
Inactive Multiple problems after clicking on BHO toolbar

Discussion in 'Malware and Virus Removal Archive' started by TamoNeko, 2010/08/09.

Thread Status:
Not open for further replies.
  1. 2010/08/13
    TamoNeko

    TamoNeko Inactive Thread Starter

    Joined:
    2010/08/09
    Messages:
    18
    Likes Received:
    0
    I can't see my last post, so I'm sending it again.


    ComboFix 10-08-10.05 - Woolfer 13.08.2010 2:23.9.1 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1250.381.1033.18.767.468 [GMT 2:00]
    Running from: c:\documents and settings\Woolfer\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\Woolfer\Desktop\CFScript.txt
    * Created a new restore point

    FILE ::
    "c:\windows\system32\wmrqdl.dll "
    .

    ((((((((((((((((((((((((( Files Created from 2010-07-13 to 2010-08-13 )))))))))))))))))))))))))))))))
    .

    2010-08-10 11:07 . 2010-04-29 13:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-08-10 11:07 . 2010-08-10 11:07 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-08-10 11:07 . 2010-04-29 13:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-08-09 15:10 . 2010-08-09 15:10 -------- d-----w- c:\program files\DAEMON Tools Lite
    2010-08-09 11:21 . 2010-08-09 11:21 -------- d-----w- C:\xpsp3
    2010-08-08 12:44 . 1999-12-17 08:13 49664 ----a-w- c:\windows\unvise32.exe
    2010-08-08 12:44 . 2010-08-08 12:44 -------- d-----w- c:\program files\Active Ports
    2010-08-08 10:59 . 2010-08-08 10:59 -------- d-----w- c:\program files\Trend Micro
    2010-08-08 10:37 . 2010-08-08 10:37 -------- d-----w- c:\documents and settings\Woolfer\Application Data\Malwarebytes
    2010-08-08 10:36 . 2010-08-08 10:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2010-08-02 23:01 . 2010-08-02 23:01 503808 ----a-w- c:\documents and settings\Woolfer\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-3425b7c5-n\msvcp71.dll
    2010-08-02 23:01 . 2010-08-02 23:01 499712 ----a-w- c:\documents and settings\Woolfer\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-3425b7c5-n\jmc.dll
    2010-08-02 23:01 . 2010-08-02 23:01 348160 ----a-w- c:\documents and settings\Woolfer\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-3425b7c5-n\msvcr71.dll
    2010-08-02 23:01 . 2010-08-02 23:01 61440 ----a-w- c:\documents and settings\Woolfer\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-1cef6c9b-n\decora-sse.dll
    2010-08-02 23:01 . 2010-08-02 23:01 12800 ----a-w- c:\documents and settings\Woolfer\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-1cef6c9b-n\decora-d3d.dll
    2010-07-30 16:02 . 2010-07-30 16:02 -------- d-----w- c:\program files\Google
    2010-07-30 13:08 . 2010-07-31 08:32 -------- d-----w- c:\program files\Gish
    2010-07-30 00:36 . 2010-07-30 00:36 7 ----a-w- c:\windows\Winset.drv
    2010-07-30 00:36 . 2010-07-30 00:36 0 ----a-w- c:\windows\winkey.drv
    2010-07-30 00:09 . 2010-07-30 00:13 -------- d-----w- c:\program files\World of Wisdom
    2010-07-29 23:55 . 2010-07-30 00:02 -------- d-----w- c:\program files\Kundli for Windows
    2010-07-20 01:12 . 2010-07-20 01:37 -------- d-----w- c:\documents and settings\Woolfer\Application Data\mIRC
    2010-07-20 01:12 . 2010-07-20 01:31 -------- d-----w- c:\program files\mIRC
    2010-07-15 12:17 . 2009-04-30 22:00 15872 ----a-w- c:\windows\system32\escdev.dll
    2010-07-15 12:17 . 2009-04-30 22:00 128392 ----a-w- c:\windows\system32\esdevapp.exe
    2010-07-15 12:17 . 2008-11-16 22:00 342016 ----a-w- c:\windows\system32\eswiaud.dll
    2010-07-15 10:50 . 2007-12-17 02:00 143872 ----a-w- c:\documents and settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40ST7.EXE
    2010-07-15 10:50 . 2007-01-11 02:02 113664 ----a-w- c:\documents and settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40RP7.EXE

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-08-12 20:49 . 2010-07-05 13:19 -------- d-----w- c:\program files\ProxyFirewall
    2010-08-09 15:30 . 2008-05-16 13:51 21504 ----a-w- c:\windows\system32\hidserv.dll
    2010-08-09 15:09 . 2009-03-20 03:23 -------- d-----w- c:\program files\Di recnik
    2010-08-09 15:06 . 2009-02-26 21:08 717296 ----a-w- c:\windows\system32\drivers\sptd.sys
    2010-08-08 17:01 . 2009-03-10 10:43 -------- d-----w- c:\program files\Kaspersky Lab
    2010-08-08 17:01 . 2009-03-10 10:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files
    2010-08-08 03:07 . 2010-06-29 01:06 -------- d-----w- c:\program files\Cacheman
    2010-08-07 10:44 . 2010-05-22 18:21 146 ----a-w- c:\windows\DelMR.bat
    2010-08-05 16:00 . 2009-02-22 10:24 45864 ----a-w- c:\documents and settings\Woolfer\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2010-07-30 00:14 . 2009-03-03 21:13 -------- d--h--w- c:\program files\InstallShield Installation Information
    2010-07-22 01:16 . 2009-04-10 02:14 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
    2010-07-13 13:39 . 2009-03-18 13:16 -------- d-----w- c:\program files\Planplus
    2010-07-13 12:00 . 2010-07-13 12:00 -------- d-----w- c:\documents and settings\Woolfer\Application Data\Stardock
    2010-07-13 11:19 . 2010-07-13 11:19 -------- d-----w- c:\program files\RocketDock
    2010-07-13 01:42 . 2010-07-12 15:58 -------- d-----w- c:\program files\AveIconifier2
    2010-07-12 23:01 . 2010-01-08 16:30 1324 ----a-w- c:\windows\system32\d3d9caps.dat
    2010-07-06 21:49 . 2010-07-06 21:49 -------- d-----w- c:\documents and settings\All Users\Application Data\PassMark
    2010-07-06 21:49 . 2010-07-06 21:49 -------- d-----w- c:\program files\WirelessMon
    2010-07-06 01:35 . 2010-07-04 23:36 -------- d-----w- c:\documents and settings\All Users\Application Data\EPS
    2010-07-04 23:42 . 2010-07-04 23:33 -------- d-----w- c:\program files\My-Proxy
    2010-07-04 23:42 . 2010-07-04 23:33 -------- d-----w- c:\documents and settings\All Users\Application Data\SPC
    2010-07-03 13:52 . 2010-07-03 13:51 -------- d-----w- c:\program files\Bukvar
    2010-07-03 00:36 . 2010-07-03 00:36 -------- d-----w- c:\documents and settings\Woolfer\Application Data\VitySoft
    2010-07-02 18:30 . 2010-06-29 16:59 -------- d-----w- c:\program files\Common Files\Real
    2010-07-02 13:51 . 2010-07-02 13:41 -------- d-----w- c:\program files\A4Proxy
    2010-06-29 17:00 . 2006-07-11 17:35 348160 ----a-w- c:\windows\system32\msvcr71.dll
    2010-06-29 16:45 . 2010-06-29 16:45 -------- d-----w- c:\program files\Windows Media Connect 2
    2010-06-29 02:50 . 2010-06-29 02:50 -------- d-----w- c:\documents and settings\All Users\Application Data\nView_Profiles
    2010-06-26 19:36 . 2009-03-18 15:09 40960 ----a-r- c:\documents and settings\Woolfer\Application Data\Microsoft\Installer\{AA64977E-BEC8-4BDD-81E8-775F9F2FA2FF}\uninst_s2k.exe_AA64977EBEC84BDD81E8775F9F2FA2FF.exe
    2010-06-26 19:36 . 2009-03-18 15:09 40960 ----a-r- c:\documents and settings\Woolfer\Application Data\Microsoft\Installer\{AA64977E-BEC8-4BDD-81E8-775F9F2FA2FF}\serial2k.exe_AA64977EBEC84BDD81E8775F9F2FA2FF.exe
    2010-06-26 19:36 . 2009-03-18 15:09 10134 ----a-r- c:\documents and settings\Woolfer\Application Data\Microsoft\Installer\{AA64977E-BEC8-4BDD-81E8-775F9F2FA2FF}\ARPPRODUCTICON.exe
    2010-06-26 00:00 . 2009-04-09 14:03 -------- d-----w- c:\documents and settings\Woolfer\Application Data\uTorrent
    2010-06-25 23:12 . 2010-06-25 23:12 -------- d-----w- c:\program files\Support Tools
    2010-06-19 14:04 . 2010-06-19 14:01 -------- d-----w- c:\program files\Gravity
    2010-06-19 10:14 . 2010-06-19 10:13 -------- d-----w- c:\program files\Bloboats
    2010-06-18 15:19 . 2010-06-18 15:18 -------- d-----w- c:\program files\K-Lite Codec Pack
    2010-06-14 12:21 . 2010-06-14 12:21 -------- d-----w- c:\program files\VisiPics
    2010-06-07 17:18 . 2010-06-07 17:18 1892 ----a-w- c:\documents and settings\All Users\Application Data\xml4D.tmp
    2010-06-07 17:18 . 2010-06-07 17:18 13757 ----a-w- c:\documents and settings\All Users\Application Data\xml4C.tmp
    2010-06-07 17:18 . 2010-06-07 17:18 9521 ----a-w- c:\documents and settings\All Users\Application Data\xml4B.tmp
    2010-05-31 19:13 . 2010-05-31 19:13 95232 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{19DC9559-9C20-4A46-A67D-7ECBA52A2788}\Installer\CommonCustomActions\pcswpcsi.exe
    2010-05-31 19:13 . 2010-05-31 19:13 8192 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{19DC9559-9C20-4A46-A67D-7ECBA52A2788}\Installer\CommonCustomActions\UninstCCD.exe
    2010-05-31 19:13 . 2010-05-31 19:13 61440 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{19DC9559-9C20-4A46-A67D-7ECBA52A2788}\Installer\CommonCustomActions\UninstPCSFEMsi.exe
    2010-05-31 19:13 . 2010-05-31 19:13 10240 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{19DC9559-9C20-4A46-A67D-7ECBA52A2788}\Installer\CommonCustomActions\UninstPCS.exe
    2010-05-31 19:10 . 2010-05-31 19:13 34399664 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{19DC9559-9C20-4A46-A67D-7ECBA52A2788}\Nokia_PC_Suite_eng.exe
    2010-05-24 23:01 . 2010-05-24 23:01 503808 ----a-w- c:\documents and settings\Woolfer\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-4e2a3905-n\msvcp71.dll
    2010-05-24 23:01 . 2010-05-24 23:01 499712 ----a-w- c:\documents and settings\Woolfer\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-4e2a3905-n\jmc.dll
    2010-05-24 23:01 . 2010-05-24 23:01 12800 ----a-w- c:\documents and settings\Woolfer\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-4ba5100c-n\decora-d3d.dll
    2010-05-24 23:01 . 2010-05-24 23:01 61440 ----a-w- c:\documents and settings\Woolfer\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-4ba5100c-n\decora-sse.dll
    2010-05-24 23:01 . 2010-05-24 23:01 348160 ----a-w- c:\documents and settings\Woolfer\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-4e2a3905-n\msvcr71.dll
    .

    ------- Sigcheck -------

    [-] 2009-02-21 . 362BC5AF8EAF712832C58CC13AE05750 . 1614848 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll
    .
    ((((((((((((((((((((((((((((( SnapShot_2010-08-11_09.45.49 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2010-08-12 20:45 . 2010-08-12 20:45 16384 c:\windows\temp\Perflib_Perfdata_80c.dat
    + 2010-08-12 20:45 . 2010-08-12 20:45 16384 c:\windows\temp\Perflib_Perfdata_408.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ProxyFirewall "= "c:\program files\ProxyFirewall\ProxyFirewall.exe" [2006-03-26 431104]
    "DAEMON Tools Lite "= "c:\program files\DAEMON Tools Lite\daemon.exe" [2008-04-01 486856]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "C-Media Mixer "= "Mixer.exe" [2003-03-20 1855488]
    "SunJavaUpdateSched "= "c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
    "TWCU "= "c:\program files\TP-LINK\TP-LINK Wireless Client Utility\TWCU.exe" [2009-08-14 569427]
    "NvCplDaemon "= "c:\windows\system32\NvCpl.dll" [2005-12-10 7311360]
    "nwiz "= "nwiz.exe" [2005-12-10 1519616]
    "NvMediaCenter "= "c:\windows\system32\NvMcTray.dll" [2005-12-10 86016]
    "SW24 "= "c:\windows\system32\sw24.exe" [2006-04-04 69632]
    "SW20 "= "c:\windows\system32\sw20.exe" [2006-04-04 208896]
    "SMSERIAL "= "c:\program files\Motorola\SMSERIAL\sm56hlpr.exe" [2007-01-29 638976]
    "Di dictionary "= "c:\program files\Di recnik\Di.exe" [2007-03-16 518656]
    "BtTray "= "c:\program files\IVT Corporation\BlueSoleil\BtTray.exe" [2009-02-27 278016]
    "BluetoothAuthenticationAgent "= "bthprops.cpl" [2008-04-14 110592]
    "Adobe Reader Speed Launcher "= "c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2010-06-17 40368]
    "Adobe ARM "= "c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe "= "c:\windows\system32\CTFMON.EXE" [2008-11-27 15360]

    c:\documents and settings\Woolfer\Start Menu\Programs\Startup\
    Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]
    Shortcut to Pihatonttu.lnk - c:\documents and settings\Woolfer\Desktop\Folders\netoverbt\New Folder\Hiisi1.6.3\Pihatonttu\Pihatonttu.cmd [2010-5-22 112]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    TSS Instrument API Tray Utility.lnk - c:\program files\Common Files\Nokia\Tss\Instrument API\bin\tray.exe [2007-12-7 77824]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
    @= "Driver "

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "vsmon "=2 (0x2)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "c:\\Program Files\\Common Files\\Nokia\\Tss\\Instrument API\\bin\\root.exe "=
    "c:\\Program Files\\uTorrent\\uTorrent.exe "=
    "c:\\Program Files\\seba14mods\\µtorrent 1.8.2 (build 14458) Leecher Pack\\utorrent 1.8.2 (14458)_stealth.exe "=
    "c:\\Program Files\\A4Proxy\\A4Proxy.exe "=
    "c:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleilCS.exe "=
    "c:\\Program Files\\ODEON\\JAF\\JCOP.EXE "=
    "c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe "=
    "c:\\WINDOWS\\system32\\sessmgr.exe "=
    "c:\\Program Files\\DVBViewerTE\\ts_winlirc.exe "=
    "c:\\Program Files\\Messenger\\msmsgs.exe "=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "5232:TCP "= 5232:TCP:zgveo

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
    "AllowInboundEchoRequest "= 1 (0x1)

    R0 BtHidBus;Bluetooth HID Bus Service;c:\windows\system32\drivers\BtHidBus.sys [4/6/2010 6:32 PM 20744]
    R2 ABBYY.Licensing.FineReader.Professional.9.0;ABBYY FineReader 9.0 Licensing Service;c:\program files\ABBYY FineReader 9.0\NetworkLicenseServer.exe [9/24/2007 7:11 PM 566560]
    R2 BsMobileCS;BsMobileCS;c:\program files\IVT Corporation\BlueSoleil\BsMobileCS.exe [2/27/2009 4:40 PM 143467]
    R2 PARLDR2K;ParLdr2k;c:\windows\system32\drivers\parldr2k.sys [4/22/2010 12:34 AM 10454]
    R3 btnetBUs;Bluetooth PAN Bus Service;c:\windows\system32\drivers\btnetBus.sys [4/6/2010 6:33 PM 30088]
    R3 IvtBtBUs;IVT Bluetooth Bus Service;c:\windows\system32\drivers\IvtBtBus.sys [4/6/2010 6:32 PM 26248]
    R3 SKYNET;TechniSat DVB-PC TV Star PCI;c:\windows\system32\drivers\SkyNET.sys [7/2/2008 12:15 AM 418832]
    S2 CachemanService;Cacheman Service;c:\program files\Cacheman\CachemanServ.exe --> c:\program files\Cacheman\CachemanServ.exe [?]
    S2 nxfgt;Image System;c:\windows\system32\svchost.exe -k netsvcs [11/27/2008 5:45 AM 14336]
    S3 AR9271;Wireless Network Adapter Service;c:\windows\system32\drivers\athuw.sys [3/6/2010 12:07 AM 1668352]
    S3 BTCOM;Bluetooth Serial port driver;c:\windows\system32\DRIVERS\btcomport.sys --> c:\windows\system32\DRIVERS\btcomport.sys [?]
    S3 BTCOMBUS;Bluetooth Serial Port Bus Service;c:\windows\system32\Drivers\btcombus.sys --> c:\windows\system32\Drivers\btcombus.sys [?]
    S3 nmwcdnsu;Nokia USB Flashing Phone Parent;c:\windows\system32\drivers\nmwcdnsu.sys [5/31/2010 9:16 PM 136704]
    S3 nmwcdnsuc;Nokia USB Flashing Generic;c:\windows\system32\drivers\nmwcdnsuc.sys [5/31/2010 9:16 PM 8320]
    S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [2/26/2009 11:08 PM 717296]

    --- Other Services/Drivers In Memory ---

    *Deregistered* - mchInjDrv
    .
    Contents of the 'Scheduled Tasks' folder

    2009-04-08 c:\windows\Tasks\shutdown.job
    - c:\documents and settings\Woolfer\Desktop\shutdown.lnk [2008-07-02 19:03]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = about:blank
    IE: + Offline &Explorer: Download the link - file://c:\program files\Offline Explorer\Add_UrlO.htm
    IE: + Offline E&xplorer: Download the current page - file://c:\program files\Offline Explorer\Add_AllO.htm
    IE: Iz&vezi u Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    IE: Prevedi sa Di recnikom - c:\program files\Di recnik\diie.htm
    IE: Send by Bluetooth - c:\program files\IVT Corporation\BlueSoleil\TransSend\IE\tsinfo.htm
    IE: Send via &Message... - c:\program files\IVT Corporation\BlueSoleil\TransSend\IE\tssms.htm
    IE: Translate with Di dictionary -
    Handler: ic32pp - {BBCA9F81-8F4F-11D2-90FF-0080C83D3571} -
    FF - ProfilePath - c:\documents and settings\Woolfer\Application Data\Mozilla\Firefox\Profiles\wgw1e5f5.default\
    FF - prefs.js: browser.search.selectedEngine - eBay
    FF - prefs.js: browser.startup.homepage - hxxp://en-US.start3.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
    FF - prefs.js: network.proxy.http - 218.29.234.50
    FF - prefs.js: network.proxy.http_port - 3128
    FF - prefs.js: network.proxy.type - 0
    FF - plugin: c:\documents and settings\Woolfer\Local Settings\Application Data\Google\Google Earth\plugin\npgeplugin.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll

    ---- FIREFOX POLICIES ----
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "ui.use_native_colors ", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "network.IDN.whitelist.lu ", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "network.IDN.whitelist.nu ", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "network.IDN.whitelist.nz ", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "network.IDN.whitelist.xn--mgbaam7a8h ", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "network.IDN.whitelist.xn--mgberp4a5d4ar ", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "network.IDN.whitelist.xn--p1ai ", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "network.IDN.whitelist.xn--mgbayh7gpa ", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "network.IDN.whitelist.tel ", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "network.auth.force-generic-ntlm ", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "network.proxy.type ", 5);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "network.buffer.cache.count ", 24);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "network.buffer.cache.size ", 4096);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "dom.ipc.plugins.timeoutSecs ", 45);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "svg.smil.enabled ", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "accelerometer.enabled ", true);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref( "security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref ", true);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref( "security.ssl.renego_unrestricted_hosts ", " ");
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref( "security.ssl.treat_unsafe_negotiation_as_broken ", false);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref( "security.ssl.require_safe_negotiation ", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref( "extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name ", "chrome://browser/locale/browser.properties ");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref( "extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description ", "chrome://browser/locale/browser.properties ");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref( "plugins.update.notifyUser ", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref( "dom.ipc.plugins.enabled.nptest.dll ", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref( "dom.ipc.plugins.enabled.npswf32.dll ", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref( "dom.ipc.plugins.enabled.npctrl.dll ", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref( "dom.ipc.plugins.enabled.npqtplugin.dll ", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref( "dom.ipc.plugins.enabled ", false);
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-08-13 02:33
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    ProxyFirewall = c:\program files\ProxyFirewall\ProxyFirewall.exe???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    [HKEY_LOCAL_MACHINE\System\ControlSet002\Services\nxfgt]
    "ServiceDll "= "c:\windows\system32\wmrqdl.dll "
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_USERS\S-1-5-21-854245398-1383384898-1644491937-1003\Software\Microsoft\SystemCertificates\AddressBook*]
    @Allowed: (Read) (RestrictedCode)
    @Allowed: (Read) (RestrictedCode)
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(1120)
    c:\windows\system32\athgina.dll

    - - - - - - - > 'explorer.exe'(3312)
    c:\windows\system32\BsMobileSDK.dll
    c:\windows\system32\BsLangInDepRes.dll
    c:\windows\system32\Bs2Res.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\BsHelpCSps.dll
    c:\windows\system32\PortableDeviceApi.dll
    c:\windows\system32\BlueSoleilCSps.dll
    c:\windows\system32\BsMobileCSps.dll
    .
    Completion time: 2010-08-13 02:37:36
    ComboFix-quarantined-files.txt 2010-08-13 00:37
    ComboFix2.txt 2010-08-11 09:50
    ComboFix3.txt 2010-08-07 20:13
    ComboFix4.txt 2010-08-06 23:54
    ComboFix5.txt 2010-08-13 00:22

    Pre-Run: 13.376.065.536 bytes free
    Post-Run: 13.357.858.816 bytes free

    - - End Of File - - 2084AEFA2D5F952D641F2A095C87D797
     
  2. 2010/08/13
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Somehow, you keep sending me the very same ComboFix log, dated 13.08.2010 2:23.
    Delete your ComboFix file, download a fresh one and run the script from my reply #20 again.
     


  4. 2010/08/13
    TamoNeko

    TamoNeko Inactive Thread Starter

    Joined:
    2010/08/09
    Messages:
    18
    Likes Received:
    0
    Fresh one:

    ComboFix 10-08-12.03 - Woolfer 13.08.2010 21:27:04.10.1 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1250.381.1033.18.767.459 [GMT 2:00]
    Running from: c:\documents and settings\Woolfer\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\Woolfer\Desktop\CFScript.txt

    FILE ::
    "c:\windows\system32\wmrqdl.dll "
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Legacy_NXFGT
    -------\Service_nxfgt


    ((((((((((((((((((((((((( Files Created from 2010-07-13 to 2010-08-13 )))))))))))))))))))))))))))))))
    .

    2010-08-10 11:07 . 2010-04-29 13:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-08-10 11:07 . 2010-08-10 11:07 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-08-10 11:07 . 2010-04-29 13:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-08-09 15:10 . 2010-08-09 15:10 -------- d-----w- c:\program files\DAEMON Tools Lite
    2010-08-09 11:21 . 2010-08-09 11:21 -------- d-----w- C:\xpsp3
    2010-08-08 12:44 . 1999-12-17 08:13 49664 ----a-w- c:\windows\unvise32.exe
    2010-08-08 12:44 . 2010-08-08 12:44 -------- d-----w- c:\program files\Active Ports
    2010-08-08 10:59 . 2010-08-08 10:59 -------- d-----w- c:\program files\Trend Micro
    2010-08-08 10:37 . 2010-08-08 10:37 -------- d-----w- c:\documents and settings\Woolfer\Application Data\Malwarebytes
    2010-08-08 10:36 . 2010-08-08 10:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2010-08-02 23:01 . 2010-08-02 23:01 503808 ----a-w- c:\documents and settings\Woolfer\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-3425b7c5-n\msvcp71.dll
    2010-08-02 23:01 . 2010-08-02 23:01 499712 ----a-w- c:\documents and settings\Woolfer\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-3425b7c5-n\jmc.dll
    2010-08-02 23:01 . 2010-08-02 23:01 348160 ----a-w- c:\documents and settings\Woolfer\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-3425b7c5-n\msvcr71.dll
    2010-08-02 23:01 . 2010-08-02 23:01 61440 ----a-w- c:\documents and settings\Woolfer\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-1cef6c9b-n\decora-sse.dll
    2010-08-02 23:01 . 2010-08-02 23:01 12800 ----a-w- c:\documents and settings\Woolfer\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-1cef6c9b-n\decora-d3d.dll
    2010-07-30 16:02 . 2010-07-30 16:02 -------- d-----w- c:\program files\Google
    2010-07-30 13:08 . 2010-07-31 08:32 -------- d-----w- c:\program files\Gish
    2010-07-30 00:36 . 2010-07-30 00:36 7 ----a-w- c:\windows\Winset.drv
    2010-07-30 00:36 . 2010-07-30 00:36 0 ----a-w- c:\windows\winkey.drv
    2010-07-30 00:09 . 2010-07-30 00:13 -------- d-----w- c:\program files\World of Wisdom
    2010-07-29 23:55 . 2010-07-30 00:02 -------- d-----w- c:\program files\Kundli for Windows
    2010-07-20 01:12 . 2010-07-20 01:37 -------- d-----w- c:\documents and settings\Woolfer\Application Data\mIRC
    2010-07-20 01:12 . 2010-07-20 01:31 -------- d-----w- c:\program files\mIRC
    2010-07-15 12:17 . 2009-04-30 22:00 15872 ----a-w- c:\windows\system32\escdev.dll
    2010-07-15 12:17 . 2009-04-30 22:00 128392 ----a-w- c:\windows\system32\esdevapp.exe
    2010-07-15 12:17 . 2008-11-16 22:00 342016 ----a-w- c:\windows\system32\eswiaud.dll
    2010-07-15 10:50 . 2007-12-17 02:00 143872 ----a-w- c:\documents and settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40ST7.EXE
    2010-07-15 10:50 . 2007-01-11 02:02 113664 ----a-w- c:\documents and settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40RP7.EXE

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-08-13 20:01 . 2010-07-05 13:19 -------- d-----w- c:\program files\ProxyFirewall
    2010-08-13 20:00 . 2009-03-20 03:23 -------- d-----w- c:\program files\Di recnik
    2010-08-09 15:30 . 2008-05-16 13:51 21504 ----a-w- c:\windows\system32\hidserv.dll
    2010-08-09 15:06 . 2009-02-26 21:08 717296 ----a-w- c:\windows\system32\drivers\sptd.sys
    2010-08-08 17:01 . 2009-03-10 10:43 -------- d-----w- c:\program files\Kaspersky Lab
    2010-08-08 17:01 . 2009-03-10 10:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files
    2010-08-08 03:07 . 2010-06-29 01:06 -------- d-----w- c:\program files\Cacheman
    2010-08-07 10:44 . 2010-05-22 18:21 146 ----a-w- c:\windows\DelMR.bat
    2010-08-05 16:00 . 2009-02-22 10:24 45864 ----a-w- c:\documents and settings\Woolfer\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2010-07-30 00:14 . 2009-03-03 21:13 -------- d--h--w- c:\program files\InstallShield Installation Information
    2010-07-22 01:16 . 2009-04-10 02:14 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
    2010-07-13 13:39 . 2009-03-18 13:16 -------- d-----w- c:\program files\Planplus
    2010-07-13 12:00 . 2010-07-13 12:00 -------- d-----w- c:\documents and settings\Woolfer\Application Data\Stardock
    2010-07-13 11:19 . 2010-07-13 11:19 -------- d-----w- c:\program files\RocketDock
    2010-07-13 01:42 . 2010-07-12 15:58 -------- d-----w- c:\program files\AveIconifier2
    2010-07-12 23:01 . 2010-01-08 16:30 1324 ----a-w- c:\windows\system32\d3d9caps.dat
    2010-07-06 21:49 . 2010-07-06 21:49 -------- d-----w- c:\documents and settings\All Users\Application Data\PassMark
    2010-07-06 21:49 . 2010-07-06 21:49 -------- d-----w- c:\program files\WirelessMon
    2010-07-06 01:35 . 2010-07-04 23:36 -------- d-----w- c:\documents and settings\All Users\Application Data\EPS
    2010-07-04 23:42 . 2010-07-04 23:33 -------- d-----w- c:\program files\My-Proxy
    2010-07-04 23:42 . 2010-07-04 23:33 -------- d-----w- c:\documents and settings\All Users\Application Data\SPC
    2010-07-03 13:52 . 2010-07-03 13:51 -------- d-----w- c:\program files\Bukvar
    2010-07-03 00:36 . 2010-07-03 00:36 -------- d-----w- c:\documents and settings\Woolfer\Application Data\VitySoft
    2010-07-02 18:30 . 2010-06-29 16:59 -------- d-----w- c:\program files\Common Files\Real
    2010-07-02 13:51 . 2010-07-02 13:41 -------- d-----w- c:\program files\A4Proxy
    2010-06-29 17:00 . 2006-07-11 17:35 348160 ----a-w- c:\windows\system32\msvcr71.dll
    2010-06-29 16:45 . 2010-06-29 16:45 -------- d-----w- c:\program files\Windows Media Connect 2
    2010-06-29 02:50 . 2010-06-29 02:50 -------- d-----w- c:\documents and settings\All Users\Application Data\nView_Profiles
    2010-06-26 19:36 . 2009-03-18 15:09 40960 ----a-r- c:\documents and settings\Woolfer\Application Data\Microsoft\Installer\{AA64977E-BEC8-4BDD-81E8-775F9F2FA2FF}\uninst_s2k.exe_AA64977EBEC84BDD81E8775F9F2FA2FF.exe
    2010-06-26 19:36 . 2009-03-18 15:09 40960 ----a-r- c:\documents and settings\Woolfer\Application Data\Microsoft\Installer\{AA64977E-BEC8-4BDD-81E8-775F9F2FA2FF}\serial2k.exe_AA64977EBEC84BDD81E8775F9F2FA2FF.exe
    2010-06-26 19:36 . 2009-03-18 15:09 10134 ----a-r- c:\documents and settings\Woolfer\Application Data\Microsoft\Installer\{AA64977E-BEC8-4BDD-81E8-775F9F2FA2FF}\ARPPRODUCTICON.exe
    2010-06-26 00:00 . 2009-04-09 14:03 -------- d-----w- c:\documents and settings\Woolfer\Application Data\uTorrent
    2010-06-25 23:12 . 2010-06-25 23:12 -------- d-----w- c:\program files\Support Tools
    2010-06-19 14:04 . 2010-06-19 14:01 -------- d-----w- c:\program files\Gravity
    2010-06-19 10:14 . 2010-06-19 10:13 -------- d-----w- c:\program files\Bloboats
    2010-06-18 15:19 . 2010-06-18 15:18 -------- d-----w- c:\program files\K-Lite Codec Pack
    2010-06-07 17:18 . 2010-06-07 17:18 1892 ----a-w- c:\documents and settings\All Users\Application Data\xml4D.tmp
    2010-06-07 17:18 . 2010-06-07 17:18 13757 ----a-w- c:\documents and settings\All Users\Application Data\xml4C.tmp
    2010-06-07 17:18 . 2010-06-07 17:18 9521 ----a-w- c:\documents and settings\All Users\Application Data\xml4B.tmp
    2010-05-31 19:13 . 2010-05-31 19:13 95232 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{19DC9559-9C20-4A46-A67D-7ECBA52A2788}\Installer\CommonCustomActions\pcswpcsi.exe
    2010-05-31 19:13 . 2010-05-31 19:13 8192 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{19DC9559-9C20-4A46-A67D-7ECBA52A2788}\Installer\CommonCustomActions\UninstCCD.exe
    2010-05-31 19:13 . 2010-05-31 19:13 61440 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{19DC9559-9C20-4A46-A67D-7ECBA52A2788}\Installer\CommonCustomActions\UninstPCSFEMsi.exe
    2010-05-31 19:13 . 2010-05-31 19:13 10240 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{19DC9559-9C20-4A46-A67D-7ECBA52A2788}\Installer\CommonCustomActions\UninstPCS.exe
    2010-05-31 19:10 . 2010-05-31 19:13 34399664 ----a-w- c:\documents and settings\All Users\Application Data\Installations\{19DC9559-9C20-4A46-A67D-7ECBA52A2788}\Nokia_PC_Suite_eng.exe
    2010-05-24 23:01 . 2010-05-24 23:01 503808 ----a-w- c:\documents and settings\Woolfer\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-4e2a3905-n\msvcp71.dll
    2010-05-24 23:01 . 2010-05-24 23:01 499712 ----a-w- c:\documents and settings\Woolfer\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-4e2a3905-n\jmc.dll
    2010-05-24 23:01 . 2010-05-24 23:01 12800 ----a-w- c:\documents and settings\Woolfer\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-4ba5100c-n\decora-d3d.dll
    2010-05-24 23:01 . 2010-05-24 23:01 61440 ----a-w- c:\documents and settings\Woolfer\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-4ba5100c-n\decora-sse.dll
    2010-05-24 23:01 . 2010-05-24 23:01 348160 ----a-w- c:\documents and settings\Woolfer\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-4e2a3905-n\msvcr71.dll
    .

    ------- Sigcheck -------

    [-] 2009-02-21 . 362BC5AF8EAF712832C58CC13AE05750 . 1614848 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll
    .
    ((((((((((((((((((((((((((((( SnapShot_2010-08-11_09.45.49 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2010-08-13 14:45 . 2010-08-13 14:45 16384 c:\windows\temp\Perflib_Perfdata_76c.dat
    + 2010-08-13 19:39 . 2010-08-13 19:39 16384 c:\windows\temp\Perflib_Perfdata_6f4.dat
    + 2010-08-13 19:39 . 2010-08-13 19:39 16384 c:\windows\temp\Perflib_Perfdata_3f8.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ProxyFirewall"="c:\program files\ProxyFirewall\ProxyFirewall.exe" [2006-03-26 431104]
    "DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2008-04-01 486856]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "C-Media Mixer"="Mixer.exe" [2003-03-20 1855488]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
    "TWCU"="c:\program files\TP-LINK\TP-LINK Wireless Client Utility\TWCU.exe" [2009-08-14 569427]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-12-10 7311360]
    "nwiz"="nwiz.exe" [2005-12-10 1519616]
    "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2005-12-10 86016]
    "SW24"="c:\windows\system32\sw24.exe" [2006-04-04 69632]
    "SW20"="c:\windows\system32\sw20.exe" [2006-04-04 208896]
    "SMSERIAL"="c:\program files\Motorola\SMSERIAL\sm56hlpr.exe" [2007-01-29 638976]
    "Di dictionary"="c:\program files\Di recnik\Di.exe" [2007-03-16 518656]
    "BtTray"="c:\program files\IVT Corporation\BlueSoleil\BtTray.exe" [2009-02-27 278016]
    "BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2010-06-17 40368]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="c:\windows\system32\CTFMON.EXE" [2008-11-27 15360]

    c:\documents and settings\Woolfer\Start Menu\Programs\Startup\
    Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]
    Shortcut to Pihatonttu.lnk - c:\documents and settings\Woolfer\Desktop\Folders\netoverbt\New Folder\Hiisi1.6.3\Pihatonttu\Pihatonttu.cmd [2010-5-22 112]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    TSS Instrument API Tray Utility.lnk - c:\program files\Common Files\Nokia\Tss\Instrument API\bin\tray.exe [2007-12-7 77824]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
    @="Driver"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "vsmon"=2 (0x2)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "c:\\Program Files\\Common Files\\Nokia\\Tss\\Instrument API\\bin\\root.exe"=
    "c:\\Program Files\\uTorrent\\uTorrent.exe"=
    "c:\\Program Files\\seba14mods\\µtorrent 1.8.2 (build 14458) Leecher Pack\\utorrent 1.8.2 (14458)_stealth.exe"=
    "c:\\Program Files\\A4Proxy\\A4Proxy.exe"=
    "c:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleilCS.exe"=
    "c:\\Program Files\\ODEON\\JAF\\JCOP.EXE"=
    "c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\WINDOWS\\system32\\sessmgr.exe"=
    "c:\\Program Files\\DVBViewerTE\\ts_winlirc.exe"=
    "c:\\Program Files\\Messenger\\msmsgs.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "5232:TCP"= 5232:TCP:zgveo

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
    "AllowInboundEchoRequest"= 1 (0x1)

    R0 BtHidBus;Bluetooth HID Bus Service;c:\windows\system32\drivers\BtHidBus.sys [4/6/2010 6:32 PM 20744]
    R2 ABBYY.Licensing.FineReader.Professional.9.0;ABBYY FineReader 9.0 Licensing Service;c:\program files\ABBYY FineReader 9.0\NetworkLicenseServer.exe [9/24/2007 7:11 PM 566560]
    R2 BsMobileCS;BsMobileCS;c:\program files\IVT Corporation\BlueSoleil\BsMobileCS.exe [2/27/2009 4:40 PM 143467]
    R2 PARLDR2K;ParLdr2k;c:\windows\system32\drivers\parldr2k.sys [4/22/2010 12:34 AM 10454]
    R3 AR9271;Wireless Network Adapter Service;c:\windows\system32\drivers\athuw.sys [3/6/2010 12:07 AM 1668352]
    R3 btnetBUs;Bluetooth PAN Bus Service;c:\windows\system32\drivers\btnetBus.sys [4/6/2010 6:33 PM 30088]
    R3 IvtBtBUs;IVT Bluetooth Bus Service;c:\windows\system32\drivers\IvtBtBus.sys [4/6/2010 6:32 PM 26248]
    R3 SKYNET;TechniSat DVB-PC TV Star PCI;c:\windows\system32\drivers\SkyNET.sys [7/2/2008 12:15 AM 418832]
    S2 CachemanService;Cacheman Service;c:\program files\Cacheman\CachemanServ.exe --> c:\program files\Cacheman\CachemanServ.exe [?]
    S3 BTCOM;Bluetooth Serial port driver;c:\windows\system32\DRIVERS\btcomport.sys --> c:\windows\system32\DRIVERS\btcomport.sys [?]
    S3 BTCOMBUS;Bluetooth Serial Port Bus Service;c:\windows\system32\Drivers\btcombus.sys --> c:\windows\system32\Drivers\btcombus.sys [?]
    S3 nmwcdnsu;Nokia USB Flashing Phone Parent;c:\windows\system32\drivers\nmwcdnsu.sys [5/31/2010 9:16 PM 136704]
    S3 nmwcdnsuc;Nokia USB Flashing Generic;c:\windows\system32\drivers\nmwcdnsuc.sys [5/31/2010 9:16 PM 8320]
    S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [2/26/2009 11:08 PM 717296]

    --- Other Services/Drivers In Memory ---

    *Deregistered* - mchInjDrv
    .
    Contents of the 'Scheduled Tasks' folder

    2009-04-08 c:\windows\Tasks\shutdown.job
    - c:\documents and settings\Woolfer\Desktop\shutdown.lnk [2008-07-02 19:03]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = about:blank
    IE: + Offline &Explorer: Download the link - file://c:\program files\Offline Explorer\Add_UrlO.htm
    IE: + Offline E&xplorer: Download the current page - file://c:\program files\Offline Explorer\Add_AllO.htm
    IE: Iz&vezi u Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    IE: Prevedi sa Di recnikom - c:\program files\Di recnik\diie.htm
    IE: Send by Bluetooth - c:\program files\IVT Corporation\BlueSoleil\TransSend\IE\tsinfo.htm
    IE: Send via &Message... - c:\program files\IVT Corporation\BlueSoleil\TransSend\IE\tssms.htm
    IE: Translate with Di dictionary -
    Handler: ic32pp - {BBCA9F81-8F4F-11D2-90FF-0080C83D3571} -
    FF - ProfilePath - c:\documents and settings\Woolfer\Application Data\Mozilla\Firefox\Profiles\wgw1e5f5.default\
    FF - prefs.js: browser.search.selectedEngine - eBay
    FF - prefs.js: browser.startup.homepage - hxxp://en-US.start3.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
    FF - prefs.js: network.proxy.http - 218.29.234.50
    FF - prefs.js: network.proxy.http_port - 3128
    FF - prefs.js: network.proxy.type - 0
    FF - plugin: c:\documents and settings\Woolfer\Local Settings\Application Data\Google\Google Earth\plugin\npgeplugin.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll

    ---- FIREFOX POLICIES ----
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-08-13 22:01
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    ProxyFirewall = c:\program files\ProxyFirewall\ProxyFirewall.exe???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_USERS\S-1-5-21-854245398-1383384898-1644491937-1003\Software\Microsoft\SystemCertificates\AddressBook*]
    @Allowed: (Read) (RestrictedCode)
    @Allowed: (Read) (RestrictedCode)
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(1120)
    c:\windows\system32\athgina.dll
    c:\program files\ProxyFirewall\PFW.dll

    - - - - - - - > 'lsass.exe'(1180)
    c:\program files\ProxyFirewall\PFW.dll

    - - - - - - - > 'explorer.exe'(2456)
    c:\program files\ProxyFirewall\PFW.dll
    c:\windows\system32\BsMobileSDK.dll
    c:\windows\system32\BsLangInDepRes.dll
    c:\windows\system32\Bs2Res.dll
    c:\windows\system32\BsHelpCSps.dll
    c:\windows\system32\BlueSoleilCSps.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\BsMobileCSps.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll

    - - - - - - - > 'csrss.exe'(808)
    c:\program files\ProxyFirewall\PFW.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\SYSTEM32\astsrv.exe
    c:\program files\IVT Corporation\BlueSoleil\BlueSoleilCS.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\windows\system32\nvsvc32.exe
    c:\program files\Canon\CAL\CALMAIN.exe
    c:\program files\IVT Corporation\BlueSoleil\BsHelpCS.exe
    c:\windows\system32\wscntfy.exe
    c:\windows\Mixer.exe
    c:\program files\Common Files\Nokia\Tss\Instrument API\bin\root.exe
    .
    **************************************************************************
    .
    Completion time: 2010-08-13 22:07:52 - machine was rebooted
    ComboFix-quarantined-files.txt 2010-08-13 20:07
    ComboFix2.txt 2010-08-13 00:37
    ComboFix3.txt 2010-08-11 09:50
    ComboFix4.txt 2010-08-07 20:13
    ComboFix5.txt 2010-08-13 19:23

    Pre-Run: 13.342.130.176 bytes free
    Post-Run: 13.320.769.536 bytes free

    - - End Of File - - E84E66D054539E5523CC35EAAE4189DC
     
  5. 2010/08/13
    broni (Moderator, Malware Analyst)

    Now, you're talking :)
    Looks good :)

    How is the computer doing at the moment?

    Delete your GMER file, download a fresh one and post a new log.
     
  6. 2010/08/14
    TamoNeko (Inactive, Thread Starter)

    It is good :)
    Here is the GMER log after about 2 hours of running... (I have like a zillion files that are so small I would have to wait like 3 days for GMER to finish)

    The only thing that is still the same is a somewhat slow Windows login, which I think is a consequence of my PC being infected, and of me deleting files without checking online whether they are malware...
    I'll try to deal with that later
    (hey, login time is acceptable now)

    No more svchost trying to access its mom
    and no more slow refreshing of desktop icons

    I think you can slap "resolved" on the topic...

    Thank you very much for the generous help and for cleaning my system of viruses...
    ---------------------------------------------------------------
    ---------------------------------------------------------------
    GMER 1.0.15.15281 - http://www.gmer.net
    Rootkit scan 2010-08-14 20:01:41
    Windows 5.1.2600 Service Pack 3
    Running: t1x1qxzt.exe; Driver: C:\DOCUME~1\Woolfer\LOCALS~1\Temp\pwrdqpoc.sys


    ---- Kernel code sections - GMER 1.0.15 ----

    .text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xF6961360, 0x20598D, 0xE8000020]
    ? C:\WINDOWS\system32\Drivers\mchInjDrv.sys The system cannot find the file specified. !

    ---- User code sections - GMER 1.0.15 ----

    .text C:\WINDOWS\System32\alg.exe[240] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes JMP 5F070F5A
    .text C:\WINDOWS\System32\alg.exe[240] WS2_32.dll!connect 71AB4A07 6 Bytes JMP 10001000 C:\Program Files\ProxyFirewall\PFW.dll
    .text C:\WINDOWS\System32\alg.exe[240] WS2_32.dll!send 71AB4C27 6 Bytes JMP 10002300 C:\Program Files\ProxyFirewall\PFW.dll
    .text C:\Program Files\Canon\CAL\CALMAIN.exe[528] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes JMP 5F070F5A
    .text C:\Program Files\Canon\CAL\CALMAIN.exe[528] WS2_32.dll!connect 71AB4A07 6 Bytes JMP 10001000 C:\Program Files\ProxyFirewall\PFW.dll
    .text C:\Program Files\Canon\CAL\CALMAIN.exe[528] WS2_32.dll!send 71AB4C27 6 Bytes JMP 10002300 C:\Program Files\ProxyFirewall\PFW.dll
    .text C:\WINDOWS\system32\wbem\wmiprvse.exe[556] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes JMP 5F070F5A
    .text C:\WINDOWS\system32\wbem\wmiprvse.exe[556] WS2_32.dll!connect 71AB4A07 6 Bytes JMP 10001000 C:\Program Files\ProxyFirewall\PFW.dll
    .text C:\WINDOWS\system32\wbem\wmiprvse.exe[556] WS2_32.dll!send 71AB4C27 6 Bytes JMP 10002300 C:\Program Files\ProxyFirewall\PFW.dll
    .text C:\WINDOWS\system32\csrss.exe[736] KERNEL32.dll!LoadLibraryExW 7C801AF5 6 Bytes JMP 5F070F5A
    .text C:\WINDOWS\system32\csrss.exe[736] WS2_32.dll!connect 71AB4A07 6 Bytes JMP 10001000 C:\Program Files\ProxyFirewall\PFW.dll
    .text C:\WINDOWS\system32\csrss.exe[736] WS2_32.dll!send 71AB4C27 6 Bytes JMP 10002300 C:\Program Files\ProxyFirewall\PFW.dll
    .text C:\WINDOWS\system32\winlogon.exe[760] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes JMP 5F070F5A
    .text C:\WINDOWS\system32\winlogon.exe[760] WS2_32.dll!connect 71AB4A07 6 Bytes JMP 10001000 C:\Program Files\ProxyFirewall\PFW.dll
    .text C:\WINDOWS\system32\winlogon.exe[760] WS2_32.dll!send 71AB4C27 6 Bytes JMP 10002300 C:\Program Files\ProxyFirewall\PFW.dll
    .text C:\WINDOWS\system32\services.exe[804] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes JMP 5F070F5A
    .text C:\WINDOWS\system32\services.exe[804] WS2_32.dll!connect 71AB4A07 6 Bytes JMP 10001000 C:\Program Files\ProxyFirewall\PFW.dll
    .text C:\WINDOWS\system32\services.exe[804] WS2_32.dll!send 71AB4C27 6 Bytes JMP 10002300 C:\Program Files\ProxyFirewall\PFW.dll
    .text C:\WINDOWS\system32\lsass.exe[840] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes JMP 5F070F5A
    .text C:\WINDOWS\system32\lsass.exe[840] WS2_32.dll!connect 71AB4A07 6 Bytes JMP 10001000 C:\Program Files\ProxyFirewall\PFW.dll
    .text C:\WINDOWS\system32\lsass.exe[840] WS2_32.dll!send 71AB4C27 6 Bytes JMP 10002300 C:\Program Files\ProxyFirewall\PFW.dll
    .text C:\WINDOWS\system32\svchost.exe[980] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes JMP 5F070F5A
    .text C:\WINDOWS\system32\svchost.exe[980] WS2_32.dll!connect 71AB4A07 6 Bytes JMP 10001000 C:\Program Files\ProxyFirewall\PFW.dll
    .text C:\WINDOWS\system32\svchost.exe[980] WS2_32.dll!send 71AB4C27 6 Bytes JMP 10002300 C:\Program Files\ProxyFirewall\PFW.dll
    .text C:\WINDOWS\system32\svchost.exe[1060] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes JMP 5F070F5A
    .text C:\WINDOWS\system32\svchost.exe[1060] WS2_32.dll!connect 71AB4A07 6 Bytes JMP 10001000 C:\Program Files\ProxyFirewall\PFW.dll
    .text C:\WINDOWS\system32\svchost.exe[1060] WS2_32.dll!send 71AB4C27 6 Bytes JMP 10002300 C:\Program Files\ProxyFirewall\PFW.dll
    .text C:\WINDOWS\System32\svchost.exe[1176] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes JMP 5F070F5A
    .text C:\WINDOWS\System32\svchost.exe[1176] WS2_32.dll!connect 71AB4A07 6 Bytes JMP 10001000 C:\Program Files\ProxyFirewall\PFW.dll
    .text C:\WINDOWS\System32\svchost.exe[1176] WS2_32.dll!send 71AB4C27 6 Bytes JMP 10002300 C:\Program Files\ProxyFirewall\PFW.dll
    .text C:\WINDOWS\system32\svchost.exe[1212] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes JMP 5F070F5A
    .text C:\WINDOWS\system32\svchost.exe[1212] WS2_32.dll!connect 71AB4A07 6 Bytes JMP 10001000 C:\Program Files\ProxyFirewall\PFW.dll
    .text C:\WINDOWS\system32\svchost.exe[1212] WS2_32.dll!send 71AB4C27 6 Bytes JMP 10002300 C:\Program Files\ProxyFirewall\PFW.dll
    .text C:\WINDOWS\system32\svchost.exe[1312] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes JMP 5F070F5A
    .text C:\WINDOWS\system32\svchost.exe[1312] WS2_32.dll!connect 71AB4A07 6 Bytes JMP 10001000 C:\Program Files\ProxyFirewall\PFW.dll
    .text C:\WINDOWS\system32\svchost.exe[1312] WS2_32.dll!send 71AB4C27 6 Bytes JMP 10002300 C:\Program Files\ProxyFirewall\PFW.dll
    .text C:\WINDOWS\system32\svchost.exe[1368] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes JMP 5F070F5A
    .text C:\WINDOWS\system32\svchost.exe[1368] WS2_32.dll!connect 71AB4A07 6 Bytes JMP 10001000 C:\Program Files\ProxyFirewall\PFW.dll
    .text C:\WINDOWS\system32\svchost.exe[1368] WS2_32.dll!send 71AB4C27 6 Bytes JMP 10002300 C:\Program Files\ProxyFirewall\PFW.dll
    .text C:\WINDOWS\System32\svchost.exe[1404] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes JMP 5F070F5A
    .text C:\WINDOWS\System32\svchost.exe[1404] WS2_32.dll!connect 71AB4A07 6 Bytes JMP 10001000 C:\Program Files\ProxyFirewall\PFW.dll
    .text C:\WINDOWS\System32\svchost.exe[1404] WS2_32.dll!send 71AB4C27 6 Bytes JMP 10002300 C:\Program Files\ProxyFirewall\PFW.dll
    .text C:\WINDOWS\system32\spoolsv.exe[1524] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes JMP 5F070F5A
    .text C:\WINDOWS\system32\spoolsv.exe[1524] WS2_32.dll!connect 71AB4A07 6 Bytes JMP 01521000 C:\Program Files\ProxyFirewall\PFW.dll
    .text C:\WINDOWS\system32\spoolsv.exe[1524] WS2_32.dll!send 71AB4C27 6 Bytes JMP 01522300 C:\Program Files\ProxyFirewall\PFW.dll
    .text C:\Program Files\ABBYY FineReader 9.0\NetworkLicenseServer.exe[1632] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes JMP 5F070F5A
    .text C:\Program Files\ABBYY FineReader 9.0\NetworkLicenseServer.exe[1632] WS2_32.dll!connect 71AB4A07 6 Bytes JMP 011F1000 C:\Program Files\ProxyFirewall\PFW.dll
    .text C:\Program Files\ABBYY FineReader 9.0\NetworkLicenseServer.exe[1632] WS2_32.dll!send 71AB4C27 6 Bytes JMP 011F2300 C:\Program Files\ProxyFirewall\PFW.dll
    .text C:\WINDOWS\SYSTEM32\astsrv.exe[1652] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes JMP 5F070F5A
    .text C:\WINDOWS\SYSTEM32\astsrv.exe[1652] WS2_32.dll!connect 71AB4A07 6 Bytes JMP 10001000 C:\Program Files\ProxyFirewall\PFW.dll
    .text C:\WINDOWS\SYSTEM32\astsrv.exe[1652] WS2_32.dll!send 71AB4C27 6 Bytes JMP 10002300 C:\Program Files\ProxyFirewall\PFW.dll
    .text C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleilCS.exe[1664] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes JMP 5F070F5A
    .text C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleilCS.exe[1664] WS2_32.dll!connect 71AB4A07 6 Bytes JMP 04751000 C:\Program Files\ProxyFirewall\PFW.dll
    .text C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleilCS.exe[1664] WS2_32.dll!send 71AB4C27 6 Bytes JMP 04752300 C:\Program Files\ProxyFirewall\PFW.dll
    .text C:\Program Files\IVT Corporation\BlueSoleil\BsMobileCS.exe[1716] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes JMP 5F070F5A
    .text C:\Program Files\IVT Corporation\BlueSoleil\BsMobileCS.exe[1716] WS2_32.dll!connect 71AB4A07 6 Bytes JMP 00E51000 C:\Program Files\ProxyFirewall\PFW.dll
    .text C:\Program Files\IVT Corporation\BlueSoleil\BsMobileCS.exe[1716] WS2_32.dll!send 71AB4C27 6 Bytes JMP 00E52300 C:\Program Files\ProxyFirewall\PFW.dll
    .text C:\Program Files\IVT Corporation\BlueSoleil\BsHelpCS.exe[1752] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes JMP 5F070F5A
    .text C:\Program Files\IVT Corporation\BlueSoleil\BsHelpCS.exe[1752] WS2_32.dll!connect 71AB4A07 6 Bytes JMP 011D1000 C:\Program Files\ProxyFirewall\PFW.dll
    .text C:\Program Files\IVT Corporation\BlueSoleil\BsHelpCS.exe[1752] WS2_32.dll!send 71AB4C27 6 Bytes JMP 011D2300 C:\Program Files\ProxyFirewall\PFW.dll
    .text C:\Program Files\Java\jre6\bin\jqs.exe[1800] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes JMP 5F070F5A
    .text C:\Program Files\Java\jre6\bin\jqs.exe[1800] WS2_32.dll!connect 71AB4A07 6 Bytes JMP 10001000 C:\Program Files\ProxyFirewall\PFW.dll
    .text C:\Program Files\Java\jre6\bin\jqs.exe[1800] WS2_32.dll!send 71AB4C27 6 Bytes JMP 10002300 C:\Program Files\ProxyFirewall\PFW.dll
    .text C:\WINDOWS\system32\nvsvc32.exe[1844] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes JMP 5F070F5A
    .text C:\WINDOWS\system32\nvsvc32.exe[1844] WS2_32.dll!connect 71AB4A07 6 Bytes JMP 10001000 C:\Program Files\ProxyFirewall\PFW.dll
    .text C:\WINDOWS\system32\nvsvc32.exe[1844] WS2_32.dll!send 71AB4C27 6 Bytes JMP 10002300 C:\Program Files\ProxyFirewall\PFW.dll
    .text C:\WINDOWS\system32\svchost.exe[1904] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes JMP 5F070F5A
    .text C:\WINDOWS\system32\svchost.exe[1904] WS2_32.dll!connect 71AB4A07 6 Bytes JMP 10001000 C:\Program Files\ProxyFirewall\PFW.dll
    .text C:\WINDOWS\system32\svchost.exe[1904] WS2_32.dll!send 71AB4C27 6 Bytes JMP 10002300 C:\Program Files\ProxyFirewall\PFW.dll
    .text C:\Documents and Settings\Woolfer\Desktop\t1x1qxzt.exe[2488] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes JMP 5F070F5A
    .text C:\Documents and Settings\Woolfer\Desktop\t1x1qxzt.exe[2488] kernel32.dll!FreeLibrary + 15 7C80AC83 4 Bytes CALL 7170003D
    .text C:\Documents and Settings\Woolfer\Desktop\t1x1qxzt.exe[2488] WS2_32.dll!connect 71AB4A07 6 Bytes JMP 10001000 C:\Program Files\ProxyFirewall\PFW.dll
    .text C:\Documents and Settings\Woolfer\Desktop\t1x1qxzt.exe[2488] WS2_32.dll!send 71AB4C27 6 Bytes JMP 10002300 C:\Program Files\ProxyFirewall\PFW.dll
    .text C:\WINDOWS\Explorer.EXE[2636] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes JMP 5F070F5A
    .text C:\WINDOWS\Explorer.EXE[2636] WS2_32.dll!connect 71AB4A07 6 Bytes JMP 00C11000 C:\Program Files\ProxyFirewall\PFW.dll
    .text C:\WINDOWS\Explorer.EXE[2636] WS2_32.dll!send 71AB4C27 6 Bytes JMP 00C12300 C:\Program Files\ProxyFirewall\PFW.dll
    .text C:\WINDOWS\system32\wscntfy.exe[2656] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes JMP 5F070F5A
    .text C:\WINDOWS\system32\wscntfy.exe[2656] WS2_32.dll!connect 71AB4A07 6 Bytes JMP 10001000 C:\Program Files\ProxyFirewall\PFW.dll
    .text C:\WINDOWS\system32\wscntfy.exe[2656] WS2_32.dll!send 71AB4C27 6 Bytes JMP 10002300 C:\Program Files\ProxyFirewall\PFW.dll
    .text C:\WINDOWS\Mixer.exe[2716] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes JMP 5F070F5A
    .text C:\WINDOWS\Mixer.exe[2716] WS2_32.dll!connect 71AB4A07 6 Bytes JMP 10001000 C:\Program Files\ProxyFirewall\PFW.dll
    .text C:\WINDOWS\Mixer.exe[2716] WS2_32.dll!send 71AB4C27 6 Bytes JMP 10002300 C:\Program Files\ProxyFirewall\PFW.dll
    .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[2724] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes JMP 5F070F5A
    .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[2724] WS2_32.dll!connect 71AB4A07 6 Bytes JMP 10001000 C:\Program Files\ProxyFirewall\PFW.dll
    .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[2724] WS2_32.dll!send 71AB4C27 6 Bytes JMP 10002300 C:\Program Files\ProxyFirewall\PFW.dll
    .text C:\Program Files\TP-LINK\TP-LINK Wireless Client Utility\TWCU.exe[2740] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes JMP 5F070F5A
    .text C:\Program Files\TP-LINK\TP-LINK Wireless Client Utility\TWCU.exe[2740] WS2_32.dll!connect 71AB4A07 6 Bytes JMP 010A1000 C:\Program Files\ProxyFirewall\PFW.dll
    .text C:\Program Files\TP-LINK\TP-LINK Wireless Client Utility\TWCU.exe[2740] WS2_32.dll!send 71AB4C27 6 Bytes JMP 010A2300 C:\Program Files\ProxyFirewall\PFW.dll
    .text C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe[2796] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes JMP 5F070F5A
    .text C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe[2796] WS2_32.dll!connect 71AB4A07 6 Bytes JMP 00DC1000 C:\Program Files\ProxyFirewall\PFW.dll
    .text C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe[2796] WS2_32.dll!send 71AB4C27 6 Bytes JMP 00DC2300 C:\Program Files\ProxyFirewall\PFW.dll
    .text C:\Program Files\IVT Corporation\BlueSoleil\BtTray.exe[2816] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes JMP 5F070F5A
    .text C:\Program Files\IVT Corporation\BlueSoleil\BtTray.exe[2816] ws2_32.dll!connect 71AB4A07 6 Bytes JMP 02AE1000 C:\Program Files\ProxyFirewall\PFW.dll
    .text C:\Program Files\IVT Corporation\BlueSoleil\BtTray.exe[2816] ws2_32.dll!send 71AB4C27 6 Bytes JMP 02AE2300 C:\Program Files\ProxyFirewall\PFW.dll
    .text C:\Program Files\Common Files\Nokia\Tss\Instrument API\bin\root.exe[3216] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes JMP 5F070F5A
    .text C:\Program Files\Common Files\Nokia\Tss\Instrument API\bin\root.exe[3216] WS2_32.dll!connect 71AB4A07 6 Bytes JMP 00A61000 C:\Program Files\ProxyFirewall\PFW.dll
    .text C:\Program Files\Common Files\Nokia\Tss\Instrument API\bin\root.exe[3216] WS2_32.dll!send 71AB4C27 6 Bytes JMP 00A62300 C:\Program Files\ProxyFirewall\PFW.dll

    ---- Devices - GMER 1.0.15 ----

    Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology)
    Device \Driver\atapi \Device\Ide\IdePort0 sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology)
    Device \Driver\atapi \Device\Ide\IdePort1 sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology)
    Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology)
    Device \Driver\USBSTOR \Device\00000075 sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology)
    Device \Driver\USBSTOR \Device\0000007b sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology)
    Device \Driver\fasttx2k \Device\Scsi\fasttx2k1 sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology)
    Device \Driver\fasttx2k \Device\Scsi\fasttx2k1Port2Path0Target1Lun0 sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology)

    ---- Registry - GMER 1.0.15 ----

    Reg HKLM\SYSTEM\ControlSet001\Services\BTHPORT\Parameters\Keys\001167d6b6a5 (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet001\Services\BTHPORT\Parameters\Keys\001167d6b6a5@c8979f5b48db 0x69 0x98 0x62 0xE7 ...
    Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\
    Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
    Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x8C 0x93 0x24 0x0B ...
    Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
    Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x09 0x18 0xE9 0x5D ...
    Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0xC2 0x7A 0xD8 0x02 ...
    Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\001167d6b6a5
    Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\001167d6b6a5@c8979f5b48db 0x69 0x98 0x62 0xE7 ...
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x8C 0x93 0x24 0x0B ...
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x09 0x18 0xE9 0x5D ...
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0xCE 0x6D 0x3A 0xE0 ...
    Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\001167d6b6a5 (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\001167d6b6a5@c8979f5b48db 0x69 0x98 0x62 0xE7 ...
    Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\
    Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
    Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x8C 0x93 0x24 0x0B ...
    Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
    Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x09 0x18 0xE9 0x5D ...
    Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0xCE 0x6D 0x3A 0xE0 ...
     
    Last edited: 2010/08/14
  7. 2010/08/14
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    I'm glad to hear good news :)
    We're not totally done here, yet.

    Firstly, the GMER log seems to be incomplete.
    It should end with an "EOF" line.

    Please, repost it.
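
As an added example for this thread (not GMER's own code and not from any post here), the script below parses the Device and Reg lines of a GMER 1.0.15 log in the layout posted above, groups each hooked device object under the module that owns the hook, and applies the completeness check broni asks for. It assumes that a complete log's last non-empty line begins with "---- EOF"; the embedded sample log is constructed from a few lines of the same shape as the posted one, not copied from it.

```python
"""Parse the device-hook and registry sections of a GMER 1.0.15 log and check
that the scan ran to completion.

Added example, not GMER's code and not from any post in this thread. Assumed
line layout (matches the log posted above):
  Device <driver object> <device object> <hooking module> (<description>)
  Reg    <key>[@<value>] <data or note>
Assumed terminator of a complete log: a last line beginning "---- EOF".
"""
import re
from collections import defaultdict

DEVICE_RE = re.compile(r"^Device\s+(\S+)\s+(\S+)\s+(\S+)\s+\((.*)\)\s*$")
REG_RE = re.compile(r"^Reg\s+(\S+)(?:\s+(.*))?$")
EOF_PREFIX = "---- EOF"

# Constructed sample in the shape of the posted log (not the real log).
SAMPLE_LOG = r"""
Device \Driver\atapi \Device\Ide\IdePort0 sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device \Driver\USBSTOR \Device\00000075 sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device \Driver\fasttx2k \Device\Scsi\fasttx2k1 sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\

---- EOF - GMER 1.0.15 ----
"""


def is_complete(text):
    """True only if the last non-empty line is GMER's EOF marker; a log that
    stops early (scan halted, machine ran out of memory) fails this check."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    return bool(lines) and lines[-1].startswith(EOF_PREFIX)


def parse_gmer(text):
    """Return {'devices': [...], 'registry': [...], 'complete': bool}."""
    devices, registry = [], []
    for raw in text.splitlines():
        line = raw.strip()
        m = DEVICE_RE.match(line)
        if m:
            driver, device, module, desc = m.groups()
            devices.append({"driver": driver, "device": device,
                            "module": module, "description": desc})
            continue
        m = REG_RE.match(line)
        if m:
            path, rest = m.group(1), (m.group(2) or "").strip()
            # GMER writes value names as "<key>@<value>"; a bare key has none.
            key, _, value = path.partition("@")
            registry.append({"key": key, "value": value or None, "data": rest})
    return {"devices": devices, "registry": registry,
            "complete": is_complete(text)}


def hooks_by_module(devices):
    """Group hooked device objects by hooking module, so one driver hooking
    many devices (sfsync02.sys above) appears as a single item to triage."""
    grouped = defaultdict(list)
    for d in devices:
        grouped[d["module"]].append(d["device"])
    return dict(grouped)


if __name__ == "__main__":
    report = parse_gmer(SAMPLE_LOG)
    print("log complete (ends with EOF):", report["complete"])
    for module, devs in hooks_by_module(report["devices"]).items():
        print(f"{module} hooks {len(devs)} device object(s):")
        for dev in devs:
            print("   ", dev)
    for entry in report["registry"]:
        print("Reg", entry["key"], entry["value"], entry["data"])
```

Run against a saved GMER log instead of the sample (read the file into `parse_gmer`), the completeness flag answers broni's question before anyone reads the log by hand, and the grouping shows at a glance that every hook in the posted tail belongs to one module, sfsync02.sys, which GMER itself labels as the StarForce protection driver, with the sptd keys pointing at DAEMON Tools Lite.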
     
  8. 2010/08/14
    TamoNeko

    TamoNeko Inactive Thread Starter

    Joined:
    2010/08/09
    Messages:
    18
    Likes Received:
    0
    I will try to post the full GMER report:
    I'll turn on the scan tomorrow morning and I hope it will finish in a reasonable time; as I said, I have a lot of small files (fonts, icons, saved web pages...) on my C drive, which makes the GMER scan run slow after a while.
    I have just 768 MB of RAM...
    My computer halted after ~2 hours of scanning, due to low memory I guess...
     
  9. 2010/08/14
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Ok...
     
  10. 2010/08/21
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Are you still out there?
     