Gigabeef Posted May 24, 2009 ID:83106 Share Posted May 24, 2009 I can see there have been a few people on here asking about this already. Same old story - started as a different infection and everything was removed by MBAM and Avira, except uacinit.dll which MBAM says needs to be removed by rebooting. I reboot and MBAM quarantines it, but a new copy is still in my system32 folder.Usually my MBAM log would say "-> delete on reboot" at the end, but last time my whole PC froze up so I just told it to cancel this time and give me the log.MBAM log:Malwarebytes' Anti-Malware 1.36Database version: 2175Windows 5.1.2600 Service Pack 324/05/2009 22:02:31mbam-log-2009-05-24 (22-02-30).txtScan type: Quick ScanObjects scanned: 87322Time elapsed: 1 minute(s), 21 second(s)Memory Processes Infected: 0Memory Modules Infected: 0Registry Keys Infected: 0Registry Values Infected: 0Registry Data Items Infected: 0Folders Infected: 0Files Infected: 1Memory Processes Infected:(No malicious items detected)Memory Modules Infected:(No malicious items detected)Registry Keys Infected:(No malicious items detected)Registry Values Infected:(No malicious items detected)Registry Data Items Infected:(No malicious items detected)Folders Infected:(No malicious items detected)Files Infected:C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> No action taken.HijackThis Log:Logfile of Trend Micro HijackThis v2.0.2Scan saved at 21:54:50, on 24/05/2009Platform: Windows XP SP3 (WinNT 5.01.2600)MSIE: Internet Explorer v7.00 (7.00.6000.16705)Boot mode: NormalRunning processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\system32\spoolsv.exeE:\Program Files\Avira\AntiVir Desktop\sched.exeE:\Program Files\Avira\AntiVir Desktop\avguard.exeC:\WINDOWS\Explorer.EXEC:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exeC:\PROGRA~1\AVG\AVG8\avgwdsvc.exeC:\Program Files\Bonjour\mDNSResponder.exeC:\WINDOWS\system32\cisvc.exeE:\Program Files\Cisco Systems\VPN Client\cvpnd.exeE:\Program Files\Java\jre6\bin\jqs.exeC:\Program Files\NVIDIA Corporation\nTune\nTuneService.exeC:\WINDOWS\system32\nvsvc32.exeC:\WINDOWS\system32\PnkBstrA.exeC:\WINDOWS\system32\PnkBstrB.exeC:\PROGRA~1\AVG\AVG8\avgrsx.exeC:\PROGRA~1\AVG\AVG8\avgnsx.exeC:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exeC:\WINDOWS\System32\svchost.exeE:\Program Files\Linksys\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exeC:\PROGRA~1\AVG\AVG8\avgemc.exeE:\Program Files\Linksys\Compact Wireless-G USB Adapter Wireless Network Monitor\WUSB54GC.exeC:\Program Files\AVG\AVG8\avgcsrvx.exeC:\WINDOWS\RTHDCPL.EXEC:\WINDOWS\system32\rundll32.exeC:\PROGRA~1\AVG\AVG8\avgtray.exeE:\Program Files\iTunesHelper.exeE:\Program Files\Razer\Copperhead\razerhid.exeC:\WINDOWS\system32\RUNDLL32.EXEE:\Program Files\Avira\AntiVir Desktop\avgnt.exeC:\WINDOWS\system32\ctfmon.exeE:\Program Files\Razer\Copperhead\razertra.exeE:\Program Files\Razer\Copperhead\razerofa.exeC:\program files\valve\steam\steam.exeC:\Documents and Settings\Jon\Local Settings\Application Data\Google\Update\GoogleUpdate.exeE:\Program Files\Spybot - Search & Destroy\TeaTimer.exeE:\Program Files\Launchy\Launchy.exeC:\Program Files\iPod\bin\iPodService.exeC:\Documents and Settings\Jon\Local Settings\Application Data\Google\Chrome\Application\chrome.exeC:\Documents and Settings\Jon\Local Settings\Application Data\Google\Chrome\Application\chrome.exeC:\Documents and Settings\Jon\Local Settings\Application Data\Google\Chrome\Application\chrome.exeC:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exeC:\WINDOWS\system32\cidaemon.exeC:\Documents and Settings\Jon\Local Settings\Application Data\Google\Chrome\Application\chrome.exeC:\Documents and Settings\Jon\Local Settings\Application Data\Google\Chrome\Application\chrome.exeE:\Program Files\Trend Micro\HijackThis\HijackThis.exeR1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.localO2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dllO2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dllO2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - E:\Program Files\Spybot - Search & Destroy\SDHelper.dllO2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dllO2 - BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - E:\Program Files\Java\jre6\bin\ssv.dllO2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - E:\Program Files\Java\jre6\bin\jp2ssv.dllO2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - E:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dllO2 - BHO: WinAVI FLVSense - {E8DF67A1-B618-4F3F-9E7C-CBE175ADEF5B} - C:\Program Files\WinAVI FLV Converter\FLVTune.dllO4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartupO4 - HKLM\..\Run: [nwiz] nwiz.exe /installO4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXEO4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXEO4 - HKLM\..\Run: [JMB36X IDE Setup] C:\WINDOWS\RaidTool\xInsIDE.exeO4 - HKLM\..\Run: [36X Raid Configurer] C:\WINDOWS\system32\xRaidSetup.exe bootO4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exeO4 - HKLM\..\Run: [iTunesHelper] "E:\Program Files\iTunesHelper.exe"O4 - HKLM\..\Run: [Copperhead] E:\Program Files\Razer\Copperhead\razerhid.exeO4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInitO4 - HKLM\..\Run: [avgnt] "E:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /minO4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exeO4 - HKCU\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clearO4 - HKCU\..\Run: [steam] "c:\program files\valve\steam\steam.exe" -silentO4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Jon\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /cO4 - HKCU\..\Run: [spybotSD TeaTimer] E:\Program Files\Spybot - Search & Destroy\TeaTimer.exeO4 - Global Startup: Launchy.lnk = E:\Program Files\Launchy\Launchy.exeO4 - Global Startup: VPN Client.lnk = ?O8 - Extra context menu item: &Download FLV by WinAVI... - C:\Program Files\WinAVI FLV Converter\flv_link.htmO8 - Extra context menu item: &Save Flash In This Page by Flash Saver - C:\PROGRA~1\FLASHS~1\save.htmO8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000O9 - Extra button: Flash Saver - {09EA1F80-F40A-11D1-B792-444553540001} - C:\PROGRA~1\FLASHS~1\save.htmO9 - Extra 'Tools' menuitem: Flash Saver - {09EA1F80-F40A-11D1-B792-444553540001} - C:\PROGRA~1\FLASHS~1\save.htmO9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dllO9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dllO9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLLO9 - Extra button: WinAVI FLV Manager - {DE365254-2F9B-4908-9E3A-7AAA6EC90BCC} - C:\Program Files\WinAVI FLV Converter\FLVTune.dllO9 - Extra 'Tools' menuitem: WinAVI FLV Manager - {DE365254-2F9B-4908-9E3A-7AAA6EC90BCC} - C:\Program Files\WinAVI FLV Converter\FLVTune.dllO9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - E:\Program Files\Spybot - Search & Destroy\SDHelper.dllO9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - E:\Program Files\Spybot - Search & Destroy\SDHelper.dllO9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exeO9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exeO9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exeO9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exeO9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/200612...ex/qtplugin.cabO16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cabO16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab56986.cabO16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-GB/a-UNO1/GAME_UNO1.cabO16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1173299342609O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cabO16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab56986.cabO16 - DPF: {F8C5C0F1-D884-43EB-A5A0-9E1C4A102FA8} (GoPetsWeb Control) - https://secure.gopetslive.com/dev/GoPetsWeb.cabO18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dllO18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dllO18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLLO20 - Winlogon Notify: !SASWinLogon - E:\Program Files\SUPERAntiSpyware\SASWINLO.dllO20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dllO23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - E:\Program Files\Avira\AntiVir Desktop\sched.exeO23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - E:\Program Files\Avira\AntiVir Desktop\avguard.exeO23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exeO23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exeO23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exeO23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exeO23 - Service: Cisco Systems, Inc. Installer service (CiscoVpnInstallService) - Unknown owner - C:\DOCUME~1\Jon\LOCALS~1\Temp\WZSE0.TMP\INSTAL~1.EXE (file missing)O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - E:\Program Files\Cisco Systems\VPN Client\cvpnd.exeO23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exeO23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exeO23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exeO23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - E:\Program Files\Java\jre6\bin\jqs.exeO23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exeO23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exeO23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exeO23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exeO23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - E:\Program Files\WinPcap\rpcapd.exe (file missing)O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exeO23 - Service: WUSB54GCSVC - GEMTEKS - E:\Program Files\Linksys\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe--End of file - 12028 bytes Link to post Share on other sites More sharing options...
Bio-Hazard Posted May 26, 2009 ID:83655 Share Posted May 26, 2009 Hello and Welcome to forums! My name is Bio-Hazard and I will be helping you to remove any infection(s) that you may have.Please observe these rules while we work:I will be working on your Malware issues this may or may not solve other issues you have with your machine.The fixes are specific to your problem and should only be used for this issue on this machine.I f you don't know or understand something please don't hesitate to ask.Please DO NOT run any other tools or scans whilst I am helping you.It is important that you reply to this thread. Do not start a new topic.Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.Absence of symptoms does not mean that everything is clear.No Reply Within 5 Days Will Result In Your Topic Being Closed!!Download and Run ComboFixDownload ComboFix from one of these locations:Link 1Link 2Link 3Here you can find a tutorial about Combofix: HOW TO USE COMBOFIXYou must download it to and run it from your DesktopComboFix SHOULD NOT be used unless requested by a forum helper.Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix. A guide to do this can be found HEREDouble click on ComboFix.exe and follow the prompts.As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.[*]Do not mouseclick combofix's window whilst it's running. That may cause it to stall.[*]Combofix should never take more that 20 minutes including the reboot if malware is detected.IMPORTANT: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own.This tool is not a toy and not for everyday use.Next ReplyPlease reply with:ComboFix log (found at C:\Combofix.txt)New HijackThis log Link to post Share on other sites More sharing options...
Gigabeef Posted May 27, 2009 Author ID:83750 Share Posted May 27, 2009 Hi, thanks for the input! I have done as you asked.ComboFix log:ComboFix 09-05-26.02 - Jon 27/05/2009 1:18.1 - NTFSx86Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.3582.3103 [GMT 1:00]Running from: c:\documents and settings\Jon\Desktop\ComboFix.exeAV: AntiVir Desktop *On-access scanning disabled* (Outdated) {AD166499-45F9-482A-A743-FDD3350758C7}AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}FW: ZoneAlarm Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}.((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))).c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.datc:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.datc:\windows\system32\drivers\npf.sysc:\windows\system32\drivers\UACyxdtaoehvdeatvb.sysc:\windows\system32\Packet.dllc:\windows\system32\pthreadVC.dllc:\windows\system32\UACaidfjdooinujyoc.dllc:\windows\system32\UACclvneoygutqmewy.dllc:\windows\system32\UACeljoejtvkhasbai.logc:\windows\system32\uacinit.dllc:\windows\system32\UACjlcbitxwkcrdexo.dllc:\windows\system32\UACmgrmyddwqcjsgln.datc:\windows\system32\UACqkkyajbaaluxbjr.logc:\windows\system32\UACrkdmloynavdhsph.dllc:\windows\system32\UACttuetnpxmlsjecg.dllc:\windows\system32\UACyeqynvavipfbkhu.logc:\windows\system32\WanPacket.dllc:\windows\system32\wpcap.dll----- BITS: Possible infected sites -----hxxp://softwaredownloadcentercom.com.((((((((((((((((((((((((((((((((((((((( Drivers/Services ))))))))))))))))))))))))))))))))))))))))))))))))).-------\Service_UACd.sys-------\Legacy_NPF-------\Service_NPF((((((((((((((((((((((((( Files Created from 2009-04-27 to 2009-05-27 ))))))))))))))))))))))))))))))).2009-05-24 18:53 . 2009-05-24 18:53 -------- d-----w c:\documents and settings\Jon\Local Settings\Application Data\vdownloader2009-05-24 18:53 . 2009-05-24 18:53 -------- d-----w e:\program files\VDOWNLOADER2009-05-19 14:11 . 2009-03-30 09:33 96104 ----a-w c:\windows\system32\drivers\avipbb.sys2009-05-19 14:11 . 2009-03-24 15:08 55640 ----a-w c:\windows\system32\drivers\avgntflt.sys2009-05-19 14:11 . 2009-02-13 11:29 22360 ----a-w c:\windows\system32\drivers\avgntmgr.sys2009-05-19 14:11 . 2009-02-13 11:17 45416 ----a-w c:\windows\system32\drivers\avgntdd.sys2009-05-19 14:11 . 2009-05-19 14:11 -------- d-----w e:\program files\Avira2009-05-19 14:11 . 2009-05-19 14:11 -------- d-----w c:\documents and settings\All Users\Application Data\Avira2009-05-19 14:09 . 2009-05-19 14:09 -------- d-----w e:\program files\Trend Micro2009-05-19 13:55 . 2009-04-06 14:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys2009-05-19 13:54 . 2009-04-06 14:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys2009-05-19 10:41 . 2009-05-19 10:41 -------- d-----w c:\documents and settings\Jon\Application Data\Malwarebytes2009-05-19 10:25 . 2009-05-19 13:55 -------- d-----w e:\program files\Malwarebytes' Anti-Malware2009-05-19 10:25 . 2009-05-19 10:25 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes2009-05-19 08:17 . 2009-05-12 08:34 2051864 ----a-w c:\documents and settings\All Users\Application Data\avg8\update\backup\avgcorex.dll2009-05-19 08:17 . 2009-05-12 08:34 354584 ----a-w c:\documents and settings\All Users\Application Data\avg8\update\backup\avgxch32.dll2009-05-19 08:17 . 2009-05-12 08:34 3288344 ----a-w c:\documents and settings\All Users\Application Data\avg8\update\backup\setup.exe2009-05-19 08:17 . 2009-05-12 08:34 424472 ----a-w c:\documents and settings\All Users\Application Data\avg8\update\backup\avgwdwsc.dll2009-05-19 08:17 . 2009-05-12 08:34 312088 ----a-w c:\documents and settings\All Users\Application Data\avg8\update\backup\avglngx.dll2009-05-19 08:17 . 2009-05-12 08:34 177432 ----a-w c:\documents and settings\All Users\Application Data\avg8\update\backup\avgmail.dll2009-05-19 08:17 . 2009-05-12 08:34 486168 ----a-w c:\documents and settings\All Users\Application Data\avg8\update\backup\avgrsx.exe2009-05-19 08:17 . 2009-05-12 08:34 755992 ----a-w c:\documents and settings\All Users\Application Data\avg8\update\backup\avginet.dll2009-05-19 08:17 . 2009-05-12 08:34 1437464 ----a-w c:\documents and settings\All Users\Application Data\avg8\update\backup\avgupd.dll2009-05-18 17:44 . 2009-05-18 17:44 -------- d-----w e:\program files\Graph2009-05-18 10:23 . 2009-05-19 11:43 -------- d-----w e:\program files\Spybot - Search & Destroy2009-05-17 22:46 . 2009-05-19 11:31 -------- d-----w e:\program files\Panda Security2009-05-17 20:29 . 2009-05-17 22:21 117760 ----a-w c:\documents and settings\Jon\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL2009-05-17 20:28 . 2009-05-17 20:28 -------- d-----w c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com2009-05-17 20:24 . 2009-05-17 20:28 -------- d-----w e:\program files\SUPERAntiSpyware2009-05-17 20:24 . 2009-05-17 20:24 -------- d-----w c:\documents and settings\Jon\Application Data\SUPERAntiSpyware.com2009-05-17 16:49 . 2009-05-12 08:34 2302232 ----a-w c:\documents and settings\All Users\Application Data\avg8\update\backup\avguiadv.dll2009-05-17 16:49 . 2009-05-12 08:34 3399960 ----a-w c:\documents and settings\All Users\Application Data\avg8\update\backup\avgui.exe2009-04-29 21:19 . 2009-04-29 21:19 41808 ----a-w c:\windows\system32\xfcodec.dll.(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))).2009-05-27 00:25 . 2009-03-27 16:45 -------- d-----w c:\documents and settings\Jon\Application Data\nView_Wallpaper2009-05-27 00:04 . 2008-01-24 23:07 -------- d-s---w e:\program files\Xfire2009-05-26 23:57 . 2007-03-07 22:03 -------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy2009-05-26 23:37 . 2007-03-07 21:03 -------- d-----w c:\documents and settings\Jon\Application Data\Xfire2009-05-26 21:16 . 2007-10-17 13:30 64 ----a-w c:\windows\popcinfot.dat2009-05-26 19:34 . 2007-03-12 21:15 10254 ----a-w c:\windows\system32\Fxxplfnt.tmp2009-05-26 16:04 . 2008-05-15 07:22 -------- d-----w e:\program files\Diablo II2009-05-20 07:17 . 2008-12-31 00:00 -------- d-----w e:\program files\Cain2009-05-18 17:25 . 2007-03-08 07:11 75584 ----a-w c:\documents and settings\Jon\Local Settings\Application Data\GDIPFONTCACHEV1.DAT2009-05-17 20:24 . 2007-10-19 12:53 -------- d-----w c:\program files\Common Files\Wise Installation Wizard2009-05-15 00:31 . 2007-09-30 22:17 138920 ----a-w c:\windows\system32\drivers\PnkBstrK.sys2009-05-15 00:31 . 2007-09-30 22:16 189072 ----a-w c:\windows\system32\PnkBstrB.exe2009-05-15 00:28 . 2008-11-13 17:56 -------- d---a-w c:\documents and settings\All Users\Application Data\TEMP2009-05-13 18:49 . 2008-06-22 15:14 -------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help2009-05-12 08:34 . 2008-05-05 11:35 11952 ----a-w c:\windows\system32\avgrsstx.dll2009-05-12 08:34 . 2008-05-05 11:35 325896 ----a-w c:\windows\system32\drivers\avgldx86.sys2009-05-12 08:34 . 2007-03-07 22:52 27784 ----a-w c:\windows\system32\drivers\avgmfx86.sys2009-05-12 08:34 . 2008-05-05 11:35 108552 ----a-w c:\windows\system32\drivers\avgtdix.sys2009-05-04 11:37 . 2009-03-27 10:20 8 ----a-w c:\windows\system32\nvModes.dat2009-04-22 22:47 . 2007-04-29 12:49 -------- d-----w c:\documents and settings\Jon\Application Data\uTorrent2009-04-21 23:20 . 2009-04-21 23:20 14311680 ----a-w c:\windows\system32\xlive.dll2009-04-21 23:20 . 2009-04-21 23:20 13642496 ----a-w c:\windows\system32\xlivefnt.dll2009-04-20 23:00 . 2009-04-20 23:00 -------- d-----w e:\program files\NDSROM Player2009-04-11 02:14 . 2008-01-30 15:49 -------- d--h--w e:\program files\InstallShield Installation Information2009-04-10 21:20 . 2009-04-10 21:20 -------- d-----w c:\documents and settings\All Users\Application Data\FLEXnet2009-04-10 21:12 . 2007-03-09 20:11 -------- d-----w c:\program files\Common Files\Adobe2009-04-10 21:11 . 2009-04-10 21:11 -------- d-----w e:\program files\Adobe Media Player2009-04-10 21:07 . 2009-04-10 21:07 -------- d-----w c:\program files\Common Files\Adobe AIR2009-04-10 21:01 . 2009-04-10 21:01 -------- d-----w c:\program files\Common Files\Macrovision Shared2009-04-10 20:45 . 2008-04-28 15:13 -------- d-----w c:\documents and settings\All Users\Application Data\TrackMania2009-04-09 17:53 . 2009-04-09 17:53 -------- d-----w c:\documents and settings\Jon\Application Data\Launchy2009-04-09 17:53 . 2009-04-09 17:53 -------- d-----w e:\program files\Launchy2009-03-31 18:30 . 2007-07-22 15:31 -------- d-----w c:\documents and settings\All Users\Application Data\nView_Profiles2009-03-30 18:22 . 2009-03-30 18:18 34 ----a-w c:\documents and settings\Jon\jagex_runescape_preferences.dat2009-03-29 12:19 . 2007-03-07 22:35 -------- d-----w c:\documents and settings\Jon\Application Data\Skype2009-03-28 13:35 . 2009-03-28 13:35 -------- d-----w c:\documents and settings\All Users\Application Data\Codemasters2009-03-28 12:48 . 2009-03-28 12:48 -------- d-----w e:\program files\OpenAL2009-03-28 12:48 . 2007-03-27 17:18 444952 ----a-w c:\windows\system32\wrap_oal.dll2009-03-28 12:48 . 2007-03-27 17:18 109080 ----a-w c:\windows\system32\OpenAL32.dll2009-03-28 12:33 . 2009-03-28 12:33 -------- d-----w e:\program files\Codemasters2009-03-27 18:08 . 2009-03-27 18:08 29696 ----a-w c:\windows\mickey32.dll2009-03-27 18:08 . 2009-03-27 18:08 232784 ----a-w c:\windows\Matrix Code.scr2009-03-27 18:08 . 2009-03-27 18:08 2285222 ----a-w c:\windows\Matrix Code.exe2009-03-14 20:50 . 2009-03-14 20:50 20747 ----a-w c:\windows\system32\drivers\AegisP.sys2009-03-06 14:22 . 2003-03-31 12:00 284160 ----a-w c:\windows\system32\pdh.dll2009-03-05 16:44 . 2007-09-30 22:16 75064 ----a-w c:\windows\system32\PnkBstrA.exe2009-03-03 00:18 . 2006-06-23 11:33 826368 ----a-w c:\windows\system32\wininet.dll2009-01-31 17:59 . 2009-01-31 17:59 1112041813 ----a-w e:\program files\MSSetup.exe2008-10-01 17:57 . 2008-10-01 17:57 289576 ----a-w e:\program files\iTunesHelper.exe2008-10-01 17:57 . 2008-10-01 17:57 283136 ----a-w e:\program files\iTunesOutlookAddIn.dll2008-10-01 17:57 . 2008-10-01 17:57 172544 ----a-w e:\program files\iTunesPhotoSupport.dll2008-10-01 17:57 . 2008-10-01 17:57 132392 ----a-w e:\program files\iTunesMiniPlayer.dll2008-10-01 17:57 . 2008-10-01 17:57 108328 ----a-w e:\program files\iTunesAdmin.dll2008-10-01 17:57 . 2008-10-01 17:57 14258472 ----a-w e:\program files\iTunes.exe2008-10-01 17:57 . 2008-10-01 17:57 111912 ----a-w e:\program files\ITDetector.ocx2008-10-01 17:57 . 2008-10-01 17:57 643072 ----a-w e:\program files\iPodUpdaterExt.dll2008-10-01 17:57 . 2008-10-01 17:57 438272 ----a-w e:\program files\CDDBControlApple.dll2008-10-01 17:56 . 2008-10-01 17:56 8356 ----a-w e:\program files\Acknowledgements.rtf.((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))..*Note* empty entries & legit default entries are not shown REGEDIT4[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]"NVIDIA nTune"="c:\program files\NVIDIA Corporation\nTune\nTuneCmd.exe" [2007-09-04 81920]"Steam"="c:\program files\valve\steam\steam.exe" [2009-05-19 1217784]"Google Update"="c:\documents and settings\Jon\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-09-02 133104][HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-02-18 13680640]"JMB36X IDE Setup"="c:\windows\RaidTool\xInsIDE.exe" [2007-03-20 36864]"36X Raid Configurer"="c:\windows\system32\xRaidSetup.exe" [2007-05-25 1953792]"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-05-12 1947928]"iTunesHelper"="e:\program files\iTunesHelper.exe" [2008-10-01 289576]"Copperhead"="e:\program files\Razer\Copperhead\razerhid.exe" [2005-11-25 155648]"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-02-18 86016]"avgnt"="e:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2009-02-18 1657376]"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2007-07-05 16380416]c:\documents and settings\All Users\Start Menu\Programs\Startup\Launchy.lnk - e:\program files\Launchy\Launchy.exe [2009-4-9 286720]VPN Client.lnk - c:\windows\Installer\{4C271126-C295-4828-A901-5910AE0C258B}\Icon3E5562ED7.ico [2009-1-2 6144][HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]"NoSMHelp"= 01000000[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "e:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824][HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]2008-12-22 11:05 356352 ----a-w e:\program files\SUPERAntiSpyware\SASWINLO.dll[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]2009-05-12 08:34 11952 ----a-w c:\windows\system32\avgrsstx.dll[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnkbackup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Synchronizer.lnkbackup=c:\windows\pss\Adobe Reader Synchronizer.lnkCommon Startup[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AutoUpdate Monitor.lnk]path=c:\documents and settings\All Users\Start Menu\Programs\Startup\AutoUpdate Monitor.lnkbackup=c:\windows\pss\AutoUpdate Monitor.lnkCommon Startup[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Run Google Web Accelerator.lnk]path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Run Google Web Accelerator.lnkbackup=c:\windows\pss\Run Google Web Accelerator.lnkCommon Startup[HKLM\~\startupfolder\C:^Documents and Settings^Jon^Start Menu^Programs^Startup^Folding@Home 5.03.lnk]path=c:\documents and settings\Jon\Start Menu\Programs\Startup\Folding@Home 5.03.lnkbackup=c:\windows\pss\Folding@Home 5.03.lnkStartup[HKLM\~\startupfolder\C:^Documents and Settings^Jon^Start Menu^Programs^Startup^hamachi.lnk]path=c:\documents and settings\Jon\Start Menu\Programs\Startup\hamachi.lnkbackup=c:\windows\pss\hamachi.lnkStartup[HKLM\~\startupfolder\C:^Documents and Settings^Jon^Start Menu^Programs^Startup^Microsoft Office Groove.lnk]path=c:\documents and settings\Jon\Start Menu\Programs\Startup\Microsoft Office Groove.lnkbackup=c:\windows\pss\Microsoft Office Groove.lnkStartup[HKLM\~\startupfolder\C:^Documents and Settings^Jon^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]path=c:\documents and settings\Jon\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnkbackup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup[HKLM\~\startupfolder\C:^Documents and Settings^Jon^Start Menu^Programs^Startup^OpenOffice.org 2.1.lnk]path=c:\documents and settings\Jon\Start Menu\Programs\Startup\OpenOffice.org 2.1.lnkbackup=c:\windows\pss\OpenOffice.org 2.1.lnkStartup[HKLM\~\startupfolder\C:^Documents and Settings^Jon^Start Menu^Programs^Startup^OpenOffice.org 2.2.lnk]path=c:\documents and settings\Jon\Start Menu\Programs\Startup\OpenOffice.org 2.2.lnkbackup=c:\windows\pss\OpenOffice.org 2.2.lnkStartup[HKLM\~\startupfolder\C:^Documents and Settings^Jon^Start Menu^Programs^Startup^RAR Password Cracker.lnk]path=c:\documents and settings\Jon\Start Menu\Programs\Startup\RAR Password Cracker.lnkbackup=c:\windows\pss\RAR Password Cracker.lnkStartup[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]"vsmon"=2 (0x2)[HKEY_LOCAL_MACHINE\software\microsoft\security center]"AntiVirusDisableNotify"=dword:00000001"UpdatesDisableNotify"=dword:00000001[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]"DisableMonitoring"=dword:00000001[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]"EnableFirewall"= 0 (0x0)[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]"%windir%\\system32\\sessmgr.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe"="c:\\Program Files\\THQ\\Gas Powered Games\\Supreme Commander\\bin\\SupremeCommander.exe"="c:\\Program Files\\THQ\\Gas Powered Games\\GPGNet\\GPG.Multiplayer.Client.exe"="c:\\Program Files\\EA Games\\Battlefield 2\\BF2.exe"="e:\\Programs\\utorrent.exe"="c:\\Program Files\\Sierra Entertainment\\World in Conflict\\wic.exe"="c:\\Program Files\\Sierra Entertainment\\World in Conflict\\wic_online.exe"="c:\\Program Files\\Sierra Entertainment\\World in Conflict\\wic_ds.exe"="c:\\WINDOWS\\system32\\PnkBstrA.exe"="c:\\WINDOWS\\system32\\PnkBstrB.exe"="c:\\Program Files\\id Software\\Enemy Territory - QUAKE Wars\\etqwded.exe"="c:\\Program Files\\id Software\\Enemy Territory - QUAKE Wars\\etqw.exe"="c:\\Program Files\\Electronic Arts\\Crytek\\Crysis\\Bin32\\Crysis.exe"="c:\\Program Files\\Electronic Arts\\Crytek\\Crysis\\Bin32\\CrysisDedicatedServer.exe"="c:\\Program Files\\Empire Interactive\\Strangelite\\Starship Troopers\\STGame.exe"="c:\\Program Files\\Unreal Tournament 3\\Binaries\\UT3.exe"="c:\\Program Files\\Stardock Games\\Sins of a Solar Empire\\Sins of a Solar Empire.exe"="c:\\Program Files\\ICQ6\\ICQ.exe"="c:\\Program Files\\AVG\\AVG8\\avgupd.exe"="c:\\Program Files\\AVG\\AVG8\\avgemc.exe"="c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"="c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"="c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"="c:\\Program Files\\MSN Messenger\\msnmsgr.exe"="c:\\Program Files\\MSN Messenger\\livecall.exe"="c:\\Program Files\\Bonjour\\mDNSResponder.exe"="e:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"="e:\\Program Files\\iTunes.exe"="e:\\Program Files\\Activision\\Call of Duty - World at War\\CoDWaW.exe"="e:\\Program Files\\Activision\\Call of Duty - World at War\\CoDWaWmp.exe"="c:\\Program Files\\Valve\\Steam\\SteamApps\\common\\trackmania nations forever\\TmForever.exe"="c:\\Program Files\\Valve\\Steam\\SteamApps\\common\\trackmania nations forever\\TmForeverLauncher.exe"="c:\\Program Files\\Valve\\Steam\\SteamApps\\common\\peggle deluxe\\Peggle.exe"="c:\\Program Files\\Valve\\Steam\\SteamApps\\common\\peggle extreme\\PeggleExtreme.exe"="c:\\Program Files\\Valve\\Steam\\SteamApps\\common\\bioshock\\Builds\\Release\\Bioshock.exe"="e:\\Program Files\\Codemasters\\GRID\\GRID.exe"="c:\\Program Files\\Skype\\Phone\\Skype.exe"="c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"="c:\\Program Files\\Valve\\Steam\\SteamApps\\common\\left 4 dead\\left4dead.exe"="c:\\Program Files\\Valve\\Steam\\SteamApps\\common\\plants vs zombies\\PlantsVsZombies.exe"=[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]"5353:TCP"= 5353:TCP:Adobe CSI CS4R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [05/05/2008 12:35 325896]R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [05/05/2008 12:35 108552]R1 SASDIFSV;SASDIFSV;e:\program files\SUPERAntiSpyware\sasdifsv.sys [14/05/2009 14:22 9968]R1 SASKUTIL;SASKUTIL;e:\program files\SUPERAntiSpyware\SASKUTIL.SYS [14/05/2009 14:22 72944]R2 AntiVirSchedulerService;Avira AntiVir Scheduler;e:\program files\Avira\AntiVir Desktop\sched.exe [19/05/2009 15:11 108289]R2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [04/07/2008 15:03 908568]R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [04/07/2008 15:03 298776]R3 UsbFltr;%SvcDisplayName%;c:\windows\system32\drivers\copperhd.sys [25/02/2008 17:18 11596]S2 CiscoVpnInstallService;Cisco Systems, Inc. Installer service;c:\docume~1\Jon\LOCALS~1\Temp\WZSE0.TMP\INSTAL~1.EXE --> c:\docume~1\Jon\LOCALS~1\Temp\WZSE0.TMP\INSTAL~1.EXE [?]S3 cpuz;cpuz;\??\c:\docume~1\Jon\LOCALS~1\Temp\cpuz.sys --> c:\docume~1\Jon\LOCALS~1\Temp\cpuz.sys [?]S3 Razerlow;Razer Copperhead Driver;c:\windows\system32\drivers\Razerlow.sys [07/03/2007 21:38 19020]S3 SASENUM;SASENUM;e:\program files\SUPERAntiSpyware\SASENUM.SYS [14/05/2009 14:22 7408].Contents of the 'Scheduled Tasks' folder2009-05-21 c:\windows\Tasks\AppleSoftwareUpdate.job- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]2009-05-26 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1078081533-1177238915-725345543-1004.job- c:\documents and settings\Jon\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-02 21:43].- - - - ORPHANS REMOVED - - - -SafeBoot-procexp90.Sys.------- Supplementary Scan -------.uStart Page = hxxp://www.google.com/uInternet Settings,ProxyOverride = *.localIE: &Download FLV by WinAVI... - c:\program files\WinAVI FLV Converter\flv_link.htmIE: &Save Flash In This Page by Flash Saver - c:\progra~1\FLASHS~1\save.htmIE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000IE: {{DE365254-2F9B-4908-9E3A-7AAA6EC90BCC} - {EC83A912-7EF4-410D-9CC7-3BDAA709CA71} - c:\program files\WinAVI FLV Converter\FLVTune.dllDPF: {F8C5C0F1-D884-43EB-A5A0-9E1C4A102FA8} - hxxps://secure.gopetslive.com/dev/GoPetsWeb.cabFF - ProfilePath - c:\documents and settings\Jon\Application Data\Mozilla\Firefox\Profiles\lyluhf4c.default\FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dllFF - plugin: c:\documents and settings\All Users\Application Data\id Software\QuakeLive\npquakezero.dllFF - plugin: c:\documents and settings\All Users\Application Data\Zylom\ZylomGamesPlayer\npzylomgamesplayer.dllFF - plugin: c:\documents and settings\Jon\Local Settings\Application Data\Google\Update\1.2.145.5\npGoogleOneClick8.dllFF - plugin: c:\program files\Adobe\Reader 8.0\Reader\browser\nppdf32.dllFF - plugin: c:\program files\DivX\DivX Player\npDivxPlayerPlugin.dllFF - plugin: c:\program files\DivX\DivX Web Player\npdivx32.dllFF - plugin: c:\program files\QuickTime\Plugins\npqtplugin.dllFF - plugin: c:\program files\QuickTime\Plugins\npqtplugin2.dllFF - plugin: c:\program files\QuickTime\Plugins\npqtplugin3.dllFF - plugin: c:\program files\QuickTime\Plugins\npqtplugin4.dllFF - plugin: c:\program files\QuickTime\Plugins\npqtplugin5.dllFF - plugin: c:\program files\QuickTime\Plugins\npqtplugin6.dllFF - plugin: c:\program files\QuickTime\Plugins\npqtplugin7.dllFF - plugin: c:\program files\Real\RealPlayer\Netscape6\nppl3260.dllFF - plugin: c:\program files\Real\RealPlayer\Netscape6\nprjplug.dllFF - plugin: c:\program files\Real\RealPlayer\Netscape6\nprpjplug.dllFF - plugin: c:\windows\system32\DNAML\npdbplug.dllFF - plugin: e:\program files\Dyyno\Dyyno Player\npvlc.dllFF - plugin: e:\program files\Mozilla Firefox\plugins\npdeploytk.dllFF - plugin: e:\program files\Mozilla Firefox\plugins\npdivx32.dllFF - plugin: e:\program files\Mozilla Firefox\plugins\npDivxPlayerPlugin.dllFF - plugin: e:\program files\Mozilla Firefox\plugins\npnul32.dllFF - plugin: e:\program files\Mozilla Firefox\plugins\nppdf32.dllFF - plugin: e:\program files\Mozilla Firefox\plugins\NPSWF32.dllFF - plugin: e:\program files\Mozilla Plugins\npitunes.dll---- FIREFOX POLICIES ----FF - user.js: capability.policy.policynames - localfilelinksFF - user.js: capability.policy.localfilelinks.sites - hxxp://s1.travian.com http://s2.travian.com http://s3.travian.com http://s4.travian.com http://s5.travian.com http://s6.travian.com http://s7.travian.com http://s8.travian.com http://s9.travian.com http://s10.travian.com http://speed.travian.com http://s1.travian.us http://s2.travian.us http://s3.travian.us http://s4.travian.us http://s5.travian.us http://s6.travian.us http://s7.travian.us http://s8.travian.us http://s9.travian.us http://s10.travian.us http://speed.travian.us http://s1.travian.co.uk http://s2.travian.co.uk http://s3.travian.co.uk http://s4.travian.co.uk http://s5.travian.co.uk http://s6.travian.co.uk http://s7.travian.co.uk http://s8.travian.co.uk http://s9.travian.co.uk http://s10.travian.co.uk http://speed.travian.co.ukFF - user.js: capability.policy.localfilelinks.checkloaduri.enabled - allAccess.**************************************************************************catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.netRootkit scan 2009-05-27 01:24Windows 5.1.2600 Service Pack 3 NTFSscanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfullyhidden files: 0**************************************************************************.--------------------- LOCKED REGISTRY KEYS ---------------------[HKEY_USERS\S-1-5-21-1078081533-1177238915-725345543-1004\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]"??"=hex:1b,97,f7,36,1d,32,7f,c1,a9,e6,d8,3e,d3,6a,d4,60,87,c5,28,ac,bd,d6,37, be,b8,05,1f,5b,70,25,1b,44,53,3a,2b,11,6c,fb,c0,36,21,98,0d,68,9d,a0,cd,0a,\"??"=hex:a1,5e,47,db,25,65,bb,27,8b,92,55,34,10,3f,d9,49[HKEY_USERS\S-1-5-21-1078081533-1177238915-725345543-1004\Software\SecuROM\License information*]"datasecu"=hex:00,8d,86,a8,28,10,51,47,be,fe,54,c3,f9,54,d4,79,ee,8e,c8,41,a9, 45,08,99,89,de,3d,2f,34,9e,4b,dc,34,28,4d,80,1a,fe,16,fa,d2,1c,4c,ae,6e,c8,\"rkeysecu"=hex:01,86,db,5f,b7,b8,88,cd,4e,8c,80,c6,fe,ea,5d,8e.--------------------- DLLs Loaded Under Running Processes ---------------------- - - - - - - > 'winlogon.exe'(1212)e:\program files\SUPERAntiSpyware\SASWINLO.dll- - - - - - - > 'explorer.exe'(240)c:\windows\system32\nview.dllc:\windows\system32\NVWRSENG.DLLc:\windows\system32\WPDShServiceObj.dllc:\windows\system32\PortableDeviceTypes.dllc:\windows\system32\PortableDeviceApi.dll.------------------------ Other Running Processes ------------------------.c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exec:\program files\Bonjour\mDNSResponder.exee:\program files\Cisco Systems\VPN Client\cvpnd.exee:\program files\Java\jre6\bin\jqs.exec:\program files\NVIDIA Corporation\nTune\nTuneService.exec:\windows\system32\nvsvc32.exec:\windows\system32\PnkBstrA.exec:\windows\system32\PnkBstrB.exec:\program files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exee:\program files\Linksys\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exec:\program files\AVG\AVG8\avgrsx.exec:\progra~1\AVG\AVG8\avgnsx.exee:\program files\Linksys\Compact Wireless-G USB Adapter Wireless Network Monitor\WUSB54GC.exec:\program files\AVG\AVG8\avgcsrvx.exec:\windows\system32\rundll32.exec:\windows\system32\rundll32.exec:\windows\system32\wscntfy.exee:\program files\Razer\Copperhead\razertra.exee:\program files\Razer\Copperhead\razerofa.exec:\program files\iPod\bin\iPodService.exe.**************************************************************************.Completion time: 2009-05-27 1:28 - machine was rebootedComboFix-quarantined-files.txt 2009-05-27 00:28Pre-Run: 14,909,480,960 bytes freePost-Run: 15,217,524,736 bytes freeWindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe[boot loader]timeout=2default=multi(0)disk(0)rdisk(1)partition(1)\WINDOWS[operating systems]d:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdconsmulti(0)disk(0)rdisk(1)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect380 --- E O F --- 2009-05-16 01:00New Hijackthis log:Logfile of Trend Micro HijackThis v2.0.2Scan saved at 01:30:35, on 27/05/2009Platform: Windows XP SP3 (WinNT 5.01.2600)MSIE: Internet Explorer v7.00 (7.00.6000.16705)Boot mode: NormalRunning processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\system32\spoolsv.exeE:\Program Files\Avira\AntiVir Desktop\sched.exeC:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exeC:\PROGRA~1\AVG\AVG8\avgwdsvc.exeC:\Program Files\Bonjour\mDNSResponder.exeE:\Program Files\Cisco Systems\VPN Client\cvpnd.exeE:\Program Files\Java\jre6\bin\jqs.exeC:\Program Files\NVIDIA Corporation\nTune\nTuneService.exeC:\WINDOWS\system32\nvsvc32.exeC:\WINDOWS\system32\PnkBstrA.exeC:\WINDOWS\system32\PnkBstrB.exeC:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exeC:\WINDOWS\System32\svchost.exeE:\Program Files\Linksys\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exeC:\PROGRA~1\AVG\AVG8\avgrsx.exeC:\PROGRA~1\AVG\AVG8\avgnsx.exeE:\Program Files\Linksys\Compact Wireless-G USB Adapter Wireless Network Monitor\WUSB54GC.exeC:\PROGRA~1\AVG\AVG8\avgemc.exeC:\Program Files\AVG\AVG8\avgcsrvx.exeC:\WINDOWS\RTHDCPL.EXEC:\WINDOWS\system32\rundll32.exeC:\PROGRA~1\AVG\AVG8\avgtray.exeE:\Program Files\iTunesHelper.exeE:\Program Files\Razer\Copperhead\razerhid.exeC:\WINDOWS\system32\RUNDLL32.EXEE:\Program Files\Avira\AntiVir Desktop\avgnt.exeC:\WINDOWS\system32\ctfmon.exeC:\WINDOWS\system32\wscntfy.exeE:\Program Files\Razer\Copperhead\razertra.exeE:\Program Files\Razer\Copperhead\razerofa.exeC:\program files\valve\steam\steam.exeC:\Documents and Settings\Jon\Local Settings\Application Data\Google\Update\GoogleUpdate.exeC:\Program Files\iPod\bin\iPodService.exeE:\Program Files\Launchy\Launchy.exeC:\WINDOWS\explorer.exeC:\WINDOWS\system32\notepad.exeC:\Documents and Settings\Jon\Local Settings\Application Data\Google\Chrome\Application\chrome.exeC:\Documents and Settings\Jon\Local Settings\Application Data\Google\Chrome\Application\chrome.exeE:\Program Files\Trend Micro\HijackThis\HijackThis.exeR1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.localO2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dllO2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dllO2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - E:\PROGRA~1\SPYBOT~1\SDHelper.dllO2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dllO2 - BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - E:\Program Files\Java\jre6\bin\ssv.dllO2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - E:\Program Files\Java\jre6\bin\jp2ssv.dllO2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - E:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dllO2 - BHO: WinAVI FLVSense - {E8DF67A1-B618-4F3F-9E7C-CBE175ADEF5B} - C:\Program Files\WinAVI FLV Converter\FLVTune.dllO4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartupO4 - HKLM\..\Run: [nwiz] nwiz.exe /installO4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXEO4 - HKLM\..\Run: [JMB36X IDE Setup] C:\WINDOWS\RaidTool\xInsIDE.exeO4 - HKLM\..\Run: [36X Raid Configurer] C:\WINDOWS\system32\xRaidSetup.exe bootO4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exeO4 - HKLM\..\Run: [iTunesHelper] "E:\Program Files\iTunesHelper.exe"O4 - HKLM\..\Run: [Copperhead] E:\Program Files\Razer\Copperhead\razerhid.exeO4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInitO4 - HKLM\..\Run: [avgnt] "E:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /minO4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exeO4 - HKCU\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clearO4 - HKCU\..\Run: [steam] "c:\program files\valve\steam\steam.exe" -silentO4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Jon\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /cO4 - Global Startup: Launchy.lnk = E:\Program Files\Launchy\Launchy.exeO4 - Global Startup: VPN Client.lnk = ?O8 - Extra context menu item: &Download FLV by WinAVI... - C:\Program Files\WinAVI FLV Converter\flv_link.htmO8 - Extra context menu item: &Save Flash In This Page by Flash Saver - C:\PROGRA~1\FLASHS~1\save.htmO8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000O9 - Extra button: Flash Saver - {09EA1F80-F40A-11D1-B792-444553540001} - C:\PROGRA~1\FLASHS~1\save.htmO9 - Extra 'Tools' menuitem: Flash Saver - {09EA1F80-F40A-11D1-B792-444553540001} - C:\PROGRA~1\FLASHS~1\save.htmO9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dllO9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dllO9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLLO9 - Extra button: WinAVI FLV Manager - {DE365254-2F9B-4908-9E3A-7AAA6EC90BCC} - C:\Program Files\WinAVI FLV Converter\FLVTune.dllO9 - Extra 'Tools' menuitem: WinAVI FLV Manager - {DE365254-2F9B-4908-9E3A-7AAA6EC90BCC} - C:\Program Files\WinAVI FLV Converter\FLVTune.dllO9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - E:\PROGRA~1\SPYBOT~1\SDHelper.dllO9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - E:\PROGRA~1\SPYBOT~1\SDHelper.dllO9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exeO9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exeO9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exeO9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exeO9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/200612...ex/qtplugin.cabO16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cabO16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab56986.cabO16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-GB/a-UNO1/GAME_UNO1.cabO16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1173299342609O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cabO16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab56986.cabO16 - DPF: {F8C5C0F1-D884-43EB-A5A0-9E1C4A102FA8} (GoPetsWeb Control) - https://secure.gopetslive.com/dev/GoPetsWeb.cabO18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dllO18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dllO18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLLO20 - Winlogon Notify: !SASWinLogon - E:\Program Files\SUPERAntiSpyware\SASWINLO.dllO20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dllO23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - E:\Program Files\Avira\AntiVir Desktop\sched.exeO23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - E:\Program Files\Avira\AntiVir Desktop\avguard.exeO23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exeO23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exeO23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exeO23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exeO23 - Service: Cisco Systems, Inc. Installer service (CiscoVpnInstallService) - Unknown owner - C:\DOCUME~1\Jon\LOCALS~1\Temp\WZSE0.TMP\INSTAL~1.EXE (file missing)O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - E:\Program Files\Cisco Systems\VPN Client\cvpnd.exeO23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exeO23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exeO23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exeO23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - E:\Program Files\Java\jre6\bin\jqs.exeO23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exeO23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exeO23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exeO23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exeO23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - E:\Program Files\WinPcap\rpcapd.exe (file missing)O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exeO23 - Service: WUSB54GCSVC - GEMTEKS - E:\Program Files\Linksys\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe--End of file - 11364 bytes Link to post Share on other sites More sharing options...
Bio-Hazard Posted May 27, 2009 ID:84094 Share Posted May 27, 2009 P2P Warning!uTorrentI understand that downloading music and other files may be important to you; however, the P2P programs that you are using to do that, even if they are not infected with malware, will bring malware into your system. Therefore, the chances of you becoming infected again are very high. This obviously can result in disabling your computer and could even lead to someone stealing sensitive personal data from your computer. Beyond the inconvenience this causes you, these programs also tend to use your computer as a server to spread more infection over the internet, so your computer becomes a part of the malware problem.Remember that no matter how clean the program you're using for peer-to-peer filesharing may be, it offers no guarantees regarding the cleanliness of files you may choose to download. All files available via p2p filesharing carry a high risk, particularly those that offer you illegitimate methods of using legitimate software programs without paying for them. Any program or file that offers you the ability to access non-freeware programs at no cost, e.g., copyrighted material, pirated software, and/or cracks/key generators for gaining access to legitimate software, is 100% guaranteed to contain malware.An often unanticipated and unintended consequence of using p2p programs is that you may be leaving your computer open to access by others without either your knowledge or consent. This is how you can uninstall it/them:Click StartGo to Control PanelGo to Add/Remove ProgramsFind and click Remove for the following (if present):uTorrentNOTE: Take care when answering any questions posed by an uninstaller. Some questions may be worded to deceive you into keeping the program.If you wish to keep them, you MUST NOT use them until your computer is clean.Remove one of your Anti Virus programs.You are operating multiple Anti Virus programs on your computer:Avira and AVG8It is NOT safe to have more than one anti-virus installed on a system, and that doing so not only does not provide better protection, it will actually cause additional problems. Anti-virus programs patch into the system kernel. Having more than one anti-virus patching into the system kernel will not only destabilize a system, it can corrupt system files and it WILL cause crashes! You MUST remove all but one anti-virus program. Remove HijackThis entriesRun HijackThisClick on the Scan buttonPut a check beside all of the items listed below (if present):O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXEClose all open windows and browsers/email etc...Click on the Fix Checked buttonWhen completed close the application.OTMDownload OTM by Old Timer and save it to your Desktop.Double-click OTM.exe to run it.Copy the lines in the codebox below.:Processesexplorer.exe:Filesc:\windows\system32\Fxxplfnt.tmp:Commands[emptytemp][start explorer][Reboot]Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.Click the red Moveit! button.OTM may ask to reboot the machine. Please do so if asked.Copy everything in the Results window (under the green bar), and paste it in your next reply.Close OTMKaspersky Online ScanPlease go to Kaspersky website and perform an online antivirus scan.Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.Read through the requirements and privacy statement and click on Accept button.It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.When the downloads have finished, click on Settings.Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button: Spyware, Adware, Dialers, and other potentially dangerous programsArchives[*]Click on My Computer under Scan.[*]Once the scan is complete, it will display the results. Click on View Scan Report.[*]You will see a list of infected items there. Click on Save Report As....[*]Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.[*]Please post this log in your next reply along with a fresh HijackThis log.Logs/Information to Post in Next ReplyPlease post the following logs/Information in your reply:OTM LogKaspersky LogA fresh HijackThis Log ( after all the above has been done)A description of how your computer is behaving Link to post Share on other sites More sharing options...
Root Admin AdvancedSetup Posted June 1, 2009 Root Admin ID:85460 Share Posted June 1, 2009 Due to the lack of feedback this Topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.Other members who need assistance please start your own topic in a new thread. Thanks!The fixes and advice in this thread are for this machine only. Do not apply the instructions from this thread to your own machine. Please start a new thread describing your issue and someone will be along to assist you. Link to post Share on other sites More sharing options...
Root Admin AdvancedSetup Posted June 2, 2009 Root Admin ID:85955 Share Posted June 2, 2009 Post reopened at user request. Link to post Share on other sites More sharing options...
Gigabeef Posted June 2, 2009 Author ID:85981 Share Posted June 2, 2009 Ok sorry I took a while, but the Kapersky scan took about 10 hours and as soon as I was too impatient something happened to stop it, so I had to find time to get 10 hours straight. I removed AVG (as it has been totally useless in this whole thing) and I'm not even able to use any p2p software at all at University, so that isn't an issue.I can't see any symptoms of any infection whatsoever though.Kapersky seems to have flagged all sorts of things though.Thanks! (oh and btw, what does OTM actually do?)OTM log:========== PROCESSES ==========Process explorer.exe killed successfully.========== FILES ==========c:\windows\system32\Fxxplfnt.tmp moved successfully.========== COMMANDS ==========File delete failed. C:\DOCUME~1\Jon\LOCALS~1\Temp\etilqs_CgZJibfKhgBkD7N scheduled to be deleted on reboot.File delete failed. C:\DOCUME~1\Jon\LOCALS~1\Temp\etilqs_Jcz7IoyS8ZFp5cV scheduled to be deleted on reboot.File delete failed. C:\DOCUME~1\Jon\LOCALS~1\Temp\~DFDC1A.tmp scheduled to be deleted on reboot.User's Temp folder emptied.User's Internet Explorer cache folder emptied.File delete failed. C:\Documents and Settings\Jon\Local Settings\Temporary Internet Files\Content.IE5\ZZN1R4WT\store_steampowered_com[1].htm scheduled to be deleted on reboot.File delete failed. C:\Documents and Settings\Jon\Local Settings\Temporary Internet Files\Content.IE5\3ORQ1FJU\notifier_avira_com[1].htm scheduled to be deleted on reboot.File delete failed. C:\Documents and Settings\Jon\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.User's Temporary Internet Files folder emptied.Local Service Temp folder emptied.File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.Local Service Temporary Internet Files folder emptied.Network Service Temp folder emptied.Network Service Temporary Internet Files folder emptied.File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_5d4.dat scheduled to be deleted on reboot.File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_704.dat scheduled to be deleted on reboot.Windows Temp folder emptied.Java cache emptied.FireFox cache emptied.Opera cache emptied.Temp folders emptied.Explorer started successfullyOTM by OldTimer - Version 2.1.0.0 log created on 05292009_015153Files moved on Reboot...File C:\DOCUME~1\Jon\LOCALS~1\Temp\etilqs_CgZJibfKhgBkD7N not found!File C:\DOCUME~1\Jon\LOCALS~1\Temp\etilqs_Jcz7IoyS8ZFp5cV not found!C:\DOCUME~1\Jon\LOCALS~1\Temp\~DFDC1A.tmp moved successfully.C:\Documents and Settings\Jon\Local Settings\Temporary Internet Files\Content.IE5\ZZN1R4WT\store_steampowered_com[1].htm moved successfully.C:\Documents and Settings\Jon\Local Settings\Temporary Internet Files\Content.IE5\3ORQ1FJU\notifier_avira_com[1].htm moved successfully.File C:\WINDOWS\temp\Perflib_Perfdata_5d4.dat not found!File C:\WINDOWS\temp\Perflib_Perfdata_704.dat not found!Registry entries deleted on Reboot...Kapersky Log:KASPERSKY ONLINE SCANNER 7.0 REPORTTuesday, June 2, 2009Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)Kaspersky Online Scanner version: 7.0.26.13Program database last update: Monday, June 01, 2009 19:14:19Records in database: 2292339Scan settingsScan using the following database extendedScan archives yesScan mail databases yesScan area My ComputerA:\C:\D:\E:\F:\G:\H:\Scan statisticsFiles scanned 353173Threat name 17Infected objects 36Suspicious objects 0Duration of the scan 10:27:03File name Threat name Threats countC:\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.621 1 C:\System Volume Information\_restore{A702071B-0305-46F2-B1CA-DA8CD33B7829}\RP831\A0254697.sys Infected: Trojan.Win32.Agent.chly 1 C:\System Volume Information\_restore{A702071B-0305-46F2-B1CA-DA8CD33B7829}\RP831\A0254698.dll Infected: Trojan.Win32.TDSS.acbv 1 C:\System Volume Information\_restore{A702071B-0305-46F2-B1CA-DA8CD33B7829}\RP831\A0254699.dll Infected: Packed.Win32.Tdss.f 1 C:\System Volume Information\_restore{A702071B-0305-46F2-B1CA-DA8CD33B7829}\RP831\A0254700.dll Infected: Packed.Win32.Tdss.f 1 C:\System Volume Information\_restore{A702071B-0305-46F2-B1CA-DA8CD33B7829}\RP831\A0254701.dll Infected: Packed.Win32.Tdss.f 1 C:\System Volume Information\_restore{A702071B-0305-46F2-B1CA-DA8CD33B7829}\RP831\A0254702.dll Infected: Packed.Win32.Tdss.f 1 D:\ISOs\Operating Systems\Linux\SuSE 10.0\SuSE 10.0 CD1.iso Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.h 1 D:\ISOs\Operating Systems\Linux\SuSE 10.0\SuSE 10.0 CD1.iso Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.b 1 D:\ISOs\Operating Systems\Linux\SuSE 9.3 Pro\SuSE 9.3 Pro CD1.iso Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.h 1 D:\ISOs\Operating Systems\Linux\SuSE 9.3 Pro\SuSE 9.3 Pro CD1.iso Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.b 1 D:\Jon's PC\Monsterkill\Installers\Legion\BruteForce.ex_ Infected: HackTool.Win32.BruteForce.a 1 D:\Jon's PC\Monsterkill\Installers\Legion\Chrono.dl_ Infected: HackTool.Win32.BruteForce.d 1 D:\Jon's PC\Monsterkill\Installers\Legion\Legion.ex_ Infected: not-a-virus:NetTool.Win32.Legion.21 1 D:\Jon's PC\Monsterkill\Installers\Real VNC\vnc-4_1_1-x86_win32.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4110 1 D:\Jon's PC\Monsterkill\Installers\Real VNC\vnc-4_1_1-x86_win32.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 1 D:\Jon's PC\Vista Transformation Pack\Vista Transformation Pack 3.0.exe Infected: not-a-virus:RiskTool.Win32.CloseApp.a 2 D:\Jon's PC\Vista Transformation Pack\Vista Transformation Pack.exe Infected: not-a-virus:RiskTool.Win32.CloseApp.a 2 D:\Program Files\Legion\Legion.exe Infected: not-a-virus:NetTool.Win32.Legion.21 1 E:\Program Files\Cain\Cain.exe Infected: not-a-virus:PSWTool.Win32.Cain.s 1 E:\Programs\legion\BruteForce.ex_ Infected: HackTool.Win32.BruteForce.a 1 E:\Programs\legion\Chrono.dl_ Infected: HackTool.Win32.BruteForce.d 1 E:\Programs\legion\Legion.ex_ Infected: not-a-virus:NetTool.Win32.Legion.21 1 E:\Programs\legion\NetTools.ex_ Infected: Trojan-PSW.Win32.Spion.c 1 E:\Programs\legion.zip Infected: Trojan-PSW.Win32.Spion.c 1 E:\Programs\legion.zip Infected: HackTool.Win32.BruteForce.a 1 E:\Programs\legion.zip Infected: HackTool.Win32.BruteForce.d 1 E:\Programs\legion.zip Infected: not-a-virus:NetTool.Win32.Legion.21 1 E:\Programs\melgibs.rar Infected: Trojan-Banker.Win32.Banker.afwk 1 E:\Programs\mirc621.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.621 1 E:\Programs\Nero.zip Infected: Trojan.Win32.Agent.abek 1 E:\Programs\tightvnc-1.2.9-setup.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.h 1 E:\Programs\tightvnc-1.2.9-setup.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.b 1 E:\usb_multiboot_10\USB_MultiBoot_10\MULTI_CONTENT\wintools\othertools\ProduKey.exe Infected: not-a-virus:PSWTool.Win32.ProductKey.i 1 The selected area was scanned.HJT log:Logfile of Trend Micro HijackThis v2.0.2Scan saved at 20:15:30, on 02/06/2009Platform: Windows XP SP3 (WinNT 5.01.2600)MSIE: Internet Explorer v7.00 (7.00.6000.16705)Boot mode: NormalRunning processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\system32\spoolsv.exeE:\Program Files\Avira\AntiVir Desktop\sched.exeE:\Program Files\Avira\AntiVir Desktop\avguard.exeC:\WINDOWS\Explorer.EXEC:\WINDOWS\RTHDCPL.EXEC:\WINDOWS\system32\rundll32.exeE:\Program Files\iTunesHelper.exeE:\Program Files\Razer\Copperhead\razerhid.exeC:\WINDOWS\system32\RUNDLL32.EXEE:\Program Files\Avira\AntiVir Desktop\avgnt.exeC:\WINDOWS\system32\ctfmon.exeC:\Documents and Settings\Jon\Local Settings\Application Data\Google\Update\GoogleUpdate.exeE:\Program Files\Spybot - Search & Destroy\TeaTimer.exeE:\Program Files\Launchy\Launchy.exeC:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exeC:\Program Files\Bonjour\mDNSResponder.exeE:\Program Files\Cisco Systems\VPN Client\cvpnd.exeE:\Program Files\Java\jre6\bin\jqs.exeE:\Program Files\Razer\Copperhead\razerofa.exeC:\Program Files\NVIDIA Corporation\nTune\nTuneService.exeC:\WINDOWS\system32\nvsvc32.exeC:\WINDOWS\system32\PnkBstrA.exeC:\WINDOWS\system32\PnkBstrB.exeC:\WINDOWS\System32\svchost.exeE:\Program Files\Linksys\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exeE:\Program Files\Linksys\Compact Wireless-G USB Adapter Wireless Network Monitor\WUSB54GC.exeC:\Program Files\iPod\bin\iPodService.exeE:\Program Files\Razer\Copperhead\razertra.exeE:\PROGRA~1\FOXITS~1\FOXITR~1\FOXITR~1.EXEC:\Program Files\Microsoft Office\Office12\OUTLOOK.EXEC:\Documents and Settings\Jon\Local Settings\Application Data\Google\Chrome\Application\chrome.exeC:\Documents and Settings\Jon\Local Settings\Application Data\Google\Chrome\Application\chrome.exeC:\Program Files\Microsoft Office\Office12\EXCEL.EXEC:\Documents and Settings\Jon\Local Settings\Application Data\Google\Chrome\Application\chrome.exeC:\Documents and Settings\Jon\Local Settings\Application Data\Google\Chrome\Application\chrome.exeC:\Documents and Settings\Jon\Local Settings\Application Data\Google\Chrome\Application\chrome.exeE:\Program Files\Trend Micro\HijackThis\HijackThis.exeR1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.localO2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dllO2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - E:\PROGRA~1\SPYBOT~1\SDHelper.dllO2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dllO2 - BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - E:\Program Files\Java\jre6\bin\ssv.dllO2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - E:\Program Files\Java\jre6\bin\jp2ssv.dllO2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - E:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dllO2 - BHO: WinAVI FLVSense - {E8DF67A1-B618-4F3F-9E7C-CBE175ADEF5B} - C:\Program Files\WinAVI FLV Converter\FLVTune.dllO4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartupO4 - HKLM\..\Run: [nwiz] nwiz.exe /installO4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXEO4 - HKLM\..\Run: [JMB36X IDE Setup] C:\WINDOWS\RaidTool\xInsIDE.exeO4 - HKLM\..\Run: [36X Raid Configurer] C:\WINDOWS\system32\xRaidSetup.exe bootO4 - HKLM\..\Run: [iTunesHelper] "E:\Program Files\iTunesHelper.exe"O4 - HKLM\..\Run: [Copperhead] E:\Program Files\Razer\Copperhead\razerhid.exeO4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInitO4 - HKLM\..\Run: [avgnt] "E:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /minO4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exeO4 - HKCU\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clearO4 - HKCU\..\Run: [steam] "c:\program files\valve\steam\steam.exe" -silentO4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Jon\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /cO4 - HKCU\..\Run: [spybotSD TeaTimer] E:\Program Files\Spybot - Search & Destroy\TeaTimer.exeO4 - Startup: Xfire.lnk = E:\Program Files\Xfire\Xfire.exeO4 - Global Startup: Launchy.lnk = E:\Program Files\Launchy\Launchy.exeO4 - Global Startup: VPN Client.lnk = ?O8 - Extra context menu item: &Download FLV by WinAVI... - C:\Program Files\WinAVI FLV Converter\flv_link.htmO8 - Extra context menu item: &Save Flash In This Page by Flash Saver - C:\PROGRA~1\FLASHS~1\save.htmO8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000O9 - Extra button: Flash Saver - {09EA1F80-F40A-11D1-B792-444553540001} - C:\PROGRA~1\FLASHS~1\save.htmO9 - Extra 'Tools' menuitem: Flash Saver - {09EA1F80-F40A-11D1-B792-444553540001} - C:\PROGRA~1\FLASHS~1\save.htmO9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dllO9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dllO9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLLO9 - Extra button: WinAVI FLV Manager - {DE365254-2F9B-4908-9E3A-7AAA6EC90BCC} - C:\Program Files\WinAVI FLV Converter\FLVTune.dllO9 - Extra 'Tools' menuitem: WinAVI FLV Manager - {DE365254-2F9B-4908-9E3A-7AAA6EC90BCC} - C:\Program Files\WinAVI FLV Converter\FLVTune.dllO9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - E:\PROGRA~1\SPYBOT~1\SDHelper.dllO9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - E:\PROGRA~1\SPYBOT~1\SDHelper.dllO9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exeO9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exeO9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exeO9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exeO9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/200612...ex/qtplugin.cabO16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cabO16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab56986.cabO16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-GB/a-UNO1/GAME_UNO1.cabO16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1173299342609O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cabO16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab56986.cabO16 - DPF: {F8C5C0F1-D884-43EB-A5A0-9E1C4A102FA8} (GoPetsWeb Control) - https://secure.gopetslive.com/dev/GoPetsWeb.cabO18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dllO18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLLO20 - Winlogon Notify: !SASWinLogon - E:\Program Files\SUPERAntiSpyware\SASWINLO.dllO23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - E:\Program Files\Avira\AntiVir Desktop\sched.exeO23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - E:\Program Files\Avira\AntiVir Desktop\avguard.exeO23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exeO23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exeO23 - Service: Cisco Systems, Inc. Installer service (CiscoVpnInstallService) - Unknown owner - C:\DOCUME~1\Jon\LOCALS~1\Temp\WZSE0.TMP\INSTAL~1.EXE (file missing)O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - E:\Program Files\Cisco Systems\VPN Client\cvpnd.exeO23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exeO23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exeO23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exeO23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - E:\Program Files\Java\jre6\bin\jqs.exeO23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exeO23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exeO23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exeO23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exeO23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - E:\Program Files\WinPcap\rpcapd.exe (file missing)O23 - Service: WUSB54GCSVC - GEMTEKS - E:\Program Files\Linksys\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe--End of file - 10982 bytes Link to post Share on other sites More sharing options...
Bio-Hazard Posted June 4, 2009 ID:86536 Share Posted June 4, 2009 Hello!Sorry for the delay.(oh and btw, what does OTM actually do?)We use it tp remove malware entries ir entries that are not needed. Disable TeatimerPlease disable Teatimer as it may interfere with the fix.If you have version 1.6, right click the Spybot Icon in the system tray near the clock (looks like a blue/white calendar with a padlock symbol).Click once on Resident Protection, then right click the Spybot icon again and make sure Resident Protection is now Unchecked. The Spybot icon in the System tray should now be now colorless.Go to Start > All Programs > Spybot - Search & Destroy > Spybot Search & Destroy.Click on Mode > Advanced Mode. When it prompts you, click Yes.On the left hand side, click on Tools.Check this box if it is not yet ticked: Resident.You will notice that Resident is now added under Tools. Click on Resident.Uncheck this box: Resident "TeaTimer" (Protection of over-all system settings) active.Exit Spybot Search & Destroy.Reboot your machine for the changes to take effect.Once your log is clean you can re-enable those settings in TeaTimer.OTMDouble-click OTM.exe to run it.Copy the lines in the codebox below.:Processesexplorer.exe :FilesD:\Jon's PC\Monsterkill\Installers\LegionD:\Program Files\LegionE:\Programs\legionE:\Programs\legion.zipE:\Programs\melgibs.rarE:\Programs\Nero.zip :Commands[emptytemp][start explorer][Reboot]Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.Click the red Moveit! button.OTM may ask to reboot the machine. Please do so if asked.Copy everything in the Results window (under the green bar), and paste it in your next reply.Close OTMLogs/Information to Post in Next ReplyPlease post the following logs/Information in your reply:OTM logA fresh HijackThis Log ( after all the above has been done)A description of how your computer is behaving Link to post Share on other sites More sharing options...
Gigabeef Posted June 4, 2009 Author ID:86614 Share Posted June 4, 2009 For some reason, OTM won't run. It starts a process at 50% CPU but never actually gets anywhere. I re-downloaded a fresh copy and tried renaming it but neither of those worked. Link to post Share on other sites More sharing options...
Bio-Hazard Posted June 4, 2009 ID:86725 Share Posted June 4, 2009 Hello!If you still have Combofix on your computer, delete that version and download a new version from here:Link 1Link 2Link 3Here you can find a tutorial about Combofix: HOW TO USE COMBOFIXPlease run it and post a log for me to see. Link to post Share on other sites More sharing options...
Gigabeef Posted June 4, 2009 Author ID:86747 Share Posted June 4, 2009 Here it is:ComboFix 09-06-04.04 - Jon 04/06/2009 21:39.2 - NTFSx86Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.3582.3028 [GMT 1:00]Running from: c:\documents and settings\Jon\Desktop\ComboFix.exeAV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}FW: ZoneAlarm Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}.((((((((((((((((((((((((( Files Created from 2009-05-04 to 2009-06-04 ))))))))))))))))))))))))))))))).2009-06-04 20:24 . 2009-06-04 20:24 -------- d-----w- e:\program files\Mozilla Plugins2009-06-04 20:24 . 2009-06-04 20:24 -------- d-----w- e:\program files\iTunesMiniPlayer.Resources2009-06-04 20:24 . 2009-06-04 20:24 -------- d-----w- e:\program files\iTunesHelper.Resources2009-06-04 20:24 . 2009-06-04 20:24 -------- d-----w- e:\program files\iTunes.Resources2009-06-04 20:24 . 2009-06-04 20:24 -------- d-----w- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}2009-06-04 20:24 . 2009-06-04 20:24 -------- d-----w- e:\program files\CD Configuration2009-06-04 20:18 . 2009-06-04 20:18 75048 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.2.0.23\SetupAdmin.exe2009-06-04 09:06 . 2009-06-04 09:06 -------- d-----w- c:\program files\Common Files\Adobe AIR2009-05-30 11:30 . 2009-05-30 11:30 265000 ----a-w- e:\program files\iTunesPhotoProcessor.exe2009-05-30 11:30 . 2009-05-30 11:30 384808 ----a-w- e:\program files\iTunesAdmin.dll2009-05-30 11:30 . 2009-05-30 11:30 292136 ----a-w- e:\program files\iTunesHelper.exe2009-05-30 11:30 . 2009-05-30 11:30 285184 ----a-w- e:\program files\iTunesOutlookAddIn.dll2009-05-30 11:30 . 2009-05-30 11:30 124200 ----a-w- e:\program files\iTunesMiniPlayer.dll2009-05-30 11:30 . 2009-05-30 11:30 14073640 ----a-w- e:\program files\iTunes.exe2009-05-30 11:30 . 2009-05-30 11:30 722160 ----a-w- e:\program files\CDDBControlApple.dll2009-05-30 11:30 . 2009-05-30 11:30 643072 ----a-w- e:\program files\iPodUpdaterExt.dll2009-05-29 00:51 . 2009-05-29 00:51 -------- d-----w- C:\_OTM2009-05-27 09:38 . 2009-05-27 09:38 3371383 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe2009-05-24 18:53 . 2009-05-24 18:53 -------- d-----w- c:\documents and settings\Jon\Local Settings\Application Data\vdownloader2009-05-24 18:53 . 2009-05-24 18:53 -------- d-----w- e:\program files\VDOWNLOADER2009-05-21 22:51 . 2009-05-21 22:51 41808 ----a-w- c:\windows\system32\xfcodec.dll2009-05-19 14:11 . 2009-03-30 09:33 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys2009-05-19 14:11 . 2009-03-24 15:08 55640 ----a-w- c:\windows\system32\drivers\avgntflt.sys2009-05-19 14:11 . 2009-02-13 11:29 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys2009-05-19 14:11 . 2009-02-13 11:17 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys2009-05-19 14:11 . 2009-05-19 14:11 -------- d-----w- e:\program files\Avira2009-05-19 14:11 . 2009-05-19 14:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira2009-05-19 14:09 . 2009-05-19 14:09 -------- d-----w- e:\program files\Trend Micro2009-05-19 13:55 . 2009-05-26 12:19 19096 ----a-w- c:\windows\system32\drivers\mbam.sys2009-05-19 13:54 . 2009-05-26 12:20 40160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys2009-05-19 10:41 . 2009-05-19 10:41 -------- d-----w- c:\documents and settings\Jon\Application Data\Malwarebytes2009-05-19 10:25 . 2009-05-27 09:38 -------- d-----w- e:\program files\Malwarebytes' Anti-Malware2009-05-19 10:25 . 2009-05-19 10:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes2009-05-18 17:44 . 2009-05-18 17:44 -------- d-----w- e:\program files\Graph2009-05-18 10:23 . 2009-05-19 11:43 -------- d-----w- e:\program files\Spybot - Search & Destroy2009-05-17 22:46 . 2009-05-19 11:31 -------- d-----w- e:\program files\Panda Security2009-05-17 20:29 . 2009-05-17 22:21 117760 ----a-w- c:\documents and settings\Jon\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL2009-05-17 20:28 . 2009-05-17 20:28 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com2009-05-17 20:24 . 2009-05-17 20:28 -------- d-----w- e:\program files\SUPERAntiSpyware2009-05-17 20:24 . 2009-05-17 20:24 -------- d-----w- c:\documents and settings\Jon\Application Data\SUPERAntiSpyware.com.(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))).2009-06-04 20:32 . 2007-03-07 21:03 -------- d-----w- c:\documents and settings\Jon\Application Data\Xfire2009-06-04 20:31 . 2009-03-27 16:45 -------- d-----w- c:\documents and settings\Jon\Application Data\nView_Wallpaper2009-06-04 20:24 . 2007-12-25 13:20 -------- d-----w- c:\program files\Common Files\Apple2009-06-04 20:08 . 2008-05-15 07:22 -------- d-----w- e:\program files\Diablo II2009-06-04 18:15 . 2009-05-29 19:15 10254 ----a-w- c:\windows\system32\Fxxplfnt.tmp2009-06-04 10:09 . 2007-03-07 22:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy2009-06-04 09:05 . 2007-03-09 20:11 -------- d-----w- c:\program files\Common Files\Adobe2009-06-01 18:53 . 2007-10-17 13:30 64 ----a-w- c:\windows\popcinfot.dat2009-05-30 11:30 . 2009-05-30 11:30 111912 ----a-w- e:\program files\ITDetector.ocx2009-05-30 11:30 . 2009-05-30 11:30 8356 ----a-w- e:\program files\Acknowledgements.rtf2009-05-28 17:31 . 2008-01-24 23:07 -------- d-s---w- e:\program files\Xfire2009-05-20 07:17 . 2008-12-31 00:00 -------- d-----w- e:\program files\Cain2009-05-18 17:25 . 2007-03-08 07:11 75584 ----a-w- c:\documents and settings\Jon\Local Settings\Application Data\GDIPFONTCACHEV1.DAT2009-05-17 20:24 . 2007-10-19 12:53 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard2009-05-15 00:31 . 2007-09-30 22:17 138920 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys2009-05-15 00:31 . 2007-09-30 22:16 189072 ----a-w- c:\windows\system32\PnkBstrB.exe2009-05-15 00:28 . 2008-11-13 17:56 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP2009-05-13 18:49 . 2008-06-22 15:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help2009-05-04 11:37 . 2009-03-27 10:20 8 ----a-w- c:\windows\system32\nvModes.dat2009-04-22 22:47 . 2007-04-29 12:49 -------- d-----w- c:\documents and settings\Jon\Application Data\uTorrent2009-04-21 23:20 . 2009-04-21 23:20 14311680 ----a-w- c:\windows\system32\xlive.dll2009-04-21 23:20 . 2009-04-21 23:20 13642496 ----a-w- c:\windows\system32\xlivefnt.dll2009-04-20 23:00 . 2009-04-20 23:00 -------- d-----w- e:\program files\NDSROM Player2009-04-11 02:14 . 2008-01-30 15:49 -------- d--h--w- e:\program files\InstallShield Installation Information2009-04-10 21:20 . 2009-04-10 21:20 -------- d-----w- c:\documents and settings\All Users\Application Data\FLEXnet2009-04-10 21:11 . 2009-04-10 21:11 -------- d-----w- e:\program files\Adobe Media Player2009-04-10 21:01 . 2009-04-10 21:01 -------- d-----w- c:\program files\Common Files\Macrovision Shared2009-04-10 20:45 . 2008-04-28 15:13 -------- d-----w- c:\documents and settings\All Users\Application Data\TrackMania2009-04-09 17:53 . 2009-04-09 17:53 -------- d-----w- c:\documents and settings\Jon\Application Data\Launchy2009-04-09 17:53 . 2009-04-09 17:53 -------- d-----w- e:\program files\Launchy2009-03-30 18:22 . 2009-03-30 18:18 34 ----a-w- c:\documents and settings\Jon\jagex_runescape_preferences.dat2009-03-28 12:48 . 2007-03-27 17:18 444952 ----a-w- c:\windows\system32\wrap_oal.dll2009-03-28 12:48 . 2007-03-27 17:18 109080 ----a-w- c:\windows\system32\OpenAL32.dll2009-03-27 18:08 . 2009-03-27 18:08 29696 ----a-w- c:\windows\mickey32.dll2009-03-27 18:08 . 2009-03-27 18:08 232784 ----a-w- c:\windows\Matrix Code.scr2009-03-27 18:08 . 2009-03-27 18:08 2285222 ----a-w- c:\windows\Matrix Code.exe2009-03-19 15:32 . 2009-03-19 15:32 23400 ----a-w- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}\x86\x86\GEARAspiWDM.sys2009-03-19 15:32 . 2008-01-29 11:01 23400 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys2009-03-14 20:50 . 2009-03-14 20:50 20747 ----a-w- c:\windows\system32\drivers\AegisP.sys2009-01-31 17:59 . 2009-01-31 17:59 1112041813 ----a-w- e:\program files\MSSetup.exe.((((((((((((((((((((((((((((( SnapShot@2009-05-27_00.24.21 ))))))))))))))))))))))))))))))))))))))))).+ 2009-06-04 20:30 . 2009-06-04 20:30 16384 c:\windows\Temp\Perflib_Perfdata_370.dat+ 2009-06-04 20:30 . 2009-06-04 20:30 16384 c:\windows\Temp\Perflib_Perfdata_358.dat+ 2009-06-04 20:20 . 2009-05-29 12:36 39424 c:\windows\system32\DRVSTORE\usbaapl_872A2434B7205D4BD84BBE53811BDCE15F347D5B\usbaapl.sys+ 2009-06-04 20:20 . 2009-05-29 12:36 17408 c:\windows\system32\DRVSTORE\netaapl_F433E854B3FF3BEE74986FDE8E16A64162342BFF\netaapl.sys+ 2009-06-04 20:24 . 2009-03-19 15:32 23400 c:\windows\system32\DRVSTORE\GEARAspiWD_F475AF659D36685632E9BD97B57E9D9661FF3FFD\x86\GEARAspiWDM.sys- 2008-08-29 08:53 . 2008-08-29 08:53 61440 c:\windows\system32\dnssd.dll+ 2008-12-12 10:11 . 2008-12-12 10:11 61440 c:\windows\system32\dnssd.dll- 2008-08-29 09:18 . 2008-08-29 09:18 87336 c:\windows\system32\dns-sd.exe+ 2008-12-12 10:18 . 2008-12-12 10:18 87336 c:\windows\system32\dns-sd.exe+ 2009-06-04 20:16 . 2009-06-04 20:16 86016 c:\windows\Installer\{07287123-B8AC-41CE-8346-3D777245C35B}\PrntWzrdIco.exe- 2008-01-29 11:02 . 2008-04-17 12:12 107368 c:\windows\system32\GEARAspi.dll+ 2008-01-29 11:02 . 2008-04-17 11:12 107368 c:\windows\system32\GEARAspi.dll+ 2009-06-04 20:24 . 2008-04-17 11:12 107368 c:\windows\system32\DRVSTORE\GEARAspiWD_F475AF659D36685632E9BD97B57E9D9661FF3FFD\x86\GEARAspi.dll+ 2009-06-04 20:25 . 2009-06-04 20:25 102400 c:\windows\Installer\{CC5702D7-86E2-45A8-99D7-E8B976ADCC56}\iTunesIco.exe+ 2009-06-04 20:17 . 2009-06-04 20:17 307200 c:\windows\Installer\{9C48DCA4-00C2-449C-88D8-B1EE1692B44F}\SafariIco.exe+ 2009-06-04 20:20 . 2009-05-29 12:36 2060288 c:\windows\system32\DRVSTORE\usbaapl_872A2434B7205D4BD84BBE53811BDCE15F347D5B\usbaaplrc.dll+ 2009-06-04 20:20 . 2009-05-29 12:36 1419232 c:\windows\system32\DRVSTORE\netaapl_F433E854B3FF3BEE74986FDE8E16A64162342BFF\wdfcoinstaller01005.dll.((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))..*Note* empty entries & legit default entries are not shown REGEDIT4[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]"NVIDIA nTune"="c:\program files\NVIDIA Corporation\nTune\nTuneCmd.exe" [2007-09-04 81920]"Steam"="c:\program files\valve\steam\steam.exe" [2009-05-19 1217784]"Google Update"="c:\documents and settings\Jon\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-09-02 133104][HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-02-18 13680640]"JMB36X IDE Setup"="c:\windows\RaidTool\xInsIDE.exe" [2007-03-20 36864]"36X Raid Configurer"="c:\windows\system32\xRaidSetup.exe" [2007-05-25 1953792]"Copperhead"="e:\program files\Razer\Copperhead\razerhid.exe" [2005-11-25 155648]"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-02-18 86016]"avgnt"="e:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-05-13 177472]"iTunesHelper"="e:\program files\iTunesHelper.exe" [2009-05-30 292136]"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2009-02-18 1657376]"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2007-07-05 16380416]c:\documents and settings\Jon\Start Menu\Programs\Startup\Xfire.lnk - e:\program files\Xfire\Xfire.exe [2009-5-21 3171664]c:\documents and settings\All Users\Start Menu\Programs\Startup\Launchy.lnk - e:\program files\Launchy\Launchy.exe [2009-4-9 286720]VPN Client.lnk - c:\windows\Installer\{4C271126-C295-4828-A901-5910AE0C258B}\Icon3E5562ED7.ico [2009-1-2 6144][HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]"NoSMHelp"= 01000000[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "e:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824][HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]2008-12-22 11:05 356352 ----a-w- e:\program files\SUPERAntiSpyware\SASWINLO.dll[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnkbackup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Synchronizer.lnkbackup=c:\windows\pss\Adobe Reader Synchronizer.lnkCommon Startup[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AutoUpdate Monitor.lnk]path=c:\documents and settings\All Users\Start Menu\Programs\Startup\AutoUpdate Monitor.lnkbackup=c:\windows\pss\AutoUpdate Monitor.lnkCommon Startup[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Run Google Web Accelerator.lnk]path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Run Google Web Accelerator.lnkbackup=c:\windows\pss\Run Google Web Accelerator.lnkCommon Startup[HKLM\~\startupfolder\C:^Documents and Settings^Jon^Start Menu^Programs^Startup^Folding@Home 5.03.lnk]path=c:\documents and settings\Jon\Start Menu\Programs\Startup\Folding@Home 5.03.lnkbackup=c:\windows\pss\Folding@Home 5.03.lnkStartup[HKLM\~\startupfolder\C:^Documents and Settings^Jon^Start Menu^Programs^Startup^hamachi.lnk]path=c:\documents and settings\Jon\Start Menu\Programs\Startup\hamachi.lnkbackup=c:\windows\pss\hamachi.lnkStartup[HKLM\~\startupfolder\C:^Documents and Settings^Jon^Start Menu^Programs^Startup^Microsoft Office Groove.lnk]path=c:\documents and settings\Jon\Start Menu\Programs\Startup\Microsoft Office Groove.lnkbackup=c:\windows\pss\Microsoft Office Groove.lnkStartup[HKLM\~\startupfolder\C:^Documents and Settings^Jon^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]path=c:\documents and settings\Jon\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnkbackup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup[HKLM\~\startupfolder\C:^Documents and Settings^Jon^Start Menu^Programs^Startup^OpenOffice.org 2.1.lnk]path=c:\documents and settings\Jon\Start Menu\Programs\Startup\OpenOffice.org 2.1.lnkbackup=c:\windows\pss\OpenOffice.org 2.1.lnkStartup[HKLM\~\startupfolder\C:^Documents and Settings^Jon^Start Menu^Programs^Startup^OpenOffice.org 2.2.lnk]path=c:\documents and settings\Jon\Start Menu\Programs\Startup\OpenOffice.org 2.2.lnkbackup=c:\windows\pss\OpenOffice.org 2.2.lnkStartup[HKLM\~\startupfolder\C:^Documents and Settings^Jon^Start Menu^Programs^Startup^RAR Password Cracker.lnk]path=c:\documents and settings\Jon\Start Menu\Programs\Startup\RAR Password Cracker.lnkbackup=c:\windows\pss\RAR Password Cracker.lnkStartup[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]"vsmon"=2 (0x2)[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]"DisableMonitoring"=dword:00000001[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]"EnableFirewall"= 0 (0x0)[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]"%windir%\\system32\\sessmgr.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe"="c:\\Program Files\\THQ\\Gas Powered Games\\Supreme Commander\\bin\\SupremeCommander.exe"="c:\\Program Files\\THQ\\Gas Powered Games\\GPGNet\\GPG.Multiplayer.Client.exe"="c:\\Program Files\\EA Games\\Battlefield 2\\BF2.exe"="e:\\Programs\\utorrent.exe"="c:\\Program Files\\Sierra Entertainment\\World in Conflict\\wic.exe"="c:\\Program Files\\Sierra Entertainment\\World in Conflict\\wic_online.exe"="c:\\Program Files\\Sierra Entertainment\\World in Conflict\\wic_ds.exe"="c:\\WINDOWS\\system32\\PnkBstrA.exe"="c:\\WINDOWS\\system32\\PnkBstrB.exe"="c:\\Program Files\\id Software\\Enemy Territory - QUAKE Wars\\etqwded.exe"="c:\\Program Files\\id Software\\Enemy Territory - QUAKE Wars\\etqw.exe"="c:\\Program Files\\Electronic Arts\\Crytek\\Crysis\\Bin32\\Crysis.exe"="c:\\Program Files\\Electronic Arts\\Crytek\\Crysis\\Bin32\\CrysisDedicatedServer.exe"="c:\\Program Files\\Empire Interactive\\Strangelite\\Starship Troopers\\STGame.exe"="c:\\Program Files\\Unreal Tournament 3\\Binaries\\UT3.exe"="c:\\Program Files\\Stardock Games\\Sins of a Solar Empire\\Sins of a Solar Empire.exe"="c:\\Program Files\\ICQ6\\ICQ.exe"="c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"="c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"="c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"="c:\\Program Files\\MSN Messenger\\msnmsgr.exe"="c:\\Program Files\\MSN Messenger\\livecall.exe"="e:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"="e:\\Program Files\\Activision\\Call of Duty - World at War\\CoDWaW.exe"="e:\\Program Files\\Activision\\Call of Duty - World at War\\CoDWaWmp.exe"="c:\\Program Files\\Valve\\Steam\\SteamApps\\common\\trackmania nations forever\\TmForever.exe"="c:\\Program Files\\Valve\\Steam\\SteamApps\\common\\trackmania nations forever\\TmForeverLauncher.exe"="c:\\Program Files\\Valve\\Steam\\SteamApps\\common\\peggle deluxe\\Peggle.exe"="c:\\Program Files\\Valve\\Steam\\SteamApps\\common\\peggle extreme\\PeggleExtreme.exe"="c:\\Program Files\\Valve\\Steam\\SteamApps\\common\\bioshock\\Builds\\Release\\Bioshock.exe"="e:\\Program Files\\Codemasters\\GRID\\GRID.exe"="c:\\Program Files\\Skype\\Phone\\Skype.exe"="c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"="c:\\Program Files\\Valve\\Steam\\SteamApps\\common\\left 4 dead\\left4dead.exe"="c:\\Program Files\\Valve\\Steam\\SteamApps\\common\\plants vs zombies\\PlantsVsZombies.exe"="e:\\Program Files\\Xfire\\Xfire.exe"="c:\\Program Files\\Valve\\Steam\\steam.exe"="c:\\Program Files\\Bonjour\\mDNSResponder.exe"="e:\\Program Files\\iTunes.exe"=[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]"5353:TCP"= 5353:TCP:Adobe CSI CS4R1 SASDIFSV;SASDIFSV;e:\program files\SUPERAntiSpyware\sasdifsv.sys [14/05/2009 14:22 9968]R1 SASKUTIL;SASKUTIL;e:\program files\SUPERAntiSpyware\SASKUTIL.SYS [14/05/2009 14:22 72944]R2 AntiVirSchedulerService;Avira AntiVir Scheduler;e:\program files\Avira\AntiVir Desktop\sched.exe [19/05/2009 15:11 108289]R3 UsbFltr;%SvcDisplayName%;c:\windows\system32\drivers\copperhd.sys [25/02/2008 17:18 11596]S2 CiscoVpnInstallService;Cisco Systems, Inc. Installer service;c:\docume~1\Jon\LOCALS~1\Temp\WZSE0.TMP\INSTAL~1.EXE --> c:\docume~1\Jon\LOCALS~1\Temp\WZSE0.TMP\INSTAL~1.EXE [?]S3 cpuz;cpuz;\??\c:\docume~1\Jon\LOCALS~1\Temp\cpuz.sys --> c:\docume~1\Jon\LOCALS~1\Temp\cpuz.sys [?]S3 Razerlow;Razer Copperhead Driver;c:\windows\system32\drivers\Razerlow.sys [07/03/2007 21:38 19020]S3 SASENUM;SASENUM;e:\program files\SUPERAntiSpyware\SASENUM.SYS [14/05/2009 14:22 7408].Contents of the 'Scheduled Tasks' folder2009-06-04 c:\windows\Tasks\AppleSoftwareUpdate.job- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]2009-06-04 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1078081533-1177238915-725345543-1004.job- c:\documents and settings\Jon\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-02 21:43]..------- Supplementary Scan -------.uStart Page = hxxp://www.google.com/uInternet Settings,ProxyOverride = *.localIE: &Download FLV by WinAVI... - c:\program files\WinAVI FLV Converter\flv_link.htmIE: &Save Flash In This Page by Flash Saver - c:\progra~1\FLASHS~1\save.htmIE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000IE: {{DE365254-2F9B-4908-9E3A-7AAA6EC90BCC} - {EC83A912-7EF4-410D-9CC7-3BDAA709CA71} - c:\program files\WinAVI FLV Converter\FLVTune.dllDPF: {F8C5C0F1-D884-43EB-A5A0-9E1C4A102FA8} - hxxps://secure.gopetslive.com/dev/GoPetsWeb.cabFF - ProfilePath - c:\documents and settings\Jon\Application Data\Mozilla\Firefox\Profiles\lyluhf4c.default\FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/FF - plugin: c:\documents and settings\All Users\Application Data\id Software\QuakeLive\npquakezero.dllFF - plugin: c:\documents and settings\All Users\Application Data\Zylom\ZylomGamesPlayer\npzylomgamesplayer.dllFF - plugin: c:\documents and settings\Jon\Local Settings\Application Data\Google\Update\1.2.145.5\npGoogleOneClick8.dllFF - plugin: c:\program files\DivX\DivX Player\npDivxPlayerPlugin.dllFF - plugin: c:\program files\DivX\DivX Web Player\npdivx32.dllFF - plugin: c:\program files\QuickTime\Plugins\npqtplugin.dllFF - plugin: c:\program files\QuickTime\Plugins\npqtplugin2.dllFF - plugin: c:\program files\QuickTime\Plugins\npqtplugin3.dllFF - plugin: c:\program files\QuickTime\Plugins\npqtplugin4.dllFF - plugin: c:\program files\QuickTime\Plugins\npqtplugin5.dllFF - plugin: c:\program files\QuickTime\Plugins\npqtplugin6.dllFF - plugin: c:\program files\QuickTime\Plugins\npqtplugin7.dllFF - plugin: c:\program files\Real\RealPlayer\Netscape6\nppl3260.dllFF - plugin: c:\program files\Real\RealPlayer\Netscape6\nprjplug.dllFF - plugin: c:\program files\Real\RealPlayer\Netscape6\nprpjplug.dllFF - plugin: c:\windows\system32\DNAML\npdbplug.dllFF - plugin: e:\program files\Dyyno\Dyyno Player\npvlc.dllFF - plugin: e:\program files\Mozilla Firefox\plugins\npdeploytk.dllFF - plugin: e:\program files\Mozilla Firefox\plugins\npdivx32.dllFF - plugin: e:\program files\Mozilla Firefox\plugins\npDivxPlayerPlugin.dllFF - plugin: e:\program files\Mozilla Firefox\plugins\npnul32.dllFF - plugin: e:\program files\Mozilla Firefox\plugins\nppdf32.dllFF - plugin: e:\program files\Mozilla Firefox\plugins\NPSWF32.dllFF - plugin: e:\program files\Mozilla Plugins\npitunes.dll---- FIREFOX POLICIES ----FF - user.js: capability.policy.policynames - localfilelinksFF - user.js: capability.policy.localfilelinks.sites - hxxp://s1.travian.com http://s2.travian.com http://s3.travian.com http://s4.travian.com http://s5.travian.com http://s6.travian.com http://s7.travian.com http://s8.travian.com http://s9.travian.com http://s10.travian.com http://speed.travian.com http://s1.travian.us http://s2.travian.us http://s3.travian.us http://s4.travian.us http://s5.travian.us http://s6.travian.us http://s7.travian.us http://s8.travian.us http://s9.travian.us http://s10.travian.us http://speed.travian.us http://s1.travian.co.uk http://s2.travian.co.uk http://s3.travian.co.uk http://s4.travian.co.uk http://s5.travian.co.uk http://s6.travian.co.uk http://s7.travian.co.uk http://s8.travian.co.uk http://s9.travian.co.uk http://s10.travian.co.uk http://speed.travian.co.ukFF - user.js: capability.policy.localfilelinks.checkloaduri.enabled - allAccess.**************************************************************************catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.netRootkit scan 2009-06-04 21:42Windows 5.1.2600 Service Pack 3 NTFSscanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfullyhidden files: 0**************************************************************************.--------------------- LOCKED REGISTRY KEYS ---------------------[HKEY_USERS\S-1-5-21-1078081533-1177238915-725345543-1004\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]"??"=hex:1b,97,f7,36,1d,32,7f,c1,a9,e6,d8,3e,d3,6a,d4,60,87,c5,28,ac,bd,d6,37, be,b8,05,1f,5b,70,25,1b,44,53,3a,2b,11,6c,fb,c0,36,21,98,0d,68,9d,a0,cd,0a,\"??"=hex:a1,5e,47,db,25,65,bb,27,8b,92,55,34,10,3f,d9,49[HKEY_USERS\S-1-5-21-1078081533-1177238915-725345543-1004\Software\SecuROM\License information*]"datasecu"=hex:00,8d,86,a8,28,10,51,47,be,fe,54,c3,f9,54,d4,79,ee,8e,c8,41,a9, 45,08,99,89,de,3d,2f,34,9e,4b,dc,34,28,4d,80,1a,fe,16,fa,d2,1c,4c,ae,6e,c8,\"rkeysecu"=hex:01,86,db,5f,b7,b8,88,cd,4e,8c,80,c6,fe,ea,5d,8e.--------------------- DLLs Loaded Under Running Processes ---------------------- - - - - - - > 'winlogon.exe'(1204)e:\program files\SUPERAntiSpyware\SASWINLO.dll- - - - - - - > 'explorer.exe'(3792)c:\windows\system32\nview.dllc:\windows\system32\NVWRSENG.DLLc:\windows\system32\WPDShServiceObj.dllc:\windows\system32\PortableDeviceTypes.dllc:\windows\system32\PortableDeviceApi.dllc:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll.Completion time: 2009-06-04 21:44ComboFix-quarantined-files.txt 2009-06-04 20:44ComboFix2.txt 2009-05-27 00:28Pre-Run: 15,497,240,576 bytes freePost-Run: 15,598,944,256 bytes free319 --- E O F --- 2009-05-16 01:00 Link to post Share on other sites More sharing options...
Bio-Hazard Posted June 5, 2009 ID:86918 Share Posted June 5, 2009 Run CFScriptClose any open browsers.Open Notepad by click startClick RunType notepad into the box and click enterNotepad will openCopy and Paste everything from the Code box into Notepad:File::c:\windows\system32\Fxxplfnt.tmpE:\Programs\legion.zipE:\Programs\melgibs.rarE:\Programs\Nero.zip Folder::D:\Jon's PC\Monsterkill\Installers\LegionD:\Program Files\LegionE:\Programs\legionSave this as CFScript.txt, in the same location as ComboFix.exe (on your desktop)Refering to the picture above, drag CFScript into ComboFix.exeWhen finished, it shall produce a log for you at C:\ComboFix.txtNOTE: Do not mouseclick combofix's window whilst it's running. That may cause it to stall it.Next ReplyPlease reply with:ComboFix log (found at C:\Combofix.txt)New HijackThis logA description of how your computer is behaving Link to post Share on other sites More sharing options...
Gigabeef Posted June 5, 2009 Author ID:86935 Share Posted June 5, 2009 There aren't any real problems with my computer in general. There are a few small things - I left it on overnight and in the morning each time I right clicked to bring up the menu, the buttons wouldn't appear until I had moved over the options with the mouse cursor.Also, when combofix ran, it stopped a couple of things that it didn't before (such as launchy and part of the Razer mouse config).Apart from that there is no loss in functionality and everything is running totally as normal.Combofix log:ComboFix 09-06-04.04 - Jon 05/06/2009 10:58.3 - NTFSx86Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.3582.3008 [GMT 1:00]Running from: c:\documents and settings\Jon\Desktop\ComboFix.exeCommand switches used :: c:\documents and settings\Jon\Desktop\CFScript.txtAV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}FW: ZoneAlarm Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}FILE ::"c:\windows\system32\Fxxplfnt.tmp""e:\programs\legion.zip""e:\programs\melgibs.rar""e:\programs\Nero.zip".((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))).c:\windows\system32\Fxxplfnt.tmpd:\jon's pc\Monsterkill\Installers\Legiond:\jon's pc\Monsterkill\Installers\Legion\APIGID32.DL_d:\jon's pc\Monsterkill\Installers\Legion\AsycFilt.dl_d:\jon's pc\Monsterkill\Installers\Legion\BruteForce.ex_d:\jon's pc\Monsterkill\Installers\Legion\Chrono.dl_d:\jon's pc\Monsterkill\Installers\Legion\ComCat.dl_d:\jon's pc\Monsterkill\Installers\Legion\COMCTL32.OC_d:\jon's pc\Monsterkill\Installers\Legion\COMDLG32.OC_d:\jon's pc\Monsterkill\Installers\Legion\Ctl3d32.dl_d:\jon's pc\Monsterkill\Installers\Legion\Legion.ex_d:\jon's pc\Monsterkill\Installers\Legion\MSVBVM50.dl_d:\jon's pc\Monsterkill\Installers\Legion\OleAut32.dl_d:\jon's pc\Monsterkill\Installers\Legion\OlePro32.dl_d:\jon's pc\Monsterkill\Installers\Legion\README.tx_d:\jon's pc\Monsterkill\Installers\Legion\scandll2.dl_d:\jon's pc\Monsterkill\Installers\Legion\SETUP.EXEd:\jon's pc\Monsterkill\Installers\Legion\SETUP.LSTd:\jon's pc\Monsterkill\Installers\Legion\setup1.ex_d:\jon's pc\Monsterkill\Installers\Legion\ST5UNST.EX_d:\jon's pc\Monsterkill\Installers\Legion\StdOle2.tl_d:\jon's pc\Monsterkill\Installers\Legion\VB5StKit.dl_d:\program files\Legiond:\program files\Legion\APIGID32.DLLd:\program files\Legion\Legion.exed:\program files\Legion\README.txtd:\program files\Legion\scandll2.dlld:\program files\Legion\ST5UNST.LOGe:\programs\legione:\programs\legion.zipe:\programs\legion\APIGID32.DL_e:\programs\legion\AsycFilt.dl_e:\programs\legion\BruteForce.ex_e:\programs\legion\Chrono.dl_e:\programs\legion\ComCat.dl_e:\programs\legion\COMCTL32.OC_e:\programs\legion\COMDLG32.OC_e:\programs\legion\Ctl3d32.dl_e:\programs\legion\Legion.ex_e:\programs\legion\MSVBVM50.dl_e:\programs\legion\NetTools.ex_e:\programs\legion\OleAut32.dl_e:\programs\legion\OlePro32.dl_e:\programs\legion\README.tx_e:\programs\legion\scandll2.dl_e:\programs\legion\SETUP.EXEe:\programs\legion\SETUP.LSTe:\programs\legion\setup1.ex_e:\programs\legion\ST5UNST.EX_e:\programs\legion\StdOle2.tl_e:\programs\legion\VB5StKit.dl_e:\programs\melgibs.rare:\programs\Nero.zip.((((((((((((((((((((((((( Files Created from 2009-05-05 to 2009-06-05 ))))))))))))))))))))))))))))))).2009-06-05 08:52 . 2009-06-05 08:52 -------- d-----w- e:\program files\Safer Networking2009-06-04 20:24 . 2009-06-04 20:24 -------- d-----w- e:\program files\Mozilla Plugins2009-06-04 20:24 . 2009-06-04 20:24 -------- d-----w- e:\program files\iTunesMiniPlayer.Resources2009-06-04 20:24 . 2009-06-04 20:24 -------- d-----w- e:\program files\iTunesHelper.Resources2009-06-04 20:24 . 2009-06-04 20:24 -------- d-----w- e:\program files\iTunes.Resources2009-06-04 20:24 . 2009-06-04 20:24 -------- d-----w- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}2009-06-04 20:24 . 2009-06-04 20:24 -------- d-----w- e:\program files\CD Configuration2009-06-04 20:18 . 2009-06-04 20:18 75048 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.2.0.23\SetupAdmin.exe2009-06-04 09:06 . 2009-06-04 09:06 -------- d-----w- c:\program files\Common Files\Adobe AIR2009-05-30 11:30 . 2009-05-30 11:30 265000 ----a-w- e:\program files\iTunesPhotoProcessor.exe2009-05-30 11:30 . 2009-05-30 11:30 384808 ----a-w- e:\program files\iTunesAdmin.dll2009-05-30 11:30 . 2009-05-30 11:30 292136 ----a-w- e:\program files\iTunesHelper.exe2009-05-30 11:30 . 2009-05-30 11:30 285184 ----a-w- e:\program files\iTunesOutlookAddIn.dll2009-05-30 11:30 . 2009-05-30 11:30 124200 ----a-w- e:\program files\iTunesMiniPlayer.dll2009-05-30 11:30 . 2009-05-30 11:30 14073640 ----a-w- e:\program files\iTunes.exe2009-05-30 11:30 . 2009-05-30 11:30 722160 ----a-w- e:\program files\CDDBControlApple.dll2009-05-30 11:30 . 2009-05-30 11:30 643072 ----a-w- e:\program files\iPodUpdaterExt.dll2009-05-29 00:51 . 2009-05-29 00:51 -------- d-----w- C:\_OTM2009-05-27 09:38 . 2009-05-27 09:38 3371383 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe2009-05-24 18:53 . 2009-05-24 18:53 -------- d-----w- c:\documents and settings\Jon\Local Settings\Application Data\vdownloader2009-05-24 18:53 . 2009-05-24 18:53 -------- d-----w- e:\program files\VDOWNLOADER2009-05-21 22:51 . 2009-05-21 22:51 41808 ----a-w- c:\windows\system32\xfcodec.dll2009-05-19 14:11 . 2009-03-30 09:33 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys2009-05-19 14:11 . 2009-03-24 15:08 55640 ----a-w- c:\windows\system32\drivers\avgntflt.sys2009-05-19 14:11 . 2009-02-13 11:29 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys2009-05-19 14:11 . 2009-02-13 11:17 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys2009-05-19 14:11 . 2009-05-19 14:11 -------- d-----w- e:\program files\Avira2009-05-19 14:11 . 2009-05-19 14:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira2009-05-19 14:09 . 2009-05-19 14:09 -------- d-----w- e:\program files\Trend Micro2009-05-19 13:55 . 2009-05-26 12:19 19096 ----a-w- c:\windows\system32\drivers\mbam.sys2009-05-19 13:54 . 2009-05-26 12:20 40160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys2009-05-19 10:41 . 2009-05-19 10:41 -------- d-----w- c:\documents and settings\Jon\Application Data\Malwarebytes2009-05-19 10:25 . 2009-05-27 09:38 -------- d-----w- e:\program files\Malwarebytes' Anti-Malware2009-05-19 10:25 . 2009-05-19 10:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes2009-05-18 17:44 . 2009-05-18 17:44 -------- d-----w- e:\program files\Graph2009-05-18 10:23 . 2009-05-19 11:43 -------- d-----w- e:\program files\Spybot - Search & Destroy2009-05-17 22:46 . 2009-05-19 11:31 -------- d-----w- e:\program files\Panda Security2009-05-17 20:29 . 2009-05-17 22:21 117760 ----a-w- c:\documents and settings\Jon\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL2009-05-17 20:28 . 2009-05-17 20:28 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com2009-05-17 20:24 . 2009-05-17 20:28 -------- d-----w- e:\program files\SUPERAntiSpyware2009-05-17 20:24 . 2009-05-17 20:24 -------- d-----w- c:\documents and settings\Jon\Application Data\SUPERAntiSpyware.com.(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))).2009-06-05 09:34 . 2008-12-31 00:00 -------- d-----w- e:\program files\Cain2009-06-05 00:38 . 2009-03-27 16:45 -------- d-----w- c:\documents and settings\Jon\Application Data\nView_Wallpaper2009-06-04 23:12 . 2008-05-15 07:22 -------- d-----w- e:\program files\Diablo II2009-06-04 20:32 . 2007-03-07 21:03 -------- d-----w- c:\documents and settings\Jon\Application Data\Xfire2009-06-04 20:24 . 2007-12-25 13:20 -------- d-----w- c:\program files\Common Files\Apple2009-06-04 10:09 . 2007-03-07 22:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy2009-06-04 09:05 . 2007-03-09 20:11 -------- d-----w- c:\program files\Common Files\Adobe2009-06-01 18:53 . 2007-10-17 13:30 64 ----a-w- c:\windows\popcinfot.dat2009-05-30 11:30 . 2009-05-30 11:30 111912 ----a-w- e:\program files\ITDetector.ocx2009-05-30 11:30 . 2009-05-30 11:30 8356 ----a-w- e:\program files\Acknowledgements.rtf2009-05-28 17:31 . 2008-01-24 23:07 -------- d-s---w- e:\program files\Xfire2009-05-18 17:25 . 2007-03-08 07:11 75584 ----a-w- c:\documents and settings\Jon\Local Settings\Application Data\GDIPFONTCACHEV1.DAT2009-05-17 20:24 . 2007-10-19 12:53 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard2009-05-15 00:31 . 2007-09-30 22:17 138920 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys2009-05-15 00:31 . 2007-09-30 22:16 189072 ----a-w- c:\windows\system32\PnkBstrB.exe2009-05-15 00:28 . 2008-11-13 17:56 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP2009-05-13 18:49 . 2008-06-22 15:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help2009-05-04 11:37 . 2009-03-27 10:20 8 ----a-w- c:\windows\system32\nvModes.dat2009-04-22 22:47 . 2007-04-29 12:49 -------- d-----w- c:\documents and settings\Jon\Application Data\uTorrent2009-04-21 23:20 . 2009-04-21 23:20 14311680 ----a-w- c:\windows\system32\xlive.dll2009-04-21 23:20 . 2009-04-21 23:20 13642496 ----a-w- c:\windows\system32\xlivefnt.dll2009-04-20 23:00 . 2009-04-20 23:00 -------- d-----w- e:\program files\NDSROM Player2009-04-11 02:14 . 2008-01-30 15:49 -------- d--h--w- e:\program files\InstallShield Installation Information2009-04-10 21:20 . 2009-04-10 21:20 -------- d-----w- c:\documents and settings\All Users\Application Data\FLEXnet2009-04-10 21:11 . 2009-04-10 21:11 -------- d-----w- e:\program files\Adobe Media Player2009-04-10 21:01 . 2009-04-10 21:01 -------- d-----w- c:\program files\Common Files\Macrovision Shared2009-04-10 20:45 . 2008-04-28 15:13 -------- d-----w- c:\documents and settings\All Users\Application Data\TrackMania2009-04-09 17:53 . 2009-04-09 17:53 -------- d-----w- c:\documents and settings\Jon\Application Data\Launchy2009-04-09 17:53 . 2009-04-09 17:53 -------- d-----w- e:\program files\Launchy2009-03-30 18:22 . 2009-03-30 18:18 34 ----a-w- c:\documents and settings\Jon\jagex_runescape_preferences.dat2009-03-28 12:48 . 2007-03-27 17:18 444952 ----a-w- c:\windows\system32\wrap_oal.dll2009-03-28 12:48 . 2007-03-27 17:18 109080 ----a-w- c:\windows\system32\OpenAL32.dll2009-03-27 18:08 . 2009-03-27 18:08 29696 ----a-w- c:\windows\mickey32.dll2009-03-27 18:08 . 2009-03-27 18:08 232784 ----a-w- c:\windows\Matrix Code.scr2009-03-27 18:08 . 2009-03-27 18:08 2285222 ----a-w- c:\windows\Matrix Code.exe2009-03-19 15:32 . 2009-03-19 15:32 23400 ----a-w- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}\x86\x86\GEARAspiWDM.sys2009-03-19 15:32 . 2008-01-29 11:01 23400 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys2009-03-14 20:50 . 2009-03-14 20:50 20747 ----a-w- c:\windows\system32\drivers\AegisP.sys2009-01-31 17:59 . 2009-01-31 17:59 1112041813 ----a-w- e:\program files\MSSetup.exe.((((((((((((((((((((((((((((( SnapShot@2009-05-27_00.24.21 ))))))))))))))))))))))))))))))))))))))))).+ 2009-06-04 20:30 . 2009-06-04 20:30 16384 c:\windows\Temp\Perflib_Perfdata_370.dat+ 2009-06-04 20:30 . 2009-06-04 20:30 16384 c:\windows\Temp\Perflib_Perfdata_358.dat+ 2009-06-04 20:20 . 2009-05-29 12:36 39424 c:\windows\system32\DRVSTORE\usbaapl_872A2434B7205D4BD84BBE53811BDCE15F347D5B\usbaapl.sys+ 2009-06-04 20:20 . 2009-05-29 12:36 17408 c:\windows\system32\DRVSTORE\netaapl_F433E854B3FF3BEE74986FDE8E16A64162342BFF\netaapl.sys+ 2009-06-04 20:24 . 2009-03-19 15:32 23400 c:\windows\system32\DRVSTORE\GEARAspiWD_F475AF659D36685632E9BD97B57E9D9661FF3FFD\x86\GEARAspiWDM.sys- 2008-08-29 08:53 . 2008-08-29 08:53 61440 c:\windows\system32\dnssd.dll+ 2008-12-12 10:11 . 2008-12-12 10:11 61440 c:\windows\system32\dnssd.dll- 2008-08-29 09:18 . 2008-08-29 09:18 87336 c:\windows\system32\dns-sd.exe+ 2008-12-12 10:18 . 2008-12-12 10:18 87336 c:\windows\system32\dns-sd.exe+ 2009-06-04 20:16 . 2009-06-04 20:16 86016 c:\windows\Installer\{07287123-B8AC-41CE-8346-3D777245C35B}\PrntWzrdIco.exe- 2008-01-29 11:02 . 2008-04-17 12:12 107368 c:\windows\system32\GEARAspi.dll+ 2008-01-29 11:02 . 2008-04-17 11:12 107368 c:\windows\system32\GEARAspi.dll+ 2009-06-04 20:24 . 2008-04-17 11:12 107368 c:\windows\system32\DRVSTORE\GEARAspiWD_F475AF659D36685632E9BD97B57E9D9661FF3FFD\x86\GEARAspi.dll+ 2009-06-04 20:25 . 2009-06-04 20:25 102400 c:\windows\Installer\{CC5702D7-86E2-45A8-99D7-E8B976ADCC56}\iTunesIco.exe+ 2009-06-04 20:17 . 2009-06-04 20:17 307200 c:\windows\Installer\{9C48DCA4-00C2-449C-88D8-B1EE1692B44F}\SafariIco.exe+ 2009-06-04 20:20 . 2009-05-29 12:36 2060288 c:\windows\system32\DRVSTORE\usbaapl_872A2434B7205D4BD84BBE53811BDCE15F347D5B\usbaaplrc.dll+ 2009-06-04 20:20 . 2009-05-29 12:36 1419232 c:\windows\system32\DRVSTORE\netaapl_F433E854B3FF3BEE74986FDE8E16A64162342BFF\wdfcoinstaller01005.dll.((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))..*Note* empty entries & legit default entries are not shown REGEDIT4[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]"NVIDIA nTune"="c:\program files\NVIDIA Corporation\nTune\nTuneCmd.exe" [2007-09-04 81920]"Steam"="c:\program files\valve\steam\steam.exe" [2009-05-19 1217784]"Google Update"="c:\documents and settings\Jon\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-09-02 133104][HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-02-18 13680640]"JMB36X IDE Setup"="c:\windows\RaidTool\xInsIDE.exe" [2007-03-20 36864]"36X Raid Configurer"="c:\windows\system32\xRaidSetup.exe" [2007-05-25 1953792]"Copperhead"="e:\program files\Razer\Copperhead\razerhid.exe" [2005-11-25 155648]"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-02-18 86016]"avgnt"="e:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-05-13 177472]"iTunesHelper"="e:\program files\iTunesHelper.exe" [2009-05-30 292136]"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2009-02-18 1657376]"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2007-07-05 16380416]c:\documents and settings\Jon\Start Menu\Programs\Startup\Xfire.lnk - e:\program files\Xfire\Xfire.exe [2009-5-21 3171664]c:\documents and settings\All Users\Start Menu\Programs\Startup\Launchy.lnk - e:\program files\Launchy\Launchy.exe [2009-4-9 286720]VPN Client.lnk - c:\windows\Installer\{4C271126-C295-4828-A901-5910AE0C258B}\Icon3E5562ED7.ico [2009-1-2 6144][HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]"NoSMHelp"= 01000000[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "e:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824][HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]2008-12-22 11:05 356352 ----a-w- e:\program files\SUPERAntiSpyware\SASWINLO.dll[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnkbackup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Synchronizer.lnkbackup=c:\windows\pss\Adobe Reader Synchronizer.lnkCommon Startup[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AutoUpdate Monitor.lnk]path=c:\documents and settings\All Users\Start Menu\Programs\Startup\AutoUpdate Monitor.lnkbackup=c:\windows\pss\AutoUpdate Monitor.lnkCommon Startup[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Run Google Web Accelerator.lnk]path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Run Google Web Accelerator.lnkbackup=c:\windows\pss\Run Google Web Accelerator.lnkCommon Startup[HKLM\~\startupfolder\C:^Documents and Settings^Jon^Start Menu^Programs^Startup^Folding@Home 5.03.lnk]path=c:\documents and settings\Jon\Start Menu\Programs\Startup\Folding@Home 5.03.lnkbackup=c:\windows\pss\Folding@Home 5.03.lnkStartup[HKLM\~\startupfolder\C:^Documents and Settings^Jon^Start Menu^Programs^Startup^hamachi.lnk]path=c:\documents and settings\Jon\Start Menu\Programs\Startup\hamachi.lnkbackup=c:\windows\pss\hamachi.lnkStartup[HKLM\~\startupfolder\C:^Documents and Settings^Jon^Start Menu^Programs^Startup^Microsoft Office Groove.lnk]path=c:\documents and settings\Jon\Start Menu\Programs\Startup\Microsoft Office Groove.lnkbackup=c:\windows\pss\Microsoft Office Groove.lnkStartup[HKLM\~\startupfolder\C:^Documents and Settings^Jon^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]path=c:\documents and settings\Jon\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnkbackup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup[HKLM\~\startupfolder\C:^Documents and Settings^Jon^Start Menu^Programs^Startup^OpenOffice.org 2.1.lnk]path=c:\documents and settings\Jon\Start Menu\Programs\Startup\OpenOffice.org 2.1.lnkbackup=c:\windows\pss\OpenOffice.org 2.1.lnkStartup[HKLM\~\startupfolder\C:^Documents and Settings^Jon^Start Menu^Programs^Startup^OpenOffice.org 2.2.lnk]path=c:\documents and settings\Jon\Start Menu\Programs\Startup\OpenOffice.org 2.2.lnkbackup=c:\windows\pss\OpenOffice.org 2.2.lnkStartup[HKLM\~\startupfolder\C:^Documents and Settings^Jon^Start Menu^Programs^Startup^RAR Password Cracker.lnk]path=c:\documents and settings\Jon\Start Menu\Programs\Startup\RAR Password Cracker.lnkbackup=c:\windows\pss\RAR Password Cracker.lnkStartup[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]"vsmon"=2 (0x2)[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]"DisableMonitoring"=dword:00000001[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]"%windir%\\system32\\sessmgr.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe"="c:\\Program Files\\THQ\\Gas Powered Games\\Supreme Commander\\bin\\SupremeCommander.exe"="c:\\Program Files\\THQ\\Gas Powered Games\\GPGNet\\GPG.Multiplayer.Client.exe"="c:\\Program Files\\EA Games\\Battlefield 2\\BF2.exe"="e:\\Programs\\utorrent.exe"="c:\\Program Files\\Sierra Entertainment\\World in Conflict\\wic.exe"="c:\\Program Files\\Sierra Entertainment\\World in Conflict\\wic_online.exe"="c:\\Program Files\\Sierra Entertainment\\World in Conflict\\wic_ds.exe"="c:\\WINDOWS\\system32\\PnkBstrA.exe"="c:\\WINDOWS\\system32\\PnkBstrB.exe"="c:\\Program Files\\id Software\\Enemy Territory - QUAKE Wars\\etqwded.exe"="c:\\Program Files\\id Software\\Enemy Territory - QUAKE Wars\\etqw.exe"="c:\\Program Files\\Electronic Arts\\Crytek\\Crysis\\Bin32\\Crysis.exe"="c:\\Program Files\\Electronic Arts\\Crytek\\Crysis\\Bin32\\CrysisDedicatedServer.exe"="c:\\Program Files\\Empire Interactive\\Strangelite\\Starship Troopers\\STGame.exe"="c:\\Program Files\\Unreal Tournament 3\\Binaries\\UT3.exe"="c:\\Program Files\\Stardock Games\\Sins of a Solar Empire\\Sins of a Solar Empire.exe"="c:\\Program Files\\ICQ6\\ICQ.exe"="c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"="c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"="c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"="c:\\Program Files\\MSN Messenger\\msnmsgr.exe"="c:\\Program Files\\MSN Messenger\\livecall.exe"="e:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"="e:\\Program Files\\Activision\\Call of Duty - World at War\\CoDWaW.exe"="e:\\Program Files\\Activision\\Call of Duty - World at War\\CoDWaWmp.exe"="c:\\Program Files\\Valve\\Steam\\SteamApps\\common\\trackmania nations forever\\TmForever.exe"="c:\\Program Files\\Valve\\Steam\\SteamApps\\common\\trackmania nations forever\\TmForeverLauncher.exe"="c:\\Program Files\\Valve\\Steam\\SteamApps\\common\\peggle deluxe\\Peggle.exe"="c:\\Program Files\\Valve\\Steam\\SteamApps\\common\\peggle extreme\\PeggleExtreme.exe"="c:\\Program Files\\Valve\\Steam\\SteamApps\\common\\bioshock\\Builds\\Release\\Bioshock.exe"="e:\\Program Files\\Codemasters\\GRID\\GRID.exe"="c:\\Program Files\\Skype\\Phone\\Skype.exe"="c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"="c:\\Program Files\\Valve\\Steam\\SteamApps\\common\\left 4 dead\\left4dead.exe"="c:\\Program Files\\Valve\\Steam\\SteamApps\\common\\plants vs zombies\\PlantsVsZombies.exe"="e:\\Program Files\\Xfire\\Xfire.exe"="c:\\Program Files\\Valve\\Steam\\steam.exe"="c:\\Program Files\\Bonjour\\mDNSResponder.exe"="e:\\Program Files\\iTunes.exe"=[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]"5353:TCP"= 5353:TCP:Adobe CSI CS4R1 SASDIFSV;SASDIFSV;e:\program files\SUPERAntiSpyware\sasdifsv.sys [14/05/2009 14:22 9968]R1 SASKUTIL;SASKUTIL;e:\program files\SUPERAntiSpyware\SASKUTIL.SYS [14/05/2009 14:22 72944]R2 AntiVirSchedulerService;Avira AntiVir Scheduler;e:\program files\Avira\AntiVir Desktop\sched.exe [19/05/2009 15:11 108289]R3 UsbFltr;%SvcDisplayName%;c:\windows\system32\drivers\copperhd.sys [25/02/2008 17:18 11596]S2 CiscoVpnInstallService;Cisco Systems, Inc. Installer service;c:\docume~1\Jon\LOCALS~1\Temp\WZSE0.TMP\INSTAL~1.EXE --> c:\docume~1\Jon\LOCALS~1\Temp\WZSE0.TMP\INSTAL~1.EXE [?]S3 cpuz;cpuz;\??\c:\docume~1\Jon\LOCALS~1\Temp\cpuz.sys --> c:\docume~1\Jon\LOCALS~1\Temp\cpuz.sys [?]S3 Razerlow;Razer Copperhead Driver;c:\windows\system32\drivers\Razerlow.sys [07/03/2007 21:38 19020]S3 SASENUM;SASENUM;e:\program files\SUPERAntiSpyware\SASENUM.SYS [14/05/2009 14:22 7408]--- Other Services/Drivers In Memory ---*Deregistered* - Themes*Deregistered* - TrkWks*Deregistered* - W32Time*Deregistered* - WebClient*Deregistered* - winmgmt*Deregistered* - wscsvc*Deregistered* - wuauserv*Deregistered* - WUSB54GCSVC*Deregistered* - WZCSVC.Contents of the 'Scheduled Tasks' folder2009-06-04 c:\windows\Tasks\AppleSoftwareUpdate.job- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]2009-06-05 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1078081533-1177238915-725345543-1004.job- c:\documents and settings\Jon\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-02 21:43]..------- Supplementary Scan -------.uStart Page = hxxp://www.google.com/uInternet Settings,ProxyOverride = *.localIE: &Download FLV by WinAVI... - c:\program files\WinAVI FLV Converter\flv_link.htmIE: &Save Flash In This Page by Flash Saver - c:\progra~1\FLASHS~1\save.htmIE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000IE: {{DE365254-2F9B-4908-9E3A-7AAA6EC90BCC} - {EC83A912-7EF4-410D-9CC7-3BDAA709CA71} - c:\program files\WinAVI FLV Converter\FLVTune.dllDPF: {F8C5C0F1-D884-43EB-A5A0-9E1C4A102FA8} - hxxps://secure.gopetslive.com/dev/GoPetsWeb.cabFF - ProfilePath - c:\documents and settings\Jon\Application Data\Mozilla\Firefox\Profiles\lyluhf4c.default\FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/---- FIREFOX POLICIES ----FF - user.js: capability.policy.policynames - localfilelinksFF - user.js: capability.policy.localfilelinks.sites - hxxp://s1.travian.com http://s2.travian.com http://s3.travian.com http://s4.travian.com http://s5.travian.com http://s6.travian.com http://s7.travian.com http://s8.travian.com http://s9.travian.com http://s10.travian.com http://speed.travian.com http://s1.travian.us http://s2.travian.us http://s3.travian.us http://s4.travian.us http://s5.travian.us http://s6.travian.us http://s7.travian.us http://s8.travian.us http://s9.travian.us http://s10.travian.us http://speed.travian.us http://s1.travian.co.uk http://s2.travian.co.uk http://s3.travian.co.uk http://s4.travian.co.uk http://s5.travian.co.uk http://s6.travian.co.uk http://s7.travian.co.uk http://s8.travian.co.uk http://s9.travian.co.uk http://s10.travian.co.uk http://speed.travian.co.ukFF - user.js: capability.policy.localfilelinks.checkloaduri.enabled - allAccess.**************************************************************************catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.netRootkit scan 2009-06-05 11:00Windows 5.1.2600 Service Pack 3 NTFSscanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfullyhidden files: 0**************************************************************************.--------------------- LOCKED REGISTRY KEYS ---------------------[HKEY_USERS\S-1-5-21-1078081533-1177238915-725345543-1004\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]"??"=hex:1b,97,f7,36,1d,32,7f,c1,a9,e6,d8,3e,d3,6a,d4,60,87,c5,28,ac,bd,d6,37, be,b8,05,1f,5b,70,25,1b,44,53,3a,2b,11,6c,fb,c0,36,21,98,0d,68,9d,a0,cd,0a,\"??"=hex:a1,5e,47,db,25,65,bb,27,8b,92,55,34,10,3f,d9,49[HKEY_USERS\S-1-5-21-1078081533-1177238915-725345543-1004\Software\SecuROM\License information*]"datasecu"=hex:00,8d,86,a8,28,10,51,47,be,fe,54,c3,f9,54,d4,79,ee,8e,c8,41,a9, 45,08,99,89,de,3d,2f,34,9e,4b,dc,34,28,4d,80,1a,fe,16,fa,d2,1c,4c,ae,6e,c8,\"rkeysecu"=hex:01,86,db,5f,b7,b8,88,cd,4e,8c,80,c6,fe,ea,5d,8e.--------------------- DLLs Loaded Under Running Processes ---------------------- - - - - - - > 'winlogon.exe'(1204)e:\program files\SUPERAntiSpyware\SASWINLO.dll.Completion time: 2009-06-05 11:02ComboFix-quarantined-files.txt 2009-06-05 10:02ComboFix2.txt 2009-06-04 20:44ComboFix3.txt 2009-05-27 00:28Pre-Run: 15,478,140,928 bytes freePost-Run: 15,407,984,640 bytes free359 --- E O F --- 2009-05-16 01:00Hijackthis:Logfile of Trend Micro HijackThis v2.0.2Scan saved at 11:16:51, on 05/06/2009Platform: Windows XP SP3 (WinNT 5.01.2600)MSIE: Internet Explorer v7.00 (7.00.6000.16705)Boot mode: NormalRunning processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\system32\spoolsv.exeE:\Program Files\Avira\AntiVir Desktop\sched.exeC:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exeC:\Program Files\Bonjour\mDNSResponder.exeE:\Program Files\Cisco Systems\VPN Client\cvpnd.exeE:\Program Files\Java\jre6\bin\jqs.exeC:\Program Files\NVIDIA Corporation\nTune\nTuneService.exeC:\WINDOWS\system32\nvsvc32.exeC:\WINDOWS\system32\PnkBstrA.exeC:\WINDOWS\system32\PnkBstrB.exeC:\WINDOWS\System32\svchost.exeE:\Program Files\Linksys\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exeE:\Program Files\Linksys\Compact Wireless-G USB Adapter Wireless Network Monitor\WUSB54GC.exeC:\WINDOWS\system32\ctfmon.exeC:\Program Files\iPod\bin\iPodService.exeE:\Program Files\Avira\AntiVir Desktop\avguard.exeC:\Program Files\Microsoft Office\Office12\OUTLOOK.EXEC:\WINDOWS\explorer.exeC:\WINDOWS\system32\wscntfy.exeC:\Documents and Settings\Jon\Local Settings\Application Data\Google\Update\GoogleUpdate.exeC:\Documents and Settings\Jon\Local Settings\Application Data\Google\Chrome\Application\chrome.exeC:\Documents and Settings\Jon\Local Settings\Application Data\Google\Chrome\Application\chrome.exeE:\Program Files\Trend Micro\HijackThis\HijackThis.exeR1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.localO2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dllO2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - E:\PROGRA~1\SPYBOT~1\SDHelper.dllO2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dllO2 - BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - E:\Program Files\Java\jre6\bin\ssv.dllO2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - E:\Program Files\Java\jre6\bin\jp2ssv.dllO2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - E:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dllO2 - BHO: WinAVI FLVSense - {E8DF67A1-B618-4F3F-9E7C-CBE175ADEF5B} - C:\Program Files\WinAVI FLV Converter\FLVTune.dllO4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartupO4 - HKLM\..\Run: [nwiz] nwiz.exe /installO4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXEO4 - HKLM\..\Run: [JMB36X IDE Setup] C:\WINDOWS\RaidTool\xInsIDE.exeO4 - HKLM\..\Run: [36X Raid Configurer] C:\WINDOWS\system32\xRaidSetup.exe bootO4 - HKLM\..\Run: [Copperhead] E:\Program Files\Razer\Copperhead\razerhid.exeO4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInitO4 - HKLM\..\Run: [avgnt] "E:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /minO4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exeO4 - HKLM\..\Run: [iTunesHelper] "E:\Program Files\iTunesHelper.exe"O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exeO4 - HKCU\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clearO4 - HKCU\..\Run: [steam] "c:\program files\valve\steam\steam.exe" -silentO4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Jon\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /cO4 - Startup: Xfire.lnk = E:\Program Files\Xfire\Xfire.exeO4 - Global Startup: Launchy.lnk = E:\Program Files\Launchy\Launchy.exeO4 - Global Startup: VPN Client.lnk = ?O8 - Extra context menu item: &Download FLV by WinAVI... - C:\Program Files\WinAVI FLV Converter\flv_link.htmO8 - Extra context menu item: &Save Flash In This Page by Flash Saver - C:\PROGRA~1\FLASHS~1\save.htmO8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000O9 - Extra button: Flash Saver - {09EA1F80-F40A-11D1-B792-444553540001} - C:\PROGRA~1\FLASHS~1\save.htmO9 - Extra 'Tools' menuitem: Flash Saver - {09EA1F80-F40A-11D1-B792-444553540001} - C:\PROGRA~1\FLASHS~1\save.htmO9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dllO9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dllO9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLLO9 - Extra button: WinAVI FLV Manager - {DE365254-2F9B-4908-9E3A-7AAA6EC90BCC} - C:\Program Files\WinAVI FLV Converter\FLVTune.dllO9 - Extra 'Tools' menuitem: WinAVI FLV Manager - {DE365254-2F9B-4908-9E3A-7AAA6EC90BCC} - C:\Program Files\WinAVI FLV Converter\FLVTune.dllO9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - E:\PROGRA~1\SPYBOT~1\SDHelper.dllO9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - E:\PROGRA~1\SPYBOT~1\SDHelper.dllO9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exeO9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exeO9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exeO9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exeO9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/200612...ex/qtplugin.cabO16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cabO16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab56986.cabO16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-GB/a-UNO1/GAME_UNO1.cabO16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1173299342609O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cabO16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab56986.cabO16 - DPF: {F8C5C0F1-D884-43EB-A5A0-9E1C4A102FA8} (GoPetsWeb Control) - https://secure.gopetslive.com/dev/GoPetsWeb.cabO18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dllO18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLLO20 - Winlogon Notify: !SASWinLogon - E:\Program Files\SUPERAntiSpyware\SASWINLO.dllO23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - E:\Program Files\Avira\AntiVir Desktop\sched.exeO23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - E:\Program Files\Avira\AntiVir Desktop\avguard.exeO23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exeO23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exeO23 - Service: Cisco Systems, Inc. Installer service (CiscoVpnInstallService) - Unknown owner - C:\DOCUME~1\Jon\LOCALS~1\Temp\WZSE0.TMP\INSTAL~1.EXE (file missing)O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - E:\Program Files\Cisco Systems\VPN Client\cvpnd.exeO23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exeO23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exeO23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exeO23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - E:\Program Files\Java\jre6\bin\jqs.exeO23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exeO23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exeO23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exeO23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exeO23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - E:\Program Files\WinPcap\rpcapd.exe (file missing)O23 - Service: WUSB54GCSVC - GEMTEKS - E:\Program Files\Linksys\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe--End of file - 10115 bytes Link to post Share on other sites More sharing options...
Bio-Hazard Posted June 5, 2009 ID:86980 Share Posted June 5, 2009 Also, when combofix ran, it stopped a couple of things that it didn't before (such as launchy and part of the Razer mouse config).Are they running fine now?Your log now appears to be clean. Congratulations!You can get rid of the tools we used:Delete ComboFix and Clean UpClick Start > Run > type combofix /u > OK (Note the space between combofix and /u)Please advise if this step is missed for any reason as it performs some important actions.OTCDownload OTC by Old Timer and save it to your Desktop.Double-click OTC.exeClick the CleanUp! buttonSelect Yes when the Begin cleanup Process? Prompt appearsIf you are prompted to Reboot during the cleanup, select YesThe tool will delete itself once it finishes, if not delete it by yourselfNote: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.Protection ProgramsDon't forget to re-enable any protection programs we disabled during your fix.You can now re-enable XXXXXXXXXXXXXGeneral Security and Computer HealthBelow are some steps to follow in order to dramatically lower the chances of reinfection. You may have already implemented some of the steps below, however you should follow any steps that you have not already implemented.Make sure that you keep your antivirus updatedNew viruses come out every minute, so it is essential that you have the latest signatures for your antivirus program to provide you with the best possible protection from malicious software.NOTE: You should only have one antivirus installed at a time. Having more than one antivirus program installed at once is likely to cause conflicts and may well decrease your overall protection as well as impairing the performance of your PC.Security Updates for Windows, Internet Explorer & Microsoft OfficeWhenever a security problem in its software is found, Microsoft will usually create a patch so that after the patch is installed, attackers can't use the vulnerability to install malicious software on your PC. Keeping up with these patches will help to prevent malicious software being installed on your PC. Ensure you are registered for Windows updates via Start > right-click on My Computer > Properties > Automatic Updates tab or visit the Microsoft Update site on a regular basis.NOTE: The update process uses ActiveX, so you will need to use internet explorer for it and allow the ActiveX control to install.Update Non-Microsoft ProgramsMicrosoft isn't the only company whose products can contain security vulnerabilities. To check whether other programs running on your PC are in need of an update, you can use the Secunia Software Inspector or F-secure Health Check. I suggest that you run one of them at least once a month.Make Internet Explorer More SecureYou are using Internet Explorer v. 7. Therefore please read and follow the recommendations at this SITERecommended ProgramsI would recommend the download and installation of some or all of the following programs (if not already present), and the updating of them on a regular basis.WinPatrolAs a robust security monitor, WinPatrol will alert you to hijackings, malware attacks and critical changes made to your computer without your permission. WinPatrol takes snapshot of your critical system resources and alerts you to any changes that may occur without your knowledge. For more information, please visit HERE.SpywareBlasterSpywareBlaster sets killbits in the registry to prevent known malicious ActiveX controls from installing on your computer. If you don't know what ActiveX controls are, see HERE. You can download SpywareBlaster from HERE.Malwarebytes' Anti-MalwareMalwarebytes' Anti-Malware is an anti-malware application that can thoroughly remove even the most advanced malware. It includes a number of features, including a built in protection monitor that blocks malicious processes before they even start.You can download Malwarebytes' Anti-Malware from HERE. Here are two tutorials: Malwarebytes' Anti-Malware Setup Guide and Malwarebytes' Anti-Malware Scanning Guide.Hosts FileFor added protection you may also like to add a host file. A simple explanation of what a Hosts file does is HERE and for more information regarding host files read HERE.Use an alternative Internet BrowserMany of the exploits are directed to users of Internet Explorer. Try using a different browser instead: Firefox or OperaHere is a great article by miekiemoes How to prevent Malware.Finally I am trying to make one point very clear. It is ABSOLUTELY ESSENTIAL to keep all of your security programs up to date.Please take the time to tell us what you would like to be done about the people who are behind all the problems you have had. We can only get something done about this if the people that we help, like you, are prepared to complain. We have a dedicated forum for collecting these complaints Malware Complaints. You need to be registered to post as, unfortunately, we were hit with too many spam posts to allow guest posting to continue. Just find your country room and register your complaint.I'd be grateful if you could reply to this post so that I know you have read it and, if you've no other questions, the thread can be closed.Happy surfing and stay clean!Bio-Hazard Link to post Share on other sites More sharing options...
Gigabeef Posted June 5, 2009 Author ID:86993 Share Posted June 5, 2009 Yep I've read all this stuff and installed extra things that you mentioned. I'm glad you specifically pointed out the extremely outdated IE, seen as I never use it except for the IE only sites!Everything is like it should be, and ComboFix only temporarily disabled those things I mentioned before so it seems Many thanks for all the help! Link to post Share on other sites More sharing options...
Recommended Posts