
Solved Generic Host process for Win32 system has encountered a problem.

Discussion in 'Malware and Virus Removal Archive' started by KStox, 2010/08/19.

  1. 2010/08/19
    KStox

    KStox Inactive Thread Starter

    Joined:
    2010/08/19
    Messages:
    15
    Likes Received:
    0
    [Resolved] Generic Host process for Win32 system has encountered a problem.

    I've read through at least 7 other posts with this problem and haven't found a solution yet. I've tried downloading the Windows patch WindowsXP-KB921883-x86-ENU.exe but it says that my SP is newer than the update. I've also downloaded and scanned with Avira and Malwarebytes but to no avail.

    It started right after I torrented Microsoft Office (yes, bad me for stealing and such). I get the Win32 message upon startup. After about 15 min I lose internet, my theme changes to old-school Windows 98 and I lose audio. Once I restart, everything goes back to normal for another 15 min.

    I'm running XP, SP3. Also, it won't even let me post on the forum. Had to switch to roomie's computer.

    DDS (Ver_10-03-17.01) - FAT32x86
    Run by user at 18:51:50.09 on Thu 08/19/2010
    Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_18
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1136 [GMT -4:00]

    AV: AntiVir Desktop *On-access scanning disabled* (Outdated) {AD166499-45F9-482A-A743-FDD3350758C7}

    ============== Running Processes ===============

    C:\WINDOWS\system32\svchost -k DcomLaunch
    SVCHOST.EXE
    C:\Program Files\AVG\AVG9\avgchsvx.exe
    C:\Program Files\AVG\AVG9\avgrsx.exe
    C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    C:\Program Files\AVG\AVG9\avgcsrvx.exe
    C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    C:\WINDOWS\Explorer.EXE
    SVCHOST.EXE
    SVCHOST.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Avira\AntiVir Desktop\sched.exe
    SVCHOST.EXE
    C:\WINDOWS\System32\svchost.exe -k Akamai
    C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\Program Files\AVG\AVG9\avgwdsvc.exe
    C:\Acer\Empowering Technology\admServ.exe
    C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
    C:\Program Files\AVG\AVG9\avgnsx.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    SVCHOST.EXE
    c:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
    C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\Program Files\AVG\AVG9\avgemc.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\AVG\AVG9\avgcsrvx.exe
    C:\WINDOWS\system32\igfxtray.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\RTHDCPL.EXE
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
    C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
    C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Skype\Phone\Skype.exe
    C:\Documents and Settings\user\Local Settings\Application Data\TheWeatherNetwork\WeatherEye\WeatherEye.exe
    C:\Program Files\uTorrent\uTorrent.exe
    C:\DOCUME~1\user\LOCALS~1\Temp\RtkBtMnt.exe
    C:\Program Files\Steam\Steam.exe
    C:\Program Files\DAEMON Tools Lite\DTLite.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
    C:\Program Files\OpenOffice.org 3\program\soffice.exe
    C:\Program Files\OpenOffice.org 3\program\soffice.bin
    C:\Program Files\Skype\Plugin Manager\skypePM.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Skype\Toolbars\Shared\SkypeNames2.exe
    C:\Documents and Settings\user\My Documents\Downloads\dds.scr

    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://www.facebook.com/?ref=hp
    uInternet Settings,ProxyOverride = *.local
    BHO: moigh Object: {0d8e2067-5d4c-4fbc-9073-ff2229f08bd0} - c:\windows\system32\ithqp.dll
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
    BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
    BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\mi1933~1\office12\GRA8E1~1.DLL
    BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
    BHO: adShotHlpr Object: {b20c3ba6-84cd-4753-a247-a56087cbf37e} - c:\windows\system32\mthqp.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    TB: Acer eDataSecurity Management: {5cbe3b7c-1e47-477e-a7dd-396db0476e29} - c:\windows\system32\eDStoolbar.dll
    TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    uRun: [Skype] "c:\program files\skype\\phone\Skype.exe" /nosplash /minimized
    uRun: [WeatherEye] c:\documents and settings\user\local settings\application data\theweathernetwork\weathereye\WeatherEye.exe
    uRun: [uTorrent] "c:\program files\utorrent\uTorrent.exe "
    uRun: [Steam] "c:\program files\steam\Steam.exe" -silent
    uRun: [DAEMON Tools Lite] "c:\program files\daemon tools lite\DTLite.exe" -autorun
    uRun: [070700Setup.exe] c:\documents and settings\user\application data\e4dace93ffd5e8f2b3ca4464059ba4ac\070700Setup.exe
    uRun: [Hsekihumevixi] rundll32.exe "c:\windows\nenfx80.dll ",Startup
    mRun: [igfxtray] c:\windows\system32\igfxtray.exe
    mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
    mRun: [igfxpers] c:\windows\system32\igfxpers.exe
    mRun: [LaunchApp] Alaunch
    mRun: [SkyTel] SkyTel.EXE
    mRun: [<NO NAME>]
    mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
    mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
    mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
    mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
    mRun: [RTHDCPL] RTHDCPL.EXE
    mRun: [Alcmtr] ALCMTR.EXE
    mRun: [Acer ePower Management] c:\acer\empowering technology\epower\Acer ePower Management.exe boot
    mRun: [LManager] c:\progra~1\launch~1\LManager.exe
    mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe "
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe "
    mRun: [QuickTime Task] "c:\program files\quicktime\qttask .exe" -atboottime
    mRun: [AdobeCS4ServiceManager] "c:\program files\common files\adobe\cs4servicemanager\CS4ServiceManager.exe" -launchedbylogin
    mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    mRun: [sta] rundll32 "mthqp.dll ",,Run
    mRun: [Uyotuhe] rundll32.exe "c:\windows\ivajidifeme.dll ",Startup
    mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe "
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe "
    mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe "
    mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
    mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
    mExplorerRun: [z7b6s8] c:\docume~1\user\locals~1\temp\r3ghaz.exe
    StartupFolder: c:\docume~1\user\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 3\program\quickstart.exe
    StartupFolder: c:\docume~1\user\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
    IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office12\EXCEL.EXE/3000
    IE: Send to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\mi1933~1\office12\ONBttnIE.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office12\REFIEBAR.DLL
    DPF: {5AE58FCF-6F6A-49B2-B064-02492C66E3F4} - hxxp://catalog.update.microsoft.com/v7/site/ClientControl/en/x86/MuCatalogWebControl.cab?1282237957183
    DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1262280737281
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\mi1933~1\office12\GR99D3~1.DLL
    Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
    Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
    Notify: avgrsstarter - avgrsstx.dll
    Notify: igfxcui - igfxdev.dll
    SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\mi1933~1\office12\GRA8E1~1.DLL

    ================= FIREFOX ===================

    FF - ProfilePath - c:\docume~1\user\applic~1\mozilla\firefox\profiles\2uihdpfd.default\
    FF - prefs.js: network.proxy.type - 4
    FF - component: c:\documents and settings\user\application data\mozilla\firefox\profiles\2uihdpfd.default\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}\components\FFExternalAlert.dll
    FF - component: c:\documents and settings\user\application data\mozilla\firefox\profiles\2uihdpfd.default\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}\components\RadioWMPCore.dll
    FF - component: c:\documents and settings\user\application data\mozilla\firefox\profiles\2uihdpfd.default\extensions\radiobar@toolbar\components\toolbarhomewmp.dll
    FF - component: c:\program files\mozilla firefox\extensions\{ab2ce124-6272-4b12-94a9-7303c7397bd1}\components\SkypeFfComponent.dll
    FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npatgpc.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
    FF - HiddenExtension: XULRunner: {05E1D3A1-AE89-419B-9C28-FF15A8225C42} - c:\documents and settings\user\local settings\application data\{05E1D3A1-AE89-419B-9C28-FF15A8225C42}
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}

    ---- FIREFOX POLICIES ----
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref( "security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref ", true);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref( "security.ssl.renego_unrestricted_hosts ", " ");
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref( "security.ssl.treat_unsafe_negotiation_as_broken ", false);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref( "security.ssl.require_safe_negotiation ", false);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref( "security.ssl3.rsa_seed_sha ", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "ui.use_native_colors ", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "ui.use_native_popup_windows ", false);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "browser.enable_click_image_resizing ", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "accessibility.browsewithcaret_shortcut.enabled ", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "javascript.options.mem.high_water_mark ", 32);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "javascript.options.mem.gc_frequency ", 1600);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "network.IDN.whitelist.lu ", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "network.IDN.whitelist.nu ", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "network.IDN.whitelist.nz ", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "network.IDN.whitelist.xn--mgbaam7a8h ", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "network.IDN.whitelist.xn--mgberp4a5d4ar ", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "network.IDN.whitelist.xn--p1ai ", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "network.IDN.whitelist.xn--mgbayh7gpa ", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "network.IDN.whitelist.tel ", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "network.auth.force-generic-ntlm ", false);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "network.proxy.type ", 5);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "network.buffer.cache.count ", 24);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "network.buffer.cache.size ", 4096);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "dom.ipc.plugins.timeoutSecs ", 45);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "svg.smil.enabled ", false);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "ui.trackpoint_hack.enabled ", -1);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "browser.formfill.debug ", false);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "browser.formfill.agedWeight ", 2);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "browser.formfill.bucketSize ", 1);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "browser.formfill.maxTimeGroupings ", 25);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "browser.formfill.timeGroupingSize ", 604800);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "browser.formfill.boundaryWeight ", 25);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "browser.formfill.prefixWeight ", 5);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "accelerometer.enabled ", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref( "html5.enable ", false);
    c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref( "app.update.download.backgroundInterval ", 600);
    c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref( "app.update.url.manual ", "http://www.firefox.com ");
    c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref( "browser.search.param.yahoo-fr-ja ", "mozff ");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref( "extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name ", "chrome://browser/locale/browser.properties ");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref( "extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description ", "chrome://browser/locale/browser.properties ");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref( "xpinstall.whitelist.add ", "addons.mozilla.org ");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref( "xpinstall.whitelist.add.36 ", "getpersonas.com ");
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref( "lightweightThemes.update.enabled ", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref( "browser.allTabs.previews ", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref( "plugins.hide_infobar_for_outdated_plugin ", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref( "plugins.update.notifyUser ", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref( "toolbar.customization.usesheet ", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref( "dom.ipc.plugins.enabled.nptest.dll ", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref( "dom.ipc.plugins.enabled.npswf32.dll ", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref( "dom.ipc.plugins.enabled.npctrl.dll ", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref( "dom.ipc.plugins.enabled.npqtplugin.dll ", true);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref( "dom.ipc.plugins.enabled ", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref( "browser.taskbar.previews.enable ", false);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref( "browser.taskbar.previews.max ", 20);
    c:\program files\mozilla firefox\defaults\pref\firefox.js - pref( "browser.taskbar.previews.cachetime ", 20);

    ============= SERVICES / DRIVERS ===============

    R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2010-8-19 11608]
    R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-12-31 216400]
    R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-12-31 29584]
    R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-12-31 243024]
    R2 Akamai;Akamai NetSession Interface;c:\windows\system32\svchost.exe -k Akamai [2004-8-4 14336]
    R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2010-8-19 135336]
    R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2010-8-19 267432]
    R2 avg9emc;AVG Free E-mail Scanner;c:\program files\avg\avg9\avgemc.exe [2010-7-16 921952]
    R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-7-16 308136]
    R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2010-8-19 60936]
    R2 AWService;AdminWorks Agent X6;c:\acer\empowering technology\admServ.exe [2005-10-24 1314816]
    R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2010-8-19 304464]
    R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2010-8-19 20952]
    S0 hxjve;hxjve; [x]
    S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2009-12-31 32512]
    S3 Revoflt;Revoflt;c:\windows\system32\drivers\revoflt.sys [2010-8-19 27064]

    =============== Created Last 30 ================

    2010-08-19 21:49:32 27064 ----a-w- c:\windows\system32\drivers\revoflt.sys
    2010-08-19 21:49:29 0 d-----w- c:\program files\VS Revo Group
    2010-08-19 20:48:12 0 d-----w- c:\docume~1\user\applic~1\Malwarebytes
    2010-08-19 20:47:25 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-08-19 20:47:23 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
    2010-08-19 20:47:22 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-08-19 20:47:22 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-08-19 18:50:36 0 d-----w- c:\docume~1\user\applic~1\Avira
    2010-08-19 18:46:12 60936 ----a-w- c:\windows\system32\drivers\avgntflt.sys
    2010-08-19 18:46:11 0 d-----w- c:\program files\Avira
    2010-08-19 18:46:11 0 d-----w- c:\docume~1\alluse~1\applic~1\Avira
    2010-08-19 17:15:15 0 d-----w- c:\windows\Security Update for Windows XP (KB958644)
    2010-08-18 14:12:00 0 d-----w- c:\windows\system32\Registry Patrol
    2010-08-18 14:11:55 86016 ----a-w- c:\windows\unvise32.exe
    2010-08-18 14:11:37 0 d-----w- c:\program files\Registry Patrol
    2010-08-18 02:10:33 0 d-----w- c:\windows\system32\NtmsData
    2010-08-18 01:59:23 0 d-----w- c:\docume~1\user\applic~1\FreeFileViewer
    2010-08-18 01:49:14 32592 ----a-w- c:\windows\system32\msonpmon.dll
    2010-08-18 01:43:23 0 d-----w- c:\program files\Microsoft Visual Studio 8
    2010-08-18 01:42:39 0 d-----w- c:\windows\SHELLNEW
    2010-08-18 01:38:40 0 d-----w- C:\New Folder
    2010-08-18 01:37:18 0 d-----w- C:\Microsoft Office 2007
    2010-08-03 15:16:53 0 d-----w- c:\docume~1\user\applic~1\ElevatedDiagnostics
    2010-08-01 17:49:25 0 d-----w- C:\dragon oath
    2010-08-01 17:26:56 0 d-----w- c:\program files\common files\Akamai
    2010-07-30 17:13:29 112 ----a-w- c:\docume~1\alluse~1\applic~1\HRitJVF.dat
    2010-07-21 17:33:11 0 d-----w- c:\program files\iPod
    2010-07-21 03:03:19 0 d-----w- c:\program files\RealTimeImage

    ==================== Find3M ====================

    2010-07-27 06:30:36 8462336 ------w- c:\windows\system32\dllcache\shell32.dll
    2010-07-16 16:13:20 243024 ----a-w- c:\windows\system32\drivers\avgtdix.sys
    2010-07-16 16:13:16 12536 ----a-w- c:\windows\system32\avgrsstx.dll
    2010-07-16 16:13:08 216400 ----a-w- c:\windows\system32\drivers\avgldx86.sys
    2010-07-13 06:20:22 691696 ----a-w- c:\windows\system32\drivers\sptd.sys
    2010-06-30 12:31:36 149504 ----a-w- c:\windows\system32\schannel.dll
    2010-06-30 12:31:36 149504 ------w- c:\windows\system32\dllcache\schannel.dll
    2010-06-23 13:44:04 1851904 ----a-w- c:\windows\system32\win32k.sys
    2010-06-23 13:44:04 1851904 ------w- c:\windows\system32\dllcache\win32k.sys
    2010-06-21 15:27:12 354304 ----a-w- c:\windows\system32\drivers\srv.sys
    2010-06-21 15:27:12 354304 ------w- c:\windows\system32\dllcache\srv.sys
    2010-06-18 13:36:12 3558912 ------w- c:\windows\system32\dllcache\moviemk.exe
    2010-06-17 14:03:00 80384 ----a-w- c:\windows\system32\iccvid.dll
    2010-06-14 14:31:20 744448 ------w- c:\windows\system32\dllcache\helpsvc.exe
    2010-06-14 07:41:46 1172480 ----a-w- c:\windows\system32\msxml3.dll
    2010-06-14 07:41:46 1172480 ------w- c:\windows\system32\dllcache\msxml3.dll
    2010-06-09 23:01:10 133616 ------w- c:\windows\system32\pxafs.dll
    2010-06-09 23:01:10 126448 ------w- c:\windows\system32\pxinsi64.exe
    2010-06-09 23:01:10 123888 ------w- c:\windows\system32\pxcpyi64.exe

    ============= FINISH: 18:54:32.75 ===============
     
  2. 2010/08/19
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Welcome aboard :)

    The Attach.txt part of the DDS log is missing.
     


  4. 2010/08/19
    KStox

    KStox Inactive Thread Starter

    Joined:
    2010/08/19
    Messages:
    15
    Likes Received:
    0
    DDS (Ver_10-03-17.01)

    Microsoft Windows XP Professional
    Boot Device: \Device\HarddiskVolume1
    Install Date: 12/31/2009 12:10:31 PM
    System Uptime: 8/19/2010 6:44:50 PM (0 hours ago)

    Motherboard: Acer | | Grapevine
    Processor: Intel(R) Core(TM)2 CPU T5500 @ 1.66GHz | U1 | 1662/166mhz

    ==== Disk Partitions =========================

    C: is FIXED (FAT32) - 149 GiB total, 96.403 GiB free.
    E: is Removable

    ==== Disabled Device Manager Items =============

    Class GUID:
    Description: Modem Device on High Definition Audio Bus
    Device ID: HDAUDIO\FUNC_02&VEN_14F1&DEV_2C06&SUBSYS_1025007F&REV_1000\4&5CA37AC&0&0102
    Manufacturer:
    Name: Modem Device on High Definition Audio Bus
    PNP Device ID: HDAUDIO\FUNC_02&VEN_14F1&DEV_2C06&SUBSYS_1025007F&REV_1000\4&5CA37AC&0&0102
    Service:

    Class GUID: {4D36E965-E325-11CE-BFC1-08002BE10318}
    Description: CD-ROM Drive
    Device ID: IDE\CDROMPIONEER_DVD-RW_DVR-K17RS________________1.00____\47_04446384C323531395733204C202020202020
    Manufacturer: (Standard CD-ROM drives)
    Name: PIONEER DVD-RW DVR-K17RS
    PNP Device ID: IDE\CDROMPIONEER_DVD-RW_DVR-K17RS________________1.00____\47_04446384C323531395733204C202020202020
    Service: cdrom

    ==== System Restore Points ===================

    RP1: 8/17/2010 9:59:40 PM - System Checkpoint
    RP2: 8/18/2010 10:05:47 AM - Software Distribution Service 3.0
    RP3: 8/19/2010 11:07:32 AM - Software Distribution Service 3.0

    ==== Installed Programs ======================


    µTorrent
    Acer eDataSecurity Management
    Acer eDataSecurity Management 1.00.26
    Acer Empowering Technology framework
    Acer eNet Management
    Acer ePerformance Management
    Acer ePower Management
    Acer ePresentation Management
    Acer eSettings Management
    Acer GridVista
    Acer OrbiCam
    Acer Screensaver
    Acrobat.com
    Adobe AIR
    Adobe Anchor Service CS4
    Adobe Bridge 1.0
    Adobe Bridge CS4
    Adobe CMaps CS4
    Adobe Color EU Extra Settings CS4
    Adobe Color JA Extra Settings CS4
    Adobe Color NA Recommended Settings CS4
    Adobe Common File Installer
    Adobe CSI CS4
    Adobe Default Language CS4
    Adobe Drive CS4
    Adobe ExtendScript Toolkit CS4
    Adobe Extension Manager CS4
    Adobe Flash Player 10 ActiveX
    Adobe Flash Player 10 Plugin
    Adobe Fonts All
    Adobe Help Center 1.0
    Adobe InDesign CS2 Trial
    Adobe InDesign CS4
    Adobe InDesign CS4 Application Feature Set Files (Roman)
    Adobe InDesign CS4 Common Base Files
    Adobe InDesign CS4 Icon Handler
    Adobe Linguistics CS4
    Adobe Output Module
    Adobe PDF Library Files CS4
    Adobe Reader 9.3.3
    Adobe Search for Help
    Adobe Service Manager Extension
    Adobe Setup
    Adobe SGM CS4
    Adobe SING CS4
    Adobe Stock Photos 1.0
    Adobe Type Support CS4
    Adobe Update Manager CS4
    Adobe WinSoft Linguistics Plugin
    Adobe XMP Panels CS4
    AdobeColorCommonSetCMYK
    AdobeColorCommonSetRGB
    Akamai NetSession Interface
    Apple Application Support
    Apple Mobile Device Support
    Apple Software Update
    AVG Free 9.0
    Avira AntiVir Personal - Free Antivirus
    Bonjour
    Connect
    DivX Setup
    HDAUDIO Soft Data Fax Modem with SmartCP
    High Definition Audio Driver Package - KB888111
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    Hotfix for Windows XP (KB952287)
    Hotfix for Windows XP (KB954550-v5)
    Hotfix for Windows XP (KB961118)
    Hotfix for Windows XP (KB976098-v2)
    Hotfix for Windows XP (KB979306)
    Hotfix for Windows XP (KB981793)
    Intel(R) Graphics Media Accelerator Driver
    Intel(R) PROSet/Wireless Software
    InterActual Player
    iTunes
    Java Auto Updater
    Java(TM) 6 Update 18
    kuler
    Launch Manager
    LightScribe 1.4.97.1
    Malwarebytes' Anti-Malware
    mCore
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1 Security Update (KB979906)
    Microsoft .NET Framework 2.0 Service Pack 2
    Microsoft .NET Framework 3.0 Service Pack 2
    Microsoft .NET Framework 3.5 SP1
    Microsoft Application Error Reporting
    Microsoft Choice Guard
    Microsoft Internationalized Domain Names Mitigation APIs
    Microsoft National Language Support Downlevel APIs
    Microsoft Office Access MUI (English) 2007
    Microsoft Office Access Setup Metadata MUI (English) 2007
    Microsoft Office Enterprise 2007
    Microsoft Office Excel MUI (English) 2007
    Microsoft Office Groove MUI (English) 2007
    Microsoft Office Groove Setup Metadata MUI (English) 2007
    Microsoft Office InfoPath MUI (English) 2007
    Microsoft Office OneNote MUI (English) 2007
    Microsoft Office Outlook MUI (English) 2007
    Microsoft Office PowerPoint MUI (English) 2007
    Microsoft Office Proof (English) 2007
    Microsoft Office Proof (French) 2007
    Microsoft Office Proof (Spanish) 2007
    Microsoft Office Proofing (English) 2007
    Microsoft Office Publisher MUI (English) 2007
    Microsoft Office Shared MUI (English) 2007
    Microsoft Office Shared Setup Metadata MUI (English) 2007
    Microsoft Office Word MUI (English) 2007
    Microsoft Silverlight
    Microsoft Software Update for Web Folders (English) 12
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    Microsoft XML Parser
    mMHouse
    MobileMe Control Panel
    Mozilla Firefox (3.6.8)
    mPfMgr
    mProSafe
    MSVCRT
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    mWlsSafe
    mXML
    NTI Backup NOW! 4.5
    NTI CD & DVD-Maker
    OpenOffice.org 3.1
    Page Perfect 2 Plugin for CS4
    PagePerfect 2
    PagePerfect 2 Upload Application
    PDF Settings CS4
    Photoshop Camera Raw
    Portal
    PowerDVD
    Proofing Client 6.1
    QuickTime
    Realtek High Definition Audio Driver
    Registry Patrol
    Revo Uninstaller Pro 2.4.1
    Safari
    Security Update for CAPICOM (KB931906)
    Security Update for Windows Internet Explorer 7 (KB938127-v2)
    Security Update for Windows Internet Explorer 7 (KB976325)
    Security Update for Windows Internet Explorer 7 (KB978207)
    Security Update for Windows Media Player (KB952069)
    Security Update for Windows Media Player (KB954155)
    Security Update for Windows Media Player (KB968816)
    Security Update for Windows Media Player (KB973540)
    Security Update for Windows Media Player (KB978695)
    Security Update for Windows Media Player (KB979402)
    Security Update for Windows XP (KB2079403)
    Security Update for Windows XP (KB2115168)
    Security Update for Windows XP (KB2160329)
    Security Update for Windows XP (KB2229593)
    Security Update for Windows XP (KB2286198)
    Security Update for Windows XP (KB923561)
    Security Update for Windows XP (KB923789)
    Security Update for Windows XP (KB946648)
    Security Update for Windows XP (KB950762)
    Security Update for Windows XP (KB950974)
    Security Update for Windows XP (KB951066)
    Security Update for Windows XP (KB951376-v2)
    Security Update for Windows XP (KB951748)
    Security Update for Windows XP (KB952004)
    Security Update for Windows XP (KB952954)
    Security Update for Windows XP (KB954459)
    Security Update for Windows XP (KB955069)
    Security Update for Windows XP (KB956572)
    Security Update for Windows XP (KB956744)
    Security Update for Windows XP (KB956802)
    Security Update for Windows XP (KB956803)
    Security Update for Windows XP (KB956844)
    Security Update for Windows XP (KB957097)
    Security Update for Windows XP (KB958644)
    Security Update for Windows XP (KB958687)
    Security Update for Windows XP (KB958869)
    Security Update for Windows XP (KB959426)
    Security Update for Windows XP (KB960225)
    Security Update for Windows XP (KB960803)
    Security Update for Windows XP (KB960859)
    Security Update for Windows XP (KB961371-v2)
    Security Update for Windows XP (KB961501)
    Security Update for Windows XP (KB969059)
    Security Update for Windows XP (KB969947)
    Security Update for Windows XP (KB970238)
    Security Update for Windows XP (KB970430)
    Security Update for Windows XP (KB971468)
    Security Update for Windows XP (KB971486)
    Security Update for Windows XP (KB971557)
    Security Update for Windows XP (KB971633)
    Security Update for Windows XP (KB971657)
    Security Update for Windows XP (KB971961)
    Security Update for Windows XP (KB972270)
    Security Update for Windows XP (KB973354)
    Security Update for Windows XP (KB973507)
    Security Update for Windows XP (KB973525)
    Security Update for Windows XP (KB973869)
    Security Update for Windows XP (KB973904)
    Security Update for Windows XP (KB974112)
    Security Update for Windows XP (KB974318)
    Security Update for Windows XP (KB974392)
    Security Update for Windows XP (KB974571)
    Security Update for Windows XP (KB975025)
    Security Update for Windows XP (KB975467)
    Security Update for Windows XP (KB975560)
    Security Update for Windows XP (KB975561)
    Security Update for Windows XP (KB975562)
    Security Update for Windows XP (KB975713)
    Security Update for Windows XP (KB976325)
    Security Update for Windows XP (KB977165)
    Security Update for Windows XP (KB977816)
    Security Update for Windows XP (KB977914)
    Security Update for Windows XP (KB978037)
    Security Update for Windows XP (KB978251)
    Security Update for Windows XP (KB978262)
    Security Update for Windows XP (KB978338)
    Security Update for Windows XP (KB978542)
    Security Update for Windows XP (KB978601)
    Security Update for Windows XP (KB978706)
    Security Update for Windows XP (KB979309)
    Security Update for Windows XP (KB979482)
    Security Update for Windows XP (KB979559)
    Security Update for Windows XP (KB979683)
    Security Update for Windows XP (KB980195)
    Security Update for Windows XP (KB980218)
    Security Update for Windows XP (KB980232)
    Security Update for Windows XP (KB980436)
    Security Update for Windows XP (KB981349)
    Security Update for Windows XP (KB981852)
    Security Update for Windows XP (KB981997)
    Security Update for Windows XP (KB982214)
    Security Update for Windows XP (KB982665)
    Segoe UI
    Skype Toolbars
    Skype™ 4.2
    Steam
    Suite Shared Configuration CS4
    Synaptics Pointing Device Driver
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Update for Outlook 2007 Junk Email Filter (kb2279264)
    Update for Windows Internet Explorer 7 (KB980182)
    Update for Windows XP (KB951978)
    Update for Windows XP (KB955759)
    Update for Windows XP (KB961503)
    Update for Windows XP (KB967715)
    Update for Windows XP (KB968389)
    Update for Windows XP (KB971737)
    Update for Windows XP (KB973687)
    Update for Windows XP (KB973815)
    VC80CRTRedist - 8.0.50727.4053
    VLC media player 1.0.2
    WeatherEye
    WebEx
    WebFldrs XP
    WIDCOMM Bluetooth Software
    Windows Genuine Advantage Notifications (KB905474)
    Windows Genuine Advantage Validation Tool (KB892130)
    Windows Internet Explorer 7
    Windows Live Call
    Windows Live Communications Platform
    Windows Live Essentials
    Windows Live Messenger
    Windows Live Sign-in Assistant
    Windows Live Upload Tool
    Windows PowerShell(TM) 1.0
    Windows XP Service Pack 3
    Zoo Tycoon Expanded

    ==== Event Viewer Messages From Past Week ========

    8/19/2010 5:57:41 PM, error: Service Control Manager [7032] - The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Background Intelligent Transfer Service service, but this action failed with the following error: An instance of the service is already running.
    8/19/2010 5:15:01 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: abp480n5 adpu160m agp440 agpCPQ Aha154x aic78u2 aic78xx AliIde alim1541 amdagp amsint asc asc3350p asc3550 cbidf cd20xrnt CmdIde Cpqarray dac2w2k dac960nt dpti2o hpn i2omp ini910u IntelIde mraid35x perc2 perc2hib ql1080 Ql10wnt ql12160 ql1240 ql1280 sisagp Sparrow symc810 symc8xx sym_hi sym_u3 TosIde UBHelper ultra viaagp ViaIde
    8/19/2010 5:01:28 PM, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 15 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)
    8/19/2010 4:37:54 PM, error: Service Control Manager [7000] - The iPod Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
    8/19/2010 4:37:53 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the iPod Service service to connect.
    8/19/2010 4:37:53 PM, error: DCOM [10005] - DCOM got error "%1053" attempting to start the service iPod Service with arguments " " in order to run the server: {063D34A4-BF84-4B8D-B699-E8CA06504DDE}
    8/19/2010 2:45:15 PM, error: SideBySide [59] - Resolve Partial Assembly failed for Microsoft.VC90.CRT. Reference error message: The referenced assembly is not installed on your system. .
    8/19/2010 2:45:15 PM, error: SideBySide [59] - Generate Activation Context failed for C:\DOCUME~1\user\LOCALS~1\Temp\RarSFX0\redist.dll. Reference error message: The operation completed successfully. .
    8/19/2010 2:45:15 PM, error: SideBySide [32] - Dependent Assembly Microsoft.VC90.CRT could not be found and Last Error was The referenced assembly is not installed on your system.
    8/19/2010 11:33:06 AM, error: Service Control Manager [7032] - The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Task Scheduler service, but this action failed with the following error: An instance of the service is already running.
    8/18/2010 9:55:24 AM, error: Service Control Manager [7032] - The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Windows Management Instrumentation service, but this action failed with the following error: An instance of the service is already running.
    8/18/2010 2:30:10 PM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the stisvc service.
    8/18/2010 10:03:22 AM, error: Ftdisk [49] - Configuring the Page file for crash dump failed. Make sure there is a page file on the boot partition and that is large enough to contain all physical memory.
    8/18/2010 10:03:22 AM, error: Ftdisk [45] - The system could not sucessfully load the crash dump driver.
    8/17/2010, error: Schedule [7901] - The At1.job command failed to start due to the following error: %%2147942402
    8/17/2010 9:00:00 PM, error: Schedule [7901] - The At22.job command failed to start due to the following error: %%2147942402
    8/17/2010 8:00:00 PM, error: Schedule [7901] - The At21.job command failed to start due to the following error: %%2147942402
    8/17/2010 7:00:00 PM, error: Schedule [7901] - The At20.job command failed to start due to the following error: %%2147942402
    8/17/2010 6:19:05 PM, error: MRxSmb [8003] - The master browser has received a server announcement from the computer KAREN-PC that believes that it is the master browser for the domain on transport NetBT_Tcpip_{9EBE37D5-B95A-4596-. The master browser is stopping or an election is being forced.
    8/17/2010 6:00:00 PM, error: Schedule [7901] - The At19.job command failed to start due to the following error: %%2147942402
    8/17/2010 5:00:00 PM, error: Schedule [7901] - The At18.job command failed to start due to the following error: %%2147942402
    8/17/2010 4:00:00 PM, error: Schedule [7901] - The At17.job command failed to start due to the following error: %%2147942402
    8/17/2010 3:00:00 PM, error: Schedule [7901] - The At16.job command failed to start due to the following error: %%2147942402
    8/17/2010 3:00:00 AM, error: Schedule [7901] - The At4.job command failed to start due to the following error: %%2147942402
    8/17/2010 2:00:00 PM, error: Schedule [7901] - The At15.job command failed to start due to the following error: %%2147942402
    8/17/2010 2:00:00 AM, error: Schedule [7901] - The At3.job command failed to start due to the following error: %%2147942402
    8/17/2010 12:00:00 PM, error: Schedule [7901] - The At13.job command failed to start due to the following error: %%2147942402
    8/17/2010 11:00:00 AM, error: Schedule [7901] - The At12.job command failed to start due to the following error: %%2147942402
    8/17/2010 10:42:23 AM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the WZCSVC service.
    8/17/2010 10:00:00 PM, error: Schedule [7901] - The At23.job command failed to start due to the following error: %%2147942402
    8/17/2010 1:00:00 PM, error: Schedule [7901] - The At14.job command failed to start due to the following error: %%2147942402
    8/17/2010 1:00:00 AM, error: Schedule [7901] - The At2.job command failed to start due to the following error: %%2147942402
    8/15/2010 5:00:00 AM, error: Schedule [7901] - The At6.job command failed to start due to the following error: %%2147942402
    8/15/2010 4:00:00 AM, error: Schedule [7901] - The At5.job command failed to start due to the following error: %%2147942402
    8/15/2010 11:00:00 PM, error: Schedule [7901] - The At24.job command failed to start due to the following error: %%2147942402
    8/13/2010 10:00:00 AM, error: Schedule [7901] - The At11.job command failed to start due to the following error: %%2147942402

    ==== End Of File ===========================
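The Event Viewer extract above carries two things worth pulling out before touching the machine: the Service Control Manager reports unexpected termination of BITS, Task Scheduler and WMI (on XP all three run inside svchost.exe, the process the "Generic Host Process for Win32 Services" dialog refers to), and a family of AtN.job tasks (At1 through At24) fails every hour with %%2147942402. The following script is an added example, not code from the post or from DDS: it parses the one-line DDS event format, decodes %%N / %N codes (2147942402 is the HRESULT 0x80070002, which wraps Win32 error 2, ERROR_FILE_NOT_FOUND; %1053 is ERROR_SERVICE_REQUEST_TIMEOUT) and groups the events an analyst looks at first. The sample lines are constructed in the DDS format, and the Win32 name table is an assumed subset.

```python
"""Triage the "Event Viewer Messages From Past Week" section of a DDS log.

Added example for this thread; it is not code from the post above or from
the DDS tool. The sample lines are constructed in the one-line format DDS
prints: date[ time], level: source [event id] - message.
"""
import re
from collections import Counter

# Constructed sample in DDS format (line shapes taken from the posted log).
SAMPLE = """\
8/19/2010 5:57:41 PM, error: Service Control Manager [7032] - The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Background Intelligent Transfer Service service, but this action failed with the following error: An instance of the service is already running.
8/19/2010 4:37:53 PM, error: DCOM [10005] - DCOM got error "%1053" attempting to start the service iPod Service with arguments " " in order to run the server: {063D34A4-BF84-4B8D-B699-E8CA06504DDE}
8/19/2010 11:33:06 AM, error: Service Control Manager [7032] - The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Task Scheduler service, but this action failed with the following error: An instance of the service is already running.
8/18/2010 9:55:24 AM, error: Service Control Manager [7032] - The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Windows Management Instrumentation service, but this action failed with the following error: An instance of the service is already running.
8/17/2010 9:00:00 PM, error: Schedule [7901] - The At22.job command failed to start due to the following error: %%2147942402
8/17/2010 8:00:00 PM, error: Schedule [7901] - The At21.job command failed to start due to the following error: %%2147942402
8/17/2010, error: Schedule [7901] - The At1.job command failed to start due to the following error: %%2147942402
"""

LINE_RE = re.compile(
    r"^(?P<when>[^,]+), (?P<level>\w+): (?P<source>.+?) \[(?P<event_id>\d+)\] - (?P<msg>.*)$"
)
CODE_RE = re.compile(r"%%?(\d+)")          # %%2147942402 (HRESULT) or %1053 (Win32)
TERM_RE = re.compile(r"unexpected termination of the (.+?) service,")
JOB_RE = re.compile(r"The (\S+\.job) command failed to start")

# Assumed subset of Win32 error names; extend as needed.
WIN32_NAMES = {
    2: "ERROR_FILE_NOT_FOUND",
    5: "ERROR_ACCESS_DENIED",
    1053: "ERROR_SERVICE_REQUEST_TIMEOUT",
}


def decode_code(code):
    """Return (hex, win32_code, name) for a %%N / %N value.

    A value with the high bit set is an HRESULT; facility 7 (0x8007xxxx)
    wraps a Win32 error in the low 16 bits. Small values are Win32 errors.
    """
    if code >= 0x80000000 and (code >> 16) == 0x8007:
        win32 = code & 0xFFFF
    elif code < 0x10000:
        win32 = code
    else:
        return f"0x{code:08X}", None, "HRESULT from another facility"
    return f"0x{code:08X}", win32, WIN32_NAMES.get(win32, "unknown")


def parse_events(text):
    """Split the DDS section into dicts; lines that do not fit are ignored."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ev = m.groupdict()
            ev["event_id"] = int(ev["event_id"])
            events.append(ev)
    return events


def unexpected_terminations(events):
    """Services the SCM reports as having died (event 7032), in log order."""
    return [
        TERM_RE.search(ev["msg"]).group(1)
        for ev in events
        if ev["source"] == "Service Control Manager"
        and ev["event_id"] == 7032
        and TERM_RE.search(ev["msg"])
    ]


def failed_at_jobs(events):
    """Count Schedule 7901 failures per AtN.job."""
    jobs = Counter()
    for ev in events:
        if ev["source"] == "Schedule" and ev["event_id"] == 7901:
            m = JOB_RE.search(ev["msg"])
            if m:
                jobs[m.group(1)] += 1
    return jobs


def triage(text):
    """What to look at first: dead services, failing At jobs, decoded codes."""
    events = parse_events(text)
    codes = {}
    for ev in events:
        for c in CODE_RE.findall(ev["msg"]):
            codes[f'{ev["source"]} {ev["event_id"]} %{c}'] = decode_code(int(c))
    return {
        "events": len(events),
        "services_terminated": unexpected_terminations(events),
        "at_jobs_failed": dict(failed_at_jobs(events)),
        "codes": codes,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```

The script only extracts; it does not decide whether the At jobs are legitimate. On XP the .job files live in C:\WINDOWS\Tasks, and jobs created with at.exe run as SYSTEM, so a set of 24 hourly ones whose command no longer exists is worth opening by hand.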
     
  5. 2010/08/19
    broni, Moderator / Malware Analyst (joined 2002/08/01)
    You're running two AV programs, AVG and Avira.
    One of them has to go.
    If AVG (preferably), use AVG Remover: http://www.avg.com/us-en/download-tools

    Then....

    STEP 1. Download Malwarebytes' Anti-Malware (aka MBAM): http://www.malwarebytes.org/mbam.php to your desktop.
    (Malwarebytes is free to use as a manual scanner. Payment is only required if you wish to have it run and update automatically, which is not necessary for our purposes.)

    * Double-click mbam-setup.exe and follow the prompts to install the program.
    * At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    * If an update is found, it will download and install the latest version.
    * Once the program has loaded, select Perform Quick Scan, then click Scan.
    * When the scan is complete, click OK, then Show Results to view the results.
    * Be sure that everything is checked, and click Remove Selected.
    * When completed, a log will open in Notepad.
    * Post the log back here.

    The log can also be found here:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
    Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt


    STEP 2. Download GMER: http://www.gmer.net/files.php, by clicking on Download EXE button.
    Alternative downloads:
    - http://majorgeeks.com/GMER_d5198.html
    - http://www.softpedia.com/get/Interne...ers/GMER.shtml
    Double click on downloaded .exe file, select Rootkit tab and click the Scan button.
    Do NOT use the computer while GMER is running!
    When scan is completed, click Save button, and save the results as gmer.log
    Warning! Please do not select the "Show all" checkbox during the scan.
    Post the log to your next reply.

    IMPORTANT! If for some reason GMER refuses to run, try again.
    If it still fails, try to UN-check "Devices" in right pane.
    If still no joy, try to run it from Safe Mode.


    STEP 3. Download MBRCheck to your desktop

    Double click MBRCheck.exe to run (Vista and Windows 7 users, right click and select Run as Administrator).
    It will show a black screen with some data on it.
    A report called MBRcheckxxxx.txt will be on your desktop
    Open this report and post its content in your next reply.



    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
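Step 2 above asks for a GMER log, and reading one by hand is where mistakes happen. The script below is an added example, not code from the post or from GMER: it pulls out the parts an analyst checks first, namely SSDT hooks grouped by the module GMER attributes them to (GMER prints a bare address when it cannot map a hook to a loaded module, and those are the entries to resolve first, for instance against the driver base addresses MBRCheck lists), IAT redirections inside kernel drivers, and files flagged as "suspicious modification". It also ties a hooking driver back to its service through the Devices section and to the service's configured path through the Cfg@p0 registry value. The sample lines are constructed in the line shapes GMER 1.0.15 writes; lines the patterns do not cover are kept in an "unparsed" list rather than dropped. Whether a named driver is a benign disc-emulation component or hostile is still the analyst's call; the script only makes the attribution explicit.

```python
"""Triage a saved GMER rootkit-scan log (gmer.log).

Added example for this thread; it is not code from the post above or from
GMER. The sample below is constructed in the line shapes GMER 1.0.15 writes.
"""
import re
from collections import defaultdict

# Constructed sample (raw string: GMER paths are full of backslashes).
SAMPLE = r"""
---- System - GMER 1.0.15 ----

SSDT ABE75BE6 ZwCreateKey
SSDT spql.sys ZwEnumerateKey [0xB9ECDDA4]
SSDT ABE75BC8 ZwOpenProcess
SSDT spql.sys ZwOpenKey [0xB9EB50C0]

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [B9EB6042] spql.sys
IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [B9EC5B90] spql.sys
IAT \SystemRoot\System32\Drivers\a6c32p25.SYS[HAL.dll!KfAcquireSpinLock] 18C4830E

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Fastfat \FatCdrom 8A6751F8
Device \Driver\sptd \Device\1876466996 spql.sys
Device -> \Driver\atapi \Device\Harddisk0\DR0 8A4F9EC5

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification
"""

SECTION_RE = re.compile(r"^---- ")
SSDT_RE = re.compile(r"^SSDT (\S+) (Zw\w+)")
IAT_RE = re.compile(r"^IAT (.+?)\[([^!\]]+)!([^\]]+)\] \[([0-9A-Fa-f]+)\] (\S+)$")
DEVICE_RE = re.compile(r"^Device (?:-> )?(\S+) (\S+) (\S+)$")
REG_PATH_RE = re.compile(r"^Reg HKLM\\SYSTEM\\CurrentControlSet\\Services\\(\w+)\\.*@p0 (.+)$")
FILE_RE = re.compile(r"^File (.+?) suspicious modification$")
BARE_ADDR_RE = re.compile(r"^[0-9A-Fa-f]{8}$")   # GMER could not name the module


def triage(text):
    """Group hooks by hooking module and tie modules to services and paths."""
    ssdt = defaultdict(list)      # hooking module -> [Zw functions]
    iat = []                      # (target driver, import, hooking module)
    owners = defaultdict(set)     # module -> {service names from \Driver\<svc>}
    cfg_paths = {}                # service -> path from its Cfg@p0 value
    suspicious_files = []
    unparsed = []                 # SSDT/IAT/File lines the patterns do not cover
    for raw in text.splitlines():
        line = raw.strip()
        if not line or SECTION_RE.match(line):
            continue
        if m := SSDT_RE.match(line):
            who = "<unattributed>" if BARE_ADDR_RE.match(m.group(1)) else m.group(1)
            ssdt[who].append(m.group(2))
        elif m := IAT_RE.match(line):
            iat.append((m.group(1), f"{m.group(2)}!{m.group(3)}", m.group(5)))
        elif m := DEVICE_RE.match(line):
            # Only device objects whose owner column is a module name are useful.
            if m.group(3).lower().endswith(".sys"):
                owners[m.group(3)].add(m.group(1).rsplit("\\", 1)[-1])
        elif m := REG_PATH_RE.match(line):
            cfg_paths[m.group(1)] = m.group(2)
        elif m := FILE_RE.match(line):
            suspicious_files.append(m.group(1))
        elif line.startswith(("SSDT ", "IAT ", "File ")):
            unparsed.append(line)

    hints = {}
    for mod, svcs in owners.items():
        parts = []
        for svc in sorted(svcs):
            path = cfg_paths.get(svc)
            parts.append(f"service '{svc}'" + (f" (Cfg@p0 = {path})" if path else ""))
        hints[mod] = "; ".join(parts)

    findings = []
    for mod, funcs in ssdt.items():
        if mod == "<unattributed>":
            findings.append(f"{len(funcs)} SSDT hooks at bare addresses GMER could not map "
                            f"to a loaded module: {', '.join(funcs)}")
        else:
            findings.append(f"{len(funcs)} SSDT hooks by {mod} "
                            f"({hints.get(mod, 'no owning service found')})")
    for target, imp, mod in iat:
        findings.append(f"IAT of {target}: {imp} redirected to {mod}")
    for path in suspicious_files:
        findings.append(f"{path} flagged 'suspicious modification': "
                        f"verify its hash against a known-good copy")
    return {"ssdt": dict(ssdt), "iat": iat, "hints": hints,
            "suspicious_files": suspicious_files, "unparsed": unparsed,
            "findings": findings}


if __name__ == "__main__":
    for finding in triage(SAMPLE)["findings"]:
        print(finding)
```

Run it against the saved gmer.log instead of SAMPLE by reading the file with `open(path, encoding="utf-8", errors="replace").read()`; GMER writes plain text, so no further conversion is needed.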
     
  6. 2010/08/19
    KStox, Inactive Thread Starter (joined 2010/08/19)
    Malwarebytes' Anti-Malware 1.46
    www.malwarebytes.org

    Database version: 4052

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 7.0.5730.13

    8/19/2010 9:32:53 PM
    mbam-log-2010-08-19 (21-32-53).txt

    Scan type: Quick scan
    Objects scanned: 138536
    Time elapsed: 9 minute(s), 52 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 9

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    C:\Documents and Settings\user\My Documents\downloads\PerfectOptimizer.exe (PUP.PerfectOptimizer) -> Quarantined and deleted successfully.
    C:\Documents and Settings\user\My Documents\downloads\PerfectOptimizer(2).exe (PUP.PerfectOptimizer) -> Quarantined and deleted successfully.
    C:\Recycled\Dc8\PerfectOptimizer.exe (Rogue.Multiple) -> Quarantined and deleted successfully.
    C:\Recycled\Dc8\SEClean.DLL (Rogue.Multiple) -> Quarantined and deleted successfully.
    C:\Recycled\Dc8\SERes.DLL (PUP.PerfectOptimizer) -> Quarantined and deleted successfully.
    C:\Recycled\Dc8\FreeUse.dll (PUP.PerfectOptimizer) -> Quarantined and deleted successfully.
    C:\Recycled\Dc8\Update.exe (Rogue.Multiple) -> Quarantined and deleted successfully.
    C:\Recycled\Dc8\WinUpdate.exe (Rogue.Multiple) -> Quarantined and deleted successfully.
    C:\Recycled\Dc8\License.dll (PUP.PerfectOptimizer) -> Quarantined and deleted successfully.

    GMER 1.0.15.15281 - http://www.gmer.net
    Rootkit scan 2010-08-19 22:55:17
    Windows 5.1.2600 Service Pack 3
    Running: ilkvssyh.exe; Driver: C:\DOCUME~1\user\LOCALS~1\Temp\axlorfob.sys


    ---- System - GMER 1.0.15 ----

    SSDT ABE75BE6 ZwCreateKey
    SSDT ABE75BDC ZwCreateThread
    SSDT ABE75BEB ZwDeleteKey
    SSDT ABE75BF5 ZwDeleteValueKey
    SSDT spql.sys ZwEnumerateKey [0xB9ECDDA4]
    SSDT spql.sys ZwEnumerateValueKey [0xB9ECE132]
    SSDT ABE75C13 ZwLoadDriver
    SSDT ABE75BFA ZwLoadKey
    SSDT spql.sys ZwOpenKey [0xB9EB50C0]
    SSDT ABE75BC8 ZwOpenProcess
    SSDT ABE75BCD ZwOpenThread
    SSDT spql.sys ZwQueryKey [0xB9ECE20A]
    SSDT spql.sys ZwQueryValueKey [0xB9ECE08A]
    SSDT ABE75C04 ZwReplaceKey
    SSDT ABE75BFF ZwRestoreKey
    SSDT ABE75C18 ZwSetSystemInformation
    SSDT ABE75BF0 ZwSetValueKey
    SSDT ABE75BD7 ZwTerminateProcess
    SSDT ABE75BD2 ZwWriteVirtualMemory

    INT 0x62 ? 8A68BBF8
    INT 0x63 ? 8A337CF8
    INT 0x82 ? 8A68BBF8
    INT 0x94 ? 8A337CF8
    INT 0xB4 ? 8A337CF8

    ---- Kernel code sections - GMER 1.0.15 ----

    ? spql.sys The system cannot find the file specified. !
    .text USBPORT.SYS!DllUnload B735F8AC 5 Bytes JMP 8A3372D8
    .text a6c32p25.SYS B2B16386 35 Bytes [00, 00, 00, 00, 00, 00, 20, ...]
    .text a6c32p25.SYS B2B163AA 24 Bytes [00, 00, 00, 00, 00, 00, 00, ...]
    .text a6c32p25.SYS B2B163C4 3 Bytes [00, 80, 02]
    .text a6c32p25.SYS B2B163C9 1 Byte [30]
    .text a6c32p25.SYS B2B163C9 11 Bytes [30, 00, 00, 00, 5E, 02, 00, ...] {XOR [EAX], AL; ADD [EAX], AL; POP ESI; ADD AL, [EAX]; ADD [EAX], AL; ADD [EAX], AL}
    .text ...

    ---- User code sections - GMER 1.0.15 ----

    .text C:\WINDOWS\Explorer.EXE[648] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00B7000A
    .text C:\WINDOWS\Explorer.EXE[648] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00C1000A
    .text C:\WINDOWS\Explorer.EXE[648] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00B6000C
    .text C:\WINDOWS\System32\svchost.exe[1700] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 009A000A
    .text C:\WINDOWS\System32\svchost.exe[1700] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 009B000A
    .text C:\WINDOWS\System32\svchost.exe[1700] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0099000C
    .text C:\WINDOWS\System32\svchost.exe[1700] USER32.dll!GetCursorPos 7E42974E 5 Bytes JMP 0284000A
    .text C:\WINDOWS\System32\svchost.exe[1700] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 00E7000A
    .text C:\Program Files\Mozilla Firefox\firefox.exe[4020] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0124000A
    .text C:\Program Files\Mozilla Firefox\firefox.exe[4020] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 0125000A
    .text C:\Program Files\Mozilla Firefox\firefox.exe[4020] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0123000C
    .text C:\Program Files\Mozilla Firefox\firefox.exe[4020] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 004013F0 C:\Program Files\Mozilla Firefox\firefox.exe (Firefox/Mozilla Corporation)

    ---- Kernel IAT/EAT - GMER 1.0.15 ----

    IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [B9EB6042] spql.sys
    IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [B9EB613E] spql.sys
    IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [B9EB60C0] spql.sys
    IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [B9EB6800] spql.sys
    IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [B9EB66D6] spql.sys
    IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [B9EC5B90] spql.sys
    IAT \SystemRoot\System32\Drivers\a6c32p25.SYS[HAL.dll!KfAcquireSpinLock] 18C4830E
    IAT \SystemRoot\System32\Drivers\a6c32p25.SYS[HAL.dll!READ_PORT_UCHAR] 1C959E88
    IAT \SystemRoot\System32\Drivers\a6c32p25.SYS[HAL.dll!KeGetCurrentIrql] 9E880000
    IAT \SystemRoot\System32\Drivers\a6c32p25.SYS[HAL.dll!KfRaiseIrql] 00001CB1
    IAT \SystemRoot\System32\Drivers\a6c32p25.SYS[HAL.dll!KfLowerIrql] 0E798366
    IAT \SystemRoot\System32\Drivers\a6c32p25.SYS[HAL.dll!HalGetInterruptVector] 74AAB000
    IAT \SystemRoot\System32\Drivers\a6c32p25.SYS[HAL.dll!HalTranslateBusAddress] 8986C636
    IAT \SystemRoot\System32\Drivers\a6c32p25.SYS[HAL.dll!KeStallExecutionProcessor] 1A00001C
    IAT \SystemRoot\System32\Drivers\a6c32p25.SYS[HAL.dll!KfReleaseSpinLock] 1C8B86C6
    IAT \SystemRoot\System32\Drivers\a6c32p25.SYS[HAL.dll!READ_PORT_BUFFER_USHORT] C6020000
    IAT \SystemRoot\System32\Drivers\a6c32p25.SYS[HAL.dll!READ_PORT_USHORT] 001C9686
    IAT \SystemRoot\System32\Drivers\a6c32p25.SYS[HAL.dll!WRITE_PORT_BUFFER_USHORT] 86C60200
    IAT \SystemRoot\System32\Drivers\a6c32p25.SYS[HAL.dll!WRITE_PORT_UCHAR] 00001CB2
    IAT \SystemRoot\System32\Drivers\a6c32p25.SYS[WMILIB.SYS!WmiSystemControl] 8800001C
    IAT \SystemRoot\System32\Drivers\a6c32p25.SYS[WMILIB.SYS!WmiCompleteRequest] 001CB99E

    ---- Devices - GMER 1.0.15 ----

    Device \FileSystem\Fastfat \FatCdrom 8A6751F8
    Device \Driver\NetBT \Device\NetBT_Tcpip_{62419FE3-180C-4ADF-9530-6766F05EC12B} 8A3FE500

    AttachedDevice \Driver\Tcpip \Device\Ip avfwot.sys (TDI filtering kernel driver/Avira GmbH)
    AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
    AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)

    Device \Driver\usbuhci \Device\USBPDO-0 8A334500
    Device \Driver\NetBT \Device\NetBT_Tcpip_{9EBE37D5-B95A-4596-AB55-2FCB0A3E4B03} 8A3FE500
    Device \Driver\dmio \Device\DmControl\DmIoDaemon 8A68C1F8
    Device \Driver\dmio \Device\DmControl\DmConfig 8A68C1F8
    Device \Driver\dmio \Device\DmControl\DmPnP 8A68C1F8
    Device \Driver\dmio \Device\DmControl\DmInfo 8A68C1F8
    Device \Driver\usbuhci \Device\USBPDO-1 8A334500
    Device \Driver\usbuhci \Device\USBPDO-2 8A334500
    Device \Driver\usbuhci \Device\USBPDO-3 8A334500
    Device \Driver\usbehci \Device\USBPDO-4 8A2F81F8

    AttachedDevice \Driver\Tcpip \Device\Tcp avfwot.sys (TDI filtering kernel driver/Avira GmbH)

    Device \Driver\Ftdisk \Device\HarddiskVolume1 8A6FC1F8
    Device \Driver\atapi \Device\Ide\IdePort0 [B9DEBB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
    Device \Driver\atapi \Device\Ide\IdePort1 [B9DEBB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
    Device \Driver\NetBT \Device\NetBt_Wins_Export 8A3FE500
    Device \Driver\NetBT \Device\NetbiosSmb 8A3FE500
    Device \Driver\PCI_PNP0746 \Device\00000088 spql.sys

    AttachedDevice \Driver\Tcpip \Device\Udp avfwot.sys (TDI filtering kernel driver/Avira GmbH)
    AttachedDevice \Driver\Tcpip \Device\RawIp avfwot.sys (TDI filtering kernel driver/Avira GmbH)

    Device \Driver\usbuhci \Device\USBFDO-0 8A334500
    Device \Driver\usbuhci \Device\USBFDO-1 8A334500
    Device \Driver\sptd \Device\1876466996 spql.sys
    Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 8A36B3C8
    Device \Driver\usbuhci \Device\USBFDO-2 8A334500
    Device \FileSystem\MRxSmb \Device\LanmanRedirector 8A36B3C8
    Device \Driver\usbuhci \Device\USBFDO-3 8A334500
    Device \Driver\Ftdisk \Device\FtControl 8A6FC1F8
    Device \Driver\usbehci \Device\USBFDO-4 8A2F81F8
    Device \Driver\a6c32p25 \Device\Scsi\a6c32p251 8A1E01F8
    Device \Driver\a6c32p25 \Device\Scsi\a6c32p251Port2Path0Target0Lun0 8A1E01F8
    Device \FileSystem\Fastfat \Fat 8A6751F8

    AttachedDevice \FileSystem\Fastfat \Fat OsaFsLoc.sys (Filesystem Lock driver/OSA Technologies)
    AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

    Device -> \Driver\atapi \Device\Harddisk0\DR0 8A4F9EC5

    ---- Registry - GMER 1.0.15 ----

    Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\0014a4fde349
    Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\00197efcc248
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ...
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xF4 0x02 0x02 0x22 ...
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x37 0x21 0x46 0xE2 ...
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x03 0x70 0xD1 0x0C ...
    Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\0014a4fde349 (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\00197efcc248 (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
    Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ...
    Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
    Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xF4 0x02 0x02 0x22 ...
    Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
    Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x37 0x21 0x46 0xE2 ...
    Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x03 0x70 0xD1 0x0C ...

    ---- Files - GMER 1.0.15 ----

    File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

    ---- EOF - GMER 1.0.15 ----


    MBRCheck, version 1.2.3
    (c) 2010, AD

    Command-line:
    Windows Version: Windows XP Professional
    Windows Information: Service Pack 3 (build 2600)
    Logical Drives Mask: 0x00000004

    Kernel Drivers (total 192):
    0x804D7000 \WINDOWS\system32\ntkrnlpa.exe
    0x806E4000 \WINDOWS\system32\hal.dll
    0xBA5A8000 \WINDOWS\system32\KDCOM.DLL
    0xBA4B8000 \WINDOWS\system32\BOOTVID.dll
    0xB9EB4000 spql.sys
    0xBA5AA000 \WINDOWS\System32\Drivers\WMILIB.SYS
    0xB9E9C000 \WINDOWS\System32\Drivers\SCSIPORT.SYS
    0xB9E6E000 ACPI.sys
    0xB9E5D000 pci.sys
    0xBA0A8000 ohci1394.sys
    0xBA0B8000 \WINDOWS\system32\DRIVERS\1394BUS.SYS
    0xBA0C8000 isapnp.sys
    0xBA4BC000 compbatt.sys
    0xBA4C0000 \WINDOWS\system32\DRIVERS\BATTC.SYS
    0xBA670000 pciide.sys
    0xBA328000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
    0xBA5AC000 aliide.sys
    0xBA5AE000 intelide.sys
    0xBA5B0000 toside.sys
    0xBA5B2000 viaide.sys
    0xBA5B4000 cmdide.sys
    0xB9E3F000 pcmcia.sys
    0xBA0D8000 MountMgr.sys
    0xB9E20000 ftdisk.sys
    0xBA5B6000 dmload.sys
    0xB9DFA000 dmio.sys
    0xBA4C4000 ACPIEC.sys
    0xBA671000 \WINDOWS\system32\DRIVERS\OPRGHDLR.SYS
    0xBA330000 PartMgr.sys
    0xBA4C8000 UBHelper.sys
    0xBA0E8000 VolSnap.sys
    0xBA4CC000 cpqarray.sys
    0xB9DE2000 atapi.sys
    0xBA4D0000 aha154x.sys
    0xBA338000 sparrow.sys
    0xBA4D4000 symc810.sys
    0xBA0F8000 aic78xx.sys
    0xBA4D8000 dac960nt.sys
    0xBA108000 ql10wnt.sys
    0xBA4DC000 amsint.sys
    0xBA340000 asc.sys
    0xBA4E0000 asc3550.sys
    0xBA348000 mraid35x.sys
    0xBA350000 i2omp.sys
    0xBA4E4000 ini910u.sys
    0xBA118000 ql1240.sys
    0xBA128000 aic78u2.sys
    0xBA358000 symc8xx.sys
    0xBA360000 sym_hi.sys
    0xBA368000 sym_u3.sys
    0xBA370000 ABP480N5.SYS
    0xBA378000 asc3350p.sys
    0xBA5B8000 cd20xrnt.sys
    0xBA138000 ultra.sys
    0xB9DC9000 adpu160m.sys
    0xBA380000 dpti2o.sys
    0xBA148000 ql1080.sys
    0xBA158000 ql1280.sys
    0xBA168000 ql12160.sys
    0xBA388000 perc2.sys
    0xBA5BA000 perc2hib.sys
    0xBA390000 hpn.sys
    0xBA4E8000 cbidf2k.sys
    0xB9D9D000 dac2w2k.sys
    0xBA178000 disk.sys
    0xBA188000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
    0xB9D7D000 fltmgr.sys
    0xB9D6B000 sr.sys
    0xB9D47000 Fastfat.sys
    0xB9D30000 KSecDD.sys
    0xB9D03000 NDIS.sys
    0xBA198000 sisagp.sys
    0xBA1A8000 viaagp.sys
    0xB9CE9000 Mup.sys
    0xBA1B8000 agp440.sys
    0xBA1C8000 alim1541.sys
    0xBA1D8000 amdagp.sys
    0xBA1E8000 agpCPQ.sys
    0xB9CC9000 \SystemRoot\system32\DRIVERS\intelppm.sys
    0xB9C11000 \SystemRoot\system32\DRIVERS\wmiacpi.sys
    0xB8DEE000 \SystemRoot\system32\DRIVERS\ialmnt5.sys
    0xB8C37000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
    0xB88DE000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
    0xB7BBF000 \SystemRoot\system32\DRIVERS\w39n51.sys
    0xB914D000 \SystemRoot\system32\DRIVERS\usbuhci.sys
    0xB7347000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
    0xBA420000 \SystemRoot\system32\DRIVERS\usbehci.sys
    0xBA308000 \SystemRoot\system32\DRIVERS\bcm4sbxp.sys
    0xB9CD9000 \SystemRoot\system32\DRIVERS\EMS7SK.sys
    0xB65DE000 \SystemRoot\system32\DRIVERS\sdbus.sys
    0xB62E5000 \SystemRoot\system32\DRIVERS\ESM7SK.sys
    0xB9746000 \SystemRoot\system32\DRIVERS\ESD7SK.sys
    0xB98BE000 \SystemRoot\system32\DRIVERS\CmBatt.sys
    0xB73F1000 \SystemRoot\system32\DRIVERS\i8042prt.sys
    0xBA480000 \SystemRoot\system32\DRIVERS\DKbFltr.sys
    0xBA498000 \SystemRoot\system32\DRIVERS\kbdclass.sys
    0xB4ED9000 \SystemRoot\system32\DRIVERS\SynTP.sys
    0xBA610000 \SystemRoot\system32\DRIVERS\USBD.SYS
    0xB71D9000 \SystemRoot\system32\DRIVERS\mouclass.sys
    0xB2B16000 \SystemRoot\System32\Drivers\a6c32p25.SYS
    0xB091C000 \SystemRoot\system32\DRIVERS\avfwim.sys
    0xB042D000 \SystemRoot\system32\DRIVERS\btkrnl.sys
    0xB0937000 \SystemRoot\system32\DRIVERS\audstub.sys
    0xB2617000 \SystemRoot\system32\DRIVERS\rasirda.sys
    0xB260F000 \SystemRoot\system32\DRIVERS\TDI.SYS
    0xB3808000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
    0xB7745000 \SystemRoot\system32\DRIVERS\ndistapi.sys
    0xB035E000 \SystemRoot\system32\DRIVERS\ndiswan.sys
    0xB34D4000 \SystemRoot\system32\DRIVERS\raspppoe.sys
    0xB34C4000 \SystemRoot\system32\DRIVERS\raspptp.sys
    0xB02AD000 \SystemRoot\system32\DRIVERS\psched.sys
    0xB34B4000 \SystemRoot\system32\DRIVERS\msgpc.sys
    0xB2607000 \SystemRoot\system32\DRIVERS\ptilink.sys
    0xB25FF000 \SystemRoot\system32\DRIVERS\raspti.sys
    0xB027D000 \SystemRoot\system32\DRIVERS\rdpdr.sys
    0xB34A4000 \SystemRoot\system32\DRIVERS\termdd.sys
    0xBA63A000 \SystemRoot\system32\DRIVERS\swenum.sys
    0xB025A000 \SystemRoot\system32\DRIVERS\ks.sys
    0xAFA56000 \SystemRoot\system32\DRIVERS\update.sys
    0xB510D000 \SystemRoot\system32\DRIVERS\mssmbios.sys
    0xBA62C000 \SystemRoot\system32\DRIVERS\NTIDrvr.sys
    0xAC171000 \SystemRoot\system32\DRIVERS\GEARAspiWDM.sys
    0xAB6E6000 \SystemRoot\system32\drivers\btaudio.sys
    0xAB6C2000 \SystemRoot\system32\drivers\portcls.sys
    0xAD154000 \SystemRoot\system32\drivers\drmk.sys
    0xAD144000 \SystemRoot\System32\Drivers\NDProxy.SYS
    0x9B1C0000 \SystemRoot\system32\drivers\RtkHDAud.sys
    0xAC33F000 \SystemRoot\system32\DRIVERS\usbhub.sys
    0xAC104000 \SystemRoot\System32\Drivers\i2omgmt.SYS
    0xAC100000 \SystemRoot\system32\DRIVERS\hidusb.sys
    0xAC32F000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
    0xABEC5000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
    0xBA636000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
    0xAC05E000 \SystemRoot\System32\Drivers\Null.SYS
    0xBA638000 \SystemRoot\System32\Drivers\Beep.SYS
    0xABEB5000 \SystemRoot\System32\drivers\vga.sys
    0xAD71F000 \SystemRoot\System32\Drivers\mnmdd.SYS
    0xAD71D000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
    0xABEAD000 \SystemRoot\System32\Drivers\Msfs.SYS
    0xABEA5000 \SystemRoot\System32\Drivers\Npfs.SYS
    0xABB8C000 \SystemRoot\system32\DRIVERS\rasacd.sys
    0x9B18D000 \SystemRoot\system32\DRIVERS\ipsec.sys
    0x9B134000 \SystemRoot\system32\DRIVERS\tcpip.sys
    0x9B10C000 \SystemRoot\system32\DRIVERS\netbt.sys
    0x9B0F4000 \SystemRoot\system32\DRIVERS\avfwot.sys
    0xABB84000 \SystemRoot\System32\drivers\ws2ifsl.sys
    0x9B0D2000 \SystemRoot\System32\drivers\afd.sys
    0xAC30F000 \SystemRoot\system32\DRIVERS\netbios.sys
    0xABE95000 \SystemRoot\system32\DRIVERS\ssmdrv.sys
    0x9B0A7000 \SystemRoot\system32\DRIVERS\rdbss.sys
    0xABB74000 \??\C:\WINDOWS\system32\drivers\OsaFsLoc.sys
    0x9B037000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
    0xAC2DF000 \SystemRoot\System32\Drivers\Fips.SYS
    0x9B015000 \SystemRoot\system32\DRIVERS\avipbb.sys
    0xAD719000 \??\C:\Program Files\Avira\AntiVir Desktop\avgio.sys
    0xABE8D000 \SystemRoot\system32\DRIVERS\usbccgp.sys
    0xAB793000 \SystemRoot\system32\DRIVERS\mouhid.sys
    0x9AFF7000 \SystemRoot\System32\Drivers\usbvideo.sys
    0xABBE8000 \SystemRoot\system32\DRIVERS\wanarp.sys
    0xBF800000 \SystemRoot\System32\win32k.sys
    0xB7731000 \SystemRoot\System32\drivers\Dxapi.sys
    0xABE7D000 \SystemRoot\System32\watchdog.sys
    0xBF000000 \SystemRoot\System32\drivers\dxg.sys
    0xB061D000 \SystemRoot\System32\drivers\dxgthk.sys
    0xBF021000 \SystemRoot\System32\ialmdnt5.dll
    0xBF012000 \SystemRoot\System32\ialmrnt5.dll
    0xBF043000 \SystemRoot\System32\ialmdev5.DLL
    0xBF07E000 \SystemRoot\System32\ialmdd5.DLL
    0xBFFA0000 \SystemRoot\System32\ATMFD.DLL
    0x9AFE2000 \SystemRoot\system32\DRIVERS\avgntflt.sys
    0xB98B2000 \??\C:\WINDOWS\system32\drivers\mbam.sys
    0xB5B26000 \SystemRoot\system32\DRIVERS\AegisP.sys
    0x9AFCC000 \SystemRoot\system32\DRIVERS\irda.sys
    0xAE23B000 \SystemRoot\system32\DRIVERS\s24trans.sys
    0xAD60F000 \SystemRoot\system32\DRIVERS\ndisuio.sys
    0x9AE5F000 \SystemRoot\system32\DRIVERS\mrxdav.sys
    0x9AE22000 \SystemRoot\system32\drivers\wdmaud.sys
    0xB9706000 \SystemRoot\system32\drivers\sysaudio.sys
    0x9ADC3000 \SystemRoot\System32\Drivers\adfs.SYS
    0xB46BD000 \??\C:\WINDOWS\system32\drivers\btserial.sys
    0xBA72A000 \??\C:\WINDOWS\system32\drivers\epm-psd.sys
    0x9A7F1000 \??\C:\WINDOWS\system32\drivers\epm-shd.sys
    0x9A772000 \SystemRoot\system32\DRIVERS\srv.sys
    0x9A65E000 \SystemRoot\system32\DRIVERS\mdmxsdk.sys
    0xBA668000 \??\C:\WINDOWS\system32\drivers\osaio.sys
    0xBA706000 \??\C:\WINDOWS\system32\drivers\osanbm.sys
    0x9AAD1000 \SystemRoot\system32\DRIVERS\ipfltdrv.sys
    0x9A166000 \SystemRoot\System32\Drivers\HTTP.sys
    0x99EB0000 \??\C:\DOCUME~1\user\LOCALS~1\Temp\axlorfob.sys
    0x99DE5000 \SystemRoot\system32\drivers\kmixer.sys
    0x7C900000 \WINDOWS\System32\ntdll.dll
    0x10000000 \PROGRAM FILES\DAEMON TOOLS LITE\ENGINE.DLL

    Processes (total 57):
    0 System Idle Process
    4 System
    768 C:\WINDOWS\system32\SMSS.EXE
    1272 CSRSS.EXE
    1296 C:\WINDOWS\system32\WINLOGON.EXE
    1344 C:\WINDOWS\system32\SERVICES.EXE
    1356 C:\WINDOWS\system32\LSASS.EXE
    1536 C:\WINDOWS\system32\SVCHOST.EXE
    1628 SVCHOST.EXE
    1700 C:\WINDOWS\system32\SVCHOST.EXE
    1796 C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    1904 C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    1972 SVCHOST.EXE
    272 SVCHOST.EXE
    648 C:\WINDOWS\EXPLORER.EXE
    920 C:\WINDOWS\system32\SPOOLSV.EXE
    1032 C:\Program Files\Avira\AntiVir Desktop\SCHED.EXE
    1124 SVCHOST.EXE
    1320 C:\WINDOWS\system32\SVCHOST.EXE
    1816 C:\Program Files\Avira\AntiVir Desktop\AVFWSVC.EXE
    1920 C:\Program Files\Avira\AntiVir Desktop\AVGUARD.EXE
    164 C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    508 C:\Acer\Empowering Technology\admServ.exe
    512 C:\WINDOWS\system32\IGFXTRAY.EXE
    832 C:\WINDOWS\system32\HKCMD.EXE
    840 C:\WINDOWS\system32\IGFXPERS.EXE
    852 C:\Program Files\Avira\AntiVir Desktop\AVSHADOW.EXE
    976 C:\WINDOWS\system32\RUNDLL32.EXE
    1100 C:\WINDOWS\RTHDCPL.EXE
    300 C:\Program Files\iTunes\iTunesHelper.exe
    1724 C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
    540 C:\Program Files\Malwarebytes' Anti-Malware\MBAMGUI.EXE
    596 C:\Program Files\Avira\AntiVir Desktop\AVGNT.EXE
    720 C:\WINDOWS\system32\CTFMON.EXE
    740 C:\Program Files\Skype\Phone\Skype.exe
    2068 C:\Documents and Settings\USER\Local Settings\Application Data\TheWeatherNetwork\WeatherEye\WeatherEye.exe
    2092 C:\Program Files\uTorrent\uTorrent.exe
    2140 C:\Program Files\Bonjour\mDNSResponder.exe
    2400 SVCHOST.EXE
    2416 C:\Program Files\DAEMON Tools Lite\DTLite.exe
    2828 C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
    3664 C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
    3992 C:\Program Files\OpenOffice.org 3\PROGRAM\soffice.exe
    604 C:\Program Files\OpenOffice.org 3\PROGRAM\soffice.bin
    688 C:\Program Files\Java\jre6\bin\jqs.exe
    1580 C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    2232 C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
    2544 C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    2576 C:\Documents and Settings\USER\Local Settings\Temp\RtkBtMnt.exe
    2816 C:\WINDOWS\system32\SVCHOST.EXE
    2444 C:\Program Files\Avira\AntiVir Desktop\avmailc.exe
    3800 C:\Program Files\Avira\AntiVir Desktop\AVWEBGRD.EXE
    2980 C:\Program Files\Skype\Plugin Manager\skypePM.exe
    1592 C:\Program Files\iPod\bin\iPodService.exe
    4020 C:\Program Files\Mozilla Firefox\firefox.exe
    2840 C:\Program Files\Skype\Toolbars\Shared\SkypeNames2.exe
    3584 C:\Documents and Settings\USER\My Documents\Downloads\MBRCheck.exe

    \\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (FAT32)

    PhysicalDrive0 Model Number: ST9160319AS, Rev: SD93

    Size Device Name MBR Status
    --------------------------------------------
    149 GB \\.\PhysicalDrive0 Windows XP MBR code detected
    SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A


    Done!
     
  7. 2010/08/19
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    1. Please, never rename Combofix unless instructed.
    2. Close any open browsers.
    3. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
      • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
      • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
      • Close any open browsers.
      • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts.
      • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      • If there is no internet connection after running Combofix, then restart your computer to restore your connection.
    4. Double click on combofix.exe & follow the prompts.
    5. When finished, it will produce a report for you.
    6. Please post the "C:\ComboFix.txt"
    **Note: Do not mouse-click Combofix's window while it's running. That may cause it to stall**

    Make sure you re-enable your security programs when you're done with Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.) until it's officially declared clean!!!
     
  8. 2010/08/20
    KStox

    KStox Inactive Thread Starter

    Joined:
    2010/08/19
    Messages:
    15
    Likes Received:
    0
    ComboFix 10-08-19.02 - user 08/20/2010 19:09:46.2.2 - FAT32x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1351 [GMT -4:00]
    Running from: c:\documents and settings\user\Desktop\ComboFix.exe
    AV: AntiVir Desktop *On-access scanning disabled* (Updated) {11638345-E4FC-4BEE-BB73-EC754659C5F6}
    FW: Avira FireWall *enabled* {11638345-E4FC-4BEE-BB73-EC754659C5F6}
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
    c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
    .
    ---- Previous Run -------
    .
    c:\documents and settings\user\Application Data\E4DACE93FFD5E8F2B3CA4464059BA4AC\enemies-names.txt
    c:\documents and settings\user\Application Data\E4DACE93FFD5E8F2B3CA4464059BA4AC\local.ini
    c:\documents and settings\user\Application Data\Sky-Banners\skb\log.xml
    c:\documents and settings\user\Local Settings\Application Data\{05E1D3A1-AE89-419B-9C28-FF15A8225C42}\chrome.manifest
    c:\documents and settings\user\Local Settings\Application Data\{05E1D3A1-AE89-419B-9C28-FF15A8225C42}\chrome\content\_cfg.js
    c:\documents and settings\user\Local Settings\Application Data\{05E1D3A1-AE89-419B-9C28-FF15A8225C42}\chrome\content\overlay.xul
    c:\documents and settings\user\Local Settings\Application Data\{05E1D3A1-AE89-419B-9C28-FF15A8225C42}\install.rdf
    c:\documents and settings\user\Local Settings\Application Data\Windows Server\admin.txt
    c:\documents and settings\user\Local Settings\Application Data\Windows Server\server.dat
    c:\documents and settings\user\Start Menu\Programs\Antimalware Doctor\Antimalware Doctor.lnk
    c:\documents and settings\user\Start Menu\Programs\Antimalware Doctor\Uninstall.lnk
    c:\program files\WinPCap\daemon_mgm.exe
    c:\program files\WinPCap\npf_mgm.exe
    c:\program files\WinPCap\rpcapd.exe
    c:\windows\system32\drivers\npf.sys
    c:\windows\system32\Packet.dll
    c:\windows\system32\pthreadVC.dll
    c:\windows\system32\WanPacket.dll
    c:\windows\system32\wpcap.dll

    ----- BITS: Possible infected sites -----

    hxxp://au.download.wj+|Cv+@J:NGD_DQ{zcxLJS@jHN2MUCatalogJob_9397a21f-246c-453b-ac05-65bf4fc6b68b
    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Service_NPF


    ((((((((((((((((((((((((( Files Created from 2010-07-20 to 2010-08-20 )))))))))))))))))))))))))))))))
    .

    2010-08-20 23:02 . 2010-08-20 23:02 -------- d-----w- c:\windows\LastGood
    2010-08-20 16:47 . 2008-04-13 17:44 153344 ----a-w- c:\windows\system32\drivers\dmio.sys
    2010-08-20 16:47 . 2008-04-13 17:44 153344 ----a-w- c:\windows\system32\dllcache\dmio.sys
    2010-08-20 16:47 . 2008-04-13 17:36 10240 ----a-w- c:\windows\system32\drivers\compbatt.sys
    2010-08-20 16:47 . 2008-04-13 17:36 10240 ----a-w- c:\windows\system32\dllcache\compbatt.sys
    2010-08-20 01:11 . 2010-08-20 01:04 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
    2010-08-20 01:11 . 2010-08-20 01:04 124784 ----a-w- c:\windows\system32\drivers\avipbb.sys
    2010-08-20 01:11 . 2010-08-20 01:04 60936 ----a-w- c:\windows\system32\drivers\avgntflt.sys
    2010-08-20 01:11 . 2010-08-20 01:04 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
    2010-08-20 01:11 . 2010-08-20 01:04 79432 ----a-w- c:\windows\system32\drivers\avfwim.sys
    2010-08-20 01:11 . 2010-08-20 01:04 102856 ----a-w- c:\windows\system32\drivers\avfwot.sys
    2010-08-20 01:11 . 2010-08-20 01:11 -------- d-----w- c:\program files\Avira
    2010-08-20 01:11 . 2010-08-20 01:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
    2010-08-20 00:24 . 2010-08-20 00:24 -------- d-----w- c:\documents and settings\user\Application Data\AVG9
    2010-08-19 21:49 . 2010-08-19 21:49 -------- d-----w- c:\documents and settings\user\Local Settings\Application Data\VS Revo Group
    2010-08-19 21:49 . 2009-12-30 16:20 27064 ----a-w- c:\windows\system32\drivers\revoflt.sys
    2010-08-19 21:49 . 2010-08-19 21:49 -------- d-----w- c:\program files\VS Revo Group
    2010-08-19 20:48 . 2010-08-19 20:48 -------- d-----w- c:\documents and settings\user\Application Data\Malwarebytes
    2010-08-19 20:47 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-08-19 20:47 . 2010-08-19 20:47 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2010-08-19 20:47 . 2010-08-19 20:47 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-08-19 20:47 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-08-19 18:50 . 2010-08-19 18:50 -------- d-----w- c:\documents and settings\user\Application Data\Avira
    2010-08-19 17:15 . 2010-08-19 17:15 -------- d-----w- c:\windows\Security Update for Windows XP (KB958644)
    2010-08-18 14:12 . 2010-08-18 14:12 -------- d-----w- c:\windows\system32\Registry Patrol
    2010-08-18 14:11 . 2010-08-18 14:11 -------- d-----w- c:\program files\Registry Patrol
    2010-08-18 02:10 . 2010-08-18 02:10 -------- d-----w- c:\windows\system32\NtmsData
    2010-08-18 01:59 . 2010-08-18 01:59 -------- d-----w- c:\documents and settings\user\Application Data\FreeFileViewer
    2010-08-18 01:49 . 2006-10-26 23:56 33104 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\msonpppr.dll
    2010-08-18 01:49 . 2006-10-26 23:56 32592 ----a-w- c:\windows\system32\msonpmon.dll
    2010-08-18 01:47 . 2010-08-18 01:47 -------- d-----w- c:\program files\Microsoft Works
    2010-08-18 01:45 . 2010-08-18 01:45 -------- d-----w- c:\program files\Microsoft.NET
    2010-08-18 01:43 . 2010-08-18 01:43 -------- d-----w- c:\program files\Microsoft Visual Studio 8
    2010-08-18 01:42 . 2010-08-18 01:42 -------- d-----w- c:\windows\SHELLNEW
    2010-08-18 01:41 . 2010-08-18 01:41 -------- d-----r- C:\MSOCache
    2010-08-18 01:38 . 2010-08-18 01:38 -------- d-----w- C:\New Folder
    2010-08-18 01:37 . 2010-08-18 01:37 -------- d-----w- C:\Microsoft Office 2007
    2010-08-15 23:48 . 2010-08-15 23:44 53632 ----a-w- c:\documents and settings\user\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
    2010-08-03 15:16 . 2010-08-03 15:16 -------- d-----w- c:\documents and settings\user\Application Data\ElevatedDiagnostics
    2010-08-02 04:29 . 2010-08-02 04:29 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
    2010-08-01 17:49 . 2010-08-01 17:49 -------- d-----w- C:\dragon oath
    2010-08-01 17:26 . 2010-08-01 17:26 -------- d-----w- c:\program files\Common Files\Akamai
    2010-08-01 16:11 . 2010-08-01 16:12 -------- d-----w- c:\program files\Common Files\Skype
    2010-07-28 17:49 . 2010-07-28 17:49 72488 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\Safari 5.33.17.8\SetupAdmin.exe

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-08-20 22:13 . 2006-08-22 10:12 12 ----a-w- c:\windows\bthservsdp.dat
    2010-08-19 18:04 . 2009-12-31 16:12 94528 ----a-w- c:\documents and settings\user\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2010-08-16 00:07 . 2010-01-04 23:24 1 ----a-w- c:\documents and settings\user\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
    2010-07-31 05:04 . 2010-07-30 17:13 112 ----a-w- c:\documents and settings\All Users\Application Data\HRitJVF.dat
    2010-07-21 17:33 . 2010-07-21 17:33 -------- d-----w- c:\program files\iPod
    2010-07-21 17:27 . 2010-07-21 17:27 73000 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.2.1.4\SetupAdmin.exe
    2010-07-21 16:42 . 2010-07-21 16:42 921440 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgemc.exe
    2010-07-21 16:42 . 2010-07-21 16:42 1615200 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgssie.dll
    2010-07-21 16:42 . 2010-07-21 16:42 1107296 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgxpl.dll
    2010-07-21 16:42 . 2010-07-21 16:42 4368224 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgcorex.dll
    2010-07-21 03:03 . 2010-07-21 03:03 -------- d-----w- c:\program files\RealTimeImage
    2010-07-19 18:50 . 2010-07-19 02:04 120 ----a-w- c:\windows\Phiqexomino.dat
    2010-07-19 07:30 . 2010-07-19 02:04 0 ----a-w- c:\windows\Pdetukoge.bin
    2010-07-13 19:55 . 2010-07-13 19:55 -------- d-----w- c:\program files\Carnivores 2
    2010-07-13 07:47 . 2010-07-13 07:47 -------- d-----w- c:\program files\Carnivores
    2010-07-13 06:20 . 2010-07-13 06:20 691696 ----a-w- c:\windows\system32\drivers\sptd.sys
    2010-07-13 06:20 . 2010-07-13 06:20 -------- d-----w- c:\program files\DAEMON Tools Lite
    2010-07-13 06:19 . 2010-07-13 06:19 -------- d-----w- c:\documents and settings\user\Application Data\DAEMON Tools Lite
    2010-07-13 06:19 . 2010-07-13 06:19 -------- d-----w- c:\documents and settings\All Users\Application Data\DAEMON Tools Lite
    2010-07-13 04:09 . 2010-07-13 04:09 52963 ----a-w- c:\documents and settings\All Users\Application Data\DivX\MSVC80CRTRedist\Uninstaller.exe
    2010-07-13 04:09 . 2010-07-13 04:09 54073 ----a-w- c:\documents and settings\All Users\Application Data\DivX\Qt4.5\Uninstaller.exe
    2010-07-13 04:09 . 2010-07-13 04:09 56969 ----a-w- c:\documents and settings\All Users\Application Data\DivX\ASPEncoder\Uninstaller.exe
    2010-07-13 04:08 . 2010-07-13 04:10 1062184 ----a-w- c:\documents and settings\All Users\Application Data\DivX\Setup\Resource.dll
    2010-07-13 04:08 . 2010-07-13 04:10 895256 ----a-w- c:\documents and settings\All Users\Application Data\DivX\Setup\DivXSetup.exe
    2010-07-02 14:51 . 2010-07-02 14:51 -------- d-----w- c:\program files\MSBuild
    2010-07-02 14:51 . 2010-07-02 14:51 -------- d-----w- c:\program files\Reference Assemblies
    2010-07-01 02:27 . 2010-07-01 02:27 -------- d-----w- c:\program files\PagePerfect 2
    2010-07-01 02:27 . 2010-07-01 02:27 -------- d-----w- c:\program files\PagePerfect 2 Upload Application
    2010-06-30 12:31 . 2004-08-04 09:00 149504 ----a-w- c:\windows\system32\schannel.dll
    2010-06-30 04:13 . 2010-07-14 13:11 52224 ----a-w- c:\documents and settings\user\Application Data\Mozilla\Firefox\Profiles\2uihdpfd.default\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}\components\FFExternalAlert.dll
    2010-06-30 04:13 . 2010-07-14 13:11 101376 ----a-w- c:\documents and settings\user\Application Data\Mozilla\Firefox\Profiles\2uihdpfd.default\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}\components\RadioWMPCore.dll
    2010-06-25 18:37 . 2010-06-25 18:37 -------- d-----w- c:\documents and settings\All Users\Application Data\FLEXnet
    2010-06-25 17:59 . 2010-06-25 17:59 -------- d-----w- c:\program files\Common Files\Macrovision Shared
    2010-06-23 16:28 . 2010-06-23 16:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Adobe Systems
    2010-06-23 13:44 . 2004-08-04 09:00 1851904 ----a-w- c:\windows\system32\win32k.sys
    2010-06-21 15:27 . 2004-08-04 09:00 354304 ----a-w- c:\windows\system32\drivers\srv.sys
    2010-06-17 14:03 . 2004-08-04 09:00 80384 ----a-w- c:\windows\system32\iccvid.dll
    2010-06-14 14:31 . 2004-08-04 09:00 744448 ----a-w- c:\windows\pchealth\helpctr\binaries\HelpSvc.exe
    2010-06-14 07:41 . 2004-08-04 09:00 1172480 ----a-w- c:\windows\system32\msxml3.dll
    2010-06-09 23:01 . 2010-07-13 04:10 9200 ------w- c:\windows\system32\drivers\cdralw2k.sys
    2010-06-09 23:01 . 2010-07-13 04:10 9072 ------w- c:\windows\system32\drivers\cdr4_xp.sys
    2010-06-09 23:01 . 2010-07-13 04:10 45648 ------w- c:\windows\system32\drivers\PxHelp20.sys
    2010-06-09 23:01 . 2010-07-13 04:10 133616 ------w- c:\windows\system32\pxafs.dll
    2010-06-09 23:01 . 2010-07-13 04:10 126448 ------w- c:\windows\system32\pxinsi64.exe
    2010-06-09 23:01 . 2010-07-13 04:10 123888 ------w- c:\windows\system32\pxcpyi64.exe
    2010-06-09 19:58 . 2010-06-25 17:12 14336 ----a-w- c:\documents and settings\user\Application Data\Mozilla\Firefox\Profiles\2uihdpfd.default\extensions\radiobar@toolbar\components\toolbarhomewmp.dll
    2010-06-09 17:08 . 2010-06-09 17:08 71992 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\Safari 5.33.16.0\SetupAdmin.exe
    2010-06-28 23:22 . 2010-06-28 23:22 101760 ----a-w- c:\program files\mozilla firefox\plugins\ieatgpc.dll
    .
    Code:
    c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM .exe
    c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager .exe
    c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier .exe
    c:\program files\Common Files\Java\Java Update\jusched .exe
    c:\program files\Realtek\InstallShield\AzMixerSel .exe
    c:\program files\Synaptics\SynTP\SynTPEnh .exe
    c:\program files\Adobe\Reader 9.0\Reader\Reader_sl .exe
    c:\program files\CyberLink\PowerDVD\PDVDServ .exe
    c:\program files\NewTech Infosystems\NTI CD & DVD-Maker 7\ntiMUI .exe
    c:\program files\AVG\AVG9\avgtray .exe
    c:\program files\Launch Manager\LManager .exe
    c:\program files\QuickTime\qttask                                                                    .exe
    c:\program files\iTunes\iTunesHelper .exe
    c:\program files\DivX\DivX Update\DivXUpdate .exe
    c:\windows\system32\rundll32 .exe
    c:\windows\ime\imjp8_1\IMJPMIG .exe
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0D8E2067-5D4C-4FBC-9073-FF2229F08BD0}]
    c:\windows\system32\ithqp.dll [BU]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B20C3BA6-84CD-4753-A247-A56087CBF37E}]
    c:\windows\system32\mthqp.dll [BU]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Steam"="c:\program files\Steam\Steam.exe" [2010-05-12 1238352]
    "DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\DTLite.exe" [2010-04-01 357696]
    "070700Setup.exe"="c:\documents and settings\user\Application Data\E4DACE93FFD5E8F2B3CA4464059BA4AC\070700Setup.exe" [N/A]
    "Hsekihumevixi"="c:\windows\nenfx80.dll" [N/A]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "LaunchApp"="Alaunch" [X]
    "QuickTime Task"="c:\program files\QuickTime\qttask .exe -atboottime" [X]
    "igfxtray"="c:\windows\system32\igfxtray.exe" [2006-03-23 94208]
    "igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-03-23 77824]
    "igfxpers"="c:\windows\system32\igfxpers.exe" [2006-03-23 118784]
    "SkyTel"="SkyTel.EXE" [2006-05-16 2879488]
    "BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-13 110592]
    "IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
    "MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]
    "PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
    "PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
    "RTHDCPL"="RTHDCPL.EXE" [2006-06-28 16248320]
    "Acer ePower Management"="c:\acer\Empowering Technology\ePower\Acer ePower Management.exe" [2006-05-22 3080704]
    "LManager"="c:\progra~1\LAUNCH~1\LManager.exe" [N/A]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [N/A]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
    "AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [N/A]
    "sta"="mthqp.dll" [N/A]
    "Uyotuhe"="c:\windows\ivajidifeme.dll" [N/A]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-07-16 141608]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
    "GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 31016]
    "Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2010-04-29 437584]
    "avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-08-20 282792]

    c:\documents and settings\user\Start Menu\Programs\Startup\
    Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2006-1-17 618557]

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
    "c:\\Program Files\\uTorrent\\uTorrent.exe"=
    "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
    "c:\\Program Files\\Steam\\Steam.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\Program Files\\Skype\\Phone\\Skype.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "5353:TCP"= 5353:TCP:Adobe CSI CS4
    "1240:TCP"= 1240:TCP:Akamai NetSession Interface
    "5000:UDP"= 5000:UDP:Akamai NetSession Interface

    R1 avfwot;avfwot;c:\windows\system32\drivers\avfwot.sys [8/19/2010 9:11 PM 102856]
    R2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe -k Akamai [8/4/2004 5:00 AM 14336]
    R2 AntiVirFirewallService;Avira FireWall;c:\program files\Avira\AntiVir Desktop\avfwsvc.exe [8/19/2010 9:11 PM 536232]
    R2 AntiVirMailService;Avira AntiVir MailGuard;c:\program files\Avira\AntiVir Desktop\avmailc.exe [8/19/2010 9:11 PM 337064]
    R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [8/19/2010 9:11 PM 135336]
    R2 AntiVirWebService;Avira AntiVir WebGuard;c:\program files\Avira\AntiVir Desktop\avwebgrd.exe [8/19/2010 9:11 PM 405672]
    R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [8/19/2010 4:47 PM 304464]
    R3 avfwim;AvFw Packet Filter Miniport;c:\windows\system32\drivers\avfwim.sys [8/19/2010 9:11 PM 79432]
    R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [8/19/2010 4:47 PM 20952]
    S0 hxjve;hxjve; [x]
    S3 Revoflt;Revoflt;c:\windows\system32\drivers\revoflt.sys [8/19/2010 5:49 PM 27064]
    S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [7/13/2010 2:20 AM 691696]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    Akamai REG_MULTI_SZ Akamai
    .
    Contents of the 'Scheduled Tasks' folder

    2010-08-11 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.facebook.com/?ref=hp
    uInternet Settings,ProxyOverride = *.local
    IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office12\EXCEL.EXE/3000
    IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
    LSP: c:\program files\Avira\AntiVir Desktop\avsda.dll
    FF - ProfilePath - c:\documents and settings\user\Application Data\Mozilla\Firefox\Profiles\2uihdpfd.default\
    FF - prefs.js: network.proxy.type - 4
    FF - component: c:\documents and settings\user\Application Data\Mozilla\Firefox\Profiles\2uihdpfd.default\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}\components\FFExternalAlert.dll
    FF - component: c:\documents and settings\user\Application Data\Mozilla\Firefox\Profiles\2uihdpfd.default\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}\components\RadioWMPCore.dll
    FF - component: c:\documents and settings\user\Application Data\Mozilla\Firefox\Profiles\2uihdpfd.default\extensions\radiobar@toolbar\components\toolbarhomewmp.dll
    FF - component: c:\program files\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}\components\SkypeFfComponent.dll
    FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npatgpc.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

    ---- FIREFOX POLICIES ----
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
    .
    - - - - ORPHANS REMOVED - - - -

    Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
    WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-08-20 19:16
    Windows 5.1.2600 Service Pack 3 FAT NTAPI

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Akamai]
    "ServiceDll "= "C:/Program Files/Common Files/Akamai/rswin_3725.dll "

    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Akamai]
    "ServiceDll "= "C:/Program Files/Common Files/Akamai/rswin_3725.dll "
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(1284)
    c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll

    - - - - - - - > 'lsass.exe'(1340)
    c:\program files\Avira\AntiVir Desktop\avsda.dll
    .
    Completion time: 2010-08-20 19:19:27
    ComboFix-quarantined-files.txt 2010-08-20 23:19

    Pre-Run: 103,032,160,256 bytes free
    Post-Run: 103,019,642,880 bytes free

    - - End Of File - - D19ACBF119B371A342A8701152ED3B0A


    After I ran Malwarebytes, GMER and MBRCheck, the message stopped appearing upon startup, but it does still show up eventually. I forgot to mention that I've been getting spam pages popping up every now and then since this started.
     
  9. 2010/08/20
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Your computer is still severely infected....

    Please uninstall Registry Patrol.
    Registry tools are not recommended, and here is why: http://miekiemoes.blogspot.com/2008/02/registry-cleaners-and-system-tweaking_13.html

    ==================================================================

    1. Please open Notepad
    • Click Start, then Run
    • Type notepad.exe in the Run box.

    2. Now copy/paste the entire content of the codebox below into the Notepad window:

    Code:
    File::
    c:\windows\Phiqexomino.dat
    c:\windows\Pdetukoge.bin
    c:\windows\system32\ithqp.dll
    c:\windows\system32\mthqp.dll
    c:\documents and settings\user\Application Data\E4DACE93FFD5E8F2B3CA4464059BA4AC\070700Setup.exe
    c:\windows\nenfx80.dll
    c:\windows\ivajidifeme.dll
    
    
    Folder::
    c:\documents and settings\user\Application Data\AVG9
    
    RenV::
    c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM .exe
    c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager .exe
    c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier .exe
    c:\program files\Common Files\Java\Java Update\jusched .exe
    c:\program files\Realtek\InstallShield\AzMixerSel .exe
    c:\program files\Synaptics\SynTP\SynTPEnh .exe
    c:\program files\Adobe\Reader 9.0\Reader\Reader_sl .exe
    c:\program files\CyberLink\PowerDVD\PDVDServ .exe
    c:\program files\NewTech Infosystems\NTI CD & DVD-Maker 7\ntiMUI .exe
    c:\program files\AVG\AVG9\avgtray .exe
    c:\program files\Launch Manager\LManager .exe
    c:\program files\QuickTime\qttask                                                                    .exe
    c:\program files\iTunes\iTunesHelper .exe
    c:\program files\DivX\DivX Update\DivXUpdate .exe
    c:\windows\system32\rundll32 .exe
    c:\windows\ime\imjp8_1\IMJPMIG .exe
    
    
    Driver::
    hxjve
    Akamai
    
    
    Registry::
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0D8E2067-5D4C-4FBC-9073-FF2229F08BD0}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B20C3BA6-84CD-4753-A247-A56087CBF37E}]
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
     "070700Setup.exe "=-
     "Hsekihumevixi "=-
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
     "LaunchApp "=-
     "QuickTime Task "=-
     "sta "=-
     "Uyotuhe "=-
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
     "EnableFirewall "=dword:00000001
    [-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Akamai]
    
    

    3. Save the above as CFScript.txt

    4. Close/disable all antivirus and anti-malware programs again, so they do not interfere with the running of ComboFix.

    5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

    [image: animation showing CFScript.txt being dragged onto ComboFix.exe]


    6. After reboot (in case it asks to reboot), please post the following reports/logs into your next reply:
    • Combofix.txt
     
  10. 2010/08/20
    KStox

    KStox Inactive Thread Starter

    Joined:
    2010/08/19
    Messages:
    15
    Likes Received:
    0
    I've uninstalled what was left of Registry Patrol and am trying to run CFScript through ComboFix, but Avira keeps blocking it. I've turned off the guard like before, and can't find anything that will disable Avira without mucking around in stuff I don't know about.
     
  11. 2010/08/20
    broni

    broni Moderator Malware Analyst

    You can run ComboFix from safe mode.
    Avira shouldn't be present there.
     
  12. 2010/08/20
    KStox

    KStox Inactive Thread Starter

    Negative, Avira is still kicking in Safe Mode.
     
  13. 2010/08/20
    broni

    broni Moderator Malware Analyst

    Let's make something clear.
    Is it Avira preventing ComboFix from running, or is it ComboFix complaining that Avira is still running?
    If the first, you'll have to temporarily uninstall Avira.
    If the second, disregard the warning and run ComboFix anyway.
     
  14. 2010/08/20
    KStox

    KStox Inactive Thread Starter

    Well, when you put it that way... lol. Here's the log.

    ComboFix 10-08-19.02 - Administrator 08/21/2010 0:35.4.2 - FAT32x86 NETWORK
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1760 [GMT -4:00]
    Running from: c:\documents and settings\user\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\user\Desktop\CFScript.txt
    AV: AntiVir Desktop *On-access scanning enabled* (Updated) {11638345-E4FC-4BEE-BB73-EC754659C5F6}
    FW: Avira FireWall *enabled* {11638345-E4FC-4BEE-BB73-EC754659C5F6}

    FILE ::
    "c:\documents and settings\user\Application Data\E4DACE93FFD5E8F2B3CA4464059BA4AC\070700Setup.exe "
    "c:\windows\ivajidifeme.dll "
    "c:\windows\nenfx80.dll "
    "c:\windows\Pdetukoge.bin "
    "c:\windows\Phiqexomino.dat "
    "c:\windows\system32\ithqp.dll "
    "c:\windows\system32\mthqp.dll "
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    ---- Previous Run -------
    .
    c:\documents and settings\user\Application Data\AVG9\cfgall\usergui.cfg
    c:\windows\Pdetukoge.bin
    c:\windows\Phiqexomino.dat

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Legacy_AKAMAI
    -------\Service_hxjve


    ((((((((((((((((((((((((( Files Created from 2010-07-21 to 2010-08-21 )))))))))))))))))))))))))))))))
    .

    2010-08-21 03:51 . 2010-08-21 03:51 -------- d-----w- c:\documents and settings\Administrator\Application Data\Avira
    2010-08-21 03:36 . 2010-08-21 03:36 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Adobe
    2010-08-21 03:32 . 2010-08-21 03:32 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
    2010-08-20 16:47 . 2008-04-13 17:44 153344 ----a-w- c:\windows\system32\drivers\dmio.sys
    2010-08-20 16:47 . 2008-04-13 17:44 153344 ----a-w- c:\windows\system32\dllcache\dmio.sys
    2010-08-20 16:47 . 2008-04-13 17:36 10240 ----a-w- c:\windows\system32\drivers\compbatt.sys
    2010-08-20 16:47 . 2008-04-13 17:36 10240 ----a-w- c:\windows\system32\dllcache\compbatt.sys
    2010-08-20 01:11 . 2010-08-20 01:04 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
    2010-08-20 01:11 . 2010-08-20 01:04 124784 ----a-w- c:\windows\system32\drivers\avipbb.sys
    2010-08-20 01:11 . 2010-08-20 01:04 60936 ----a-w- c:\windows\system32\drivers\avgntflt.sys
    2010-08-20 01:11 . 2010-08-20 01:04 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
    2010-08-20 01:11 . 2010-08-20 01:04 79432 ----a-w- c:\windows\system32\drivers\avfwim.sys
    2010-08-20 01:11 . 2010-08-20 01:04 102856 ----a-w- c:\windows\system32\drivers\avfwot.sys
    2010-08-20 01:11 . 2010-08-20 01:11 -------- d-----w- c:\program files\Avira
    2010-08-20 01:11 . 2010-08-20 01:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
    2010-08-19 21:49 . 2010-08-19 21:49 -------- d-----w- c:\documents and settings\user\Local Settings\Application Data\VS Revo Group
    2010-08-19 21:49 . 2009-12-30 16:20 27064 ----a-w- c:\windows\system32\drivers\revoflt.sys
    2010-08-19 21:49 . 2010-08-19 21:49 -------- d-----w- c:\program files\VS Revo Group
    2010-08-19 20:48 . 2010-08-19 20:48 -------- d-----w- c:\documents and settings\user\Application Data\Malwarebytes
    2010-08-19 20:47 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-08-19 20:47 . 2010-08-19 20:47 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2010-08-19 20:47 . 2010-08-19 20:47 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-08-19 20:47 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-08-19 18:50 . 2010-08-19 18:50 -------- d-----w- c:\documents and settings\user\Application Data\Avira
    2010-08-19 17:15 . 2010-08-19 17:15 -------- d-----w- c:\windows\Security Update for Windows XP (KB958644)
    2010-08-18 14:12 . 2010-08-18 14:12 -------- d-----w- c:\windows\system32\Registry Patrol
    2010-08-18 14:11 . 2010-08-18 14:11 -------- d-----w- c:\program files\Registry Patrol
    2010-08-18 02:10 . 2010-08-18 02:10 -------- d-----w- c:\windows\system32\NtmsData
    2010-08-18 01:59 . 2010-08-18 01:59 -------- d-----w- c:\documents and settings\user\Application Data\FreeFileViewer
    2010-08-18 01:49 . 2006-10-26 23:56 33104 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\msonpppr.dll
    2010-08-18 01:49 . 2006-10-26 23:56 32592 ----a-w- c:\windows\system32\msonpmon.dll
    2010-08-18 01:47 . 2010-08-18 01:47 -------- d-----w- c:\program files\Microsoft Works
    2010-08-18 01:45 . 2010-08-18 01:45 -------- d-----w- c:\program files\Microsoft.NET
    2010-08-18 01:43 . 2010-08-18 01:43 -------- d-----w- c:\program files\Microsoft Visual Studio 8
    2010-08-18 01:42 . 2010-08-18 01:42 -------- d-----w- c:\windows\SHELLNEW
    2010-08-18 01:41 . 2010-08-18 01:41 -------- d-----r- C:\MSOCache
    2010-08-18 01:37 . 2010-08-18 01:37 -------- d-----w- C:\Microsoft Office 2007
    2010-08-15 23:48 . 2010-08-15 23:44 53632 ----a-w- c:\documents and settings\user\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
    2010-08-03 15:16 . 2010-08-03 15:16 -------- d-----w- c:\documents and settings\user\Application Data\ElevatedDiagnostics
    2010-08-02 04:29 . 2010-08-02 04:29 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
    2010-08-01 17:49 . 2010-08-01 17:49 -------- d-----w- C:\dragon oath
    2010-08-01 17:26 . 2010-08-01 17:26 -------- d-----w- c:\program files\Common Files\Akamai
    2010-08-01 16:11 . 2010-08-01 16:12 -------- d-----w- c:\program files\Common Files\Skype
    2010-07-28 17:49 . 2010-07-28 17:49 72488 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\Safari 5.33.17.8\SetupAdmin.exe

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-08-21 04:31 . 2006-08-22 10:12 12 ----a-w- c:\windows\bthservsdp.dat
    2010-08-19 18:04 . 2009-12-31 16:12 94528 ----a-w- c:\documents and settings\user\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2010-08-16 00:07 . 2010-01-04 23:24 1 ----a-w- c:\documents and settings\user\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
    2010-07-31 05:04 . 2010-07-30 17:13 112 ----a-w- c:\documents and settings\All Users\Application Data\HRitJVF.dat
    2010-07-21 17:33 . 2010-07-21 17:33 -------- d-----w- c:\program files\iPod
    2010-07-21 17:27 . 2010-07-21 17:27 73000 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.2.1.4\SetupAdmin.exe
    2010-07-21 16:42 . 2010-07-21 16:42 921440 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgemc.exe
    2010-07-21 16:42 . 2010-07-21 16:42 1615200 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgssie.dll
    2010-07-21 16:42 . 2010-07-21 16:42 1107296 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgxpl.dll
    2010-07-21 16:42 . 2010-07-21 16:42 4368224 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgcorex.dll
    2010-07-21 03:03 . 2010-07-21 03:03 -------- d-----w- c:\program files\RealTimeImage
    2010-07-13 19:55 . 2010-07-13 19:55 -------- d-----w- c:\program files\Carnivores 2
    2010-07-13 07:47 . 2010-07-13 07:47 -------- d-----w- c:\program files\Carnivores
    2010-07-13 06:20 . 2010-07-13 06:20 691696 ----a-w- c:\windows\system32\drivers\sptd.sys
    2010-07-13 06:20 . 2010-07-13 06:20 -------- d-----w- c:\program files\DAEMON Tools Lite
    2010-07-13 06:19 . 2010-07-13 06:19 -------- d-----w- c:\documents and settings\user\Application Data\DAEMON Tools Lite
    2010-07-13 06:19 . 2010-07-13 06:19 -------- d-----w- c:\documents and settings\All Users\Application Data\DAEMON Tools Lite
    2010-07-13 04:09 . 2010-07-13 04:09 52963 ----a-w- c:\documents and settings\All Users\Application Data\DivX\MSVC80CRTRedist\Uninstaller.exe
    2010-07-13 04:09 . 2010-07-13 04:09 54073 ----a-w- c:\documents and settings\All Users\Application Data\DivX\Qt4.5\Uninstaller.exe
    2010-07-13 04:09 . 2010-07-13 04:09 56969 ----a-w- c:\documents and settings\All Users\Application Data\DivX\ASPEncoder\Uninstaller.exe
    2010-07-13 04:08 . 2010-07-13 04:10 1062184 ----a-w- c:\documents and settings\All Users\Application Data\DivX\Setup\Resource.dll
    2010-07-13 04:08 . 2010-07-13 04:10 895256 ----a-w- c:\documents and settings\All Users\Application Data\DivX\Setup\DivXSetup.exe
    2010-07-02 14:51 . 2010-07-02 14:51 -------- d-----w- c:\program files\MSBuild
    2010-07-02 14:51 . 2010-07-02 14:51 -------- d-----w- c:\program files\Reference Assemblies
    2010-07-01 02:27 . 2010-07-01 02:27 -------- d-----w- c:\program files\PagePerfect 2
    2010-07-01 02:27 . 2010-07-01 02:27 -------- d-----w- c:\program files\PagePerfect 2 Upload Application
    2010-06-30 12:31 . 2004-08-04 09:00 149504 ----a-w- c:\windows\system32\schannel.dll
    2010-06-30 04:13 . 2010-07-14 13:11 52224 ----a-w- c:\documents and settings\user\Application Data\Mozilla\Firefox\Profiles\2uihdpfd.default\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}\components\FFExternalAlert.dll
    2010-06-30 04:13 . 2010-07-14 13:11 101376 ----a-w- c:\documents and settings\user\Application Data\Mozilla\Firefox\Profiles\2uihdpfd.default\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}\components\RadioWMPCore.dll
    2010-06-25 18:37 . 2010-06-25 18:37 -------- d-----w- c:\documents and settings\All Users\Application Data\FLEXnet
    2010-06-25 17:59 . 2010-06-25 17:59 -------- d-----w- c:\program files\Common Files\Macrovision Shared
    2010-06-23 16:28 . 2010-06-23 16:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Adobe Systems
    2010-06-23 13:44 . 2004-08-04 09:00 1851904 ----a-w- c:\windows\system32\win32k.sys
    2010-06-21 15:27 . 2004-08-04 09:00 354304 ----a-w- c:\windows\system32\drivers\srv.sys
    2010-06-17 14:03 . 2004-08-04 09:00 80384 ----a-w- c:\windows\system32\iccvid.dll
    2010-06-14 14:31 . 2004-08-04 09:00 744448 ----a-w- c:\windows\pchealth\helpctr\binaries\HelpSvc.exe
    2010-06-14 07:41 . 2004-08-04 09:00 1172480 ----a-w- c:\windows\system32\msxml3.dll
    2010-06-09 23:01 . 2010-07-13 04:10 9200 ------w- c:\windows\system32\drivers\cdralw2k.sys
    2010-06-09 23:01 . 2010-07-13 04:10 9072 ------w- c:\windows\system32\drivers\cdr4_xp.sys
    2010-06-09 23:01 . 2010-07-13 04:10 45648 ------w- c:\windows\system32\drivers\PxHelp20.sys
    2010-06-09 23:01 . 2010-07-13 04:10 133616 ------w- c:\windows\system32\pxafs.dll
    2010-06-09 23:01 . 2010-07-13 04:10 126448 ------w- c:\windows\system32\pxinsi64.exe
    2010-06-09 23:01 . 2010-07-13 04:10 123888 ------w- c:\windows\system32\pxcpyi64.exe
    2010-06-09 19:58 . 2010-06-25 17:12 14336 ----a-w- c:\documents and settings\user\Application Data\Mozilla\Firefox\Profiles\2uihdpfd.default\extensions\radiobar@toolbar\components\toolbarhomewmp.dll
    2010-06-09 17:08 . 2010-06-09 17:08 71992 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\Safari 5.33.16.0\SetupAdmin.exe
    2010-06-28 23:22 . 2010-06-28 23:22 101760 ----a-w- c:\program files\mozilla firefox\plugins\ieatgpc.dll
    .
    Code:
    <pre>
    c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM .exe
    c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager .exe
    c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier .exe
    c:\program files\Common Files\Java\Java Update\jusched .exe
    c:\program files\Realtek\InstallShield\AzMixerSel .exe
    c:\program files\Synaptics\SynTP\SynTPEnh .exe
    c:\program files\CyberLink\PowerDVD\PDVDServ .exe
    c:\program files\NewTech Infosystems\NTI CD & DVD-Maker 7\ntiMUI .exe
    c:\program files\Launch Manager\LManager .exe
    c:\program files\QuickTime\qttask                                                                    .exe
    c:\program files\iTunes\iTunesHelper .exe
    c:\program files\DivX\DivX Update\DivXUpdate .exe
    c:\windows\system32\rundll32 .exe
    c:\windows\ime\imjp8_1\IMJPMIG .exe
    </pre>
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "igfxtray "= "c:\windows\system32\igfxtray.exe" [2006-03-23 94208]
    "igfxhkcmd "= "c:\windows\system32\hkcmd.exe" [2006-03-23 77824]
    "igfxpers "= "c:\windows\system32\igfxpers.exe" [2006-03-23 118784]
    "SkyTel "= "SkyTel.EXE" [2006-05-16 2879488]
    "BluetoothAuthenticationAgent "= "bthprops.cpl" [2008-04-13 110592]
    "IMJPMIG8.1 "= "c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
    "MSPY2002 "= "c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]
    "PHIME2002ASync "= "c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
    "PHIME2002A "= "c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
    "RTHDCPL "= "RTHDCPL.EXE" [2006-06-28 16248320]
    "Acer ePower Management "= "c:\acer\Empowering Technology\ePower\Acer ePower Management.exe" [2006-05-22 3080704]
    "LManager "= "c:\progra~1\LAUNCH~1\LManager.exe" [N/A]
    "SunJavaUpdateSched "= "c:\program files\Common Files\Java\Java Update\jusched.exe" [N/A]
    "Adobe ARM "= "c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
    "AdobeCS4ServiceManager "= "c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [N/A]
    "iTunesHelper "= "c:\program files\iTunes\iTunesHelper.exe" [2010-07-16 141608]
    "Adobe Reader Speed Launcher "= "c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
    "GrooveMonitor "= "c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 31016]
    "Malwarebytes' Anti-Malware "= "c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2010-04-29 437584]
    "avgnt "= "c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-08-20 282792]

    c:\documents and settings\user\Start Menu\Programs\Startup\
    Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2006-1-17 618557]

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe "=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe "=
    "c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe "=
    "c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe "=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe "=
    "c:\\Program Files\\uTorrent\\uTorrent.exe "=
    "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE "=
    "c:\\Program Files\\Steam\\Steam.exe "=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe "=
    "c:\\Program Files\\iTunes\\iTunes.exe "=
    "c:\\Program Files\\Skype\\Phone\\Skype.exe "=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "5353:TCP "= 5353:TCP:Adobe CSI CS4
    "1032:TCP "= 1032:TCP:Akamai NetSession Interface
    "5000:UDP "= 5000:UDP:Akamai NetSession Interface

    R1 avfwot;avfwot;c:\windows\system32\drivers\avfwot.sys [8/19/2010 9:11 PM 102856]
    R3 avfwim;AvFw Packet Filter Miniport;c:\windows\system32\drivers\avfwim.sys [8/19/2010 9:11 PM 79432]
    S2 AntiVirFirewallService;Avira FireWall;c:\program files\Avira\AntiVir Desktop\avfwsvc.exe [8/19/2010 9:11 PM 536232]
    S2 AntiVirMailService;Avira AntiVir MailGuard;c:\program files\Avira\AntiVir Desktop\avmailc.exe [8/19/2010 9:11 PM 337064]
    S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [8/19/2010 9:11 PM 135336]
    S2 AntiVirWebService;Avira AntiVir WebGuard;c:\program files\Avira\AntiVir Desktop\avwebgrd.exe [8/19/2010 9:11 PM 405672]
    S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [8/19/2010 4:47 PM 304464]
    S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [8/19/2010 4:47 PM 20952]
    S3 Revoflt;Revoflt;c:\windows\system32\drivers\revoflt.sys [8/19/2010 5:49 PM 27064]
    S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [7/13/2010 2:20 AM 691696]

    --- Other Services/Drivers In Memory ---

    *NewlyCreated* - MDMXSDK

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    Akamai REG_MULTI_SZ Akamai
    .
    Contents of the 'Scheduled Tasks' folder

    2010-08-11 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://global.acer.com
    IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office12\EXCEL.EXE/3000
    LSP: c:\program files\Avira\AntiVir Desktop\avsda.dll
    FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\fsrc44yt.default\
    FF - component: c:\program files\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}\components\SkypeFfComponent.dll
    FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npatgpc.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

    ---- FIREFOX POLICIES ----
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref( "security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref ", true);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref( "security.ssl.renego_unrestricted_hosts ", " ");
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref( "security.ssl.treat_unsafe_negotiation_as_broken ", false);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref( "security.ssl.require_safe_negotiation ", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "ui.use_native_colors ", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "network.IDN.whitelist.lu ", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "network.IDN.whitelist.nu ", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "network.IDN.whitelist.nz ", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "network.IDN.whitelist.xn--mgbaam7a8h ", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "network.IDN.whitelist.xn--mgberp4a5d4ar ", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "network.IDN.whitelist.xn--p1ai ", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "network.IDN.whitelist.xn--mgbayh7gpa ", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "network.IDN.whitelist.tel ", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "network.auth.force-generic-ntlm ", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "network.proxy.type ", 5);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "network.buffer.cache.count ", 24);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "network.buffer.cache.size ", 4096);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "dom.ipc.plugins.timeoutSecs ", 45);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "svg.smil.enabled ", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "accelerometer.enabled ", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref( "extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name ", "chrome://browser/locale/browser.properties ");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref( "extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description ", "chrome://browser/locale/browser.properties ");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref( "plugins.update.notifyUser ", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref( "dom.ipc.plugins.enabled.nptest.dll ", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref( "dom.ipc.plugins.enabled.npswf32.dll ", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref( "dom.ipc.plugins.enabled.npctrl.dll ", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref( "dom.ipc.plugins.enabled.npqtplugin.dll ", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref( "dom.ipc.plugins.enabled ", false);
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-08-21 00:40
    Windows 5.1.2600 Service Pack 3 FAT NTAPI

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(1208)
    c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll

    - - - - - - - > 'explorer.exe'(452)
    c:\windows\system32\WININET.dll
    c:\windows\system32\ieframe.dll
    .
    Completion time: 2010-08-21 00:41:26
    ComboFix-quarantined-files.txt 2010-08-21 04:41

    Pre-Run: 104,955,576,320 bytes free
    Post-Run: 104,939,683,840 bytes free

    - - End Of File - - E05A144BF794CBAABF4D4BE08B7BB694
     
  15. 2010/08/21
    broni

    broni Moderator Malware Analyst

    1. Please open Notepad
    • Click Start, then Run
    • Type notepad.exe in the Run box.

    2. Now copy/paste the entire content of the codebox below into the Notepad window:

    Code:
    File::
    c:\documents and settings\All Users\Application Data\HRitJVF.dat
    
    
    Folder::
    c:\windows\system32\Registry Patrol
    c:\program files\Registry Patrol
    c:\program files\Common Files\Akamai
    
    RenV::
    c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM .exe
    c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager .exe
    c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier .exe
    c:\program files\Common Files\Java\Java Update\jusched .exe
    c:\program files\Realtek\InstallShield\AzMixerSel .exe
    c:\program files\Synaptics\SynTP\SynTPEnh .exe
    c:\program files\CyberLink\PowerDVD\PDVDServ .exe
    c:\program files\NewTech Infosystems\NTI CD & DVD-Maker 7\ntiMUI .exe
    c:\program files\Launch Manager\LManager .exe
    c:\program files\QuickTime\qttask                                                                    .exe
    c:\program files\iTunes\iTunesHelper .exe
    c:\program files\DivX\DivX Update\DivXUpdate .exe
    c:\windows\system32\rundll32 .exe
    c:\windows\ime\imjp8_1\IMJPMIG .exe
    
    

    3. Save the above as CFScript.txt

    4. Close/disable all antivirus and anti-malware programs again, so they do not interfere with the running of ComboFix.

    5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

    [image: animation showing CFScript.txt being dragged onto ComboFix.exe]


    6. After reboot (in case it asks to reboot), please post the following reports/logs into your next reply:
    • Combofix.txt
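As an added example that is not part of the thread or of ComboFix itself, serving both CFScript procedures above (posts 9 and 15): a small Python cross-check that parses the CFScript sections (File::, Folder::, Driver::) and the log ComboFix posts back, then flags every directive the log does not confirm as deleted or removed, so leftovers are noticed before the machine is declared clean. The script and log excerpts are trimmed copies of what was posted in this thread; the log layout the parser relies on (the "FILE ::" echo, the "Other Deletions" and "Drivers/Services" banners) is an assumption drawn from those posts, not from ComboFix documentation.

```python
import re

# Constructed excerpt of the CFScript the analyst posted (File::/Folder::/Driver:: only).
CFSCRIPT = r"""File::
c:\windows\Phiqexomino.dat
c:\windows\Pdetukoge.bin
c:\windows\system32\ithqp.dll
c:\windows\nenfx80.dll

Folder::
c:\documents and settings\user\Application Data\AVG9

Driver::
hxjve
Akamai
"""

# Constructed excerpt of the ComboFix log posted after that script was run.
COMBOFIX_LOG = r"""FILE ::
"c:\windows\nenfx80.dll"
"c:\windows\Pdetukoge.bin"
"c:\windows\Phiqexomino.dat"
"c:\windows\system32\ithqp.dll"
.

((((((((((((((((((((( Other Deletions )))))))))))))))))))))
---- Previous Run -------
c:\documents and settings\user\Application Data\AVG9\cfgall\usergui.cfg
c:\windows\Pdetukoge.bin
c:\windows\Phiqexomino.dat

((((((((((((((((((((( Drivers/Services )))))))))))))))))))))
-------\Legacy_AKAMAI
-------\Service_hxjve
"""

BANNER = re.compile(r"^\(+\s*(.+?)\s*\)+$")            # "((((( Section Name )))))" (assumed layout)
WINPATH = re.compile(r"^[a-z]:\\", re.IGNORECASE)       # a line that is a drive-letter path
SERVICE = re.compile(r"^-------\\(?:Legacy|Service)_(\S+)$")   # removed service/legacy key


def parse_cfscript(text):
    """Group CFScript lines under their 'Name::' headers -> {section: [entries]}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("::"):
            current = line[:-2]
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def parse_combofix_log(text):
    """Collect the three log parts the cross-check reads (layout assumed from the posted logs)."""
    queued, deleted, services, section = [], [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        banner = BANNER.match(line)
        if line == "FILE ::":
            section = "FILE"
        elif banner:
            section = banner.group(1)
        elif section == "FILE" and line.startswith('"'):
            queued.append(line.strip('"').strip())          # files the script asked about
        elif section == "Other Deletions" and WINPATH.match(line):
            deleted.append(line)                             # paths ComboFix reports removed
        elif section == "Drivers/Services" and SERVICE.match(line):
            services.append(SERVICE.match(line).group(1))    # services/legacy keys removed
    return {"queued": queued, "deleted": deleted, "services": services}


def cross_check(script, log):
    """Return {section: {entry: status}} describing what the log confirms for each directive."""
    queued = {p.lower() for p in log["queued"]}
    deleted = [p.lower() for p in log["deleted"]]
    services = {s.lower() for s in log["services"]}
    report = {"File": {}, "Folder": {}, "Driver": {}}
    for path in script.get("File", []):
        key = path.lower()
        if key in deleted:
            report["File"][path] = "deleted"
        elif key in queued:
            report["File"][path] = "listed, no deletion recorded"
        else:
            report["File"][path] = "not in log"
    for folder in script.get("Folder", []):
        prefix = folder.lower().rstrip("\\") + "\\"   # folder itself or anything beneath it
        hit = any(p == prefix[:-1] or p.startswith(prefix) for p in deleted)
        report["Folder"][folder] = "deleted" if hit else "not in log"
    for name in script.get("Driver", []):
        report["Driver"][name] = "removed" if name.lower() in services else "not in log"
    return report


def unresolved(report):
    """Entries that still need a look: anything not confirmed deleted or removed."""
    return [(sec, entry) for sec, entries in report.items()
            for entry, status in entries.items() if status not in ("deleted", "removed")]
```

Run on the excerpts above, `unresolved()` singles out the two files that the log echoed but never reported deleting, which is exactly the kind of entry an analyst wants to re-check in the next log rather than assume gone.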
     
  16. 2010/08/21
    KStox

    KStox Inactive Thread Starter

    ComboFix 10-08-19.02 - Administrator 08/21/2010 1:11.5.2 - FAT32x86 NETWORK
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1776 [GMT -4:00]
    Running from: c:\documents and settings\user\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\user\Desktop\CFScript.txt
    AV: AntiVir Desktop *On-access scanning enabled* (Updated) {11638345-E4FC-4BEE-BB73-EC754659C5F6}
    FW: Avira FireWall *enabled* {11638345-E4FC-4BEE-BB73-EC754659C5F6}

    FILE ::
    "c:\documents and settings\All Users\Application Data\HRitJVF.dat "
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\documents and settings\All Users\Application Data\HRitJVF.dat
    c:\program files\Common Files\Akamai
    c:\program files\Common Files\Akamai\AdminTool.exe
    c:\program files\Common Files\Akamai\appregistry.dat
    c:\program files\Common Files\Akamai\client.ini
    c:\program files\Common Files\Akamai\client.ini.json
    c:\program files\Common Files\Akamai\ControlPanel.exe
    c:\program files\Common Files\Akamai\CplTasks.xml
    c:\program files\Common Files\Akamai\data.dat
    c:\program files\Common Files\Akamai\debug.log
    c:\program files\Common Files\Akamai\debug.log.181.upload
    c:\program files\Common Files\Akamai\euc_state.json
    c:\program files\Common Files\Akamai\guid.ini
    c:\program files\Common Files\Akamai\Languages\chs.dll
    c:\program files\Common Files\Akamai\Languages\cht.dll
    c:\program files\Common Files\Akamai\Languages\csy.dll
    c:\program files\Common Files\Akamai\Languages\dan.dll
    c:\program files\Common Files\Akamai\Languages\deu.dll
    c:\program files\Common Files\Akamai\Languages\esp.dll
    c:\program files\Common Files\Akamai\Languages\fin.dll
    c:\program files\Common Files\Akamai\Languages\fra.dll
    c:\program files\Common Files\Akamai\Languages\ita.dll
    c:\program files\Common Files\Akamai\Languages\jpn.dll
    c:\program files\Common Files\Akamai\Languages\kor.dll
    c:\program files\Common Files\Akamai\Languages\nld.dll
    c:\program files\Common Files\Akamai\Languages\nor.dll
    c:\program files\Common Files\Akamai\Languages\plk.dll
    c:\program files\Common Files\Akamai\Languages\ptb.dll
    c:\program files\Common Files\Akamai\Languages\rus.dll
    c:\program files\Common Files\Akamai\Languages\sve.dll
    c:\program files\Common Files\Akamai\Languages\trk.dll
    c:\program files\Common Files\Akamai\Readme.txt
    c:\program files\Common Files\Akamai\root.pem
    c:\program files\Common Files\Akamai\rswin_3725.dll
    c:\program files\Common Files\Akamai\rswinui.exe
    c:\program files\Common Files\Akamai\uninstall.exe
    c:\program files\Common Files\Akamai\vcredist_x86.exe
    c:\program files\Registry Patrol
    c:\program files\Registry Patrol\ErrorLog.log
    c:\program files\Registry Patrol\MemWarp.dll
    c:\program files\Registry Patrol\msado27.tlb
    c:\program files\Registry Patrol\MSVBVM60.dll
    c:\program files\Registry Patrol\SQLite3VB.dll
    c:\program files\Registry Patrol\tskschd.dll
    c:\windows\system32\Registry Patrol

    .
    ((((((((((((((((((((((((( Files Created from 2010-07-21 to 2010-08-21 )))))))))))))))))))))))))))))))
    .

    2010-08-21 03:51 . 2010-08-21 03:51 -------- d-----w- c:\documents and settings\Administrator\Application Data\Avira
    2010-08-21 03:36 . 2010-08-21 03:36 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Adobe
    2010-08-21 03:32 . 2010-08-21 03:32 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
    2010-08-20 16:47 . 2008-04-13 17:44 153344 ----a-w- c:\windows\system32\drivers\dmio.sys
    2010-08-20 16:47 . 2008-04-13 17:44 153344 ----a-w- c:\windows\system32\dllcache\dmio.sys
    2010-08-20 16:47 . 2008-04-13 17:36 10240 ----a-w- c:\windows\system32\drivers\compbatt.sys
    2010-08-20 16:47 . 2008-04-13 17:36 10240 ----a-w- c:\windows\system32\dllcache\compbatt.sys
    2010-08-20 01:11 . 2010-08-20 01:04 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
    2010-08-20 01:11 . 2010-08-20 01:04 124784 ----a-w- c:\windows\system32\drivers\avipbb.sys
    2010-08-20 01:11 . 2010-08-20 01:04 60936 ----a-w- c:\windows\system32\drivers\avgntflt.sys
    2010-08-20 01:11 . 2010-08-20 01:04 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
    2010-08-20 01:11 . 2010-08-20 01:04 79432 ----a-w- c:\windows\system32\drivers\avfwim.sys
    2010-08-20 01:11 . 2010-08-20 01:04 102856 ----a-w- c:\windows\system32\drivers\avfwot.sys
    2010-08-20 01:11 . 2010-08-20 01:11 -------- d-----w- c:\program files\Avira
    2010-08-20 01:11 . 2010-08-20 01:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
    2010-08-19 21:49 . 2010-08-19 21:49 -------- d-----w- c:\documents and settings\user\Local Settings\Application Data\VS Revo Group
    2010-08-19 21:49 . 2009-12-30 16:20 27064 ----a-w- c:\windows\system32\drivers\revoflt.sys
    2010-08-19 21:49 . 2010-08-19 21:49 -------- d-----w- c:\program files\VS Revo Group
    2010-08-19 20:48 . 2010-08-19 20:48 -------- d-----w- c:\documents and settings\user\Application Data\Malwarebytes
    2010-08-19 20:47 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-08-19 20:47 . 2010-08-19 20:47 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2010-08-19 20:47 . 2010-08-19 20:47 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-08-19 20:47 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-08-19 18:50 . 2010-08-19 18:50 -------- d-----w- c:\documents and settings\user\Application Data\Avira
    2010-08-19 17:15 . 2010-08-19 17:15 -------- d-----w- c:\windows\Security Update for Windows XP (KB958644)
    2010-08-18 02:10 . 2010-08-18 02:10 -------- d-----w- c:\windows\system32\NtmsData
    2010-08-18 01:59 . 2010-08-18 01:59 -------- d-----w- c:\documents and settings\user\Application Data\FreeFileViewer
    2010-08-18 01:49 . 2006-10-26 23:56 33104 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\msonpppr.dll
    2010-08-18 01:49 . 2006-10-26 23:56 32592 ----a-w- c:\windows\system32\msonpmon.dll
    2010-08-18 01:47 . 2010-08-18 01:47 -------- d-----w- c:\program files\Microsoft Works
    2010-08-18 01:45 . 2010-08-18 01:45 -------- d-----w- c:\program files\Microsoft.NET
    2010-08-18 01:43 . 2010-08-18 01:43 -------- d-----w- c:\program files\Microsoft Visual Studio 8
    2010-08-18 01:42 . 2010-08-18 01:42 -------- d-----w- c:\windows\SHELLNEW
    2010-08-18 01:41 . 2010-08-18 01:41 -------- d-----r- C:\MSOCache
    2010-08-18 01:37 . 2010-08-18 01:37 -------- d-----w- C:\Microsoft Office 2007
    2010-08-15 23:48 . 2010-08-15 23:44 53632 ----a-w- c:\documents and settings\user\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
    2010-08-03 15:16 . 2010-08-03 15:16 -------- d-----w- c:\documents and settings\user\Application Data\ElevatedDiagnostics
    2010-08-02 04:29 . 2010-08-02 04:29 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
    2010-08-01 17:49 . 2010-08-01 17:49 -------- d-----w- C:\dragon oath
    2010-08-01 16:11 . 2010-08-01 16:12 -------- d-----w- c:\program files\Common Files\Skype
    2010-07-28 17:49 . 2010-07-28 17:49 72488 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\Safari 5.33.17.8\SetupAdmin.exe

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-08-21 05:08 . 2006-08-22 10:12 12 ----a-w- c:\windows\bthservsdp.dat
    2010-08-19 18:04 . 2009-12-31 16:12 94528 ----a-w- c:\documents and settings\user\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2010-08-16 00:07 . 2010-01-04 23:24 1 ----a-w- c:\documents and settings\user\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
    2010-07-21 17:33 . 2010-07-21 17:33 -------- d-----w- c:\program files\iPod
    2010-07-21 17:27 . 2010-07-21 17:27 73000 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.2.1.4\SetupAdmin.exe
    2010-07-21 16:42 . 2010-07-21 16:42 921440 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgemc.exe
    2010-07-21 16:42 . 2010-07-21 16:42 1615200 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgssie.dll
    2010-07-21 16:42 . 2010-07-21 16:42 1107296 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgxpl.dll
    2010-07-21 16:42 . 2010-07-21 16:42 4368224 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgcorex.dll
    2010-07-21 03:03 . 2010-07-21 03:03 -------- d-----w- c:\program files\RealTimeImage
    2010-07-13 19:55 . 2010-07-13 19:55 -------- d-----w- c:\program files\Carnivores 2
    2010-07-13 07:47 . 2010-07-13 07:47 -------- d-----w- c:\program files\Carnivores
    2010-07-13 06:20 . 2010-07-13 06:20 691696 ----a-w- c:\windows\system32\drivers\sptd.sys
    2010-07-13 06:20 . 2010-07-13 06:20 -------- d-----w- c:\program files\DAEMON Tools Lite
    2010-07-13 06:19 . 2010-07-13 06:19 -------- d-----w- c:\documents and settings\user\Application Data\DAEMON Tools Lite
    2010-07-13 06:19 . 2010-07-13 06:19 -------- d-----w- c:\documents and settings\All Users\Application Data\DAEMON Tools Lite
    2010-07-13 04:09 . 2010-07-13 04:09 52963 ----a-w- c:\documents and settings\All Users\Application Data\DivX\MSVC80CRTRedist\Uninstaller.exe
    2010-07-13 04:09 . 2010-07-13 04:09 54073 ----a-w- c:\documents and settings\All Users\Application Data\DivX\Qt4.5\Uninstaller.exe
    2010-07-13 04:09 . 2010-07-13 04:09 56969 ----a-w- c:\documents and settings\All Users\Application Data\DivX\ASPEncoder\Uninstaller.exe
    2010-07-13 04:08 . 2010-07-13 04:10 1062184 ----a-w- c:\documents and settings\All Users\Application Data\DivX\Setup\Resource.dll
    2010-07-13 04:08 . 2010-07-13 04:10 895256 ----a-w- c:\documents and settings\All Users\Application Data\DivX\Setup\DivXSetup.exe
    2010-07-02 14:51 . 2010-07-02 14:51 -------- d-----w- c:\program files\MSBuild
    2010-07-02 14:51 . 2010-07-02 14:51 -------- d-----w- c:\program files\Reference Assemblies
    2010-07-01 02:27 . 2010-07-01 02:27 -------- d-----w- c:\program files\PagePerfect 2
    2010-07-01 02:27 . 2010-07-01 02:27 -------- d-----w- c:\program files\PagePerfect 2 Upload Application
    2010-06-30 12:31 . 2004-08-04 09:00 149504 ----a-w- c:\windows\system32\schannel.dll
    2010-06-30 04:13 . 2010-07-14 13:11 52224 ----a-w- c:\documents and settings\user\Application Data\Mozilla\Firefox\Profiles\2uihdpfd.default\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}\components\FFExternalAlert.dll
    2010-06-30 04:13 . 2010-07-14 13:11 101376 ----a-w- c:\documents and settings\user\Application Data\Mozilla\Firefox\Profiles\2uihdpfd.default\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}\components\RadioWMPCore.dll
    2010-06-25 18:37 . 2010-06-25 18:37 -------- d-----w- c:\documents and settings\All Users\Application Data\FLEXnet
    2010-06-25 17:59 . 2010-06-25 17:59 -------- d-----w- c:\program files\Common Files\Macrovision Shared
    2010-06-23 16:28 . 2010-06-23 16:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Adobe Systems
    2010-06-23 13:44 . 2004-08-04 09:00 1851904 ----a-w- c:\windows\system32\win32k.sys
    2010-06-21 15:27 . 2004-08-04 09:00 354304 ----a-w- c:\windows\system32\drivers\srv.sys
    2010-06-17 14:03 . 2004-08-04 09:00 80384 ----a-w- c:\windows\system32\iccvid.dll
    2010-06-14 14:31 . 2004-08-04 09:00 744448 ----a-w- c:\windows\pchealth\helpctr\binaries\HelpSvc.exe
    2010-06-14 07:41 . 2004-08-04 09:00 1172480 ----a-w- c:\windows\system32\msxml3.dll
    2010-06-09 23:01 . 2010-07-13 04:10 9200 ------w- c:\windows\system32\drivers\cdralw2k.sys
    2010-06-09 23:01 . 2010-07-13 04:10 9072 ------w- c:\windows\system32\drivers\cdr4_xp.sys
    2010-06-09 23:01 . 2010-07-13 04:10 45648 ------w- c:\windows\system32\drivers\PxHelp20.sys
    2010-06-09 23:01 . 2010-07-13 04:10 133616 ------w- c:\windows\system32\pxafs.dll
    2010-06-09 23:01 . 2010-07-13 04:10 126448 ------w- c:\windows\system32\pxinsi64.exe
    2010-06-09 23:01 . 2010-07-13 04:10 123888 ------w- c:\windows\system32\pxcpyi64.exe
    2010-06-09 19:58 . 2010-06-25 17:12 14336 ----a-w- c:\documents and settings\user\Application Data\Mozilla\Firefox\Profiles\2uihdpfd.default\extensions\radiobar@toolbar\components\toolbarhomewmp.dll
    2010-06-09 17:08 . 2010-06-09 17:08 71992 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\Safari 5.33.16.0\SetupAdmin.exe
    2010-06-28 23:22 . 2010-06-28 23:22 101760 ----a-w- c:\program files\mozilla firefox\plugins\ieatgpc.dll
    .
    Code:
    c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM .exe
    c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager .exe
    c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier .exe
    c:\program files\Common Files\Java\Java Update\jusched .exe
    c:\program files\Realtek\InstallShield\AzMixerSel .exe
    c:\program files\Synaptics\SynTP\SynTPEnh .exe
    c:\program files\CyberLink\PowerDVD\PDVDServ .exe
    c:\program files\NewTech Infosystems\NTI CD & DVD-Maker 7\ntiMUI .exe
    c:\program files\Launch Manager\LManager .exe
    c:\program files\QuickTime\qttask                                                                    .exe
    c:\program files\iTunes\iTunesHelper .exe
    c:\program files\DivX\DivX Update\DivXUpdate .exe
    c:\windows\system32\rundll32 .exe
    c:\windows\ime\imjp8_1\IMJPMIG .exe
    ((((((((((((((((((((((((((((( SnapShot@2010-08-21_04.40.05 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2004-08-04 09:00 . 2008-04-13 23:12 80896 c:\windows\system32\wscsvc.dll
    + 2004-08-04 09:00 . 2008-04-13 23:12 13824 c:\windows\system32\wscntfy.exe
    + 2004-08-04 09:00 . 2008-04-13 23:12 20480 c:\windows\system32\wmpcd.dll
    + 2004-08-04 09:00 . 2008-04-13 23:12 15872 c:\windows\system32\w3ssl.dll
    + 2004-08-04 09:00 . 2004-08-04 09:00 44544 c:\windows\system32\tscupgrd.exe
    + 2004-08-04 09:00 . 2008-04-13 23:12 73216 c:\windows\system32\tlntsvr.exe
    + 2004-08-04 09:00 . 2008-04-13 23:12 61440 c:\windows\system32\tlntadmn.exe
    + 2004-08-04 09:00 . 2008-04-13 23:12 77824 c:\windows\system32\tasklist.exe
    + 2004-08-04 09:00 . 2008-04-13 23:12 71680 c:\windows\system32\systeminfo.exe
    + 2004-08-04 09:00 . 2004-08-04 09:00 24661 c:\windows\system32\spxcoins.dll
    + 2004-08-04 09:00 . 2008-04-13 23:12 77824 c:\windows\system32\shrpubw.exe
    + 2004-08-04 09:00 . 2008-04-13 23:12 45056 c:\windows\system32\shmgrate.exe
    + 2004-08-04 09:00 . 2008-04-13 23:12 65024 c:\windows\system32\shimeng.dll
    + 2004-08-04 09:00 . 2008-04-13 23:12 68096 c:\windows\system32\shgina.dll
    + 2004-08-04 09:00 . 2008-04-13 23:12 23040 c:\windows\system32\setup.exe
    + 2004-08-04 09:00 . 2008-04-13 23:12 31232 c:\windows\system32\sethc.exe
    + 2004-08-04 09:00 . 2008-04-13 23:12 56320 c:\windows\system32\servdeps.dll
    + 2004-08-04 09:00 . 2008-04-13 23:12 39424 c:\windows\system32\sens.dll
    + 2004-08-04 09:00 . 2008-04-13 23:12 54784 c:\windows\system32\sendmail.dll
    + 2004-08-04 09:00 . 2008-04-13 23:12 29184 c:\windows\system32\sendcmsg.dll
    + 2004-08-04 09:00 . 2008-04-13 23:12 18944 c:\windows\system32\seclogon.dll
    + 2004-08-04 09:00 . 2008-04-13 23:12 77312 c:\windows\system32\sdbinst.exe
    + 2004-08-04 09:00 . 2008-04-13 23:12 20480 c:\windows\system32\sclgntfy.dll
    + 2004-08-04 09:00 . 2008-04-13 23:12 69632 c:\windows\system32\scarddlg.dll
    + 2004-08-04 09:00 . 2008-04-13 23:12 45568 c:\windows\system32\safrslv.dll
    + 2004-08-04 09:00 . 2008-04-13 23:12 29696 c:\windows\system32\safrdm.dll
    + 2004-08-04 09:00 . 2008-04-13 23:12 43520 c:\windows\system32\safrcdlg.dll
    + 2004-08-04 09:00 . 2008-04-13 23:12 14336 c:\windows\system32\runonce.exe
    + 2004-08-04 09:00 . 2008-04-13 23:12 33280 c:\windows\system32\rundll32.exe
    + 2004-08-04 09:00 . 2008-04-13 23:12 44032 c:\windows\system32\rtutils.dll
    + 2004-08-04 09:00 . 2008-04-13 23:12 31744 c:\windows\system32\rtipxmib.dll
    + 2004-08-04 09:00 . 2008-04-13 23:12 77312 c:\windows\system32\rtcshare.exe
    + 2004-08-04 09:00 . 2008-04-13 23:12 92672 c:\windows\system32\rsvpsp.dll
    + 2004-08-04 09:00 . 2008-04-13 23:12 14848 c:\windows\system32\rsh.exe
    + 2004-08-04 09:00 . 2008-04-13 23:12 13824 c:\windows\system32\rexec.exe
    + 2004-08-04 09:00 . 2008-04-13 23:12 58880 c:\windows\system32\resutils.dll
    + 2004-08-04 09:00 . 2008-04-13 23:12 60416 c:\windows\system32\remotepg.dll
    + 2004-08-04 09:00 . 2008-04-13 23:12 11776 c:\windows\system32\regsvr32.exe
    + 2004-08-04 09:00 . 2008-04-13 23:12 49664 c:\windows\system32\regapi.dll
    + 2004-08-04 09:00 . 2008-04-13 23:12 50176 c:\windows\system32\reg.exe
    + 2004-08-04 09:00 . 2008-04-13 23:12 67072 c:\windows\system32\rdshost.exe
    + 2004-08-04 09:00 . 2008-04-13 23:12 13824 c:\windows\system32\rdsaddin.exe
    + 2004-08-04 09:00 . 2008-04-13 23:13 87176 c:\windows\system32\rdpwsx.dll
    + 2004-08-04 09:00 . 2008-04-13 23:12 19968 c:\windows\system32\rdpsnd.dll
    + 2004-08-04 09:00 . 2008-04-13 23:13 92424 c:\windows\system32\rdpdd.dll
    + 2004-08-04 09:00 . 2008-04-13 23:12 21504 c:\windows\system32\rcp.exe
    + 2004-08-04 09:00 . 2008-04-13 23:12 35840 c:\windows\system32\rcimlby.exe
    + 2004-08-04 09:00 . 2008-04-13 23:12 16384 c:\windows\system32\rassapi.dll
    + 2004-08-04 09:00 . 2008-04-13 23:12 43520 c:\windows\system32\racpldlg.dll
    + 2004-08-04 09:00 . 2008-04-13 23:12 18944 c:\windows\system32\qmgrprxy.dll
    + 2004-08-04 09:00 . 2008-04-13 23:12 43520 c:\windows\system32\pstorec.dll
    + 2004-08-04 09:00 . 2008-04-13 23:12 23040 c:\windows\system32\psapi.dll
    + 2004-08-04 09:00 . 2008-04-13 23:12 50176 c:\windows\system32\proquota.exe
    + 2004-08-04 09:00 . 2008-04-13 23:12 17408 c:\windows\system32\powrprof.dll
    + 2004-08-04 09:00 . 2008-04-13 23:12 15360 c:\windows\system32\pjlmon.dll
    + 2004-08-04 09:00 . 2008-04-13 23:12 67584 c:\windows\system32\openfiles.exe
    + 2004-08-04 09:00 . 2008-04-13 23:12 20510 c:\windows\system32\odpdx32.dll
    + 2004-08-04 09:00 . 2008-04-13 23:12 20510 c:\windows\system32\odfox32.dll
    + 2004-08-04 09:00 . 2008-04-13 23:12 20510 c:\windows\system32\odexl32.dll
    + 2004-08-04 09:00 . 2008-04-13 23:12 20511 c:\windows\system32\oddbse32.dll
    + 2004-08-04 09:00 . 2008-04-13 16:26 12288 c:\windows\system32\odbcp32r.dll
    + 2004-08-04 09:00 . 2008-04-13 23:10 53279 c:\windows\system32\odbcji32.dll
    + 2004-08-04 09:00 . 2008-04-13 16:26 94208 c:\windows\system32\odbcint.dll
    + 2004-08-04 09:00 . 2008-04-13 23:12 65536 c:\windows\system32\odbccu32.dll
    + 2004-08-04 09:00 . 2008-04-13 23:12 65536 c:\windows\system32\odbccr32.dll
    + 2004-08-04 09:00 . 2008-04-13 23:12 24576 c:\windows\system32\odbcbcp.dll
    + 2004-08-04 09:00 . 2008-04-13 23:12 32768 c:\windows\system32\odbcad32.exe
    + 2004-08-04 09:00 . 2008-04-13 23:12 67584 c:\windows\system32\ocmanage.dll
    + 2004-08-04 09:00 . 2008-04-13 23:12 44032 c:\windows\system32\ntlanman.dll
    + 2004-08-04 09:00 . 2008-04-13 23:12 67072 c:\windows\system32\ntdsapi.dll
    + 2004-08-04 09:00 . 2008-04-13 23:12 54784 c:\windows\system32\npptools.dll
    + 2004-08-04 09:00 . 2008-04-13 23:12 98304 c:\windows\system32\nlhtml.dll
    + 2004-08-04 09:00 . 2008-04-13 23:12 80896 c:\windows\system32\netui0.dll
    + 2004-08-04 09:00 . 2008-04-13 23:12 36864 c:\windows\system32\netstat.exe
    + 2004-08-04 09:00 . 2008-04-13 23:12 86016 c:\windows\system32\netsh.exe
    + 2004-08-04 09:00 . 2008-04-13 23:12 36352 c:\windows\system32\ncobjapi.dll
    + 2004-08-04 09:00 . 2008-04-13 23:12 53760 c:\windows\system32\narrator.exe
    + 2004-08-04 09:00 . 2008-04-13 23:12 34304 c:\windows\system32\mtxlegih.dll
    + 2004-08-04 09:00 . 2008-04-13 23:12 30720 c:\windows\system32\mtxdm.dll
    + 2004-08-04 09:00 . 2008-04-13 23:12 57344 c:\windows\system32\msvcirt.dll
    + 2004-08-04 09:00 . 2008-04-13 23:12 12288 c:\windows\system32\mstinit.exe
    + 2004-08-04 09:00 . 2008-04-13 15:23 48128 c:\windows\system32\msprivs.dll
    + 2004-08-04 09:00 . 2008-04-13 23:12 29696 c:\windows\system32\mspatcha.dll
    + 2004-08-04 09:00 . 2008-04-13 16:24 20480 c:\windows\system32\msorc32r.dll
    + 2004-08-04 09:00 . 2008-04-13 23:12 25088 c:\windows\system32\mslbui.dll
    + 2004-08-04 09:00 . 2008-04-13 23:12 51712 c:\windows\system32\msident.dll
    + 2004-08-04 09:00 . 2008-04-13 23:12 14336 c:\windows\system32\msdmo.dll
    + 2004-08-04 09:00 . 2008-04-13 23:11 71680 c:\windows\system32\msacm32.dll
    + 2004-08-04 09:00 . 2008-04-13 23:11 11776 c:\windows\system32\localui.dll
    + 2004-08-04 09:00 . 2004-08-04 09:00 92224 c:\windows\system32\krnl386.exe
    + 2004-08-04 09:00 . 2010-03-11 12:38 27648 c:\windows\system32\jsproxy.dll
    + 2004-08-04 09:00 . 2008-04-13 23:11 54272 c:\windows\system32\ixsso.dll
    + 2004-08-04 09:00 . 2004-08-04 09:00 13312 c:\windows\system32\irclass.dll
    + 2004-08-04 09:00 . 2010-03-11 12:38 44544 c:\windows\system32\iernonce.dll
    + 2004-08-04 09:00 . 2008-04-13 23:11 41984 c:\windows\system32\htui.dll
    + 2004-08-04 09:00 . 2004-08-04 09:00 11264 c:\windows\system32\fxssend.exe
    + 2004-08-04 09:00 . 2004-08-04 09:00 31744 c:\windows\system32\fxsroute.dll
    + 2004-08-04 09:00 . 2008-04-13 23:11 60416 c:\windows\system32\fwcfg.dll
    + 2004-08-04 09:00 . 2008-04-13 23:12 82944 c:\windows\system32\eventtriggers.exe
    + 2004-08-04 09:00 . 2004-08-04 09:00 97965 c:\windows\system32\eventquery.vbs
    + 2004-08-04 09:00 . 2008-04-13 23:12 50688 c:\windows\system32\eventcreate.exe
    + 2004-08-04 09:00 . 2008-04-13 23:11 87040 c:\windows\system32\drmstor.dll
    + 2004-08-04 09:00 . 2008-04-13 23:12 62976 c:\windows\system32\driverquery.exe
    + 2004-08-04 09:00 . 2008-04-13 23:11 57344 c:\windows\system32\dpwsockx.dll
    + 2004-08-04 09:00 . 2004-08-04 09:00 85020 c:\windows\system32\dgsetup.dll
    + 2004-08-04 09:00 . 2008-04-13 23:11 17408 c:\windows\system32\bidispl.dll
    + 2004-08-04 09:00 . 2008-04-13 23:11 29184 c:\windows\system32\batmeter.dll
    + 2004-08-04 09:00 . 2004-08-04 09:00 5120 c:\windows\system32\winnls.dll
    + 2004-08-04 09:00 . 2008-04-13 23:12 7168 c:\windows\system32\tlntsvrp.dll
    + 2004-08-04 09:00 . 2008-04-13 23:12 8192 c:\windows\system32\smbinst.exe
    + 2004-08-04 09:00 . 2008-04-13 23:12 5120 c:\windows\system32\sfc.dll
    + 2004-08-04 09:00 . 2008-04-13 23:12 7168 c:\windows\system32\sensapi.dll
    + 2004-08-04 09:00 . 2008-04-13 23:12 5632 c:\windows\system32\security.dll
    + 2004-08-04 09:00 . 2004-08-04 09:00 4569 c:\windows\system32\secupd.dat
    + 2004-08-04 09:00 . 2008-04-13 23:12 9216 c:\windows\system32\scrnsave.scr
    + 2004-08-04 09:00 . 2004-08-04 09:00 3338 c:\windows\system32\redir.exe
    + 2004-08-04 09:00 . 2008-04-13 23:12 7680 c:\windows\system32\rasadhlp.dll
    + 2004-08-04 09:00 . 2008-04-13 23:12 9216 c:\windows\system32\proxycfg.exe
    + 2004-08-04 09:00 . 2008-04-13 23:12 4096 c:\windows\system32\mtxex.dll
    + 2004-08-04 09:00 . 2008-04-13 23:12 4608 c:\windows\system32\msimg32.dll
    + 2004-08-04 09:00 . 2008-04-13 23:10 4126 c:\windows\system32\msdxmlc.dll
    + 2004-08-04 09:00 . 2008-04-13 23:12 6144 c:\windows\system32\msdtc.exe
    + 2004-08-04 09:00 . 2008-04-13 23:11 6656 c:\windows\system32\laprxy.dll
    + 2004-08-04 09:00 . 2004-08-04 09:00 6656 c:\windows\system32\kbdycl.dll
    + 2004-08-04 09:00 . 2004-08-04 09:00 6656 c:\windows\system32\kbdsl1.dll
    + 2004-08-04 09:00 . 2004-08-04 09:00 6656 c:\windows\system32\kbdsl.dll
    + 2004-08-04 09:00 . 2004-08-04 09:00 5632 c:\windows\system32\kbdro.dll
    + 2004-08-04 09:00 . 2004-08-04 09:00 5632 c:\windows\system32\kbdpl1.dll
    + 2004-08-04 09:00 . 2004-08-04 09:00 6656 c:\windows\system32\kbdpl.dll
    + 2004-08-04 09:00 . 2004-08-04 09:00 6144 c:\windows\system32\kbdlv1.dll
    + 2004-08-04 09:00 . 2004-08-04 09:00 6144 c:\windows\system32\kbdlv.dll
    + 2004-08-04 09:00 . 2004-08-04 09:00 5632 c:\windows\system32\kbdlt1.dll
    + 2004-08-04 09:00 . 2004-08-04 09:00 5632 c:\windows\system32\kbdlt.dll
    + 2004-08-04 09:00 . 2008-04-13 23:09 6144 c:\windows\system32\kbdinben.dll
    + 2004-08-04 09:00 . 2008-04-13 23:09 6144 c:\windows\system32\kbdinbe1.dll
    + 2004-08-04 09:00 . 2004-08-04 09:00 5632 c:\windows\system32\kbdhu1.dll
    + 2004-08-04 09:00 . 2004-08-04 09:00 6656 c:\windows\system32\kbdhu.dll
    + 2004-08-04 09:00 . 2004-08-04 09:00 8192 c:\windows\system32\kbdhept.dll
    + 2004-08-04 09:00 . 2004-08-04 09:00 6656 c:\windows\system32\kbdhela3.dll
    + 2004-08-04 09:00 . 2004-08-04 09:00 6144 c:\windows\system32\kbdhela2.dll
    + 2004-08-04 09:00 . 2004-08-04 09:00 5632 c:\windows\system32\kbdhe319.dll
    + 2004-08-04 09:00 . 2004-08-04 09:00 5632 c:\windows\system32\kbdhe220.dll
    + 2004-08-04 09:00 . 2004-08-04 09:00 5632 c:\windows\system32\kbdhe.dll
    + 2004-08-04 09:00 . 2004-08-04 09:00 6144 c:\windows\system32\kbdgkl.dll
    + 2004-08-04 09:00 . 2008-04-13 23:09 7168 c:\windows\system32\kbdfi1.dll
    + 2004-08-04 09:00 . 2004-08-04 09:00 6144 c:\windows\system32\kbdest.dll
    + 2004-08-04 09:00 . 2004-08-04 09:00 6656 c:\windows\system32\kbdcz2.dll
    + 2004-08-04 09:00 . 2004-08-04 09:00 6656 c:\windows\system32\kbdcz1.dll
    + 2004-08-04 09:00 . 2004-08-04 09:00 7168 c:\windows\system32\kbdcz.dll
    + 2004-08-04 09:00 . 2004-08-04 09:00 6656 c:\windows\system32\kbdcr.dll
    + 2004-08-04 09:00 . 2004-08-04 09:00 5632 c:\windows\system32\kbdblr.dll
    + 2004-08-04 09:00 . 2004-08-04 09:00 6656 c:\windows\system32\KBDAL.DLL
    + 2004-08-04 09:00 . 2008-04-13 23:11 8704 c:\windows\system32\fxsperf.dll
    + 2004-08-04 09:00 . 2008-04-13 23:12 6144 c:\windows\system32\csrss.exe
    + 2004-08-04 09:00 . 2008-04-13 23:12 5632 c:\windows\system32\cisvc.exe
    + 2004-08-04 09:00 . 2008-04-13 16:39 438784 c:\windows\system32\xpob2res.dll
    + 2004-08-04 09:00 . 2004-08-04 09:00 174200 c:\windows\system32\xenroll.dll
    + 2004-08-04 09:00 . 2008-04-13 23:12 303616 c:\windows\system32\wmstream.dll
    + 2004-08-04 09:00 . 2008-04-13 23:12 897024 c:\windows\system32\wmspdmoe.dll
    + 2004-08-04 09:00 . 2008-04-13 23:12 151552 c:\windows\system32\wmidx.dll
    + 2004-08-04 09:00 . 2008-04-13 23:12 259584 c:\windows\system32\tracerpt.exe
    + 2004-08-04 09:00 . 2004-08-04 09:00 306176 c:\windows\system32\slbcsp.dll
    + 2004-08-04 09:00 . 2008-04-13 23:12 152064 c:\windows\system32\shmedia.dll
    + 2004-08-04 09:00 . 2008-04-13 23:12 438272 c:\windows\system32\shimgvw.dll
    + 2004-08-04 09:00 . 2004-08-04 09:00 435712 c:\windows\system32\shellstyle.dll
    + 2004-08-04 09:00 . 2008-04-13 16:03 549376 c:\windows\system32\shdoclc.dll
    + 2004-08-04 09:00 . 2008-04-13 23:12 314880 c:\windows\system32\scesrv.dll
    + 2004-08-04 09:00 . 2008-04-13 23:12 181248 c:\windows\system32\scecli.dll
    + 2004-08-04 09:00 . 2008-04-13 23:12 171008 c:\windows\system32\sccsccp.dll
    + 2004-08-04 09:00 . 2004-08-04 09:00 169984 c:\windows\system32\sccbase.dll
    + 2004-08-04 09:00 . 2008-04-13 23:12 159232 c:\windows\system32\sbeio.dll
    + 2004-08-04 09:00 . 2008-04-13 23:12 270848 c:\windows\system32\sbe.dll
    + 2004-08-04 09:00 . 2008-04-13 23:12 107520 c:\windows\system32\rsnotify.exe
    + 2004-08-04 09:00 . 2008-04-13 16:37 208384 c:\windows\system32\rsaenh.dll
    + 2004-08-04 09:00 . 2008-04-13 23:12 433664 c:\windows\system32\riched20.dll
    + 2004-08-04 09:00 . 2008-04-13 23:12 397824 c:\windows\system32\regwizc.dll
    + 2004-08-04 09:00 . 2008-04-13 23:12 147968 c:\windows\system32\rdchost.dll
    + 2004-08-04 09:00 . 2008-04-13 16:21 733696 c:\windows\system32\qedwipes.dll
    + 2004-08-04 09:00 . 2004-08-04 09:00 167219 c:\windows\system32\pagefileconfig.vbs
    + 2004-08-04 09:00 . 2008-04-13 23:12 215552 c:\windows\system32\osk.exe
    + 2004-08-04 09:00 . 2008-04-13 23:12 107008 c:\windows\system32\oleprn.dll
    + 2004-08-04 09:00 . 2008-04-13 23:12 192000 c:\windows\system32\offfilt.dll
    + 2004-08-04 09:00 . 2008-04-13 23:12 147456 c:\windows\system32\odbctrac.dll
    + 2004-08-04 09:00 . 2008-04-13 23:12 278559 c:\windows\system32\odbcjt32.dll
    + 2004-08-04 09:00 . 2008-04-13 23:12 106496 c:\windows\system32\odbccp32.dll
    + 2004-08-04 09:00 . 2008-04-13 23:12 135168 c:\windows\system32\odbcconf.dll
    + 2004-08-04 09:00 . 2008-04-13 23:12 249856 c:\windows\system32\odbc32.dll
    + 2004-08-04 09:00 . 2008-04-13 23:12 435200 c:\windows\system32\ntmssvc.dll
    + 2004-08-04 09:00 . 2008-04-13 23:12 245760 c:\windows\system32\netui1.dll
    + 2004-08-04 09:00 . 2008-04-13 23:12 875008 c:\windows\system32\netplwiz.dll
    + 2004-08-04 09:00 . 2008-04-13 23:12 407040 c:\windows\system32\netlogon.dll
    + 2004-08-04 09:00 . 2008-04-13 23:12 139264 c:\windows\system32\netid.dll
    + 2004-08-04 09:00 . 2008-04-13 23:12 124928 c:\windows\system32\net1.exe
    + 2004-08-04 09:00 . 2008-04-13 23:12 701440 c:\windows\system32\msxml2.dll
    + 2004-08-04 09:00 . 2007-04-02 11:51 621344 c:\windows\system32\mswstr10.dll
    + 2004-08-04 09:00 . 2008-04-13 23:12 413696 c:\windows\system32\msvcp60.dll
    + 2004-08-04 09:00 . 2008-04-13 23:12 677888 c:\windows\system32\mstsc.exe
    + 2004-08-04 09:00 . 2008-04-13 23:12 116224 c:\windows\system32\mstlsapi.dll
    + 2004-08-04 09:00 . 2007-04-02 11:51 264992 c:\windows\system32\mstext40.dll
    + 2004-08-04 09:00 . 2008-04-13 23:12 274944 c:\windows\system32\mstask.dll
    + 2004-08-04 09:00 . 2008-04-13 23:12 356352 c:\windows\system32\msscp.dll
    + 2004-08-04 09:00 . 2007-04-02 11:50 322336 c:\windows\system32\msrd3x40.dll
    + 2004-08-04 09:00 . 2008-04-13 23:12 201728 c:\windows\system32\mspmsp.dll
    + 2004-08-04 09:00 . 2007-04-02 11:50 355104 c:\windows\system32\mspbde40.dll
    + 2004-08-04 09:00 . 2008-04-13 23:12 143360 c:\windows\system32\msorcl32.dll
    + 2004-08-04 09:00 . 2008-04-13 23:12 105984 c:\windows\system32\msoert2.dll
    + 2004-08-04 09:00 . 2008-04-13 23:12 252928 c:\windows\system32\msoeacct.dll
    + 2004-08-04 09:00 . 2008-04-13 23:12 290816 c:\windows\system32\msnsspc.dll
    + 2004-08-04 09:00 . 2008-04-13 23:12 259072 c:\windows\system32\msnetobj.dll
    + 2004-08-04 09:00 . 2007-04-02 11:49 219936 c:\windows\system32\msltus40.dll
    + 2004-08-04 09:00 . 2007-04-02 11:49 248608 c:\windows\system32\msjtes40.dll
    + 2004-08-04 09:00 . 2008-04-13 23:12 151583 c:\windows\system32\msjint40.dll
    + 2004-08-04 09:00 . 2007-04-02 11:49 355112 c:\windows\system32\msjetoledb40.dll
    + 2004-08-04 09:00 . 2008-04-13 23:12 159232 c:\windows\system32\msimtf.dll
    + 2004-08-04 09:00 . 2008-04-13 23:12 248832 c:\windows\system32\msieftp.dll
    + 2004-08-04 09:00 . 2008-04-13 23:12 188416 c:\windows\system32\msh261.drv
    + 2004-08-04 09:00 . 2007-04-02 11:47 518944 c:\windows\system32\msexch40.dll
    + 2004-08-04 09:00 . 2008-04-13 23:11 118784 c:\windows\system32\msdadiag.dll
    + 2004-08-04 09:00 . 2008-04-13 23:11 297984 c:\windows\system32\msctf.dll
    + 2004-08-04 09:00 . 2008-04-13 23:12 123392 c:\windows\system32\mplay32.exe
    + 2004-08-04 09:00 . 2008-04-13 23:11 240640 c:\windows\system32\mpg4dmod.dll
    + 2004-08-04 09:00 . 2008-04-13 23:11 384512 c:\windows\system32\mp4sdmod.dll
    + 2004-08-04 09:00 . 2008-04-13 23:11 191488 c:\windows\system32\iuengine.dll
    + 2004-08-04 09:00 . 2008-04-13 23:11 200192 c:\windows\system32\ir50_qc.dll
    + 2004-08-04 09:00 . 2008-04-13 23:11 755200 c:\windows\system32\ir50_32.dll
    + 2004-08-04 09:00 . 2008-04-13 23:11 338432 c:\windows\system32\ir41_qcx.dll
    + 2004-08-04 09:00 . 2008-04-13 23:11 120320 c:\windows\system32\ir41_qc.dll
    + 2004-08-04 09:00 . 2010-03-11 12:38 385024 c:\windows\system32\iedkcs32.dll
    + 2004-08-04 09:00 . 2010-02-23 05:18 161792 c:\windows\system32\ieakui.dll
    + 2004-08-04 09:00 . 2008-04-13 23:11 192512 c:\windows\system32\fxswzrd.dll
    + 2004-08-04 09:00 . 2008-04-13 23:11 154112 c:\windows\system32\fxsui.dll
    + 2004-08-04 09:00 . 2008-04-13 23:11 397312 c:\windows\system32\fxstiff.dll
    + 2004-08-04 09:00 . 2008-04-13 23:11 246272 c:\windows\system32\fxst30.dll
    + 2004-08-04 09:00 . 2008-04-13 23:12 267776 c:\windows\system32\fxssvc.exe
    + 2004-08-04 09:00 . 2008-04-13 23:11 562176 c:\windows\system32\fxsst.dll
    + 2004-08-04 09:00 . 2004-08-04 09:00 111104 c:\windows\system32\fxscfgwz.dll
    + 2004-08-04 09:00 . 2004-08-04 09:00 103424 c:\windows\system32\EqnClass.Dll
    + 2004-08-04 09:00 . 2008-04-13 23:12 695808 c:\windows\system32\drmv2clt.dll
    + 2004-08-04 09:00 . 2008-04-13 23:13 299520 c:\windows\system32\drmclien.dll
    + 2004-08-04 09:00 . 2004-08-04 09:00 176157 c:\windows\system32\dgrpsetu.dll
    + 2004-08-04 09:00 . 2008-04-13 23:11 792064 c:\windows\system32\comres.dll
    + 2004-08-04 09:00 . 2008-04-13 23:11 229376 c:\windows\system32\compstui.dll
    + 2004-08-04 09:00 . 2008-04-13 23:11 457728 c:\windows\system32\certmgr.dll
    + 2004-08-04 09:00 . 2008-04-13 23:11 226304 c:\windows\system32\catsrv.dll
    + 2004-08-04 09:00 . 2008-04-13 16:28 2940928 c:\windows\system32\wmploc.dll
    + 2004-08-04 09:00 . 2008-04-13 23:12 1614848 c:\windows\system32\sfcfiles.dll
    + 2004-08-04 09:00 . 2008-04-13 23:12 1287168 c:\windows\system32\ole32.dll
    + 2004-08-04 09:00 . 2007-10-22 08:30 1516568 c:\windows\system32\msjet40.dll
    + 2004-08-04 09:00 . 2008-04-13 23:12 1298432 c:\windows\system32\dxdiag.exe
    + 2004-08-04 09:00 . 2008-04-13 23:11 1267200 c:\windows\system32\comsvcs.dll
    .
    -- Snapshot reset to current date --
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "igfxtray "= "c:\windows\system32\igfxtray.exe" [2006-03-23 94208]
    "igfxhkcmd "= "c:\windows\system32\hkcmd.exe" [2006-03-23 77824]
    "igfxpers "= "c:\windows\system32\igfxpers.exe" [2006-03-23 118784]
    "SkyTel "= "SkyTel.EXE" [2006-05-16 2879488]
    "BluetoothAuthenticationAgent "= "bthprops.cpl" [2008-04-13 110592]
    "IMJPMIG8.1 "= "c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
    "MSPY2002 "= "c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]
    "PHIME2002ASync "= "c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
    "PHIME2002A "= "c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
    "RTHDCPL "= "RTHDCPL.EXE" [2006-06-28 16248320]
    "Acer ePower Management "= "c:\acer\Empowering Technology\ePower\Acer ePower Management.exe" [2006-05-22 3080704]
    "LManager "= "c:\progra~1\LAUNCH~1\LManager.exe" [N/A]
    "SunJavaUpdateSched "= "c:\program files\Common Files\Java\Java Update\jusched.exe" [N/A]
    "Adobe ARM "= "c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
    "AdobeCS4ServiceManager "= "c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [N/A]
    "iTunesHelper "= "c:\program files\iTunes\iTunesHelper.exe" [2010-07-16 141608]
    "Adobe Reader Speed Launcher "= "c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
    "GrooveMonitor "= "c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 31016]
    "Malwarebytes' Anti-Malware "= "c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2010-04-29 437584]
    "avgnt "= "c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-08-20 282792]

    c:\documents and settings\user\Start Menu\Programs\Startup\
    Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2006-1-17 618557]

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall "= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe "=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe "=
    "c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe "=
    "c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe "=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe "=
    "c:\\Program Files\\uTorrent\\uTorrent.exe "=
    "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE "=
    "c:\\Program Files\\Steam\\Steam.exe "=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe "=
    "c:\\Program Files\\iTunes\\iTunes.exe "=
    "c:\\Program Files\\Skype\\Phone\\Skype.exe "=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "5353:TCP "= 5353:TCP:Adobe CSI CS4
    "1032:TCP "= 1032:TCP:Akamai NetSession Interface
    "5000:UDP "= 5000:UDP:Akamai NetSession Interface

    R1 avfwot;avfwot;c:\windows\system32\drivers\avfwot.sys [8/19/2010 9:11 PM 102856]
    R3 avfwim;AvFw Packet Filter Miniport;c:\windows\system32\drivers\avfwim.sys [8/19/2010 9:11 PM 79432]
    S2 AntiVirFirewallService;Avira FireWall;c:\program files\Avira\AntiVir Desktop\avfwsvc.exe [8/19/2010 9:11 PM 536232]
    S2 AntiVirMailService;Avira AntiVir MailGuard;c:\program files\Avira\AntiVir Desktop\avmailc.exe [8/19/2010 9:11 PM 337064]
    S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [8/19/2010 9:11 PM 135336]
    S2 AntiVirWebService;Avira AntiVir WebGuard;c:\program files\Avira\AntiVir Desktop\avwebgrd.exe [8/19/2010 9:11 PM 405672]
    S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [8/19/2010 4:47 PM 304464]
    S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [8/19/2010 4:47 PM 20952]
    S3 Revoflt;Revoflt;c:\windows\system32\drivers\revoflt.sys [8/19/2010 5:49 PM 27064]
    S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [7/13/2010 2:20 AM 691696]

    --- Other Services/Drivers In Memory ---

    *NewlyCreated* - MDMXSDK

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    Akamai REG_MULTI_SZ Akamai
    .
    Contents of the 'Scheduled Tasks' folder

    2010-08-11 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://global.acer.com
    IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office12\EXCEL.EXE/3000
    LSP: c:\program files\Avira\AntiVir Desktop\avsda.dll
    FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\fsrc44yt.default\
    FF - component: c:\program files\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}\components\SkypeFfComponent.dll
    FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npatgpc.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

    ---- FIREFOX POLICIES ----
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
    .
    - - - - ORPHANS REMOVED - - - -

    AddRemove-Akamai - c:\program files\Common Files\Akamai\uninstall.exe



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-08-21 01:17
    Windows 5.1.2600 Service Pack 3 FAT NTAPI

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(1208)
    c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll
    .
    Completion time: 2010-08-21 01:18:56
    ComboFix-quarantined-files.txt 2010-08-21 05:18
    ComboFix2.txt 2010-08-21 04:41

    Pre-Run: 104,946,434,048 bytes free
    Post-Run: 104,915,304,448 bytes free

    - - End Of File - - 5B1624B9C8ACA97836E1EED139B70487
     
  17. 2010/08/21
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    We still have things to do....

    1. Please open Notepad
    • Click Start, then Run
    • Type notepad.exe in the Run box.

    2. Now copy/paste the entire content of the codebox below into the Notepad window:

    Code:
    RenV::
    c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM .exe
    c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager .exe
    c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier .exe
    c:\program files\Common Files\Java\Java Update\jusched .exe
    c:\program files\Realtek\InstallShield\AzMixerSel .exe
    c:\program files\Synaptics\SynTP\SynTPEnh .exe
    c:\program files\CyberLink\PowerDVD\PDVDServ .exe
    c:\program files\NewTech Infosystems\NTI CD & DVD-Maker 7\ntiMUI .exe
    c:\program files\Launch Manager\LManager .exe
    c:\program files\QuickTime\qttask                                                                    .exe
    c:\program files\iTunes\iTunesHelper .exe
    c:\program files\DivX\DivX Update\DivXUpdate .exe
    c:\windows\system32\rundll32 .exe
    c:\windows\ime\imjp8_1\IMJPMIG .exe
    
    Registry::
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
     "EnableFirewall "=dword:00000001
    
    

    3. Save the above as CFScript.txt

    4. Close/disable all anti virus and anti malware programs again, so they do not interfere with the running of ComboFix.

    5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

    (animation: dragging CFScript.txt onto ComboFix.exe)


    6. After reboot (in case it asks to reboot), please post the following reports/logs into your next reply:
    • Combofix.txt
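The two things the CFScript above asks ComboFix to do are mechanical: rename a list of executables whose file names have whitespace stuffed in before the `.exe` extension (the RenV:: section), and set EnableFirewall back to 1 for the Windows Firewall standard profile (the Registry:: section; the earlier ComboFix log shows it at 0). The script below does the same two jobs with plain PowerShell, as an added example that is not part of the thread, not broni's script and not ComboFix's code. Everything in it is mine: the function names (Get-CleanExeName, Restore-PaddedExeName, Enable-StandardProfileFirewall), the reading of ComboFix's `HKLM\~\services\...` abbreviation as `HKLM\SYSTEM\CurrentControlSet\Services\...`, and the assumption that it runs from an elevated PowerShell 2.0 or later (XP does not ship PowerShell; it comes with the Windows Management Framework). The path list is copied verbatim from the RenV:: block.

```powershell
# Added example, not from the thread, from broni, or from ComboFix.
# Reproduces the two actions in the CFScript:
#   RenV::      restore executables whose names were padded with whitespace
#               before ".exe" (the paths broni listed)
#   Registry::  set EnableFirewall back to 1 for the standard profile
# Assumptions: elevated PowerShell 2.0+ (XP needs the Windows Management
# Framework installed); the paths below are exactly the ones from the post.

# Copied from the RenV:: section of broni's post.
$PaddedPaths = @(
    'c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM .exe',
    'c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager .exe',
    'c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier .exe',
    'c:\program files\Common Files\Java\Java Update\jusched .exe',
    'c:\program files\Realtek\InstallShield\AzMixerSel .exe',
    'c:\program files\Synaptics\SynTP\SynTPEnh .exe',
    'c:\program files\CyberLink\PowerDVD\PDVDServ .exe',
    'c:\program files\NewTech Infosystems\NTI CD & DVD-Maker 7\ntiMUI .exe',
    'c:\program files\Launch Manager\LManager .exe',
    'c:\program files\QuickTime\qttask                                                                    .exe',
    'c:\program files\iTunes\iTunesHelper .exe',
    'c:\program files\DivX\DivX Update\DivXUpdate .exe',
    'c:\windows\system32\rundll32 .exe',
    'c:\windows\ime\imjp8_1\IMJPMIG .exe'
)

function Get-CleanExeName {
    # Drop the run of whitespace that sits directly before the extension:
    # "qttask      .exe" -> "qttask.exe". Unpadded names come back unchanged.
    # Single-quoted replacement so PowerShell does not expand $1 itself.
    param([string]$Leaf)
    return ($Leaf -replace '\s+(\.[^.\s\\]+)$', '$1')
}

function Restore-PaddedExeName {
    param([string[]]$Paths, [switch]$WhatIf)
    $results = @()
    foreach ($path in $Paths) {
        $dir    = Split-Path -Path $path -Parent
        $leaf   = Split-Path -Path $path -Leaf
        $clean  = Get-CleanExeName -Leaf $leaf
        $target = Join-Path -Path $dir -ChildPath $clean
        if ($clean -eq $leaf) {
            $status = 'not padded'
        } elseif (-not (Test-Path -LiteralPath $path)) {
            # -LiteralPath so the spaces in the name are taken as-is, not as a wildcard/glob.
            $status = 'padded file not found'
        } elseif (Test-Path -LiteralPath $target) {
            # Something already owns the clean name. Do not overwrite it: that
            # file is the one to hash and signature-check before deciding anything.
            $status = 'clean name already taken, left both in place'
        } else {
            Rename-Item -LiteralPath $path -NewName $clean -WhatIf:$WhatIf
            $status = if ($WhatIf) { 'would rename' } else { 'renamed' }
        }
        $results += New-Object PSObject -Property @{ Path = $path; Target = $target; Status = $status }
    }
    return $results
}

function Enable-StandardProfileFirewall {
    # ComboFix prints this key as [HKLM\~\services\sharedaccess\...]; I read "~"
    # as SYSTEM\CurrentControlSet. The first log showed "EnableFirewall"= 0 here.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile'
    $before = (Get-ItemProperty -Path $key -Name EnableFirewall -ErrorAction SilentlyContinue).EnableFirewall
    Set-ItemProperty -Path $key -Name EnableFirewall -Value 1 -Type DWord
    # SharedAccess is the XP Windows Firewall/ICS service; restart it so the new value is applied.
    Restart-Service -Name SharedAccess -ErrorAction SilentlyContinue
    $after = (Get-ItemProperty -Path $key -Name EnableFirewall).EnableFirewall
    return New-Object PSObject -Property @{ Before = $before; After = $after }
}

# Dry run first; uncomment the real run once the report looks right.
Restore-PaddedExeName -Paths $PaddedPaths -WhatIf | Format-Table Status, Path -AutoSize
# Restore-PaddedExeName -Paths $PaddedPaths | Format-Table Status, Path -AutoSize
# Enable-StandardProfileFirewall
```

Two things worth checking in the report before the real run. First, in both ComboFix logs the Run entries for LManager, jusched and CS4ServiceManager show `[N/A]` where every other entry shows a date and size, and those same three executables appear in the RenV:: list; my reading is that the file under the clean name is simply absent there, and the rename will restore it. Second, AdobeARM.exe and iTunesHelper.exe are also in the RenV:: list yet their Run entries do carry a date and size, so a file already sits at the clean name: that is the `clean name already taken` case, which the script deliberately refuses to clobber, because whichever file occupies the clean name is the one to hash, signature-check and submit for analysis rather than overwrite or delete on a guess. Unlike ComboFix, nothing here is quarantined, so keep a copy of anything you rename or remove.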
     
  18. 2010/08/21
    KStox

    KStox Inactive Thread Starter

    Joined:
    2010/08/19
    Messages:
    15
    Likes Received:
    0
    ComboFix 10-08-21.01 - Administrator 08/21/2010 20:52:37.6.2 - FAT32x86 NETWORK
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1662 [GMT -4:00]
    Running from: c:\documents and settings\user\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\user\Desktop\CFScript.txt
    AV: AntiVir Desktop *On-access scanning enabled* (Updated) {11638345-E4FC-4BEE-BB73-EC754659C5F6}
    FW: Avira FireWall *enabled* {11638345-E4FC-4BEE-BB73-EC754659C5F6}
    .

    ((((((((((((((((((((((((( Files Created from 2010-07-22 to 2010-08-22 )))))))))))))))))))))))))))))))
    .

    2010-08-21 16:18 . 2010-08-21 16:18 -------- d-----w- c:\windows\LastGood
    2010-08-21 03:51 . 2010-08-21 03:51 -------- d-----w- c:\documents and settings\Administrator\Application Data\Avira
    2010-08-21 03:36 . 2010-08-21 03:36 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Adobe
    2010-08-21 03:32 . 2010-08-21 03:32 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
    2010-08-20 16:47 . 2008-04-13 17:44 153344 ----a-w- c:\windows\system32\drivers\dmio.sys
    2010-08-20 16:47 . 2008-04-13 17:44 153344 ----a-w- c:\windows\system32\dllcache\dmio.sys
    2010-08-20 16:47 . 2008-04-13 17:36 10240 ----a-w- c:\windows\system32\drivers\compbatt.sys
    2010-08-20 16:47 . 2008-04-13 17:36 10240 ----a-w- c:\windows\system32\dllcache\compbatt.sys
    2010-08-20 01:11 . 2010-08-20 01:04 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
    2010-08-20 01:11 . 2010-08-20 01:04 124784 ----a-w- c:\windows\system32\drivers\avipbb.sys
    2010-08-20 01:11 . 2010-08-20 01:04 60936 ----a-w- c:\windows\system32\drivers\avgntflt.sys
    2010-08-20 01:11 . 2010-08-20 01:04 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
    2010-08-20 01:11 . 2010-08-20 01:04 79432 ----a-w- c:\windows\system32\drivers\avfwim.sys
    2010-08-20 01:11 . 2010-08-20 01:04 102856 ----a-w- c:\windows\system32\drivers\avfwot.sys
    2010-08-20 01:11 . 2010-08-20 01:11 -------- d-----w- c:\program files\Avira
    2010-08-20 01:11 . 2010-08-20 01:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
    2010-08-19 21:49 . 2010-08-19 21:49 -------- d-----w- c:\documents and settings\user\Local Settings\Application Data\VS Revo Group
    2010-08-19 21:49 . 2009-12-30 16:20 27064 ----a-w- c:\windows\system32\drivers\revoflt.sys
    2010-08-19 21:49 . 2010-08-19 21:49 -------- d-----w- c:\program files\VS Revo Group
    2010-08-19 20:48 . 2010-08-19 20:48 -------- d-----w- c:\documents and settings\user\Application Data\Malwarebytes
    2010-08-19 20:47 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-08-19 20:47 . 2010-08-19 20:47 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2010-08-19 20:47 . 2010-08-19 20:47 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-08-19 20:47 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-08-19 18:50 . 2010-08-19 18:50 -------- d-----w- c:\documents and settings\user\Application Data\Avira
    2010-08-19 17:15 . 2010-08-19 17:15 -------- d-----w- c:\windows\Security Update for Windows XP (KB958644)
    2010-08-18 02:10 . 2010-08-18 02:10 -------- d-----w- c:\windows\system32\NtmsData
    2010-08-18 01:59 . 2010-08-18 01:59 -------- d-----w- c:\documents and settings\user\Application Data\FreeFileViewer
    2010-08-18 01:49 . 2006-10-26 23:56 33104 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\msonpppr.dll
    2010-08-18 01:49 . 2006-10-26 23:56 32592 ----a-w- c:\windows\system32\msonpmon.dll
    2010-08-18 01:47 . 2010-08-18 01:47 -------- d-----w- c:\program files\Microsoft Works
    2010-08-18 01:45 . 2010-08-18 01:45 -------- d-----w- c:\program files\Microsoft.NET
    2010-08-18 01:43 . 2010-08-18 01:43 -------- d-----w- c:\program files\Microsoft Visual Studio 8
    2010-08-18 01:42 . 2010-08-18 01:42 -------- d-----w- c:\windows\SHELLNEW
    2010-08-18 01:41 . 2010-08-18 01:41 -------- d-----r- C:\MSOCache
    2010-08-18 01:37 . 2010-08-18 01:37 -------- d-----w- C:\Microsoft Office 2007
    2010-08-15 23:48 . 2010-08-15 23:44 53632 ----a-w- c:\documents and settings\user\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
    2010-08-03 15:16 . 2010-08-03 15:16 -------- d-----w- c:\documents and settings\user\Application Data\ElevatedDiagnostics
    2010-08-02 04:29 . 2010-08-02 04:29 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
    2010-08-01 17:49 . 2010-08-01 17:49 -------- d-----w- C:\dragon oath
    2010-08-01 16:11 . 2010-08-01 16:12 -------- d-----w- c:\program files\Common Files\Skype
    2010-07-28 17:49 . 2010-07-28 17:49 72488 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\Safari 5.33.17.8\SetupAdmin.exe

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-08-22 00:47 . 2006-08-22 10:12 12 ----a-w- c:\windows\bthservsdp.dat
    2010-08-19 18:04 . 2009-12-31 16:12 94528 ----a-w- c:\documents and settings\user\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2010-08-16 00:07 . 2010-01-04 23:24 1 ----a-w- c:\documents and settings\user\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
    2010-07-21 17:33 . 2010-07-21 17:33 -------- d-----w- c:\program files\iPod
    2010-07-21 17:27 . 2010-07-21 17:27 73000 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.2.1.4\SetupAdmin.exe
    2010-07-21 16:42 . 2010-07-21 16:42 921440 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgemc.exe
    2010-07-21 16:42 . 2010-07-21 16:42 1615200 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgssie.dll
    2010-07-21 16:42 . 2010-07-21 16:42 1107296 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgxpl.dll
    2010-07-21 16:42 . 2010-07-21 16:42 4368224 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgcorex.dll
    2010-07-21 03:03 . 2010-07-21 03:03 -------- d-----w- c:\program files\RealTimeImage
    2010-07-13 19:55 . 2010-07-13 19:55 -------- d-----w- c:\program files\Carnivores 2
    2010-07-13 07:47 . 2010-07-13 07:47 -------- d-----w- c:\program files\Carnivores
    2010-07-13 06:20 . 2010-07-13 06:20 691696 ----a-w- c:\windows\system32\drivers\sptd.sys
    2010-07-13 06:20 . 2010-07-13 06:20 -------- d-----w- c:\program files\DAEMON Tools Lite
    2010-07-13 06:19 . 2010-07-13 06:19 -------- d-----w- c:\documents and settings\user\Application Data\DAEMON Tools Lite
    2010-07-13 06:19 . 2010-07-13 06:19 -------- d-----w- c:\documents and settings\All Users\Application Data\DAEMON Tools Lite
    2010-07-13 04:09 . 2010-07-13 04:09 52963 ----a-w- c:\documents and settings\All Users\Application Data\DivX\MSVC80CRTRedist\Uninstaller.exe
    2010-07-13 04:09 . 2010-07-13 04:09 54073 ----a-w- c:\documents and settings\All Users\Application Data\DivX\Qt4.5\Uninstaller.exe
    2010-07-13 04:09 . 2010-07-13 04:09 56969 ----a-w- c:\documents and settings\All Users\Application Data\DivX\ASPEncoder\Uninstaller.exe
    2010-07-13 04:08 . 2010-07-13 04:10 1062184 ----a-w- c:\documents and settings\All Users\Application Data\DivX\Setup\Resource.dll
    2010-07-13 04:08 . 2010-07-13 04:10 895256 ----a-w- c:\documents and settings\All Users\Application Data\DivX\Setup\DivXSetup.exe
    2010-07-02 14:51 . 2010-07-02 14:51 -------- d-----w- c:\program files\MSBuild
    2010-07-02 14:51 . 2010-07-02 14:51 -------- d-----w- c:\program files\Reference Assemblies
    2010-07-01 02:27 . 2010-07-01 02:27 -------- d-----w- c:\program files\PagePerfect 2
    2010-07-01 02:27 . 2010-07-01 02:27 -------- d-----w- c:\program files\PagePerfect 2 Upload Application
    2010-06-30 12:31 . 2004-08-04 09:00 149504 ----a-w- c:\windows\system32\schannel.dll
    2010-06-30 04:13 . 2010-07-14 13:11 52224 ----a-w- c:\documents and settings\user\Application Data\Mozilla\Firefox\Profiles\2uihdpfd.default\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}\components\FFExternalAlert.dll
    2010-06-30 04:13 . 2010-07-14 13:11 101376 ----a-w- c:\documents and settings\user\Application Data\Mozilla\Firefox\Profiles\2uihdpfd.default\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}\components\RadioWMPCore.dll
    2010-06-25 18:37 . 2010-06-25 18:37 -------- d-----w- c:\documents and settings\All Users\Application Data\FLEXnet
    2010-06-25 17:59 . 2010-06-25 17:59 -------- d-----w- c:\program files\Common Files\Macrovision Shared
    2010-06-23 16:28 . 2010-06-23 16:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Adobe Systems
    2010-06-23 13:44 . 2004-08-04 09:00 1851904 ----a-w- c:\windows\system32\win32k.sys
    2010-06-21 15:27 . 2004-08-04 09:00 354304 ----a-w- c:\windows\system32\drivers\srv.sys
    2010-06-17 14:03 . 2004-08-04 09:00 80384 ----a-w- c:\windows\system32\iccvid.dll
    2010-06-14 14:31 . 2004-08-04 09:00 744448 ----a-w- c:\windows\pchealth\helpctr\binaries\HelpSvc.exe
    2010-06-14 07:41 . 2004-08-04 09:00 1172480 ----a-w- c:\windows\system32\msxml3.dll
    2010-06-09 23:01 . 2010-07-13 04:10 9200 ------w- c:\windows\system32\drivers\cdralw2k.sys
    2010-06-09 23:01 . 2010-07-13 04:10 9072 ------w- c:\windows\system32\drivers\cdr4_xp.sys
    2010-06-09 23:01 . 2010-07-13 04:10 45648 ------w- c:\windows\system32\drivers\PxHelp20.sys
    2010-06-09 23:01 . 2010-07-13 04:10 133616 ------w- c:\windows\system32\pxafs.dll
    2010-06-09 23:01 . 2010-07-13 04:10 126448 ------w- c:\windows\system32\pxinsi64.exe
    2010-06-09 23:01 . 2010-07-13 04:10 123888 ------w- c:\windows\system32\pxcpyi64.exe
    2010-06-09 19:58 . 2010-06-25 17:12 14336 ----a-w- c:\documents and settings\user\Application Data\Mozilla\Firefox\Profiles\2uihdpfd.default\extensions\radiobar@toolbar\components\toolbarhomewmp.dll
    2010-06-09 17:08 . 2010-06-09 17:08 71992 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\Safari 5.33.16.0\SetupAdmin.exe
    2010-06-28 23:22 . 2010-06-28 23:22 101760 ----a-w- c:\program files\mozilla firefox\plugins\ieatgpc.dll
    .
    Code:
    <pre>
    c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM .exe
    c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager .exe
    c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier .exe
    c:\program files\Common Files\Java\Java Update\jusched .exe
    c:\program files\Realtek\InstallShield\AzMixerSel .exe
    c:\program files\Synaptics\SynTP\SynTPEnh .exe
    c:\program files\CyberLink\PowerDVD\PDVDServ .exe
    c:\program files\NewTech Infosystems\NTI CD & DVD-Maker 7\ntiMUI .exe
    c:\program files\Launch Manager\LManager .exe
    c:\program files\QuickTime\qttask                                                                    .exe
    c:\program files\iTunes\iTunesHelper .exe
    c:\program files\DivX\DivX Update\DivXUpdate .exe
    c:\windows\system32\rundll32 .exe
    c:\windows\ime\imjp8_1\IMJPMIG .exe
    </pre>
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "igfxtray "= "c:\windows\system32\igfxtray.exe" [2006-03-23 94208]
    "igfxhkcmd "= "c:\windows\system32\hkcmd.exe" [2006-03-23 77824]
    "igfxpers "= "c:\windows\system32\igfxpers.exe" [2006-03-23 118784]
    "SkyTel "= "SkyTel.EXE" [2006-05-16 2879488]
    "BluetoothAuthenticationAgent "= "bthprops.cpl" [2008-04-13 110592]
    "IMJPMIG8.1 "= "c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
    "MSPY2002 "= "c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]
    "PHIME2002ASync "= "c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
    "PHIME2002A "= "c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
    "RTHDCPL "= "RTHDCPL.EXE" [2006-06-28 16248320]
    "Acer ePower Management "= "c:\acer\Empowering Technology\ePower\Acer ePower Management.exe" [2006-05-22 3080704]
    "LManager "= "c:\progra~1\LAUNCH~1\LManager.exe" [N/A]
    "SunJavaUpdateSched "= "c:\program files\Common Files\Java\Java Update\jusched.exe" [N/A]
    "Adobe ARM "= "c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
    "AdobeCS4ServiceManager "= "c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [N/A]
    "iTunesHelper "= "c:\program files\iTunes\iTunesHelper.exe" [2010-07-16 141608]
    "Adobe Reader Speed Launcher "= "c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
    "GrooveMonitor "= "c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 31016]
    "Malwarebytes' Anti-Malware "= "c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2010-04-29 437584]
    "avgnt "= "c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-08-20 282792]

    c:\documents and settings\user\Start Menu\Programs\Startup\
    Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2006-1-17 618557]

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe "=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe "=
    "c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe "=
    "c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe "=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe "=
    "c:\\Program Files\\uTorrent\\uTorrent.exe "=
    "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE "=
    "c:\\Program Files\\Steam\\Steam.exe "=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe "=
    "c:\\Program Files\\iTunes\\iTunes.exe "=
    "c:\\Program Files\\Skype\\Phone\\Skype.exe "=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "5353:TCP "= 5353:TCP:Adobe CSI CS4
    "1032:TCP "= 1032:TCP:Akamai NetSession Interface
    "5000:UDP "= 5000:UDP:Akamai NetSession Interface

    R1 avfwot;avfwot;c:\windows\system32\drivers\avfwot.sys [8/19/2010 9:11 PM 102856]
    R3 avfwim;AvFw Packet Filter Miniport;c:\windows\system32\drivers\avfwim.sys [8/19/2010 9:11 PM 79432]
    S2 AntiVirFirewallService;Avira FireWall;c:\program files\Avira\AntiVir Desktop\avfwsvc.exe [8/19/2010 9:11 PM 536232]
    S2 AntiVirMailService;Avira AntiVir MailGuard;c:\program files\Avira\AntiVir Desktop\avmailc.exe [8/19/2010 9:11 PM 337064]
    S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [8/19/2010 9:11 PM 135336]
    S2 AntiVirWebService;Avira AntiVir WebGuard;c:\program files\Avira\AntiVir Desktop\avwebgrd.exe [8/19/2010 9:11 PM 405672]
    S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [8/19/2010 4:47 PM 304464]
    S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [8/19/2010 4:47 PM 20952]
    S3 Revoflt;Revoflt;c:\windows\system32\drivers\revoflt.sys [8/19/2010 5:49 PM 27064]
    S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [7/13/2010 2:20 AM 691696]

    --- Other Services/Drivers In Memory ---

    *NewlyCreated* - MDMXSDK

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    Akamai REG_MULTI_SZ Akamai
    .
    Contents of the 'Scheduled Tasks' folder

    2010-08-11 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://global.acer.com
    IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office12\EXCEL.EXE/3000
    LSP: c:\program files\Avira\AntiVir Desktop\avsda.dll
    FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\fsrc44yt.default\
    FF - component: c:\program files\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}\components\SkypeFfComponent.dll
    FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npatgpc.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

    ---- FIREFOX POLICIES ----
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-08-21 20:56
    Windows 5.1.2600 Service Pack 3 FAT NTAPI

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(1208)
    c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll

    - - - - - - - > 'explorer.exe'(304)
    c:\windows\system32\WININET.dll
    .
    Completion time: 2010-08-21 20:58:19
    ComboFix-quarantined-files.txt 2010-08-22 00:58
    ComboFix2.txt 2010-08-21 05:18
    ComboFix3.txt 2010-08-21 04:41

    Pre-Run: 104,831,516,672 bytes free
    Post-Run: 104,817,098,752 bytes free

    - - End Of File - - C2E9617B15E9454004832FB1C58CC6CF
     
  19. 2010/08/21
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    1. Please open Notepad
    • Click Start, then Run
    • Type notepad.exe in the Run box.

    2. Now copy/paste the entire content of the codebox below into the Notepad window:

    Code:
    File::
    c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM .exe
    c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager .exe
    c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier .exe
    c:\program files\Common Files\Java\Java Update\jusched .exe
    c:\program files\Realtek\InstallShield\AzMixerSel .exe
    c:\program files\Synaptics\SynTP\SynTPEnh .exe
    c:\program files\CyberLink\PowerDVD\PDVDServ .exe
    c:\program files\NewTech Infosystems\NTI CD & DVD-Maker 7\ntiMUI .exe
    c:\program files\Launch Manager\LManager .exe
    c:\program files\QuickTime\qttask                                                                    .exe
    c:\program files\iTunes\iTunesHelper .exe
    c:\program files\DivX\DivX Update\DivXUpdate .exe
    c:\windows\system32\rundll32 .exe
    c:\windows\ime\imjp8_1\IMJPMIG .exe
    
    
    

    3. Save the above as CFScript.txt

    4. Close/disable all antivirus and anti-malware programs again, so they do not interfere with the running of ComboFix.

    5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.



    6. After reboot (in case it asks to reboot), please post the following reports/logs in your next reply:
    • Combofix.txt
     
  20. 2010/08/21
    KStox

    KStox Inactive Thread Starter

    Joined:
    2010/08/19
    Messages:
    15
    Likes Received:
    0
    ComboFix 10-08-21.04 - Administrator 08/21/2010 21:31:21.7.2 - FAT32x86 NETWORK
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1362 [GMT -4:00]
    Running from: c:\documents and settings\user\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\user\Desktop\CFScript.txt
    AV: AntiVir Desktop *On-access scanning enabled* (Updated) {11638345-E4FC-4BEE-BB73-EC754659C5F6}
    FW: Avira FireWall *enabled* {11638345-E4FC-4BEE-BB73-EC754659C5F6}

    FILE ::
    "c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM .exe "
    "c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager .exe "
    "c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier .exe "
    "c:\program files\Common Files\Java\Java Update\jusched .exe "
    "c:\program files\CyberLink\PowerDVD\PDVDServ .exe "
    "c:\program files\DivX\DivX Update\DivXUpdate .exe "
    "c:\program files\iTunes\iTunesHelper .exe "
    "c:\program files\Launch Manager\LManager .exe "
    "c:\program files\NewTech Infosystems\NTI CD & DVD-Maker 7\ntiMUI .exe "
    "c:\program files\QuickTime\qttask .exe "
    "c:\program files\Realtek\InstallShield\AzMixerSel .exe "
    "c:\program files\Synaptics\SynTP\SynTPEnh .exe "
    "c:\windows\ime\imjp8_1\IMJPMIG .exe "
    "c:\windows\system32\rundll32 .exe "
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM .exe
    c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager .exe
    c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier .exe
    c:\program files\Common Files\Java\Java Update\jusched .exe
    c:\program files\CyberLink\PowerDVD\PDVDServ .exe
    c:\program files\DivX\DivX Update\DivXUpdate .exe
    c:\program files\iTunes\iTunesHelper .exe
    c:\program files\Launch Manager\LManager .exe
    c:\program files\NewTech Infosystems\NTI CD & DVD-Maker 7\ntiMUI .exe
    c:\program files\QuickTime\qttask .exe
    c:\program files\Realtek\InstallShield\AzMixerSel .exe
    c:\program files\Synaptics\SynTP\SynTPEnh .exe
    c:\windows\ime\imjp8_1\IMJPMIG .exe
    c:\windows\system32\rundll32 .exe

    .
    ((((((((((((((((((((((((( Files Created from 2010-07-22 to 2010-08-22 )))))))))))))))))))))))))))))))
    .

    2010-08-21 16:18 . 2010-08-21 16:18 -------- d-----w- c:\windows\LastGood
    2010-08-21 03:51 . 2010-08-21 03:51 -------- d-----w- c:\documents and settings\Administrator\Application Data\Avira
    2010-08-21 03:36 . 2010-08-21 03:36 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Adobe
    2010-08-21 03:32 . 2010-08-21 03:32 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
    2010-08-20 16:47 . 2008-04-13 17:44 153344 ----a-w- c:\windows\system32\drivers\dmio.sys
    2010-08-20 16:47 . 2008-04-13 17:44 153344 ----a-w- c:\windows\system32\dllcache\dmio.sys
    2010-08-20 16:47 . 2008-04-13 17:36 10240 ----a-w- c:\windows\system32\drivers\compbatt.sys
    2010-08-20 16:47 . 2008-04-13 17:36 10240 ----a-w- c:\windows\system32\dllcache\compbatt.sys
    2010-08-20 01:11 . 2010-08-20 01:04 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
    2010-08-20 01:11 . 2010-08-20 01:04 124784 ----a-w- c:\windows\system32\drivers\avipbb.sys
    2010-08-20 01:11 . 2010-08-20 01:04 60936 ----a-w- c:\windows\system32\drivers\avgntflt.sys
    2010-08-20 01:11 . 2010-08-20 01:04 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
    2010-08-20 01:11 . 2010-08-20 01:04 79432 ----a-w- c:\windows\system32\drivers\avfwim.sys
    2010-08-20 01:11 . 2010-08-20 01:04 102856 ----a-w- c:\windows\system32\drivers\avfwot.sys
    2010-08-20 01:11 . 2010-08-20 01:11 -------- d-----w- c:\program files\Avira
    2010-08-20 01:11 . 2010-08-20 01:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
    2010-08-19 21:49 . 2010-08-19 21:49 -------- d-----w- c:\documents and settings\user\Local Settings\Application Data\VS Revo Group
    2010-08-19 21:49 . 2009-12-30 16:20 27064 ----a-w- c:\windows\system32\drivers\revoflt.sys
    2010-08-19 21:49 . 2010-08-19 21:49 -------- d-----w- c:\program files\VS Revo Group
    2010-08-19 20:48 . 2010-08-19 20:48 -------- d-----w- c:\documents and settings\user\Application Data\Malwarebytes
    2010-08-19 20:47 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-08-19 20:47 . 2010-08-19 20:47 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2010-08-19 20:47 . 2010-08-19 20:47 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-08-19 20:47 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-08-19 18:50 . 2010-08-19 18:50 -------- d-----w- c:\documents and settings\user\Application Data\Avira
    2010-08-19 17:15 . 2010-08-19 17:15 -------- d-----w- c:\windows\Security Update for Windows XP (KB958644)
    2010-08-18 02:10 . 2010-08-18 02:10 -------- d-----w- c:\windows\system32\NtmsData
    2010-08-18 01:59 . 2010-08-18 01:59 -------- d-----w- c:\documents and settings\user\Application Data\FreeFileViewer
    2010-08-18 01:49 . 2006-10-26 23:56 33104 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\msonpppr.dll
    2010-08-18 01:49 . 2006-10-26 23:56 32592 ----a-w- c:\windows\system32\msonpmon.dll
    2010-08-18 01:47 . 2010-08-18 01:47 -------- d-----w- c:\program files\Microsoft Works
    2010-08-18 01:45 . 2010-08-18 01:45 -------- d-----w- c:\program files\Microsoft.NET
    2010-08-18 01:43 . 2010-08-18 01:43 -------- d-----w- c:\program files\Microsoft Visual Studio 8
    2010-08-18 01:42 . 2010-08-18 01:42 -------- d-----w- c:\windows\SHELLNEW
    2010-08-18 01:41 . 2010-08-18 01:41 -------- d-----r- C:\MSOCache
    2010-08-18 01:37 . 2010-08-18 01:37 -------- d-----w- C:\Microsoft Office 2007
    2010-08-15 23:48 . 2010-08-15 23:44 53632 ----a-w- c:\documents and settings\user\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
    2010-08-03 15:16 . 2010-08-03 15:16 -------- d-----w- c:\documents and settings\user\Application Data\ElevatedDiagnostics
    2010-08-02 04:29 . 2010-08-02 04:29 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
    2010-08-01 17:49 . 2010-08-01 17:49 -------- d-----w- C:\dragon oath
    2010-08-01 16:11 . 2010-08-01 16:12 -------- d-----w- c:\program files\Common Files\Skype
    2010-07-28 17:49 . 2010-07-28 17:49 72488 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\Safari 5.33.17.8\SetupAdmin.exe

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-08-22 00:47 . 2006-08-22 10:12 12 ----a-w- c:\windows\bthservsdp.dat
    2010-08-19 18:04 . 2009-12-31 16:12 94528 ----a-w- c:\documents and settings\user\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2010-08-16 00:07 . 2010-01-04 23:24 1 ----a-w- c:\documents and settings\user\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
    2010-07-21 17:33 . 2010-07-21 17:33 -------- d-----w- c:\program files\iPod
    2010-07-21 17:27 . 2010-07-21 17:27 73000 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.2.1.4\SetupAdmin.exe
    2010-07-21 16:42 . 2010-07-21 16:42 921440 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgemc.exe
    2010-07-21 16:42 . 2010-07-21 16:42 1615200 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgssie.dll
    2010-07-21 16:42 . 2010-07-21 16:42 1107296 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgxpl.dll
    2010-07-21 16:42 . 2010-07-21 16:42 4368224 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgcorex.dll
    2010-07-21 03:03 . 2010-07-21 03:03 -------- d-----w- c:\program files\RealTimeImage
    2010-07-13 19:55 . 2010-07-13 19:55 -------- d-----w- c:\program files\Carnivores 2
    2010-07-13 07:47 . 2010-07-13 07:47 -------- d-----w- c:\program files\Carnivores
    2010-07-13 06:20 . 2010-07-13 06:20 691696 ----a-w- c:\windows\system32\drivers\sptd.sys
    2010-07-13 06:20 . 2010-07-13 06:20 -------- d-----w- c:\program files\DAEMON Tools Lite
    2010-07-13 06:19 . 2010-07-13 06:19 -------- d-----w- c:\documents and settings\user\Application Data\DAEMON Tools Lite
    2010-07-13 06:19 . 2010-07-13 06:19 -------- d-----w- c:\documents and settings\All Users\Application Data\DAEMON Tools Lite
    2010-07-13 04:09 . 2010-07-13 04:09 52963 ----a-w- c:\documents and settings\All Users\Application Data\DivX\MSVC80CRTRedist\Uninstaller.exe
    2010-07-13 04:09 . 2010-07-13 04:09 54073 ----a-w- c:\documents and settings\All Users\Application Data\DivX\Qt4.5\Uninstaller.exe
    2010-07-13 04:09 . 2010-07-13 04:09 56969 ----a-w- c:\documents and settings\All Users\Application Data\DivX\ASPEncoder\Uninstaller.exe
    2010-07-13 04:08 . 2010-07-13 04:10 1062184 ----a-w- c:\documents and settings\All Users\Application Data\DivX\Setup\Resource.dll
    2010-07-13 04:08 . 2010-07-13 04:10 895256 ----a-w- c:\documents and settings\All Users\Application Data\DivX\Setup\DivXSetup.exe
    2010-07-02 14:51 . 2010-07-02 14:51 -------- d-----w- c:\program files\MSBuild
    2010-07-02 14:51 . 2010-07-02 14:51 -------- d-----w- c:\program files\Reference Assemblies
    2010-07-01 02:27 . 2010-07-01 02:27 -------- d-----w- c:\program files\PagePerfect 2
    2010-07-01 02:27 . 2010-07-01 02:27 -------- d-----w- c:\program files\PagePerfect 2 Upload Application
    2010-06-30 12:31 . 2004-08-04 09:00 149504 ----a-w- c:\windows\system32\schannel.dll
    2010-06-30 04:13 . 2010-07-14 13:11 52224 ----a-w- c:\documents and settings\user\Application Data\Mozilla\Firefox\Profiles\2uihdpfd.default\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}\components\FFExternalAlert.dll
    2010-06-30 04:13 . 2010-07-14 13:11 101376 ----a-w- c:\documents and settings\user\Application Data\Mozilla\Firefox\Profiles\2uihdpfd.default\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}\components\RadioWMPCore.dll
    2010-06-25 18:37 . 2010-06-25 18:37 -------- d-----w- c:\documents and settings\All Users\Application Data\FLEXnet
    2010-06-25 17:59 . 2010-06-25 17:59 -------- d-----w- c:\program files\Common Files\Macrovision Shared
    2010-06-23 16:28 . 2010-06-23 16:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Adobe Systems
    2010-06-23 13:44 . 2004-08-04 09:00 1851904 ----a-w- c:\windows\system32\win32k.sys
    2010-06-21 15:27 . 2004-08-04 09:00 354304 ----a-w- c:\windows\system32\drivers\srv.sys
    2010-06-17 14:03 . 2004-08-04 09:00 80384 ----a-w- c:\windows\system32\iccvid.dll
    2010-06-14 14:31 . 2004-08-04 09:00 744448 ----a-w- c:\windows\pchealth\helpctr\binaries\HelpSvc.exe
    2010-06-14 07:41 . 2004-08-04 09:00 1172480 ----a-w- c:\windows\system32\msxml3.dll
    2010-06-09 23:01 . 2010-07-13 04:10 9200 ------w- c:\windows\system32\drivers\cdralw2k.sys
    2010-06-09 23:01 . 2010-07-13 04:10 9072 ------w- c:\windows\system32\drivers\cdr4_xp.sys
    2010-06-09 23:01 . 2010-07-13 04:10 45648 ------w- c:\windows\system32\drivers\PxHelp20.sys
    2010-06-09 23:01 . 2010-07-13 04:10 133616 ------w- c:\windows\system32\pxafs.dll
    2010-06-09 23:01 . 2010-07-13 04:10 126448 ------w- c:\windows\system32\pxinsi64.exe
    2010-06-09 23:01 . 2010-07-13 04:10 123888 ------w- c:\windows\system32\pxcpyi64.exe
    2010-06-09 19:58 . 2010-06-25 17:12 14336 ----a-w- c:\documents and settings\user\Application Data\Mozilla\Firefox\Profiles\2uihdpfd.default\extensions\radiobar@toolbar\components\toolbarhomewmp.dll
    2010-06-09 17:08 . 2010-06-09 17:08 71992 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\Safari 5.33.16.0\SetupAdmin.exe
    2010-06-28 23:22 . 2010-06-28 23:22 101760 ----a-w- c:\program files\mozilla firefox\plugins\ieatgpc.dll
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "igfxtray "= "c:\windows\system32\igfxtray.exe" [2006-03-23 94208]
    "igfxhkcmd "= "c:\windows\system32\hkcmd.exe" [2006-03-23 77824]
    "igfxpers "= "c:\windows\system32\igfxpers.exe" [2006-03-23 118784]
    "SkyTel "= "SkyTel.EXE" [2006-05-16 2879488]
    "BluetoothAuthenticationAgent "= "bthprops.cpl" [2008-04-13 110592]
    "IMJPMIG8.1 "= "c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
    "MSPY2002 "= "c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]
    "PHIME2002ASync "= "c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
    "PHIME2002A "= "c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
    "RTHDCPL "= "RTHDCPL.EXE" [2006-06-28 16248320]
    "Acer ePower Management "= "c:\acer\Empowering Technology\ePower\Acer ePower Management.exe" [2006-05-22 3080704]
    "Adobe ARM "= "c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
    "iTunesHelper "= "c:\program files\iTunes\iTunesHelper.exe" [2010-07-16 141608]
    "Adobe Reader Speed Launcher "= "c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
    "GrooveMonitor "= "c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 31016]
    "Malwarebytes' Anti-Malware "= "c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2010-04-29 437584]
    "avgnt "= "c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-08-20 282792]

    c:\documents and settings\user\Start Menu\Programs\Startup\
    Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2006-1-17 618557]

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe "=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe "=
    "c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe "=
    "c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe "=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe "=
    "c:\\Program Files\\uTorrent\\uTorrent.exe "=
    "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE "=
    "c:\\Program Files\\Steam\\Steam.exe "=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe "=
    "c:\\Program Files\\iTunes\\iTunes.exe "=
    "c:\\Program Files\\Skype\\Phone\\Skype.exe "=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "5353:TCP "= 5353:TCP:Adobe CSI CS4
    "1032:TCP "= 1032:TCP:Akamai NetSession Interface
    "5000:UDP "= 5000:UDP:Akamai NetSession Interface

    R1 avfwot;avfwot;c:\windows\system32\drivers\avfwot.sys [8/19/2010 9:11 PM 102856]
    R3 avfwim;AvFw Packet Filter Miniport;c:\windows\system32\drivers\avfwim.sys [8/19/2010 9:11 PM 79432]
    S2 AntiVirFirewallService;Avira FireWall;c:\program files\Avira\AntiVir Desktop\avfwsvc.exe [8/19/2010 9:11 PM 536232]
    S2 AntiVirMailService;Avira AntiVir MailGuard;c:\program files\Avira\AntiVir Desktop\avmailc.exe [8/19/2010 9:11 PM 337064]
    S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [8/19/2010 9:11 PM 135336]
    S2 AntiVirWebService;Avira AntiVir WebGuard;c:\program files\Avira\AntiVir Desktop\avwebgrd.exe [8/19/2010 9:11 PM 405672]
    S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [8/19/2010 4:47 PM 304464]
    S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [8/19/2010 4:47 PM 20952]
    S3 Revoflt;Revoflt;c:\windows\system32\drivers\revoflt.sys [8/19/2010 5:49 PM 27064]
    S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [7/13/2010 2:20 AM 691696]

    --- Other Services/Drivers In Memory ---

    *NewlyCreated* - MDMXSDK

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    Akamai REG_MULTI_SZ Akamai
    .
    Contents of the 'Scheduled Tasks' folder

    2010-08-11 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://global.acer.com
    IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office12\EXCEL.EXE/3000
    LSP: c:\program files\Avira\AntiVir Desktop\avsda.dll
    FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\fsrc44yt.default\
    FF - component: c:\program files\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}\components\SkypeFfComponent.dll
    FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npatgpc.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

    ---- FIREFOX POLICIES ----
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref( "security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref ", true);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref( "security.ssl.renego_unrestricted_hosts ", " ");
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref( "security.ssl.treat_unsafe_negotiation_as_broken ", false);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref( "security.ssl.require_safe_negotiation ", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "ui.use_native_colors ", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "network.IDN.whitelist.lu ", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "network.IDN.whitelist.nu ", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "network.IDN.whitelist.nz ", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "network.IDN.whitelist.xn--mgbaam7a8h ", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "network.IDN.whitelist.xn--mgberp4a5d4ar ", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "network.IDN.whitelist.xn--p1ai ", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "network.IDN.whitelist.xn--mgbayh7gpa ", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "network.IDN.whitelist.tel ", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "network.auth.force-generic-ntlm ", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "network.proxy.type ", 5);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "network.buffer.cache.count ", 24);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "network.buffer.cache.size ", 4096);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "dom.ipc.plugins.timeoutSecs ", 45);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "svg.smil.enabled ", false);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref( "accelerometer.enabled ", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref( "extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name ", "chrome://browser/locale/browser.properties ");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref( "extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description ", "chrome://browser/locale/browser.properties ");
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref( "plugins.update.notifyUser ", false);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref( "dom.ipc.plugins.enabled.nptest.dll ", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref( "dom.ipc.plugins.enabled.npswf32.dll ", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref( "dom.ipc.plugins.enabled.npctrl.dll ", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref( "dom.ipc.plugins.enabled.npqtplugin.dll ", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref( "dom.ipc.plugins.enabled ", false);
    .
    - - - - ORPHANS REMOVED - - - -

    HKLM-Run-LManager - c:\progra~1\LAUNCH~1\LManager.exe
    HKLM-Run-SunJavaUpdateSched - c:\program files\Common Files\Java\Java Update\jusched.exe
    HKLM-Run-AdobeCS4ServiceManager - c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-08-21 21:34
    Windows 5.1.2600 Service Pack 3 FAT NTAPI

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(1208)
    c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll
    .
    Completion time: 2010-08-21 21:36:17
    ComboFix-quarantined-files.txt 2010-08-22 01:36
    ComboFix2.txt 2010-08-22 00:58
    ComboFix3.txt 2010-08-21 05:18
    ComboFix4.txt 2010-08-21 04:41

    Pre-Run: 104,791,801,856 bytes free
    Post-Run: 104,768,831,488 bytes free

    - - End Of File - - 53D1CA346645F073C775C37023A21CE7
     
  21. 2010/08/21
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Finally, the sucker gave up :)

    How is the computer doing at the moment?

    Uninstall Combofix:
    Go Start > Run [Vista users, go Start> "Start search"]
    Type in:
    Combofix /Uninstall
    Note the space between "Combofix" and "/Uninstall".
    Click OK (Vista users - press Enter).
    Restart computer.

    ==============================================================

    Download OTL to your Desktop.

    • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
    • Under the Custom Scan box paste this in:

    netsvcs
    drivers32 /all
    %SYSTEMDRIVE%\*.*
    %systemroot%\system32\Spool\prtprocs\w32x86\*.dll
    %systemroot%\system32\*.wt
    %systemroot%\system32\*.ruy
    %systemroot%\Fonts\*.com
    %systemroot%\Fonts\*.dll
    %systemroot%\system32\spool\prtprocs\w32x86\*.tmp
    %systemroot%\*. /mp /s
    /md5start
    /md5stop
    CREATERESTOREPOINT
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\System32\config\*.sav
    %systemroot%\system32\user32.dll /md5
    %systemroot%\system32\ws2_32.dll /md5
    %systemroot%\system32\ws2help.dll /md5
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs

    • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
     
