007-10-19 12:53 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard

2009-05-15 00:31 . 2007-09-30 22:17 138920 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys

2009-05-15 00:31 . 2007-09-30 22:16 189072 ----a-w- c:\windows\system32\PnkBstrB.exe

2009-05-15 00:28 . 2008-11-13 17:56 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP

2009-05-13 18:49 . 2008-06-22 15:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help

2009-05-04 11:37 . 2009-03-27 10:20 8 ----a-w- c:\windows\system32\nvModes.dat

2009-04-22 22:47 . 2007-04-29 12:49 -------- d-----w- c:\documents and settings\Jon\Application Data\uTorrent

2009-04-21 23:20 . 2009-04-21 23:20 14311680 ----a-w- c:\windows\system32\xlive.dll

2009-04-21 23:20 . 2009-04-21 23:20 13642496 ----a-w- c:\windows\system32\xlivefnt.dll

2009-04-20 23:00 . 2009-04-20 23:00 -------- d-----w- e:\program files\NDSROM Player

2009-04-11 02:14 . 2008-01-30 15:49 -------- d--h--w- e:\program files\InstallShield Installation Information

2009-04-10 21:20 . 2009-04-10 21:20 -------- d-----w- c:\documents and settings\All Users\Application Data\FLEXnet

2009-04-10 21:11 . 2009-04-10 21:11 -------- d-----w- e:\program files\Adobe Media Player

2009-04-10 21:01 . 2009-04-10 21:01 -------- d-----w- c:\program files\Common Files\Macrovision Shared

2009-04-10 20:45 . 2008-04-28 15:13 -------- d-----w- c:\documents and settings\All Users\Application Data\TrackMania

2009-04-09 17:53 . 2009-04-09 17:53 -------- d-----w- c:\documents and settings\Jon\Application Data\Launchy

2009-04-09 17:53 . 2009-04-09 17:53 -------- d-----w- e:\program files\Launchy

2009-03-30 18:22 . 2009-03-30 18:18 34 ----a-w- c:\documents and settings\Jon\jagex_runescape_preferences.dat

2009-03-28 12:48 . 2007-03-27 17:18 444952 ----a-w- c:\windows\system32\wrap_oal.dll

2009-03-28 12:48 . 2007-03-27 17:18 109080 ----a-w- c:\windows\system32\OpenAL32.dll

2009-03-27 18:08 . 2009-03-27 18:08 29696 ----a-w- c:\windows\mickey32.dll

2009-03-27 18:08 . 2009-03-27 18:08 232784 ----a-w- c:\windows\Matrix Code.scr

2009-03-27 18:08 . 2009-03-27 18:08 2285222 ----a-w- c:\windows\Matrix Code.exe

2009-03-19 15:32 . 2009-03-19 15:32 23400 ----a-w- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}\x86\x86\GEARAspiWDM.sys

2009-03-19 15:32 . 2008-01-29 11:01 23400 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys

2009-03-14 20:50 . 2009-03-14 20:50 20747 ----a-w- c:\windows\system32\drivers\AegisP.sys

2009-01-31 17:59 . 2009-01-31 17:59 1112041813 ----a-w- e:\program files\MSSetup.exe

.

((((((((((((((((((((((((((((( SnapShot@2009-05-27_00.24.21 )))))))))))))))))))))))))))))))))))))))))

.

+ 2009-06-04 20:30 . 2009-06-04 20:30 16384 c:\windows\Temp\Perflib_Perfdata_370.dat

+ 2009-06-04 20:30 . 2009-06-04 20:30 16384 c:\windows\Temp\Perflib_Perfdata_358.dat

+ 2009-06-04 20:20 . 2009-05-29 12:36 39424 c:\windows\system32\DRVSTORE\usbaapl_872A2434B7205D4BD84BBE53811BDCE15F347D5B\usbaapl.sys

+ 2009-06-04 20:20 . 2009-05-29 12:36 17408 c:\windows\system32\DRVSTORE\netaapl_F433E854B3FF3BEE74986FDE8E16A64162342BFF\netaapl.sys

+ 2009-06-04 20:24 . 2009-03-19 15:32 23400 c:\windows\system32\DRVSTORE\GEARAspiWD_F475AF659D36685632E9BD97B57E9D9661FF3FFD\x86\GEARAspiWDM.sys

- 2008-08-29 08:53 . 2008-08-29 08:53 61440 c:\windows\system32\dnssd.dll

+ 2008-12-12 10:11 . 2008-12-12 10:11 61440 c:\windows\system32\dnssd.dll

- 2008-08-29 09:18 . 2008-08-29 09:18 87336 c:\windows\system32\dns-sd.exe

+ 2008-12-12 10:18 . 2008-12-12 10:18 87336 c:\windows\system32\dns-sd.exe

+ 2009-06-04 20:16 . 2009-06-04 20:16 86016 c:\windows\Installer\{07287123-B8AC-41CE-8346-3D777245C35B}\PrntWzrdIco.exe

- 2008-01-29 11:02 . 2008-04-17 12:12 107368 c:\windows\system32\GEARAspi.dll

+ 2008-01-29 11:02 . 2008-04-17 11:12 107368 c:\windows\system32\GEARAspi.dll

+ 2009-06-04 20:24 . 2008-04-17 11:12 107368 c:\windows\system32\DRVSTORE\GEARAspiWD_F475AF659D36685632E9BD97B57E9D9661FF3FFD\x86\GEARAspi.dll

+ 2009-06-04 20:25 . 2009-06-04 20:25 102400 c:\windows\Installer\{CC5702D7-86E2-45A8-99D7-E8B976ADCC56}\iTunesIco.exe

+ 2009-06-04 20:17 . 2009-06-04 20:17 307200 c:\windows\Installer\{9C48DCA4-00C2-449C-88D8-B1EE1692B44F}\SafariIco.exe

+ 2009-06-04 20:20 . 2009-05-29 12:36 2060288 c:\windows\system32\DRVSTORE\usbaapl_872A2434B7205D4BD84BBE53811BDCE15F347D5B\usbaaplrc.dll

+ 2009-06-04 20:20 . 2009-05-29 12:36 1419232 c:\windows\system32\DRVSTORE\netaapl_F433E854B3FF3BEE74986FDE8E16A64162342BFF\wdfcoinstaller01005.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

"NVIDIA nTune"="c:\program files\NVIDIA Corporation\nTune\nTuneCmd.exe" [2007-09-04 81920]

"Steam"="c:\program files\valve\steam\steam.exe" [2009-05-19 1217784]

"Google Update"="c:\documents and settings\Jon\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-09-02 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-02-18 13680640]

"JMB36X IDE Setup"="c:\windows\RaidTool\xInsIDE.exe" [2007-03-20 36864]

"36X Raid Configurer"="c:\windows\system32\xRaidSetup.exe" [2007-05-25 1953792]

"Copperhead"="e:\program files\Razer\Copperhead\razerhid.exe" [2005-11-25 155648]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-02-18 86016]

"avgnt"="e:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]

"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-05-13 177472]

"iTunesHelper"="e:\program files\iTunesHelper.exe" [2009-05-30 292136]

"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2009-02-18 1657376]

"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2007-07-05 16380416]

c:\documents and settings\Jon\Start Menu\Programs\Startup\

Xfire.lnk - e:\program files\Xfire\Xfire.exe [2009-5-21 3171664]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Launchy.lnk - e:\program files\Launchy\Launchy.exe [2009-4-9 286720]

VPN Client.lnk - c:\windows\Installer\{4C271126-C295-4828-A901-5910AE0C258B}\Icon3E5562ED7.ico [2009-1-2 6144]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"NoSMHelp"= 01000000

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "e:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2008-12-22 11:05 356352 ----a-w- e:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk

backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Synchronizer.lnk

backup=c:\windows\pss\Adobe Reader Synchronizer.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AutoUpdate Monitor.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\AutoUpdate Monitor.lnk

backup=c:\windows\pss\AutoUpdate Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Run Google Web Accelerator.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Run Google Web Accelerator.lnk

backup=c:\windows\pss\Run Google Web Accelerator.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Jon^Start Menu^Programs^Startup^Folding@Home 5.03.lnk]

path=c:\documents and settings\Jon\Start Menu\Programs\Startup\Folding@Home 5.03.lnk

backup=c:\windows\pss\Folding@Home 5.03.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Jon^Start Menu^Programs^Startup^hamachi.lnk]

path=c:\documents and settings\Jon\Start Menu\Programs\Startup\hamachi.lnk

backup=c:\windows\pss\hamachi.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Jon^Start Menu^Programs^Startup^Microsoft Office Groove.lnk]

path=c:\documents and settings\Jon\Start Menu\Programs\Startup\Microsoft Office Groove.lnk

backup=c:\windows\pss\Microsoft Office Groove.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Jon^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]

path=c:\documents and settings\Jon\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk

backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Jon^Start Menu^Programs^Startup^OpenOffice.org 2.1.lnk]

path=c:\documents and settings\Jon\Start Menu\Programs\Startup\OpenOffice.org 2.1.lnk

backup=c:\windows\pss\OpenOffice.org 2.1.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Jon^Start Menu^Programs^Startup^OpenOffice.org 2.2.lnk]

path=c:\documents and settings\Jon\Start Menu\Programs\Startup\OpenOffice.org 2.2.lnk

backup=c:\windows\pss\OpenOffice.org 2.2.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Jon^Start Menu^Programs^Startup^RAR Password Cracker.lnk]

path=c:\documents and settings\Jon\Start Menu\Programs\Startup\RAR Password Cracker.lnk

backup=c:\windows\pss\RAR Password Cracker.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"vsmon"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\THQ\\Gas Powered Games\\Supreme Commander\\bin\\SupremeCommander.exe"=

"c:\\Program Files\\THQ\\Gas Powered Games\\GPGNet\\GPG.Multiplayer.Client.exe"=

"c:\\Program Files\\EA Games\\Battlefield 2\\BF2.exe"=

"e:\\Programs\\utorrent.exe"=

"c:\\Program Files\\Sierra Entertainment\\World in Conflict\\wic.exe"=

"c:\\Program Files\\Sierra Entertainment\\World in Conflict\\wic_online.exe"=

"c:\\Program Files\\Sierra Entertainment\\World in Conflict\\wic_ds.exe"=

"c:\\WINDOWS\\system32\\PnkBstrA.exe"=

"c:\\WINDOWS\\system32\\PnkBstrB.exe"=

"c:\\Program Files\\id Software\\Enemy Territory - QUAKE Wars\\etqwded.exe"=

"c:\\Program Files\\id Software\\Enemy Territory - QUAKE Wars\\etqw.exe"=

"c:\\Program Files\\Electronic Arts\\Crytek\\Crysis\\Bin32\\Crysis.exe"=

"c:\\Program Files\\Electronic Arts\\Crytek\\Crysis\\Bin32\\CrysisDedicatedServer.exe"=

"c:\\Program Files\\Empire Interactive\\Strangelite\\Starship Troopers\\STGame.exe"=

"c:\\Program Files\\Unreal Tournament 3\\Binaries\\UT3.exe"=

"c:\\Program Files\\Stardock Games\\Sins of a Solar Empire\\Sins of a Solar Empire.exe"=

"c:\\Program Files\\ICQ6\\ICQ.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=

"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=

"c:\\Program Files\\MSN Messenger\\livecall.exe"=

"e:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=

"e:\\Program Files\\Activision\\Call of Duty - World at War\\CoDWaW.exe"=

"e:\\Program Files\\Activision\\Call of Duty - World at War\\CoDWaWmp.exe"=

"c:\\Program Files\\Valve\\Steam\\SteamApps\\common\\trackmania nations forever\\TmForever.exe"=

"c:\\Program Files\\Valve\\Steam\\SteamApps\\common\\trackmania nations forever\\TmForeverLauncher.exe"=

"c:\\Program Files\\Valve\\Steam\\SteamApps\\common\\peggle deluxe\\Peggle.exe"=

"c:\\Program Files\\Valve\\Steam\\SteamApps\\common\\peggle extreme\\PeggleExtreme.exe"=

"c:\\Program Files\\Valve\\Steam\\SteamApps\\common\\bioshock\\Builds\\Release\\Bioshock.exe"=

"e:\\Program Files\\Codemasters\\GRID\\GRID.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=

"c:\\Program Files\\Valve\\Steam\\SteamApps\\common\\left 4 dead\\left4dead.exe"=

"c:\\Program Files\\Valve\\Steam\\SteamApps\\common\\plants vs zombies\\PlantsVsZombies.exe"=

"e:\\Program Files\\Xfire\\Xfire.exe"=

"c:\\Program Files\\Valve\\Steam\\steam.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"e:\\Program Files\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"5353:TCP"= 5353:TCP:Adobe CSI CS4

R1 SASDIFSV;SASDIFSV;e:\program files\SUPERAntiSpyware\sasdifsv.sys [14/05/2009 14:22 9968]

R1 SASKUTIL;SASKUTIL;e:\program files\SUPERAntiSpyware\SASKUTIL.SYS [14/05/2009 14:22 72944]

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;e:\program files\Avira\AntiVir Desktop\sched.exe [19/05/2009 15:11 108289]

R3 UsbFltr;%SvcDisplayName%;c:\windows\system32\drivers\copperhd.sys [25/02/2008 17:18 11596]

S2 CiscoVpnInstallService;Cisco Systems, Inc. Installer service;c:\docume~1\Jon\LOCALS~1\Temp\WZSE0.TMP\INSTAL~1.EXE --> c:\docume~1\Jon\LOCALS~1\Temp\WZSE0.TMP\INSTAL~1.EXE [?]

S3 cpuz;cpuz;\??\c:\docume~1\Jon\LOCALS~1\Temp\cpuz.sys --> c:\docume~1\Jon\LOCALS~1\Temp\cpuz.sys [?]

S3 Razerlow;Razer Copperhead Driver;c:\windows\system32\drivers\Razerlow.sys [07/03/2007 21:38 19020]

S3 SASENUM;SASENUM;e:\program files\SUPERAntiSpyware\SASENUM.SYS [14/05/2009 14:22 7408]

.

Contents of the 'Scheduled Tasks' folder

2009-06-04 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2009-06-04 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1078081533-1177238915-725345543-1004.job

- c:\documents and settings\Jon\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-02 21:43]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/

uInternet Settings,ProxyOverride = *.local

IE: &Download FLV by WinAVI... - c:\program files\WinAVI FLV Converter\flv_link.htm

IE: &Save Flash In This Page by Flash Saver - c:\progra~1\FLASHS~1\save.htm

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000

IE: {{DE365254-2F9B-4908-9E3A-7AAA6EC90BCC} - {EC83A912-7EF4-410D-9CC7-3BDAA709CA71} - c:\program files\WinAVI FLV Converter\FLVTune.dll

DPF: {F8C5C0F1-D884-43EB-A5A0-9E1C4A102FA8} - hxxps://secure.gopetslive.com/dev/GoPetsWeb.cab

FF - ProfilePath - c:\documents and settings\Jon\Application Data\Mozilla\Firefox\Profiles\lyluhf4c.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/

FF - plugin: c:\documents and settings\All Users\Application Data\id Software\QuakeLive\npquakezero.dll

FF - plugin: c:\documents and settings\All Users\Application Data\Zylom\ZylomGamesPlayer\npzylomgamesplayer.dll

FF - plugin: c:\documents and settings\Jon\Local Settings\Application Data\Google\Update\1.2.145.5\npGoogleOneClick8.dll

FF - plugin: c:\program files\DivX\DivX Player\npDivxPlayerPlugin.dll

FF - plugin: c:\program files\DivX\DivX Web Player\npdivx32.dll

FF - plugin: c:\program files\QuickTime\Plugins\npqtplugin.dll

FF - plugin: c:\program files\QuickTime\Plugins\npqtplugin2.dll

FF - plugin: c:\program files\QuickTime\Plugins\npqtplugin3.dll

FF - plugin: c:\program files\QuickTime\Plugins\npqtplugin4.dll

FF - plugin: c:\program files\QuickTime\Plugins\npqtplugin5.dll

FF - plugin: c:\program files\QuickTime\Plugins\npqtplugin6.dll

FF - plugin: c:\program files\QuickTime\Plugins\npqtplugin7.dll

FF - plugin: c:\program files\Real\RealPlayer\Netscape6\nppl3260.dll

FF - plugin: c:\program files\Real\RealPlayer\Netscape6\nprjplug.dll

FF - plugin: c:\program files\Real\RealPlayer\Netscape6\nprpjplug.dll

FF - plugin: c:\windows\system32\DNAML\npdbplug.dll

FF - plugin: e:\program files\Dyyno\Dyyno Player\npvlc.dll

FF - plugin: e:\program files\Mozilla Firefox\plugins\npdeploytk.dll

FF - plugin: e:\program files\Mozilla Firefox\plugins\npdivx32.dll

FF - plugin: e:\program files\Mozilla Firefox\plugins\npDivxPlayerPlugin.dll

FF - plugin: e:\program files\Mozilla Firefox\plugins\npnul32.dll

FF - plugin: e:\program files\Mozilla Firefox\plugins\nppdf32.dll

FF - plugin: e:\program files\Mozilla Firefox\plugins\NPSWF32.dll

FF - plugin: e:\program files\Mozilla Plugins\npitunes.dll

---- FIREFOX POLICIES ----

FF - user.js: capability.policy.policynames - localfilelinks

FF - user.js: capability.policy.localfilelinks.sites - hxxp://s1.travian.com http://s2.travian.com http://s3.travian.com http://s4.travian.com http://s5.travian.com http://s6.travian.com http://s7.travian.com http://s8.travian.com http://s9.travian.com http://s10.travian.com http://speed.travian.com http://s1.travian.us http://s2.travian.us http://s3.travian.us http://s4.travian.us http://s5.travian.us http://s6.travian.us http://s7.travian.us http://s8.travian.us http://s9.travian.us http://s10.travian.us http://speed.travian.us http://s1.travian.co.uk http://s2.travian.co.uk http://s3.travian.co.uk http://s4.travian.co.uk http://s5.travian.co.uk http://s6.travian.co.uk http://s7.travian.co.uk http://s8.travian.co.uk http://s9.travian.co.uk http://s10.travian.co.uk http://speed.travian.co.uk

FF - user.js: capability.policy.localfilelinks.checkloaduri.enabled - allAccess.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-06-04 21:42

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1078081533-1177238915-725345543-1004\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]

"??"=hex:1b,97,f7,36,1d,32,7f,c1,a9,e6,d8,3e,d3,6a,d4,60,87,c5,28,ac,bd,d6,37,

be,b8,05,1f,5b,70,25,1b,44,53,3a,2b,11,6c,fb,c0,36,21,98,0d,68,9d,a0,cd,0a,\

"??"=hex:a1,5e,47,db,25,65,bb,27,8b,92,55,34,10,3f,d9,49

[HKEY_USERS\S-1-5-21-1078081533-1177238915-725345543-1004\Software\SecuROM\License information*]

"datasecu"=hex:00,8d,86,a8,28,10,51,47,be,fe,54,c3,f9,54,d4,79,ee,8e,c8,41,a9,

45,08,99,89,de,3d,2f,34,9e,4b,dc,34,28,4d,80,1a,fe,16,fa,d2,1c,4c,ae,6e,c8,\

"rkeysecu"=hex:01,86,db,5f,b7,b8,88,cd,4e,8c,80,c6,fe,ea,5d,8e

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1204)

e:\program files\SUPERAntiSpyware\SASWINLO.dll

- - - - - - - > 'explorer.exe'(3792)

c:\windows\system32\nview.dll

c:\windows\system32\NVWRSENG.DLL

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll

.

Completion time: 2009-06-04 21:44

ComboFix-quarantined-files.txt 2009-06-04 20:44

ComboFix2.txt 2009-05-27 00:28

Pre-Run: 15,497,240,576 bytes free

Post-Run: 15,598,944,256 bytes free

319 --- E O F --- 2009-05-16 01:00

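The R1/R2/S2/S3 lines near the end of the ComboFix log above are the service and driver registrations, and they are what a helper reads first: two of them (CiscoVpnInstallService and cpuz) point into the user's Temp directory and carry `[?]`, meaning ComboFix could not find or stamp the image file. As an added example, not part of this thread or of ComboFix, here is a small Python triage helper that parses that line format and flags such entries. The sample lines are copied from the log; the flag rules (image marked `[?]`, image under a Temp directory) are my own assumptions about what deserves a second look, not ComboFix's logic.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Sample input: service/driver lines copied from the ComboFix log in this thread.
# Format: <start-type> <name>;<display name>;<image path>[ --> <resolved path>] [<date time size> | ?]
SAMPLE_LINES = r"""
R1 SASDIFSV;SASDIFSV;e:\program files\SUPERAntiSpyware\sasdifsv.sys [14/05/2009 14:22 9968]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;e:\program files\Avira\AntiVir Desktop\sched.exe [19/05/2009 15:11 108289]
S2 CiscoVpnInstallService;Cisco Systems, Inc. Installer service;c:\docume~1\Jon\LOCALS~1\Temp\WZSE0.TMP\INSTAL~1.EXE --> c:\docume~1\Jon\LOCALS~1\Temp\WZSE0.TMP\INSTAL~1.EXE [?]
S3 cpuz;cpuz;\??\c:\docume~1\Jon\LOCALS~1\Temp\cpuz.sys --> c:\docume~1\Jon\LOCALS~1\Temp\cpuz.sys [?]
S3 Razerlow;Razer Copperhead Driver;c:\windows\system32\drivers\Razerlow.sys [07/03/2007 21:38 19020]
"""

# R = running, S = stopped; the digit is the start type (1 = system, 2 = auto, 3 = on demand).
LINE_RE = re.compile(
    r"^(?P<start>[RS]\d)\s+"
    r"(?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<path>.+?)(?:\s+-->\s+(?P<resolved>.+?))?"
    r"\s+\[(?P<info>[^\]]*)\]$"
)

# Assumed heuristic: legitimate services almost never run from a temp directory.
TEMP_MARKERS = ("\\temp\\", "\\tmp\\", "\\local settings\\temp")


@dataclass
class ServiceEntry:
    start: str
    name: str
    display: str
    path: str
    resolved: Optional[str]
    info: str
    reasons: List[str] = field(default_factory=list)

    @property
    def running(self) -> bool:
        return self.start.startswith("R")


def parse_line(line: str) -> Optional[ServiceEntry]:
    """Parse one ComboFix service/driver line; return None for lines in another format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return ServiceEntry(start=m["start"], name=m["name"], display=m["display"],
                        path=m["path"], resolved=m["resolved"], info=m["info"])


def review(entry: ServiceEntry) -> ServiceEntry:
    """Attach a reason for every assumed red flag the entry trips."""
    target = (entry.resolved or entry.path).lower()
    if entry.info.strip() == "?":
        entry.reasons.append("image file not found at scan time")
    if any(marker in target for marker in TEMP_MARKERS):
        entry.reasons.append("image lives in a temp directory")
    return entry


def triage(text: str) -> List[ServiceEntry]:
    """Parse every recognisable line in a log fragment and review each entry."""
    entries = (parse_line(line) for line in text.splitlines())
    return [review(e) for e in entries if e is not None]


def flagged(text: str) -> dict:
    """Map service name -> reasons, for entries that tripped at least one flag."""
    return {e.name: e.reasons for e in triage(text) if e.reasons}


if __name__ == "__main__":
    for name, reasons in flagged(SAMPLE_LINES).items():
        print(f"{name}: {'; '.join(reasons)}")
```

Run against the sample, the helper reports only CiscoVpnInstallService and cpuz, both for the same two reasons; the SUPERAntiSpyware, Avira and Razer entries parse cleanly and stay unflagged. A flag is a prompt to look closer (an installer left running from Temp is often just untidy), not a verdict.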

Run CFScript

  • Close any open browsers.
  • Open Notepad by clicking Start
  • Click Run
  • Type notepad into the box and click Enter
  • Notepad will open
  • Copy and Paste everything from the Code box into Notepad:

File::
c:\windows\system32\Fxxplfnt.tmp
E:\Programs\legion.zip
E:\Programs\melgibs.rar
E:\Programs\Nero.zip
Folder::
D:\Jon's PC\Monsterkill\Installers\Legion
D:\Program Files\Legion
E:\Programs\legion

Save this as CFScript.txt, in the same location as ComboFix.exe (on your desktop)

[Image: CFScriptB-4.gif]

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt

NOTE: Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

Next Reply

Please reply with:

  • ComboFix log (found at C:\Combofix.txt)
  • New HijackThis log
  • A description of how your computer is behaving

There aren't any real problems with my computer in general. There are a few small things - I left it on overnight and in the morning each time I right-clicked to bring up the menu, the buttons wouldn't appear until I had moved over the options with the mouse cursor.

Also, when combofix ran, it stopped a couple of things that it didn't before (such as launchy and part of the Razer mouse config).

Apart from that there is no loss in functionality and everything is running totally as normal.

Combofix log:

ComboFix 09-06-04.04 - Jon 05/06/2009 10:58.3 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.3582.3008 [GMT 1:00]

Running from: c:\documents and settings\Jon\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\Jon\Desktop\CFScript.txt

AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

FW: ZoneAlarm Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

FILE ::

"c:\windows\system32\Fxxplfnt.tmp"

"e:\programs\legion.zip"

"e:\programs\melgibs.rar"

"e:\programs\Nero.zip"

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\windows\system32\Fxxplfnt.tmp

d:\jon's pc\Monsterkill\Installers\Legion

d:\jon's pc\Monsterkill\Installers\Legion\APIGID32.DL_

d:\jon's pc\Monsterkill\Installers\Legion\AsycFilt.dl_

d:\jon's pc\Monsterkill\Installers\Legion\BruteForce.ex_

d:\jon's pc\Monsterkill\Installers\Legion\Chrono.dl_

d:\jon's pc\Monsterkill\Installers\Legion\ComCat.dl_

d:\jon's pc\Monsterkill\Installers\Legion\COMCTL32.OC_

d:\jon's pc\Monsterkill\Installers\Legion\COMDLG32.OC_

d:\jon's pc\Monsterkill\Installers\Legion\Ctl3d32.dl_

d:\jon's pc\Monsterkill\Installers\Legion\Legion.ex_

d:\jon's pc\Monsterkill\Installers\Legion\MSVBVM50.dl_

d:\jon's pc\Monsterkill\Installers\Legion\OleAut32.dl_

d:\jon's pc\Monsterkill\Installers\Legion\OlePro32.dl_

d:\jon's pc\Monsterkill\Installers\Legion\README.tx_

d:\jon's pc\Monsterkill\Installers\Legion\scandll2.dl_

d:\jon's pc\Monsterkill\Installers\Legion\SETUP.EXE

d:\jon's pc\Monsterkill\Installers\Legion\SETUP.LST

d:\jon's pc\Monsterkill\Installers\Legion\setup1.ex_

d:\jon's pc\Monsterkill\Installers\Legion\ST5UNST.EX_

d:\jon's pc\Monsterkill\Installers\Legion\StdOle2.tl_

d:\jon's pc\Monsterkill\Installers\Legion\VB5StKit.dl_

d:\program files\Legion

d:\program files\Legion\APIGID32.DLL

d:\program files\Legion\Legion.exe

d:\program files\Legion\README.txt

d:\program files\Legion\scandll2.dll

d:\program files\Legion\ST5UNST.LOG

e:\programs\legion

e:\programs\legion.zip

e:\programs\legion\APIGID32.DL_

e:\programs\legion\AsycFilt.dl_

e:\programs\legion\BruteForce.ex_

e:\programs\legion\Chrono.dl_

e:\programs\legion\ComCat.dl_

e:\programs\legion\COMCTL32.OC_

e:\programs\legion\COMDLG32.OC_

e:\programs\legion\Ctl3d32.dl_

e:\programs\legion\Legion.ex_

e:\programs\legion\MSVBVM50.dl_

e:\programs\legion\NetTools.ex_

e:\programs\legion\OleAut32.dl_

e:\programs\legion\OlePro32.dl_

e:\programs\legion\README.tx_

e:\programs\legion\scandll2.dl_

e:\programs\legion\SETUP.EXE

e:\programs\legion\SETUP.LST

e:\programs\legion\setup1.ex_

e:\programs\legion\ST5UNST.EX_

e:\programs\legion\StdOle2.tl_

e:\programs\legion\VB5StKit.dl_

e:\programs\melgibs.rar

e:\programs\Nero.zip

.

((((((((((((((((((((((((( Files Created from 2009-05-05 to 2009-06-05 )))))))))))))))))))))))))))))))

.

2009-06-05 08:52 . 2009-06-05 08:52 -------- d-----w- e:\program files\Safer Networking

2009-06-04 20:24 . 2009-06-04 20:24 -------- d-----w- e:\program files\Mozilla Plugins

2009-06-04 20:24 . 2009-06-04 20:24 -------- d-----w- e:\program files\iTunesMiniPlayer.Resources

2009-06-04 20:24 . 2009-06-04 20:24 -------- d-----w- e:\program files\iTunesHelper.Resources

2009-06-04 20:24 . 2009-06-04 20:24 -------- d-----w- e:\program files\iTunes.Resources

2009-06-04 20:24 . 2009-06-04 20:24 -------- d-----w- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}

2009-06-04 20:24 . 2009-06-04 20:24 -------- d-----w- e:\program files\CD Configuration

2009-06-04 20:18 . 2009-06-04 20:18 75048 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.2.0.23\SetupAdmin.exe

2009-06-04 09:06 . 2009-06-04 09:06 -------- d-----w- c:\program files\Common Files\Adobe AIR

2009-05-30 11:30 . 2009-05-30 11:30 265000 ----a-w- e:\program files\iTunesPhotoProcessor.exe

2009-05-30 11:30 . 2009-05-30 11:30 384808 ----a-w- e:\program files\iTunesAdmin.dll

2009-05-30 11:30 . 2009-05-30 11:30 292136 ----a-w- e:\program files\iTunesHelper.exe

2009-05-30 11:30 . 2009-05-30 11:30 285184 ----a-w- e:\program files\iTunesOutlookAddIn.dll

2009-05-30 11:30 . 2009-05-30 11:30 124200 ----a-w- e:\program files\iTunesMiniPlayer.dll

2009-05-30 11:30 . 2009-05-30 11:30 14073640 ----a-w- e:\program files\iTunes.exe

2009-05-30 11:30 . 2009-05-30 11:30 722160 ----a-w- e:\program files\CDDBControlApple.dll

2009-05-30 11:30 . 2009-05-30 11:30 643072 ----a-w- e:\program files\iPodUpdaterExt.dll

2009-05-29 00:51 . 2009-05-29 00:51 -------- d-----w- C:\_OTM

2009-05-27 09:38 . 2009-05-27 09:38 3371383 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe

2009-05-24 18:53 . 2009-05-24 18:53 -------- d-----w- c:\documents and settings\Jon\Local Settings\Application Data\vdownloader

2009-05-24 18:53 . 2009-05-24 18:53 -------- d-----w- e:\program files\VDOWNLOADER

2009-05-21 22:51 . 2009-05-21 22:51 41808 ----a-w- c:\windows\system32\xfcodec.dll

2009-05-19 14:11 . 2009-03-30 09:33 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys

2009-05-19 14:11 . 2009-03-24 15:08 55640 ----a-w- c:\windows\system32\drivers\avgntflt.sys

2009-05-19 14:11 . 2009-02-13 11:29 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys

2009-05-19 14:11 . 2009-02-13 11:17 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys

2009-05-19 14:11 . 2009-05-19 14:11 -------- d-----w- e:\program files\Avira

2009-05-19 14:11 . 2009-05-19 14:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira

2009-05-19 14:09 . 2009-05-19 14:09 -------- d-----w- e:\program files\Trend Micro

2009-05-19 13:55 . 2009-05-26 12:19 19096 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-05-19 13:54 . 2009-05-26 12:20 40160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-05-19 10:41 . 2009-05-19 10:41 -------- d-----w- c:\documents and settings\Jon\Application Data\Malwarebytes

2009-05-19 10:25 . 2009-05-27 09:38 -------- d-----w- e:\program files\Malwarebytes' Anti-Malware

2009-05-19 10:25 . 2009-05-19 10:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-05-18 17:44 . 2009-05-18 17:44 -------- d-----w- e:\program files\Graph

2009-05-18 10:23 . 2009-05-19 11:43 -------- d-----w- e:\program files\Spybot - Search & Destroy

2009-05-17 22:46 . 2009-05-19 11:31 -------- d-----w- e:\program files\Panda Security

2009-05-17 20:29 . 2009-05-17 22:21 117760 ----a-w- c:\documents and settings\Jon\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL

2009-05-17 20:28 . 2009-05-17 20:28 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com

2009-05-17 20:24 . 2009-05-17 20:28 -------- d-----w- e:\program files\SUPERAntiSpyware

2009-05-17 20:24 . 2009-05-17 20:24 -------- d-----w- c:\documents and settings\Jon\Application Data\SUPERAntiSpyware.com

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-06-05 09:34 . 2008-12-31 00:00 -------- d-----w- e:\program files\Cain

2009-06-05 00:38 . 2009-03-27 16:45 -------- d-----w- c:\documents and settings\Jon\Application Data\nView_Wallpaper

2009-06-04 23:12 . 2008-05-15 07:22 -------- d-----w- e:\program files\Diablo II

2009-06-04 20:32 . 2007-03-07 21:03 -------- d-----w- c:\documents and settings\Jon\Application Data\Xfire

2009-06-04 20:24 . 2007-12-25 13:20 -------- d-----w- c:\program files\Common Files\Apple

2009-06-04 10:09 . 2007-03-07 22:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2009-06-04 09:05 . 2007-03-09 20:11 -------- d-----w- c:\program files\Common Files\Adobe

2009-06-01 18:53 . 2007-10-17 13:30 64 ----a-w- c:\windows\popcinfot.dat

2009-05-30 11:30 . 2009-05-30 11:30 111912 ----a-w- e:\program files\ITDetector.ocx

2009-05-30 11:30 . 2009-05-30 11:30 8356 ----a-w- e:\program files\Acknowledgements.rtf

2009-05-28 17:31 . 2008-01-24 23:07 -------- d-s---w- e:\program files\Xfire

2009-05-18 17:25 . 2007-03-08 07:11 75584 ----a-w- c:\documents and settings\Jon\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-05-17 20:24 . 2007-10-19 12:53 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard

2009-05-15 00:31 . 2007-09-30 22:17 138920 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys

2009-05-15 00:31 . 2007-09-30 22:16 189072 ----a-w- c:\windows\system32\PnkBstrB.exe

2009-05-15 00:28 . 2008-11-13 17:56 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP

2009-05-13 18:49 . 2008-06-22 15:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help

2009-05-04 11:37 . 2009-03-27 10:20 8 ----a-w- c:\windows\system32\nvModes.dat

2009-04-22 22:47 . 2007-04-29 12:49 -------- d-----w- c:\documents and settings\Jon\Application Data\uTorrent

2009-04-21 23:20 . 2009-04-21 23:20 14311680 ----a-w- c:\windows\system32\xlive.dll

2009-04-21 23:20 . 2009-04-21 23:20 13642496 ----a-w- c:\windows\system32\xlivefnt.dll

2009-04-20 23:00 . 2009-04-20 23:00 -------- d-----w- e:\program files\NDSROM Player

2009-04-11 02:14 . 2008-01-30 15:49 -------- d--h--w- e:\program files\InstallShield Installation Information

2009-04-10 21:20 . 2009-04-10 21:20 -------- d-----w- c:\documents and settings\All Users\Application Data\FLEXnet

2009-04-10 21:11 . 2009-04-10 21:11 -------- d-----w- e:\program files\Adobe Media Player

2009-04-10 21:01 . 2009-04-10 21:01 -------- d-----w- c:\program files\Common Files\Macrovision Shared

2009-04-10 20:45 . 2008-04-28 15:13 -------- d-----w- c:\documents and settings\All Users\Application Data\TrackMania

2009-04-09 17:53 . 2009-04-09 17:53 -------- d-----w- c:\documents and settings\Jon\Application Data\Launchy

2009-04-09 17:53 . 2009-04-09 17:53 -------- d-----w- e:\program files\Launchy

2009-03-30 18:22 . 2009-03-30 18:18 34 ----a-w- c:\documents and settings\Jon\jagex_runescape_preferences.dat

2009-03-28 12:48 . 2007-03-27 17:18 444952 ----a-w- c:\windows\system32\wrap_oal.dll

2009-03-28 12:48 . 2007-03-27 17:18 109080 ----a-w- c:\windows\system32\OpenAL32.dll

2009-03-27 18:08 . 2009-03-27 18:08 29696 ----a-w- c:\windows\mickey32.dll

2009-03-27 18:08 . 2009-03-27 18:08 232784 ----a-w- c:\windows\Matrix Code.scr

2009-03-27 18:08 . 2009-03-27 18:08 2285222 ----a-w- c:\windows\Matrix Code.exe

2009-03-19 15:32 . 2009-03-19 15:32 23400 ----a-w- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}\x86\x86\GEARAspiWDM.sys

2009-03-19 15:32 . 2008-01-29 11:01 23400 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys

2009-03-14 20:50 . 2009-03-14 20:50 20747 ----a-w- c:\windows\system32\drivers\AegisP.sys

2009-01-31 17:59 . 2009-01-31 17:59 1112041813 ----a-w- e:\program files\MSSetup.exe

.

((((((((((((((((((((((((((((( SnapShot@2009-05-27_00.24.21 )))))))))))))))))))))))))))))))))))))))))

.

+ 2009-06-04 20:30 . 2009-06-04 20:30 16384 c:\windows\Temp\Perflib_Perfdata_370.dat

+ 2009-06-04 20:30 . 2009-06-04 20:30 16384 c:\windows\Temp\Perflib_Perfdata_358.dat

+ 2009-06-04 20:20 . 2009-05-29 12:36 39424 c:\windows\system32\DRVSTORE\usbaapl_872A2434B7205D4BD84BBE53811BDCE15F347D5B\usbaapl.sys

+ 2009-06-04 20:20 . 2009-05-29 12:36 17408 c:\windows\system32\DRVSTORE\netaapl_F433E854B3FF3BEE74986FDE8E16A64162342BFF\netaapl.sys

+ 2009-06-04 20:24 . 2009-03-19 15:32 23400 c:\windows\system32\DRVSTORE\GEARAspiWD_F475AF659D36685632E9BD97B57E9D9661FF3FFD\x86\GEARAspiWDM.sys

- 2008-08-29 08:53 . 2008-08-29 08:53 61440 c:\windows\system32\dnssd.dll

+ 2008-12-12 10:11 . 2008-12-12 10:11 61440 c:\windows\system32\dnssd.dll

- 2008-08-29 09:18 . 2008-08-29 09:18 87336 c:\windows\system32\dns-sd.exe

+ 2008-12-12 10:18 . 2008-12-12 10:18 87336 c:\windows\system32\dns-sd.exe

+ 2009-06-04 20:16 . 2009-06-04 20:16 86016 c:\windows\Installer\{07287123-B8AC-41CE-8346-3D777245C35B}\PrntWzrdIco.exe

- 2008-01-29 11:02 . 2008-04-17 12:12 107368 c:\windows\system32\GEARAspi.dll

+ 2008-01-29 11:02 . 2008-04-17 11:12 107368 c:\windows\system32\GEARAspi.dll

+ 2009-06-04 20:24 . 2008-04-17 11:12 107368 c:\windows\system32\DRVSTORE\GEARAspiWD_F475AF659D36685632E9BD97B57E9D9661FF3FFD\x86\GEARAspi.dll

+ 2009-06-04 20:25 . 2009-06-04 20:25 102400 c:\windows\Installer\{CC5702D7-86E2-45A8-99D7-E8B976ADCC56}\iTunesIco.exe

+ 2009-06-04 20:17 . 2009-06-04 20:17 307200 c:\windows\Installer\{9C48DCA4-00C2-449C-88D8-B1EE1692B44F}\SafariIco.exe

+ 2009-06-04 20:20 . 2009-05-29 12:36 2060288 c:\windows\system32\DRVSTORE\usbaapl_872A2434B7205D4BD84BBE53811BDCE15F347D5B\usbaaplrc.dll

+ 2009-06-04 20:20 . 2009-05-29 12:36 1419232 c:\windows\system32\DRVSTORE\netaapl_F433E854B3FF3BEE74986FDE8E16A64162342BFF\wdfcoinstaller01005.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

"NVIDIA nTune"="c:\program files\NVIDIA Corporation\nTune\nTuneCmd.exe" [2007-09-04 81920]

"Steam"="c:\program files\valve\steam\steam.exe" [2009-05-19 1217784]

"Google Update"="c:\documents and settings\Jon\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-09-02 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-02-18 13680640]

"JMB36X IDE Setup"="c:\windows\RaidTool\xInsIDE.exe" [2007-03-20 36864]

"36X Raid Configurer"="c:\windows\system32\xRaidSetup.exe" [2007-05-25 1953792]

"Copperhead"="e:\program files\Razer\Copperhead\razerhid.exe" [2005-11-25 155648]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-02-18 86016]

"avgnt"="e:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]

"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-05-13 177472]

"iTunesHelper"="e:\program files\iTunesHelper.exe" [2009-05-30 292136]

"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2009-02-18 1657376]

"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2007-07-05 16380416]

c:\documents and settings\Jon\Start Menu\Programs\Startup\

Xfire.lnk - e:\program files\Xfire\Xfire.exe [2009-5-21 3171664]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Launchy.lnk - e:\program files\Launchy\Launchy.exe [2009-4-9 286720]

VPN Client.lnk - c:\windows\Installer\{4C271126-C295-4828-A901-5910AE0C258B}\Icon3E5562ED7.ico [2009-1-2 6144]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"NoSMHelp"= 01000000

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "e:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2008-12-22 11:05 356352 ----a-w- e:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk

backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Synchronizer.lnk

backup=c:\windows\pss\Adobe Reader Synchronizer.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AutoUpdate Monitor.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\AutoUpdate Monitor.lnk

backup=c:\windows\pss\AutoUpdate Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Run Google Web Accelerator.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Run Google Web Accelerator.lnk

backup=c:\windows\pss\Run Google Web Accelerator.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Jon^Start Menu^Programs^Startup^Folding@Home 5.03.lnk]

path=c:\documents and settings\Jon\Start Menu\Programs\Startup\Folding@Home 5.03.lnk

backup=c:\windows\pss\Folding@Home 5.03.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Jon^Start Menu^Programs^Startup^hamachi.lnk]

path=c:\documents and settings\Jon\Start Menu\Programs\Startup\hamachi.lnk

backup=c:\windows\pss\hamachi.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Jon^Start Menu^Programs^Startup^Microsoft Office Groove.lnk]

path=c:\documents and settings\Jon\Start Menu\Programs\Startup\Microsoft Office Groove.lnk

backup=c:\windows\pss\Microsoft Office Groove.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Jon^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]

path=c:\documents and settings\Jon\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk

backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Jon^Start Menu^Programs^Startup^OpenOffice.org 2.1.lnk]

path=c:\documents and settings\Jon\Start Menu\Programs\Startup\OpenOffice.org 2.1.lnk

backup=c:\windows\pss\OpenOffice.org 2.1.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Jon^Start Menu^Programs^Startup^OpenOffice.org 2.2.lnk]

path=c:\documents and settings\Jon\Start Menu\Programs\Startup\OpenOffice.org 2.2.lnk

backup=c:\windows\pss\OpenOffice.org 2.2.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Jon^Start Menu^Programs^Startup^RAR Password Cracker.lnk]

path=c:\documents and settings\Jon\Start Menu\Programs\Startup\RAR Password Cracker.lnk

backup=c:\windows\pss\RAR Password Cracker.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"vsmon"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\THQ\\Gas Powered Games\\Supreme Commander\\bin\\SupremeCommander.exe"=

"c:\\Program Files\\THQ\\Gas Powered Games\\GPGNet\\GPG.Multiplayer.Client.exe"=

"c:\\Program Files\\EA Games\\Battlefield 2\\BF2.exe"=

"e:\\Programs\\utorrent.exe"=

"c:\\Program Files\\Sierra Entertainment\\World in Conflict\\wic.exe"=

"c:\\Program Files\\Sierra Entertainment\\World in Conflict\\wic_online.exe"=

"c:\\Program Files\\Sierra Entertainment\\World in Conflict\\wic_ds.exe"=

"c:\\WINDOWS\\system32\\PnkBstrA.exe"=

"c:\\WINDOWS\\system32\\PnkBstrB.exe"=

"c:\\Program Files\\id Software\\Enemy Territory - QUAKE Wars\\etqwded.exe"=

"c:\\Program Files\\id Software\\Enemy Territory - QUAKE Wars\\etqw.exe"=

"c:\\Program Files\\Electronic Arts\\Crytek\\Crysis\\Bin32\\Crysis.exe"=

"c:\\Program Files\\Electronic Arts\\Crytek\\Crysis\\Bin32\\CrysisDedicatedServer.exe"=

"c:\\Program Files\\Empire Interactive\\Strangelite\\Starship Troopers\\STGame.exe"=

"c:\\Program Files\\Unreal Tournament 3\\Binaries\\UT3.exe"=

"c:\\Program Files\\Stardock Games\\Sins of a Solar Empire\\Sins of a Solar Empire.exe"=

"c:\\Program Files\\ICQ6\\ICQ.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=

"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=

"c:\\Program Files\\MSN Messenger\\livecall.exe"=

"e:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=

"e:\\Program Files\\Activision\\Call of Duty - World at War\\CoDWaW.exe"=

"e:\\Program Files\\Activision\\Call of Duty - World at War\\CoDWaWmp.exe"=

"c:\\Program Files\\Valve\\Steam\\SteamApps\\common\\trackmania nations forever\\TmForever.exe"=

"c:\\Program Files\\Valve\\Steam\\SteamApps\\common\\trackmania nations forever\\TmForeverLauncher.exe"=

"c:\\Program Files\\Valve\\Steam\\SteamApps\\common\\peggle deluxe\\Peggle.exe"=

"c:\\Program Files\\Valve\\Steam\\SteamApps\\common\\peggle extreme\\PeggleExtreme.exe"=

"c:\\Program Files\\Valve\\Steam\\SteamApps\\common\\bioshock\\Builds\\Release\\Bioshock.exe"=

"e:\\Program Files\\Codemasters\\GRID\\GRID.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=

"c:\\Program Files\\Valve\\Steam\\SteamApps\\common\\left 4 dead\\left4dead.exe"=

"c:\\Program Files\\Valve\\Steam\\SteamApps\\common\\plants vs zombies\\PlantsVsZombies.exe"=

"e:\\Program Files\\Xfire\\Xfire.exe"=

"c:\\Program Files\\Valve\\Steam\\steam.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"e:\\Program Files\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"5353:TCP"= 5353:TCP:Adobe CSI CS4

R1 SASDIFSV;SASDIFSV;e:\program files\SUPERAntiSpyware\sasdifsv.sys [14/05/2009 14:22 9968]

R1 SASKUTIL;SASKUTIL;e:\program files\SUPERAntiSpyware\SASKUTIL.SYS [14/05/2009 14:22 72944]

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;e:\program files\Avira\AntiVir Desktop\sched.exe [19/05/2009 15:11 108289]

R3 UsbFltr;%SvcDisplayName%;c:\windows\system32\drivers\copperhd.sys [25/02/2008 17:18 11596]

S2 CiscoVpnInstallService;Cisco Systems, Inc. Installer service;c:\docume~1\Jon\LOCALS~1\Temp\WZSE0.TMP\INSTAL~1.EXE --> c:\docume~1\Jon\LOCALS~1\Temp\WZSE0.TMP\INSTAL~1.EXE [?]

S3 cpuz;cpuz;\??\c:\docume~1\Jon\LOCALS~1\Temp\cpuz.sys --> c:\docume~1\Jon\LOCALS~1\Temp\cpuz.sys [?]

S3 Razerlow;Razer Copperhead Driver;c:\windows\system32\drivers\Razerlow.sys [07/03/2007 21:38 19020]

S3 SASENUM;SASENUM;e:\program files\SUPERAntiSpyware\SASENUM.SYS [14/05/2009 14:22 7408]

--- Other Services/Drivers In Memory ---

*Deregistered* - Themes

*Deregistered* - TrkWks

*Deregistered* - W32Time

*Deregistered* - WebClient

*Deregistered* - winmgmt

*Deregistered* - wscsvc

*Deregistered* - wuauserv

*Deregistered* - WUSB54GCSVC

*Deregistered* - WZCSVC

.

Contents of the 'Scheduled Tasks' folder

2009-06-04 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2009-06-05 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1078081533-1177238915-725345543-1004.job

- c:\documents and settings\Jon\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-02 21:43]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/

uInternet Settings,ProxyOverride = *.local

IE: &Download FLV by WinAVI... - c:\program files\WinAVI FLV Converter\flv_link.htm

IE: &Save Flash In This Page by Flash Saver - c:\progra~1\FLASHS~1\save.htm

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000

IE: {{DE365254-2F9B-4908-9E3A-7AAA6EC90BCC} - {EC83A912-7EF4-410D-9CC7-3BDAA709CA71} - c:\program files\WinAVI FLV Converter\FLVTune.dll

DPF: {F8C5C0F1-D884-43EB-A5A0-9E1C4A102FA8} - hxxps://secure.gopetslive.com/dev/GoPetsWeb.cab

FF - ProfilePath - c:\documents and settings\Jon\Application Data\Mozilla\Firefox\Profiles\lyluhf4c.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/

---- FIREFOX POLICIES ----

FF - user.js: capability.policy.policynames - localfilelinks

FF - user.js: capability.policy.localfilelinks.sites - hxxp://s1.travian.com http://s2.travian.com http://s3.travian.com http://s4.travian.com http://s5.travian.com http://s6.travian.com http://s7.travian.com http://s8.travian.com http://s9.travian.com http://s10.travian.com http://speed.travian.com http://s1.travian.us http://s2.travian.us http://s3.travian.us http://s4.travian.us http://s5.travian.us http://s6.travian.us http://s7.travian.us http://s8.travian.us http://s9.travian.us http://s10.travian.us http://speed.travian.us http://s1.travian.co.uk http://s2.travian.co.uk http://s3.travian.co.uk http://s4.travian.co.uk http://s5.travian.co.uk http://s6.travian.co.uk http://s7.travian.co.uk http://s8.travian.co.uk http://s9.travian.co.uk http://s10.travian.co.uk http://speed.travian.co.uk

FF - user.js: capability.policy.localfilelinks.checkloaduri.enabled - allAccess.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-06-05 11:00

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1078081533-1177238915-725345543-1004\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]

"??"=hex:1b,97,f7,36,1d,32,7f,c1,a9,e6,d8,3e,d3,6a,d4,60,87,c5,28,ac,bd,d6,37,

be,b8,05,1f,5b,70,25,1b,44,53,3a,2b,11,6c,fb,c0,36,21,98,0d,68,9d,a0,cd,0a,\

"??"=hex:a1,5e,47,db,25,65,bb,27,8b,92,55,34,10,3f,d9,49

[HKEY_USERS\S-1-5-21-1078081533-1177238915-725345543-1004\Software\SecuROM\License information*]

"datasecu"=hex:00,8d,86,a8,28,10,51,47,be,fe,54,c3,f9,54,d4,79,ee,8e,c8,41,a9,

45,08,99,89,de,3d,2f,34,9e,4b,dc,34,28,4d,80,1a,fe,16,fa,d2,1c,4c,ae,6e,c8,\

"rkeysecu"=hex:01,86,db,5f,b7,b8,88,cd,4e,8c,80,c6,fe,ea,5d,8e

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1204)

e:\program files\SUPERAntiSpyware\SASWINLO.dll

.

Completion time: 2009-06-05 11:02

ComboFix-quarantined-files.txt 2009-06-05 10:02

ComboFix2.txt 2009-06-04 20:44

ComboFix3.txt 2009-05-27 00:28

Pre-Run: 15,478,140,928 bytes free

Post-Run: 15,407,984,640 bytes free

359 --- E O F --- 2009-05-16 01:00

Hijackthis:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 11:16:51, on 05/06/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16705)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

E:\Program Files\Avira\AntiVir Desktop\sched.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

E:\Program Files\Cisco Systems\VPN Client\cvpnd.exe

E:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\PnkBstrA.exe

C:\WINDOWS\system32\PnkBstrB.exe

C:\WINDOWS\System32\svchost.exe

E:\Program Files\Linksys\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe

E:\Program Files\Linksys\Compact Wireless-G USB Adapter Wireless Network Monitor\WUSB54GC.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\iPod\bin\iPodService.exe

E:\Program Files\Avira\AntiVir Desktop\avguard.exe

C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE

C:\WINDOWS\explorer.exe

C:\WINDOWS\system32\wscntfy.exe

C:\Documents and Settings\Jon\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

C:\Documents and Settings\Jon\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

C:\Documents and Settings\Jon\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

E:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll

O2 - BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - E:\Program Files\Java\jre6\bin\ssv.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - E:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - E:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O2 - BHO: WinAVI FLVSense - {E8DF67A1-B618-4F3F-9E7C-CBE175ADEF5B} - C:\Program Files\WinAVI FLV Converter\FLVTune.dll

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE

O4 - HKLM\..\Run: [JMB36X IDE Setup] C:\WINDOWS\RaidTool\xInsIDE.exe

O4 - HKLM\..\Run: [36X Raid Configurer] C:\WINDOWS\system32\xRaidSetup.exe boot

O4 - HKLM\..\Run: [Copperhead] E:\Program Files\Razer\Copperhead\razerhid.exe

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [avgnt] "E:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min

O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe

O4 - HKLM\..\Run: [iTunesHelper] "E:\Program Files\iTunesHelper.exe"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear

O4 - HKCU\..\Run: [steam] "c:\program files\valve\steam\steam.exe" -silent

O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Jon\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c

O4 - Startup: Xfire.lnk = E:\Program Files\Xfire\Xfire.exe

O4 - Global Startup: Launchy.lnk = E:\Program Files\Launchy\Launchy.exe

O4 - Global Startup: VPN Client.lnk = ?

O8 - Extra context menu item: &Download FLV by WinAVI... - C:\Program Files\WinAVI FLV Converter\flv_link.htm

O8 - Extra context menu item: &Save Flash In This Page by Flash Saver - C:\PROGRA~1\FLASHS~1\save.htm

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000

O9 - Extra button: Flash Saver - {09EA1F80-F40A-11D1-B792-444553540001} - C:\PROGRA~1\FLASHS~1\save.htm

O9 - Extra 'Tools' menuitem: Flash Saver - {09EA1F80-F40A-11D1-B792-444553540001} - C:\PROGRA~1\FLASHS~1\save.htm

O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll

O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL

O9 - Extra button: WinAVI FLV Manager - {DE365254-2F9B-4908-9E3A-7AAA6EC90BCC} - C:\Program Files\WinAVI FLV Converter\FLVTune.dll

O9 - Extra 'Tools' menuitem: WinAVI FLV Manager - {DE365254-2F9B-4908-9E3A-7AAA6EC90BCC} - C:\Program Files\WinAVI FLV Converter\FLVTune.dll

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe

O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/200612...ex/qtplugin.cab

O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab

O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab56986.cab

O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-GB/a-UNO1/GAME_UNO1.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1173299342609

O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab

O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab56986.cab

O16 - DPF: {F8C5C0F1-D884-43EB-A5A0-9E1C4A102FA8} (GoPetsWeb Control) - https://secure.gopetslive.com/dev/GoPetsWeb.cab

O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O20 - Winlogon Notify: !SASWinLogon - E:\Program Files\SUPERAntiSpyware\SASWINLO.dll

O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - E:\Program Files\Avira\AntiVir Desktop\sched.exe

O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - E:\Program Files\Avira\AntiVir Desktop\avguard.exe

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: Cisco Systems, Inc. Installer service (CiscoVpnInstallService) - Unknown owner - C:\DOCUME~1\Jon\LOCALS~1\Temp\WZSE0.TMP\INSTAL~1.EXE (file missing)

O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - E:\Program Files\Cisco Systems\VPN Client\cvpnd.exe

O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - E:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe

O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - E:\Program Files\WinPcap\rpcapd.exe (file missing)

O23 - Service: WUSB54GCSVC - GEMTEKS - E:\Program Files\Linksys\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe

--

End of file - 10115 bytes

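The two lines worth a second look in the logs above are the S2 CiscoVpnInstallService entry whose binary sits under the user's Temp folder and the O23 entries marked "(file missing)". As an added example (not part of this thread, and not code from HijackThis or ComboFix), here is a small triage script that parses both line formats and flags the three things an analyst checks first. The sample lines are copied from the logs posted above; the rules and thresholds are my own.

```python
"""Triage helper for HijackThis O23 lines and ComboFix R*/S* service lines.
Added example, not part of the original thread or of either tool. It flags:
a service binary under a user's Temp directory, an entry whose file no longer
exists (an orphaned installer-service entry), and an 'Unknown owner' binary
in system32 that deserves a hash and signature check.
"""
import re
from dataclasses import dataclass

TEMP_DIR_RE = re.compile(r"\\(?:local settings|locals~1)\\temp\\", re.IGNORECASE)
SYSTEM32_RE = re.compile(r"\\windows\\system32\\", re.IGNORECASE)
DRIVE_RE = re.compile(r"^[A-Za-z]:\\")
FILE_MISSING = " (file missing)"


@dataclass(frozen=True)
class Finding:
    source: str      # "hjt" (HijackThis O23) or "combofix" (R*/S* service line)
    name: str        # service/display name exactly as it appears in the log
    path: str        # binary path after normalisation
    reasons: tuple   # why the entry was flagged


def parse_hjt_o23(line):
    """Parse 'O23 - Service: <name> - <owner> - <path>[ (file missing)]'.
    Splits on ' - ' but locates the path by its drive letter, so a name or
    path that itself contains ' - ' still parses. Returns None otherwise."""
    prefix = "O23 - Service: "
    if not line.startswith(prefix):
        return None
    parts = line[len(prefix):].split(" - ")
    idx = next((i for i, p in enumerate(parts) if DRIVE_RE.match(p)), None)
    if idx is None or idx < 2:
        return None
    name = " - ".join(parts[:idx - 1])
    owner = parts[idx - 1]
    path = " - ".join(parts[idx:])
    missing = path.endswith(FILE_MISSING)
    if missing:
        path = path[:-len(FILE_MISSING)]
    return name, owner, path, missing


def parse_combofix_service(line):
    """Parse ComboFix 'R2 name;display;path [date time size]' or
    'S2 name;display;path --> path [?]' ('[?]' means ComboFix could not
    stat the file, i.e. the binary is gone). Returns None for other lines."""
    m = re.match(r"^[RS][0-4] (.+)$", line)
    if not m:
        return None
    fields = m.group(1).split(";", 2)
    if len(fields) != 3:
        return None
    name, _display, rest = fields
    missing = rest.rstrip().endswith("[?]")
    path = rest.split(" --> ")[0].split(" [")[0].strip()
    if path.startswith("\\??\\"):   # NT object-manager prefix on driver paths
        path = path[4:]
    return name, path, missing


def triage(lines):
    """Return a Finding for every service/driver line that trips a rule."""
    findings = []
    for raw in lines:
        line = raw.strip()
        hjt = parse_hjt_o23(line)
        if hjt:
            name, owner, path, missing = hjt
            source, unknown_owner = "hjt", owner.lower() == "unknown owner"
        else:
            cf = parse_combofix_service(line)
            if cf is None:
                continue
            name, path, missing = cf
            source, unknown_owner = "combofix", False
        reasons = []
        if TEMP_DIR_RE.search(path):
            reasons.append("binary under a user Temp directory")
        if missing:
            reasons.append("entry points at a file that no longer exists")
        if unknown_owner and SYSTEM32_RE.search(path):
            reasons.append("unknown owner in system32; verify hash and signature")
        if reasons:
            findings.append(Finding(source, name, path, tuple(reasons)))
    return findings


# Sample input copied from the ComboFix and HijackThis logs posted above.
SAMPLE_LINES = [
    r"R2 AntiVirSchedulerService;Avira AntiVir Scheduler;e:\program files\Avira\AntiVir Desktop\sched.exe [19/05/2009 15:11 108289]",
    r"S2 CiscoVpnInstallService;Cisco Systems, Inc. Installer service;c:\docume~1\Jon\LOCALS~1\Temp\WZSE0.TMP\INSTAL~1.EXE --> c:\docume~1\Jon\LOCALS~1\Temp\WZSE0.TMP\INSTAL~1.EXE [?]",
    r"S3 cpuz;cpuz;\??\c:\docume~1\Jon\LOCALS~1\Temp\cpuz.sys --> c:\docume~1\Jon\LOCALS~1\Temp\cpuz.sys [?]",
    r"O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - E:\Program Files\Avira\AntiVir Desktop\avguard.exe",
    r"O23 - Service: Cisco Systems, Inc. Installer service (CiscoVpnInstallService) - Unknown owner - C:\DOCUME~1\Jon\LOCALS~1\Temp\WZSE0.TMP\INSTAL~1.EXE (file missing)",
    r"O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe",
    r"O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - E:\Program Files\WinPcap\rpcapd.exe (file missing)",
]

if __name__ == "__main__":
    for f in triage(SAMPLE_LINES):
        print(f"[{f.source}] {f.name}\n    {f.path}\n    -> {'; '.join(f.reasons)}")
```

Run it against a saved log with `triage(open("hijackthis.log").read().splitlines())`. A flag is a prompt to look closer, not a verdict: PnkBstrA/PnkBstrB are flagged only because HijackThis cannot name a vendor for them, and the fix for an orphaned entry is to delete the service key, not to hunt for the missing file.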

Also, when combofix ran, it stopped a couple of things that it didn't before (such as launchy and part of the Razer mouse config).

Are they running fine now?

Your log now appears to be clean. Congratulations!

You can get rid of the tools we used:

  • Delete ComboFix and Clean Up

    Click Start > Run > type combofix /u > OK (Note the space between combofix and /u)


    Please advise if this step is missed for any reason as it performs some important actions.

  • OTC

    Download OTC by Old Timer and save it to your Desktop.

  • Double-click OTC.exe

  • Click the CleanUp! button

  • Select Yes when the Begin cleanup Process? Prompt appears

  • If you are prompted to Reboot during the cleanup, select Yes

  • The tool will delete itself once it finishes, if not delete it by yourself

Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.

Protection Programs

Don't forget to re-enable any protection programs we disabled during your fix.

You can now re-enable XXXXXXXXXXXXX

General Security and Computer Health

Below are some steps to follow in order to dramatically lower the chances of reinfection. You may have already implemented some of the steps below, however you should follow any steps that you have not already implemented.

  • Make sure that you keep your antivirus updated

    New viruses come out every minute, so it is essential that you have the latest signatures for your antivirus program to provide you with the best possible protection from malicious software.

    NOTE: You should only have one antivirus installed at a time. Having more than one antivirus program installed at once is likely to cause conflicts and may well decrease your overall protection as well as impairing the performance of your PC.

  • Security Updates for Windows, Internet Explorer & Microsoft Office

    Whenever a security problem in its software is found, Microsoft will usually create a patch so that after the patch is installed, attackers can't use the vulnerability to install malicious software on your PC. Keeping up with these patches will help to prevent malicious software being installed on your PC. Ensure you are registered for Windows updates via Start > right-click on My Computer > Properties > Automatic Updates tab or visit the Microsoft Update site on a regular basis.

    NOTE: The update process uses ActiveX, so you will need to use Internet Explorer for it and allow the ActiveX control to install.

  • Update Non-Microsoft Programs

    Microsoft isn't the only company whose products can contain security vulnerabilities. To check whether other programs running on your PC are in need of an update, you can use the Secunia Software Inspector or F-secure Health Check. I suggest that you run one of them at least once a month.

  • Make Internet Explorer More Secure

    You are using Internet Explorer v. 7. Therefore please read and follow the recommendations at this SITE

Recommended Programs

I would recommend the download and installation of some or all of the following programs (if not already present), and the updating of them on a regular basis.

  • WinPatrol

    As a robust security monitor, WinPatrol will alert you to hijackings, malware attacks and critical changes made to your computer without your permission. WinPatrol takes snapshot of your critical system resources and alerts you to any changes that may occur without your knowledge. For more information, please visit HERE.

  • SpywareBlaster

    SpywareBlaster sets killbits in the registry to prevent known malicious ActiveX controls from installing on your computer. If you don't know what ActiveX controls are, see HERE. You can download SpywareBlaster from HERE.

  • Malwarebytes' Anti-Malware

    Malwarebytes' Anti-Malware is an anti-malware application that can thoroughly remove even the most advanced malware. It includes a number of features, including a built in protection monitor that blocks malicious processes before they even start. You can download Malwarebytes' Anti-Malware from HERE. Here are two tutorials: Malwarebytes' Anti-Malware Setup Guide and Malwarebytes' Anti-Malware Scanning Guide.

  • Hosts File

    For added protection you may also like to add a Hosts file. A simple explanation of what a Hosts file does is HERE and for more information regarding Hosts files read HERE.

  • Use an alternative Internet Browser

    Many of the exploits are directed to users of Internet Explorer. Try using a different browser instead: Firefox or Opera

Here is a great article by miekiemoes How to prevent Malware.

Finally I am trying to make one point very clear. It is ABSOLUTELY ESSENTIAL to keep all of your security programs up to date.

Please take the time to tell us what you would like to be done about the people who are behind all the problems you have had. We can only get something done about this if the people that we help, like you, are prepared to complain. We have a dedicated forum for collecting these complaints Malware Complaints. You need to be registered to post as, unfortunately, we were hit with too many spam posts to allow guest posting to continue. Just find your country room and register your complaint.

I'd be grateful if you could reply to this post so that I know you have read it and, if you've no other questions, the thread can be closed.

Happy surfing and stay clean!

Bio-Hazard
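The SpywareBlaster recommendation above rests on one registry mechanism, the ActiveX kill bit: a value named "Compatibility Flags" with bit 0x400 set under HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID} makes Internet Explorer refuse to instantiate that control whether or not it is installed. As an added example (mine, not SpywareBlaster's code and not from this thread), here is a script that writes a .reg file kill-bitting a list of CLSIDs and that reads such a file back to report which CLSIDs are actually blocked. The two CLSIDs in EXAMPLE_CLSIDS are hypothetical placeholders for the format only.

```python
r"""Generate and audit Internet Explorer ActiveX kill bits.
Added example, not SpywareBlaster's code and not from the thread. The kill
bit is 'Compatibility Flags' = 0x400 under
HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}.
killbit_reg() emits that as a .reg file; killbitted_clsids() parses a .reg
(hand-written or from 'reg export') and returns the CLSIDs that carry it.
"""
import re

KILLBIT = 0x400
KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility"
# Copy consulted by 32-bit IE on 64-bit Windows.
WOW64_KEY = KEY.replace("\\SOFTWARE\\", "\\SOFTWARE\\Wow6432Node\\")
CLSID_RE = re.compile(r"^\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}$")


def normalize_clsid(clsid):
    """Upper-case and brace a CLSID; reject anything that is not one, so a
    typo cannot silently produce a key IE will never look at."""
    c = clsid.strip().upper()
    if not c.startswith("{"):
        c = "{" + c + "}"
    if not CLSID_RE.match(c):
        raise ValueError(f"not a CLSID: {clsid!r}")
    return c


def killbit_reg(clsids, wow64=False):
    """Return .reg text (CRLF, as regedit writes it) that sets the kill bit
    for every CLSID given; wow64=True also writes the Wow6432Node copy."""
    keys = [KEY] + ([WOW64_KEY] if wow64 else [])
    lines = ["Windows Registry Editor Version 5.00", ""]
    for c in sorted({normalize_clsid(x) for x in clsids}):
        for k in keys:
            lines += [f"[{k}\\{c}]", f'"Compatibility Flags"=dword:{KILLBIT:08x}', ""]
    return "\r\n".join(lines)


def killbitted_clsids(reg_text):
    """Return the set of CLSIDs whose key under 'ActiveX Compatibility'
    has bit 0x400 set in Compatibility Flags; other keys are ignored."""
    found, current = set(), None
    for line in reg_text.splitlines():
        line = line.strip()
        key = re.match(r"^\[(.+)\]$", line)
        if key:
            path = key.group(1)
            leaf = path.rsplit("\\", 1)[-1].upper()
            in_compat = "ACTIVEX COMPATIBILITY" in path.upper()
            current = leaf if in_compat and CLSID_RE.match(leaf) else None
            continue
        val = re.match(r'^"Compatibility Flags"=dword:([0-9A-Fa-f]{1,8})$', line)
        if val and current and int(val.group(1), 16) & KILLBIT:
            found.add(current)
    return found


# Hypothetical CLSIDs used only to show the format; substitute the ones you
# actually want blocked.
EXAMPLE_CLSIDS = ["{11111111-2222-3333-4444-555555555555}",
                  "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"]

if __name__ == "__main__":
    text = killbit_reg(EXAMPLE_CLSIDS, wow64=True)
    print(text)
    print("blocked:", sorted(killbitted_clsids(text)))
```

Apply the output from an elevated prompt with `reg import killbits.reg`; to audit what is already blocked, run `reg export "HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility" compat.reg` and feed that file to killbitted_clsids(). Note that a kill bit only stops IE from loading the control; it does not remove the DLL, so a control you have identified as malicious still needs deleting.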


Yep, I've read all this stuff and installed the extra things that you mentioned. I'm glad you specifically pointed out the extremely outdated IE, seeing as I never use it except for the IE-only sites!

Everything is like it should be, and ComboFix only temporarily disabled those things I mentioned before so it seems :huh:

Many thanks for all the help!
