Laptop Becomes Extremely Slow - 100% CPU



kingsfanatic32
2009-12-02, 04:00
When I restart, it is fine for 20-30 minutes, and then I notice a dramatic decrease in performance; it is nearly impossible to change tabs, load any programs, or even pull up Task Manager. I've tried to restart a few times, and it would get stuck. Not positive if this helps. Thanks in advance.

Here is the HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:44, on 2009-12-01
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
C:\Program Files\Canon\Canon IJ Network Scan Utility\CNMNSUT.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AWS\WeatherBug\Weather.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Fiedler\My Documents\Downloads\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll (file missing)
O2 - BHO: (no name) - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - (no file)
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: (no name) - {B9F6E8EB-A4E3-478E-88A4-D3995B5C45C8} - (no file)
O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll (file missing)
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
O4 - HKLM\..\Run: [IJNetworkScanUtility] C:\Program Files\Canon\Canon IJ Network Scan Utility\CNMNSUT.EXE
O4 - HKLM\..\Run: [NVHotkey] rundll32.exe nvHotkey.dll,Start
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [BlackBerryAutoUpdate] C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Policies\Explorer\Run: [{6C83327C-07CD-1033-0609-061201050001}] "C:\Program Files\Common Files\{6C83327C-07CD-1033-0609-061201050001}\Update.exe" mc-110-12-0000140
O4 - HKUS\S-1-5-18\..\Policies\Explorer\Run: [{6C83327C-07CD-1033-0609-061201050001}] "C:\Program Files\Common Files\{6C83327C-07CD-1033-0609-061201050001}\Update.exe" mc-110-12-0000137 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Policies\Explorer\Run: [{6C83327C-07CD-1033-0609-061201050001}] "C:\Program Files\Common Files\{6C83327C-07CD-1033-0609-061201050001}\Update.exe" mc-110-12-0000137 (User 'Default user')
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Startup: PowerReg Scheduler.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file:///C:/Program%20Files/Monopoly/Images/stg_drm.ocx
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file:///C:/Program%20Files/Monopoly/Images/armhelper.ocx
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} -
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Creative Labs Licensing Service - Unknown owner - C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe (file missing)
O23 - Service: dlcc_device - - C:\WINDOWS\system32\dlcccoms.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: McAfee Real-time Scanner (McShield) - Unknown owner - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe (file missing)
O23 - Service: McAfee SystemGuards (McSysmon) - Unknown owner - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe (file missing)
O23 - Service: Nero BackItUp Scheduler 4.0 - Nero AG - C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: OpcEnum - Unknown owner - C:\WINDOWS\system32\OpcEnum.exe (file missing)
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Unknown owner - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe (file missing)
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
O24 - Desktop Component 0: (no name) - C:\Program Files\NetMeeting\rtesekixos.html
O24 - Desktop Component 1: (no name) - C:\Program Files\Outlook Express\rtesekixos.html
O24 - Desktop Component 2: (no name) - C:\Program Files\Internet Explorer\rtesekixos.html

--
End of file - 9450 bytes

Blade81
2009-12-04, 19:31
Hi,

Download DDS and save it to your desktop from here (http://www.techsupportforum.com/sectools/sUBs/dds) or here (http://download.bleepingcomputer.com/sUBs/dds.scr) or here (http://www.forospyware.com/sUBs/dds).
Disable any script blocker, and then double click dds.scr to run the tool.
When done, DDS will open two (2) logs:
DDS.txt
Attach.txt

Save both reports to your desktop. Post them back to your topic.

kingsfanatic32
2009-12-04, 23:20
Okay, I ran the DDS. Here are the Attach and DDS logs.

1. DDS.txt


DDS (Ver_09-12-01.01) - NTFSx86
Run by Fiedler at 13:16:38.04 on 2009-12-04
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_17
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1481 [GMT -8:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
C:\Program Files\Canon\Canon IJ Network Scan Utility\CNMNSUT.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AWS\WeatherBug\Weather.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Fiedler\My Documents\Downloads\dds(2).scr

============== Pseudo HJT Report ===============

uInternet Connection Wizard,ShellNext = iexplore
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: AskBar BHO: {201f27d4-3704-41d6-89c1-aa35e39143ed} - c:\program files\askbardis\bar\bin\askBar.dll
BHO: {27B4851A-3207-45A2-B947-BE8AFE6163AB} - No File
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - No File
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {B9F6E8EB-A4E3-478E-88A4-D3995B5C45C8} - No File
TB: Ask Toolbar: {3041d03e-fd4b-44e0-b742-2d9b88305f98} - c:\program files\askbardis\bar\bin\askBar.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [<NO NAME>]
uRun: [Weather] c:\program files\aws\weatherbug\Weather.exe 1
uRun: [DAEMON Tools] "c:\program files\daemon tools\daemon.exe" -lang 1033
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /installquiet
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [CanonMyPrinter] c:\program files\canon\myprinter\BJMyPrt.exe /logon
mRun: [IJNetworkScanUtility] c:\program files\canon\canon ij network scan utility\CNMNSUT.EXE
mRun: [NVHotkey] rundll32.exe nvHotkey.dll,Start
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [BlackBerryAutoUpdate] c:\program files\common files\research in motion\auto update\RIMAutoUpdate.exe /background
uExplorerRun: [{6C83327C-07CD-1033-0609-061201050001}] "c:\program files\common files\{6c83327c-07cd-1033-0609-061201050001}\Update.exe" mc-110-12-0000140
dExplorerRun: [{6C83327C-07CD-1033-0609-061201050001}] "c:\program files\common files\{6c83327c-07cd-1033-0609-061201050001}\Update.exe" mc-110-12-0000137
StartupFolder: c:\docume~1\fiedler\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
StartupFolder: c:\documents and settings\fiedler\start menu\programs\startup\PowerReg Scheduler.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} - file:///C:/Program%20Files/Monopoly/Images/stg_drm.ocx
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} - hxxp://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0015-0000-0008-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_08-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} - file:///C:/Program%20Files/Monopoly/Images/armhelper.ocx
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A}
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\fiedler\applic~1\mozilla\firefox\profiles\d18w54mv.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig?hl=en|https://calmail.berkeley.edu/|http://berkeley.facebook.com/
FF - prefs.js: network.proxy.http - 128.135.11.149
FF - prefs.js: network.proxy.http_port - 3124
FF - prefs.js: network.proxy.type - 2
FF - component: c:\documents and settings\fiedler\application data\mozilla\firefox\profiles\d18w54mv.default\extensions\{463f6ca5-ee3c-4be1-b7e6-7fee11953374}\platform\winnt\components\FoxyTunes.dll
FF - plugin: c:\documents and settings\fiedler\application data\move networks\plugins\npqmp071503000010.dll
FF - plugin: c:\documents and settings\fiedler\application data\move networks\plugins\npqmp071505000010.dll
FF - plugin: c:\documents and settings\fiedler\application data\mozilla\firefox\profiles\d18w54mv.default\extensions\npdyyno@dyyno.com\plugins\npDyyno.dll
FF - plugin: c:\program files\common files\research in motion\bbwebsllauncher\NPWebSLLauncher.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPAdbESD.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npmozax.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPTURNMED.dll
FF - plugin: c:\program files\veoh networks\veoh\plugins\noreg\NPVeohVersion.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

S2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe --> c:\progra~1\mcafee\viruss~1\mcshield.exe [?]
S3 ashgdmoen;ashgdmoen;\??\c:\documents and settings\fiedler\desktop\nest\ashgdmoen.sys --> c:\documents and settings\fiedler\desktop\nest\ashgdmoen.sys [?]
S3 csiehhx;csiehhx;\??\c:\asdfghjkl\csiehhx.sys --> c:\asdfghjkl\csiehhx.sys [?]
S3 dxtbhzudb;dxtbhzudb;\??\c:\documents and settings\fiedler\desktop\copy of nest\dxtbhzudb.sys --> c:\documents and settings\fiedler\desktop\copy of nest\dxtbhzudb.sys [?]
S3 eagklrceog;eagklrceog;\??\c:\documents and settings\fiedler\my documents\supermusic\eagklrceog.sys --> c:\documents and settings\fiedler\my documents\supermusic\eagklrceog.sys [?]
S3 llqrdbg;llqrdbg;\??\c:\documents and settings\fiedler\desktop\nest\llqrdbg.sys --> c:\documents and settings\fiedler\desktop\nest\llqrdbg.sys [?]
S3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe --> c:\progra~1\mcafee\viruss~1\mcsysmon.exe [?]
S3 mnkjnnvajl;mnkjnnvajl;\??\c:\jumpalong\mnkjnnvajl.sys --> c:\jumpalong\mnkjnnvajl.sys [?]
S3 njjm;njjm;\??\c:\documents and settings\fiedler\desktop\nest\njjm.sys --> c:\documents and settings\fiedler\desktop\nest\njjm.sys [?]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2005-8-2 32512]
S3 nsljlt;nsljlt;\??\c:\documents and settings\fiedler\desktop\copy of nest\nsljlt.sys --> c:\documents and settings\fiedler\desktop\copy of nest\nsljlt.sys [?]
S3 oqktch;oqktch;\??\c:\documents and settings\fiedler\desktop\nest\oqktch.sys --> c:\documents and settings\fiedler\desktop\nest\oqktch.sys [?]
S3 rhgerbrys;rhgerbrys;\??\c:\documents and settings\fiedler\desktop\nest\rhgerbrys.sys --> c:\documents and settings\fiedler\desktop\nest\rhgerbrys.sys [?]
S3 rutugvv;rutugvv;\??\c:\documents and settings\fiedler\desktop\nest\rutugvv.sys --> c:\documents and settings\fiedler\desktop\nest\rutugvv.sys [?]
S3 rwaocbkoct;rwaocbkoct;c:\documents and settings\fiedler\my documents\superbg\rwaocbkoct.sys [2009-2-25 31232]
S3 ubxx;ubxx;\??\c:\documents and settings\fiedler\desktop\nest\ubxx.sys --> c:\documents and settings\fiedler\desktop\nest\ubxx.sys [?]
S3 zizu;zizu;\??\c:\documents and settings\fiedler\desktop\nest\zizu.sys --> c:\documents and settings\fiedler\desktop\nest\zizu.sys [?]

=============== Created Last 30 ================

2009-11-30 08:21:59 0 d-----w- c:\docume~1\fiedler\applic~1\Uniblue
2009-11-27 19:31:29 0 d-----w- c:\docume~1\fiedler\applic~1\Registry Mechanic
2009-11-27 19:11:43 0 d-----w- c:\program files\Defraggler
2009-11-05 02:55:36 5632 ----a-w- c:\windows\system32\ptpusb.dll
2009-11-05 02:55:33 159232 ----a-w- c:\windows\system32\ptpusd.dll

==================== Find3M ====================

2009-10-11 12:17:27 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-09-11 14:18:39 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-09 19:03:24 60633 ----a-w- c:\windows\system32\nvModes.dat
2008-05-03 05:55:41 0 -c-h--w- c:\program files\AppUpdate.log
2008-10-06 04:34:57 32768 -csha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008100520081006\index.dat

============= FINISH: 13:16:56.06 ===============

and

2. Attach.txt (It said to zip it up and attach it, but you said to post it, so I'm doing that as you asked)


UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-12-01.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 2006-10-09 22:27:55
System Uptime: 2009-12-04 12:52:45 (1 hours ago)

Motherboard: Dell Inc. | | 0YD479
Processor: Genuine Intel(R) CPU T2500 @ 2.00GHz | Microprocessor | 1997/133mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 93 GiB total, 32.824 GiB free.
D: is CDROM ()
F: is CDROM (CDFS)

==== Disabled Device Manager Items =============

==== System Restore Points ===================

No restore point in system.

==== Installed Programs ======================

ABBYY FineReader 6.0 Sprint
AC3Filter (remove only)
Adobe Flash Player 10 Plugin
Adobe Flash Player 9 ActiveX
Adobe Flash Player ActiveX
Adobe Reader 8.1.7
Adobe Shockwave Player 11
Advertising Center
Apple Application Support
Apple Mobile Device Support
Apple Software Update
Audacity 1.2.6
AutoUpdate
BlackBerry Desktop Software 5.0.1
BlackBerry Media Sync
BlackBerry® Media Sync
Broadcom 440x 10/100 Integrated Controller
Broadcom Management Programs
Canon IJ Network Scan Utility
Canon IJ Network Tool
Canon MP Navigator EX 2.1
Canon MX860 series MP Drivers
Canon MX860 series User Registration
Canon Utilities My Printer
Chinese Simplified Fonts Support For Adobe Reader 8
Compatibility Pack for the 2007 Office system
Conexant HDA D110 MDC V.92 Modem
Critical Update for Windows Media Player 11 (KB959772)
Defraggler
Dell Photo AIO Printer 924
Dell Wireless WLAN Card
Digsby
DivX Codec
DivX Converter
DivX Player
DivX Web Player
DriverAgent by eSupport.com
ERUNT 1.1j
FoxyTunes for Firefox
FrostWire 4.18.3
Garena
Google Toolbar for Firefox
HandBrake 0.9.3
Hero Editor V0.96
High Definition Audio Driver Package - KB835221
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
HP Deskjet 3740 Series
IrfanView (remove only)
iTunes
IVI Shared Component
IVI Shared Components
J2SE Runtime Environment 5.0 Update 10
J2SE Runtime Environment 5.0 Update 11
J2SE Runtime Environment 5.0 Update 8
J2SE Runtime Environment 5.0 Update 9
Jasc Paint Shop Photo Album 5
Jasc Paint Shop Pro Studio, Dell Editon
Java(TM) 6 Update 17
Java(TM) 6 Update 2
Java(TM) 6 Update 3
Java(TM) 6 Update 5
Java(TM) 6 Update 7
Java(TM) SE Runtime Environment 6
LADSPA_plugins-win-0.4.15
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB953297)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Basic Edition 2003
Microsoft Silverlight
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Mixer
MobileMe Control Panel
MoRUN.net Sticker
Mozilla Firefox (3.5.5)
Mp3tag v2.44
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 6.0 Parser (KB933579)
Nero 9 Essentials
Nero ControlCenter
Nero Installer
Nero Online Upgrade
Nero StartSmart
Nero StartSmart OEM
neroxml
Net Chess 6
NVIDIA Drivers
NVIDIA PhysX
Octoshape add-in for Adobe Flash Player
OpenOffice.org 2.3
QuickTime
RealPlayer
Ringtone Ripper
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Internet Explorer 8 (KB969897)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB972260)
Security Update for Windows Internet Explorer 8 (KB974455)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB917734)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
SigmaTel Audio
Sound Blaster Audigy ADVANCED MB Demo
Spybot - Search & Destroy
Spybot - Search & Destroy 1.4
Star Wars Galactic Battlegrounds
Star Wars Galactic Battlegrounds: Clone Campaigns
Starcraft
Steam
Synaptics Pointing Device Driver
TBS WMP Plug-in
Trillian
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 8 (KB971930)
Update for Windows Internet Explorer 8 (KB976749)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
Ventrilo Client
VeohTV BETA
VLC media player 1.0.1
Warcraft III: All Products
WC3Banlist
WeatherBug
WebFldrs XP
Windows Driver Package - Ricoh Company (rimsptsk) hdc (11/14/2006 6.00.01.04)
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 7
Windows Internet Explorer 8
Windows Media Format 11 runtime
Windows Media Player 11
Windows XP Service Pack 3
WinPcap 3.1
WinRAR archiver
XChange 360

==== Event Viewer Messages From Past Week ========

2009-12-01 12:05:20, error: Service Control Manager [7000] - The McAfee Real-time Scanner service failed to start due to the following error: The system cannot find the path specified.
2009-12-01 12:05:20, error: Service Control Manager [7000] - The Creative Labs Licensing Service service failed to start due to the following error: The system cannot find the path specified.
2009-12-01 11:57:10, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the Dnscache service.
2009-12-01 01:51:15, error: Service Control Manager [7031] - The Print Spooler service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
2009-12-01 01:50:23, error: Service Control Manager [7031] - The Nero BackItUp Scheduler 4.0 service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 500 milliseconds: Restart the service.
2009-12-01 01:49:57, error: Service Control Manager [7031] - The Print Spooler service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
2009-12-01 00:33:02, error: Service Control Manager [7031] - The Nero BackItUp Scheduler 4.0 service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 500 milliseconds: Restart the service.
2009-12-01 00:27:52, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the NVSvc service.
2009-12-01 00:27:11, error: Service Control Manager [7022] - The Windows Image Acquisition (WIA) service hung on starting.
2009-12-01 00:09:35, error: Service Control Manager [7031] - The Nero BackItUp Scheduler 4.0 service terminated unexpectedly. It has done this 3 time(s). The following corrective action will be taken in 500 milliseconds: Restart the service.
2009-12-01 00:05:50, error: Service Control Manager [7034] - The DNS Client service terminated unexpectedly. It has done this 1 time(s).
2009-11-30 09:49:11, error: Service Control Manager [7034] - The McAfee Real-time Scanner service terminated unexpectedly. It has done this 3 time(s).
2009-11-30 09:47:38, error: Service Control Manager [7031] - The McAfee Real-time Scanner service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
2009-11-30 09:46:36, error: Service Control Manager [7031] - The McAfee Real-time Scanner service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
2009-11-30 00:49:14, error: Service Control Manager [7034] - The PC Tools Startup and Shutdown Monitor service service terminated unexpectedly. It has done this 1 time(s).

==== End Of File ===========================

Thanks for the response! Let's see if we can fix this up.

Blade81
2009-12-04, 23:32
Hi,

IMPORTANT: I notice there are signs of one or more P2P (Peer to Peer) file sharing programs on your computer.

Frostwire


I'd like you to read this thread (http://forums.spybot.info/showthread.php?t=282).

Please go to Control Panel > Add/Remove Programs and uninstall the programs listed above (in red).


After that:


Please visit this webpage for download links, and instructions for running ComboFix tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully first.

Please continue as follows:


Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix, link (http://www.bleepingcomputer.com/forums/topic114351.html).
Remember to re-enable them afterwards.


Click Yes to allow ComboFix to continue scanning for malware.


When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt
New dds log.

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.

kingsfanatic32
2009-12-05, 00:21
Okay, I uninstalled what you asked. Up first is the ComboFix Log and thereafter a new DDS log.

ComboFix 09-12-03.06 - Fiedler 2009-12-04 13:45.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1608 [GMT -8:00]
Running from: c:\documents and settings\Fiedler\My Documents\Downloads\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Fiedler\Application Data\Dxcknwrd.dll
c:\documents and settings\Fiedler\Application Data\Dxcuknwrd.dll
c:\documents and settings\Fiedler\Local Settings\Temporary Internet Files\Dxc.log
c:\program files\NetMeeting\rtesekixos.html
c:\program files\Outlook Express\rtesekixos.html
c:\windows\Downloaded Program Files\popcaploader.inf
c:\windows\system32\drivers\1028_DELL_XPS_MP061 .MRK
c:\windows\system32\drivers\DELL_XPS_MP061 .MRK
c:\windows\system32\micro1

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_LNK


((((((((((((((((((((((((( Files Created from 2009-11-04 to 2009-12-04 )))))))))))))))))))))))))))))))
.

2009-12-04 09:14 . 2006-12-11 18:20 180224 ----a-w- c:\documents and settings\Fiedler\Application Data\U3\0000184F74700119\79EB5C19-AB0E-4dd7-BE89-BF96301D35Z8\Exec\U3AppWrapper.exe
2009-12-04 09:14 . 2006-12-11 18:20 983829 ----a-w- c:\documents and settings\Fiedler\Application Data\U3\0000184F74700119\79EB5C19-AB0E-4dd7-BE89-BF96301D35Z8\Exec\master.exe
2009-12-04 09:14 . 2006-12-11 18:20 72192 ----a-w- c:\documents and settings\Fiedler\Application Data\U3\0000184F74700119\79EB5C19-AB0E-4dd7-BE89-BF96301D35Z8\Exec\TASKLIST.EXE
2009-12-04 09:14 . 2006-12-11 18:20 72192 ----a-w- c:\documents and settings\Fiedler\Application Data\U3\0000184F74700119\79EB5C19-AB0E-4dd7-BE89-BF96301D35Z8\Exec\TASKKILL.EXE
2009-12-04 09:14 . 2006-12-11 18:20 325 ----a-w- c:\documents and settings\Fiedler\Application Data\U3\0000184F74700119\79EB5C19-AB0E-4dd7-BE89-BF96301D35Z8\Exec\stopApp.bat
2009-12-04 09:14 . 2006-12-11 18:20 15 ----a-w- c:\documents and settings\Fiedler\Application Data\U3\0000184F74700119\79EB5C19-AB0E-4dd7-BE89-BF96301D35Z8\Exec\run_me.bat
2009-12-04 09:14 . 2006-12-11 18:20 40960 ----a-w- c:\documents and settings\Fiedler\Application Data\U3\0000184F74700119\79EB5C19-AB0E-4dd7-BE89-BF96301D35Z8\Exec\appstop.exe
2009-12-02 01:42 . 2009-12-02 01:42 -------- d-----w- c:\program files\ERUNT
2009-11-30 08:21 . 2009-11-30 08:21 -------- d-----w- c:\documents and settings\Fiedler\Application Data\Uniblue
2009-11-27 19:31 . 2009-11-30 18:11 -------- d-----w- c:\documents and settings\Fiedler\Application Data\Registry Mechanic
2009-11-27 19:11 . 2009-11-27 19:12 -------- d-----w- c:\program files\Defraggler
2009-11-05 02:55 . 2001-08-18 06:36 5632 ----a-w- c:\windows\system32\ptpusb.dll
2009-11-05 02:55 . 2008-04-14 01:12 159232 ----a-w- c:\windows\system32\ptpusd.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-04 10:35 . 2009-08-30 03:01 -------- d-----w- c:\documents and settings\Fiedler\Application Data\vlc
2009-12-04 09:13 . 2006-10-10 07:04 -------- d-----w- c:\documents and settings\Fiedler\Application Data\U3
2009-12-01 08:33 . 2007-03-22 10:55 -------- d--h--w- c:\documents and settings\Fiedler\Application Data\Move Networks
2009-11-30 18:26 . 2009-01-04 07:02 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-11-30 17:59 . 2007-04-25 17:59 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2009-11-30 17:58 . 2007-04-25 17:56 -------- d-----w- c:\program files\McAfee.com
2009-11-27 19:47 . 2007-04-19 04:37 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-11-26 00:55 . 2007-04-28 07:01 -------- d-----w- c:\documents and settings\Fiedler\Application Data\FrostWire
2009-11-19 20:44 . 2006-10-10 06:58 24568 ----a-w- c:\documents and settings\Fiedler\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-11-18 08:06 . 2008-08-01 00:31 -------- d-----w- c:\documents and settings\All Users\Application Data\Roxio
2009-11-18 08:06 . 2008-08-01 00:31 -------- d-----w- c:\program files\Common Files\Roxio Shared
2009-11-18 07:56 . 2008-08-01 00:22 -------- d-----w- c:\program files\Common Files\Research In Motion
2009-11-18 07:48 . 2008-08-01 19:40 256 ----a-w- c:\windows\system32\pool.bin
2009-11-11 11:19 . 2007-01-17 05:00 -------- d-----w- c:\program files\Common Files\Blizzard Entertainment
2009-11-05 02:56 . 2006-10-12 21:23 -------- d-----w- c:\program files\Abbyy FineReader 6.0 Sprint
2009-11-04 23:23 . 2009-11-04 20:14 -------- d-----w- c:\documents and settings\Fiedler\Application Data\dvdcss
2009-11-04 20:06 . 2009-01-06 00:53 -------- d-----w- c:\program files\World of Warcraft
2009-11-03 22:09 . 2006-10-16 22:18 -------- d-----w- c:\program files\Java
2009-11-03 22:07 . 2009-11-03 22:07 152576 ----a-w- c:\documents and settings\Fiedler\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2009-11-03 00:23 . 2008-04-16 22:40 -------- d-----w- c:\program files\Mp3tag
2009-11-01 17:06 . 2009-11-01 17:05 -------- d-----w- c:\program files\iTunes
2009-11-01 17:06 . 2009-11-01 17:06 -------- d-----w- c:\program files\iPod
2009-11-01 17:06 . 2007-07-09 17:10 -------- d-----w- c:\program files\Common Files\Apple
2009-11-01 17:00 . 2009-11-01 17:00 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.2.25\SetupAdmin.exe
2009-10-21 21:22 . 2009-01-07 22:50 -------- d-----w- c:\program files\Curse
2009-10-19 17:20 . 2006-10-11 04:11 -------- d-----w- c:\program files\Common Files\Adobe
2009-10-11 12:17 . 2008-12-05 08:19 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-10-10 05:00 . 2009-10-10 04:59 -------- d-----w- c:\documents and settings\Fiedler\Application Data\Nero
2009-10-10 04:54 . 2009-10-10 04:52 -------- d-----w- c:\program files\Common Files\Nero
2009-10-10 04:54 . 2009-10-10 04:52 -------- d-----w- c:\program files\Nero
2009-10-10 04:53 . 2009-10-10 04:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Nero
2009-09-11 14:18 . 2004-08-04 07:56 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-09 19:03 . 2006-10-10 07:26 60633 ----a-w- c:\windows\system32\nvModes.dat
2008-05-03 05:55 . 2008-05-03 05:55 0 -c-h--w- c:\program files\AppUpdate.log
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Weather"="c:\program files\AWS\WeatherBug\Weather.exe" [2007-08-29 1347584]
"DAEMON Tools"="c:\program files\DAEMON Tools\daemon.exe" [2006-11-12 157592]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 761947]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-01-30 13594624]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-10-10 185784]
"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\stsystra.exe" [2007-05-10 405504]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-08-13 177440]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2009-10-03 39792]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2008-03-18 1848648]
"IJNetworkScanUtility"="c:\program files\Canon\Canon IJ Network Scan Utility\CNMNSUT.EXE" [2007-05-21 124512]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-01-30 86016]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2007-10-10 2183168]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-10-29 141600]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]
"BlackBerryAutoUpdate"="c:\program files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe" [2009-08-31 623960]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2009-01-30 1657376]
"NVHotkey"="nvHotkey.dll" - c:\windows\system32\nvhotkey.dll [2009-01-30 90112]

[HKEY_CURRENT_USER\software\microsoft\windows\Currentversion\policies\explorer\Run]
"{6C83327C-07CD-1033-0609-061201050001}"="c:\program files\Common Files\{6C83327C-07CD-1033-0609-061201050001}\Update.exe mc-110-12-0000140" [X]

[HKEY_USERS\.DEFAULT\software\microsoft\windows\Currentversion\policies\explorer\Run]
"{6C83327C-07CD-1033-0609-061201050001}"="c:\program files\Common Files\{6C83327C-07CD-1033-0609-061201050001}\Update.exe mc-110-12-0000137" [X]

c:\documents and settings\Fiedler\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
PowerReg Scheduler.exe [2008-6-27 256000]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Trillian\\trillian.exe"=
"c:\\Program Files\\Steam\\steamapps\\acballer32\\counter-strike source\\hl2.exe"=
"c:\\Program Files\\Steam\\steam.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\Documents and Settings\\Fiedler\\Local Settings\\Application Data\\Dyyno Receiver\\DPPM.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724

R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [2007-02-27 646392]
S3 ashgdmoen;ashgdmoen;\??\c:\documents and settings\Fiedler\Desktop\Nest\ashgdmoen.sys --> c:\documents and settings\Fiedler\Desktop\Nest\ashgdmoen.sys [?]
S3 csiehhx;csiehhx;\??\c:\asdfghjkl\csiehhx.sys --> c:\asdfghjkl\csiehhx.sys [?]
S3 dxtbhzudb;dxtbhzudb;\??\c:\documents and settings\Fiedler\Desktop\Copy of Nest\dxtbhzudb.sys --> c:\documents and settings\Fiedler\Desktop\Copy of Nest\dxtbhzudb.sys [?]
S3 eagklrceog;eagklrceog;\??\c:\documents and settings\Fiedler\My Documents\SuperMusic\eagklrceog.sys --> c:\documents and settings\Fiedler\My Documents\SuperMusic\eagklrceog.sys [?]
S3 llqrdbg;llqrdbg;\??\c:\documents and settings\Fiedler\Desktop\Nest\llqrdbg.sys --> c:\documents and settings\Fiedler\Desktop\Nest\llqrdbg.sys [?]
S3 mnkjnnvajl;mnkjnnvajl;\??\c:\jumpalong\mnkjnnvajl.sys --> c:\jumpalong\mnkjnnvajl.sys [?]
S3 njjm;njjm;\??\c:\documents and settings\Fiedler\Desktop\Nest\njjm.sys --> c:\documents and settings\Fiedler\Desktop\Nest\njjm.sys [?]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2005-08-02 32512]
S3 nsljlt;nsljlt;\??\c:\documents and settings\Fiedler\Desktop\Copy of Nest\nsljlt.sys --> c:\documents and settings\Fiedler\Desktop\Copy of Nest\nsljlt.sys [?]
S3 oqktch;oqktch;\??\c:\documents and settings\Fiedler\Desktop\Nest\oqktch.sys --> c:\documents and settings\Fiedler\Desktop\Nest\oqktch.sys [?]
S3 rhgerbrys;rhgerbrys;\??\c:\documents and settings\Fiedler\Desktop\Nest\rhgerbrys.sys --> c:\documents and settings\Fiedler\Desktop\Nest\rhgerbrys.sys [?]
S3 rutugvv;rutugvv;\??\c:\documents and settings\Fiedler\Desktop\Nest\rutugvv.sys --> c:\documents and settings\Fiedler\Desktop\Nest\rutugvv.sys [?]
S3 rwaocbkoct;rwaocbkoct;c:\documents and settings\Fiedler\My Documents\SuperBG\rwaocbkoct.sys [2009-02-25 31232]
S3 ubxx;ubxx;\??\c:\documents and settings\Fiedler\Desktop\Nest\ubxx.sys --> c:\documents and settings\Fiedler\Desktop\Nest\ubxx.sys [?]
S3 zizu;zizu;\??\c:\documents and settings\Fiedler\Desktop\Nest\zizu.sys --> c:\documents and settings\Fiedler\Desktop\Nest\zizu.sys [?]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c666524a-c6a3-11db-9e75-001422f8f906}]
\Shell\AutoRun\command - F:\SETUP.EXE
.
Contents of the 'Scheduled Tasks' folder

2009-12-03 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]
.
.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = iexplore
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Fiedler\Application Data\Mozilla\Firefox\Profiles\d18w54mv.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig?hl=en|https://calmail.berkeley.edu/|http://berkeley.facebook.com/
FF - prefs.js: network.proxy.http - 128.135.11.149
FF - prefs.js: network.proxy.http_port - 3124
FF - prefs.js: network.proxy.type - 2
FF - component: c:\documents and settings\Fiedler\Application Data\Mozilla\Firefox\Profiles\d18w54mv.default\extensions\{463F6CA5-EE3C-4be1-B7E6-7FEE11953374}\platform\WINNT\components\FoxyTunes.dll
FF - plugin: c:\documents and settings\Fiedler\Application Data\Mozilla\Firefox\Profiles\d18w54mv.default\extensions\NPDyyno@dyyno.com\plugins\npDyyno.dll
FF - plugin: c:\program files\Common Files\Research In Motion\BBWebSLLauncher\NPWebSLLauncher.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPAdbESD.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPTURNMED.dll
FF - plugin: c:\program files\Veoh Networks\Veoh\Plugins\noreg\NPVeohVersion.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
.
- - - - ORPHANS REMOVED - - - -

BHO-{201f27d4-3704-41d6-89c1-aa35e39143ed} - c:\program files\AskBarDis\bar\bin\askBar.dll
Toolbar-{3041d03e-fd4b-44e0-b742-2d9b88305f98} - c:\program files\AskBarDis\bar\bin\askBar.dll
AddRemove-Broadcom 802.11b Network Adapter - c:\program files\Dell\Dell Wireless WLAN Card\bcmwlu00.exe verbose
AddRemove-CanonMyPrinter - c:\program files\Canon\MyPrinter\uninst.exe uninst.ini
AddRemove-NVIDIA Drivers - c:\windows\system32\nvuninst.exe UninstallGUI
AddRemove-RealJukebox 1.0 - c:\program files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
AddRemove-RealPlayer 6.0 - c:\program files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
AddRemove-ShockwaveFlash - c:\windows\system32\Macromed\Flash\FlashUtil9c.exe
AddRemove-{0a19d35f-c780-4bc9-8855-373d171f60cf} - c:\program files\Common Files\Nero\Nero ProductInstaller 4\SetupX.exe REMOVESERIALNUMBER=XM02-508X-MHAT-19WU-9Z3Z-0CH0-3U6E-85W5-MMHH-6647-1Z5L-7M8C-0U45-758P-0000



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-04 13:51
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys atapi.sys sptd.sys hal.dll >>UNKNOWN [0x8A87B7B8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xb810cf28
\Driver\ACPI -> ACPI.sys @ 0xb7e8dcb8
\Driver\atapi -> atapi.sys @ 0xb7e22b40
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
NDIS: Broadcom 440x 10/100 Integrated Controller -> SendCompleteHandler -> NDIS.sys @ 0xb7d18bb0
PacketIndicateHandler -> NDIS.sys @ 0xb7d07a0d
SendHandler -> NDIS.sys @ 0xb7d1bb40
user & kernel MBR OK

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1606980848-2052111302-725345543-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,f7,d6,0a,ab,e8,1a,23,47,b2,95,61,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,f7,d6,0a,ab,e8,1a,23,47,b2,95,61,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3356)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\mshtml.dll
c:\windows\system32\msls31.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\bcmwltry.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Nero\Nero BackItUp 4\NBService.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\RUNDLL32.EXE
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-12-04 13:58 - machine was rebooted
ComboFix-quarantined-files.txt 2009-12-04 21:58

Pre-Run: 35,143,630,848 bytes free
Post-Run: 35,407,978,496 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 7E477E355F9ACAD13C9C9F2589968CCF

2. Now the DDS log.


DDS (Ver_09-12-01.01) - NTFSx86
Run by Fiedler at 14:19:23.93 on 2009-12-04
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_17
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1449 [GMT -8:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
C:\Program Files\Canon\Canon IJ Network Scan Utility\CNMNSUT.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe
C:\Program Files\AWS\WeatherBug\Weather.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Fiedler\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

uInternet Connection Wizard,ShellNext = iexplore
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {27B4851A-3207-45A2-B947-BE8AFE6163AB} - No File
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - No File
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [Weather] c:\program files\aws\weatherbug\Weather.exe 1
uRun: [DAEMON Tools] "c:\program files\daemon tools\daemon.exe" -lang 1033
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /installquiet
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [CanonMyPrinter] c:\program files\canon\myprinter\BJMyPrt.exe /logon
mRun: [IJNetworkScanUtility] c:\program files\canon\canon ij network scan utility\CNMNSUT.EXE
mRun: [NVHotkey] rundll32.exe nvHotkey.dll,Start
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [BlackBerryAutoUpdate] c:\program files\common files\research in motion\auto update\RIMAutoUpdate.exe /background
uExplorerRun: [{6C83327C-07CD-1033-0609-061201050001}] "c:\program files\common files\{6c83327c-07cd-1033-0609-061201050001}\Update.exe" mc-110-12-0000140
dExplorerRun: [{6C83327C-07CD-1033-0609-061201050001}] "c:\program files\common files\{6c83327c-07cd-1033-0609-061201050001}\Update.exe" mc-110-12-0000137
StartupFolder: c:\docume~1\fiedler\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
StartupFolder: c:\documents and settings\fiedler\start menu\programs\startup\PowerReg Scheduler.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} - file:///C:/Program%20Files/Monopoly/Images/stg_drm.ocx
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} - hxxp://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0015-0000-0008-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_08-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} - file:///C:/Program%20Files/Monopoly/Images/armhelper.ocx
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\fiedler\applic~1\mozilla\firefox\profiles\d18w54mv.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig?hl=en|https://calmail.berkeley.edu/|http://berkeley.facebook.com/
FF - prefs.js: network.proxy.http - 128.135.11.149
FF - prefs.js: network.proxy.http_port - 3124
FF - prefs.js: network.proxy.type - 2
FF - component: c:\documents and settings\fiedler\application data\mozilla\firefox\profiles\d18w54mv.default\extensions\{463f6ca5-ee3c-4be1-b7e6-7fee11953374}\platform\winnt\components\FoxyTunes.dll
FF - plugin: c:\documents and settings\fiedler\application data\mozilla\firefox\profiles\d18w54mv.default\extensions\npdyyno@dyyno.com\plugins\npDyyno.dll
FF - plugin: c:\program files\common files\research in motion\bbwebsllauncher\NPWebSLLauncher.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPAdbESD.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npmozax.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPTURNMED.dll
FF - plugin: c:\program files\veoh networks\veoh\plugins\noreg\NPVeohVersion.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

S2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe --> c:\progra~1\mcafee\viruss~1\mcshield.exe [?]
S3 ashgdmoen;ashgdmoen;\??\c:\documents and settings\fiedler\desktop\nest\ashgdmoen.sys --> c:\documents and settings\fiedler\desktop\nest\ashgdmoen.sys [?]
S3 csiehhx;csiehhx;\??\c:\asdfghjkl\csiehhx.sys --> c:\asdfghjkl\csiehhx.sys [?]
S3 dxtbhzudb;dxtbhzudb;\??\c:\documents and settings\fiedler\desktop\copy of nest\dxtbhzudb.sys --> c:\documents and settings\fiedler\desktop\copy of nest\dxtbhzudb.sys [?]
S3 eagklrceog;eagklrceog;\??\c:\documents and settings\fiedler\my documents\supermusic\eagklrceog.sys --> c:\documents and settings\fiedler\my documents\supermusic\eagklrceog.sys [?]
S3 llqrdbg;llqrdbg;\??\c:\documents and settings\fiedler\desktop\nest\llqrdbg.sys --> c:\documents and settings\fiedler\desktop\nest\llqrdbg.sys [?]
S3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe --> c:\progra~1\mcafee\viruss~1\mcsysmon.exe [?]
S3 mnkjnnvajl;mnkjnnvajl;\??\c:\jumpalong\mnkjnnvajl.sys --> c:\jumpalong\mnkjnnvajl.sys [?]
S3 njjm;njjm;\??\c:\documents and settings\fiedler\desktop\nest\njjm.sys --> c:\documents and settings\fiedler\desktop\nest\njjm.sys [?]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2005-8-2 32512]
S3 nsljlt;nsljlt;\??\c:\documents and settings\fiedler\desktop\copy of nest\nsljlt.sys --> c:\documents and settings\fiedler\desktop\copy of nest\nsljlt.sys [?]
S3 oqktch;oqktch;\??\c:\documents and settings\fiedler\desktop\nest\oqktch.sys --> c:\documents and settings\fiedler\desktop\nest\oqktch.sys [?]
S3 rhgerbrys;rhgerbrys;\??\c:\documents and settings\fiedler\desktop\nest\rhgerbrys.sys --> c:\documents and settings\fiedler\desktop\nest\rhgerbrys.sys [?]
S3 rutugvv;rutugvv;\??\c:\documents and settings\fiedler\desktop\nest\rutugvv.sys --> c:\documents and settings\fiedler\desktop\nest\rutugvv.sys [?]
S3 rwaocbkoct;rwaocbkoct;c:\documents and settings\fiedler\my documents\superbg\rwaocbkoct.sys [2009-2-25 31232]
S3 ubxx;ubxx;\??\c:\documents and settings\fiedler\desktop\nest\ubxx.sys --> c:\documents and settings\fiedler\desktop\nest\ubxx.sys [?]
S3 zizu;zizu;\??\c:\documents and settings\fiedler\desktop\nest\zizu.sys --> c:\documents and settings\fiedler\desktop\nest\zizu.sys [?]

=============== Created Last 30 ================

2009-12-04 21:41:43 0 d-sha-r- C:\cmdcons
2009-12-04 21:40:15 77312 ----a-w- c:\windows\MBR.exe
2009-12-04 21:40:15 260608 ----a-w- c:\windows\PEV.exe
2009-12-04 21:40:14 98816 ----a-w- c:\windows\sed.exe
2009-12-04 21:40:14 161792 ----a-w- c:\windows\SWREG.exe
2009-11-30 08:21:59 0 d-----w- c:\docume~1\fiedler\applic~1\Uniblue
2009-11-27 19:31:29 0 d-----w- c:\docume~1\fiedler\applic~1\Registry Mechanic
2009-11-27 19:11:43 0 d-----w- c:\program files\Defraggler
2009-11-05 02:55:36 5632 ----a-w- c:\windows\system32\ptpusb.dll
2009-11-05 02:55:33 159232 ----a-w- c:\windows\system32\ptpusd.dll

==================== Find3M ====================

2009-10-11 12:17:27 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-09-11 14:18:39 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-09 19:03:24 60633 ----a-w- c:\windows\system32\nvModes.dat
2008-05-03 05:55:41 0 -c-h--w- c:\program files\AppUpdate.log
2008-10-06 04:34:57 32768 -csha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008100520081006\index.dat

============= FINISH: 14:19:41.79 ===============

If you wanted the Attach.txt again as well, let me know.

Blade81
2009-12-05, 12:43
Hi again,


Please download DeFogger (http://www.jpshortstuff.247fixes.com/Defogger.exe) to your desktop.

Double click DeFogger to run the tool.
The application window will appear
Click the Disable button to disable your CD Emulation drivers.
Click Yes to continue
A 'Finished!' message will appear
Click OK
DeFogger will now ask to reboot the machine - click OK
IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_disable which will appear on your desktop.

Do not re-enable these drivers until otherwise instructed.


Open notepad and copy/paste the text in the quotebox below into it:



DDS::
BHO: {27B4851A-3207-45A2-B947-BE8AFE6163AB} - No File
BHO: {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - No File
Driver::
ashgdmoen
csiehhx
dxtbhzudb
eagklrceog
llqrdbg
mnkjnnvajl
njjm
nsljlt
oqktch
rhgerbrys
rutugvv
rwaocbkoct
ubxx
zizu
File::
c:\documents and settings\fiedler\desktop\nest\ashgdmoen.sys
c:\asdfghjkl\csiehhx.sys
c:\documents and settings\fiedler\desktop\copy of nest\dxtbhzudb.sys
c:\documents and settings\fiedler\my documents\supermusic\eagklrceog.sys
c:\documents and settings\fiedler\desktop\nest\llqrdbg.sys
c:\jumpalong\mnkjnnvajl.sys
c:\documents and settings\fiedler\desktop\nest\njjm.sys
c:\documents and settings\fiedler\desktop\copy of nest\nsljlt.sys
c:\documents and settings\fiedler\desktop\nest\oqktch.sys
c:\documents and settings\fiedler\desktop\nest\rhgerbrys.sys
c:\documents and settings\fiedler\desktop\nest\rutugvv.sys
c:\documents and settings\fiedler\my documents\superbg\rwaocbkoct.sys
c:\documents and settings\fiedler\desktop\nest\ubxx.sys
c:\documents and settings\fiedler\desktop\nest\zizu.sys
Folder::
c:\documents and settings\Fiedler\Application Data\FrostWire
Registry::
[HKEY_CURRENT_USER\software\microsoft\windows\Currentversion\policies\explorer\Run]
"{6C83327C-07CD-1033-0609-061201050001}"=-
[HKEY_USERS\.DEFAULT\software\microsoft\windows\Currentversion\policies\explorer\Run]
"{6C83327C-07CD-1033-0609-061201050001}"=-



Save this as CFScript

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Close all browser windows and, referring to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log.



Uninstall your current Adobe shockwave player and get the fresh one here (http://get.adobe.com/shockwave/) if needed.

Uninstall vulnerable Flash versions by following instructions here (http://kb2.adobe.com/cps/141/tn_14157.html). A fresh version can be obtained here (http://get.adobe.com/flashplayer/).


Uninstall these old Javas:
J2SE Runtime Environment 5.0 Update 10
J2SE Runtime Environment 5.0 Update 11
J2SE Runtime Environment 5.0 Update 8
J2SE Runtime Environment 5.0 Update 9
Java(TM) 6 Update 2
Java(TM) 6 Update 3
Java(TM) 6 Update 5
Java(TM) 6 Update 7
Java(TM) SE Runtime Environment 6



Download ATF (Atribune Temp File) Cleaner© by Atribune (http://www.atribune.org/ccount/click.php?id=1) to your desktop.

Double-click ATF Cleaner.exe to open it

Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache
*The other boxes are optional*
Then click the Empty Selected button.

If you use Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

If you use Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Click Exit on the Main menu to close the program.


Please run an online scan with Kaspersky Online Scanner (http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html) as instructed in the screenshot here (http://i275.photobucket.com/albums/jj285/Bleeping/KAS/KAS9.gif).


Post back its report, a fresh dds.txt log and above mentioned ComboFix resultant log.
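The CFScript in the post above was assembled by reading the DDS "SERVICES / DRIVERS" section: every S3 entry with a nonsense service name whose .sys image sits under the user's profile (desktop\nest, my documents\superbg) or in an odd top-level folder (c:\asdfghjkl, c:\jumpalong) went into the Driver:: and File:: lists. The Python script below is an added example, not part of this thread and not code from DDS or ComboFix: it parses a handful of those log lines (copied from the DDS log posted earlier), flags kernel drivers loaded from outside c:\windows\system32\drivers, and prints the Driver::/File:: sections in the same CFScript format. The path-based rule and the function names are my own assumptions about how to triage such lines, not a description of how the tools themselves decide.

```python
"""Triage the 'SERVICES / DRIVERS' section of a DDS log and build the
Driver::/File:: part of a ComboFix CFScript for the entries that look wrong.

Added example; the parsing rule below is an assumption, not DDS/ComboFix logic.
"""
import re

# Constructed sample: a subset of the DDS driver lines from this thread.
# Two formats appear: '<image> --> <resolved> [?]' and '<image> [date size]'.
SAMPLE_DDS = r"""
S2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe --> c:\progra~1\mcafee\viruss~1\mcshield.exe [?]
S3 ashgdmoen;ashgdmoen;\??\c:\documents and settings\fiedler\desktop\nest\ashgdmoen.sys --> c:\documents and settings\fiedler\desktop\nest\ashgdmoen.sys [?]
S3 csiehhx;csiehhx;\??\c:\asdfghjkl\csiehhx.sys --> c:\asdfghjkl\csiehhx.sys [?]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2005-8-2 32512]
S3 rwaocbkoct;rwaocbkoct;c:\documents and settings\fiedler\my documents\superbg\rwaocbkoct.sys [2009-2-25 31232]
"""

LINE_RE = re.compile(
    r"^(?P<start>[RS]\d)\s+"            # start type as DDS prints it (S3 = on demand)
    r"(?P<name>[^;]+);"                  # service key name
    r"(?P<display>[^;]*);"               # display name
    r"(?P<image>.+?)"                    # image path as registered
    r"(?:\s+-->\s+(?P<resolved>.+?))?"   # DDS resolved path, when shown
    r"\s+\[(?P<info>[^\]]*)\]\s*$"       # '[date size]' or '[?]'
)

# Where Windows XP keeps its own kernel drivers (assumed baseline for the check).
SYSTEM_DRIVER_DIR = r"c:\windows\system32\drivers"


def parse_driver_lines(text):
    """Turn DDS driver/service lines into dicts with a normalised image path."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # section headers, blank lines, anything else
        path = (m.group("resolved") or m.group("image")).lower()
        if path.startswith("\\??\\"):       # strip the NT object-manager prefix
            path = path[4:]
        entries.append({
            "start": m.group("start"),
            "name": m.group("name"),
            "display": m.group("display"),
            "path": path,
            "info": m.group("info"),
            # A display name identical to a random-looking key name is a
            # secondary hint; the helper's list is made up entirely of such entries.
            "generic_display": m.group("name").lower() == m.group("display").lower(),
        })
    return entries


def is_suspicious(entry):
    """Kernel driver (.sys) whose image is not in the system driver directory."""
    path = entry["path"]
    if not path.endswith(".sys"):
        return False  # user-mode services (e.g. mcshield.exe) are triaged separately
    return not path.startswith(SYSTEM_DRIVER_DIR)


def suspicious_drivers(entries):
    """Entries that fail the path check, in log order."""
    return [e for e in entries if is_suspicious(e)]


def build_cfscript(entries):
    """Driver:: and File:: sections in the format used by the CFScript above."""
    lines = ["Driver::"] + [e["name"] for e in entries]
    lines += ["File::"] + [e["path"] for e in entries]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    flagged = suspicious_drivers(parse_driver_lines(SAMPLE_DDS))
    for e in flagged:
        print(f"{e['start']} {e['name']:12} generic_display={e['generic_display']} -> {e['path']}")
    print()
    print(build_cfscript(flagged))
```

Run on the sample, the script flags ashgdmoen, csiehhx and rwaocbkoct and leaves McShield (a user-mode .exe service) and NPF (a .sys in the system driver directory) alone, which matches the helper's own selection. The path rule is deliberately simple: legitimate third-party drivers can also load from under Program Files, so anything it flags is a review candidate to check against file timestamps, signatures and the vendor, not an automatic deletion.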

kingsfanatic32
2009-12-06, 02:50
Here are the 3 logs requested.

ComboFix 09-12-04.04 - Fiedler 2009-12-05 4:54.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1397 [GMT -8:00]
Running from: c:\documents and settings\Fiedler\My Documents\Downloads\ComboFix.exe
Command switches used :: c:\documents and settings\Fiedler\Desktop\CFScript.txt

FILE ::
"c:\asdfghjkl\csiehhx.sys"
"c:\documents and settings\fiedler\desktop\copy of nest\dxtbhzudb.sys"
"c:\documents and settings\fiedler\desktop\copy of nest\nsljlt.sys"
"c:\documents and settings\fiedler\desktop\nest\ashgdmoen.sys"
"c:\documents and settings\fiedler\desktop\nest\llqrdbg.sys"
"c:\documents and settings\fiedler\desktop\nest\njjm.sys"
"c:\documents and settings\fiedler\desktop\nest\oqktch.sys"
"c:\documents and settings\fiedler\desktop\nest\rhgerbrys.sys"
"c:\documents and settings\fiedler\desktop\nest\rutugvv.sys"
"c:\documents and settings\fiedler\desktop\nest\ubxx.sys"
"c:\documents and settings\fiedler\desktop\nest\zizu.sys"
"c:\documents and settings\fiedler\my documents\superbg\rwaocbkoct.sys"
"c:\documents and settings\fiedler\my documents\supermusic\eagklrceog.sys"
"c:\jumpalong\mnkjnnvajl.sys"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Fiedler\Application Data\FrostWire
c:\documents and settings\Fiedler\Application Data\FrostWire\.NetworkShare\LimeWireWin4.16.6.exe
c:\documents and settings\Fiedler\Application Data\FrostWire\checkandupdate.txt
c:\documents and settings\Fiedler\Application Data\FrostWire\createtimes.cache
c:\documents and settings\Fiedler\Application Data\FrostWire\data.ser
c:\documents and settings\Fiedler\Application Data\FrostWire\downloads.dat
c:\documents and settings\Fiedler\Application Data\FrostWire\fileurns.bak
c:\documents and settings\Fiedler\Application Data\FrostWire\fileurns.cache
c:\documents and settings\Fiedler\Application Data\FrostWire\filters.props
c:\documents and settings\Fiedler\Application Data\FrostWire\frostwire.props
c:\documents and settings\Fiedler\Application Data\FrostWire\gnutella.net
c:\documents and settings\Fiedler\Application Data\FrostWire\installation.props
c:\documents and settings\Fiedler\Application Data\FrostWire\intent.props
c:\documents and settings\Fiedler\Application Data\FrostWire\library.dat
c:\documents and settings\Fiedler\Application Data\FrostWire\mojito.props
c:\documents and settings\Fiedler\Application Data\FrostWire\overlays.dat
c:\documents and settings\Fiedler\Application Data\FrostWire\overlays\default.png
c:\documents and settings\Fiedler\Application Data\FrostWire\overlays\frostclick_default_overlay.jpg
c:\documents and settings\Fiedler\Application Data\FrostWire\pub1.key
c:\documents and settings\Fiedler\Application Data\FrostWire\public.key
c:\documents and settings\Fiedler\Application Data\FrostWire\questions.props
c:\documents and settings\Fiedler\Application Data\FrostWire\responses.cache
c:\documents and settings\Fiedler\Application Data\FrostWire\secureMessage.key
c:\documents and settings\Fiedler\Application Data\FrostWire\seenMessages.dat
c:\documents and settings\Fiedler\Application Data\FrostWire\simpp.xml
c:\documents and settings\Fiedler\Application Data\FrostWire\spam.dat
c:\documents and settings\Fiedler\Application Data\FrostWire\tables.props
c:\documents and settings\Fiedler\Application Data\FrostWire\themes\frostwire_theme.skin
c:\documents and settings\Fiedler\Application Data\FrostWire\themes\frostwire_theme\kill.png
c:\documents and settings\Fiedler\Application Data\FrostWire\themes\frostwire_theme\kill_on.png
c:\documents and settings\Fiedler\Application Data\FrostWire\themes\frostwire_theme\theme.txt
c:\documents and settings\Fiedler\Application Data\FrostWire\themes\frostwirePro_theme.fwtp
c:\documents and settings\Fiedler\Application Data\FrostWire\themes\frostwirePro_theme\theme.txt
c:\documents and settings\Fiedler\Application Data\FrostWire\themes\frostwirePro_theme\version.txt
c:\documents and settings\Fiedler\Application Data\FrostWire\ttree.cache
c:\documents and settings\Fiedler\Application Data\FrostWire\ttrees.cache
c:\documents and settings\Fiedler\Application Data\FrostWire\ttroot.cache
c:\documents and settings\Fiedler\Application Data\FrostWire\version.key
c:\documents and settings\Fiedler\Application Data\FrostWire\version.xml
c:\documents and settings\Fiedler\Application Data\FrostWire\xml\data\audio.sxml2
c:\documents and settings\Fiedler\Application Data\FrostWire\xml\data\delete_me
c:\documents and settings\Fiedler\Application Data\FrostWire\xml\data\video.sxml2
c:\documents and settings\Fiedler\Application Data\FrostWire\xml\misc\application.gif
c:\documents and settings\Fiedler\Application Data\FrostWire\xml\misc\audio.gif
c:\documents and settings\Fiedler\Application Data\FrostWire\xml\misc\document.gif
c:\documents and settings\Fiedler\Application Data\FrostWire\xml\misc\image.gif
c:\documents and settings\Fiedler\Application Data\FrostWire\xml\misc\video.gif
c:\documents and settings\Fiedler\Application Data\FrostWire\xml\schemas\application.xsd
c:\documents and settings\Fiedler\Application Data\FrostWire\xml\schemas\audio.xsd
c:\documents and settings\Fiedler\Application Data\FrostWire\xml\schemas\document.xsd
c:\documents and settings\Fiedler\Application Data\FrostWire\xml\schemas\image.xsd
c:\documents and settings\Fiedler\Application Data\FrostWire\xml\schemas\video.xsd
c:\documents and settings\fiedler\my documents\superbg\rwaocbkoct.sys

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_ASHGDMOEN
-------\Legacy_CSIEHHX
-------\Legacy_DXTBHZUDB
-------\Legacy_EAGKLRCEOG
-------\Legacy_LLQRDBG
-------\Legacy_MNKJNNVAJL
-------\Legacy_NJJM
-------\Legacy_NSLJLT
-------\Legacy_OQKTCH
-------\Legacy_RHGERBRYS
-------\Legacy_RUTUGVV
-------\Legacy_RWAOCBKOCT
-------\Legacy_UBXX
-------\Legacy_ZIZU
-------\Service_ashgdmoen
-------\Service_csiehhx
-------\Service_dxtbhzudb
-------\Service_eagklrceog
-------\Service_llqrdbg
-------\Service_mnkjnnvajl
-------\Service_njjm
-------\Service_nsljlt
-------\Service_oqktch
-------\Service_rhgerbrys
-------\Service_rutugvv
-------\Service_rwaocbkoct
-------\Service_ubxx
-------\Service_zizu


((((((((((((((((((((((((( Files Created from 2009-11-05 to 2009-12-05 )))))))))))))))))))))))))))))))
.

2009-12-04 09:14 . 2006-12-11 18:20 180224 ----a-w- c:\documents and settings\Fiedler\Application Data\U3\0000184F74700119\79EB5C19-AB0E-4dd7-BE89-BF96301D35Z8\Exec\U3AppWrapper.exe
2009-12-04 09:14 . 2006-12-11 18:20 983829 ----a-w- c:\documents and settings\Fiedler\Application Data\U3\0000184F74700119\79EB5C19-AB0E-4dd7-BE89-BF96301D35Z8\Exec\master.exe
2009-12-04 09:14 . 2006-12-11 18:20 72192 ----a-w- c:\documents and settings\Fiedler\Application Data\U3\0000184F74700119\79EB5C19-AB0E-4dd7-BE89-BF96301D35Z8\Exec\TASKLIST.EXE
2009-12-04 09:14 . 2006-12-11 18:20 72192 ----a-w- c:\documents and settings\Fiedler\Application Data\U3\0000184F74700119\79EB5C19-AB0E-4dd7-BE89-BF96301D35Z8\Exec\TASKKILL.EXE
2009-12-04 09:14 . 2006-12-11 18:20 325 ----a-w- c:\documents and settings\Fiedler\Application Data\U3\0000184F74700119\79EB5C19-AB0E-4dd7-BE89-BF96301D35Z8\Exec\stopApp.bat
2009-12-04 09:14 . 2006-12-11 18:20 15 ----a-w- c:\documents and settings\Fiedler\Application Data\U3\0000184F74700119\79EB5C19-AB0E-4dd7-BE89-BF96301D35Z8\Exec\run_me.bat
2009-12-04 09:14 . 2006-12-11 18:20 40960 ----a-w- c:\documents and settings\Fiedler\Application Data\U3\0000184F74700119\79EB5C19-AB0E-4dd7-BE89-BF96301D35Z8\Exec\appstop.exe
2009-12-02 01:42 . 2009-12-02 01:42 -------- d-----w- c:\program files\ERUNT
2009-11-30 08:21 . 2009-11-30 08:21 -------- d-----w- c:\documents and settings\Fiedler\Application Data\Uniblue
2009-11-27 19:31 . 2009-11-30 18:11 -------- d-----w- c:\documents and settings\Fiedler\Application Data\Registry Mechanic
2009-11-27 19:11 . 2009-11-27 19:12 -------- d-----w- c:\program files\Defraggler

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-04 10:35 . 2009-08-30 03:01 -------- d-----w- c:\documents and settings\Fiedler\Application Data\vlc
2009-12-04 09:13 . 2006-10-10 07:04 -------- d-----w- c:\documents and settings\Fiedler\Application Data\U3
2009-12-01 08:33 . 2007-03-22 10:55 -------- d--h--w- c:\documents and settings\Fiedler\Application Data\Move Networks
2009-11-30 18:26 . 2009-01-04 07:02 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-11-30 17:59 . 2007-04-25 17:59 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2009-11-30 17:58 . 2007-04-25 17:56 -------- d-----w- c:\program files\McAfee.com
2009-11-27 19:47 . 2007-04-19 04:37 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-11-19 20:44 . 2006-10-10 06:58 24568 ----a-w- c:\documents and settings\Fiedler\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-11-18 08:06 . 2008-08-01 00:31 -------- d-----w- c:\documents and settings\All Users\Application Data\Roxio
2009-11-18 08:06 . 2008-08-01 00:31 -------- d-----w- c:\program files\Common Files\Roxio Shared
2009-11-18 07:56 . 2008-08-01 00:22 -------- d-----w- c:\program files\Common Files\Research In Motion
2009-11-18 07:48 . 2008-08-01 19:40 256 ----a-w- c:\windows\system32\pool.bin
2009-11-11 11:19 . 2007-01-17 05:00 -------- d-----w- c:\program files\Common Files\Blizzard Entertainment
2009-11-05 02:56 . 2006-10-12 21:23 -------- d-----w- c:\program files\Abbyy FineReader 6.0 Sprint
2009-11-04 23:23 . 2009-11-04 20:14 -------- d-----w- c:\documents and settings\Fiedler\Application Data\dvdcss
2009-11-04 20:06 . 2009-01-06 00:53 -------- d-----w- c:\program files\World of Warcraft
2009-11-03 22:09 . 2006-10-16 22:18 -------- d-----w- c:\program files\Java
2009-11-03 22:07 . 2009-11-03 22:07 152576 ----a-w- c:\documents and settings\Fiedler\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2009-11-03 00:23 . 2008-04-16 22:40 -------- d-----w- c:\program files\Mp3tag
2009-11-01 17:06 . 2009-11-01 17:05 -------- d-----w- c:\program files\iTunes
2009-11-01 17:06 . 2009-11-01 17:06 -------- d-----w- c:\program files\iPod
2009-11-01 17:06 . 2007-07-09 17:10 -------- d-----w- c:\program files\Common Files\Apple
2009-11-01 17:00 . 2009-11-01 17:00 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.2.25\SetupAdmin.exe
2009-10-21 21:22 . 2009-01-07 22:50 -------- d-----w- c:\program files\Curse
2009-10-19 17:20 . 2006-10-11 04:11 -------- d-----w- c:\program files\Common Files\Adobe
2009-10-11 12:17 . 2008-12-05 08:19 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-10-10 05:00 . 2009-10-10 04:59 -------- d-----w- c:\documents and settings\Fiedler\Application Data\Nero
2009-10-10 04:54 . 2009-10-10 04:52 -------- d-----w- c:\program files\Common Files\Nero
2009-10-10 04:54 . 2009-10-10 04:52 -------- d-----w- c:\program files\Nero
2009-10-10 04:53 . 2009-10-10 04:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Nero
2009-09-11 14:18 . 2004-08-04 07:56 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-09 19:03 . 2006-10-10 07:26 60633 ----a-w- c:\windows\system32\nvModes.dat
2008-05-03 05:55 . 2008-05-03 05:55 0 -c-h--w- c:\program files\AppUpdate.log
.

((((((((((((((((((((((((((((( SnapShot@2009-12-04_21.51.43 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-12-05 13:03 . 2009-12-05 13:03 16384 c:\windows\Temp\Perflib_Perfdata_2d4.dat
+ 2009-12-05 12:47 . 2009-12-05 12:47 262144 c:\windows\ERDNT\AutoBackup\2009-12-05\Users\00000002\UsrClass.dat
+ 2009-12-05 12:47 . 2005-10-20 20:02 163328 c:\windows\ERDNT\AutoBackup\2009-12-05\ERDNT.EXE
+ 2009-12-05 12:47 . 2009-12-05 12:47 11206656 c:\windows\ERDNT\AutoBackup\2009-12-05\Users\00000001\NTUSER.DAT
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Weather"="c:\program files\AWS\WeatherBug\Weather.exe" [2007-08-29 1347584]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 761947]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-01-30 13594624]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-10-10 185784]
"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\stsystra.exe" [2007-05-10 405504]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-08-13 177440]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2009-10-03 39792]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2008-03-18 1848648]
"IJNetworkScanUtility"="c:\program files\Canon\Canon IJ Network Scan Utility\CNMNSUT.EXE" [2007-05-21 124512]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-01-30 86016]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2007-10-10 2183168]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-10-29 141600]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]
"BlackBerryAutoUpdate"="c:\program files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe" [2009-08-31 623960]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2009-01-30 1657376]
"NVHotkey"="nvHotkey.dll" - c:\windows\system32\nvhotkey.dll [2009-01-30 90112]

c:\documents and settings\Fiedler\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
PowerReg Scheduler.exe [2008-6-27 256000]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Trillian\\trillian.exe"=
"c:\\Program Files\\Steam\\steamapps\\acballer32\\counter-strike source\\hl2.exe"=
"c:\\Program Files\\Steam\\steam.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\Documents and Settings\\Fiedler\\Local Settings\\Application Data\\Dyyno Receiver\\DPPM.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724

S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2005-08-02 32512]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [2007-02-27 646392]
.
Contents of the 'Scheduled Tasks' folder

2009-12-03 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]
.
.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = iexplore
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Fiedler\Application Data\Mozilla\Firefox\Profiles\d18w54mv.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig?hl=en|https://calmail.berkeley.edu/|http://berkeley.facebook.com/
FF - prefs.js: network.proxy.http - 128.135.11.149
FF - prefs.js: network.proxy.http_port - 3124
FF - prefs.js: network.proxy.type - 2
FF - component: c:\documents and settings\Fiedler\Application Data\Mozilla\Firefox\Profiles\d18w54mv.default\extensions\{463F6CA5-EE3C-4be1-B7E6-7FEE11953374}\platform\WINNT\components\FoxyTunes.dll
FF - plugin: c:\documents and settings\Fiedler\Application Data\Mozilla\Firefox\Profiles\d18w54mv.default\extensions\NPDyyno@dyyno.com\plugins\npDyyno.dll
FF - plugin: c:\program files\Common Files\Research In Motion\BBWebSLLauncher\NPWebSLLauncher.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPAdbESD.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPTURNMED.dll
FF - plugin: c:\program files\Veoh Networks\Veoh\Plugins\noreg\NPVeohVersion.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-05 05:03
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1606980848-2052111302-725345543-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,f7,d6,0a,ab,e8,1a,23,47,b2,95,61,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,f7,d6,0a,ab,e8,1a,23,47,b2,95,61,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(220)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\mshtml.dll
c:\windows\system32\msls31.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\bcmwltry.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Nero\Nero BackItUp 4\NBService.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\RUNDLL32.EXE
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-12-05 05:11 - machine was rebooted
ComboFix-quarantined-files.txt 2009-12-05 13:11
ComboFix2.txt 2009-12-04 21:58

Pre-Run: 35,373,694,976 bytes free
Post-Run: 35,331,186,688 bytes free

- - End Of File - - 3170C9A35CEA174AE9DE95F683BC0489

//Now for the DDS

DDS (Ver_09-12-01.01) - NTFSx86
Run by Fiedler at 16:44:02.31 on 2009-12-05
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_17
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1301 [GMT -8:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
C:\Program Files\Canon\Canon IJ Network Scan Utility\CNMNSUT.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe
C:\Program Files\AWS\WeatherBug\Weather.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Java\jre6\bin\java.exe
C:\Documents and Settings\Fiedler\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

uInternet Connection Wizard,ShellNext = iexplore
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [Weather] c:\program files\aws\weatherbug\Weather.exe 1
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /installquiet
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [CanonMyPrinter] c:\program files\canon\myprinter\BJMyPrt.exe /logon
mRun: [IJNetworkScanUtility] c:\program files\canon\canon ij network scan utility\CNMNSUT.EXE
mRun: [NVHotkey] rundll32.exe nvHotkey.dll,Start
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [BlackBerryAutoUpdate] c:\program files\common files\research in motion\auto update\RIMAutoUpdate.exe /background
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
StartupFolder: c:\docume~1\fiedler\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
StartupFolder: c:\documents and settings\fiedler\start menu\programs\startup\PowerReg Scheduler.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\npjpi160_17.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} - file:///C:/Program%20Files/Monopoly/Images/stg_drm.ocx
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} - hxxp://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} - file:///C:/Program%20Files/Monopoly/Images/armhelper.ocx
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\fiedler\applic~1\mozilla\firefox\profiles\d18w54mv.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig?hl=en|https://calmail.berkeley.edu/|http://berkeley.facebook.com/
FF - prefs.js: network.proxy.http - 128.135.11.149
FF - prefs.js: network.proxy.http_port - 3124
FF - prefs.js: network.proxy.type - 2
FF - component: c:\documents and settings\fiedler\application data\mozilla\firefox\profiles\d18w54mv.default\extensions\{463f6ca5-ee3c-4be1-b7e6-7fee11953374}\platform\winnt\components\FoxyTunes.dll
FF - plugin: c:\documents and settings\fiedler\application data\mozilla\firefox\profiles\d18w54mv.default\extensions\npdyyno@dyyno.com\plugins\npDyyno.dll
FF - plugin: c:\program files\common files\research in motion\bbwebsllauncher\NPWebSLLauncher.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPAdbESD.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npmozax.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPTURNMED.dll
FF - plugin: c:\program files\veoh networks\veoh\plugins\noreg\NPVeohVersion.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

S2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe --> c:\progra~1\mcafee\viruss~1\mcshield.exe [?]
S3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe --> c:\progra~1\mcafee\viruss~1\mcsysmon.exe [?]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2005-8-2 32512]

=============== Created Last 30 ================

2009-12-05 12:44:52 160 ----a-w- c:\documents and settings\fiedler\defogger_reenable
2009-12-04 21:41:43 0 d-sha-r- C:\cmdcons
2009-12-04 21:40:15 77312 ----a-w- c:\windows\MBR.exe
2009-12-04 21:40:15 260608 ----a-w- c:\windows\PEV.exe
2009-12-04 21:40:14 98816 ----a-w- c:\windows\sed.exe
2009-12-04 21:40:14 161792 ----a-w- c:\windows\SWREG.exe
2009-11-30 08:21:59 0 d-----w- c:\docume~1\fiedler\applic~1\Uniblue
2009-11-27 19:31:29 0 d-----w- c:\docume~1\fiedler\applic~1\Registry Mechanic
2009-11-27 19:11:43 0 d-----w- c:\program files\Defraggler

==================== Find3M ====================

2009-10-11 12:17:27 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-09-11 14:18:39 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-09 19:03:24 60633 ----a-w- c:\windows\system32\nvModes.dat
2008-05-03 05:55:41 0 -c-h--w- c:\program files\AppUpdate.log
2008-10-06 04:34:57 32768 -csha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008100520081006\index.dat

============= FINISH: 16:44:51.46 ===============

And lastly, the Kaspersky scan:
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Saturday, December 5, 2009
Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Saturday, December 05, 2009 19:08:50
Records in database: 3333772
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
C:\
D:\
P:\

Scan statistics:
Objects scanned: 96190
Threats found: 1
Infected objects found: 2
Suspicious objects found: 0
Scan duration: 04:17:27


File name / Threat / Threats count
C:\Documents and Settings\Fiedler\My Documents\SuperBG\SHADOW.SYS Infected: Rootkit.Win32.OGRoot.ae 1
C:\Documents and Settings\Fiedler\My Documents\SuperMusic\SHADOW.SYS Infected: Rootkit.Win32.OGRoot.ae 1

Selected area has been scanned.

Blade81
2009-12-06, 11:11
Hi,

Delete these files:
C:\Documents and Settings\Fiedler\My Documents\SuperBG\SHADOW.SYS
C:\Documents and Settings\Fiedler\My Documents\SuperMusic\SHADOW.SYS


Download GMER (http://www.gmer.net) by clicking the "Download EXE" button and saving it to your desktop.
Double-click the .exe that you downloaded.
Click the Rootkit tab and then Scan.
Don't check the "Show All" box while the scan is in progress!
When the scan is finished, click Copy.
This copies the log to the clipboard.
Attach the log in your reply.


How's the system running?

kingsfanatic32
2009-12-06, 23:20
Here's that log from GMER

GMER 1.0.15.15252 - http://www.gmer.net
Rootkit scan 2009-12-06 13:17:14
Windows 5.1.2600 Service Pack 3
Running: npq0ciqi.exe; Driver: C:\DOCUME~1\Fiedler\LOCALS~1\Temp\uxldrpob.sys


---- Kernel code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB778B360, 0x33AACD, 0xE8000020]

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xA8 0x88 0x57 0x3F ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xFB 0xB1 0x6A 0x6F ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x82 0x94 0x1C 0x45 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41@khjeh 0x16 0x13 0xE6 0xCC ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools\
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xA8 0x88 0x57 0x3F ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xFB 0xB1 0x6A 0x6F ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x82 0x94 0x1C 0x45 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41@khjeh 0x12 0xC5 0xF7 0x46 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools\
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xA8 0x88 0x57 0x3F ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xFB 0xB1 0x6A 0x6F ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x82 0x94 0x1C 0x45 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41@khjeh 0x16 0x13 0xE6 0xCC ...

---- EOF - GMER 1.0.15 ----

System seems to be running fine after the GMER (only been on it for a few minutes) and it has been stable. Last night after doing the checks and earlier while it was running the GMER scan it appeared to be a bit slow but that might have been just the GMER. I'm going to reboot and see if it keeps up. Thanks for the help, though, it has definitely worked thus far.

Blade81
2009-12-07, 07:19
You're welcome :)

Let me know how it works after reboot.

kingsfanatic32
2009-12-08, 09:55
Well, it has been working relatively consistently. It does get very slow after it's been on for a while (i.e. watching a movie), even with my external fan and it being properly ventilated. I'm thinking that it has something to do with my hardware/fan or something instead of a virus, although it is weird that it only recently started happening.... When I've rebooted since your last instructions, it always starts running fine. Only after it's been used or running for a bit will it slow down. I'm not sure if it's related to opening Firefox or another file, as I use everything at once. Again, though, thanks for your help.

Blade81
2009-12-08, 11:41
Hi,

When slowdown occurs open the task manager up and check what processes take most CPU (among system idle).

kingsfanatic32
2009-12-09, 20:55
Well, this morning when I popped my laptop out of standby, it was instantly slower. Before I noticed it, I opened Firefox, but it was taking a while for it to even come up with the window. The only other thing I did was start a Windows update, but even as I type this, it is still slow. With Task Manager up, the processes that seem to take the most CPU are firefox.exe, MRT.exe and System; svchost.exe will sometimes show up, and then TeaTimer.exe will go anywhere from around 8-20%. Firefox stays between 30-60%. System and MRT are anywhere between 0-30%. I'm not quite sure what it could be. Like I said, this was right after I logged in from it being on standby, and I had never previously had trouble doing this.

Blade81
2009-12-09, 20:57
Hi,

I'd do a complete reinstall of Firefox (remove the Firefox profile during the uninstall process too) and see if it has any effect.

Blade81
2009-12-16, 16:37
Due to inactivity, this thread will now be closed.

Note: If it has been four days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread. Please do not add any logs that might have been requested in the closed topic, as you would be starting fresh.

If it has been less than four days since your last response and you need the thread re-opened, please send me or MOD a private message (pm). A valid, working link to the closed topic is required.